ZhoubaWiki:HowToSetupSmtpServer


How to set up an outgoing email server

This guide covers getting outgoing email running on Ubuntu using Postfix. It was tested on an Ubuntu 8.04 VPS from LogicWeb. Keep in mind that you must be logged in as root for the whole process.

Postfix

Let’s get core email functionality going with Postfix.

aptitude install postfix sasl2-bin libsasl2-modules

You will be asked a few questions. Unfortunately the configuration dialog that is launched automatically is a condensed version, so confirm the defaults and then run the full configuration utility:

dpkg-reconfigure postfix

Again, you will be asked some questions:

  • General type of mail configuration: Internet Site
  • System mail name: subdomain.hostname.tld (Use the identity domain and replace the prefix as necessary)
  • Root and postmaster mail recipient: hosting@bugweis.com
  • Other destinations to accept mail for: subdomain.hostname.tld, localhost (Use the identity domain)
  • Force synchronous updates on mail queue: No
  • Local networks: leave default
  • Use procmail for local delivery: Yes
  • Mailbox size limit (bytes): 0
  • Local address extension character? leave default
  • Internet protocols to use: all

Sometimes sendmail is an idiot and keeps running even though it was replaced by Postfix. To avoid problems, run:

killall sendmail-mta

Next, let’s take care of certificates for TLS. First create a new directory.

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

Now create a new key and generate a certificate request. You will be asked several questions during this process; fill them in as suggested below, using the domain and name of the identity this server is being set up for. The 1024-bit key length below is what this guide used at the time; current guidance is 2048 bits or more.

openssl genrsa -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

Example input:

Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hostname
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:subdomain.hostname.tld
Email Address []:admin@hostname.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now we need to self-sign the certificate.

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
chmod 600 smtpd.key
rm smtpd.csr

Finish configuring Postfix for TLS and SASL.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'

For some strange reason the Postfix config did not use the mail name as the hostname in the SMTP banner, so set it manually:

postconf -e 'myhostname = subdomain.hostname.tld'

If the server has no IPv6 interface, restrict inet_protocols:

postconf -e 'inet_protocols = ipv4'

If you also want SMTP on port 465 (SMTPS, TLS from the first byte instead of STARTTLS), add these lines to /etc/postfix/master.cf:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Finally, restart Postfix.

/etc/init.d/postfix restart
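The following is an added example, not part of this wiki page, that audits a main.cf-style file for the properties the postconf lines above are meant to establish: that the server is not an open relay (reject_unauth_destination is present), that AUTH is only offered over TLS (smtpd_tls_auth_only = yes), that anonymous SASL mechanisms are disabled (noanonymous), and that no value has a trailing '#' comment glued to it, since Postfix does not support comments after a value and keeps the '#' text as part of the value. The function names (mainconf_get, audit_mainconf, write_samples) and the two sample files it builds are constructed for the demonstration; on a real server point audit_mainconf at /etc/postfix/main.cf or at the output of postconf -n.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit a main.cf-style file for the
# settings this guide relies on. Needs only awk/grep, not a Postfix install;
# on a real server point it at /etc/postfix/main.cf or at "postconf -n" output.

# Print the value of parameter $2 from file $1 the way Postfix reads it: the
# last definition wins, a line starting with whitespace continues the previous
# value, and only a '#' at the start of a line is a comment.
mainconf_get() {
    awk -v key="$2" '
        /^#/ || /^[ \t]*$/ { cur = ""; next }
        /^[ \t]/ {
            if (cur == key) { c = $0; sub(/^[ \t]+/, "", c); val = val " " c }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            k = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", k)
            v = substr($0, eq + 1);    sub(/^[ \t]+/, "", v)
            cur = k
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Report findings for file $1; return 0 when clean, 1 otherwise.
audit_mainconf() {
    f=$1; rc=0
    # Without reject_unauth_destination anyone who connects can relay to any domain.
    case " $(mainconf_get "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) ;;
        *) echo "FAIL: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1 ;;
    esac
    # Without smtpd_tls_auth_only = yes, PLAIN/LOGIN passwords can cross the wire in clear.
    if [ "$(mainconf_get "$f" smtpd_tls_auth_only)" != yes ]; then
        echo "FAIL: smtpd_tls_auth_only is not yes (AUTH offered without TLS)"; rc=1
    fi
    case " $(mainconf_get "$f" smtpd_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    # Postfix has no trailing comments: everything after '=' is the value, '#' included.
    if grep -q '^[^#[:space:]][^=]*=.*#' "$f"; then
        echo "FAIL: '#' inside a value (Postfix keeps it as part of the value):"
        grep -n '^[^#[:space:]][^=]*=.*#' "$f" | sed 's/^/    /'
        rc=1
    fi
    return $rc
}

# Constructed samples: one mirroring this guide's postconf lines, one with mistakes.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/good.cf" <<'EOF'
myhostname = subdomain.hostname.tld
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = yes
# use the IP of smtp01.hostname.tld
smtp_bind_address = 123.123.123.123
EOF
    cat > "$d/bad.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_auth_only = no
smtp_bind_address = 123.123.123.123 # use the IP of smtp01.hostname.tld
EOF
    echo "$d"
}

samples=$(write_samples)
for cf in good bad; do
    echo "== $cf.cf"
    audit_mainconf "$samples/$cf.cf" && echo "OK: no findings"
done
rm -r "$samples"
```

The last finding on bad.cf is the one to remember when you reach the smtp_bind_address setting in the SPF section: with the comment on the same line, Postfix would try to bind to the literal string including the '#' text.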

Logging

Postfix uses the syslog facility for logging, which means all logs will be stored in /var/log/mail.*.

These files should be rotated weekly, but pretty much all virtual Ubuntu servers I tested had a weird bug: the weekly syslog script was missing and the log files did not get rotated. If you come across the same problem, just install rsyslog, which is newer and better than syslogd and uses logrotate.

aptitude install rsyslog

SASL

Authentication will be done by saslauthd which will need to be configured to support a chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:

START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.

mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start

Testing

At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.

telnet localhost 25

After establishing a connection with the Postfix service, run:

ehlo localhost

Look for these lines in the response:

...
250-STARTTLS
250-AUTH PLAIN LOGIN
...

Type quit to get out. Because smtpd_tls_auth_only was set to yes above, Postfix announces AUTH only after STARTTLS has been negotiated, so a plain telnet session shows 250-STARTTLS but the AUTH line only appears once TLS is active; to see both from the command line, connect with openssl s_client -starttls smtp -connect localhost:25 and issue EHLO again.

Reverse DNS

Some mail servers do not accept email from servers with an invalid or non-existent reverse DNS record. Reverse DNS maps an IP address back to a host name and is maintained by whoever owns the address block, usually the ISP or hosting provider. Contact the server provider and ask them to set up an rDNS (PTR) record for the new server (IP -> system mail name). Needless to say, the hostname must also resolve forward to the same IP address.

SPF Record

Sender Policy Framework (SPF) is an e-mail validation system designed to prevent e-mail spam, or more precisely sender address forgery. It lets a domain's administrators specify which Internet hosts are allowed to send e-mail claiming to originate from that domain. From our point of view it is a way to look more legitimate to receiving mail servers and therefore to keep our mail from being marked as spam.

To set up an SPF record you have to edit the DNS records of the sender domain, in our case hostname.tld. Let's presume we want to specify that the servers smtp01.hostname.tld and smtp02.hostname.tld may send email from @hostname.tld. You can do this by adding a new TXT record named hostname.tld to the DNS:

v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all
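As an added example that is not part of this wiki page, the shell functions below check an SPF record string the way a receiver will interpret it, before you publish it: the v=spf1 prefix, the qualifier on the terminal all mechanism (a +all lets any host send as the domain), and the number of DNS-lookup terms, which RFC 7208 limits to 10 per record (a record over the limit evaluates to permerror and protects nothing). It generalises beyond the a: mechanisms used in the record above to mx, include, ptr, exists and redirect=. The function names spf_lookup_count and spf_check are mine and the example.net include targets in the test are made up.

```shell
#!/bin/sh
# Added example, not from the wiki: sanity-check an SPF TXT record before
# publishing it. Pure string checks, no DNS queries.

# Count the terms that cost a DNS lookup when the record is evaluated (a, mx,
# ptr, exists, include and redirect=). RFC 7208 caps these at 10 per record;
# past that, receivers return permerror and the record protects nothing.
spf_lookup_count() {
    n=0
    for term in $1; do
        t=${term#[-+~?]}          # strip the qualifier, if any
        case "$t" in
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|include:*|redirect=*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print findings for record $1; return 0 when it is safe to publish, 1 otherwise.
spf_check() {
    rec=$1; rc=0
    case "$rec" in
        v=spf1|"v=spf1 "*) ;;
        *) echo "FAIL: record must start with v=spf1"; return 1 ;;
    esac
    n=$(spf_lookup_count "$rec")
    if [ "$n" -gt 10 ]; then
        echo "FAIL: $n DNS-lookup terms, the limit is 10"; rc=1
    fi
    last=""
    for term in $rec; do last=$term; done
    case "$last" in
        -all|~all) ;;             # hosts not listed fail / softfail
        all|+all|?all) echo "FAIL: '$last' lets any host send mail as this domain"; rc=1 ;;
        *) echo "WARN: no terminal all, unlisted senders get a neutral result" ;;
    esac
    case " $rec " in
        *" ptr"*|*" "[-+~?]ptr*) echo "WARN: ptr is deprecated and slow; prefer a: or ip4:" ;;
    esac
    return $rc
}

for rec in \
    "v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all" \
    "v=spf1 a mx ptr +all"; do
    echo "== $rec"
    spf_check "$rec" && echo "OK: $(spf_lookup_count "$rec") lookup terms"
done
```

Run it as sh spf_check.sh; the record from this guide passes with two lookup terms, while the second, constructed record is rejected because of its +all.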

Postfix seems to always use the last defined network interface for sending mail. To avoid later problems with SPF it is better to specify which address should be used, in the main Postfix configuration file /etc/postfix/main.cf. Postfix does not allow a comment after a value on the same line (the '#' and everything after it would become part of the address), so keep the comment on its own line:

# use the IP of smtp01.hostname.tld
smtp_bind_address = 123.123.123.123

Restart Postfix.

Note: this setting will cause Amavis (see ZhoubaWiki:HowToSetupSpamFilterAmavis) to reject mail from Postfix with:

(!)DENIED ACCESS from IP x.y.z.v, policy bank

Append the following to /etc/amavis/conf.d/40-policy_banks to allow messages from the bind address (the file is Perl, so the statement needs its trailing semicolon):

# replace x.y.z.v with the server IP
@inet_acl = qw( 127.0.0.1 x.y.z.v [::1] );


Detailed information about SPF can be found... on the internet.

Stripping the 'Received' header

Variant A

By default Postfix records the IP address of the client that submitted the email, in our case the machine where the sending script is running. This information can potentially link two Hostname identities together, which is something we want to avoid, so we configure Postfix to strip the 'Received' header. The /etc/postfix/main.cf file must reference the header_checks file as follows:

header_checks = regexp:/etc/postfix/header_checks

Create a new file /etc/postfix/header_checks and add the below line:

/^Received: from/    IGNORE

Apply the new configuration by restarting Postfix.

Variant B

This variant is different: instead of removing the Received header it only replaces the "received from" IP address. It will rewrite all existing Received: from headers! The regexp can be altered to target a specific IP only.

First install Postfix support for Perl-compatible regular expressions (PCRE):

aptitude install postfix-pcre

Create the file with the replacement rules, /etc/postfix/smtp_headers_checks. Patterns are tried in order and the first match wins, so keep only one of the two Received rules:

# universal: rewrite every Received: from header
/^\s*(Received: from)[^\n]/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])

# pattern for a specific IP only: replace SERVER IP with the server's address
/^\s*(Received: from)[^\n]*SERVER IP[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2

# optional: remove headers that identify the mail client
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE

Update /etc/postfix/main.cf with:

smtp_header_checks = pcre:/etc/postfix/smtp_headers_checks

Reload Postfix.
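Added example, not from this page: a shell/awk simulation of what Variant A and Variant B do to the header block of a constructed message. The point it shows is that Postfix applies header_checks to the whole logical header, folded continuation lines included, so the IGNORE and REPLACE actions above remove or rewrite the entire multi-line Received: header (the client address on the first line and the "by ... id ..." lines after it), while the message body is never touched. The function names, the message and its 10.1.2.3 client address are constructed; this is a model of the two rule sets, not Postfix itself.

```shell
#!/bin/sh
# Added example, not part of the wiki page: model how header_checks treats a
# logical header. Postfix hands each header, folded continuation lines
# included, to the table as one unit, so IGNORE drops and REPLACE rewrites the
# whole multi-line Received: header, not only its first line.

# mode "ignore":  Variant A (header_checks ... IGNORE)
# mode "replace": Variant B universal rule plus the optional client-header IGNOREs
rewrite_received() {
    awk -v mode="$1" '
        function flush() {
            if (hdr == "") return
            if (hdr ~ /^[ \t]*Received: from/) {
                if (mode == "ignore") { hdr = ""; return }
                # REPLACE substitutes its text for the entire header, so the
                # folded by/with/id continuation lines disappear as well.
                hdr = "Received: from [127.0.0.1] (localhost [127.0.0.1])"
            }
            if (mode == "replace" && hdr ~ /^[ \t]*(User-Agent|X-Enigmail|X-Mailer|X-Originating-IP)/) {
                hdr = ""; return
            }
            print hdr; hdr = ""
        }
        body     { print; next }                       # body is never touched
        /^$/     { flush(); body = 1; print; next }    # blank line ends the headers
        /^[ \t]/ { hdr = hdr "\n" $0; next }           # folded continuation line
                 { flush(); hdr = $0 }                 # start of a new header
        END      { flush() }'
}

# Constructed message: a submission from an internal workstation.
sample_message() {
    cat <<'EOF'
Received: from workstation.internal (workstation.internal [10.1.2.3])
    by subdomain.hostname.tld (Postfix) with ESMTPSA id CONSTRUCTED1
    for <someone@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
From: tester@hostname.tld
To: someone@example.org
Subject: constructed sample
X-Mailer: SampleClient/1.0

body text only
EOF
}

# Rewritten sample message for mode $1.
rewrite_sample() {
    sample_message | rewrite_received "$1"
}

echo "== Variant A (IGNORE)";  rewrite_sample ignore
echo "== Variant B (REPLACE)"; rewrite_sample replace
```

In both outputs the workstation address is gone; Variant A leaves no Received header at all, Variant B leaves a single one that points at localhost and, with the optional rules, also drops the X-Mailer header.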

Test

That's all. Test the new configuration using MX Toolbox:

http://mxtoolbox.com/diagnostic.aspx

...and you can create an SMTP connection in your e-mail client. Here is an example for Thunderbird:

Server address: IP address of the new mail server
Port: 25
User name: tester
Authentication: Password, secure transmission
Connection security: STARTTLS