My Postfix install - quick and dirty ... or quick and clean ??? :)
======================================================================
FreeBSD 5.4 and ports collection as of December 16th, 2005.
----------------------------------------------------------------------

Install FreeBSD and the ports collection.

First boot:

mv /etc/motd /etc/motd.original ; touch /etc/motd
pw groupadd -g 1000 -n users
adduser (user dogbert, group users, invite to wheel group)

cd /usr/ports/net/cvsup-without-gui/
make install clean
rehash
cp /usr/share/examples/cvsup/ports-supfile /root/
vi /root/ports-supfile

go to line 51 (or around), locate
*default host=CHANGE_THIS.FreeBSD.org
and change it to a cvsup server near to you (see the icmp response time)

cvsup -g -L 2 /root/ports-supfile

cd /usr/src/sys/i386/conf/
cp GENERIC MYKERNEL
vi MYKERNEL
and optimize the kernel for your machine
add the following lines:

# --- Firewall Stuff --- #
options TCP_DROP_SYNFIN      # Drop TCP packets with SYN+FIN
options IPFIREWALL           # Firewall
options IPFIREWALL_VERBOSE   # Print info about dropped packets
options IPDIVERT             # divert (4) sockets for NAT
# --- End Firewall stuff --- #

save the file

config MYKERNEL
cd ../compile/MYKERNEL
make depend
make
make install

vi /etc/rc.conf
add the following lines:

# This machine is a router:
#gateway_enable="YES"
#forward_sourceroute="NO"
#accept_sourceroute="NO"

# No-frills TCP:
tcp_extensions="NO"
tcp_keepalive="YES"
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"

# Tight ICMP control:
icmp_bmcastecho="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# Enable NAT:
#natd_enable="YES"          # Enable natd (if firewall_enable == YES)
#natd_interface="rl0"       # Public interface or IP address to use
#natd_flags="-log_denied -use_sockets"

# Enable firewall
firewall_enable="YES"
firewall_type="OPEN"

save the file.
shutdown -r now

cd /usr/ports/security/openssl
make install clean
mv /usr/bin/openssl /usr/bin/openssl-old
ln -s /usr/local/bin/openssl /usr/bin/openssl

cd /usr/ports/www/apache13-modssl
make install clean
echo apache_enable=\"YES\" >> /etc/rc.conf

create a certificate (http://www.apache-ssl.org/#FAQ)

mkdir /usr/local/etc/rc.d/apache/my-ssl
cd /usr/local/etc/rc.d/apache/my-ssl/

Step one - create the key and request:
openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /usr/local/etc/rc.d/apache/my-ssl/new.cert.cert
SSLCertificateKeyFile /usr/local/etc/rc.d/apache/my-ssl/new.cert.key

Start Apache:
apachectl startssl

Install postfix:

cd /usr/ports/mail/postfix-current/
make install clean

select:
Perl Compatible Regular Expressions
Cyrus SASLv2 (Simple Auth. and Sec. Layer)
Enable SSL and TLS support

Options for postfix 2.3.20051212,2
[X] PCRE      Perl Compatible Regular Expressions
[ ] SASL      Cyrus SASLv1 (Simple Auth. and Sec. Layer)
[X] SASL2     Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[ ] SASLKRB   If your SASL req. Kerberos select this option
[ ] SASLKRB5  If your SASL req. Kerberos5 select this option
[ ] SASLKMIT  If your SASL req. MIT Kerberos5 select this option
[X] TLS       Enable SSL and TLS support
[ ] DB3       Berkeley DB3 (required if SASL built with DB3)
[ ] DB40      Berkeley DB4.0 (required if SASL built with DB4.0)
[ ] DB41      Berkeley DB4.1 (required if SASL built with DB4.1)
[ ] DB42      Berkeley DB4.2 (required if SASL built with DB4.2)
[ ] DB43      Berkeley DB4.3 (required if SASL built with DB4.3)
[ ] MYSQL     MySQL maps (choose version with WITH_MYSQL_VER)
[ ] PGSQL     PostgreSQL maps (choose with DEFAULT_PGSQL_VER)
[ ] OPENLDAP  OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)
[ OK ] Cancel

......
===> Installing for postfix-2.3.20051212,2
===> postfix-2.3.20051212,2 depends on file: /usr/local/lib/libcrypto.so.4 - found
===> postfix-2.3.20051212,2 depends on shared library: pcre.0 - found
===> postfix-2.3.20051212,2 depends on shared library: sasl2.2 - found
Added group "postfix".
Added group "maildrop".
Added user "postfix".
You need user "postfix" added to group "mail".
Would you like me to add it [y]?
Answer "y"
......
Installed HTML documentation in /usr/local/share/doc/postfix
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
Answer "y"

rehash

Stop Sendmail:
/etc/rc.d/sendmail stop

Disable sendmail:

- disable starting sendmail on boot:
echo 'sendmail_enable="NONE"' >> /etc/rc.conf

- disable building sendmail during buildworld (you will move from RELEASE to STABLE, don't you? :-)
echo "NO_SENDMAIL=true" >> /etc/make.conf

- disable sendmail's daily cron jobs:
vi /etc/defaults/periodic.conf
and update this:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Enable Postfix:
cd /usr/local/etc/rc.d/
ln -s /usr/local/sbin/postfix postfix.sh

Update the aliases database:
/usr/local/bin/newaliases

Opiekeys:
touch /etc/opiekeys
chown root:mail /etc/opiekeys
chmod 660 /etc/opiekeys

Start Postfix:
/usr/local/etc/rc.d/postfix.sh start

Verify it works:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myserver.example.com ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Then stop postfix:
postfix stop

Verify the correct libraries have linked in:
ldd /usr/local/libexec/postfix/smtpd
/usr/local/libexec/postfix/smtpd:
        libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x280b1000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280d7000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x280eb000)
        libcrypt.so.2 => /lib/libcrypt.so.2 (0x280f2000)
        libssl.so.4 => /usr/local/lib/libssl.so.4 (0x2810a000)
        libcrypto.so.4 => /usr/local/lib/libcrypto.so.4 (0x28142000)
        libc.so.5 => /lib/libc.so.5 (0x28254000)

cyrus-sasl2 should be already installed by the Postfix setup.

Install cyrus-sasl2-saslauthd:
cd /usr/ports/security/cyrus-sasl2-saslauthd
make install clean

Configure sasl2:
cd /usr/local/lib/sasl2
echo "pwcheck_method: saslauthd" > smtpd.conf

Disable unused sasl authentication methods:
mkdir deactivated
mv *ntlm* deactivated

Add to /etc/rc.conf:
saslauthd_enable="YES"
or saslauthd will not start.
Generate a self signed certificate:
cd /usr/local/etc/postfix/
mkdir ssl
cd ssl
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3652

Update /usr/local/etc/postfix/main.cf
Add these lines:

# UCE Controls: permit SASL2, reject all others
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

# SASL2 specific options
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
# smtpd_recipient_restrictions is already set above; do not define it a second
# time without reject_unauth_destination: Postfix uses the last definition of a
# parameter, so a second copy would drop the relay protection.

# TLS Configuration
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Optionally, these too:

# Increase the message size limit from 10 MB (default) to 50 MB
message_size_limit = 51200000

Tim Yocum says "Pray".

Start Sasl auth daemon:
/usr/local/etc/rc.d/saslauthd.sh start

Start postfix:
postfix start

Verify it works (tls/ssl and auth login):
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.example.com ESMTP Postfix
ehlo server.example2.com
250-server.example.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
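An added check for the main.cf above, not part of this howto: Postfix keeps the last definition when a parameter appears more than once, so a stray second smtpd_recipient_restrictions line without reject_unauth_destination would quietly drop the relay protection. The script resolves a constructed main.cf the way postconf does (last definition wins, continuation lines joined), reports duplicated parameters, and checks that the effective restrictions still refuse unauthorised relaying:

```sh
#!/bin/sh
# Added check, not part of the original howto. Postfix keeps the LAST
# definition when a parameter appears more than once in main.cf, so a second
# smtpd_recipient_restrictions line without reject_unauth_destination quietly
# replaces the first one. This script reports duplicated parameters and
# verifies that the effective restrictions still refuse unauthorised relaying.

# Constructed sample main.cf reproducing that pitfall:
SAMPLE_CF=$(mktemp /tmp/main.cf.XXXXXX)
cat > "$SAMPLE_CF" <<'EOF'
# UCE Controls: permit SASL2, reject all others
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_use_tls = yes
EOF

# Effective (last) value of parameter $2 in file $1, continuation lines
# included; on the live system "postconf -h $2" gives the same answer.
effective_value() {
    awk -v key="$2" '
        /^[^ \t#]/ { inkey = 0; eq = index($0, "=")
            if (eq && substr($0, 1, eq - 1) ~ ("^" key "[ \t]*$")) {
                val = substr($0, eq + 1); inkey = 1 } }
        /^[ \t]/ && inkey { val = val " " $0 }
        END { sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); print val }' "$1"
}

# Names of parameters defined more than once in file $1.
duplicate_params() {
    awk -F'=' '/^[^ \t#]/ && NF > 1 { gsub(/[ \t]/, "", $1); n[$1]++ }
               END { for (k in n) if (n[k] > 1) print k }' "$1"
}

# Succeeds only if the effective recipient restrictions block open relaying.
relay_protected() {
    effective_value "$1" smtpd_recipient_restrictions | grep -q reject_unauth_destination
}

check_main_cf() {
    rc=0
    dups=$(duplicate_params "$1")
    [ -n "$dups" ] && { echo "defined more than once (last one wins):" $dups; rc=1; }
    relay_protected "$1" || { echo "relay protection missing: no reject_unauth_destination in effect"; rc=1; }
    return $rc
}

if check_main_cf "$SAMPLE_CF"; then echo "main.cf OK"; else echo "fix main.cf before starting Postfix"; fi
rm -f "$SAMPLE_CF"
```

Point check_main_cf at /usr/local/etc/postfix/main.cf to run it against the real file.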
Add users to sasldb:
saslpasswd2 dogbert@example.com
Password:
Again (for verification):

Verify the user was added:
sasldblistusers2
dogbert@example.com: userPassword

Install qpopper:
cd /usr/ports/mail/qpopper/
make install clean

Options for qpopper 4.0.8
[ ] APOP_ONLY        build with APOP authentication only
[ ] APOP             build with APOP
[ ] DOCUMENTATION    install pdf documentation
[ ] DRAC             build with Dynamic Relay Authorization
[ ] IPV6             build with IPv6 support
[ ] FULL_POPD_DEBUG  build with more verbose debugging
[ ] PAM              build with PAM authentication
[ ] POPPASSD         build the poppassd daemon
[X] QPOPAUTH_SETUID  install qpopauth setuid to pop user
[ ] SAMPLE_POPUSERS  build a default reject file
[ ] SHY_ENABLED      hide qpopper version in POP3 banner
[X] SSL              build with SSL/TLS support
[ ] STANDALONE_MODE  build qpopper to be run without inetd
[X] U_OPTION         include support for user .qpopper-options
[ OK ] Cancel

......
To enable the qpopper-daemon, add the following line to your /etc/inetd.conf:
pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s

but first create the ssl certificate:
cd /usr/local/etc/qpopper/
mkdir ssl
cd ssl
openssl req -new -x509 -nodes -out qpopper.pem -keyout qpopper.pem -days 3652

Then configure qpopper:
cd /usr/local/etc/
cp qpopper.config.sample qpopper.config
vi qpopper.config
add those lines:
set tls-support = alternate-port
set tls-version = default
set tls-server-cert-file = /usr/local/etc/qpopper/ssl/qpopper.pem
and save.
Then update inetd.conf:
vi /etc/inetd.conf
and add those lines:
pop3  stream tcp nowait root /usr/local/libexec/qpopper qpopper -s
pop3s stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -f /usr/local/etc/qpopper.config

Then restart inetd (send a HUP signal; the [i] keeps grep from matching its own process):
kill -HUP $(ps -ax | grep '[i]netd' | awk '{print $1}')

verify the sockets:
sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      515   4  tcp4   *:110                 *:*
root     inetd      515   7  tcp4   *:995                 *:*
www      httpd      473   16 tcp4   *:443                 *:*
www      httpd      473   17 tcp4   *:80                  *:*
www      httpd      472   16 tcp4   *:443                 *:*
www      httpd      472   17 tcp4   *:80                  *:*
www      httpd      471   16 tcp4   *:443                 *:*
www      httpd      471   17 tcp4   *:80                  *:*
www      httpd      470   16 tcp4   *:443                 *:*
www      httpd      470   17 tcp4   *:80                  *:*
www      httpd      469   16 tcp4   *:443                 *:*
www      httpd      469   17 tcp4   *:80                  *:*
root     master     459   11 tcp4   *:25                  *:*
root     httpd      410   16 tcp4   *:443                 *:*
root     httpd      410   17 tcp4   *:80                  *:*
root     sshd       381   3  tcp4   *:22                  *:*
root     syslogd    266   5  udp4   *:514                 *:*

verify the plain pop3 service:
telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Qpopper (version 4.0.8) at mail.example.com starting.
user dogbert
+OK Password required for dogbert.
pass ******
+OK dogbert has 0 visible messages (0 hidden) in 0 octets.
quit
+OK Pop server at public signing off.
Connection closed by foreign host.

verify the pop3 over ssl using an email client (like thunderbird):
username: dogbert
password: ******
Use secure connection (ssl), port 995

or use openssl to connect to port 995:
openssl s_client -connect localhost:995
and continue the pop3 session as shown above.
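An added check (not part of the original howto) for the sockstat verification above: it reduces sockstat -4 output to listening sockets, compares them with the services this box is meant to expose, and flags the rest. Run against a sample constructed from the howto's own output it singles out syslogd on udp/514, which nothing in this setup needs to be reachable from the network. The expected-services list is an assumption for this page's setup.

```sh
#!/bin/sh
# Added check, not part of the original howto: compare the listening sockets
# that "sockstat -4" reports against the services this box is meant to expose
# and flag everything else. On the real host run: sockstat -4 | check_listeners
# The sample below is constructed from the sockstat output in the howto
# (the httpd children are collapsed into one line each).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      515   4  tcp4   *:110                 *:*
root     inetd      515   7  tcp4   *:995                 *:*
www      httpd      473   16 tcp4   *:443                 *:*
www      httpd      473   17 tcp4   *:80                  *:*
root     master     459   11 tcp4   *:25                  *:*
root     sshd       381   3  tcp4   *:22                  *:*
root     syslogd    266   5  udp4   *:514                 *:*'

# Services that are supposed to be reachable from the network (proto/port):
# ssh, smtp, http, pop3, https, pop3s. Adjust to your own setup.
EXPECTED='tcp4/22 tcp4/25 tcp4/80 tcp4/110 tcp4/443 tcp4/995'

# Reduce sockstat output on stdin to unique "proto/port command" pairs for
# sockets with no peer ("*:*"), i.e. listening sockets.
listeners() {
    awk '$7 == "*:*" { n = split($6, a, ":"); print $5 "/" a[n], $2 }' | sort -u
}

# Print listeners not in EXPECTED; succeed only if there are none.
check_listeners() {
    unexpected=$(listeners | while read -r sock cmd; do
        case " $EXPECTED " in
            *" $sock "*) ;;
            *) echo "$sock ($cmd)" ;;
        esac
    done)
    [ -z "$unexpected" ] && return 0
    echo "unexpected listeners:"
    echo "$unexpected"
    return 1
}

echo "$SAMPLE_SOCKSTAT" | check_listeners || echo "close or firewall what you do not need"
```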
Install the webmail interface:
cd /usr/ports/mail/openwebmail/
make install clean

Options for openwebmail 2.51
[ ] ANTIWORD        AntiWord
[ ] IMAGEMAGICK     ImageMagicK
[ ] ISPELL          ISpell
[ ] LEARNSPAM       Learn HAM/SPAM
[ ] LSOF            lsof
[ ] PAM             PAM
[X] POP3_OVER_SSL   POP3 Over SSL
[ ] QUOTA           Quota
[ ] SPAMCHECK       Spam check (Mail::SpamAssassin)
[ ] SPAMCHECK_ALL   Spam check for all (default: pop3)
[ ] SPEEDYCGI       SpeedyCGI
[X] TNEF            tnef
[ ] VIRUSCHECK      Virus check (Clam AntiVirus)
[ ] VIRUSCHECK_ALL  Virus check for all (default: pop3)
[ ] WGET            wget
[ OK ] Cancel

....
===> Cleaning for libiconv-1.9.2_1
===> Cleaning for p5-MIME-Base64-3.07
===> Cleaning for p5-Text-Iconv-1.4
===> Cleaning for tnef-1.3.4
===> Cleaning for libtool-1.5.20
===> Cleaning for perl-5.8.7
===> Cleaning for openssl-0.9.8a
===> Cleaning for p5-IO-Socket-SSL-0.97
===> Cleaning for p5-Net-SSLeay-1.25
===> Cleaning for openwebmail-2.51

rehash

Fire up Firefox and connect to the web interface:
http://localhost/cgi-bin/openwebmail/openwebmail.pl

Done.

-----------------------------------
References:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
http://renaud.waldura.com/doc/freebsd/firewall/
http://www.csua.berkeley.edu/~ranga/notes/freebsd_postfix.html
http://www.tuxweb.net/howto/mail/bsd/sasl-bsd4x.html
http://yocum.org/faqs/postfix-tls-sasl.html