Postfix "attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different. -- from postfix.org

Although I use Qmail at my workplace, I recently explored Postfix as an alternate MTA and found it to be very useful and easy to configure. In this node, I will attempt to document the various incantations I learned while setting up Postfix on my personal mail server.

So, let us begin:

Delivering to Cyrus Imap

Cyrus is definitely my IMAP server of choice, as it outstrips Courier in almost every respect: it is fast, scalable, secure and cluster ready, and it supports replication, secure authentication, encrypted sessions, and Sieve server-side mail filtering. Because Postfix supports Cyrus' LMTP delivery system out of the box, configuring it to deliver to Cyrus was as simple as:

main.cf:
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

This tells Postfix to use the UNIX Socket to deliver into Cyrus using the LMTP protocol. This is the simplest and fastest transport mechanism available.

Authenticated SMTP versus Cyrus Sasl

With the abundance of spam these days almost every Internet facing mail server requires some form of access control to prevent abuse by spammers. The simplest way to do this is by implementing an access control list that allows anyone to deliver to the local domains but only allowing mail sent from the local LAN to enter the queue for remote mail delivery. When this is impossible (for instance when the sender is connecting from home and has a dynamic IP address) a viable alternative is SMTP Auth. Under this scheme the sender presents a username and password to the mail server verifying that he or she is authorised to send mail to remote hosts through that server.

Another thing I like about Cyrus is the SASL authentication layer. I find it much simpler than PAM, although the two are to some extent complementary. In a situation where Cyrus and Postfix are working in tandem, SASL provides the ideal mechanism for authenticating SMTP as well as IMAP sessions, as it only needs to be configured once in order to handle both services.

The following incantations are required in order to enable SMTP auth against SASL in Postfix.

main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

All of the reject lines above should be used even on systems without authenticated SMTP in order to prevent abuse. Two details matter here: Postfix evaluates the list top to bottom and stops at the first restriction that permits or rejects, so permit_sasl_authenticated must come before reject_unauth_destination if authenticated users are to relay; and in main.cf a continuation line is marked by leading whitespace, not by a trailing backslash.
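To make the first-match behaviour concrete, here is a small model of how Postfix walks that restriction list. This is an added example, not Postfix code and not from the original node: it models only four of the restrictions (the pipelining and unknown-domain checks are ignored), and the local domain set and the sample sessions are constructed assumptions. It also shows what the list degrades to if reject_unauth_destination is left out.

```python
# Added example: a first-match model of smtpd_recipient_restrictions.
# Not Postfix code; only four restrictions are modelled.
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed assumption: stands in for Postfix's mydestination setting.
LOCAL_DOMAINS = {"example.org"}


@dataclass
class Session:
    """What the smtpd knows about one RCPT TO command (constructed)."""
    sender: str
    recipient: str
    sasl_authenticated: bool = False


def is_fqdn(address: str) -> bool:
    """reject_non_fqdn_* want a domain part that contains at least one dot."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return "." in domain.strip(".")


# Each restriction returns a verdict string to stop evaluation, or None
# to pass the decision on to the next restriction in the list.
def permit_sasl_authenticated(s: Session) -> Optional[str]:
    return "OK" if s.sasl_authenticated else None


def reject_unauth_destination(s: Session) -> Optional[str]:
    domain = s.recipient.rsplit("@", 1)[-1]
    return None if domain in LOCAL_DOMAINS else "REJECT relay denied"


def reject_non_fqdn_sender(s: Session) -> Optional[str]:
    return None if is_fqdn(s.sender) else "REJECT sender not fqdn"


def reject_non_fqdn_recipient(s: Session) -> Optional[str]:
    return None if is_fqdn(s.recipient) else "REJECT recipient not fqdn"


# Same order as the main.cf fragment above.
RESTRICTIONS: List[Callable[[Session], Optional[str]]] = [
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
]


def evaluate(session: Session, restrictions=RESTRICTIONS) -> str:
    """Walk the list top to bottom; the first verdict wins.
    Reaching the end of the list means permit, as in Postfix."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict
    return "OK"


if __name__ == "__main__":
    cases = {
        "roaming user, authenticated, relaying":
            Session("alice@example.org", "bob@other.net", sasl_authenticated=True),
        "stranger trying to relay":
            Session("alice@example.org", "bob@other.net"),
        "stranger delivering to a local mailbox":
            Session("alice@other.net", "bob@example.org"),
        "stranger with a non-FQDN sender":
            Session("alice@localhost", "bob@example.org"),
    }
    for label, session in cases.items():
        print(f"{label:45s} -> {evaluate(session)}")
    # Dropping reject_unauth_destination turns the list into an open relay.
    # Postfix itself refuses to start without it; this model has no such guard.
    print("list without reject_unauth_destination      ->",
          evaluate(Session("alice@other.net", "bob@other.net"),
                   [permit_sasl_authenticated]))
```

The last case is the one worth remembering: with permit_sasl_authenticated alone, an unauthenticated client relaying to a foreign domain falls off the end of the list and is permitted.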

Additionally, you need to create the following file either in /etc/sasl/ or in /etc/postfix/sasl under Debian. Cyrus SASL looks for a file named after the application name, so with smtpd_sasl_application_name = smtpd the file must be called smtpd.conf.

smtpd.conf:
pwcheck_method: saslauthd
mech_list: login
mechanisms: pam
saslauthd_path: /var/run/saslauthd/mux

This teaches Postfix to use the Cyrus saslauthd to authenticate sessions.

TLS support

Supplying credentials is all very well but what if somebody sniffs your password? All of your work will have been in vain.

Fortunately, we can use TLS to secure our SMTP sessions by encrypting them with standard ciphers. Then an attacker has to break the cipher before he or she is able to abuse your mail server.

Enabling TLS in Postfix is as simple as generating a certificate with openssl and then adding the following lines (on Postfix 2.3 and later, smtpd_tls_security_level = may is the current spelling of smtpd_use_tls = yes):
main.cf:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then you can sleep easy knowing your SMTP sessions are reasonably secure.
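A quick way to confirm that the password-sniffing problem is actually closed is to look at what the server advertises in its EHLO reply: STARTTLS should be offered on the plaintext connection, AUTH should appear only after the session has been upgraded. The checker below is an added example, not code from the original node; the EHLO replies it parses are constructed samples, and the Postfix parameter that produces the "good" behaviour, smtpd_tls_auth_only = yes, is not mentioned on the page but is a real parameter. The assess_live function runs the same check against a real host with the standard library and is not exercised offline.

```python
# Added example: verify that SMTP AUTH is only advertised behind STARTTLS.
# Not Postfix code. Sample EHLO replies below are constructed.
import re
import smtplib
from typing import Dict, List, Optional

# Constructed EHLO replies, one per connection state.
GOOD_PLAIN = """250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

GOOD_TLS = """250-mail.example.org
250-PIPELINING
250-AUTH LOGIN PLAIN
250 8BITMIME"""

# A server that offers AUTH in the clear and no STARTTLS at all.
BAD_PLAIN = """250-mail.example.org
250-PIPELINING
250-AUTH LOGIN PLAIN
250 8BITMIME"""

Features = Dict[str, List[str]]


def parse_ehlo(reply: str) -> Features:
    """Map each EHLO keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    features: Features = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:              # line 0 is the server's own hostname
        m = re.match(r"250[ -](.*)", line)
        if not m:
            continue
        words = m.group(1).split()
        if words:
            features[words[0].upper()] = words[1:]
    return features


def assess(before_tls: Features, after_tls: Optional[Features]) -> List[str]:
    """Return findings for a defender; an empty list means credentials stay encrypted."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised: sessions cannot be encrypted")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before STARTTLS: a password could cross the wire in the clear")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not offered after STARTTLS: authenticated clients cannot log in")
    return findings


def assess_live(host: str, port: int = 25, helo: str = "probe.example.org") -> List[str]:
    """Same check against a running server (hypothetical host; not run here)."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo(helo)
        # smtplib lower-cases keywords; normalise to the parse_ehlo shape.
        before = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        after = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo(helo)
            after = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return assess(before, after)


if __name__ == "__main__":
    print("good server:", assess(parse_ehlo(GOOD_PLAIN), parse_ehlo(GOOD_TLS)) or "no findings")
    print("bad server: ", assess(parse_ehlo(BAD_PLAIN), None))
```

Run it against your own server with assess_live("mail.example.org") and treat any finding about AUTH before STARTTLS as the one to fix first, since that is precisely the sniffing scenario the TLS section set out to prevent.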

LDAP rfc822mailmember Alias Support

If you're like me you long ago abandoned shadow for identity management and moved to an LDAP database. You can store your mail aliases (extra addresses that are delivered to your mailbox) inside your LDAP directory too.

The following lines enable rfc822mailmember support in Postfix:
main.cf:
alias_maps = hash:/etc/aliases, ldap:ldapaliases
alias_database = hash:/etc/aliases

ldapaliases_server_host = ldap.example.org
ldapaliases_server_port = 389

ldapaliases_search_base = ou=Aliases,dc=example,dc=org
ldapaliases_query_filter = (&(objectClass=nisMailAlias)(|(cn=%u)))
ldapaliases_result_attribute = uid,rfc822mailmember

This will deliver to a corresponding uid or rfc822mailmember entry in your LDAP database under the Aliases OU.

Spam and Virus Filtering via AMaViS

I implemented spam filtering and anti-virus on my MTA using AMaViS, a powerful open source mail scanner with built in support for Postfix, SpamAssassin and Sophie. Implementing AMaViS on Postfix was as simple as:

main.cf:
content_filter = smtp-amavis:127.0.0.1:10024

That was IT. Oh, I had to configure AMaViS too, but that wasn't too hard. See my (todo) AMaViS Spellbook for configuration tips.

All of the information comes from my own postfix configuration files. Some of the most useful howtos I read while learning Postfix were:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
http://www.postfix.org/CYRUS_README.html
http://www.postfix.org/LDAP_README.html
