Postfix

urpmi cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap
 
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'
 
touch /etc/postfix/local-host-names

Edit /etc/postfix/main.cf:

mydestination = 127.0.0.1, gwadanina.net
myhostname = serena

Edit /etc/ftpusers:

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
anonymous
ftp

Edit /etc/postfix/sasl/smtpd.conf:

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list:         plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method:    saslauthd
saslauthd_path:    /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method:    auxprop
#auxprop_plugin:    sasldb
#sasldb_path:       /var/lib/sasl2/sasldb2

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# 2048-bit RSA key; 1024-bit RSA is no longer considered adequate
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
 
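# 'no' allows AUTH (here PLAIN/LOGIN) on connections without TLS; 'yes' restricts AUTH to TLS sessions
postconf -e 'smtpd_tls_auth_only = no'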
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Create a user

Create a user that will own the mail queue:

$ groupadd -g 101 postfix
# useradd leaves the password locked by default, so no extra option is needed
$ useradd -u 101 -g 101 -d /var/spool/postfix -s /bin/false postfix

Also add it to the /etc/aliases file:

postfix: root

Avoid acting as a mail relay

/etc/postfix/main.cf

# $mynetworks relays mail coming from these IP addresses
mynetworks = 192.168.0.0/24, 127.0.0.0/8
# $relay_domains relays mail coming from or destined to
relay_domains = domain.fr
# reject_unauth_destination replaces the obsolete check_relay_domains restriction
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
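
An added example (not part of the original page): a POSIX shell check of main.cf text for the relay rules in this section. It inspects only the text it is given, so compiled-in Postfix defaults are not considered; the function names and sample fragments are constructed for illustration.

```shell
# Added example, not from the original page. Function names are hypothetical.
# cf_get NAME: read main.cf text on stdin and print the value of NAME as
# space-separated words. The last definition wins; indented lines continue it.
cf_get() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == want) val = val " " $0; next }
        {
            eq = index($0, "="); if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            if (cur == want) val = substr($0, eq + 1)
        }
        END { gsub(/[ \t,]+/, " ", val); gsub(/^ | $/, "", val); print val }'
}

# audit_relay: read main.cf text on stdin, print one finding per line.
audit_relay() {
    cf=$(cat); guarded=no
    set -f    # values such as [::1]/128 must not be expanded as file globs
    for r in $(printf '%s\n' "$cf" | cf_get smtpd_recipient_restrictions); do
        case "$r" in
            reject_unauth_destination|defer_unauth_destination) guarded=yes; break ;;
            check_relay_domains) echo "OBSOLETE: check_relay_domains"; guarded=yes; break ;;
            permit) break ;;    # everything after an unconditional permit is dead
        esac
    done
    [ "$guarded" = yes ] || echo "OPEN-RELAY: no relay guard is reached in smtpd_recipient_restrictions"
    for n in $(printf '%s\n' "$cf" | cf_get mynetworks); do
        case "$n" in
            0.0.0.0/0|'[::]/0') echo "OPEN-RELAY: mynetworks trusts every address ($n)" ;;
        esac
    done
    set +f
}

# Constructed fragments: one unsafe, one using the restrictions from this page.
sample_bad() {
    cat <<'EOF'
mynetworks = 192.168.0.0/24, 127.0.0.0/8,
    0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit, reject_unauth_destination
EOF
}
sample_good() {
    printf '%s\n' 'mynetworks = 192.168.0.0/24, 127.0.0.0/8' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
}
sample_bad | audit_relay
```

On a live host the same check can be fed the real file: audit_relay < /etc/postfix/main.cf.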

Log management

Add to syslog.conf:

mail.*			/var/log/mail.log
mail.info		/var/log/mail.info
mail.warn		/var/log/mail.warn
mail.err		/var/log/mail.err

Restart syslogd.
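
An added example (not part of the original page): with mail.* written to /var/log/mail.log as configured above, failed SMTP AUTH attempts against the SASL setup can be counted per client address. The sample lines are constructed in the usual Postfix smtpd log shape and the function names are hypothetical.

```shell
# Added example, not from the original page. Function names are hypothetical.

# sasl_failures MIN: read syslog lines on stdin and print "count address" for
# each client address with at least MIN failed SMTP AUTH attempts, worst first.
sasl_failures() {
    awk -v min="$1" '
        match($0, /\[[0-9A-Fa-f.:]+\]: SASL [A-Za-z0-9-]+ authentication failed/) {
            rest = substr($0, RSTART + 1)
            fails[substr(rest, 1, index(rest, "]") - 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min + 0) print fails[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, invented queue id).
sample_log() {
    cat <<'EOF'
Oct 13 14:01:02 serena postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Oct 13 14:01:03 serena postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 13 14:01:05 serena postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 13 14:01:09 serena postfix/smtpd[2103]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Oct 13 14:01:11 serena postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct 13 14:01:14 serena postfix/smtpd[2104]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Oct 13 14:01:20 serena postfix/smtpd[2104]: 4F1B2C0D3E: client=unknown[198.51.100.20], sasl_method=LOGIN, sasl_username=alice
Oct 13 14:01:31 serena postfix/smtpd[2103]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Oct 13 14:01:40 serena postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
EOF
}

sample_log | sasl_failures 2
```

On a live host, feed it the real log instead: sasl_failures 10 < /var/log/mail.log.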

Change the mail software name

/etc/postfix/main.cf

mail_name = Microsoft Exchange
mail_version = 5.5     
smtpd_banner = ESMTP $mail_name ($mail_version)

Verifying valid users

/etc/postfix/main.cf

disable_vrfy_command = yes

chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart

Postfix via Google Apps

$ aptitude install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
 
# back up the original configuration file
$ cp /etc/postfix/main.cf /etc/postfix/main.cf.backup

# add the following lines to the configuration file
$ nano /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_google_apps_password
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_sasl_auth_enable = yes
# smtp_use_tls = yes is opportunistic; smtp_tls_security_level = encrypt makes TLS mandatory
smtp_use_tls = yes

$ mkdir -p /etc/postfix/sasl
$ nano /etc/postfix/sasl/sasl_google_apps_password
# add the following line: [smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD

# fix the permissions
$ chmod 400 /etc/postfix/sasl/sasl_google_apps_password

# update the postfix lookup table
$ postmap /etc/postfix/sasl/sasl_google_apps_password

# add the certificates
$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | tee -a /etc/postfix/cacert.pem
$ cat /etc/ssl/certs/ca-certificates.crt | tee -a /etc/postfix/cacert.pem

# restart the mail server
$ /etc/init.d/postfix restart

# add a new firewall rule
$ iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT

# test sending mail
$ echo "Test de mail depuis postfix" | mail -s "Test Postfix" test@_gwadanina.net_

$ tail -f /var/log/mail.err /var/log/mail.log

# test the connection to Google
$ openssl s_client -starttls smtp -connect smtp.gmail.com:587

# configure the mail aliases
$ nano /etc/aliases
# root: postmaster
# postmaster:  backoffice@_gwadanina.net_

# apply
$ newaliases
$ postfix reload
  • Last modified: 2018/10/13 14:59
  • (external edit)