serveurmail:postfix

Postfix

lecture http://www.cedratnet.fr/opensource/postfix/
lecture http://www.howtoforge.com/perfect_setup_mandriva_2006_p5

Instalation

urpmi cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap
 
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'
 
touch /etc/postfix/local-host-names

Edit : /etc/postfix/main.cf: 

mydestination = 127.0.0.1, gwadanina.net
myhostname = serena

Edit /etc/ftpusers: 

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
anonymous
ftp

Edit /etc/postfix/sasl/smtpd.conf 

# The mech_list parameters list the sasl mechanisms to use,
 
# default being all mechs found.
 
mech_list:         plain login
 
 
# To authenticate using the separate saslauthd daemon, (e.g. for
 
# system or ldap users). Also see /etc/sysconfig/saslauthd.
 
pwcheck_method:    saslauthd
 
saslauthd_path:    /var/lib/sasl2/mux
 
 
# To authenticate against users stored in sasldb.
 
#pwcheck_method:    auxprop
 
#auxprop_plugin:    sasldb
 
#sasldb_path:       /var/lib/sasl2/sasldb2

Sécurisation

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
 
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Créer un utilisateur

Créer un utilisateur qui sera propriétaire de la file d'attente: 

$groupadd -g 101 postfix
$useradd -u 101 -g 101 --disable-password -d /var/spool/postfix -s /bin/false postfix

Ajoutez-le aussi dans le fichier /etc/aliases : 

postfix: root

Eviter de servir de relai de messagerie

/etc/postfix/main.cf 

# $mynetworks relais les mails venant d'adresses IP
mynetworks = 192.168.0.0/24, 127.0.0.0/8
# $relay_domain relais les mails venant ou à destination 
relay_domain = domain.fr
smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains

Gestion des logs

A mettre dans syslog.conf 

mail.*			/var/log/mail.log
mail.info		/var/log/mail.info
mail.warn		/var/log/mail.warn
mail.err		/var/log/mail.err

Relancer syslogd

Changer le nom du logiciel de mail

/etc/postfix/main.cf 

mail_name = Microsoft Exchange
mail_version = 5.5     
smtpd_banner = ESMTP $mail_name ($mail_version)

Vérifier les utilisateurs valides

/etc/postfix/main.cf 

disable_vrfy_command = yes

Démarage

chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart

Postfix via Google Apps

$ aptitude install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
 
# backup du fichier de configuration d'origine
$ cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
 
# ajouter les lignes suivante dans le fichier de configuration
$ nano /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_google_apps_password
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
$ mkdir -p /etc/postfix/sasl
$ nano /etc/postfix/sasl/sasl_google_apps_password
# ajouter la ligne suivante : [smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD
 
# correction des permissions
$ chmod 400 /etc/postfix/sasl/sasl_google_apps_password
 
# mise à jour de la configuration postfix
$ postmap /etc/postfix/sasl/sasl_google_apps_password
 
# ajouter les certificats
$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | tee -a /etc/postfix/cacert.pem
$ cat /etc/ssl/certs/ca-certificates.crt | tee -a /etc/postfix/cacert.pem
 
 
# relancer le serveur de mail
$ /etc/init.d/postfix restart
 
# rajouter une nouvelle règle de firewall
$ iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
 
# tester l'envoi de mail
$ echo "Test de mail depuis postfix" | mail -s "Test Postfix" test@_gwadanina.net_
 
$ tail -f mail.err mail.log
# test de connexion vers google 
$ openssl s_client -starttls smtp -connect smtp.gmail.com:587
# configuration des alias de mail 
$ nano /etc/aliases
# root: postmaster
# postmaster:  backoffice@_gwadanina.net_
 
# valider
$ newaliases
$ postfix reload
  • serveurmail/postfix.txt
  • Dernière modification: 2018/10/13 14:59
  • (modification externe)