====== Postfix ======

^ Reading | http://www.cedratnet.fr/opensource/postfix/ |
^ Reading | http://www.howtoforge.com/perfect_setup_mandriva_2006_p5 |

===== Installation =====

<code bash>
urpmi cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'
touch /etc/postfix/local-host-names
</code>

Edit ///etc/postfix/main.cf//:

<code>
mydestination = 127.0.0.1, gwadanina.net
myhostname = serena
</code>

Edit ///etc/ftpusers// (one account per line; these accounts are denied FTP login):

<code>
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
anonymous
ftp
</code>

Edit ///etc/postfix/sasl/smtpd.conf//:

<code>
# The mech_list parameter lists the SASL mechanisms to offer,
# the default being all mechanisms found.
mech_list: plain login
# To authenticate using the separate saslauthd daemon (e.g. for
# system or LDAP users). Also see /etc/sysconfig/saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/lib/sasl2/mux
# To authenticate against users stored in sasldb instead:
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#sasldb_path: /var/lib/sasl2/sasldb2
</code>

===== Hardening =====

<code bash>
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# 2048-bit key; the 1024-bit size used when this page was written is too short today
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# strip the passphrase so Postfix can load the key unattended, then re-restrict the new file
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
</code>

With //mech_list: plain login//, passwords travel in clear text unless the session is encrypted. Once STARTTLS is confirmed to work, set //smtpd_tls_auth_only = yes// so that AUTH is only offered inside a TLS session.

=== Create a user ===

Create the user that will own the mail queue (no password is set, so the account cannot log in interactively):

<code bash>
groupadd -g 101 postfix
useradd -u 101 -g 101 -d /var/spool/postfix -s /bin/false postfix
</code>

Also add it to ///etc/aliases//:

<code>
postfix: root
</code>

=== Avoid acting as a mail relay ===

///etc/postfix/main.cf//:

<code>
# $mynetworks: relay mail coming from these IP addresses
mynetworks = 192.168.0.0/24, 127.0.0.0/8
# $relay_domains: destination domains for which mail is relayed
relay_domains = domain.fr
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
</code>

The parameter is //relay_domains// (a //relay_domain// line is silently ignored), and //check_relay_domains// is obsolete: //reject_unauth_destination// is its replacement and rejects any recipient outside //$mydestination// and //$relay_domains//. This line overrides the restriction set in the installation section; keep //permit_sasl_authenticated// in the list if authenticated clients outside //$mynetworks// must be able to send through the server.

=== Log management ===

Put this in //syslog.conf//:

<code>
mail.*      /var/log/mail.log
mail.info   /var/log/mail.info
mail.warn   /var/log/mail.warn
mail.err    /var/log/mail.err
</code>

Restart //syslogd//.

=== Change the mail software name ===

///etc/postfix/main.cf//:

<code>
mail_name = Microsoft Exchange
mail_version = 5.5
# the SMTP banner must begin with the host name; the rest is free text
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
</code>

=== Checking for valid users ===

Disabling VRFY stops remote clients from asking the server which local accounts exist. ///etc/postfix/main.cf//:

<code>
disable_vrfy_command = yes
</code>

===== Startup =====

<code bash>
chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart
</code>

====== Postfix via Google Apps ======

<code bash>
$ aptitude install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
# back up the original configuration file
$ cp /etc/postfix/main.cf /etc/postfix/main.cf.backup
# add the following lines to the configuration file
$ nano /etc/postfix/main.cf
</code>

<code>
relayhost = [smtp.gmail.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_google_apps_password
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
</code>

<code bash>
$ mkdir -p /etc/postfix/sasl
$ nano /etc/postfix/sasl/sasl_google_apps_password
# add the following line:
#   [smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD
# fix the permissions
$ chmod 400 /etc/postfix/sasl/sasl_google_apps_password
# build the Postfix lookup table
$ postmap /etc/postfix/sasl/sasl_google_apps_password
# postmap creates the .db with the default umask; restrict it too, it holds the same password
$ chmod 600 /etc/postfix/sasl/sasl_google_apps_password.db
# add the certificates
$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | tee -a /etc/postfix/cacert.pem
$ cat /etc/ssl/certs/ca-certificates.crt | tee -a /etc/postfix/cacert.pem
# restart the mail server
$ /etc/init.d/postfix restart
# add a new firewall rule
$ iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
# test sending mail
$ echo "Test mail from postfix" | mail -s "Test Postfix" test@gwadanina.net
$ tail -f /var/log/mail.err /var/log/mail.log
# test the connection to Google
$ openssl s_client -starttls smtp -connect smtp.gmail.com:587
# configure the mail aliases
$ nano /etc/aliases
#   root: postmaster
#   postmaster: backoffice@gwadanina.net
# apply
$ newaliases
$ postfix reload
</code>
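The hardening points above (AUTH only under TLS, VRFY disabled, a recipient restriction that actually refuses relaying, the //relay_domains// spelling) can be checked mechanically. The script below is an added example and not part of the original page: it parses a copy of //main.cf// rather than calling //postconf//, the helper names (//get_param//, //audit_main_cf//, //finding_count//, //write_sample_cf//) are this example's own, and the sample configuration it audits is constructed to mirror the weak settings discussed above.

```shell
# Added example, not from the original page: audit a Postfix main.cf for the
# settings discussed above. Helper names are this example's own assumptions.
# get_param FILE NAME: print the value of NAME (Postfix keeps the last
# definition, so the last match wins); prints nothing if NAME is not set.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# audit_main_cf FILE: print one line per weak or mistyped setting.
audit_main_cf() {
    f=$1
    if [ "$(get_param "$f" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(get_param "$f" smtpd_tls_auth_only)" != yes ]; then
        echo "smtpd_tls_auth_only != yes: PLAIN/LOGIN passwords are accepted in clear text"
    fi
    if [ "$(get_param "$f" disable_vrfy_command)" != yes ]; then
        echo "disable_vrfy_command != yes: VRFY lets remote clients enumerate local users"
    fi
    r=$(get_param "$f" smtpd_recipient_restrictions)
    case "$r" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay risk" ;;
    esac
    case "$r" in
        *check_relay_domains*) echo "check_relay_domains is obsolete; use reject_unauth_destination" ;;
    esac
    if [ -n "$(get_param "$f" relay_domain)" ]; then
        echo "relay_domain is not a Postfix parameter (the name is relay_domains); it is ignored"
    fi
}
# finding_count FILE: number of findings, 0 for a clean file.
finding_count() {
    audit_main_cf "$1" | wc -l | tr -d ' '
}
# write_sample_cf FILE: constructed sample reproducing the weak relay settings above.
write_sample_cf() {
    cat > "$1" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domain = domain.fr
smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains
EOF
}
# Stand-alone run: audit the constructed sample (five findings).
tmp=$(mktemp)
write_sample_cf "$tmp"
audit_main_cf "$tmp"
rm -f "$tmp"
```

Run it against a real file with `audit_main_cf /etc/postfix/main.cf`; an empty output means every check passed.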