The long-awaited Postfix setup details

Right… I’ve been meaning to put these details up for a long time now, but I’ve got some free time (well, made some) and am going to put them up for future reference.

The system allows for every kind of service via SMTP. It is capable of remote relaying (incoming and outgoing), relaying certain users on a domain to another MTA, hosting users, forwarding users, forwarding entire domains, multiple administrators, mail graphs, and probably some more I’ve forgotten. Also implemented is spam and virus checking, along with DKIM and DomainKeys (dk) signing.

First off, I’m running Ubuntu (but any deb-based distro should be the same). Hopefully I’ve remembered all the packages I installed; if not, please do correct this later.

sudo apt-get install courier-imap-ssl courier-pop-ssl courier-authlib-mysql postfix-mysql mailgraph dkim-filter dk-filter clamav-daemon clamav-freshclam spamassassin mysql-server amavisd-new libapache2-mod-php5 php5-mysql

That should be enough to pull in all the dependencies anyway. Don’t worry if certain things don’t start up (like spamassassin); that’s because we will use them through the API rather than through a socket.

You should be sure to set your mysql root password (mysqladmin -u root password "newpassword").

Then we need to set up the MySQL tables. This is nice and easy: just download tables.conf and run:

mysql -u root -p < tables.conf

Then we need to set up the postfix user and password in MySQL, so open up the MySQL command line ("mysql -u root -p") and type:

GRANT SELECT ON mail_database.* TO [email protected] IDENTIFIED BY 'POSTFIX_PASSWORD';
GRANT SELECT, INSERT, DELETE, UPDATE ON mail_database.* TO [email protected] IDENTIFIED BY 'mail_adminpassw0rd';

You might want to change POSTFIX_PASSWORD, but you will then need to change it in the postfix files later (many times!).

Then to set up postfix... To do this just wipe out your /etc/postfix/ and overwrite it with the contents of postfix.tar.gz ("tar -xzvf postfix.tar.gz"). You need to edit a couple of things in these files. First of all, if you changed POSTFIX_PASSWORD earlier you need to change it in anything that has mysql in its name, and in sasl/smtp.conf for user SMTP authentication. You should also add any hosts you wish to relay for in hosts.conf; each entry can be either an IP or a full hostname (DNS name). I’m not 100% sure if this is required, but I did it anyway: any relaying host IP is appended to my_networks in at the bottom. sh.list should have the IPs of relaying hosts in it too, for the domain keys implementation. You should then make sure you set the permissions correctly:

sudo chown -R root:root /etc/postfix/

In the domainkeys directory you need to create an RSA key pair in public.key and private.key. This is easy enough, just run:

sudo openssl genrsa -out /etc/postfix/domainkeys/private.key 768
sudo openssl rsa -in /etc/postfix/domainkeys/private.key -out /etc/postfix/domainkeys/public.key -pubout -outform PEM
sudo chmod 400 /etc/postfix/domainkeys/private.key

Putting your public key in your DNS record is required next, but this is up to you.
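The DNS step left to the reader above, as an added example that is not part of the original post: it turns public.key into a zone-file TXT record and refuses any file that is not a PEM public key, so private.key cannot be published by mistake. The selector `mail` and domain `example.com` are placeholders; use the selector set in your dkim-filter.conf.

```shell
#!/bin/sh
# Added example: build the <selector>._domainkey TXT record from a PEM public key.
# "k=rsa; p=<base64>" is the key-record form read by both DomainKeys and DKIM verifiers.

# Print the base64 body of a PEM file as one line (armor lines removed).
pem_body() {
    grep -v '^-----' "$1" | tr -d ' \r\n'
}

# Usage: dkim_txt_record mail example.com /etc/postfix/domainkeys/public.key
dkim_txt_record() {
    selector=$1; domain=$2; pem=$3
    # Guard: only accept a public key, never the private half of the pair.
    if ! grep -q '^-----BEGIN PUBLIC KEY-----' "$pem"; then
        echo "refusing $pem: not a PEM public key" >&2
        return 1
    fi
    value="k=rsa; p=$(pem_body "$pem")"
    printf '%s._domainkey.%s. IN TXT (' "$selector" "$domain"
    # A single TXT string holds at most 255 bytes, so longer values are
    # emitted as several quoted strings, which resolvers concatenate.
    printf '%s\n' "$value" | fold -w 255 | while IFS= read -r chunk; do
        printf ' "%s"' "$chunk"
    done
    printf ' )\n'
}
```

The 768-bit key generated above fits in one string. RFC 8301 requires DKIM signers to use RSA keys of at least 1024 bits, and a 2048-bit key produces a value longer than 255 bytes, which is the case the split handles.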

Next you need to set up your domainkeys. Just put dkim-filter.conf into your /etc/ directory, replacing your existing dkim-filter.conf, and add all the domains you want to sign to the Domain line in it. Then you need to alter your /etc/default/dk-filter so it reads:

SOCKET=”inet:[email protected]

and your /etc/default/dkim-filter so it reads:

SOCKET=”inet:[email protected]

Now to set up your spam and virus filtering. Just open up /etc/amavis/conf.d/15-content_filter_mode ("sudo nano /etc/amavis/conf.d/15-content_filter_mode") and uncomment the four lines that mention bypass (the word appears in them a lot). I made a few changes to 20-debian_defaults as well because I wanted more things to just black-hole than bounce, but that’s not necessary, so it is undocumented here. The man pages are rather good if you’re interested in doing that. Finally I added the following to /etc/amavis/conf.d/50-user:

$log_level = 0;
$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 4.5;
$sa_kill_level_deflt = 10;

Now to move on to courier. This is much easier. Extract courier.tar.gz into /etc/courier/, overwriting everything there. Then edit /etc/courier/authmysqlrc to change POSTFIX_PASSWORD to whatever you set it to above. Then run the following to set up the SSL certificates. Make sure the CommonName is set to your server hostname.

cd /etc/courier/
sudo openssl genrsa -out mail.key
sudo chmod 400 mail.key
sudo openssl req -new -nodes -key mail.key -out mail.csr

Now visit and send them your mail.csr. They will send you back a signed certificate; you need to save this as /etc/courier/mail.crt, then finish running the rest:

sudo sh -c 'cat mail.key mail.crt > /etc/courier/imapd.pem'
sudo sh -c 'openssl gendh >> /etc/courier/imapd.pem'
sudo cp /etc/courier/imapd.pem /etc/courier/pop3d.pem

That’s everything other than the admin console now… So for that we need to create a host, apache does this for us on install, so that was easy 🙂 Now just extract admin.tar.gz to /var/www/ and we’re done.

Now to restart all the services….

sudo /etc/init.d/apache2 restart
sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/courier-imap-ssl restart
sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-pop3-ssl restart
sudo /etc/init.d/courier-pop3 restart
sudo /etc/init.d/amavis restart
sudo /etc/init.d/postfix restart
sudo /etc/init.d/dk-filter restart
sudo /etc/init.d/dkim-filter restart

To configure, you need to visit http://localhost/ in your browser. The default username is ‘admin’ and the default password is ‘password’; make sure you change this.
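A post-install check for the credentials this guide publishes, as an added example that is not part of the original post: it reports files that still contain POSTFIX_PASSWORD or mail_adminpassw0rd, and password-bearing files that any local user can read. It assumes the layout described above (/etc/postfix, /etc/courier/authmysqlrc, admin console under /var/www); the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reports credential files from
# this guide that still hold a published value or are world-readable.

# Files the guide says carry the MySQL password: anything under the postfix
# directory with "mysql" in its name, sasl/smtp.conf, and courier's authmysqlrc.
credential_files() {
    find "$1" -type f \( -name '*mysql*' -o -path '*/sasl/smtp.conf' \) 2>/dev/null
    if [ -f "$2/authmysqlrc" ]; then printf '%s\n' "$2/authmysqlrc"; fi
}

# Usage: audit_mail_credentials /etc/postfix /etc/courier /var/www
# Prints one finding per line: "PLACEHOLDER <file>" or "WORLD-READABLE <file>".
audit_mail_credentials() {
    credential_files "$1" "$2" | sort | while IFS= read -r f; do
        # The two passwords printed in the guide, matched as fixed strings.
        if grep -qF -e POSTFIX_PASSWORD -e mail_adminpassw0rd "$f"; then
            printf 'PLACEHOLDER %s\n' "$f"
        fi
        # -perm -004 matches when the "other" read bit is set.
        if [ -n "$(find "$f" -perm -004)" ]; then
            printf 'WORLD-READABLE %s\n' "$f"
        fi
    done
    # The admin console was extracted under the web root; look there for the
    # mail_admin database password published in the guide.
    grep -rlF mail_adminpassw0rd "$3" 2>/dev/null | sort | sed 's/^/PLACEHOLDER /'
}
```

Run it with sudo so the root-owned files are readable; no output means none of the checked files matched.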
