Using Postfix to Build a Masterful Mail Server


Every business needs email, but not every business wants an expensive proprietary email server like Exchange Server. If you prefer a free mail server, consider Postfix, an open source mail transfer agent that implements SMTP. Running Postfix on CentOS, an enterprise-level Linux distribution derived from Red Hat Enterprise Linux, gives you a reliable, proven messaging solution.


Postfix is a feature-rich email server. It offers advantages over alternatives such as Sendmail and Exim in areas like security, features, ease of use, and support.

In security, for example, according to the Common Vulnerabilities and Exposures database, Postfix had no listed security vulnerabilities for 2009 and 2010, versus three for Sendmail in 2009 and four for Exim in 2010. This year, however, all three mail servers have had security-related problems: two for Postfix, one for Sendmail, and two for Exim.

In terms of features, Postfix offers:

    • IPv6 support

    • SASL and TLS authentication

    • Configurable delivery status notification message text

    • A Sender Policy Framework (SPF) plugin for spam control


    • Maildir and mailbox format

    • Virtual domains

    • Masquerading addresses in outbound SMTP mail

    • Selective address rewriting



Out of the box Postfix works as a standalone server using direct Internet access. You can easily configure the mail server by editing a few simple text files. If you need help, Postfix has a host of resources available at postfix.org, including online documentation, how-tos, FAQs, and mailing lists.

 

Types of Setup


Before you set up Postfix, you must decide where on your network you want it hosted. You can configure the mail server to work in different ways depending on which side of the firewall it is located.


A Postfix server on the Internet has full send, receive, and routing capability. Users submit their mail directly to it over SMTP, it stores the messages, and clients behind the firewall retrieve them over POP3 or IMAP. Mail from one internal user to another therefore leaves the internal network to reach the server and comes back in again.

Internet-facing servers are easy to configure and deploy, but they sit outside your firewall and are directly exposed to every attacker on the Internet. Alternatively, you can run Postfix as a local server behind the firewall, or as a firewall gateway that relays messages from an Internet-facing server to an internal one. A gateway reduces the risk that a breach reaches your internal network, but it is more complex to configure correctly and requires a separate internal mail server. A purely internal server offers the best protection, but it must be paired with an external server to receive mail from the Internet.

Setting Up a Standalone Internet Server with TLS


We installed Postfix on an Internet-facing server running CentOS, whose latest version we reviewed last month. Many CentOS deployments run Sendmail by default, and the two MTAs conflict, so remove Sendmail before installing Postfix. Open a terminal window, switch user to root (su -), and run the command yum remove sendmail. Then install Postfix with yum -y install postfix, and make sure it starts at boot with chkconfig postfix on.



Before you can start using Postfix you must tweak its configuration file. Edit /etc/postfix/main.cf and find the line for inet_interfaces. The CentOS main.cf sets it to localhost, which means Postfix only accepts connections from programs running on the server itself. Set it to:

inet_interfaces = your IP address, localhost

Replace "your IP address" with the address of your server (inet_interfaces = all listens on every address the machine has). This lets Postfix accept SMTP connections from external clients, not just from those running on the server.



By default the SMTP greeting banner that Postfix sends to every connecting client is $myhostname ESMTP $mail_name, which announces that the server runs Postfix. It's best to give attackers as little information as possible about your server, so trim the banner by finding the line for smtpd_banner in the configuration file and setting it to:

smtpd_banner = $myhostname ESMTP


Save the file and exit the editor.



Next, enable Transport Layer Security (TLS), which lets Postfix receive messages over an encrypted connection. Without it, anyone on the network path can read the SMTP session, message contents included, because the messages themselves are plain text or HTML. TLS requires a certificate that identifies the server. You can be your own certificate authority (CA) and sign your own certificates, as we do here, or you can pay a commercial CA to sign them. Bear in mind that a client trusts a certificate only if it trusts the CA that signed it, so with a private CA you must import the CA certificate into each mail client, or the client will warn about an untrusted certificate on every connection.


Change directory to the TLS directory with the command cd /etc/pki/tls/misc and set up a certificate authority with the command ./CA -newca. Answer the prompts for distinguished name and password; the password protects the CA's private key and is needed every time you sign a certificate. For the CA itself, the Common Name is a descriptive name for the authority, e.g. Example Corp Mail CA, and should differ from the Common Name you will give the server certificate. When you generate the server certificate, its Common Name must be the fully qualified domain name that clients connect to, e.g. mail.example.com, not your own name: a mismatch between the certificate's Common Name and the hostname in the client's settings is a frequent cause of server certificate warnings.

Change into the certificate directory with cd /etc/pki/tls/certs and generate a key pair and a certificate signing request for the mail server:

 

openssl genrsa -out mailserverkey.pem 2048
openssl req -new -key mailserverkey.pem -out mailserver.csr

Answer the distinguished name questions as before, giving the server's fully qualified domain name as the Common Name; the challenge password can be left empty. With the default CentOS openssl.cnf policy (policy_match), the country, state, and organization in the request must match those of the CA, or openssl ca refuses to sign. Sign the certificate using the command openssl ca -in mailserver.csr -out mailservercert.pem. Enter the CA password you chose above and confirm that the certificate should be signed and committed; a copy of every certificate you issue is kept in /etc/pki/CA/newcerts.

Next, create a public key infrastructure (PKI) directory for the mail certificates and set the appropriate ownership and permissions:
mkdir /etc/pki/tls/mail
chown root:root /etc/pki/tls/mail
chmod 755 /etc/pki/tls/mail

Copy the certificate and key to the PKI directory so it can be used for mail certificates and set the appropriate ownership and permissions on the files:
cp mailservercert.pem /etc/pki/tls/mail/
cp mailserverkey.pem /etc/pki/tls/mail/
chown root:root /etc/pki/tls/mail/mailserverkey.pem
chown root:root /etc/pki/tls/mail/mailservercert.pem
chmod 600 /etc/pki/tls/mail/mailserverkey.pem
chmod 644 /etc/pki/tls/mail/mailservercert.pem

To configure Postfix to use these certificates, edit main.cf, go to the end of the file, and add the following lines:
smtpd_tls_CApath = /etc/pki/CA
smtpd_tls_CAfile = /etc/pki/CA/cacert.pem
smtpd_tls_cert_file = /etc/pki/tls/mail/mailservercert.pem
smtpd_tls_key_file = /etc/pki/tls/mail/mailserverkey.pem
smtpd_tls_security_level = may


The smtpd_tls_security_level directive tells Postfix to offer TLS (it advertises STARTTLS) when receiving messages, but not to require it. This is the right setting on port 25: other mail servers on the Internet are not obliged to support TLS, and a level of encrypt would stop them delivering to you. The directive exists in Postfix 2.3 and later; older releases use smtpd_use_tls = yes instead.

To enable all the changes, restart Postfix with the command service postfix restart.

To see if you got the TLS configuration right, use an email client with TLS enabled to send a test message. The way you enable TLS is different in each client, but in general, look in the account settings for the section that defines the outgoing SMTP server. Make sure it is configured to use a secure connection with TLS.



You can troubleshoot the configuration, if necessary, in a couple of ways. Postfix logs its actions to /var/log/maillog. During setup and testing it is useful to keep a terminal window open and watch the log with the command tail -f /var/log/maillog; successful TLS handshakes are logged there too. The mailq command shows what is waiting in the mail queue, postconf -n prints every setting you have changed from its default (handy for spotting a misspelled parameter name, which Postfix otherwise only warns about), and postfix check validates the configuration and the permissions of the Postfix directories.

Dovecot POP3 and IMAP Server


Postfix handles the delivery of messages to the mailbox, but users need a way to get at them. For that, use Dovecot, a POP3 and IMAP4 server.



Make sure Dovecot is installed and set to start on boot up:

yum -y install dovecot
chkconfig --levels 235 dovecot on

For security, as with Postfix, it is best to change the greeting message. Edit /etc/dovecot.conf and find the line for login_greeting. Set it to:
login_greeting = Ready.

Next, limit the available protocols to those that run over an encrypted connection. This disables the unencrypted IMAP (port 143) and POP3 (port 110) listeners, so clients must use IMAPS on port 993 or POP3S on port 995. Find the line for protocols. If it is commented out, remove the # sign, and set it to:
protocols = imaps pop3s

To configure Dovecot to use the certificate created for Postfix, find the lines for ssl_cert_file, ssl_key_file, and ssl_ca_file in dovecot.conf and set them to the following. (These directive names belong to the Dovecot 1.x that ships with CentOS 5; Dovecot 2 renamed them to ssl_cert, ssl_key, and ssl_ca, with the path prefixed by < so the value is read from the file.)
ssl_cert_file = /etc/pki/tls/mail/mailservercert.pem
ssl_key_file = /etc/pki/tls/mail/mailserverkey.pem
ssl_ca_file = /etc/pki/CA/cacert.pem


To ensure it is all working, use an email client with SSL/TLS enabled to connect to the server over POP3S (port 995) or IMAPS (port 993). The way you enable this differs in each client: look in the account settings for the incoming server definition and make sure the client is configured to use a secure (SSL/TLS) connection. If the client warns about an untrusted certificate, it does not yet trust your CA; import /etc/pki/CA/cacert.pem into it.

 

Postfix, SASL, and Dovecot


For additional security you should also implement the Simple Authentication and Security Layer (SASL), which authenticates users before they are allowed to submit messages for relaying. Postfix does not implement SASL itself; it can use either the Cyrus SASL library or Dovecot's authentication server, and since Dovecot is already installed we use it here. Setting up SASL therefore involves two steps: first, configure Dovecot's authentication mechanisms and the socket Postfix talks to; second, configure Postfix to use the SASL service that Dovecot provides.



Edit /etc/dovecot.conf and find the start of the authentication section: auth default {. Within that section find the mechanisms line and replace it with:

mechanisms = plain login

PLAIN and LOGIN both send the password base64-encoded but not encrypted, so they are only safe inside a TLS session. Dovecot's disable_plaintext_auth = yes (the default) refuses them on unencrypted IMAP and POP3 connections, and with only imaps and pop3s enabled there are no such connections anyway.

Still within the authentication section, find the line socket listen {. It is commented out with a # at the start of the line. Above it insert:
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}

To configure Postfix to use SASL, edit main.cf, go to the end of the file, and add the following lines:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination

The restrictions are evaluated in order for every RCPT TO command. permit_sasl_authenticated accepts the recipient if the client has authenticated; otherwise reject_unauth_destination rejects any recipient in a domain this server is not responsible for (the domains in mydestination, the virtual domains, and relay_domains), which is what stops the server from being an open relay. Mail for your own domains is still accepted from anyone, as it must be. Because PLAIN and LOGIN carry the password unencrypted, also add smtpd_tls_auth_only = yes so that Postfix advertises and accepts AUTH only after STARTTLS has been negotiated; without it, a client that skips TLS sends its credentials in the clear. If hosts on your LAN should relay without a password, put permit_mynetworks at the front of the list.
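As an added example (not code from the article or from the Postfix project), the following Python script lints a main.cf for the points made in the TLS and SASL sections above: a banner that leaks $mail_name, TLS not offered, SASL enabled without smtpd_tls_auth_only, and a restriction list that lets unauthenticated clients relay. The parser follows the main.cf syntax (comment lines, name = value, whitespace-indented continuation lines, last assignment wins). The two sample configurations are constructed for illustration; the DEFAULTS table reproduces Postfix's built-in defaults for the parameters checked, and the legacy smtpd_use_tls parameter of Postfix releases before 2.3 is deliberately not considered.

```python
"""Lint a Postfix main.cf for the hardening settings discussed above (banner,
TLS, SASL and relay control).  Stdlib only; run against a real file with:
    python3 lint_main_cf.py /etc/postfix/main.cf
"""
import re
import sys

# Postfix built-in defaults that matter when a parameter is absent from main.cf.
DEFAULTS = {
    "smtpd_banner": "$myhostname ESMTP $mail_name",
    "smtpd_tls_security_level": "none",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "mynetworks": "",
}
# Restriction names that stop unauthenticated relaying once evaluation reaches them.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}, following Postfix's rules:
    '#' lines are comments, 'name = value' sets a parameter, a line beginning
    with whitespace continues the previous value, later assignments win."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:   # continuation line
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def restriction_list(value):
    """Split a Postfix list (comma and/or whitespace separated) into tokens."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def lint_main_cf(text):
    """Return a list of (parameter, problem) tuples; an empty list means clean."""
    cf = {**DEFAULTS, **parse_main_cf(text)}
    findings = []

    if "$mail_name" in cf["smtpd_banner"] or "postfix" in cf["smtpd_banner"].lower():
        findings.append(("smtpd_banner", "greeting discloses the MTA software"))

    if cf["smtpd_tls_security_level"] == "none":
        findings.append(("smtpd_tls_security_level", "inbound TLS is not offered"))
    else:
        for p in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if not cf.get(p):
                findings.append((p, "TLS enabled but no certificate/key configured"))

    if cf["smtpd_sasl_auth_enable"] == "yes" and cf["smtpd_tls_auth_only"] != "yes":
        findings.append(("smtpd_tls_auth_only",
                         "SASL enabled but plaintext AUTH allowed before STARTTLS"))

    # Relay control.  If smtpd_relay_restrictions (Postfix 2.10+) is set it decides
    # relaying; otherwise smtpd_recipient_restrictions does.  An absent list means
    # the Postfix default applies, which rejects unauthorized destinations.
    name = ("smtpd_relay_restrictions" if "smtpd_relay_restrictions" in cf
            else "smtpd_recipient_restrictions")
    tokens = restriction_list(cf.get(name, ""))
    guard_at = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if tokens and guard_at is None:
        findings.append((name, "no reject_unauth_destination: open relay"))
    elif guard_at is not None and "permit" in tokens[:guard_at]:
        findings.append((name, "bare 'permit' before reject_unauth_destination: open relay"))

    if re.search(r"(^|[\s,])0\.0\.0\.0/0($|[\s,])", cf["mynetworks"]):
        findings.append(("mynetworks", "0.0.0.0/0 trusts the whole Internet: open relay"))

    return findings


# Constructed sample configurations (not taken from a real server).
WEAK_MAIN_CF = """\
# default greeting, TLS off, SASL without TLS, and a 'permit' that lets anyone relay
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit,
    reject_unauth_destination
"""

HARDENED_MAIN_CF = """\
inet_interfaces = all
smtpd_banner = $myhostname ESMTP
smtpd_tls_cert_file = /etc/pki/tls/mail/mailservercert.pem
smtpd_tls_key_file = /etc/pki/tls/mail/mailserverkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MAIN_CF
    for param, problem in lint_main_cf(source) or [("-", "no findings")]:
        print(f"{param}: {problem}")
```

Run against the weak sample it reports four findings (banner, TLS, tls_auth_only, open relay); the hardened sample, which is the article's configuration plus smtpd_tls_auth_only = yes, comes back clean. The bare permit check matters because Postfix's own start-up sanity check only demands that a guard be present somewhere in the list, not that nothing permits everyone before it.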

Finally, restart Dovecot and Postfix:
service dovecot restart
service postfix restart


To test the SASL configuration, use an email client with SMTP authentication enabled to send a test message. As with SSL, authentication is enabled differently in each client, but in general look in the account settings for the section that defines the outgoing SMTP server, enable authentication, choose either PLAIN or LOGIN, and make sure a secure connection (STARTTLS) is selected. To check from the command line, connect with openssl s_client -starttls smtp -connect mail.example.com:25 and type EHLO test: a 250-AUTH PLAIN LOGIN line in the response confirms that authentication is offered inside TLS.
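To make concrete why plaintext AUTH must be confined to TLS, here is an added example (not from the article or the Postfix project) that reads an SMTP submission session the way an eavesdropper on the wire would. The three transcripts are constructed, with the hypothetical host mail.example.com and the made-up credentials alice/hunter2 and bob/secret. The analysis reports whether the server advertised AUTH before STARTTLS, whether STARTTLS completed, and recovers any credentials sent by AUTH PLAIN (RFC 4616) or AUTH LOGIN in the clear, which takes nothing more than base64 decoding.

```python
"""Read a cleartext capture of an SMTP submission session as an eavesdropper
would: was AUTH offered before STARTTLS, and can credentials be recovered?
Stdlib only."""
import base64
import re


def decode_auth_plain(b64):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password), RFC 4616.
    Base64 is an encoding, not encryption: decode and split on NUL."""
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return parts[1].decode(), parts[2].decode()


def analyze_session(transcript):
    """transcript: list of (direction, line), direction 'C' (client) or 'S'
    (server), as read out of tcpdump or Wireshark.

    Returns what the eavesdropper learns: whether the server advertised AUTH on
    the unencrypted connection (smtpd_tls_auth_only = no), whether STARTTLS
    completed, and any credentials sent in the clear by AUTH PLAIN / LOGIN.
    """
    report = {"auth_offered_in_clear": False, "starttls": False, "credentials": []}
    expect = None            # what the next client line carries when mid-AUTH
    pending_starttls = False
    user = None
    for who, line in transcript:
        line = line.strip()
        if who == "S":
            if re.match(r"250[- ]AUTH\b", line, re.I):
                report["auth_offered_in_clear"] = True
            elif pending_starttls and line.startswith("220"):
                report["starttls"] = True
                break        # everything after this is inside TLS: invisible
            pending_starttls = False
            continue
        if expect == "plain":                    # AUTH PLAIN, response on its own line
            report["credentials"].append(("PLAIN",) + decode_auth_plain(line))
            expect = None
        elif expect == "login_user":             # AUTH LOGIN: username, then password
            user, expect = base64.b64decode(line).decode(), "login_pass"
        elif expect == "login_pass":
            report["credentials"].append(("LOGIN", user, base64.b64decode(line).decode()))
            expect = None
        else:
            words = line.split()
            verb = words[0].upper() if words else ""
            if verb == "STARTTLS":
                pending_starttls = True
            elif verb == "AUTH" and len(words) >= 2:
                mech = words[1].upper()
                if mech == "PLAIN" and len(words) == 3:      # initial response included
                    report["credentials"].append(("PLAIN",) + decode_auth_plain(words[2]))
                elif mech == "PLAIN":
                    expect = "plain"
                elif mech == "LOGIN" and len(words) == 3:
                    user, expect = base64.b64decode(words[2]).decode(), "login_pass"
                elif mech == "LOGIN":
                    expect = "login_user"
    return report


# Constructed transcripts (hypothetical host and credentials, not real captures).
GREETING = [("S", "220 mail.example.com ESMTP"), ("C", "EHLO laptop.example.com"),
            ("S", "250-mail.example.com"), ("S", "250-STARTTLS")]

# smtpd_tls_auth_only = no: AUTH is advertised and used before STARTTLS.
CLEARTEXT_PLAIN = GREETING + [
    ("S", "250-AUTH PLAIN LOGIN"), ("S", "250 8BITMIME"),
    ("C", "AUTH PLAIN " + base64.b64encode(b"\x00alice\x00hunter2").decode()),
    ("S", "235 2.7.0 Authentication successful"),
]
CLEARTEXT_LOGIN = GREETING + [
    ("S", "250-AUTH PLAIN LOGIN"), ("S", "250 8BITMIME"),
    ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"),
    ("C", base64.b64encode(b"bob").decode()), ("S", "334 UGFzc3dvcmQ6"),
    ("C", base64.b64encode(b"secret").decode()), ("S", "235 2.7.0 Authentication successful"),
]
# smtpd_tls_auth_only = yes: no AUTH until the session is encrypted.
STARTTLS_FIRST = GREETING + [
    ("S", "250 8BITMIME"), ("C", "STARTTLS"), ("S", "220 2.0.0 Ready to start TLS"),
]

if __name__ == "__main__":
    for name, session in [("cleartext PLAIN", CLEARTEXT_PLAIN),
                          ("cleartext LOGIN", CLEARTEXT_LOGIN),
                          ("STARTTLS first", STARTTLS_FIRST)]:
        print(name, analyze_session(session))
```

The first two sessions yield the password outright; the third shows a server that withholds AUTH until after STARTTLS, so the capture ends at the 220 reply and nothing usable is exposed. The same check applies to Dovecot: with disable_plaintext_auth = yes a LOGIN or AUTHENTICATE PLAIN on an unencrypted IMAP connection is refused rather than decoded by whoever is listening.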



This work is licensed under a Creative Commons Attribution 3.0 Unported License
Creative Commons License.



Comments

Hi, 
I currently work as a SYSTEMS ENGINEER and am responsible for managing & administration of a POSTFIX mail server. Frankly speaking, this is a rock solid mail server. 
+You don't need expensive hardware to run postfix. 
+You don't need expensive software to back up the mailboxes. It's very easy to back up using rsync. 
+Very stable and reliable. 
+IMAP/s and POP/s support 
+Keeps mail in individual mailboxes and each mail is stored as a file (unlike EXCHANGE EDB Hell!!) 
+Supports mail filtering to check for VIRUSES and SPAM via AMAVIS  
+Postfix can be used as a mail filtering gateway 
+OpenSource: No license to pay. 
+Use and experience the benefits of POSTFIX
Posted @ Friday, July 25, 2014 1:40 PM by vicky