Every business needs email, but not every business wants an expensive proprietary email server like Exchange Server. If you prefer a free mail server, consider Postfix, an open source email server that supports SMTP. Running Postfix on CentOS, an enterprise-level Linux distribution derived from Red Hat Enterprise Linux, gives you a reliable, proven messaging solution.
Postfix is a feature-rich email server. It offers advantages over alternatives such as Sendmail and Exim in areas like security, features, ease of use, and support. In security, for example, according to the Common Vulnerabilities and Exposures database, Postfix had no listed security vulnerabilities for 2009 and 2010, versus three for Sendmail in 2009 and four for Exim in 2010. This year, however, all three mail servers have had security-related problems: two for Postfix, one for Sendmail, and two for Exim. In terms of features, Postfix offers:
Out of the box Postfix works as a standalone server using direct Internet access. You can easily configure the mail server by editing a few simple text files. If you need help, Postfix has a host of resources available at postfix.org, including online documentation, how-tos, FAQs, and mailing lists.
Before you set up Postfix, you must decide where on your network you want it hosted. You can configure the mail server to work in different ways depending on which side of the firewall it is located.
Postfix servers on the Internet have full routing, transmit, and receive capabilities. Email is sent from each user directly to the server, which stores and forwards messages to clients behind the firewall via POP3 or IMAP. Email sent from one internal user to another goes out to the Internet and then back in again. While Internet servers are easy to configure and deploy, they live outside your firewall, which makes them easier to hack into. You can also set up Postfix as a local server behind a firewall, or as a firewall gateway server, forwarding messages from an Internet server to a local one. Firewall gateway servers reduce the risk of security breaches but are more complex to configure correctly and necessitate the existence of an internal email server. Internal local servers offer the best security, but they need to be used together with an external server to receive email from the Internet.
We installed Postfix on an Internet server running CentOS, whose latest version we reviewed last month. Most CentOS deployments run Sendmail by default; you must remove Sendmail before installing Postfix. To do so, open a terminal window, switch user to root (su -), and run the command yum remove sendmail. Then, to install Postfix, run the command yum -y install postfix.
su -
yum remove sendmail
yum -y install postfix
Before you can start using Postfix you must tweak its configuration file. Edit /etc/postfix/main.cf and find the line for inet_interfaces. Set it to:
inet_interfaces = your IP address, localhost
Use the IP address of your server. This lets Postfix receive email from external clients, not just those running on the server.
By default Postfix appends a little announcement to outgoing messages saying that this email is powered by Postfix. It's best to give hackers as little information as possible about your server, so you should remove the banner by finding the line for smtpd_banner in the configuration file and setting it to:
smtpd_banner = $myhostname ESMTP
Save the file and exit the editor.
Next, you should enable Transport Layer Security (TLS), which allows Postfix to receive messages over an encrypted connection. If you don't, a hacker might be able to eavesdrop on message contents, since the majority of email messages are in plain text or HTML. TLS requires that you have a signed digital certificate that proves the server is legitimate. You can be your own certificate authority and sign your own certificates, as we do here, or you can pay a commercial CA to sign the certificates.
cd /etc/pki/tls/misc
./CA -newca
cd /etc/pki/tls/certs
openssl genrsa -out mailserverkey.pem 2048
openssl req -new -key mailserverkey.pem -out mailserver.csr
openssl ca -in mailserver.csr -out mailservercert.pem
mkdir /etc/pki/tls/mail
chown root:root /etc/pki/tls/mail
chmod 755 /etc/pki/tls/mail
cp mailservercert.pem /etc/pki/tls/mail/
cp mailserverkey.pem /etc/pki/tls/mail/
chown root:root /etc/pki/tls/mail/mailserverkey.pem
chown root:root /etc/pki/tls/mail/mailservercert.pem
chmod 600 /etc/pki/tls/mail/mailserverkey.pem
chmod 644 /etc/pki/tls/mail/mailservercert.pem
Now edit /etc/postfix/main.cf and add the following TLS settings:
smtpd_tls_CApath = /etc/pki/CA
smtpd_tls_CAfile = /etc/pki/CA/cacert.pem
smtpd_tls_cert_file = /etc/pki/tls/mail/mailservercert.pem
smtpd_tls_key_file = /etc/pki/tls/mail/mailserverkey.pem
smtpd_tls_security_level = may
The smtpd_tls_security_level directive tells Postfix to allow the use of TLS when receiving messages, but not to require it. To enable all the changes, restart Postfix with the command service postfix restart. To see if you got the TLS configuration right, use an email client with TLS enabled to send a test message. The way you enable TLS is different in each client, but in general, look in the account settings for the section that defines the outgoing SMTP server. Make sure it is configured to use a secure connection with TLS.
service postfix restart
You can troubleshoot the configuration, if necessary, in a couple of ways. Postfix logs its actions to /var/log/maillog. During setup and testing it is useful to keep a terminal window open to watch the log file with the command tail -f /var/log/maillog. The mailq command is useful for checking what is in the mail queue.
tail -f /var/log/maillog
mailq
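While tail -f shows you the raw log, it helps to know which lines matter. The script below is an added example, not code from the original article or from Postfix: it pulls out of maillog the events you want to watch while setting up TLS and, later, SASL (how many inbound smtpd sessions negotiated TLS, which client addresses are failing SASL logins, how many relay attempts were refused, and which users authenticated). The function names are assumptions of this example, and the embedded log lines are constructed in Postfix's syslog format. On a real server, redirect /var/log/maillog into the functions instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original article: pull the events worth watching
# out of a Postfix maillog during TLS and SASL setup. Function names are
# assumptions; the log lines below are constructed in Postfix's syslog format.

SAMPLE_LOG='Jun  1 10:00:01 mail postfix/smtpd[1234]: connect from client1.example.net[192.0.2.10]
Jun  1 10:00:02 mail postfix/smtpd[1234]: Anonymous TLS connection established from client1.example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun  1 10:00:03 mail postfix/smtpd[1234]: 4A1B2C3D: client=client1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jun  1 10:00:05 mail postfix/smtpd[1235]: connect from unknown[203.0.113.5]
Jun  1 10:00:06 mail postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun  1 10:00:07 mail postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun  1 10:00:08 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<x@example.com> to=<bob@example.org> proto=ESMTP helo=<x>
Jun  1 10:00:09 mail postfix/smtpd[1236]: connect from client2.example.net[192.0.2.11]
Jun  1 10:00:10 mail postfix/smtpd[1236]: 5E6F7A8B: client=client2.example.net[192.0.2.11]'

# Inbound smtpd sessions that negotiated TLS versus those that stayed in the
# clear. Reads log lines on stdin, prints "tls=N plain=M".
tls_summary() {
    awk '
        / postfix\/smtpd\[[0-9]+\]: connect from / { connects++ }
        / postfix\/smtpd\[[0-9]+\]: (Anonymous |Trusted |Untrusted |Verified )?TLS connection established from / { tls++ }
        END { printf "tls=%d plain=%d\n", tls, connects - tls }'
}

# Client addresses with failed SASL logins, most failures first: "count ip".
sasl_failures() {
    awk '
        /: SASL [A-Z-]+ authentication failed/ {
            # the client address sits in [...] right before ": SASL"
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/))
                fails[substr($0, RSTART + 1, RLENGTH - 8)]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Relay attempts refused by reject_unauth_destination.
relay_denied() {
    awk '/NOQUEUE: reject: / && /Relay access denied/ { n++ } END { print n + 0 }'
}

# Users who authenticated successfully (one name per accepted message).
sasl_logins() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^sasl_username=/) print substr($i, 15) }'
}

# Demo on the constructed lines; on a real server run, for example,
#   sasl_failures < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | tls_summary
printf '%s\n' "$SAMPLE_LOG" | sasl_failures
printf '%s\n' "$SAMPLE_LOG" | relay_denied
printf '%s\n' "$SAMPLE_LOG" | sasl_logins
```

A session that shows up in the "plain" count after you have enabled TLS in the client usually means the client is connecting without STARTTLS; repeated SASL failures from one address are the pattern to watch once authentication is enabled.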
Postfix handles the delivery of messages to the mailbox, but users need a way to get at them. For that, use Dovecot, a POP3 and IMAP4 server.
Make sure Dovecot is installed and set to start on boot up:
yum -y install dovecot
chkconfig --levels 235 dovecot on
Then edit /etc/dovecot.conf and set the following, reusing the certificate and key you created for Postfix:
login_greeting = Ready.
protocols = imaps pop3s
ssl_cert_file = /etc/pki/tls/mail/mailservercert.pem
ssl_key_file = /etc/pki/tls/mail/mailserverkey.pem
ssl_ca_file = /etc/pki/CA/cacert.pem
To ensure it is all working, use an email client with SSL enabled for POP3 to connect to the server. The way you enable SSL for POP3 is different in each client. Look in the account settings for POP3 server definition, and make sure the client is configured to use a secure connection with SSL.
For additional security you should also implement the Simple Authentication and Security Layer (SASL), a method of authenticating users and allowing them to submit messages for relaying. Postfix does not implement SASL itself, but instead uses libraries provided by Dovecot. Setting up SASL therefore involves two steps: First, configure Dovecot's SASL mechanisms, and second, configure Postfix to use the SASL services provided by Dovecot.
Edit /etc/dovecot.conf and find the start of the authentication section: auth default {. Within that section find the mechanisms line and replace it with:
mechanisms = plain login
Still inside the auth default section, add a listener socket that Postfix can use to reach Dovecot's authentication service:
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
Next, edit /etc/postfix/main.cf and add:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
Restart both services so the changes take effect:
service dovecot restart
service postfix restart
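Both the TLS directives added earlier and the SASL directives just added live in main.cf, and they only work if they agree with the files on disk and with Dovecot. The audit script below is an added example, not part of the article, of Postfix or of Dovecot: it checks that the certificate and key exist and the key is mode 600, that smtpd_tls_security_level enables TLS, that SASL is switched on, that smtpd_sasl_path (relative to queue_directory) resolves to the socket Dovecot listens on, and that reject_unauth_destination is present so unauthenticated clients cannot relay. The function names cf_get, check_tls, check_sasl_relay and make_samples are assumptions of this example, the sample main.cf and dovecot.conf it writes to a scratch directory are constructed, and it assumes Linux stat -c syntax. Point it at /etc/postfix/main.cf and /etc/dovecot.conf on the real server.

```shell
#!/bin/sh
# Added audit script, not from the original article: checks that the TLS and
# SASL settings described above agree with the files on disk and with Dovecot.
# Function names are assumptions; the sample configs it writes are constructed.

# Value of a "key = value" parameter from a main.cf-style file; later
# definitions win, as in Postfix. Continuation lines are not handled.
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k); if (k != key) next
          v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          val = v }
        END { print val }' "$1"
}

# TLS checks: cert and key exist, key is not group/world readable, TLS is
# enabled. Prints "ok" or one problem per line; returns 0 only on success.
check_tls() {
    cf="$1"; rc=0
    cert=$(cf_get "$cf" smtpd_tls_cert_file)
    key=$(cf_get "$cf" smtpd_tls_key_file)
    [ -f "$cert" ] || { echo "missing certificate: $cert"; rc=1; }
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")          # GNU/BusyBox stat: Linux assumed
        case "$mode" in
            600|400) ;;
            *) echo "key $key has mode $mode, expected 600"; rc=1 ;;
        esac
    else
        echo "missing key: $key"; rc=1
    fi
    case "$(cf_get "$cf" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) echo "smtpd_tls_security_level is not may or encrypt: TLS is off"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# SASL/relay checks: SASL enabled, the Postfix socket path (relative to
# queue_directory) resolves to Dovecot's listener, and relaying for
# unauthenticated clients is rejected.
check_sasl_relay() {
    cf="$1"; dovecot="$2"; rc=0
    [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ] || { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    queue=$(cf_get "$cf" queue_directory)
    [ -n "$queue" ] || queue=/var/spool/postfix      # Postfix default
    sasl_path=$(cf_get "$cf" smtpd_sasl_path)
    case "$sasl_path" in
        /*) full="$sasl_path" ;;
        *)  full="$queue/$sasl_path" ;;
    esac
    dsock=$(awk '/^[ \t]*path[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$dovecot")
    [ "$full" = "$dsock" ] || { echo "Postfix SASL socket $full does not match Dovecot listener $dsock"; rc=1; }
    restr=$(cf_get "$cf" smtpd_recipient_restrictions | tr ',' ' ')
    case " $restr " in
        *" reject_unauth_destination "*) ;;
        *) echo "reject_unauth_destination missing: unauthenticated clients could relay"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Write constructed sample files into a scratch directory and print its path.
make_samples() {
    d=$(mktemp -d); mkdir -p "$d/tls"
    echo "constructed cert" > "$d/tls/mailservercert.pem"; chmod 644 "$d/tls/mailservercert.pem"
    echo "constructed key"  > "$d/tls/mailserverkey.pem";  chmod 600 "$d/tls/mailserverkey.pem"
    cat > "$d/main.cf" <<EOF
queue_directory = $d/spool
smtpd_tls_cert_file = $d/tls/mailservercert.pem
smtpd_tls_key_file = $d/tls/mailserverkey.pem
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
EOF
    cat > "$d/dovecot.conf" <<EOF
auth default {
  socket listen {
    client {
      path = $d/spool/private/auth
    }
  }
}
EOF
    echo "$d"
}

# Demo on the constructed samples; on a real server pass /etc/postfix/main.cf
# and /etc/dovecot.conf instead.
SAMPLE_DIR=$(make_samples)
check_tls "$SAMPLE_DIR/main.cf"
check_sasl_relay "$SAMPLE_DIR/main.cf" "$SAMPLE_DIR/dovecot.conf"
```

The relay check is the one to run after every edit of smtpd_recipient_restrictions: permit_sasl_authenticated on its own, without reject_unauth_destination after it, leaves the server relaying for anyone.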
To test the SASL configuration, use an email client with SASL enabled to send a test message. Like SSL, SASL is enabled differently in each client, but in general, look in the account settings for the section that defines the outgoing SMTP server. Make sure server authentication is enabled, then choose between either PLAIN or LOGIN.