Introduction

Postfix is the default Mail Transfer Agent (MTA) for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure Postfix and set it up as an SMTP server using a secure connection.

Installation

To install Postfix with SMTP-AUTH and TLS, first install the postfix package from the repositories using your favorite package manager. For example:

sudo aptitude install postfix

Simply accept the defaults when the installation process asks questions. The detailed configuration is done in the next stage.

Configuration

From a terminal prompt:

sudo dpkg-reconfigure postfix

Enter the following information when prompted (replace server1.example.com with your domain name, if you have one):

  • General type of mail configuration: Internet Site

  • NONE doesn't appear to be requested in current config

  • System mail name: server1.example.com

  • Root and postmaster mail recipient: <admin_user_name>

  • Other destinations for mail: server1.example.com, example.com, localhost.example.com, localhost

  • Force synchronous updates on mail queue?: No

  • Local networks: 127.0.0.0/8

  • Yes doesn't appear to be requested in current config

  • Mailbox size limit (bytes): 0

  • Local address extension character: +

  • Internet protocols to use: all

Now is a good time to decide which mailbox format you want to use. By default Postfix will use mbox for the mailbox format. Rather than editing the configuration file directly, you can use the postconf command to configure all Postfix parameters. The configuration parameters are stored in the /etc/postfix/main.cf file. Later, if you wish to reconfigure a particular parameter, you can either run the command or edit the file manually.

To configure the mailbox format for Maildir:

sudo postconf -e 'home_mailbox = Maildir/'

You may need to issue this as well:

sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

Configure Postfix for SMTP AUTH using SASL (saslauthd):

sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Next, edit /etc/postfix/sasl/smtpd.conf and add the following lines:

mech_list: plain login

Generate the certificates to be used for TLS encryption and/or certificate authentication:

# create the key file with owner-only permissions before the key is written to it
touch smtpd.key
chmod 600 smtpd.key
# 1024-bit RSA is no longer considered adequate; use at least 2048 bits
openssl genrsa 2048 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Configure Postfix to do TLS encryption for both incoming and outgoing mail:

sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server1.example.com' # remember to change this to yours

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
#Use these on Postfix 2.2.x only
#smtp_use_tls = yes
#smtpd_use_tls = yes
#For Postfix 2.3 or above use:
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart the Postfix daemon like this:

sudo /etc/init.d/postfix restart
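The configuration above sets smtpd_tls_auth_only = no, so AUTH is also offered on sessions that never negotiated TLS. The script below is an added example, not part of the original guide: it reads a main.cf with Postfix's own rules (continuation lines, last definition wins) and reports that condition and two related ones. The function names and finding labels are made up for this example, and the sample file is constructed.

```sh
# Added example, not from the original guide. Finding labels are made up here.
# effective FILE PARAM: print PARAM's effective value. '#' and blank lines are
# skipped, indented lines continue the previous one, a later definition wins.
effective() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }; next }
        {
            eq = index($0, "="); if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[name] = v
        }
        END { print val[want] }' "$1"
}
add() { findings="${findings:+$findings }$1"; }

# Print space-separated findings for main.cf file $1, or OK.
audit_main_cf() {
    findings=""
    # PLAIN and LOGIN send the password base64-encoded, not encrypted, so
    # offering AUTH on sessions without TLS exposes it on the wire.
    if [ "$(effective "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(effective "$1" smtpd_tls_auth_only)" != yes ]; then add AUTH_WITHOUT_TLS; fi
    # Flag configs where neither the TLS level nor smtpd_use_tls turns STARTTLS on.
    case "$(effective "$1" smtpd_tls_security_level):$(effective "$1" smtpd_use_tls)" in
        may:*|encrypt:*|*:yes) ;;
        *) add NO_STARTTLS ;;
    esac
    # permit_mynetworks lets every listed network relay without logging in.
    other=$(effective "$1" mynetworks | tr ', \t' '\n\n\n' |
            grep -v -e '^$' -e '^127\.' -e '^\[::1\]' -e '^\[::ffff:127\.' || true)
    if [ -n "$other" ]; then add TRUSTED_NON_LOOPBACK; fi
    echo "${findings:-OK}"
}

# Constructed sample: the relevant lines of the main.cf this guide produces.
sample_main_cf() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
EOF
}

tmp=$(mktemp) && sample_main_cf > "$tmp"
audit_main_cf "$tmp"    # on a live system: audit_main_cf /etc/postfix/main.cf
rm -f "$tmp"
```

Setting smtpd_tls_auth_only = yes clears the first finding; clients must then issue STARTTLS before they can authenticate.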

Authentication

First you will need to install the libsasl2-2 and sasl2-bin packages from the Main repository [i.e. sudo apt-get install them both].

Note: if you are using Ubuntu 6.06 (Dapper Drake) the package name is libsasl2.

We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to change a couple of paths to live in the false root (i.e. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):


Note: by changing the saslauthd path other applications that use saslauthd may be affected.

First we edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the PWDIR, PARAMS, and PIDFILE lines:

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"

#make sure you set the options here otherwise it ignores params above and will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Note: If you prefer, you can use "shadow" instead of "pam". This will use MD5 hashed password transfer and is perfectly secure. The username and password needed to authenticate will be those of the users on the system you are using on the server.

Next, we update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

This may report an error that "--update given" and the "/var/spool/postfix/var/run/saslauthd" directory does not exist. You can ignore this because when you start saslauthd next it will be created.

Finally, start saslauthd:

sudo /etc/init.d/saslauthd start

Testing

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS
250-AUTH

among others, everything is working.

Type quit to return to the system's shell.
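The manual check above can be scripted. This is an added example, not part of the original guide: it parses a saved EHLO reply, including the extra "AUTH=" line that broken_sasl_auth_clients = yes produces, and labels what a reply captured before STARTTLS means. The function names, labels and the sample reply are constructed for this example.

```sh
# Added example, not from the original guide. Names and labels are made up here.

# Read an SMTP EHLO reply on stdin and print "starttls=<yes|no> auth=<list>".
ehlo_caps() {
    awk '
        { sub(/\r$/, "") }                    # SMTP lines end in CRLF
        /^250[- ]/ {
            kw = toupper(substr($0, 5))
            if (kw == "STARTTLS") tls = 1
            # "AUTH ..." is the standard form; "AUTH=..." is the extra line
            # that broken_sasl_auth_clients = yes adds for old clients.
            if (kw ~ /^AUTH[ =]/) {
                n = split(substr(kw, 6), m, " ")
                for (i = 1; i <= n; i++)
                    if (!(m[i] in seen)) { seen[m[i]] = 1; list = list (list ? "," : "") m[i] }
            }
        }
        END { printf "starttls=%s auth=%s\n", (tls ? "yes" : "no"), (list ? list : "none") }'
}

# Label a reply captured BEFORE STARTTLS (what "telnet localhost 25" shows).
check_cleartext_ehlo() {
    caps=$(ehlo_caps)
    case $caps in
        "starttls=no "*) echo "NO_STARTTLS $caps" ;;
        *"auth=none")    echo "NO_AUTH_BEFORE_TLS $caps" ;;   # expected with smtpd_tls_auth_only = yes
        *PLAIN*|*LOGIN*) echo "PLAINTEXT_AUTH_OFFERED $caps" ;; # what this guide's settings produce
        *)               echo "OK $caps" ;;
    esac
}

# Constructed sample reply for the configuration in this guide.
sample_ehlo() {
    cat <<'EOF'
250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
EOF
}

sample_ehlo | check_cleartext_ehlo
```

To check a real server, save the reply from the telnet session to a file and pipe that file into check_cleartext_ehlo.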

Troubleshooting

Remove Postfix from chroot

If you run into issues while running Postfix you may be asked to remove Postfix from chroot to better diagnose the problem. In order to do that you will need to edit /etc/postfix/master.cf and locate the following line:

smtp      inet  n       -       -       -       -       smtpd

and modify it as follows:

smtp      inet  n       -       n       -       -       smtpd

Then restart Postfix:

sudo /etc/init.d/postfix restart

Configuring saslauthd to Default

If you don't want to run Postfix in a chroot, or you'd like to not use chroot for troubleshooting purposes you will probably also want to return saslauthd back to its default configuration.

The first step in accomplishing this is to edit /etc/default/saslauthd and comment out the following lines we added above:

#PWDIR="/var/spool/postfix/var/run/saslauthd"
#PARAMS="-m ${PWDIR}"
#PIDFILE="${PWDIR}/saslauthd.pid"

Then return the saslauthd dpkg "state" to its default location:

dpkg-statoverride --force --update --add root sasl 755 /var/run/saslauthd

And restart saslauthd:

sudo /etc/init.d/saslauthd restart

Using Port 587 for Secure Submission

If you want to use port 587 as the submission port for SMTP mail rather than 25 (many ISPs block port 25), you will need to edit /etc/postfix/master.cf to uncomment the relevant line for port 587 there.

Other Postfix Guides

These guides will teach you how to set up Postfix mail servers, from basic to advanced.

Postfix Basic Setup

Postfix Basic Setup Howto will teach you the concepts of Postfix and how you can get Postfix basics set up and running. If you are new to Postfix it is recommended to follow this guide first.

Postfix Virtual Mailbox and Antivirus Filtering

Postfix Virtual MailBox ClamSmtp Howto will teach you how to set up virtual mailboxes using non-Linux accounts where each user will authenticate using their email address with Dovecot POP3/IMAP server and ClamSMTP Antivirus to filter both incoming and outgoing mails for known viruses.

Postfix Setup For Sender Policy Framework (SPF) Checking

Postfix SPF will show you how to add SPF checking to your existing Postfix setup. This allows your server to reject mail from unauthorized sources.

Postfix Setup For DKIM email signing and verification

Postfix DKIM will guide you through the setup process of dkim-milter for your existing Postfix installation. This will allow your server to sign and verify emails using DKIM.

Postfix Setup For DomainKeys email signing and verification

Postfix DomainKeys will guide you through the setup process of dk-filter for your existing Postfix installation. This will allow your server to sign and verify emails using Postfix/DomainKeys.

Add Dspam to Postfix

Postfix Dspam will guide you through the process of setting up DSPAM for your Postfix installation. This will give your mail server high-quality spam filtering with Dspam.

Postfix Complete Solution

Postfix Complete Virtual Mail System Howto will help you if you are managing a large number of virtual domains at an ISP or in a corporation where you handle hundreds or thousands of mail domains. This guide is appropriate if you are looking for a complete solution with:

  • Web-based administration system.
  • Unlimited number of domains.
  • Virtual mail users without shell accounts.
  • Domain-specific names.
  • Mailbox quotas
  • Web access to e-mail accounts.
  • Web-based interface for changing user passwords
  • IMAP and POP3 support
  • Auto-responders.
  • SMTP Authentication for secure relaying
  • SSL for transport layer security
  • Spam filtering
  • Antivirus filtering
  • Log analysis

Dovecot LDAP

The Postfix/DovecotLDAP guide will help you configure Postfix to use Dovecot as MDA with LDAP users.

Dovecot SASL

The PostfixDovecotSASL guide will help you configure Postfix to use Dovecot's SASL implementation. With Dovecot SASL you can, if you wish, run Postfix in a chroot environment and still use Cyrus SASL for other services.

Note: This guide has been tested on Ubuntu 6.06 (Dapper) and Ubuntu 7.10 (Gutsy)



Postfix/ES (last edited 2009-10-04 19:48:08 by czam01)