
OpenBSD Postfix

Postfix is an MTA (Mail Transport Agent) developed by Wietse Venema as an alternative to the widely-used Sendmail program. It attempts to be fast, easy to administer, and secure, while at the same time being sendmail-compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different. Postfix also comes with excellent documentation and a lot of howtos.

Our mail server requirements will be quite simple: it will be the final destination solely for its canonical domains and it will only relay mail from systems on the internal network (though we will also consider relaying from untrusted networks by means of SMTP authentication). Canonical domains include the hostname (in our case, "mail.kernel-panic.tld") and the IP address (172.16.240.150) of the machine that Postfix runs on, and the parent domain of the hostname ("kernel-panic.tld").

Canonical domains are usually implemented with the Postfix local domain address class, which, unfortunately, has one major drawback for me: it requires each e-mail account to have a corresponding OpenBSD account. Instead, I prefer:

  1. keeping OpenBSD and e-mail accounts apart and
  2. having all mailboxes well-ordered inside a single directory.

Therefore, we will use Postfix Virtual Domain Hosting, which is normally used for hosting multiple internet domains on the same server, but will also allow us to achieve the above goals.

Configuration

In this section, we will configure Postfix to work standalone, with no back-end database. Then, in the next chapter, once everything is working fine, we will hook up Postfix to a MySQL database; this will allow us to centrally store configuration information that both Postfix and Courier-IMAP will need to access.

There are a few packages we need to install:

Note: if you're planning to use SMTP authentication, you will need to compile Postfix from the ports, because there's no pre-compiled package available with both MySQL and SASL support:


# cd /usr/ports/mail/postfix/snapshot
# env FLAVOR="mysql sasl2" make install

The installation will create the /etc/postfix directory, containing all the configuration files. Postfix has several hundred configuration parameters that are controlled via the /etc/postfix/main.cf file, but don't worry: for the vast majority of these parameters, the default value is the best option (see postconf(5) for a detailed list of all the available configuration parameters, their descriptions and their default values) and we will only have to override a very small subset of them:

/etc/postfix/main.cf

# Directory containing all the post* commands
command_directory = /usr/local/sbin

# Directory containing all the Postfix daemon programs
daemon_directory = /usr/local/libexec/postfix

# Full pathnames of various Postfix commands
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq

# Directories containing documentation
html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
readme_directory = /usr/local/share/doc/postfix/readme

# The owner of the Postfix queue and of most Postfix daemon processes
mail_owner = _postfix

# The group for mail submission and queue management commands
setgid_group = _postdrop

# The myhostname parameter specifies the internet hostname of this mail system. It is
# used as default for many other configuration parameters (default = system's FQDN)
myhostname = mail.kernel-panic.tld

# The internet domain name of this mail system. Used as default for many other
# configuration parameters (default = $myhostname minus the first component)
mydomain = kernel-panic.tld

# The domain name that locally-posted mail appears to come from, and that locally posted
# mail is delivered to. As you can see, a parameter value may refer to other parameters
myorigin = $myhostname

# Network interface addresses that this mail system receives mail on
inet_interfaces = all

# Network interface addresses that this mail system receives mail on by way of a
# proxy or NAT unit
proxy_interfaces = router.kernel-panic.tld

# List of domains that this machine considers itself the final destination for.
# Virtual domains must not be specified here
mydestination = $myhostname, localhost.$mydomain, localhost

# List of "trusted" SMTP clients allowed to relay mail through Postfix.
mynetworks = 127.0.0.0/8, 172.16.0.0/24, 172.16.240.0/24

# What destination (sub)domains this system will relay mail to
relay_domains = $mydestination

# The default host to send mail to when no entry is matched in the optional
# transport(5) table. Square brackets turn off MX lookups
relayhost = [smtp.isp.com]

# List of alias databases used by the local delivery agent
alias_maps = hash:/etc/postfix/aliases

# Alias database(s) built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps may specify tables that are not
# necessarily all under control by Postfix
alias_database = hash:/etc/postfix/aliases

# SMTP greeting banner
smtpd_banner = $myhostname ESMTP $mail_name

# Postfix is final destination for the specified list of "virtual" domains
virtual_mailbox_domains = kernel-panic.tld

# Virtual mailboxes base directory
virtual_mailbox_base = /var/mail/vhosts

# Optional lookup tables with all valid addresses in the domains that match
# $virtual_mailbox_domains.
virtual_mailbox_maps = hash:/etc/postfix/vmailbox

# The minimum user ID value accepted by the virtual(8) delivery agent
virtual_minimum_uid = 2000

# User ID that the virtual(8) delivery agent uses while writing to the recipient's mailbox
virtual_uid_maps = static:2000

# Group ID that the virtual(8) delivery agent uses while writing to the recipient's mailbox
virtual_gid_maps = static:2000

# Optional lookup tables that alias specific mail addresses or domains to other local or
# remote address
virtual_alias_maps = hash:/etc/postfix/virtual

Let's take a closer look at some of the above configuration parameters.

One of the goals we had was to avoid having a separate OpenBSD account for each e-mail account. We have achieved this by configuring Postfix to write to the OpenBSD mailboxes using uid 2000 and gid 2000 (see the virtual_uid_maps and virtual_gid_maps parameters above). Now we only have to create a user with this pair of uid and gid:


# useradd -d /var/mail/vhosts -g =uid -u 2000 -s /sbin/nologin \
> -c "Virtual Mailboxes Owner" vmail
# chown vmail:vmail /var/mail/vhosts

Our second goal was having all OpenBSD mailboxes grouped together in a single directory; this is achieved by setting the value of the virtual_mailbox_base parameter to the path of that directory (in our configuration, /var/mail/vhosts). As a matter of fact, this parameter is a prefix that the virtual(8) agent prepends to all pathname results from virtual_mailbox_maps table lookups.

In our configuration, the virtual_mailbox_maps parameter refers to the /etc/postfix/vmailbox file, containing the list of all valid addresses in the virtual domains (virtual_mailbox_domains parameter) and the path to the corresponding mailboxes or maildirs (a mailbox is a single file containing all the emails; a maildir, instead, is a directory, with a particular structure, containing all the emails in separate files):

/etc/postfix/vmailbox


info@kernel-panic.tld           kernel-panic.tld/info/
d.mazzocchio@kernel-panic.tld   kernel-panic.tld/d.mazzocchio/
[...]

Please pay attention to the trailing slashes: they tell Postfix that the pathname refers to a maildir instead of a mailbox file, and maildirs are our only option, since Courier-IMAP doesn't support mailbox files.
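
As an added example (not part of the original guide), the shell function below lints a vmailbox table before it is handed to postmap: each address must belong to a domain in virtual_mailbox_domains, no address may appear twice, every path must end in a slash (maildir), and no path may be absolute or contain a ".." component, since the result is meant to be relative to virtual_mailbox_base. The names audit_vmailbox and sample_vmailbox and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a vmailbox table on stdin.
# $1 = space-separated list of virtual_mailbox_domains.
# Prints "line N: problem" for each finding; returns non-zero if any exist.
audit_vmailbox() {
    awk -v domains="$1" '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    BEGIN {
        n = split(tolower(domains), d, " ")
        for (i = 1; i <= n; i++) hosted[d[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
    NF != 2 { bad("expected two fields: address path"); next }
    {
        addr = tolower($1); path = $2
        at = index(addr, "@"); dom = substr(addr, at + 1)
        if (at == 0 || !(dom in hosted))
            bad(addr " is not in a hosted virtual domain")
        if (addr in seen) bad(addr " duplicates line " seen[addr])
        else seen[addr] = NR
        # Trailing slash selects maildir delivery, which Courier-IMAP needs
        if (substr(path, length(path)) != "/")
            bad(path " has no trailing slash (mailbox file, not maildir)")
        # The path is meant to be relative to virtual_mailbox_base
        m = split(path, part, "/"); dotdot = 0
        for (i = 1; i <= m; i++) if (part[i] == "..") dotdot = 1
        if (substr(path, 1, 1) == "/" || dotdot)
            bad(path " is absolute or contains \"..\"")
    }
    END { exit (errs > 0) }
    '
}

# Constructed sample: lines 1-2 follow the guide, lines 3-6 each break a rule
sample_vmailbox() {
    cat <<'EOF'
info@kernel-panic.tld           kernel-panic.tld/info/
d.mazzocchio@kernel-panic.tld   kernel-panic.tld/d.mazzocchio/
sales@kernel-panic.tld          kernel-panic.tld/sales
guest@example.invalid           example.invalid/guest/
info@kernel-panic.tld           kernel-panic.tld/info2/
ops@kernel-panic.tld            ../../home/ops/Maildir/
EOF
}

sample_vmailbox | audit_vmailbox "kernel-panic.tld" || :
```

On the real table, feed /etc/postfix/vmailbox to the function on stdin and run postmap only when it returns zero.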

The virtual_alias_maps parameter lets you alias specific mail addresses or domains to other local or remote addresses. Its value is the path name of a file (in our case /etc/postfix/virtual) containing the alias mappings:


/etc/postfix/virtual

root@kernel-panic.tld           root@localhost.kernel-panic.tld
postmaster@kernel-panic.tld     postmaster@localhost.kernel-panic.tld
abuse@kernel-panic.tld          postmaster@localhost.kernel-panic.tld
[...]

Finally, the /etc/postfix/aliases file contains the addresses to which Postfix will redirect mail for local recipients (see aliases(5)). Since many accounts point to root's email address, you should check root's email frequently or forward it all to another account. E.g.:

/etc/postfix/aliases

root:           d.mazzocchio@kernel-panic.tld
MAILER-DAEMON:  postmaster
postmaster:     root
bin:            root
[...]

Now we only have to update Postfix lookup tables:

# /usr/local/sbin/postmap /etc/postfix/vmailbox
# /usr/local/sbin/postmap /etc/postfix/virtual
# /usr/local/sbin/newaliases

replace Sendmail:

# /usr/local/sbin/postfix-enable
old /etc/mailer.conf saved as /etc/mailer.conf.pre-postfix
postfix /etc/mailer.conf enabled
NOTE: do not forget to add sendmail_flags="-bd" to
/etc/rc.conf.local to startup postfix correctly.
NOTE: do not forget to add "-a /var/spool/postfix/dev/log" to
syslogd_flags in /etc/rc.conf.local and restart syslogd.
NOTE: do not forget to remove the "sendmail clientmqueue runner"
from root's crontab.
#

and follow the above advice, by commenting out the "sendmail clientmqueue runner" in root's crontab:

# sendmail clientmqueue runner
#*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q

and adding a couple of variables in the /etc/rc.conf.local file.

/etc/rc.conf.local

# Specify a location where syslogd(8) should place an additional log socket
# for Postfix
syslogd_flags="-a /var/spool/postfix/dev/log"
# Make Postfix start in background and process queued messages every 30 min
sendmail_flags="-bd"

Now we can restart the processes (or simply reboot):

# pkill -HUP syslogd
# pkill sendmail
# /usr/local/sbin/sendmail -bd

and test our hard work to check that the mail server is working on your OpenBSD machine:

# telnet mail.kernel-panic.tld 25
Trying 172.16.240.150...
Connected to mail.kernel-panic.tld.
Escape character is '^]'.
220 mail.kernel-panic.it ESMTP Postfix
HELO somedomain.org
250 mail.kernel-panic.tld
mail from: someone@somedomain.org
250 Ok
rcpt to: d.mazzocchio@kernel-panic.tld
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: someone@somedomain.org
To: d.mazzocchio@kernel-panic.tld
Subject: Test mail

It works!
.
250 Ok: queued as 548D7286
quit
221 Bye
Connection closed by foreign host.
# tail /var/log/maillog
Dec 16 15:26:35 mail postfix/smtpd[29212]: connect from ws1.lan.kernel-panic.tld[172.16.0.15]
Dec 16 15:26:53 mail postfix/smtpd[29212]: 57076222: client=ws1.lan.kernel-panic.tld[172.16.0.15]
Dec 16 15:27:02 mail postfix/cleanup[13428]: 57076222: message-id=<20070210142653.57076222@mail.kernel-panic.tld>
Dec 16 15:27:02 mail postfix/qmgr[26776]: 57076222: from=, size=392, nrcpt=1 (queue active)
Dec 16 15:27:02 mail postfix/virtual[14381]: 57076222: to=, relay=virtual, delay=15, delays=15/0.28/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec 16 15:27:02 mail postfix/qmgr[26776]: 57076222: removed
Dec 16 15:27:06 mail postfix/smtpd[29212]: disconnect from ws1.lan.kernel-panic.it[172.16.0.15]
# cat /var/mail/vhosts/kernel-panic.tld/d.mazzocchio/new/1118146014.V3I9448M811660.mail.kernel-panic.tld
Return-Path:
X-Original-To: d.mazzocchio@kernel-panic.tld
Delivered-To: d.mazzocchio@kernel-panic.tld
Received: from somedomain.org (ws1.lan.kernel-panic.tld [172.16.0.15])
        by mail.kernel-panic.tld (Postfix) with SMTP id 57076222
        for Sat, 16 Dec 2007 15:26:47 +0100 (CET)
From: someone@somedomain.org
To: d.mazzocchio@kernel-panic.tld
Subject: Test mail
Message-Id: <20070210142653.57076222@mail.kernel-panic.tld>
Date: Sat, 16 Dec 2007 15:26:47 +0100 (CET)

It works!
#
