Postfix - SMTP Email Server

This article will detail the installation and configuration of an SMTP email server using Postfix 3.9.

postfix-sasl will be used for inbound Internet email delivery as well as for encrypted outbound email via submission and smtps.

cyrus-sasl2-saslauthd or Dovecot will handle authentication requests on behalf of the SASL library and will authenticate against local system users.

Outbound Internet email will be relayed through a third party email server to workaround ISP blocked outbound port 25.

 

Additional Requirements

For this setup there are some additional requirements that should be met. However, the exact implementations are beyond the scope of this article.

- DNS

The domain name you are going to provide email for needs to be a valid Internet registered domain. In the provided examples this will be example.org and should be changed accordingly.

An MX record pointing to the mail server's host record i.e. MX 10 mail.example.org.

A host A record and optionally an AAAA record for mail.example.org that resolves to the Internet IP address(es) of the server

- Firewall

The firewall should be configured to allow SMTP port 25 ingress to the Postfix mail server. Mail submission and smtps ports 587 and 645 will be permitted from LAN connected hosts only.

- TLS

A valid server certificate associated with the mail server's FQDN is required to enable and use TLS encryption.

 

Install Postfix

Install postfix-sasl via your preferred method:
pkg install mail/postfix@sasl


Follow the (former) post install instructions for postfix-sasl:

To use postfix instead of sendmail:
- clear sendmail queue and stop the sendmail daemons
service sendmail stop

Run the following commands to enable postfix during startup:
sysrc postfix_enable="YES"

- sysrc sendmail_enable="NONE"
According to rc.sendmail(8) sendmail_enable="NONE" is deprecated, therefore we will disable sendmail correctly with:
sysrc sendmail_enable="NO"
sysrc sendmail_submit_enable="NO"
sysrc sendmail_outbound_enable="NO"
sysrc sendmail_msp_queue_enable="NO"

If postfix is *not* already activated in /usr/local/etc/mail/mailer.conf
mv /usr/local/etc/mail/mailer.conf /usr/local/etc/mail/mailer.conf.old
install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

Disable sendmail specific tasks,
add the following lines to /etc/periodic.conf

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

 

Configure Postfix

Postfix uses two files for configuration /usr/local/etc/postfix/main.cf and /usr/local/etc/postfix/master.cf

main.cf contains the majority of the configuration parameters for the server. It is used to configure in/outbound mail delivery SMTP port 25, and forms the base configuration of all other Postfix SMTP daemons. It is only necessary to specify parameters if they differ from the defaults. Refer to main.cf.default to see Postfix default values for all parameters.

master.cf is used to enable and configure additional SMTP daemons for outbound submission port 587 and smtps port 465 as well as any overrides to main.cf configuration parameters.

 

Edit /usr/local/etc/postfix/main.cf
Modify myhostname and mydomain accordingly.
Modify mynetworks replacing 192.0.2.0/24 [2001:DB8::]/32 with your IPv4 and IPv6 network adresses.

myhostname = mail.example.org
mydomain = example.org
myorigin = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.0.2.0/24 [2001:DB8::]/32
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain alias_maps = hash:/etc/aliases compatibility_level = 3.6 # Outbound Internet Relay host relayhost = [smtp.example.com]:587 # smtp smtp_tls_security_level = encrypt smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:$config_directory/sasl_passwd smtp_sasl_security_options = noanonymous # smtpd smtpd_tls_security_level = may
smtpd_banner = $myhostname smtpd_sasl_auth_enable = no smtpd_tls_chain_files = /path/to/your/postfix-chain.pem smtpd_relay_restrictions = permit_mynetworks, permit_auth_destination, reject # Security Hardening smtpd_tls_protocols = >=TLSv1.2 smtpd_tls_mandatory_protocols = >=TLSv1.2 smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA25:!DH:!EDH:!ADH tls_preempt_cipherlist = yes tls_ssl_options = NO_RENEGOTIATION smtpd_sasl_security_options=noanonymous smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes disable_vrfy_command = yes smtpd_helo_required = yes smtpd_data_restrictions = reject_unauth_pipelining smtpd_client_connection_count_limit = 10 smtpd_tls_loglevel = 1

NOTE: The 'Security Hardening' section of the configuration is intended to significantly improve and tighten the security of your Postfix services. Prior to adding the hardening section to your own configuration, it is important to firstly, confirm that all Postfix services and mail flow are already working correctly. Secondly, research and understand what each directive accomplishes, as well as ensure the settings are suitable for your needs and backend environment. In rare instances the tighter restrictions can result in an inability to receive mail from older, defunct, or misconfigured Internet SMTP servers.

 

Edit /usr/local/etc/postfix/master.cf and uncomment either submission, smtps, or both and respective override lines:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n -   n       -       -       smtpd
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client. #127.0.0.1:smtps inet n - n - - smtpd smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING

 

Configure User Authentication

Two different methods may be employed to authenticate Postfix clients against local system users. This depends on whether or not Dovecot is already running on the same system as Postfix.

  1. If Dovecot services are not available, then installing and configuring cyrus-sasl2-saslauthd is the necessary choice.
  2. If Dovecot is running on the same system as Postfix, then you can choose to leverage it's authentication services via a Dovecot auth listener socket. This requires configuration changes to both Postfix and Dovcot.
 

Use cyrus-sasl2-saslauthd for Authentication

Install security/cyrus-sasl2-saslauthd:
pkg install cyrus-sasl2-saslauthd

Create and edit the authentication mechanism file /usr/local/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: LOGIN PLAIN

saslauthd only supports LOGIN and PLAIN authentication mechanisms and should be the only ones specified.

Enable saslauthd in /etc/rc.conf and start the service:

sysrc saslauthd_enable="YES"
service saslauthd start

 

Use Dovecot Authentication

Uncomment and change the following lines in /usr/local/etc/dovecot/conf.d/10-master.conf

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

Change the following lines in /usr/local/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no
auth_mechanisms = login plain

Restart Dovecot to create the new listener socket.
service dovecot restart

Add the following override lines to the submission and smtps sections of /usr/local/etc/postfix/master.cf

  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Restart Postfix to begin using Dovecot's socket for authentications.
service postfix restart

 

Create a Mail Local User Account

When creating a new user for email access:

- Add the new user to the mail group. Any existing users that require email access should also be added to the mail group.

- You do not need to configure a shell for email only users, and should specify nologin if one is not specifically required.

- Ensure to create the user's default home directory.

 

Configure Authentication for Outbound Internet Relay Host

Create and edit /usr/local/etc/postfix/sasl_passwd

smtp.example.com    This email address is being protected from spambots. You need JavaScript enabled to view it.:password

Set the file to be read/writable only by root:
chmod 600 /usr/local/etc/postfix/sasl_passwd

Use postmap to compile and hash the contents of sasl_passwd:
postmap /usr/local/etc/postfix/sasl_passwd

 

Rebuild Aliases Database

Use newaliases to (re)generate the /etc/aliases.db database:
newaliases

 

Create an All-in-one Certificate Chain File for TLS

With newer versions of Postfix there is support for using an all-in-one key/cert/chain file which is the recommended method.

Use cat to combine the private key, server certificate, and CA issuer certificate into an all-in-one chain file.
cat rsa-privkey.pem cert.pem chain.pem > postfix-chain.pem

Set the file to be read/writable only by root:
chmod 600 postfix-chain.pem

In /usr/local/etc/postfix/main.cf ensure that smtpd_tls_chain_files = points to the location of your postfix-chain.pem file.

 

Enable and Start the Services

Enable Postfix in /etc/rc.conf and start the services.
sysrc postfix_enable="YES"
service postfix start

 

Test the Postfix Server

Test the server using a configured email client or via command line to ensure that it can send emails to your email domain, as well as send to and receive from the Internet.

To send a test email from the command line:
mail -vs "Postfix Test" destination-email-address
Type your message and then use Ctrl-D to send it.

To test if TLS encryption is configured and working correctly via ports 587 and 465:
openssl s_client -connect mail.example.org:587 -starttls smtp
openssl s_client -connect mail.example.org:465

To view mail that has been delivered to a local user's mailbox
mail -u username

 

Configure an Email Client

To configure an email client i.e. Thunderbird, Outlook etc., use the following settings to configure outgoing SMTP server settings:

Server Name: mail.example.org
Port: 587 or 465
Connection security: STARTTLS for port 587 or SSL/TLS for port 465
Authentication method: Normal password (plaintext)
User Name: username

 

Logging

Postfix logs all successful and failed deliveries to /var/log/maillog

saslauthd logs authentication failures to /var/log/auth

 

Additional Information

For additional information refer to postconf(5) and master(5) man pages for Postfix main.cf and master.cf file syntax. The postfix(1) man page provides names of many other man pages related to configuring and running Postfix.

Postfix also provides extensive documentation with examples at http://www.postfix.org/documentation.html

Postfix SMTP AUTH through Dovecot SASL https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/