This took some time, so I thought I might share it. If you have any improvements or comments, feel free to contribute.
The scenario: we have multiple Postfix mail relay servers sitting behind various ISPs in various clouds or data centres, and they all point to a single mail server (cluster) running Zimbra, of course. It took some time to get these MXs to do the right thing with SMTP, TLS and SASL.
The MX sits behind a VyOS firewall on a private IP (172.16.1.25); the firewall publishes TCP 25 and 465 for the communications.
First, apt-get install postfix on a clean Ubuntu 14 LTS server and choose the "Satellite system" profile when the package configuration dialog (dpkg-reconfigure) asks you to.
Then fetch the TLS and SASL dependencies:
apt-get install sasl2-bin postfix-tls libsasl2-modules
The socket paths in /run between saslauthd and Postfix do not line up: smtpd runs chrooted in /var/spool/postfix (the chroot column in master.cf), so it cannot see the saslauthd socket at /var/run/saslauthd/mux. A mess of security and other oddness. So, in a quick and dirty way, we fix this on reboot in a script called /etc/postfix/fixlink.sh:
#!/bin/sh
# Move the saslauthd socket directory inside the Postfix chroot and
# point the old path at it, so both daemons agree on where the mux socket lives.
rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
# The postfix user must be able to reach the socket: group sasl owns it.
chgrp sasl /var/spool/postfix/var/run/saslauthd
service postfix restart
/etc/init.d/saslauthd start
To get Postfix to accept the PLAIN and LOGIN SASL mechanisms (checked against saslauthd), configure the file /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
You can find some more details on the how and why here.
Now for the meat and potatoes, the /etc/postfix/main.cf file:
inet_interfaces = all
myhostname = mx01.yourdomain.com
mynetworks = 192.168.0.0/16, 127.0.0.1, 172.16.1.26
myorigin = mydomain.com
mydestination =
smtpd_banner = $myhostname ESMTP
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_enforce_tls = no
# TLS parameters
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/commercial.crt
smtpd_tls_key_file = /etc/postfix/commercial.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4, RC4-MD5
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
# Sasl
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
# Limits
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
local_recipient_maps =
local_transport = error:no local delivery
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
relay_domains = domain1.com domain2.com and some more domains
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unverified_recipient
address_verify_negative_cache = no
unverified_recipient_reject_code = 550
maximal_queue_lifetime = 21d
relayhost = [your.mail.cluster.local]
Change the site-specific values (hostname, networks, domains, certificate paths and relayhost) where appropriate, of course.
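The settings in main.cf that keep this box from becoming an open relay or leaking SASL passwords are easy to break with a stray edit, so here is a small checker for them. This is an added example, not part of the original post: it parses main.cf syntax (including continuation lines) and applies a handful of rules derived from the configuration above; the function names and the constructed RELAY_MAIN_CF excerpt are mine.

```python
import re

# Constructed excerpt of the relay's main.cf (same values as the post above; one continuation line included on purpose).
RELAY_MAIN_CF = """
mynetworks = 192.168.0.0/16, 127.0.0.1, 172.16.1.26
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, reject_unverified_recipient
relayhost = [your.mail.cluster.local]
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comments, and continuation lines (leading whitespace)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()   # continuation of the previous value
            continue
        key, _, value = (s.strip() for s in raw.partition("="))
        params[key] = value
    return params

def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def lint_relay(params):
    """Return findings that would make this MX an open relay or expose SASL credentials; [] means it passes."""
    findings = []
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("open relay: reject_unauth_destination missing")
    elif "permit" in restr[:restr.index("reject_unauth_destination")]:
        findings.append("open relay: bare 'permit' before reject_unauth_destination")
    if (params.get("smtpd_sasl_auth_enable") == "yes"
            and params.get("smtpd_tls_auth_only") != "yes"):
        findings.append("AUTH PLAIN/LOGIN offered without TLS: set smtpd_tls_auth_only = yes")
    if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    if params.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level unset: STARTTLS never offered")
    if "0.0.0.0/0" in split_list(params.get("mynetworks", "")):
        findings.append("mynetworks trusts 0.0.0.0/0: permit_mynetworks relays for anyone")
    return findings
```

Run it against the real file with `lint_relay(parse_main_cf(open("/etc/postfix/main.cf").read()))`; note that `postconf -n` output uses the same syntax and also works as input.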
As you can see, we use some SSL certificates. Ours come from our own private CA, but you can use self-signed ones as well; just remember to cat the issuing CA certificate into the CRT file and have no passphrase on your key (Postfix reads it at startup without prompting). A lengthy explanation on the how and what can be found here.
Now the /etc/postfix/master.cf: un-comment (or add) the submission and smtps services together with their -o override lines shown below, and if all is equal, it should work. Note that the firewall in this setup only publishes TCP 25 and 465, so the submission service on 587 is only reachable from the inside.
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
#local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}