Postfix is the default Mail Transfer Agent (MTA) in Ubuntu. It attempts to be fast and easy to administer and secure. It is compatible with the MTA sendmail. This section explains how to install and configure postfix. It also explains how to set it up as an SMTP server using a secure connection (for sending emails securely).
To install postfix with SMTP-AUTH and Transport Layer Security (TLS), run the following command:
sudo apt-get install postfix
Simply press return when the installation process asks questions, the configuration will be done in greater detail in the next stage.
To configure postfix, run the following command:
sudo dpkg-reconfigure postfix
The user interface will be displayed. On each screen, select the following values:
-
Ok
-
Internet Site
-
NONE
-
mail.example.com
-
mail.example.com, localhost.localdomain, localhost
-
No
-
127.0.0.0/8
-
Yes
-
0
-
+
-
all
Replace mail.example.com with your mail server hostname. |
Now is a good time to decide which mailbox format you want to use. By default
Postifx will use mbox for the mailbox format.
Rather than editing the configuration file directly,
you can use the postconf command to configure
all postfix parameters. The
configuration parameters will be stored in
/etc/postfix/main.cf
file. Later if you
wish to re-configure a particular parameter, you can either
run the command or change it manually in the file.
To configure the mailbox format for Maildir:
sudo postconf -e 'home_mailbox = Maildir/'
This will place new mail in /home/username/Maildir so you'll need to configure your Mail Delivery Agent to use the same path. |
The next steps are to configure postfix to use SASL for SMTP AUTH.
-
Configure Postfix to do SMTP AUTH using SASL (saslauthd):
sudo postconf -e 'smtpd_sasl_local_domain =' sudo postconf -e 'smtpd_sasl_auth_enable = yes' sudo postconf -e 'smtpd_sasl_security_options = noanonymous' sudo postconf -e 'broken_sasl_auth_clients = yes' sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' sudo postconf -e 'inet_interfaces = all'
Open the
/etc/postfix/sasl/smtpd.conf
file and add the following lines to end of the file:pwcheck_method: saslauthd mech_list: plain login
-
Next, configure the digital certificate for TLS. When asked questions, follow the instructions and answer appropriately.
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 sudo mv smtpd.key /etc/ssl/private/ sudo mv smtpd.crt /etc/ssl/certs/ sudo mv cakey.pem /etc/ssl/private/ sudo mv cacert.pem /etc/ssl/certs/
You can get the digital certificate from a certificate authority. Alternatively, you can create the certificate yourself. Refer to Creating a self Signed Certification sub-section for more details.
-
Configure Postfix to do TLS encryption for both incoming and outgoing mail:
sudo postconf -e 'smtpd_tls_auth_only = no' sudo postconf -e 'smtp_use_tls = yes' sudo postconf -e 'smtpd_use_tls = yes' sudo postconf -e 'smtp_tls_note_starttls_offer = yes' sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key' sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt' sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' sudo postconf -e 'smtpd_tls_loglevel = 1' sudo postconf -e 'smtpd_tls_received_header = yes' sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s' sudo postconf -e 'tls_random_source = dev:/dev/urandom' sudo postconf -e 'myhostname = mail.example.com'
-
Turn off the chroot operation for SMTP server. Locate for the following line in
/etc/postfix/master.cf
file:smtp inet n - - - - smtpd
and modify it as follows:
smtp inet n - n - - smtpd
After you run all the commands, the SMTP AUTH is configured with postfix. The self-signed cerficiate is created for TLS and it is configured with postfix. |
Now, the file /etc/postfix/main.cf
should look like this.
The postfix initial configuration is complete. Run the following command to start postfix daemon:
sudo /etc/init.d/postfix start
Now the postfix daemon is installed, configured and run successfully. Postfix supports SMTP AUTH as defined in RFC2554. It is based on SASL. However it is still necessary to set up SASL authentication before you can use SMTP.
The libsasl2-2, sasl2-bin and libsasl2-modules are necessary to enable SMTP AUTH using SASL. You can install these applications if you have not installed them already.
sudo apt-get install libsasl2-2 sasl2-bin
A few changes are necessary to make it work properly. Because Postfix runs chrooted in /var/spool/postfix
, SASL needs to be configured to run in the false root (/var/run/saslauthd
becomes /var/spool/postfix/var/run/saslauthd
):
sudo mkdir -p /var/spool/postfix/var/run/saslauthd
sudo rm -rf /var/run/saslauthd
To activate saslauthd, edit the file /etc/default/saslauthd
, and change or add the START variable. In order to configure saslauthd to run in the false root, add the PWDIR, PIDFILE and PARAMS variables. Finally, configure the MECHANISMS variable to your liking. The file should look like this:
# This needs to be uncommented before saslauthd will be run
# automatically
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
If you prefer, you can use shadow instead of pam. This will use MD5 hashed password transfer and is perfectly secure. The username and password needed to authenticate will be those of the users on the system you are using on the server. |
Next, update the dpkg "state" of /var/spool/portfix/var/run/saslauthd
. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:
sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
SMTP AUTH configuration is complete. Now it is time to start and test the setup. You can run the following command to start the SASL daemon:
sudo /etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly, run the following command:
telnet mail.example.com 25
After you have established the connection to the postfix mail server, type:
ehlo mail.example.com
If you see the following lines among others, then everything is working perfectly. Type quit to exit.
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME