Postfix – connect from unknown[ip.address]

One server I poke around on, has a number of postfix instances

(see: postmulti).

Interestingly, one instance was logging things like :

Oct 26 22:02:05 mail postfix-blah/smtpd[59158]: connect from unknown[1.2.3.4]
Oct 26 22:02:05 mail postfix-blah/smtpd[59158]: CA9292EE2C0: client=unknown[1.2.3.4]

Continue reading “Postfix – connect from unknown[ip.address]”

Postfixadmin – setup/install guide for virtual mail users on Postfix

This is a re-hash of the various guides I’ve made over the years detailing how to setup a virtual mail server (i.e. one that can handle multiple domains/users).

This guide is based on release 2.3 of Postfixadmin. It’s about the only open source project I contribute to regularly – so I ought to at least make an effort and document it ūüôā

Requirements:

  • Linux Server (Debian, Ubuntu, CentOS, SuSE) or FreeBSD etc
  • PostgreSQL or MySQL database
  • PHP 5.2.x or greater
  • Postfix
  • Courier / Cyrus / Dovecot (as appropriate) (I only use Courier, so am of little help with the others).

Postfixadmin Installation

This assumes version 2.3 or above.

dpkg -i postfixadmin-xxxxx.deb

There are also rpm’s around somewhere for SuSE/RH, a port in FreeBSD or you can install from source.

Using the .deb, the database should be created for you, along with some configuration options being filled in within config.inc.php.

  1. Visit setup.php – it will prompt you to create a setup_password, which needs putting into the config.inc.php file
  2. After editing config.inc.php, re-visit setup.php and follow it through – this will create the admin user and setup the initial DB structure
  3. Your database should now be installed
  4. You may wish to edit other config.inc.php settings (e.g. to turn vacation support on/off or to turn xmlrpc support on/off).

If you perform an upgrade of Postfixadmin in the future, all upgrades to the database should be handled automatically through use of ‘upgrade.php’.

Postfix configuration

There are a few changes that need making to Postfix, firstly – it’s necessary to tell it to use a relational database for various lookups (e.g. aliases and mailboxes); it’s also necessary to configure it to support vacation/auto-reply emails – if you require this functionality.

In my case, I run Postfix on Debian Lenny – other platforms may vary slightly. To attempt at being ‘tidy’ the configuration files for PostgreSQL live in /etc/postfix/pgsql.

(If you’re security concious, then you might want to ensure the database ‘postfix’ user only has read permissions)

Note: I’ve not used the proper alias domains stuff yet – if you wish to use it, check the supplied documentation with Postfixadmin (POSTFIX_CONF.txt)

File: relay_domains.cf

user = postfix
password = something
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = true

File: virtual_alias_maps.cf

user = postfix
password = something
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = true

File: virtual_domains_maps.cf

user = postfix
password = something
hosts = localhost
dbname = postfix
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

File: virtual_mailbox_limits.cf

# Used for QUOTA!
user = postfix
password = something
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'

(Note: I’ve never used quota support, so I can’t guarantee the above is correct)

File: virtual_mailbox_maps.cf

user = postfix
password = something
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

To /etc/postfix/main.cf add the following :

relay_domains = <whatever may have been here before> proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_transport = virtual
virtual_uid_maps = static:8
virtual_gid_maps = static:8
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
# this is only needed if you want vacation support -
transport_maps = hash:/etc/postfix/transport

Adding the 'proxy:' to the various lookup lines should improve performance/scalability.

Courier configuration

Courier needs configuring to know how to authorise clients and where to find mailboxes on disk.

/etc/courier/authdaemonrc :

– Enable the appropriate module – e.g.

authmodulelist=”authpgsql”

And then in ‘authpgsqlrc’ contains :

PGSQL_HOST        localhost
PGSQL_PORT        5432
PGSQL_USERNAME        postfix
PGSQL_PASSWORD        something
PGSQL_DATABASE         postfix
PGSQL_USER_TABLE    mailbox
PGSQL_CRYPT_PWFIELD    password
PGSQL_UID_FIELD¬†¬† ¬†¬†¬† ¬†‘8’
PGSQL_GID_FIELD¬†¬† ¬†¬†¬† ¬†‘8’
PGSQL_LOGIN_FIELD    username
PGSQL_HOME_FIELD¬†¬† ¬†‘/var/mail/vmail’
PGSQL_NAME_FIELD    name
PGSQL_MAILDIR_FIELD    maildir
PGSQL_QUOTA_FIELD    quota

(As you can see, I’ve elected to store the mail under /var/mail/vmail with file ownerships set to 8:8. Your installation may differ – but obviously ensure this is kept in sync with Postfix’s main.cf).

This would probably be a good time to test the system to ensure authentication works correctly – create a virtual mailbox through Postfixadmin and tail -f /var/log/mail.log and see if you can login via pop3/imap etc.

SMTP Authentication

This is often useful to allow remote clients to relay through the server – assuming they can prove who they are!

Postfix can use SASL for authentication  Рthis requires SASL to be told to use imap to perform the authentication checks.

File: /etc/sasl/smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 3
mech_list: PLAIN LOGIN
auxprop_plugin: rimap

On Debian, I have sasl2-bin, libsasl2-modules and libsasl7 packages installed.

You’ll need to edit /etc/default/saslauthd and ensure it has :

OPTIONS=”-c -r¬† -O localhost -m /var/spool/postfix/var/run/saslauthd”

You may also need to explicitly create the above path.

Create /etc/postfix/sasl/smtpd.conf with :

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 3
mech_list: PLAIN LOGIN
auxprop_plugin: rimap

And ensure /etc/postfix/main.cf has :

smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

And smtpd_sender_restrictions contains ‘permit_sasl_authenticated’

Squirrelmail-postfixadmin

If you wish to allow your users to change their passwords/forwarding settings or vacation/auto-reply settings, a postfixadmin plugin is available for squirrelmail (squirrelmail-postfixadmin). You can download it from https://github.com/postfixadmin/postfixadmin/tree/master/ADDITIONS/squirrelmail-plugin

The latest version of the plugin works over XMLRPC and requires very minimal configuration – you’ll need to edit the config file within the plugin to specify the XMLRPC interface URL (http://server/postfixadmin/xmlrpc.php). It’s also necessary to edit the Postfixadmin config.inc.php file to explicitly enable the xmlrpc interface.

Note, when your users go to use the postfixadmin-squirrelmail plugin they will be prompted to enter their mailbox password.