Posts Tagged postfix

Configure Microsoft Outlook Express

Posted by Filed Under Mail Client with Comments Off

Configure Microsoft Outlook Express with TLS and SMTP_AUTH.  This is a common issue that administrators can overlook for users who insist on using Outlook Express.  The setup for secure login and sending email is not intuitive.

For more information on how to configure Postfix you can consider Postfix Self-Directed Course or the Postfix Live Course.

First you need to create the account, so choose Tools-Accounts-Add.  The Display name is simply how it will look in the list.

Enter the full email address here.

Select IMAP for your mail server.  This gives you several ways to access your mail, web based or on your desktop.  Your mail server must have a FQDN (Fully Qualified Domain Name), in other words three parts separated by periods: the hostname and the domain.  If you do not know the mail server name, find out before you continue.  The outgoing mail server must also be listed; the two are typically the same.

Provide an account name, again this will typically be the full email address, so this could be test@example.com.  Enter your password if you want to have it check that automatically.

This will complete the first stage.

Once it is created, right click the account and choose properties.  Now fill in the email address if not done so already.

Go to the Server tab and be sure the incoming and outgoing mail servers are set.  Also verify the email address and that you have the password set if you want it to be automatic.

At the bottom of the page you see the “Outgoing Mail Server”, check this box and select Settings.  Your email account can be used to authenticate when you send email.  This is SMTP_AUTH: it allows only people with email accounts on the server to send email through it.  In other words, this is what stops spammers from using your mail server as a relay but still allows you to send email.

Now go to the Advanced tab.  Make sure your mail is going out on port 25 and you have selected the SSL option, as you see.  Also, be sure to select 993 for incoming and SSL.  What this does is provide encrypted communication between the user and your mail server.

That completes the Microsoft Outlook Express configuration.  Now you can allow those Microsoft users to start enjoying the security and stability of Postfix.

Policy Banks with Amavis

Posted by Filed Under Filters with Comments Off

Amavisd-new provides Policy Banks that allow you to manage messages based on the client or sender.  For example, if you wanted senders to be able to send to email lists without using server resources to scan these outgoing messages with SpamAssassin and ClamAV, you could create a Policy Bank.

Solution: Specify Clients Who Can Bypass Scanning
This solution will allow the mail server to avoid the scanning process to save on system resources.  It requires you to add an additional port so you can separate the options.

master.cf
Notice that there are two ports here.  Port 10024 assumes you are using it with Amavis to scan incoming mail, with a re-injection port.  Port 10026 is where the outgoing mail is sent separately so that it avoids scanning and saves resources on your server.
# The -o lines must start with whitespace so Postfix reads them as part of the service entry above them.
smtp inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
4025 inet  n       -       n       -       -       smtpd
  -o mynetworks=127.0.0.0/8,192.168.1.0/24
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtp-amavis unix    -       -       n       -       6     smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n    -       n       -       -     smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes

You need to add the additional port and set up the Policy Bank in amavisd.conf.

$inet_socket_port = [10024, 10026];

Set up the Policy Bank named SERVER and bind it to port 10026.
$interface_policy{'10026'} = 'SERVER';

$policy_bank{'SERVER'} = {  # Server mail submitted to port 4025
  originating => 1,  # mail submitted by server
  bypass_spam_checks_maps   => [1],  # no spam check
  bypass_banned_checks_maps => [1],  # no banned check
  bypass_header_checks_maps => [1],  # no header checks
};

Alternatively, mail sent to port 4025 can avoid the content filter altogether.  The IP addresses you place in the amavis_bypass_client file control which clients are able to use this option.

4025 inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject

The reject will stop other clients from having this option.

contents of /etc/postfix/amavis_bypass_client:
192.168.7.9 OK
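
A check for the point above, that the trailing reject is what keeps other clients off the bypass port. This is an added example, not part of the original post: it parses master.cf and reports smtpd listeners that skip scanning without a restriction list ending in reject. Port 4026 and the bypass_filters parameter are hypothetical, and main.cf is assumed to set no global content_filter.

```python
"""Added example: flag smtpd listeners in master.cf that skip content
filtering without a deny-by-default restriction list."""

# Constructed sample: the listeners described in the text, plus one
# deliberately misconfigured service (hypothetical port 4026).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
4025      inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject
4026      inet  n       -       n       -       -       smtpd
  -o content_filter=
smtp-amavis unix  -     -       n       -       6       smtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

RESTRICTION_KEYS = ("smtpd_client_restrictions", "smtpd_recipient_restrictions")


def parse_master_cf(text):
    """Return one dict per service. A line that starts with whitespace
    continues the previous service entry, as in Postfix itself."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not services:
                raise ValueError("continuation before any service: %r" % raw)
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            # An unindented "-o name=value" line ends up here.
            raise ValueError("malformed service line: %r" % raw)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        svc["overrides"] = {}
        args = svc["args"]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                key, _, value = args[i + 1].partition("=")
                svc["overrides"][key] = value
    return services


def ends_in_reject(value):
    """True when the last restriction in the list is a bare 'reject'."""
    tokens = value.replace(",", " ").split()
    return tokens[-1:] == ["reject"]


def unfiltered_listeners(services, bypass_filters=()):
    """Return (service name, filter) for inet smtpd services whose mail is
    not scanned and whose restriction lists are not deny-by-default.
    bypass_filters names content_filter destinations that skip scanning,
    such as the policy bank port."""
    findings = []
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        content_filter = svc["overrides"].get("content_filter", "")
        if content_filter and content_filter not in bypass_filters:
            continue  # handed to a scanning filter
        if not any(ends_in_reject(svc["overrides"].get(key, ""))
                   for key in RESTRICTION_KEYS):
            findings.append((svc["name"], content_filter or "(none)"))
    return findings


if __name__ == "__main__":
    for name, filt in unfiltered_listeners(parse_master_cf(SAMPLE_MASTER_CF)):
        print("listener %s skips scanning (filter: %s) and is open to any client"
              % (name, filt))
```

Ending in reject is a heuristic: it shows the list is deny-by-default, not that the permitted networks or table entries are narrow enough.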

Once you have made the changes you want, restart Postfix and amavis and check network connections to verify your ports are listening.  You should see these four ports.

netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:10026             0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4025                0.0.0.0:*                   LISTEN

Examples of what you should see in logs.
Outgoing Mail Scanned with Spamassassin before changes.
Mail sent out is tagged as SPAMMY and scores 6.282
Jan 30 06:22:58 mail postfix/pickup[9525]: C22BA73479D: uid=501 from=<tom>
Jan 30 06:22:58 mail postfix/cleanup[9600]: C22BA73479D: message-id=<20100130132258.C22BA73479D@mail.testexample.com>
Jan 30 06:22:58 mail postfix/qmgr[9526]: C22BA73479D: from=<tom@testexample.com>, size=309, nrcpt=1 (queue active)
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms

After Changes  No Scan
This indicates that Spamassassin did not scan the mail as there are no hits.
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms

Incoming Mail Indicates it is Scanned
Jan 30 17:40:38 mail amavis[19274]: (19274-01) 2822.From: <joe@example.com>

Jan 30 17:40:38 mail amavis[19274]: (19274-01) collect banned table[0]: tom@testexample.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x983e7a0)
Jan 30 17:40:38 mail amavis[19274]: (19274-01) p.path tom@testexample.com: "P=p001,L=1,M=text/plain,T=asc"
Jan 30 17:40:43 mail amavis[19274]: (19274-01) spam_scan: score=6.283 autolearn=no tests=[FH_DATE_PAST_20XX=3.384,TVD_SPACE_RATIO=2.899]
Jan 30 17:40:43 mail amavis[19274]: (19274-01) do_notify_and_quar: ccat=Spammy (5,0) ("5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth=
Jan 30 17:40:43 mail amavis[19274]: (19274-01) SPAM-TAG, <joe@example.com> -> <tom@testexample.com>, Yes, score=6.283 tagged_above=2 required=6.2 tests=[FH_DATE_PAST_20XX=3.384, TVD_SPACE_RATIO=2.899] autolearn=no
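
The "Hits: -" marker shown above can be used to audit which mail is skipping the spam scan. This is an added example, not part of the original post: it parses amavis summary lines in the format quoted above and flags unscanned mail whose sender is outside your own domains. The third sample line is constructed, and treating testexample.com as the only local domain is an assumption.

```python
"""Added example: list mail that amavis passed without a spam score."""
import re

# Matches the "Passed/Blocked" summary line format quoted in the text.
SUMMARY = re.compile(
    r"amavis\[\d+\]: \((?P<job>[\w-]+)\) (?P<verdict>Passed|Blocked) "
    r"(?P<category>[\w-]+), <(?P<sender>[^>]*)> -> <(?P<recipient>[^>]*)>"
    r".*? Hits: (?P<hits>-|-?[\d.]+),"
)

SAMPLE_LOG = [
    # Quoted in the text: outgoing mail scanned before the change.
    "Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, "
    "<tom@testexample.com> -> <joe@example.com>, Message-ID: "
    "<20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, "
    "Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms",
    # Quoted in the text: outgoing mail after the change, not scanned.
    "Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, "
    "<tom@testexample.com> -> <joe@example.com>, Message-ID: "
    "<20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, "
    "Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms",
    # Constructed: unscanned mail from an outside sender, which should not happen.
    "Jan 30 07:15:02 mail amavis[10249]: (10249-02) Passed CLEAN, "
    "<promo@bulk.example.net> -> <tom@testexample.com>, Message-ID: "
    "<constructed-1@bulk.example.net>, mail_id: CONSTRUCTED01, "
    "Hits: -, size: 5120, queued_as: 0000000000A, 120 ms",
    # Quoted in the text: a non-summary line, ignored by the parser.
    "Jan 30 17:40:43 mail amavis[19274]: (19274-01) spam_scan: score=6.283 "
    "autolearn=no tests=[FH_DATE_PAST_20XX=3.384,TVD_SPACE_RATIO=2.899]",
]


def parse_summaries(lines):
    """Return one record per summary line; score is None when not scanned."""
    records = []
    for line in lines:
        match = SUMMARY.search(line)
        if match is None:
            continue
        record = match.groupdict()
        record["scanned"] = record["hits"] != "-"
        record["score"] = float(record["hits"]) if record["scanned"] else None
        records.append(record)
    return records


def unscanned_report(lines, local_domains):
    """Return unscanned messages; 'expected' is False when the sender's
    domain is not one of ours, meaning the bypass is wider than intended."""
    local = {domain.lower() for domain in local_domains}
    report = []
    for record in parse_summaries(lines):
        if record["scanned"]:
            continue
        domain = record["sender"].rpartition("@")[2].lower()
        report.append({
            "job": record["job"],
            "sender": record["sender"],
            "recipient": record["recipient"],
            "expected": domain in local,
        })
    return report


if __name__ == "__main__":
    for row in unscanned_report(SAMPLE_LOG, {"testexample.com"}):
        status = "ok" if row["expected"] else "REVIEW"
        print("%-6s %s %s -> %s" % (status, row["job"], row["sender"], row["recipient"]))
```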

Securing PostfixAdmin

Posted by Filed Under Postfixadmin with Comments Off

Securing the PostfixAdmin Directory on Ubuntu
Many administrators who use PostfixAdmin, a web based tool to manage virtual domains on Postfix, would like to secure the transactions between the PostfixAdmin program and the administrator.  At the same time, you often do not want to add the extra burden of SSL on the whole domain but just want to secure one directory.  The solution is to create a certificate for that one directory only and also to lock that directory with a password so only administrators can gain access.  The example is on an Ubuntu 9.10 server, which will be very similar to most server procedures.

Enable the SSL module using the “a2enmod” command.

sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

SSL Security with Apache
The next thing you’ll need for this is a server certificate.  There are two ways to get one.  You can either create your own self-signed certificate, or you can request one from a commercial Certificate Authority.  A self-signed one will work fine if you’re just using it for your organization’s internal operations.  But, if you’re dealing with the public, you’ll want a commercial certificate that verifies that you are who you say you are.

SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing or administrator passwords.

SSL is a protocol that uses TCP/IP on behalf of higher-level protocols like HTTP.  This protocol allows an SSL-enabled server to authenticate itself to an SSL-enabled client.  In order to use SSL the client must request a connection on port 443 instead of the typical port 80 used by a web browser.

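For either a self-signed or a commercial certificate, you’ll first need to create an encryption key.  The session below generates a 1024-bit key; RSA keys shorter than 2048 bits are no longer considered adequate, so use 2048 or more on a current system: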

sudo openssl genrsa -des3 -out server.key 1024
Password:
Generating RSA private key, 1024 bit long modulus
…………………….++++++
……………………….++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

You’ll now use this key to create a certificate request:

sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: ubmail.example.com/postfixadmin
Email Address []:fsmith@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you need a commercial certificate, you’ll now send this request to a commercial CA.  If you’re creating your own self-signed certificate, you’ll use this request in the next step:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=MT/L=TC/O=MyCompany/CN=ubmail.example.com/postfixadmin/emailAddress=fsmith@example.com
Getting Private key
Enter pass phrase for server.key:

Now, you’ll need to install the key and certificate by copying them to the appropriate directories:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Open the /etc/apache2/sites-available/your_site_file  for editing.  In the “Virtual Host” section, under the “DocumentRoot” line, modify the following lines:

DocumentRoot  /var/www/my_website/postfixadmin

The goal is to affect only the postfixadmin directory of your site, so that users can go to the other locations as normal without knowing that the postfixadmin directory is handled differently.

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Save and exit.

Enable the default SSL site:
Or enable  your site.  Remember if you are using virtual hosting you will have to use IP Based virtual hosting to assign the SSL to an IP Address.

sudo a2ensite default-ssl

After all of this is done, restart Apache:

service apache2 restart

Apache/2.2.12 mod_ssl/2.2.12 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.1.1:80 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
[ ok ]

Now that you’ve installed  the private encryption key, you’ll need to supply your passphrase every time you start or restart Apache.

Once you get the “https” prefix right, you’ll get this if you’re using a self-signed certificate.  You will have the choice to accept or reject the self-signed certificate.

You can accept the certificate, but you’re not through yet.  There’s also the little detail of having a domain name on the certificate that doesn’t match the URL.

You can choose to view the certificate before deciding whether to accept or reject it.

You can see from the example above that the attempt to connect using regular http will not allow a connection but also you can see that if you type https://ubmail.example.com/postfixadmin it sends you to a secure login for the postfixadmin and you can use it securely.

Password Protected Directory
Now lock down the directory so only an administrator with a password can get access.

Apache provides Password Authentication to directories using the htpasswd program. The first thing that needs to be done is to decide on where to place these password files. It is important that they are not placed in areas that are easily accessed as they should only be read by apache. It is probably best to place them in the /etc/apache2 directory. You may even want to create a separate more secure directory called within /etc/apache2. Use the htpasswd program to initialize a file for sales for example:

sudo htpasswd -c /etc/apache2/postfixadmin tom

The program will request a password and then to confirm the password. The -c option creates the file so DO NOT USE IT THE SECOND TIME!!!! If you do it will wipe out the first users you placed in the file. The password file will contain passwords for any number of people you want to have access to this folder. For example if you wanted to add mary later you would use this command:

sudo htpasswd /etc/apache2/postfixadmin mary

The next step is to make sure the permissions are correct on the password files. Change the owner to apache and change permissions to 600.

sudo chown www-data:www-data /etc/apache2/postfixadmin

The owner and group were changed to www-data. Note you will need to verify these permissions each time changes are made to the file.

sudo chmod 600 /etc/apache2/postfixadmin

Now the file rights are rw for the owner and nothing for group or other. This is an important setting.

Once a password file has been created, the directory that needs to be protected should be setup in the config file for your web server. The Directory directive is used to create the context of the file by using:

<Directory >
</Directory>

The first line shows which directory the password will protect.

<Directory /var/www/postfixadmin>

The second line determines the kind of authentication, which is Basic.

AuthType Basic

The AuthName will show on the login this text string to verify which group should use this directory.

AuthName "Admin Group"

The AuthUserFile is the file location for the password file.

AuthUserFile /etc/apache2/postfixadmin

Each user allowed into the directory is listed by name and must also have a password entry in the /etc/apache2/postfixadmin password file.  “require user” ensures that no one except the listed users will be able to use this directory.

require user tom jane mary joe

If there were a lot of people using the directory one password could be given to all users in the admin group for example.

<Directory /var/www/postfixadmin>
  AuthType Basic
  AuthName "Admin Group"
  AuthUserFile /etc/apache2/postfixadmin
  require user tom jane mary joe
</Directory>
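
The checks described in this section (mode 600, a location outside the web tree, and the risk that a repeated -c drops users) can be automated. This is an added example, not part of the original post: the function names are hypothetical and the password hashes in the demo file are constructed placeholders.

```python
"""Added example: audit an Apache htpasswd file against the settings in the text."""
import os
import stat
import tempfile

# The <Directory> block from the text, used to read the "require user" list.
DIRECTORY_BLOCK = """\
<Directory /var/www/postfixadmin>
  AuthType Basic
  AuthName "Admin Group"
  AuthUserFile /etc/apache2/postfixadmin
  require user tom jane mary joe
</Directory>
"""


def required_users(conf_text):
    """Return the names listed on 'require user' lines."""
    users = []
    for line in conf_text.splitlines():
        words = line.split()
        if len(words) > 2 and [w.lower() for w in words[:2]] == ["require", "user"]:
            users.extend(words[2:])
    return users


def htpasswd_users(path):
    """Return the user names stored in an htpasswd file (name:hash per line)."""
    with open(path, encoding="utf-8") as handle:
        return [line.split(":", 1)[0] for line in handle
                if ":" in line and not line.startswith("#")]


def audit_htpasswd(path, docroot, conf_text, expected_owner=None):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    info = os.stat(path)
    mode = stat.S_IMODE(info.st_mode)
    if mode != 0o600:
        findings.append("mode is %03o, expected 600" % mode)
    if expected_owner is not None:
        import pwd  # POSIX only
        try:
            owner = pwd.getpwuid(info.st_uid).pw_name
        except KeyError:
            owner = str(info.st_uid)
        if owner != expected_owner:
            findings.append("owner is %s, expected %s" % (owner, expected_owner))
    real_path, real_root = os.path.realpath(path), os.path.realpath(docroot)
    if os.path.commonpath([real_path, real_root]) == real_root:
        findings.append("password file is inside the DocumentRoot")
    # A second "htpasswd -c" recreates the file, so users vanish silently.
    missing = sorted(set(required_users(conf_text)) - set(htpasswd_users(path)))
    if missing:
        findings.append("listed in 'require user' but missing from the file: "
                        + ", ".join(missing))
    return findings


def demo(inside_docroot=False):
    """Build a constructed password file in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "www", "postfixadmin")
        confdir = os.path.join(base, "etc", "apache2")
        os.makedirs(docroot)
        os.makedirs(confdir)
        path = os.path.join(docroot if inside_docroot else confdir, "postfixadmin")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write("tom:$apr1$constructed$notARealHash000000000\n")
            handle.write("mary:$apr1$constructed$notARealHash111111111\n")
        os.chmod(path, 0o644)  # deliberately too open
        return audit_htpasswd(path, docroot, DIRECTORY_BLOCK)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the server itself, call audit_htpasswd("/etc/apache2/postfixadmin", "/var/www", DIRECTORY_BLOCK, expected_owner="www-data") after every change to the password file.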

Once you have saved this restart apache and then you can see below that now not only is it encrypted but users have to have a password to access the directory.

PostfixAdmin on Ubuntu 9.10

Posted by Filed Under Postfixadmin with Comments Off

PostfixAdmin provides a way to manage your virtual accounts, multiple domains, using a web based interface.  Once it is set up it is very easy to use.  This install process is not easy to do as there are many commands and a lot of configuration that must be done without mistakes.  If you would like a Live Virtual Class for Postfix, click on the link for more information.  To get started you will need to install postfix and dovecot-postfix.

apt-get install postfix dovecot-postfix

If you install Postfix at install you can just choose this option.

Install The Postfix Mail Server

When you have the options to choose what type of mail site select “Internet Site” and enter the domain you will use as the canonical or main domain.  Note the canonical domain cannot be listed as a virtual domain.

The next step is to use MySQL for the virtual users and configure dovecot-postfix to connect to the MySQL database.

Install MySQL and Postfix MySQL

apt-get install mysql-server postfix-mysql

When you install MySQL it will require a password for the root user for MySQL, do not confuse this with the root user on the system…and write down the password you use…you will need it.

Now secure the user and create the database.

Start  MySQL

mysql -u root -p

CREATE DATABASE postfix;
CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL ON postfix.* TO 'postfix'@'localhost';

Install PostfixAdmin

The PostfixAdmin program is a web based administration panel for Postfix.  There are several advantages for this program.  It is an easy interface to work with to install new domains, users and of course set up autoresponders for your users.  You still have to be able to work at the command line to set up Postfix features however.  You need to install PHP5 and apache2 as well and several helper programs.

sudo apt-get install apache2 php5 php5-mysql php5-imap

sudo  /etc/init.d/apache2 restart

Once that is done you should be able to see the default web server page when you point your browser to the server IP Address.

Move to the /var/www directory

cd /var/www

Download  postfixadmin

wget http://downloads.sourceforge.net/sourceforge/postfixadmin/postfixadmin_2.3rc7.tar.gz

tar -zxvf postfixadmin_2.3rc7.tar.gz

Rename the directory and remove the tarball

mv postfixadmin-2.3rc7 postfixadmin
rm postfixadmin_2.3rc7.tar.gz

Set the configuration for postfixadmin

cd postfixadmin
nano config.inc.php

$CONF['configured'] = true;
$CONF['postfix_admin_url'] = $_SERVER['HTTP_HOST'].'/postfixadmin';
$CONF['database_password'] = 'your_password_for_the_db';

Update the following variables to what makes sense for your installation
$CONF['admin_email']
$CONF['default_aliases']

Change this line to “true” as seen to verify a completed configuration.
$CONF['configured'] = true;

Save

Point your browser to: http://server_ip/postfixadmin/setup.php.

You will see an overview of settings that you need to configure…fix all problems before you proceed.

Refresh the setup page each time you make a change to verify it is fixed.

At the bottom you will see that you will need to create a password.

You will need to place the hashed password that is created in config.inc.php.

nano config.inc.php

Update $CONF['setup_password']
Save

Now create a new admin with an email.

At this point you need to set up the connections to the MySQL database.  To do this you need to create 4 files so that MySQL and Postfix can communicate.

cd /etc/postfix
nano my_alias_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address = '%s' AND active = 1

Save

nano my_domains_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = 0 AND active = 1

Save

nano my_mailbox_limits.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username = '%s' AND active = 1

Save

nano my_mailbox_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username = '%s' AND active = 1

Save

Edit the main.cf file.

virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

virtual_alias_maps = proxy:mysql:/etc/postfix/my_alias_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/my_mailbox_limits.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/my_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/my_mailbox_maps.cf

Comment out  or delete these options.
#home_mailbox = Maildir/
#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"

You cannot have virtual domains listed in the mydestination option.

Save

Edit the master.cf

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -f ${sender} -d ${recipient}

Save

Create /var/vmail and a user for permissions.

useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail/

Finally, you have to make some changes to the dovecot configuration so that it accepts the mail and delivers it.

cd /etc/dovecot
Edit dovecot-sql.conf

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=db_password
default_pass_scheme = MD5-CRYPT

user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = 1

password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid FROM mailbox WHERE username = '%u' AND active = 1

Save

Edit dovecot-postfix.conf

Adjust several settings.

mail_location = maildir:/var/vmail/%d/%n
first_valid_uid = 150
last_valid_uid = 150

passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}

Save

Restart both services so changes take effect

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

If you are still having problems consider the Postfix Mail Server Course.


Postfix: Bayesian Learning System

Posted by Filed Under Spam Control with Comments Off

Learning System
You can additionally tune SpamAssassin to learn about your email.  Two programs are used together to create this learning system: autowhitelisting and Bayesian filtering.  Autowhitelisting is an algorithm that learns about each sender’s history and modifies the spam score of their subsequent mail.  This should reduce false positives.  Autowhitelisting develops a database entry for each sender’s mail address and IP address.  Each time a message is received from that sender the score is added to the database score for that sender.  The sender’s average, the total score divided by the number of messages, is used to modify any new messages.

The most important issue with autowhitelisting is the weight you place on the sender history.  The auto_whitelist_factor directive sets the multiplier, between 0 and 1.  The default is .5, which will make the final score halfway between the message spam score and the sender’s average.  If you wanted to increase the weight, set the factor to 1.

The system-wide autowhitelist with amavisd.
Edit the /etc/mail/spamassassin/local.cf

auto_whitelist_path
auto_whitelist_file_mode

Sitewide Bayesian Filtering for Amavisd
The idea behind Bayesian filtering is that it learns aspects of email that help it distinguish between spam and non-spam.  The advantage is that it can facilitate a more accurate spam filtering process.  The Bayesian rules set up baselines that determine how much each feature should change the probability that the email is spam.  Some features are likely to appear in spam, thus increasing the probability, and others typically do not appear in spam, thus reducing the probability.
Edit the /etc/mail/spamassassin/local.cf

use_bayes 1
bayes_path /var/amavisd/bayes/bayes

Create the directories you need in /var: amavisd and its subdirectory bayes.  Be sure to chmod 700 the database file so no others can access it.  The user is vscan, as set up in the /etc/amavisd.conf file, so that user must have access to the file.  With the new version of SpamAssassin the bayes_path value must not end in a folder, so add the name bayes to it as in the example.

chown -R vscan:vscan /var/amavisd/

ls -la /var/amavisd/bayes/
total 8
drwx------ 2 vscan vscan 4096 May 11 07:32 .
drwx------ 3 vscan vscan 4096 May 11 07:32 ..

Postfix Features

Posted by Filed Under Postfix Configuration with Comments Off

Sometimes when you are working with Postfix you may be on an older version that does not support a feature you need.  Here is a list of the version and the major features that were added for that version.

Postfix 2.5 Stress-dependent configuration
Postfix 2.3 DKIM, DomainKeys and SenderID authentication, DSN status notifications, Enhanced status codes, Plug-in support for multiple SASL implementations (Cyrus, Dovecot), Configurable delivery status notification message text, Sender-dependent SMTP relay lookup, Sender-dependent SASL password lookup, Sendmail Milter (mail filter) protocol
Postfix 2.2 Connection cache for SMTP, IP version 6, TLS encryption and authentication, SMTP server per-client rate and concurrency limits, CDB database, Masquerading addresses in outbound SMTP mail, Selective address rewriting
Postfix 2.1 Access control per client/sender/recipient/etc., Address probing callout, Greylisting plug-in, SPF plug-in
Postfix 2.0 MIME (including 8BITMIME to 7BIT conversion), PostgreSQL database
Postfix 1.1 QMQP server, Content filter, VERP envelope return addresses
Postfix 1.0 ETRN on-demand relay, LMTP client, Pipelining (SMTP client and server), SASL authentication, Berkeley DB database, DBM database, LDAP database, MySQL database, Maildir and mailbox format, Virtual domains

Compiling SASL Packages with Postfix

Posted by Filed Under Compile Postfix with Comments Off

Environment variables, CCARGS for instance, provide the options that the Postfix build needs.

AUXLIBS – If you build support for any additional applications you may need to tell the linker where to look for the additional libraries for those programs.  The standard location for system libraries is /usr/lib.  If you want the linker to look for additional libraries you must indicate that with the -L option.

CentOS Example
AUXLIBS='-L/usr/lib'

However, that is not enough because you must also indicate the specific library to link to with the -l option.  Library files start with lib and will have an extension of .a for static libraries, .so for a shared object or .sl for a shared library.  If the -l is used the library is referred to without the lib and without the file extension.  So if you were going to add MySQL and mysqlclient it would look like this:

CentOS Example
AUXLIBS='-L/usr/lib/mysql -L/usr/lib -lmysqlclient -lz -lm'

CC – Postfix will use the gcc compiler.  If you want to use a different one you will need to indicate that specifically.  If you look in the makedefs file you will see this text indicating the default is gcc: "${CC-gcc}".

CCARGS – This will supply any additional arguments you want to make to the compiler.  This is used to indicate files that you need that are not in default locations.

DEBUG – This will provide debugging levels that you may want to use.  Typically you will want to increase debugging levels when you initially build Postfix for testing and then eliminate it when you build the final version for your production server.

OPT – These are optimization levels that you can set if you need your Postfix Mail Server to function at higher levels.

The compiler options can be set using CCARGS.  The standard location for the header files that you need is /usr/include.  If you need to indicate an alternative location for header files you would use CCARGS to indicate that.  The -I option is used for each additional directory the compiler should search.

CCARGS='-I/usr/local/include/'

The -D option gives you a method of defining a macro to include support for a particular program you want to include.  So that you could tell Postfix to include support for the MySQL macro, HAS_MYSQL like this:

CCARGS='-DHAS_MYSQL'

If you want to change the location of directories you will need to include the Macro Name and the location where you want to place the directory.

make makefiles CCARGS='-DDEF_CONFIG_DIR=\"a/location\"'

Parameters whose defaults can be specified in this way are:

Macro name          default value for    typical default
DEF_COMMAND_DIR     command_directory    /usr/sbin
DEF_CONFIG_DIR      config_directory     /etc/postfix
DEF_DAEMON_DIR      daemon_directory     /usr/libexec/postfix
DEF_DATA_DIR        data_directory       /var/lib/postfix
DEF_MAILQ_PATH      mailq_path           /usr/bin/mailq
DEF_HTML_DIR        html_directory       no
DEF_MANPAGE_DIR     manpage_directory    /usr/local/man
DEF_NEWALIAS_PATH   newaliases_path      /usr/bin/newaliases
DEF_QUEUE_DIR       queue_directory      /var/spool/postfix
DEF_README_DIR      readme_directory     no
DEF_SENDMAIL_PATH   sendmail_path        /usr/sbin/sendmail

Parameter Changes for the Environment
When you want to make changes to the parameters you will need to execute the build with two steps so that you can modify the Makefile.  Here is an example of some changes you could make.

make makefiles CCARGS='-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" \
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" \
-DHAS_MYSQL -I/usr/src/mysql/include/mysql' \
AUXLIBS='-L/usr/src/mysql/lib/mysql -lmysqlclient'

On any server that you are compiling Postfix on, you need to take into account where the additional programs are that you want to compile with Postfix.  These directories will be in different locations depending upon the distro that you are using.

One application you may want to compile with Postfix is SASL support.  The illustration uses CentOS, but you can see how you would change directories for Ubuntu or Debian and it can work that way also.  Use yum to find out information on your version, as you may have to make changes based on version.  Here you can see cyrus-sasl is version 2.1.22.

yum info cyrus-sasl

Name       : cyrus-sasl
Arch       : i386
Version    : 2.1.22
Release    : 4
Size       : 4.6 M
Repo       : installed
Summary    : The Cyrus SASL library.
URL        : http://asg.web.cmu.edu/sasl/sasl-library.html
License    : Freely Distributable
Description: The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding
: authentication support to connection-based protocols.

The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

On some systems this generates the necessary Makefile definitions:

% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"

(for Cyrus SASL version 2.1.x):

% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl2"

Why this won't work: on CentOS the SASL header files are in /usr/include/sasl, not /usr/local/include/sasl.
ls /usr/include/sasl
hmac-md5.h  md5global.h  md5.h  prop.h  sasl.h  saslplug.h  saslutil.h

Modified
make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"

make upgrade

ldd `postconf -h daemon_directory`/smtpd
linux-gate.so.1 =>  (0x00bfc000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00464000)
libdb-4.3.so => /lib/libdb-4.3.so (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00207000)
libresolv.so.2 => /lib/libresolv.so.2 (0x003fc000)
libc.so.6 => /lib/libc.so.6 (0x0021e000)
libdl.so.2 => /lib/libdl.so.2 (0x00d22000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00362000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00d28000)
/lib/ld-linux.so.2 (0x00bb9000)

Compile MySQL with Postfix on CentOS

Posted by Filed Under Compile Postfix with Comments Off

CentOS MySQL Support
You may want to use MySQL to store passwords of accounts, especially when you are working with virtual mailboxes.  One thing to note when you compile Postfix is to make good use of the READMEs, as they are very helpful.  Be sure that the paths are correct for your distro.  Here you can see the changes necessary for CentOS.

This is in the README
make -f Makefile.init makefiles \
'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include' \
'AUXLIBS=-L/usr/local/mysql/lib -lmysqlclient -lz -lm'

Modified
make -f Makefile.init makefiles \
'CCARGS=-DHAS_MYSQL -I/usr/include/mysql -I/usr/include' \
'AUXLIBS=-L/usr/lib/mysql -L/usr/lib -lmysqlclient -lz -lm'

ldd `postconf -h daemon_directory`/smtpd
linux-gate.so.1 =>  (0x00940000)
libmysqlclient.so.15 => /usr/lib/mysql/libmysqlclient.so.15 (0x00748000)
libz.so.1 => /usr/lib/libz.so.1 (0x00dd7000)
libm.so.6 => /lib/libm.so.6 (0x00d41000)
libdb-4.3.so => /lib/libdb-4.3.so (0x00411000)
libnsl.so.1 => /lib/libnsl.so.1 (0x001a1000)
libresolv.so.2 => /lib/libresolv.so.2 (0x003fc000)
libc.so.6 => /lib/libc.so.6 (0x00bdc000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x001ba000)
libssl.so.6 => /lib/libssl.so.6 (0x00110000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0050a000)
/lib/ld-linux.so.2 (0x00bb9000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00d28000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0064d000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x006b0000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00157000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00688000)
libdl.so.2 => /lib/libdl.so.2 (0x00d22000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0067d000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00df8000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00db2000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00d6a000)
