Postfix Setup

Postfix is by far the MTA of choice for most people who have ever administered a mail server; its ease of use and stability are second to none. You can read more about it at http://www.postfix.org/.


Shut down Sendmail:

# /etc/rc.d/sendmail forcestop


NOTE:

If the above command does not shut down Sendmail, you will have to kill the remaining processes by hand. Either find the PIDs (there are normally two: the listening daemon and the client queue runner) and kill them individually, or run the loop below. Start sh(1) first, because root's login shell on FreeBSD is csh(1) and the loop is Bourne-shell syntax; the bracketed pattern keeps grep from matching its own process.

# sh
# for i in `ps auxwww | grep '[s]endmail' | awk '{print $2}'`; do kill $i; done && exit


Disable Sendmail and start Postfix at boot:

# cat << EOF >> /etc/rc.conf
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
EOF


Create /etc/periodic.conf if it does not already exist and add the following settings. They stop the daily periodic(8) scripts from running and reporting on the Sendmail queues, which no longer exist once Postfix takes over:

# cat << EOF >> /etc/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
EOF


Create and secure the SMTP TLS certificate. The command below writes the private key and the self-signed certificate into one PEM file; when it prompts for the Common Name, enter the server's mail host name (the value you will give myhostname in main.cf), since clients compare it against the name they connected to:

# mkdir -p /usr/local/etc/ssl/postfix
# cd /usr/local/etc/ssl/postfix
# openssl req -new -x509 -nodes -newkey rsa:2048 -out smtpd.pem -keyout smtpd.pem -days 3650
# chmod 640 /usr/local/etc/ssl/postfix/*
# chgrp -R postfix /usr/local/etc/ssl/postfix

-nodes leaves the private key unencrypted so Postfix can load it without a pass phrase, which is why the file must never be world-readable. -newkey rsa:2048 is explicit because older OpenSSL releases default to a 1024-bit key. A self-signed certificate is fine for opportunistic TLS between MTAs, but mail clients on the submission ports will warn about it; for production, install a CA-issued certificate and point smtpd_tls_cert_file and smtpd_tls_CAfile at it instead of at this file.


Edit /usr/local/etc/postfix/main.cf file:

Find the following settings and edit them, or add them where they are missing; "..." marks stretches of the stock file that stay unchanged.

...
soft_bounce = no

# SASL CONFIG
broken_sasl_auth_clients = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_unknown_helo_hostname,
  permit
smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unlisted_sender,
  permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_helo_hostname,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client dnsbl.sorbs.net,
  reject_rhsbl_sender rhsbl.sorbs.net,
  reject_rbl_client db.wpbl.info,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# TLS CONFIG
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /usr/local/etc/ssl/postfix/smtpd.pem
smtpd_tls_CAfile = /usr/local/etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tls_random_source = dev:/dev/urandom

#MySQL Configuration
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 125
virtual_transport = dovecot
virtual_uid_maps = static:125

# Additional for quota support
virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
  $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
  $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
  $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
  $virtual_mailbox_limit_maps

maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d

# Adjusted message size limit.
message_size_limit = 25600000
...
myhostname = host.domain.tld
...
mydomain = domain.tld
...
mydestination = localhost.$mydomain, localhost
...
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
...
relay_recipient_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
...
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
dovecot_destination_recipient_limit = 1
...

NOTE:

reject_invalid_hostname, reject_unknown_hostname and reject_non_fqdn_hostname are the pre-2.3 spellings of reject_invalid_helo_hostname, reject_unknown_helo_hostname and reject_non_fqdn_helo_hostname. Listing both forms only runs the same check twice, so each appears once above.

reject_unknown_helo_hostname rejects every client whose HELO name has no A or MX record, which includes a lot of legitimate but sloppily configured senders. To measure before you enforce, write it as "warn_if_reject reject_unknown_helo_hostname" and watch the log for a while.

On the DNSBL list: zen.spamhaus.org already combines the SBL and XBL (and the CBL feed), so sbl-xbl.spamhaus.org and cbl.abuseat.org add nothing but extra DNS lookups. rhsbl.sorbs.net is a domain list, not an IP list, so it belongs under reject_rhsbl_sender rather than reject_rbl_client. query.bondedsender.org was an accreditation (whitelist) service and must not be used as a reject list, and proxies.blackholes.wirehub.net is no longer operated; both have been dropped. Prune any list you have not verified yourself: an abandoned DNSBL domain can expire and be re-registered with a wildcard record, or deliberately start listing every address to force operators to remove it, and either way this server would then reject all incoming mail.

smtpd_sasl_auth_enable = yes in main.cf turns AUTH on for port 25 as well, and only the submission service in master.cf sets smtpd_tls_auth_only=yes. Unless you also set smtpd_tls_auth_only = yes here, a client can send AUTH PLAIN or LOGIN on port 25 before STARTTLS and expose its password.

smtpd_tls_mandatory_protocols only governs sessions in which TLS is required (smtpd_tls_security_level = encrypt). Port 25 uses opportunistic TLS, which is controlled by smtpd_tls_protocols, so give that parameter the same value if you want SSLv2 and SSLv3 excluded there too.

smtpd_tls_loglevel = 0 logs nothing about TLS; level 1 logs one summary line per handshake (protocol and cipher) without the noise of the higher levels and is worth having when you need to reconstruct what a client negotiated.

virtual_mailbox_limit and virtual_mailbox_limit_maps are only understood by a Postfix built with the VDA quota patch. A stock Postfix ignores them and logs "unused parameter" warnings.
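The points above are easy to get wrong in a long main.cf, so here is an audit script, added for this page and not part of the original guide or of Postfix, that reads a `postconf -n` dump and flags AUTH offered outside TLS, a missing relay guard, redundant Spamhaus zones and an unset smtpd_tls_protocols. The sample dump it ships with is constructed to contain those weaknesses; on a real host run it against `postconf -n` output instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit a `postconf -n` dump for the main.cf
# points above (AUTH only inside TLS, no unauthenticated relaying, DNSBL overlap, protocol
# limits for opportunistic TLS). On the server: postconf -n > /tmp/pc.txt; sh audit.sh /tmp/pc.txt
# The SAMPLE dump below is constructed to contain the weak settings, not taken from a live host.

# pc_value KEY FILE: value of KEY from a `postconf -n` dump (one "key = value" per line)
pc_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# cleartext_auth FILE: true when SASL is on but AUTH is not restricted to TLS sessions
cleartext_auth() {
    [ "$(pc_value smtpd_sasl_auth_enable "$1")" = yes ] &&
    [ "$(pc_value smtpd_tls_auth_only "$1")" != yes ]
}

# relay_guarded FILE: true when smtpd_relay_restrictions or smtpd_recipient_restrictions
# rejects/defers unauthorized destinations before any bare "permit"
relay_guarded() {
    for p in smtpd_relay_restrictions smtpd_recipient_restrictions; do
        pc_value "$p" "$1" | tr ', ' '\n\n' | awk '
            /^(reject|defer)_unauth_destination$/ { found = 1; exit }
            /^permit$/ { exit }
            END { exit !found }' && return 0
    done
    return 1
}

# rbl_clients FILE: DNSBL zones queried with reject_rbl_client, one per line
rbl_clients() {
    pc_value smtpd_recipient_restrictions "$1" | tr ',' '\n' |
        awk '$1 == "reject_rbl_client" { print $2 }'
}

# rbl_redundant FILE: true when zen.spamhaus.org is listed next to a zone it already contains
rbl_redundant() {
    rbl_clients "$1" | grep -qx 'zen\.spamhaus\.org' &&
    rbl_clients "$1" | grep -qxE 'sbl-xbl\.spamhaus\.org|cbl\.abuseat\.org'
}

# tls_protocols_gap FILE: true when only the mandatory-TLS protocol list is set; the
# opportunistic TLS on port 25 is governed by smtpd_tls_protocols instead
tls_protocols_gap() {
    [ -n "$(pc_value smtpd_tls_mandatory_protocols "$1")" ] &&
    [ -z "$(pc_value smtpd_tls_protocols "$1")" ]
}

# audit FILE: one line per finding on stdout; exit status 1 if there were any
audit() {
    n=0
    cleartext_auth "$1"    && { echo "WARN: AUTH offered without TLS; set smtpd_tls_auth_only = yes"; n=$((n + 1)); }
    relay_guarded "$1"     || { echo "FAIL: no reject/defer_unauth_destination before permit: open relay"; n=$((n + 1)); }
    rbl_redundant "$1"     && { echo "INFO: sbl-xbl.spamhaus.org / cbl.abuseat.org are already part of zen"; n=$((n + 1)); }
    tls_protocols_gap "$1" && { echo "WARN: smtpd_tls_protocols unset; SSLv2/3 are only excluded for mandatory TLS"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# --- constructed sample dump (deliberately weak) ---------------------------------------
SAMPLE=${TMPDIR:-/tmp}/postconf_sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
EOF

audit "${1:-$SAMPLE}"; status=$?
```

The script only reads the dump, so it is safe to run on the production host; the relay check in particular is worth keeping in a cron job, since a later edit that drops reject_unauth_destination from the list turns the server into an open relay without any error message.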


Edit the /usr/local/etc/postfix/master.cf file:

Find the following services and edit them, or add the -o lines where they are missing; "..." marks stretches of the stock file that stay unchanged.

...
submission inet n       -       n       -       -       smtpd
...
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
...
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
...
smtps     inet  n       -       n       -       -       smtpd
...
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
...
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
...
(At the end of the file, add)
dovecot unix - n n - - pipe
  flags=DRhu user=vscan:vscan argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
...

The three permit_sasl_authenticated,reject overrides make ports 587 and 465 refuse any mail that is not SASL-authenticated, including mail from hosts in mynetworks. On submission, smtpd_tls_auth_only=yes withholds AUTH until after STARTTLS, and smtps is TLS from the first byte (wrapper mode), so on neither port can a password travel in the clear; port 25 stays the opportunistic-TLS port for other MTAs. The dovecot transport hands each message to Dovecot's deliver, one recipient per invocation (dovecot_destination_recipient_limit = 1 in main.cf), running as the vscan user, which must therefore be able to write the mailbox directories.
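Once Postfix is running, the behaviour described above can be verified from the outside. The script below is added for this page (it is not part of the original guide or of Postfix) and checks what each listener advertises and whether port 25 relays for unauthenticated clients. Its parsing functions work on saved transcripts, so the constructed ones included here run offline; the live_* functions collect real transcripts with nc(1) and openssl(1), which are assumed to be installed. probe.example, example.net and example.org are placeholder names.

```shell
#!/bin/sh
# Added example, not from the original page: check what each Postfix listener advertises and
# whether it relays for unauthenticated clients. Parsing functions take a saved SMTP transcript;
# the live_* functions capture one with nc(1) or openssl(1). Transcripts below are constructed
# in the shape of Postfix replies, not captured from a real server.

# ehlo_keywords FILE: EHLO keywords (STARTTLS, AUTH, ...) in a saved reply, upper-cased
ehlo_keywords() {
    sed -n 's/^250[- ]\([A-Za-z0-9]*\).*/\1/p' "$1" | tr 'a-z' 'A-Z'
}

# advertises FILE KEYWORD: true when the reply contains KEYWORD
advertises() { ehlo_keywords "$1" | grep -qx "$2"; }

# classify FILE PHASE: PASS/FAIL lines for a reply seen before ("clear") or after ("tls") STARTTLS
classify() {
    case $2 in
    clear)
        if advertises "$1" STARTTLS; then echo "PASS: STARTTLS offered"; else echo "FAIL: no STARTTLS"; fi
        if advertises "$1" AUTH; then
            echo "FAIL: AUTH offered before STARTTLS (set smtpd_tls_auth_only = yes)"
        else
            echo "PASS: no AUTH in the clear"
        fi ;;
    tls)
        if advertises "$1" AUTH; then echo "PASS: AUTH offered inside TLS"; else echo "FAIL: no AUTH after STARTTLS"; fi ;;
    esac
}

# rcpt_code FILE: reply code to RCPT TO in a transcript of EHLO, MAIL FROM, RCPT TO, QUIT,
# i.e. the 4th single-line reply (banner, end of EHLO, MAIL, RCPT). 250 means an open relay.
rcpt_code() { grep '^[0-9][0-9][0-9] ' "$1" | sed -n '4s/ .*//p'; }

# live_ehlo HOST PORT: cleartext EHLO reply (ports 25 and 587)
live_ehlo() {
    { printf 'EHLO probe.example\r\n'; sleep 1; printf 'QUIT\r\n'; } | nc -w 5 "$1" "$2"
}

# live_ehlo_tls HOST PORT [starttls]: EHLO reply inside TLS; pass "starttls" for 25/587,
# omit it for the implicit-TLS smtps port 465
live_ehlo_tls() {
    [ "$3" = starttls ] && opt="-starttls smtp" || opt=""
    { printf 'EHLO probe.example\r\n'; sleep 1; printf 'QUIT\r\n'; } |
        openssl s_client -quiet $opt -connect "$1:$2" 2>/dev/null
}

# live_relay_probe HOST: unauthenticated RCPT to a foreign domain on port 25. Commands are
# spaced out so reject_unauth_pipelining does not fire first and mask the relay decision.
live_relay_probe() {
    { printf 'EHLO probe.example\r\n'; sleep 1
      printf 'MAIL FROM:<probe@example.net>\r\n'; sleep 1
      printf 'RCPT TO:<nobody@example.org>\r\n'; sleep 1
      printf 'QUIT\r\n'; } | nc -w 5 "$1" 25
}

# --- constructed transcripts ----------------------------------------------------------
T=${TMPDIR:-/tmp}/smtp_probe.$$
mkdir -p "$T" && trap 'rm -rf "$T"' EXIT

# Port 25 before STARTTLS with smtpd_sasl_auth_enable = yes and no smtpd_tls_auth_only: AUTH in the clear.
cat > "$T/p25_clear" <<'EOF'
220 host.domain.tld ESMTP Postfix
250-host.domain.tld
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
221 2.0.0 Bye
EOF

# Submission (587) before STARTTLS: smtpd_tls_auth_only=yes withholds AUTH.
cat > "$T/sub_clear" <<'EOF'
220 host.domain.tld ESMTP Postfix
250-host.domain.tld
250-STARTTLS
250 DSN
221 2.0.0 Bye
EOF

# Submission after STARTTLS: AUTH appears, STARTTLS no longer does.
cat > "$T/sub_tls" <<'EOF'
250-host.domain.tld
250-AUTH PLAIN LOGIN
250 DSN
221 2.0.0 Bye
EOF

# Relay probe on port 25 with defer_unauth_destination in place.
cat > "$T/relay" <<'EOF'
220 host.domain.tld ESMTP Postfix
250-host.domain.tld
250 DSN
250 2.1.0 Ok
454 4.7.1 <nobody@example.org>: Relay access denied
221 2.0.0 Bye
EOF

echo "port 25, cleartext:";  classify "$T/p25_clear" clear
echo "port 587, cleartext:"; classify "$T/sub_clear" clear
echo "port 587, after TLS:"; classify "$T/sub_tls" tls
echo "relay probe reply: $(rcpt_code "$T/relay")"
```

Against a live host, feed the live_* output into the same functions, for example `live_ehlo host.domain.tld 25 > /tmp/p25 && classify /tmp/p25 clear`, and `live_relay_probe host.domain.tld > /tmp/relay && rcpt_code /tmp/relay`: anything other than a 4xx or 5xx code there means the server is relaying for strangers.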

Create and edit /usr/local/etc/postfix/mysql_virtual_alias_maps.cf file:

user = postfix
password = postfix_sql_password
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

Create and edit /usr/local/etc/postfix/mysql_virtual_domains_maps.cf file:

user = postfix
password = postfix_sql_password
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'

Create and edit /usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf file:

user = postfix
password = postfix_sql_password
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

Create and edit /usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf file:

user = postfix
password = postfix_sql_password
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'

Create and edit /usr/local/etc/postfix/mysql_relay_domains_maps.cf file:

user = postfix
password = postfix_sql_password
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'

Secure Postfix's MySQL map files. They contain the database password (replace postfix_sql_password above with the one you set for the postfix MySQL user), so only root and the postfix group, which the proxymap daemon runs as, may read them. Postfix applies SQL quoting to the %s it substitutes into these queries, so a lookup key cannot alter the statement; the password, not the query, is what needs protecting.

# chmod 640 /usr/local/etc/postfix/mysql_*
# chgrp postfix /usr/local/etc/postfix/mysql_*
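To confirm the permissions hold (and keep holding after someone edits a map), here is a small check added for this page, not part of the original guide or of Postfix. It lists every mysql_*.cf that is world-readable, group-writable or not owned by the expected group, and wraps the postmap -q lookup you would use to test each map. It is exercised on constructed files in a scratch directory, with the current group standing in for postfix; on the server, call map_perm_problems /usr/local/etc/postfix postfix.

```shell
#!/bin/sh
# Added example, not from the original page: check that the mysql_*.cf files (which hold
# the Postfix database password) are readable only by root and the postfix group, and
# query a map the way Postfix will. The permission check is exercised on constructed
# files in a scratch directory; point it at /usr/local/etc/postfix on a real host.

# map_perm_problems DIR GROUP: one "file: reason" line per mysql_*.cf in DIR that is
# world-readable, group-writable or not owned by GROUP; silent when all is well
map_perm_problems() {
    for f in "$1"/mysql_*.cf; do
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -perm -004)" ] && echo "$f: world-readable"
        [ -n "$(find "$f" -perm -020)" ] && echo "$f: group-writable"
        [ -n "$(find "$f" -group "$2")" ] || echo "$f: group is not $2"
    done
    return 0
}

# map_query ADDRESS MAPFILE: what Postfix gets back for ADDRESS (requires Postfix; an empty
# result means "no such mailbox/alias/domain"). Example:
#   map_query user@domain.tld /usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
map_query() { postmap -q "$1" "mysql:$2"; }

# --- constructed scratch copy -----------------------------------------------------
SCRATCH=${TMPDIR:-/tmp}/postfix_maps.$$
mkdir -p "$SCRATCH" && trap 'rm -rf "$SCRATCH"' EXIT
for m in alias domains mailbox; do
    printf 'user = postfix\npassword = example-secret\nhosts = localhost\ndbname = postfix\n' \
        > "$SCRATCH/mysql_virtual_${m}_maps.cf"
done
chmod 644 "$SCRATCH/mysql_virtual_alias_maps.cf"    # wrong: the password is world-readable
chmod 640 "$SCRATCH/mysql_virtual_domains_maps.cf"  # right: what the chmod above sets
chmod 660 "$SCRATCH/mysql_virtual_mailbox_maps.cf"  # wrong: group members could edit the query
MAPGROUP=$(ls -l "$SCRATCH/mysql_virtual_domains_maps.cf" | awk '{print $4}')  # stands in for "postfix"

map_perm_problems "$SCRATCH" "$MAPGROUP"
```

map_query deliberately drops the proxy: prefix, since a manual postmap -q run as root can open the MySQL map directly; an address that resolves in mysql_virtual_mailbox_maps.cf but not through the proxy means proxy_read_maps in main.cf is incomplete.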


Edit /etc/aliases file:

Uncomment the root alias and change “root” to an address you want system messages (periodic output, cron, security reports) delivered to; otherwise they pile up unread in root's local mailbox:

root:     you@your-domain.tld


Create aliases.db file:

# /usr/bin/newaliases

NOTE:

On FreeBSD, /usr/bin/newaliases is the mailwrapper(8) front end, which runs whatever /etc/mail/mailer.conf maps it to. Make sure mailer.conf points sendmail and send-mail at /usr/local/sbin/sendmail, and mailq and newaliases at /usr/local/bin/mailq and /usr/local/bin/newaliases (as the Postfix port's install message describes), or run /usr/local/bin/newaliases directly. Otherwise Sendmail's newaliases rebuilds /etc/mail/aliases.db while Postfix keeps reading a stale /etc/aliases.db.
