Using Postfix to Build a Masterful Mail Server

By Gary Sims on Wednesday, June 8th, 2011 in Technical

Every business needs email, but not every business wants an expensive proprietary email server such as Exchange Server. If you prefer a free mail server, consider Postfix, an open source mail transfer agent that speaks SMTP; mailbox access over POP3 or IMAP is the job of a separate server such as Dovecot, covered later in this article. Running Postfix on CentOS, an enterprise-level Linux distribution derived from Red Hat Enterprise Linux, gives you a reliable, proven messaging solution.

Postfix is a feature-rich email server. It offers advantages over alternatives such as Sendmail and Exim in areas like security, features, ease of use, and support.

In security, for example, the Common Vulnerabilities and Exposures (CVE) database listed no vulnerabilities for Postfix in 2009 or 2010, versus three for Sendmail in 2009 and four for Exim in 2010. So far in 2011, however, all three mail servers have had security-related problems: two for Postfix, one for Sendmail, and two for Exim. Counts like these are only a rough guide; whichever MTA you choose, keeping it patched matters more than its historical tally.

In terms of features, Postfix offers:

  • IPv6 support
  • SASL authentication and TLS encryption for SMTP sessions
  • Configurable delivery status notification message text
  • A Sender Policy Framework (SPF) policy plugin for sender verification and spam control
  • Lookup tables in Berkeley DB, LDAP, MySQL, and PostgreSQL
  • Maildir and mbox mailbox formats
  • Virtual domains
  • Masquerading of addresses in outbound SMTP mail
  • Selective address rewriting

Out of the box Postfix works as a standalone server using direct Internet access. You can easily configure the mail server by editing a few simple text files. If you need help, Postfix has a host of resources available at postfix.org, including online documentation, how-tos, FAQs, and mailing lists.

Types of Setup

Before you set up Postfix, you must decide where on your network you want it hosted. You can configure the mail server to work in different ways depending on which side of the firewall it is located.

A Postfix server placed on the Internet has full routing, transmit, and receive capabilities. Users' clients send mail directly to it, it stores the messages, and clients behind the firewall retrieve them over POP3 or IMAP. Mail from one internal user to another also leaves the network to reach the server and comes back in again.

While Internet-facing servers are easy to configure and deploy, they sit outside your firewall, which exposes them directly to attack. You can instead run Postfix as a local server behind the firewall, or as a firewall gateway server that accepts mail from the Internet and forwards it to an internal server. A gateway reduces the risk of a breach but is more complex to configure correctly and requires an internal mail server behind it. Internal local servers offer the best security, but they need an external server or gateway in front of them to receive mail from the Internet.

Setting Up a Standalone Internet Server with TLS

We installed Postfix on an Internet server running CentOS, whose latest version we reviewed last month. Most CentOS deployments run Sendmail by default; remove Sendmail before installing Postfix. To do so, open a terminal window, switch user to root (su -), and run the command yum remove sendmail. Then install Postfix with yum -y install postfix. Both packages provide /usr/sbin/sendmail, so if you would rather keep Sendmail installed, run alternatives --config mta and select Postfix as the active MTA instead.

Before you can start using Postfix you must tweak its configuration file. Edit /etc/postfix/main.cf and find the line for inet_interfaces. Set it to:

inet_interfaces = your IP address, localhost

Use the public IP address of your server (or simply all, the Postfix default, if the machine has a single address; CentOS ships main.cf with inet_interfaces = localhost). This lets Postfix accept connections from external clients, not just from programs running on the server itself. If the server's address ever changes, remember to update this line.

By default the greeting Postfix sends when a client connects (the SMTP banner) identifies the software, and on some builds its version, as Postfix. It is best to give attackers as little information as possible about your server, so trim the banner by finding the line for smtpd_banner in the configuration file and setting it to:

smtpd_banner = $myhostname ESMTP

Keep $myhostname in the banner: SMTP requires the greeting to begin with the server's host name, so drop only the product name. Save the file and exit the editor.

Next, enable Transport Layer Security (TLS) so that Postfix can receive messages over an encrypted connection. SMTP itself sends everything in the clear, including the message body and, once you add SASL, the user's password, so without TLS anyone who can see the traffic can read it. TLS needs a certificate and a private key for the server. You can be your own certificate authority (CA) and sign the certificate yourself, as we do here, or pay a commercial CA to sign it. A self-signed CA encrypts the connection just as well, but clients will not trust the certificate until you import the CA's cacert.pem into them, and other mail servers will treat it as unverified (they still encrypt the session anyway).

Change directory to the TLS directory with the command cd /etc/pki/tls/misc and set up a certificate authority with the command ./CA -newca. Answer the prompts for the distinguished name and the CA key password. The Common Name you enter here names the CA itself, so something like Example Mail CA is fine. The Common Name that matters for TLS is the one in the mail server's certificate request in the next step: it must be the fully qualified domain name that clients connect to, e.g. mail.example.com, and not your own name. A mismatch between that name and the host name the client uses is one of the most common causes of certificate errors.

Change into the CA certificate directory – cd /etc/pki/tls/certs – and generate a key pair for the mail server:

openssl genrsa -out mailserverkey.pem 2048
openssl req -new -key mailserverkey.pem -out mailserver.csr

Answer the distinguished name questions as before, giving your server's real fully qualified domain name as the Common Name; the challenge password can be left empty. Sign the certificate with openssl ca -in mailserver.csr -out mailservercert.pem. Enter the CA password you chose above and confirm that the certificate should be signed and committed. Note that openssl genrsa writes the key file with your current umask, so until you restrict it in the next step the key in /etc/pki/tls/certs may be readable by every local user.

Next, create the public key infrastructure (PKI) directory for the mail certificates and set the appropriate ownership and permissions:

mkdir /etc/pki/tls/mail
chown root:root /etc/pki/tls/mail
chmod 755 /etc/pki/tls/mail

Copy the certificate and key to the PKI directory and set the appropriate ownership and permissions on the files. Once the copies are in place, delete the original mailserverkey.pem from /etc/pki/tls/certs so that the only copy of the private key is the protected one:

cp mailservercert.pem /etc/pki/tls/mail/
cp mailserverkey.pem /etc/pki/tls/mail/
chown root:root /etc/pki/tls/mail/mailserverkey.pem
chown root:root /etc/pki/tls/mail/mailservercert.pem
chmod 600 /etc/pki/tls/mail/mailserverkey.pem
chmod 644 /etc/pki/tls/mail/mailservercert.pem

To configure Postfix to use these certificates, edit main.cf, go to the end of the file, and add the following lines:

smtpd_tls_CApath = /etc/pki/CA
smtpd_tls_CAfile = /etc/pki/CA/cacert.pem
smtpd_tls_cert_file = /etc/pki/tls/mail/mailservercert.pem
smtpd_tls_key_file = /etc/pki/tls/mail/mailserverkey.pem
smtpd_tls_security_level = may

Setting smtpd_tls_security_level to may tells Postfix to offer STARTTLS when receiving mail but not to require it (opportunistic TLS). That is the right setting for a server that must accept mail from arbitrary Internet hosts, most of which would simply fall back to cleartext or fail if TLS were mandatory. smtpd_tls_CAfile names the CA certificates Postfix trusts; smtpd_tls_CApath expects a directory of hash-named links as created by c_rehash, which /etc/pki/CA is not, so that line is harmless but does nothing and can be omitted. Later, when you add SASL, also set smtpd_tls_auth_only to yes so that Postfix offers AUTH only after the connection has been encrypted.

To enable the changes, first run postfix check to catch typos in main.cf, then restart Postfix with the command service postfix restart.

To see if you got the TLS configuration right, use an email client with TLS enabled to send a test message. The way you enable TLS differs between clients, but in general look in the account settings for the section that defines the outgoing SMTP server and make sure it is set to use a secure connection with STARTTLS. Because the certificate was signed by your own CA, the client will warn about an untrusted certificate until you import /etc/pki/CA/cacert.pem into its trust store; do not simply disable verification, since a client that accepts any certificate will also accept an impostor's.

You can troubleshoot the configuration in a couple of ways. Postfix logs its actions to /var/log/maillog; during setup and testing, keep a terminal window open on the log with the command tail -f /var/log/maillog. If you set smtpd_tls_loglevel to 1 in main.cf, Postfix also logs a one-line summary of each TLS handshake (protocol and cipher), which is the easiest way to confirm that clients are really encrypting. The mailq command shows what is waiting in the mail queue.
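Reading maillog by eye works for one test message but not for a day's traffic. The following Python script is an added example, not code from the article or from the Postfix project: it walks maillog lines and reports which SMTP sessions actually negotiated TLS (that line appears only when smtpd_tls_loglevel is 1 or higher), which clients were refused relaying, and, once the SASL section below is in place, which clients are repeatedly failing authentication. The log lines embedded in it are constructed to match the Postfix 2.x smtpd formats rather than captured from a live server, and the addresses come from documentation ranges.

```python
"""Summarize /var/log/maillog for a Postfix smtpd: TLS vs cleartext sessions,
clients refused relaying, and clients failing SASL authentication.

Added example, not code from the article or the Postfix project. The regexes
match the Postfix 2.x smtpd log formats; SAMPLE_LOG is constructed for the
demonstration, not captured from a real server.
"""
import re
import sys
from collections import Counter

ADDR = r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]"           # hostname[address] as Postfix logs it
SMTPD = r"postfix/smtpd\[(?P<pid>\d+)\]: "
CONNECT_RE = re.compile(SMTPD + r"connect from " + ADDR)
DISCONNECT_RE = re.compile(SMTPD + r"disconnect from " + ADDR)
# Logged only when smtpd_tls_loglevel >= 1.
TLS_RE = re.compile(SMTPD + r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
                    r"established from " + ADDR + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)")
SASL_FAIL_RE = re.compile(SMTPD + r"warning: " + ADDR + r": SASL (?P<mech>\w+) authentication failed")
RELAY_RE = re.compile(SMTPD + r"NOQUEUE: reject: RCPT from " + ADDR +
                      r": 554 5\.7\.1 .*Relay access denied")

# Constructed sample: one TLS session, one open-relay probe, one password-guessing client.
SAMPLE_LOG = """\
Jun  8 10:15:01 mail postfix/smtpd[4321]: connect from unknown[203.0.113.5]
Jun  8 10:15:02 mail postfix/smtpd[4321]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  8 10:15:03 mail postfix/smtpd[4321]: disconnect from unknown[203.0.113.5]
Jun  8 10:16:10 mail postfix/smtpd[4322]: connect from unknown[198.51.100.9]
Jun  8 10:16:11 mail postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<probe>
Jun  8 10:16:12 mail postfix/smtpd[4322]: disconnect from unknown[198.51.100.9]
Jun  8 10:17:00 mail postfix/smtpd[4323]: connect from unknown[192.0.2.77]
Jun  8 10:17:01 mail postfix/smtpd[4323]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
Jun  8 10:17:02 mail postfix/smtpd[4323]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
Jun  8 10:17:03 mail postfix/smtpd[4323]: warning: unknown[192.0.2.77]: SASL PLAIN authentication failed: authentication failure
Jun  8 10:17:04 mail postfix/smtpd[4323]: disconnect from unknown[192.0.2.77]
"""


def triage(lines, brute_force_threshold=3):
    """Walk the log once and return a summary dict.

    A session is tracked by smtpd process id from 'connect from' to
    'disconnect from', so it counts as TLS only if the handshake line was
    logged by that same process.
    """
    open_sessions = {}                       # pid -> {"ip": str, "tls": bool}
    tls, cleartext = Counter(), Counter()    # ip -> session counts
    ciphers = Counter()                      # "protocol cipher" -> count
    sasl_failures = Counter()                # ip -> failed AUTH attempts
    relay_denied = Counter()                 # ip -> rejected relay attempts

    for line in lines:
        if m := CONNECT_RE.search(line):
            open_sessions[m["pid"]] = {"ip": m["ip"], "tls": False}
        elif m := TLS_RE.search(line):
            ciphers[f"{m['proto']} {m['cipher']}"] += 1
            if m["pid"] in open_sessions:
                open_sessions[m["pid"]]["tls"] = True
        elif m := SASL_FAIL_RE.search(line):
            sasl_failures[m["ip"]] += 1
        elif m := RELAY_RE.search(line):
            relay_denied[m["ip"]] += 1
        elif m := DISCONNECT_RE.search(line):
            sess = open_sessions.pop(m["pid"], None)
            if sess is not None:
                (tls if sess["tls"] else cleartext)[sess["ip"]] += 1

    return {
        "tls_sessions": dict(tls),
        "cleartext_sessions": dict(cleartext),
        "ciphers": dict(ciphers),
        "sasl_failures": dict(sasl_failures),
        "relay_denied": dict(relay_denied),
        # Repeated AUTH failures from one address look like password guessing.
        "brute_force_suspects": sorted(
            ip for ip, n in sasl_failures.items() if n >= brute_force_threshold),
    }


def report(summary):
    """Render the summary as the lines you would want in a daily check."""
    out = []
    for ip, n in sorted(summary["cleartext_sessions"].items()):
        out.append(f"cleartext: {ip} had {n} session(s) without STARTTLS")
    for ip, n in sorted(summary["tls_sessions"].items()):
        out.append(f"tls: {ip} had {n} encrypted session(s)")
    for name, n in sorted(summary["ciphers"].items()):
        out.append(f"cipher: {name} x{n}")
    for ip, n in sorted(summary["relay_denied"].items()):
        out.append(f"relay: {ip} was refused relaying {n} time(s)")
    for ip in summary["brute_force_suspects"]:
        out.append(f"auth: {ip} failed SASL {summary['sasl_failures'][ip]} times (password guessing?)")
    return out


if __name__ == "__main__":
    # Usage: python maillog_triage.py /var/log/maillog   (no argument: the sample log)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            summary = triage(fh)
    else:
        summary = triage(SAMPLE_LOG.splitlines())
    print("\n".join(report(summary)))
```

Run it against the real log after a few test messages: a client that you configured for STARTTLS but that still shows up under "cleartext" has silently fallen back, which is exactly the case the may setting permits and the reason to also check the log rather than trusting the client's settings dialog.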

Dovecot POP3 and IMAP Server

Postfix handles the delivery of messages to the mailbox, but users need a way to get at them. For that, use Dovecot, a POP3 and IMAP4 server.

Make sure Dovecot is installed and set to start on boot up:

yum -y install dovecot
chkconfig --levels 235 dovecot on

For security, as with Postfix, it is best to change the greeting message. Edit /etc/dovecot.conf and find the line for login_greeting. Set it to:

login_greeting = Ready.

Next, limit the available protocols to those that run over a secure connection, so that plain IMAP and POP3 are never offered. Find the line for protocols. If it is commented out, remove the # sign and set it to:

protocols = imaps pop3s

To configure Dovecot to use the certificate and key created for Postfix, find the lines in dovecot.conf for ssl_cert_file, ssl_key_file, and ssl_ca_file and set them as follows. These are the Dovecot 1.x names used by CentOS at the time of writing; Dovecot 2.x renamed them ssl_cert and ssl_key and expects a < before the path. ssl_ca_file only matters if you want Dovecot to verify client certificates, so it may be left out:

ssl_cert_file = /etc/pki/tls/mail/mailservercert.pem
ssl_key_file = /etc/pki/tls/mail/mailserverkey.pem
ssl_ca_file = /etc/pki/CA/cacert.pem

Start Dovecot with service dovecot start, then use an email client with SSL/TLS enabled for POP3 or IMAP to connect to the server. The way you enable this differs between clients; look in the account settings for the incoming server definition and make sure it uses a secure connection on port 995 (POP3S) or 993 (IMAPS). As with SMTP, expect a certificate warning until the client trusts your CA's cacert.pem.

Postfix, SASL, and Dovecot

You should also implement the Simple Authentication and Security Layer (SASL), the mechanism by which SMTP clients authenticate so that Postfix will relay their mail to other servers. Postfix does not check passwords itself; it hands authentication to either Cyrus SASL or Dovecot's authentication service, and since Dovecot is already installed we use it here. Setting up SASL therefore involves two steps: first, configure Dovecot's authentication mechanisms and socket, and second, configure Postfix to use them.

Edit /etc/dovecot.conf and find the start of the authentication section: auth default {. Within that section find the mechanisms line and replace it with:

mechanisms = plain login

Still within the authentication section, find the line socket listen {. It is commented out with a # at the start of the line. Above it insert:

socket listen {
    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
}

To configure Postfix to use SASL, edit main.cf, go to the end of the file, and add the following lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination

The smtpd_recipient_restrictions line is evaluated left to right: permit_sasl_authenticated lets authenticated clients relay anywhere, and reject_unauth_destination then rejects everything else unless this server is the final destination for the recipient. The order matters, and reject_unauth_destination (or an equivalent) is mandatory: without it the server would be an open relay, and Postfix refuses to start rather than run with such a restriction list. Because PLAIN and LOGIN transmit the password base64-encoded, not encrypted, you should also set smtpd_tls_auth_only to yes so that Postfix advertises AUTH only after STARTTLS; otherwise a client that forgets to enable TLS will send the password in the clear.

Finally, restart Dovecot and Postfix:

service dovecot restart
service postfix restart

To test the SASL configuration, use an email client with SMTP authentication enabled to send a test message. As with TLS, the setting lives in a different place in each client, but in general look in the account settings for the outgoing SMTP server, turn on server authentication, and choose either PLAIN or LOGIN, leaving STARTTLS enabled so that the credentials are encrypted. A successful login shows up in /var/log/maillog on the message's client= line as sasl_method=PLAIN or sasl_method=LOGIN together with the sasl_username.
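To see why the mechanisms line above (plain login) is safe only behind STARTTLS, and to test the submission path without a GUI client, here is an added Python example; it is not code from the article or from Postfix or Dovecot. The first two functions build exactly what a client sends for AUTH PLAIN and AUTH LOGIN, recover_credentials pulls the user name and password back out of the client side of a captured cleartext exchange (the capture embedded here is constructed), and submit_with_starttls sends a test message the way a correctly configured client would, refusing to authenticate unless STARTTLS succeeded. The host name mail.example.com, port 25, and the alice/s3cret credentials are placeholders; pass your CA's cacert.pem as cafile so the self-signed certificate is verified rather than ignored.

```python
"""AUTH PLAIN and AUTH LOGIN on the wire, and a submission test that only
authenticates after STARTTLS.

Added example, not code from the article, Postfix or Dovecot. Host name,
port and credentials are placeholders; the captured exchange is constructed.
"""
import base64
import smtplib
import ssl


def auth_plain_initial_response(username, password, authzid=""):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password), sent on the AUTH line."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_login_responses(username, password):
    """LOGIN: the client answers two server challenges with base64 of user and password."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def recover_credentials(client_lines):
    """Pull the user name and password out of the client half of an AUTH exchange.

    This is all an eavesdropper needs if AUTH is accepted before STARTTLS:
    base64 is an encoding, not encryption. Returns None if no AUTH was seen.
    """
    lines = [line.strip() for line in client_lines]
    for i, line in enumerate(lines):
        words = line.split()
        if len(words) == 3 and words[0].upper() == "AUTH" and words[1].upper() == "PLAIN":
            fields = base64.b64decode(words[2]).decode("utf-8").split("\0")
            if len(fields) == 3:
                return {"mechanism": "PLAIN", "username": fields[1], "password": fields[2]}
        if (len(words) == 2 and words[0].upper() == "AUTH" and words[1].upper() == "LOGIN"
                and i + 2 < len(lines)):
            return {"mechanism": "LOGIN",
                    "username": base64.b64decode(lines[i + 1]).decode("utf-8"),
                    "password": base64.b64decode(lines[i + 2]).decode("utf-8")}
    return None


# Constructed capture of a client that authenticated on port 25 without STARTTLS.
CAPTURED_CLIENT_LINES = [
    "EHLO laptop.example.net",
    "AUTH LOGIN",
    "YWxpY2U=",      # base64("alice")
    "czNjcmV0",      # base64("s3cret")
    "MAIL FROM:<alice@example.com>",
]


def submit_with_starttls(host, port, username, password, mail_from, rcpt_to, message,
                         cafile=None):
    """Send one test message, authenticating only over an encrypted connection.

    cafile should point at the CA certificate that signed the server's
    certificate (cacert.pem in this article); leaving verification on is what
    makes the TLS session worth anything.
    """
    context = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; refusing to send the password")
        smtp.starttls(context=context)
        smtp.ehlo()   # capabilities must be re-read after the handshake
        if not smtp.has_extn("auth"):
            raise RuntimeError("server does not offer AUTH after STARTTLS")
        smtp.login(username, password)   # smtplib picks PLAIN or LOGIN from the EHLO reply
        return smtp.sendmail(mail_from, [rcpt_to], message)


if __name__ == "__main__":
    print("AUTH PLAIN", auth_plain_initial_response("alice", "s3cret"))
    print("AUTH LOGIN replies", auth_login_responses("alice", "s3cret"))
    print("recovered from capture:", recover_credentials(CAPTURED_CLIENT_LINES))
    # Against a real server configured as in this article (placeholder values):
    # submit_with_starttls("mail.example.com", 25, "alice", "s3cret",
    #                      "alice@example.com", "alice@example.com",
    #                      "Subject: test\r\n\r\nhello\r\n", cafile="cacert.pem")
```

The two RuntimeError branches are the point of the client function: with smtpd_tls_auth_only set to yes on the server, the second one is what a client sees if it tries to authenticate before STARTTLS, and a client that raises rather than falling back to cleartext is the only kind you should let carry real passwords.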


Gary Sims

Gary Sims has been a technical writer and author since 2003. He is an expert in system administration, networking protocols, and several programming languages, and previously served as a software engineer for 10 years. He has a Bachelor of Science in business information systems from a UK university.

5 Responses to “Using Postfix to Build a Masterful Mail Server”

  1. GoremanX says:

    It’s also worth pointing out that postfix is very easy to setup for both virus scanning and DKIM support (via opendkim), thereby reducing the likelihood of spreading malware through your server and ensuring maximum deliverability to all email services while helping to reduce spam levels. I’ve found both those features indispensable.

  2. Marc says:

    Please, in the phrase:

    “an open source email server that supports POP3, IMAP, and SMTP”

    remove IMAP/POP3 support… there is no such thing, Postfix only supports SMTP and will *deliver* using maildir or mailbox, but it does *NOT* support IMAP/POP3 as such.

  3. chingson says:

    There are many more issues with a mail server:
    1. Quota? How does IMAP work when mailboxes are up to 10GB?
    2. How to back up? Dovecot on MYSQL?
    3. SPAM?
    4. Antivirus check?
    5. Many MX Records on DNS?

  4. Julien says:

    Great article, but it needs more. Keep going, talk about setting up shared folders, clamav/amavis/spamassassin, disk quotas (slightly tricky with dovecot actually), mailing lists and so on.


© 2012 OpenLogic, Inc.
