This is a document copied from https://www.tornevalls.se/2019/08/12/the-postfix-maildir-guide/
...
Code Block | ||||
---|---|---|---|---|
| ||||
apt-get -y install spamassassin spamc razor pyzor
# If you run on focal, you will get a problem with the spambayes candidate. So that will run separately (for example for bionic).
# E: Package 'spambayes' has no installation candidate
apt-get -y install spambayes
apt-get -y install libcrypt-ssleay-perl libio-socket-ssl-perl razor libnet-ident-perl libdbi-perl pyzor libmail-dkim-perl
apt-get -y install opendkim opendkim-tools opendmarc |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/bash
# Nothing to do if /var/run/saslauthd is already a symlink.
rl=$(readlink /var/run/saslauthd)
if [ "" != "$rl" ] ; then
    echo "/var/run/saslauthd is symlinked already."
    exit
fi
# Create the socket directory inside the Postfix chroot and give the sasl group access.
mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
# Problems with /var/run/saslauthd that should be fixed. If it exists, remove it for instance...
rmdir /var/run/saslauthd >/dev/null 2>&1
# Then symlink it away.
ln -sv /var/spool/postfix/var/run/saslauthd /var/run >/dev/null 2>&1
# If the symlink could not be created (for example a non-empty directory is in the way),
# move the old directory aside and try again.
if [ "$?" != "0" ] ; then
    echo "Obviously something is wrong here."
    theDate=$(date +'%Y%m%d%H%M')
    mv -v /var/run/saslauthd "/var/run/saslauthd-${theDate}"
    ln -sv /var/spool/postfix/var/run/saslauthd /var/run
fi
# By the way, if saslauthd is not autostarted, it should really be changed.
sed -i 's/START=no/START=yes/' /etc/default/saslauthd
# Do not forget to restart the daemons.
service postfix restart
service saslauthd restart |
...
Clients that do not support SMTP authentication via imap or pop
This text was written in October 2020 after ripping the hair off my head for a while. What I did not think of during the first round of installation was that there will be non-standard clients that won't do a pop/smtp-auth before entering the SMTP out. For example, Postfix, straight out of the box, where you want to relay from postfix to postfix via an authenticated user. With the solution above, things might happen that you do not want. The error message below, for example, is quite common but very much unanswered in different kinds of forums. Most of the posts relate their problems to dovecot, cyrus and different kinds of solutions that in the end seem to be database driven. This is not bad, it's just a little bit stupid, since you suddenly make your systems rely on yet another point of failure: the database. And the more crap you implement, the harder it will be to find the failing point.
No Format |
---|
warning: SASL authentication failure: unable to canonify user and get auxprops |
...
https://serverfault.com/questions/409828/cant-get-sasl-auxprop-sasldb-working-with-postfix-ubuntu-12-04
https://annvix.com/enabling_sasl_in_postfix
Greylisting
Preventing spam can be very exhausting. One suggested method for stopping spam is greylisting. A longer description of how to set up greylisting for your system is available at the link below.
https://www.howtoforge.com/greylisting_postfix_postgrey
Installing
Install postgrey and start the service:
No Format |
---|
apt install postgrey
service postgrey start |
If you have been following the above instructions, your main.cf probably looks like this:
No Format |
---|
smtpd_recipient_restrictions = permit_mx_backup, permit_auth_destination, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf |
Update this row to:
No Format |
---|
smtpd_recipient_restrictions = permit_mx_backup, permit_auth_destination, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, check_policy_service inet:127.0.0.1:10023 |
Then, reload postfix.
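
Postfix evaluates smtpd_recipient_restrictions left to right and stops at the first restriction that returns PERMIT or REJECT, and permit_auth_destination returns PERMIT for every recipient in a domain the server accepts mail for, so the position of the check_policy_service entries decides whether postgrey is ever consulted. The check below is an added example, not part of the original guide: the function name policy_reachability and the reordered comparison list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: for every check_policy_service in a Postfix restriction list,
# report whether mail from an unauthenticated outside client to one of our own
# domains can still reach it. Postfix evaluates the list left to right and
# stops at the first restriction that returns PERMIT or REJECT.
policy_reachability() (
    set -f                      # no globbing while the list is word-split
    shadowed_by="" prev=""
    # Restrictions are separated by commas and/or whitespace.
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$prev" = "check_policy_service" ]; then
            if [ -n "$shadowed_by" ]; then
                echo "UNREACHABLE $tok (after $shadowed_by)"
            else
                echo "reachable $tok"
            fi
        fi
        case $tok in
            # These return PERMIT for every recipient in a domain this server
            # accepts mail for, so later entries never see that mail.
            permit|permit_auth_destination)
                : "${shadowed_by:=$tok}" ;;
        esac
        prev=$tok
    done
)

# The updated line from this page (value only, as "postconf -h" prints it).
PAGE_LIST='permit_mx_backup, permit_auth_destination, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, check_policy_service inet:127.0.0.1:10023'

# Constructed comparison (an assumption, not from the page): trusted clients
# first, then reject_unauth_destination, then the policy services.
REORDERED_LIST='permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf, check_policy_service inet:127.0.0.1:10023'

echo "== list from the page ==";      policy_reachability "$PAGE_LIST"
echo "== reordered (constructed) =="; policy_reachability "$REORDERED_LIST"
# On a live system: policy_reachability "$(postconf -h smtpd_recipient_restrictions)"
```

An entry reported as UNREACHABLE is never asked about inbound mail for local domains, so greylisting has no effect until the list is reordered.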
Are we done?
I'm not entirely sure, actually. I may have missed something. If someone is actually interested in this post and sees that something won't work, it may be caused by the fact that I missed that part. I also have a separate configuration (based on this big one) to make sure that relaying actually works out of the box. If you find anything, feel free to contact me and notify me about it...