Freesbsd - Long version - Step by step with explanations

From Wiki_EAI
Jump to navigation Jump to search


Installing Postfix with SMTPUTF8 enabled, Cyrus SASL and OpenSSL

Summary of the mail server

This guide will install a Mail server that can receive mail with SMTPUTF8 . This prevents the senders email to bounce when the mail server does not support SMTPUTF8.

This includes Imap and POP3 using Courier, the users will be added as local user, with or without SSH login . They have their mail stored in /home/user.

A modified Squirrel-mail is installed to send and receive email?? (NEED TO TEST THIS )

Any email client can be used as your user is not an EAI address.


Using Freebsd 10.2

Notice, requirements and initial setup

  • Make sure you don't have Postfix installed which is lesser than version 3.0
  • If you install any mail compontent after installation, make sure to test your Server if it still return the SMTPUTF8
  • You already setup your DNS settings
  • hostname is the name your domain e.g ( domain.com )
  • mail.hostname is the name of your Mail server e.g (mail.domain.com)
  • A working FreeBSD server with a root account (sudo privileges.)
  • Installation is run as root unless if specified


Update your hostname 

If you are using an international domain, use the punycode equivalent.

For example mail.วีคลาส.ไทย should be punycode equivalent mail.xn--42c0eeo3bp.xn--o3cw4h

vi /etc/hostname

UPDATE YOUR OWN hostname for your Mail server

mail.domain.com


Reboot your server to update your hostname.

After reboot, the following command should show your hostname mail.domain.com

hostname

Install Postfix from source and required libraries (Cyrus SASL, OPENSSL)

Get Postfix version 3.0.1 or later versions to enable SMTPUTF8 extension. You can get a copy in http://www.postfix.org/download.html. In the example below we have downloaded postfix-3.0.1.tar.gz, your version might be different. Currently, installing Postfix by apt-get will install an older version that has no support yet for SMTPUTF8. This may also change in the future.


Install the required libraries using ports with the default options

cd /usr/ports/security/openssl 
make && make install

cd /usr/ports/security/cyrus-sasl2
make && make install

cd /usr/ports/devel/icu
make && make install


Refresh your environment

Create the required users and directory ownership

pw groupadd postfix -g 32 
pw groupmod mail -m postfix
pw groupadd postdrop 
pw useradd postfix -c "Postfix Daemon User" -d /var/spool/postfix -g postfix  -s /bin/false -u 32  
chown -v postfix:postfix /var/mail

Download Postfix 3.x.x or later version and Compile with openssl and sasl auth

tar -xzvf postfix-3.0.1.tar.gz
cd postfix-3.0.1
make CCARGS="-DUSE_TLS -I/usr/include/openssl/   -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl" AUXLIBS="-lssl -lcrypto -lsasl2" makefiles 
make

Install Postfix

sh postfix-install -non-interactive   daemon_directory=/usr/lib/postfix  \
                    manpage_directory=/usr/share/man  \
                    html_directory=/usr/share/doc/postfix-3.0.1/html  \
                    readme_directory=/usr/share/doc/postfix-3.0.1/readme

Edit or update /etc/rc.conf with the following

postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Edit, create or update /etc/periodic.conf

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Stop sendmail and start postfix

service sendmail stop
postfix start

Postfix configuration

Change mail.domain.tld, domain.tld, yourotherdomain.tld(or remove this)

postconf -e 'myhostname  = mail.domain.tld'
postconf -e 'mydomain    = domain.tld'
postconf -e 'myorigin    = $mydomain'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24'
postconf -e 'alias_database = hash:/etc/aliases'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, yourotherdomain.tld'
postconf -e 'smtputf8_enable = yes'
postfix reload


@TODO

Enable Postfix as service and run at startup


Try and Send a Mail using Telnet and send mail to an external server like gmail

Test if you have SMTPUTF8 enabled

Enter the command in the console, this will connect to the SMTP

 telnet localhost 25

This should result to

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 YourHostName ESMTP Postfix


Type the following and press enter

EHLO localhost


If you can see 250 SMTPUTF8 then your server should be able to send and received from an internationalized email addresses

250-YourHostName
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8


If you don't see the 250 SMTPUTF8, try removing Postfix and try again. You may have installed a component that installed an older Postfix.

Enable SMTP Auth

Install saslauthd with default options

cd /usr/ports/security/cyrus-sasl2-saslauthd
make && make install

edit /etc/rc.conf

saslauthd_enable="YES"


create or edit /usr/local/lib/sasl2/smtpd.conf . Only PLAIN mechanism will be used.

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


Update Postfix config

sudo postconf -e 'smtpd_sasl_path = smtpd'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
service saslauthd start
sudo postfix reload


Create a user which we can test for authentication, replace AnyUserName with your own.

sudo useradd -m AnyUserName  -s /usr/sbin/nologin
sudo passwd AnyUserName


Generate your Auth key, replace username with your username and password with your password

perl -MMIME::Base64 -e 'print encode_base64("\000username\000yourpassword")'


Replace dGVzdAB0ZXN0AHRlc3Q= , with the one you generated

	
telnet 	localhost 25
EHLO localhost
AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=

You should get a message Authentication successful.


Known Error: If your base64 encode has two == in the last, it may not be accepted by the terminal. So use a password that won't result a two == in the last part of the string.


Finalize Postfix config to allow only authenticated users to send SMTP

postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_local_domain = $mydomain'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_relay_restrictions =  permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch '
postfix reload

Enable TLS

Create the certificates

cd /etc/postfix

openssl req -new -outform PEM -out smtpd.cert \
   -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
   -days 365 -x509

Answer the following questions as prompted


Update Postfix config

postconf -e 'smtpd_enforce_tls = no'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_key_file  = /etc/postfix/smtpd.key'
postconf -e 'smtpd_tls_cert_file  = /etc/postfix/smtpd.cert'
postfix reload

You can test by telnet to 25 and doing an EHLO, you should see STARTTLS

250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

Issue the command

STARTTLS

and you should see the result

220 2.0.0 Ready to start TLS

Sending and Receiving email to and from the Internet

Sending email by telnet

telnet localhost 25
EHLO localhost

MAIL FROM: <youruser@domain.tld> SMTPUTF8
RCPT FROM: <EAI@IDN.idn>
data
Subject: A Test

This is the body

.

Take not of the dot(.) , this is to end and send the message.


In this point make sure you can send and receive mail.

You can send message using an EAI address and check /var/mail/mail.log, in the log below test@domain.tld is a local receiver

Aug  3 02:48:49 ip-172-31-21-209 postfix/local[21614]: 7EAD343550: to=<test@domain.tld>, relay=local, delay=0.62, delays=0.62/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Aug  3 02:48:49 ip-172-31-21-209 postfix/qmgr[21586]: 7EAD343550: removed

The email stored is stored in /var/mail/

if you cannot receive any email, use an online tool such as mxtoolbox.com to diagnose your problem.

Configuring Courier authlib, Courier imap

This will enable imap and pop3

cd /usr/ports/security/courier-authlib
make && make install
cd  /usr/ports/mail/courier-imap
make && make install

Edit /usr/local/etc/authlib/authdaemonrc and change the authentication method

authmodulelist="authpam"

Add in /etc/rc.conf

courier_authdaemond_enable="YES"
courier_imap_imapd_enable="YES"
courier_imap_imapd_ssl_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_pop3d_ssl_enable="YES"


Configure Postfix to use Maildir as a storage for Mail

postconf -e 'home_mailbox = Maildir/'
service courier-authdaemond start
service courier-imap-imapd
service courier-imap-imapd-ssl
service courier-imap-pop3d
service courier-imap-pop3d-ssl

service courier-imap-imapd start
service courier-imap-imapd-ssl start
service courier-imap-pop3d start
service courier-imap-pop3d-ssl start
postfix reload

Update the Skeleton and create the folder for user we created just before. In this example we used the user test

mkdir -p /usr/share/skel/Maildir/{cur,new,tmp}

mkdir -p /home/test/Maildir/{cur,new,tmp}
chown test:test /home/test/Maildir/{,cur,new,tmp}
chmod 0700 /home/test/Maildir/{,cur,new,tmp}

Test imap, pop3

telnet localhost imap
ok login username password


telnet localhost pop3
User username
Pass password

Install Squirrel-mail

Install Modified Squirrel mail

cd to-your-public-html-filder
wget http://interlab.ait.ac.th/eai-wiki/files/squirrelmail.zip
unzip squirrelmail.zip

edit the configuration file and change the attachchment_dir and data_dir, don't forget to create the folders. Change the ownership to your apache user, and allow a write access as well.

vi squirrelmail/config/config.php

Access squirrelmail

http://your-domain/squirrelmail/

Related Links

Mail server is not sending or receiving email to outside world



Sources

http://postfix.org/