In the last article we parted ways after configuring a base FreeBSD system, enabling it with upgrades via cvsup and portsupgrade, and securing it with a simple ipfw2 firewall. The previous article created a solid foundation which this article will build on, covering the configuration of Postfix, amavisd-new, ClamAV, SpamAssassin, MySQL and finally SquirrelMail for web mail. The final setup will have all the bells and whistles of a high end-mail setup: web-mail, anti-virus filtering, spam filtering, and hosting unlimited domains with virtual domains and users stored in MySQL.

Postfix is released under the IBM Public License, and not the GNU Public License

Postfix

The first and most important component is Postfix, a well known mail transfer agent developed by Wietse Venema at IBM and initially known as the “IBM Secure Mailer”. Venema, is a respected software engineer who also developed the popular security tool “S.A.T.A.N” (Security Administrator Tool for Analyzing Networks). Postfix is released under the IBM Public License, and not the GNU Public License; the “IPL” has been approved as an open source license by both the Free Software Foundation (“FSF”) and the Open Source Initiative(“OSI”); however, it has been declared incompatible with the GPL. Initially Postfix was created in reaction to a long list of security vulnerabilities in Sendmail, the then dominant “MTA”. The direct result of the “security first” mind, Postfix has a well earned reputation for being easy to setup, fast and secure.

Postfix has two central configuration files:

• main.cf: which configures the “properties” of the mail server such as where user and domain information is stored, or which domains to accept mail for.
• master.cf: which configures the “behavior” of the Postfix daemon, such as configuring interfaces to non Postfix programs, and other configuration settings for the Postfix daemon itself.

FreeBSD places the configuration files of packages installed from ports under /usr/local/etc; so normally you’ll find the Postfix configuration files under /usr/local/etc/postfix. First of all, you should install Postfix from the ports tree, in the same way that MySQL was installed in the first article.

Installing Postfix using ports

 
cd /usr/ports/mail/postfix

make install && make clean

You will then be presented with a dialog box: select TLS and MYSQL.

Postfix configuration dialog

Note that when MySQL functionality is selected, the default action is to install the MySQL 4.1 client library. If you plan on running a newer version of MySQL, such as 5.0, simply cancel the Postfix installation, install the MySQL client library of your choice, and then re-run the installation.

Example:

 
cd /usr/ports/databases/mysql50-client
make install && make clean

During the installation of the client libraries you may be prompted for options to the gettext package. It’s not necessary to select any of the options, but feel free to do so if you wish.

After Postfix is built, you will be prompted asking if you want to activate it in the mailer.conf file: say “yes”:

 
[Prompt] Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y

Configuring Postfix—main.cf

Now that Postfix is installed, it’s time to dive into the most important of the two configuration files, main.cf. In this one file there are essentially two sets of directives: one for the domains the server will be hosting, which being with the virtual prefix; and one for the mail server itself, with lines that begin with my as in myhostname. I’ll be giving in line commentary, so read the configuration file closely.

 

# These virtual_* directives configure the domains, users, 
# and aliases this Postfix instance will handle.
# Use proxy: for performance
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailboxes_maps.cf

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
  $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
  $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
  $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
  $virtual_mailbox_limit_maps

# Where to store the mail
virtual_mailbox_base = /usr/local/virtual

# Ownership of the mail directory
virtual_uid_maps = static:125
virtual_gid_maps = static:125


smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

# Secure SMTP-AUTH 
smtpd_use_tls = yes
smtpd_tls_enforce_tls = yes

# Uncomment the following line if you only want auth to happen over tsl
# smtpd_tls_auth_only = yes

# This setups the ssl certificates which I'll configure a little later
smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.crt
smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.key

# Mostly for MS outlook clients
broken_sasl_auth_clients = yes

# Built in restrictions
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname,
  reject_rbl_client opm.blitzed.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl-xbl.spamhaus.org


# Enables virtual hosting
virtual_transport = virtual

# Filter with amavis-new which uses clam-av for
content_filter=smtp-amavis:[127.0.0.1]:10024