3. Configure SASL Authentication and Postfix
SASL Auth Daemon
Add to /etc/rc.conf
saslauthd_enable="YES"
saslauthd_flags="-a getpwent"
(Finding this getpwent flag caused me enormous grief! Postfix, if you selected SASL2, should automatically install cyrus-sasl2 and sasl2authd. If not, you can manually install them from ports.)
Now we need to create an smtpd.conf for sasl to use
nano /usr/local/lib/sasl2/smtpd.conf
(add these lines)
pwcheck_method: saslauthd
mechlist: plain login
Postfix Config File
nano /usr/local/etc/postfix/main.cf
myhostname = mail.example.com
(whatever is your hostname... make sure it resolves to your IP)
mydomain = example.com
mydestination = $mydomain, $myhostname
mynetworks = 127.0.0.1
alias_maps = hash:/etc/mail/aliases
home_mailbox = Maildir/
# smtp settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# content filter - clamsmtpd and clamav hook
# Refer http://memberwebs.com/nielsen/software/clamsmtp/postfix.html
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
(The others can be default. The TLS commands need to be hooked via -o parameters in master.cf)
4. Now create an smtp gateway via postfix's wonderfully flexible master.cf file
nano /usr/local/etc/postfix/master.cf
Add these lines to the end of the file.
IMPORTANT gotchas:
1. There should be a <TAB> before the -o parameter in every line.
2. There should be no space before or after the = sign in the -o arguments.
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
	-o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
	-o content_filter=
	-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
	-o smtpd_helo_restrictions=
	-o smtpd_client_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks_style=host
	-o smtpd_authorized_xforward_hosts=127.0.0.0/8
	-o smtp_use_tls=yes
	-o smtpd_use_tls=yes
	-o smtp_tls_note_starttls_offer=yes
	-o smtpd_tls_key_file=/etc/ssl/private/example.com.key
	-o smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
	-o smtpd_tls_loglevel=1
	-o smtpd_tls_received_header=yes
	-o smtpd_tls_session_cache_timeout=3600s
	-o tls_random_source=/dev/urandom
save and exit nano
The 2 files .key and .crt will be created later using dovecot's mkcert.sh, so please bear with me till then! Again, my thanks to Ken Hathaway for pointing out this hole.
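The two master.cf gotchas listed above can be checked mechanically before Postfix is reloaded. The shell function below is an added example, not part of the original guide; the name lint_master_cf and the sample file contents are constructed for illustration. Postfix treats any leading whitespace as a continuation, so the check accepts a space as well as a TAB.

```sh
#!/bin/sh
# lint_master_cf FILE
# Reports -o override lines in a Postfix master.cf that break either gotcha:
#   1. the -o line is not indented, so it no longer continues the service entry
#   2. there is whitespace next to "=", which splits the override in two
# Prints "FILE:LINE: message" per problem; returns 1 if any were found.
lint_master_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^-o([ \t]|$)/ {
            printf "%s:%d: -o in column 1, needs leading whitespace\n", FILENAME, FNR
            bad = 1
        }
        /(^|[ \t])-o[ \t]/ {
            # "name =" or "name= value"; an empty value ("content_filter=")
            # followed by end of line or another -o is valid and not flagged.
            if ($0 ~ /-o[ \t]+[A-Za-z0-9_]+[ \t]+=/ ||
                $0 ~ /-o[ \t]+[A-Za-z0-9_]+=[ \t]+[^- \t]/) {
                printf "%s:%d: whitespace around = in -o argument\n", FILENAME, FNR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, not the guide's file: lines 2 and 3 are wrong on purpose.
sample=$(mktemp)
printf 'scan unix - - n - 16 smtp\n-o smtp_send_xforward_command=yes\n\t-o mynetworks_style = host\n\t-o content_filter=\n' > "$sample"
lint_master_cf "$sample" || echo "master.cf needs fixing before a reload"
rm -f "$sample"
```

Point it at the real file with `lint_master_cf /usr/local/etc/postfix/master.cf`; no output and exit status 0 means both gotchas are satisfied.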