apt-get install postfix
Accept the defaults when the installation process asks questions.
Configuration
dpkg-reconfigure postfix
Insert the following details when asked (replacing server1.example.com with your domain name if you have one):
General type of mail configuration: Internet Site
(NONE no longer appears to be requested by the current configuration dialog.)
System mail name: server1.example.com
Root and postmaster mail recipient: <admin_user_name>
Other destinations for mail: server1.example.com, example.com, localhost.example.com, localhost
Force synchronous updates on mail queue?: No
Local networks: 127.0.0.0/8
(Yes no longer appears to be requested by the current configuration dialog.)
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all
Manual re-configuration
vim /etc/postfix/main.cf
To configure the mailbox format for Maildir:
postconf -e 'home_mailbox = Maildir/'
You may need to issue this as well:
postconf -e 'mailbox_command ='
This will place new mail in /home/username/Maildir, so you will need to configure your Mail Delivery Agent to use the same path.
Configure Postfix to do SMTP AUTH using SASL (saslauthd):
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
Next edit /etc/postfix/sasl/smtpd.conf and add the following lines:
pwcheck_method: saslauthd
mech_list: plain login
Generate certificates to be used for TLS encryption and/or certificate authentication:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 2048 > smtpd.key # 2048-bit key; 1024-bit RSA is too weak for current TLS clients
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
mv smtpd.key /etc/ssl/private/
mv smtpd.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
Configure Postfix to do TLS encryption for both incoming and outgoing mail:
postconf -e 'smtp_tls_security_level = may'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com' # remember to change this to yours
The file /etc/postfix/main.cf should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
#Use these on Postfix 2.2.x only
#smtp_use_tls = yes
#smtpd_use_tls = yes
#For Postfix 2.3 or above use:
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
/etc/init.d/postfix restart
Authentication
The next steps are to configure Postfix to use SASL for SMTP AUTH.
apt-get install libsasl2-2 sasl2-bin libsasl2-modules
We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix, we have to change a couple of paths to live inside the false root (i.e. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
Note: changing the saslauthd path may affect other applications that use saslauthd.
vim /etc/default/saslauthd
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"
# make sure you set the options here, otherwise the PARAMS above are ignored and it will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Note: If you prefer, you can use "shadow" instead of "pam". This will use MD5 hashed password transfer and is perfectly secure. The username and password needed to authenticate will be those of the system users on the server.
Next, we update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:
dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
This may report an error that "--update given" and the directory "/var/spool/postfix/var/run/saslauthd" does not exist. You can ignore this: the directory will be created when you start saslauthd in the next step.
/etc/init.d/saslauthd start
Testing
To see whether SMTP-AUTH and TLS now work properly, run the following command:
telnet localhost 25
After the connection to your Postfix mail server is established, type:
ehlo localhost
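As an added example (not part of the original notes), this Python script does what the telnet session above does by hand: it sends EHLO, reads the capability list, and reports whether STARTTLS is offered and whether AUTH is already advertised on the unencrypted connection, which the smtpd_tls_auth_only = no setting above permits. The sample EHLO reply is constructed; probe() assumes the server from this guide on localhost:25 with its self-signed smtpd.crt.

```python
"""Check what a Postfix smtpd advertises before and after STARTTLS."""
import smtplib
import ssl

# Constructed EHLO reply body modelled on the main.cf above: STARTTLS is offered, and
# because smtpd_tls_auth_only = no, AUTH is already offered on the cleartext connection
# (the AUTH= line is the broken_sasl_auth_clients = yes variant).
SAMPLE_EHLO_PLAIN = ("server1.example.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n"
                     "AUTH PLAIN LOGIN\nAUTH=PLAIN LOGIN\n8BITMIME\nDSN\n")


def parse_ehlo(body):
    """Turn an EHLO reply body (first line is the greeting) into {KEYWORD: [params]}."""
    caps = {}
    for line in body.splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        key, _, rest = parts[0].partition("=")       # handles 'AUTH=PLAIN LOGIN'
        params = ([rest] if rest else []) + parts[1:]
        caps.setdefault(key.upper(), []).extend(params)
    return caps


def assess(plain_caps, tls_caps=None):
    """Is STARTTLS offered, and is AUTH accepted before encryption (cleartext credentials)?"""
    findings = {
        "starttls": "STARTTLS" in plain_caps,
        "auth_before_tls": "AUTH" in plain_caps,
        "plain_mechs": sorted(set(plain_caps.get("AUTH", []))),
    }
    if tls_caps is not None:
        findings["auth_after_tls"] = "AUTH" in tls_caps
        findings["tls_mechs"] = sorted(set(tls_caps.get("AUTH", [])))
    return findings


def probe(host="localhost", port=25):
    """Live check: EHLO, STARTTLS, EHLO again, then assess() the two replies."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, body = smtp.ehlo("localhost")
        plain = parse_ehlo(body.decode())
        tls = None
        if "STARTTLS" in plain:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False      # smtpd.crt generated above is self-signed
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            _, body = smtp.ehlo("localhost")
            tls = parse_ehlo(body.decode())
    return assess(plain, tls)
```

With the configuration above, probe() reports auth_before_tls as True; after setting smtpd_tls_auth_only = yes it should report False while auth_after_tls stays True.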
Remove Postfix from chroot
vim /etc/postfix/master.cf
change
smtp inet n - - - - smtpd
to
smtp inet n - n - - smtpd
/etc/init.d/postfix restart
Returning saslauthd to Its Default Configuration
If you don't want to run Postfix in a chroot, or you want to disable the chroot for troubleshooting, you will probably also want to return saslauthd to its default configuration.
The first step is to edit /etc/default/saslauthd and comment out the lines we added above:
#PWDIR="/var/spool/postfix/var/run/saslauthd"
#PARAMS="-m ${PWDIR}"
#PIDFILE="${PWDIR}/saslauthd.pid"
Then return the saslauthd dpkg "state" to its default location:
dpkg-statoverride --force --update --add root sasl 755 /var/run/saslauthd
/etc/init.d/saslauthd restart
Using Port 587 for Secure Submission
If you want to use port 587 as the submission port for SMTP mail rather than 25 (many ISPs block port 25):
vim /etc/postfix/master.cf
uncomment
submission inet n - n - - smtpd
Sunday, July 20, 2014
Squid
apt-get install squid
vim /etc/squid/squid.conf
visible_hostname 192.168.1.100
http_port 3128
acl MyNetwork 192.168.1.0/255.255.255.0
http_access allow MyNetwork
auth_param basic program /usr/local/squid/libexec/squid_db_auth --user someuser --password xxxx --plaintext --persist
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
acl db-auth proxy_auth REQUIRED
http_access allow db-auth
http_access allow localhost
http_access deny all
auth_param basic program /usr/lib/squid3/squid_radius_auth -h 127.0.0.1 -w testing123
auth_param basic children 5
auth_param basic realm Station Oxtrode, Acces Internet...
auth_param basic credentialsttl 2 hours
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl whitelist dstdomain "/etc/squid/sites.whitelist.txt"
acl UsersGroupA proxy_auth "/etc/squid/groupa.txt"
acl SitesGroupA dstdomain "/etc/squid/sites.a.txt"
acl UsersGroupB proxy_auth "/etc/squid/groupb.txt"
acl SitesGroupB dstdomain "/etc/squid/sites.b.txt"
or
http_access allow http port_80 whitelist
http_access allow http port_80 SitesGroupA UsersGroupA
http_access allow http port_80 SitesGroupB UsersGroupB
# catch-all rule
http_access deny authenticated_users
vim /etc/squid/groupa.txt
user1
user2
user3
vim /etc/squid/groupb.txt
user1
user4
user5
vim /etc/squid/sites.a.txt
.foo.example.com
.bar.example.com
vim /etc/squid/sites.b.txt
.foo.example.com
.gazonk.example.com
sudo /etc/init.d/squid restart
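Added example, not from the original notes: a small Python model of how Squid evaluates the http_access lines above against the group and site files, useful for checking who can reach what before restarting the proxy. It assumes authenticated_users is defined as `acl authenticated_users proxy_auth REQUIRED`, leaves out the http and port_80 ACLs (treated as always matching), and uses a constructed sites.whitelist.txt.

```python
"""Model how Squid evaluates the http_access lines above: first matching line wins,
every ACL on a line must match, and a proxy_auth ACL reached without credentials yields a 407."""

# Constructed copies of the list files shown above.
USER_LISTS = {
    "UsersGroupA": {"user1", "user2", "user3"},                   # groupa.txt
    "UsersGroupB": {"user1", "user4", "user5"},                   # groupb.txt
}
SITE_LISTS = {
    "whitelist": {".example.org"},                                # assumed sites.whitelist.txt
    "SitesGroupA": {".foo.example.com", ".bar.example.com"},      # sites.a.txt
    "SitesGroupB": {".foo.example.com", ".gazonk.example.com"},   # sites.b.txt
}
# 'authenticated_users' is assumed to be 'acl authenticated_users proxy_auth REQUIRED'.
HTTP_ACCESS = [
    ("allow", ["whitelist"]),
    ("allow", ["SitesGroupA", "UsersGroupA"]),
    ("allow", ["SitesGroupB", "UsersGroupB"]),
    ("deny", ["authenticated_users"]),
]

def dstdomain_match(host, patterns):
    """Squid dstdomain: a leading dot matches the domain itself and every subdomain."""
    host = host.lower().rstrip(".")
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in (q.lower() for q in patterns))

def acl_match(name, user, host):
    """True/False, or 'auth_required' when a proxy_auth ACL is reached without credentials."""
    if name in USER_LISTS or name == "authenticated_users":
        if user is None:
            return "auth_required"
        return name == "authenticated_users" or user in USER_LISTS[name]
    return dstdomain_match(host, SITE_LISTS[name])

def decide(user, host):
    """Return 'allow', 'deny' or 'auth_required' for one request. If no line matches,
    Squid applies the opposite of the last http_access line's action."""
    for action, acls in HTTP_ACCESS:
        for acl in acls:                  # ACLs on one line are ANDed, left to right
            result = acl_match(acl, user, host)
            if result == "auth_required":
                return result
            if not result:
                break                     # this line does not match; try the next one
        else:
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

Note that user1, being in both group files, reaches both site lists, while an anonymous request to anything outside the whitelist is challenged for credentials by the final deny line.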
apt-get install ncsa_auth
touch /etc/squid/users
vim /etc/squid/users
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users
auth_param basic children 5
auth_param basic realm Mon proxy
auth_param basic credentialsttl 2 hours
acl Users proxy_auth REQUIRED
http_access allow MyNetwork Users
htpasswd -b /etc/squid/users <username> <secretPassw>
CREATE TABLE `passwd` (
`user` varchar(32) NOT NULL default '',
`password` varchar(35) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
`fullname` varchar(60) default NULL,
`comment` varchar(60) default NULL,
PRIMARY KEY (`user`)
);
vim /etc/ldap.conf
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b ou=Users,dc=orcade -f "(&(uid=%s)(description=internet))" ldap://10.0.0.21
auth_param basic children 5
auth_param basic realm Station Oxtrode, Acces Internet...
auth_param basic credentialsttl 2 hours
/etc/freeradius/clients.conf
/etc/freeradius/users.conf
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
squid -k reconfigure # or sudo squid3 -k reconfigure
vim /etc/squid/squidguard.conf
DansGuardian for graphical configuration with squid
http://urlblacklist.com/?sec=download
http://wiki.squid-cache.org/ConfigExamples
http://wiki.freeradius.org/guide/HOWTO