top image
home  /  pages  /  tech tips  /  contact about

How to set up a Postfix relay with SASL, TLS, Postgrey, and ClamAV

Problem

You want a Postfix server that does greylisting using postgrey, scans incoming mail using ClamAV, and that can relay mail when users authenticate with SASL over TLS. You want to fight spam as best as you can, also.

Solution

There are many guides that claim to solve this for you, but none of them were enough to get it to work on Ubuntu 9.10 (Karmic Koala), mostly because I couldn't get saslauthd to work. It seems to be broken out of the box as it tries to use PAM.

Install packages

Install packages:

$ sudo aptitude install postfix sasl2-bin install clamsmtp clamav-freshclam postgrey

Postfix on the server

Here are the salient details from /etc/postfix/main.cf. Note that there are some bonus spam-fighting measures in smtpd_recipient_restrictions.
# TLS setup
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1


[...]

# Optional, if you want this postfix to use TLS when acting as a client
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# SASL setup
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

# Three changes to smtpd_recipient_restrictions:
# - "permit_sasl_authenticated" to relay for SASL-authenticated clients
# - "sleep 5" to slow down spammers; see http://wiki.apache.org/spamassassin/OtherTricks
# - "reject_rbl_client" for spam filtering
# - "check_policy_service ..." for postgrey
smtpd_recipient_restrictions = permit_sasl_authenticated
                               sleep 5
                               permit_mynetworks
                               reject_unauth_destination
                               reject_rbl_client zen.spamhaus.org
                               reject_rbl_client bl.spamcop.net
                               check_policy_service inet:127.0.0.1:10023

# ClamAV setup
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
Then restart postfix:
$ /etc/init.d/postfix restart

Postgrey

Follow the steps in /usr/share/doc/postgrey/README.Debian; see above for the salient details in /etc/postfix/main.cf.

ClamAV

Follow the steps in a guide on debian-administration.org on "Virus filtering with Postfix and ClamAV in 4 steps".

TLS

Following instructions, create the ssl certificate:
$ sudo mkdir -p /etc/postfix/ssl/
$ sudo openssl req -new -x509 -nodes -out /etc/postfix/ssl/smtpd.pem -keyout /etc/postfix/ssl/smtpd.pem -days 3650
And set some smtpd_* variables; see above for the salient details in /etc/postfix/main.cf.

SASL

Debian's packaging of postfix does not play nice with saslauthd for reasons explained in /usr/share/doc/sasl2-bin/README.Debian.gz. Add user postfix to the sasl group, so it can contact the daemon:
$ sudo adduser postfix sasl
Adding user `postfix' to group `sasl' ...
Adding user postfix to group sasl
Done.
Then, stop saslauthd:
$ sudo /etc/init.d/saslauthd stop
You need to modify /etc/default/saslauthd as follows:
START=yes
MECHANISMS="sasldb"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Then restart saslauthd.
$ sudo /etc/init.d/saslauthd restart
Add the SASL user that should be allowed to relay and make up a password, for example "relay-user".
$ sudo saslpasswd2 -c -u `postconf -h myhostname` relay-user
Password:
Again (for verification):
Check that the user is there:
$ sudo sasldblistusers2
relay-user@some.hostname.com: userPassword
Test authentication:
$ sudo testsaslauthd -u relay-user -p password -s smtp -r `postconf -h myhostname` -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."
If it fails, run saslauthd by hand, try testsaslauthd again, and see what the problem is.
$ sudo /etc/init.d/saslauthd stop
$ sudo /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5 -d
saslauthd[10419] :main            : num_procs  : 5
saslauthd[10419] :main            : mech_option: NULL
...
Tell postfix how to to SASL authenticate and create /etc/postfix/sasl/smtpd.conf:
$ sudo mkdir -p /etc/postfix/sasl/
$ sudo bash -c "cat > /etc/postfix/sasl/smtpd.conf"
pwcheck_method: saslauthd
mech_list: plain login
(Hit ctrl-d after copy/pasting those two lines.) For good measure, after all this, restart postfix again.
$ /etc/init.d/postfix restart
and keep an eye on its log files:
$ sudo tail -f /var/log/mail.err /var/log/mail.info /var/log/mail.log

Postfix on the client

On the client, install postfix also. Here are the salient details from the client's /etc/postfix/main.cf:
relayhost = your.smtp-server.com
#smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
Create /etc/postfix/smtp_auth:
your.smtp-server.name relay-user:password
Run postmap on smtp_auth:
$ sudo postmap /etc/postfix/smtp_auth
For good measure, after all this, restart postfix again.
$ /etc/init.d/postfix restart
and keep an eye on its log files:
$ sudo tail -f /var/log/mail.err /var/log/mail.info /var/log/mail.log
URL: http://thomer.com/howtos/postfix_sasl.html
Copyright © 1994-2011 by Thomer M. Gil
Updated: 2009/12/17