Debian Postfix-TLS Courier IMAP Howto

From Benny's Wiki


What is this

This is a howto that came out of converting Postfix mailboxes to Maildirs. Since I no longer know what the config files originally looked like, I have simply put the most important ones here as copies. If it does not work right away, check your configuration and above all the logs. The programs used here can all be switched to debug, so that you may get important information about why something does not work. Since I only rarely bother with other distributions, I can only say that it worked for me on 2 Debian machines ;-).

For questions you can reach me by mail: ansgar_(at)_bennyshome_(dot)_de

Have a lot of fun!

apt-get install

Install these packages:

apt-get install postfix postfix-tls ca-certificates courier-authdaemon courier-base courier-imap courier-imap-ssl courier-ssl libfam0c102 openssl libasn1-6-heimdal libdb4.1 libgsasl7 libgssapi1-heimdal libkrb-1-kerberos4kth libkrb5-17-heimdal libroken16-kerberos4kth libsasl2-modules sasl2-bin

postfix        2.1.5-6        A high-performance mail transport agent
postfix-tls    2.1.5-6        TLS and SASL support for Postfix
---
courier-authdaemon 0.47-4         Courier Mail Server - Authentication daemon
courier-base       0.47-4         Courier Mail Server - Base system
courier-imap       3.0.8-4        Courier Mail Server - IMAP server
courier-imap-ssl   3.0.8-4        Courier Mail Server - IMAP over SSL
courier-ssl        0.47-4         Courier Mail Server - SSL/TLS Support
---
libsasl-modules-plain  1.5.28-6.4     Basic Pluggable Authentication Modules for S
libsasl2         2.1.19-1.5     Authentication abstraction library
libsasl2-modules 2.1.19-1.5     Pluggable Authentication Modules for SASL
libsasl7         1.5.28-6.4     Authentication abstraction library
sasl-bin         1.5.28-6.4     Programs for manipulating the SASL users dat
sasl2-bin        2.1.19-1.5     Programs for manipulating the SASL users dat
---
maildrop         1.5.3-1.1      mail delivery agent with filtering abilities

Postfix

/etc/postfix/main.cf


# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mail.foo.bar
mydomain = $myhostname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
#relayhost = 
mynetworks = 127.0.0.0/8
home_mailbox= Maildir/
# pre Maildir
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# relay policy: only local networks and SASL-authenticated clients may relay.
# check_relay_domains is deprecated in Postfix 2.x; reject_unauth_destination
# is its replacement.
smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated
        check_relay_domains

smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        

# no: AUTH is also offered before STARTTLS, so PLAIN/LOGIN credentials may
# cross the wire in clear. yes only announces AUTH inside a TLS session.
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
# Be nice to brokenware like Outlook Express:
broken_sasl_auth_clients = yes

/etc/postfix/master.cf


# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
# debug only:
#smtp     inet  n       -       -       -       -       smtpd -v
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
tlsmgr    fifo  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

/etc/postfix/sasl/smtpd.conf


pwcheck_method: saslauthd
mech_list: plain login
log_level: 0

/etc/default/saslauthd


# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

/etc/init.d/saslauthd


#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
###
# Change PARAMS like this! Otherwise postfix cannot reach saslauthd from inside its chroot...
###
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
PWDIR=/var/run/saslauthd
#PWDIR=/var/spool/postfix/var/run/saslauthd
PIDFILE="/var/run/${NAME}/saslauthd.pid"
# [...]
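To see why the PARAMS change above is needed, here is an added example (not part of the original page) that lists the smtpd services of a master.cf with their chroot mode and the directory in which the Cyrus SASL library will then look for saslauthd's mux socket. The sample master.cf it writes is constructed for this example in the layout of the master.cf above; the mux paths assume the Debian default /var/run/saslauthd and the Postfix queue directory /var/spool/postfix.

```shell
#!/bin/sh
# In master.cf the 5th column is the chroot flag: "-" means the default (yes),
# "n" means not chrooted. A chrooted smtpd resolves /var/run/saslauthd inside
# /var/spool/postfix, a non-chrooted one on the real filesystem.
set -eu

# $1 master.cf: print "service type chroot|nochroot" for every smtpd line,
# skipping comment lines
smtpd_services() {
    awk '$1 !~ /^#/ && $8 == "smtpd" {
            print $1, $2, ($5 == "n") ? "nochroot" : "chroot" }' "$1"
}

# $1 chroot|nochroot: the mux directory that an smtpd in that mode opens,
# as seen from outside the chroot
expected_mux_dir() {
    case "$1" in
        chroot)   echo /var/spool/postfix/var/run/saslauthd ;;
        nochroot) echo /var/run/saslauthd ;;
        *)        return 1 ;;
    esac
}

# $1 master.cf: one line per smtpd service with the mux socket it needs.
# Returns 1 when the services disagree, because a single "saslauthd -m"
# directory cannot serve both modes without extra symlinks or bind mounts.
report_mux_dirs() {
    smtpd_services "$1" | while read -r svc type mode; do
        echo "$svc/$type: $mode -> $(expected_mux_dir "$mode")/mux"
    done
    smtpd_services "$1" | awk '{ m[$3] = 1 }
        END { n = 0; for (k in m) n++; exit (n > 1) }'
}

# constructed sample (same layout as the master.cf of this howto)
write_sample_master_cf() {
    cat > "$1" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
#smtp     inet  n       -       -       -       -       smtpd -v
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes
EOF
}
```

Run against the master.cf above it reports smtp/inet as chroot but smtps and 587 as nochroot, so those services do not agree on where the mux socket has to be.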

Certificates (smtp/sasl)


~> cd /usr/lib/ssl/misc
~> mv demoCA demoCA.old
~> cp CA.pl CA_nodes.pl
~> cp CA.sh CA_nodes.sh
~> vi CA_nodes.sh
# insert -nodes in both lines!
before      $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
---
after       $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS

before      $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
---
after       $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS

# Change the default values for the certificate in /usr/lib/ssl/openssl.cnf!

~> ./CA_nodes.sh -newca        # enter a password and remember it
~> ./CA_nodes.sh -newreq       # NO PASSWORD!!!
~> ./CA_nodes.sh -sign         # the remembered password once more
~> mkdir /etc/postfix/ssl
~> cp new*.pem /etc/postfix/ssl
~> cp demoCA/cacert.pem /etc/postfix/ssl
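The same three steps (-newca, -newreq, -sign) done directly with openssl, as an added example that is not part of the original page: it produces the files the howto copies to /etc/postfix/ssl, i.e. cacert.pem, newreq.pem (here the server key alone, the request goes to newreq.csr) and newcert.pem. The CA key is protected by the passphrase in $CA_PASS, the server key is deliberately unencrypted (-nodes) because smtpd cannot prompt for a passphrase; subject fields and the output directory are placeholders to adjust.

```shell
#!/bin/sh
set -eu

# $1 output directory, $2 hostname used as CN of the server certificate
make_mail_certs() {
    outdir=$1; host=$2
    mkdir -p "$outdir"
    # 1. passphrase-protected CA key and self-signed CA certificate (-newca)
    openssl req -new -x509 -newkey rsa:2048 -days 3650 \
        -passout env:CA_PASS -keyout "$outdir/cakey.pem" -out "$outdir/cacert.pem" \
        -subj "/C=DE/O=Example Mail CA/CN=Example Mail CA"
    # 2. server key WITHOUT passphrase (-nodes) plus certificate request (-newreq)
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$outdir/newreq.pem" -out "$outdir/newreq.csr" \
        -subj "/C=DE/O=Example/CN=$host"
    # 3. sign the request with the CA key, one year validity (-sign)
    openssl x509 -req -days 365 -in "$outdir/newreq.csr" \
        -CA "$outdir/cacert.pem" -CAkey "$outdir/cakey.pem" -CAcreateserial \
        -passin env:CA_PASS -out "$outdir/newcert.pem"
    # private keys readable by root only
    chmod 600 "$outdir/cakey.pem" "$outdir/newreq.pem"
}

# $1 output directory: returns 0 if newcert.pem chains to cacert.pem and the
# server key really is unencrypted (an encrypted key leaves smtpd without TLS)
check_mail_certs() {
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null || return 1
    if grep -q ENCRYPTED "$1/newreq.pem"; then return 1; fi
    return 0
}

# usage: CA_PASS='choose a CA passphrase' make_mail_certs /etc/postfix/ssl mail.foo.bar
```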

Courier IMAP

/etc/courier/imapd.cnf


RANDFILE = /usr/lib/courier/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=DE
ST=State
L=Location
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=mail.foo.bar
emailAddress=postmaster@mail.foo.bar


[ cert_type ]
nsCertType = server

Create the certificate (IMAP):

~> /usr/sbin/mkimapdcert
~> rm /etc/courier/imapd.pem
~> cp /usr/lib/courier/imapd.pem /etc/courier/

Old mails / mb2md (mailbox to maildir)

Small bash script for the conversion:


#!/bin/sh
# Convert every mbox in /var/spool/mail into the owner's ~/Maildir and park
# the old mbox as <user>.pre_maildir.
cd /var/spool/mail || exit 1
for i in *; do
    # look the home directory up in passwd: the shell does not tilde-expand ~$i
    home=$(getent passwd "$i" | cut -d: -f6)
    if [ -z "$home" ]; then echo "skipping $i: no such user" >&2; continue; fi
    if [ ! -d "$home/Maildir" ]; then maildirmake "$home/Maildir"; fi
    mb2md -s "/var/spool/mail/$i" -d "$home/Maildir"
    chown -R "$i:$i" "$home/Maildir"
    mv "/var/spool/mail/$i" "/var/spool/mail/$i.pre_maildir"
done
exit 0