How to install and configure Postfix on CentOS?

I like DigitalOcean’s tutorials about setting up servers and VPSes, which are usually easy to understand and, if not (like this Postfix tutorial), at least work!

I wrote a tutorial about setting up sendmail. In that tutorial, you can see I had a lot of trouble making sendmail work, so this time I decided to try Postfix, which is said to be more advanced than sendmail and easier to use. Frankly speaking, I do not think the concepts in Postfix are easier to understand than those in sendmail; in fact, the two use the same set of concepts. But with the guidance of the DigitalOcean tutorial, the configuration work is indeed simpler than for sendmail. The point is that you need not understand the complex concepts involved. All you need to do is copy and paste the code provided in the tutorial and change the domain name to your real domain name.

Install postfix

This also installs the cyrus-sasl package as a dependency.

Configure Postfix

vi /etc/postfix/main.cf to use the following configuration:

Do not worry much about the meaning of every parameter. Just replace domainhostseotool.com in the configuration file with your own domain name.

Create Postmap

vi /etc/postfix/virtual to add an email:

admin@domainhostseotool.com   admin\@domainhostseotool.com

 

Set up Cyrus

vi /etc/sasl2/smtpd.conf

After editing, the file should contain the following content:

 

vi /etc/imapd.conf

 

 

Remember to replace domainhostseotool.com with your own domain name.

 

Start Postfix service

Using netstat -antp, you will see that the process “master” (the control process of Postfix) is listening on port 25.

 

Install a mail client to send emails

 

Enable SMTPS for postfix

Now you can send mail using the mail command. But the configuration above is far from adequate for a real production environment. We’ll add more configuration to make a real email system. First, we will add SSL support to Postfix. By default, Postfix listens on port 25 to receive emails from peer MTAs or email clients. Messages transported via port 25 are not encrypted, so they are easy to sniff and even to tamper with. Some email clients can use the STARTTLS command to switch to encrypted communication on port 25, but old email clients do not support STARTTLS. Here we use SMTPS to implement the encrypted communication. SMTPS uses port 465 to receive packets over SSL. To enable SMTPS in Postfix, edit /etc/postfix/master.cf and un-comment the line:

Restart Postfix and you will find that the process “master” is now listening on port 25 as well as port 465.

You can use openssl to connect to the server via port 465. But openssl will quit during the SSL handshake, complaining “no peer certificate available”. You should modify the settings in /etc/postfix/main.cf to add TLS support:

smtps.crt and smtps.key are the server certificate and the server key. You can generate the two files according to this guide. However, after adding the SSL parameters, openssl still exits with the same error. You should also un-comment the following line in master.cf:

Now you should see the server certificate during the handshake in the openssl output, although openssl complains “unable to verify the first certificate” because the server certificate was issued by myself, not by a real CA. This is a good sign, indicating that the TLS settings for Postfix are OK. The bad news is that openssl still quits after the SSL handshake.

 

Configure SASL authentication

By checking the Postfix log file, /var/log/maillog, you will see the following error messages:

This is because we have not installed any SASL authentication package, even though we have installed the cyrus-sasl package. For simplicity, here we only add one SASL authentication package: cyrus-sasl-plain

This time the openssl command does not exit and stops at the line:

openssl waits for us to input commands. If you try to send an email, you will fail after you input the “rcpt to:” command. The error is “Relay access denied”. This is caused by the smtpd_recipient_restrictions setting in main.cf: we do not allow unauthorized people to relay email. You need to complete the authentication before sending an email.

If you follow the instruction in the guide to submit your login credentials, you will get the error:

Error: authentication failed: authentication failure

Meanwhile, you will see the following errors in /var/log/maillog:

This is because we’ve not set up Cyrus correctly for authentication. Remember we specified the authentication method as “pwcheck_method: auxprop” in the “set up Cyrus” step? This authentication method uses a database file to store user accounts that are independent of the Linux system accounts. You need to create that database and add user accounts in that database. You can follow this guide to do this.

Now you should be able to complete the auth command and send emails in openssl.
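The failures walked through in this section all leave traces in /var/log/maillog, so the same file can be triaged automatically. The following is an added example, not part of the original post: the log lines are constructed in the usual Postfix syslog layout, and the host name, addresses and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the tutorial's server); the IPs are
# documentation-range placeholders.
SAMPLE_MAILLOG = """\
Jan 10 09:00:01 mail postfix/smtpd[2101]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Jan 10 09:00:01 mail postfix/smtpd[2101]: fatal: no SASL authentication mechanisms
Jan 10 09:05:12 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@other.example>: Relay access denied; from=<a@example.com> to=<bob@other.example> proto=ESMTP helo=<client>
Jan 10 09:06:40 mail postfix/smtpd[2161]: warning: SASL authentication failure: no secret in database
Jan 10 09:06:40 mail postfix/smtpd[2161]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Jan 10 09:06:44 mail postfix/smtpd[2161]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Jan 10 09:06:49 mail postfix/smtpd[2161]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""

IP = r"\[(?P<ip>[0-9a-fA-F.:]+)\]"
# First matching rule wins; rules with an <ip> group are counted per client.
RULES = [
    ("no_sasl_mechanisms", re.compile(r"fatal: no SASL authentication mechanisms")),
    ("sasldb_no_user", re.compile(r"SASL authentication failure: no secret in database")),
    ("auth_failed", re.compile(IP + r": SASL \S+ authentication failed")),
    ("relay_denied", re.compile(r"RCPT from \S+" + IP + r": .*Relay access denied")),
]

def triage(log_text, threshold=3):
    """Return (setup problems, per-client counters, clients at or over threshold)."""
    setup = Counter()
    by_ip = {"auth_failed": Counter(), "relay_denied": Counter()}
    for line in log_text.splitlines():
        if "postfix/smtpd[" not in line:
            continue  # only the SMTP server daemon is of interest here
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name in by_ip:
                by_ip[name][m.group("ip")] += 1
            else:
                setup[name] += 1
            break
    noisy = sorted({ip for c in by_ip.values() for ip, n in c.items() if n >= threshold})
    return dict(setup), by_ip, noisy

if __name__ == "__main__":
    print(triage(SAMPLE_MAILLOG))
```

Setup problems (missing mechanism package, missing sasldb entry) point at the server's own configuration, while repeated authentication failures or relay attempts from one address point at the client.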

 

Receive emails using Cyrus-IMAP

At this point, you can send emails using the Postfix system without a problem. However, for receiving emails, there is more configuration to be done.

First, you should change the following line in main.cf

to

Otherwise, you will get the following error:

That is because, according to smtpd_recipient_restrictions, only emails to xxx@mail.domainhostseotool.com are accepted; emails to xxx@domainhostseotool.com are rejected.

Even after you change the “mydestination” variable, there is still an error:
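Because the configuration is copied without studying each parameter, it helps to check main.cf mechanically for the two problems met so far (relay restrictions and mydestination) and for AUTH being offered on unencrypted sessions. The following is an added example, not the tutorial's code: the sample file is constructed, example.com is a placeholder, and only values set explicitly in main.cf are examined (Postfix defaults and master.cf overrides are not).

```python
import re

# Constructed sample, not the tutorial's main.cf; example.com is a placeholder.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    # authenticated clients may relay
    permit_sasl_authenticated
"""

def parse_main_cf(text):
    """Blank and '#' lines are ignored; an indented line continues the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def expand(value, params):
    """Resolve $name / ${name} references to parameters set in the same file."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), m.group(0)), value)

def items(value):
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(params):
    findings = []
    rcpt = items(params.get("smtpd_recipient_restrictions", ""))
    relay = items(params.get("smtpd_relay_restrictions", ""))
    if rcpt and "reject_unauth_destination" not in rcpt + relay:
        findings.append("relay: no reject_unauth_destination in the restriction lists")
    domain = params.get("mydomain")
    if domain and domain not in items(expand(params.get("mydestination", ""), params)):
        findings.append("delivery: mydestination lacks %s, mail to user@%s is not local" % (domain, domain))
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append("auth: AUTH is offered on unencrypted sessions; set smtpd_tls_auth_only = yes")
    return findings
```

Running `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real server gives the same list of findings for the live file; `postconf -n` shows the values Postfix actually uses.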

 

You should start the service cyrus-imapd:

 

Postfix will talk to this service to deliver received emails to the mailbox.

cyrus-imapd saves the emails in /var/spool/imap (specified by the partition-default parameter in /etc/imapd.conf). Every email address has a directory under /var/spool/imap. Every email is saved as a file like 1., 2., 3.,…. Note that even if there is no account in /etc/sasldb2, the emails Postfix receives are still saved in /var/spool/imap, because no authentication is required for email destined to the server Postfix controls. But if you, as an email client, want to retrieve emails from the system using cyrus-imap, you will be asked to authenticate. In our example, cyrus-imapd uses /etc/sasldb2 for authentication (sasl_pwcheck_method: auxprop). Thus we need to add an account to /etc/sasldb2 to retrieve the emails associated with that account. For example, if you want to get the emails sent to admin@domainhostseotool.com, you need to add a user named “admin@domainhostseotool.com” as follows:

If you use an email client such as Outlook, you need to enter the account information in the “receiving server’s account name” and “receiving server’s password” fields. The account name is “admin@domainhostseotool.com”, not “admin”.

 
