
PART ONE POSTFIX

Install Postfix using Yum.

$ yum install postfix

Using the alternatives command, choose to use Postfix as our default MTA. You should also ensure that sendmail is not running.

$ alternatives --config mta
$ /etc/init.d/sendmail stop
$ chkconfig sendmail off

Either edit the /etc/postfix/main.cf configuration file or use the postconf command to set up a minimum configuration. Quote each setting so the shell passes it to postconf as a single argument and does not expand $mydomain or $myhostname itself.

$ postconf -e 'myhostname = mail.linux.lab'
$ postconf -e 'mydomain = linux.lab'
$ postconf -e 'myorigin = $mydomain'
$ postconf -e 'inet_interfaces = all'
$ postconf -e 'mydestination = $myhostname, localhost, $mydomain'
$ postconf -e 'mynetworks = 127.0.0.0/8, /32'
$ postconf -e 'relay_domains = $mydestination'
$ postconf -e 'home_mailbox = Maildir/'

Create a user on the mail server for yourself if you have not already.

$ useradd -s /sbin/nologin labrat
$ passwd labrat

Note: if you do not want the user to be able to log in to the server interactively, set the shell to /sbin/nologin using the -s option with useradd, as we did in this example.

Create an email address for this user in the /etc/aliases configuration file by adding the following line.

labrat: labrat

The first labrat represents the email address. This value, together with the value of mydomain in /etc/postfix/main.cf, makes up the email address. In this case the email address would be labrat@linux.lab. The second labrat represents the user on the Linux system. A user can have multiple aliases associated with their user account. The alias does not have to be the same as the username, as it is in this example.

After you edit this file you must run the newaliases command to convert /etc/aliases to a binary file used by postfix.

$ newaliases

Make sure that postfix is configured to run automatically, then turn it on or restart it if it is already running.

$ chkconfig postfix on
$ /etc/init.d/postfix restart

Confirm that postfix is running using netstat. You should see that postfix is listening on port 25 (smtp) and that there are several internal Unix sockets owned by postfix. By default the postfix process is called master.

$ netstat -nlp | grep master

You should get something similar to this. The first line shows the SMTP server listening on port 25. The rest of the lines are internal sockets for the individual components of postfix to use to communicate with each other.

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 7950/master
unix 2 [ ACC ] STREAM LISTENING 161001600 7950/master private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 161001604 7950/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 161001593 7950/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 161001608 7950/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 161001624 7950/master public/flush
unix 2 [ ACC ] STREAM LISTENING 161001612 7950/master private/defer
unix 2 [ ACC ] STREAM LISTENING 161001640 7950/master public/showq
unix 2 [ ACC ] STREAM LISTENING 161001616 7950/master private/trace
unix 2 [ ACC ] STREAM LISTENING 161001620 7950/master private/verify
unix 2 [ ACC ] STREAM LISTENING 161001628 7950/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 161001632 7950/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 161001636 7950/master private/relay
unix 2 [ ACC ] STREAM LISTENING 161001644 7950/master private/error
unix 2 [ ACC ] STREAM LISTENING 161001648 7950/master private/discard
unix 2 [ ACC ] STREAM LISTENING 161001652 7950/master private/local
unix 2 [ ACC ] STREAM LISTENING 161001656 7950/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 161001660 7950/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 161001664 7950/master private/anvil
unix 2 [ ACC ] STREAM LISTENING 161001668 7950/master private/scache
unix 2 [ ACC ] STREAM LISTENING 161001672 7950/master private/maildrop
unix 2 [ ACC ] STREAM LISTENING 161001676 7950/master private/old-cyrus
unix 2 [ ACC ] STREAM LISTENING 161001680 7950/master private/cyrus
unix 2 [ ACC ] STREAM LISTENING 161001684 7950/master private/uucp
unix 2 [ ACC ] STREAM LISTENING 161001688 7950/master private/ifmail
unix 2 [ ACC ] STREAM LISTENING 161001692 7950/master private/bsmtp

We can now test postfix by trying to send and receive email. Remember that this is a fake domain and no MX record exists for it so we are limited to receiving email that is sent using our local machine to itself. We should however be able to send email to any other mail server on the Internet; although it is likely to be flagged as spam.

First let's send an email to ourselves using the mail command.

$ mail -s "This is a test email" labrat@linux.lab
test 123
.

After you issue the mail command it waits for input. This is going to be the body of the email. To stop typing and send the email, put a period on a line all by itself. The mail program will ask if you want to Cc: anybody; just press enter and the mail should be sent.

Check the following location for the new mail. Each message has a unique ID that is not very user friendly. Normally we use a mail client to check email, but in this case just use the cat command to confirm that the file contains your email message.

$ cd /home/labrat/Maildir/new
$ cat *

One last test before we move on. The previous test showed that we were able to send an email to ourselves and that our MTA was able to process it internally. Let's try to send an email to a remote email server. Repeat the above mail command using your own email address, such as a gmail or yahoo email address. Check to see if the mail was received. Remember it is likely that it will end up in the spam folder. You will not be able to reply to the email, since gmail or yahoo do not know anything about the linux.lab domain and the reply will fail when trying to look up an MX record for the domain.

PART TWO DOVECOT

In the above example we had to be directly connected to the email server in order to send or receive email. This is not very practical or common; most email users use an MUA such as Outlook or Thunderbird to manage their email. Mail retrieval is usually accomplished using either POP3 or IMAP. Dovecot is a popular POP/IMAP server used to implement these protocols.

Install Dovecot using yum.

$ yum install dovecot

Make sure Dovecot is configured to start automatically and is running.

$ chkconfig dovecot on
$ /etc/init.d/dovecot restart

Using netstat, confirm that dovecot is listening on ports 110, 143, 993, and 995.

$ netstat -nlp | grep dovecot

Your output should be similar to this:

tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 7877/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 7877/dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 7877/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 7877/dovecot
unix 2 [ ACC ] STREAM LISTENING 161001232 7878/dovecot-auth /var/spool/postfix/private/auth
unix 2 [ ACC ] STREAM LISTENING 161001220 7877/dovecot /var/run/dovecot/dict-server
unix 2 [ ACC ] STREAM LISTENING 161001222 7877/dovecot /var/run/dovecot/login/default
unix 2 [ ACC ] STREAM LISTENING 161001227 7877/dovecot /var/run/dovecot/auth-worker.7878

Configure Thunderbird or another mail client to connect to your mail server using the IMAP protocol on port 143. Because the domain is fake, you should enter your IP address for both the incoming and outgoing mail servers. Your username and password are the username and password of the Linux user you set up to receive the email. Every mail client will be slightly different, so you will be on your own to figure out how to do this. It is not difficult.

Check for new email using your mail client. You should see the message you sent yourself in step 8 of configuring Postfix.

Send yourself an email using your mail client. Confirm that you received it.

Either use a second virtual machine or a lab partner and configure a mail client to connect to your mail server from a machine other than the mail server itself. Repeat the process of trying to send yourself an email and confirm you receive it. Now try sending an email to another domain such as gmail or yahoo. It should fail.

If we think this through, it makes sense. If the server is responsible for the linux.lab domain, we want anyone in the world to be able to use our email server to send us email without needing to authenticate or be on our local network. However, we probably do NOT want anybody other than ourselves or our employees using our email server to send email to other domains that we are not responsible for. If our email server allowed anybody to use it to send email to any domain, then spammers could use it to send spam that looked like it came from us (because it did).

By default postfix lets any client in the networks defined by the mynetworks directive in /etc/postfix/main.cf relay mail to other domains. Your users will, however, most likely be sending email from outside those networks and thus require a different method of authentication. In our first example we were connecting to the mail server from the mail server itself, which is defined in the mynetworks directive, and that is why the email was allowed to send. In the second example we connected from a machine that was not defined in mynetworks, and the mail was not allowed to relay to an external domain.

PART THREE SASL (Simple Authentication and Security Layer)

In order to allow authenticated users to send mail to remote domains regardless of the network they are attached to when they send the email, we use SASL. Historically Postfix used the Cyrus implementation of SASL, but more recent versions also support the SASL implementation that ships with Dovecot. Since we already have Dovecot installed we will stick with that version.

Edit /etc/dovecot/conf.d/10-auth.conf and append the following to the end of the file.

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}

We need to tell postfix to use Dovecot SASL. Either edit the /etc/postfix/main.cf file or use the postconf command to add the following settings.

$ postconf -e 'smtpd_sasl_type = dovecot'
$ postconf -e 'smtpd_sasl_path = private/auth'
$ postconf -e 'smtpd_sasl_auth_enable = yes'
$ postconf -e 'smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination'
$ postconf -e 'broken_sasl_auth_clients = yes'

Restart both dovecot and postfix.

$ /etc/init.d/dovecot restart
$ /etc/init.d/postfix restart

Test that you can now send email to an external domain from your mail client that is installed on a machine other than the mail server.
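
The relay behaviour observed in Part Two and the smtpd_recipient_restrictions list set in Part Three can be traced with the simplified model below, which is an added example and not code from the original lab or from Postfix. It models only the three restrictions named above; the 192.0.2.10/32 network entry, the 203.0.113.50 client and the example.com recipient are constructed placeholders.

```python
import ipaddress

# Constructed values mirroring the lab's main.cf; 192.0.2.10 is a placeholder
# for the server address that the page leaves blank before "/32".
MYNETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]
LOCAL_DOMAINS = {"mail.linux.lab", "localhost", "linux.lab"}  # mydestination / relay_domains
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]


def in_mynetworks(client_ip):
    """True if the connecting client's address falls inside mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(client_ip, sasl_user, rcpt, restrictions=RESTRICTIONS):
    """Return (verdict, deciding_rule) for one RCPT TO; the first match wins."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl_user:
            return "permit", rule
        if rule == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return "reject", rule
    # No rule decided: the recipient is accepted when the list ends.
    return "permit", "end_of_list"


def is_open_relay(restrictions):
    """True if an unauthenticated outside client may mail an outside domain."""
    verdict, _ = evaluate("203.0.113.50", None, "someone@example.com", restrictions)
    return verdict == "permit"


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", None, "user@example.com"),         # mail command on the server
        ("203.0.113.50", None, "user@example.com"),      # remote client, no login
        ("203.0.113.50", None, "labrat@linux.lab"),      # inbound mail for our domain
        ("203.0.113.50", "labrat", "user@example.com"),  # remote client after SASL login
    ]
    for case in cases:
        print(case, "->", evaluate(*case))
    print("open relay without reject_unauth_destination:",
          is_open_relay(["permit_mynetworks", "permit_sasl_authenticated"]))
```

The last line shows why reject_unauth_destination must stay at the end of the list: without it an unauthenticated outside client falls through to the default accept and the server relays for anyone.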
