====== Postfix ======

  #> apt-get install postfix postfix-tls postfix-pcre libsasl2 libsasl2-modules sasl2-bin

===== SASL authd =====

Make saslauthd work with chrooted Postfix:

Edit ''/etc/default/saslauthd'':

  # This needs to be uncommented before saslauthd will be run automatically
  START=yes
  
  # You must specify the authentication mechanisms you wish to use.
  # This defaults to "pam" for PAM support, but may also include
  # "shadow" or "sasldb", like this:
  # MECHANISMS="pam shadow"
  MECHANISMS="pam"
  
  PWDIR=/var/spool/postfix/var/run/saslauthd
  PARAMS="-m /var/spool/postfix/var/run/saslauthd"

Use ''dpkg-statoverride'' to make sure the start script works as expected:

  #> dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add the postfix user to the group sasl:

  #> usermod -g postfix -G sasl postfix

Create a ''/etc/postfix/sasl/smtpd.conf'' file with the following options:

  pwcheck_method: saslauthd
  mech_list: plain login

Start the SASL daemon and restart Postfix:

  #> /etc/init.d/saslauthd start
  #> /etc/init.d/postfix restart

===== TLS =====

Create a private key and a certificate as described [[sslca|here]].

  #> mkdir /etc/postfix/ssl
  #> cp postfixCert.pem postfixKey.pem /etc/postfix/ssl/
  #> chmod 400 /etc/postfix/ssl/postfixKey.pem
  #> cp /etc/ssl/CA/cacert.pem /etc/postfix/ssl/

Add the following to ''/etc/postfix/main.cf'':

  # Enable TLS support
  smtpd_tls_key_file = /etc/postfix/ssl/postfixKey.pem
  smtpd_tls_cert_file = /etc/postfix/ssl/postfixCert.pem
  smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
  smtpd_use_tls = yes

Uncomment the following three lines in ''/etc/postfix/master.cf'':

  tlsmgr fifo - - n 300 1 tlsmgr
  smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
  587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

===== Spam prevention =====

Follow the tutorial at http://www.freesoftwaremagazine.com/free_issues/issue_02/focus_spam_postfix/

The SPF script which comes with the postfix-doc package is broken ((It produces the following error: ''syslog: invalid level/facility: warn at ./spf-policy.pl line 154'')), so we get a current one directly from the source.

Go to the following URL: http://new.openspf.org/source/software/postfix-policyd-spf-perl/tags/1.08/postfix-policyd-spf-perl?rev=13&view=log, download the most recent version of this file (click on "(download)") and save it to ''/etc/postfix/spf-policy.pl''.

To make it work, install the needed Perl library and make the script executable:

  #> apt-get install libmail-spf-query-perl
  #> chmod 755 /etc/postfix/spf-policy.pl

Then add the following to ''/etc/postfix/master.cf'':

  spfpolicy unix - n n - - spawn
    user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl

Add the following entry

  check_policy_service unix:private/spfpolicy

to the ''smtpd_recipient_restrictions'' section of ''/etc/postfix/main.cf'', preferably as one of the last restrictions, e.g.:

  smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service unix:private/spfpolicy
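
The ordering advice above matters for more than tidiness: Postfix's policy delegation documentation warns that a ''check_policy_service'' placed before ''reject_unauth_destination'' can turn the server into an open relay. The following check of a ''main.cf'' against the TLS and restriction settings from this page is an added example, not part of the original page or of Postfix; the function names ''parse_main_cf'' and ''audit'' and both sample configurations are constructed for illustration.

```python
import re

def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if not raw[0].isspace():
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()  # a later setting overrides an earlier one
        elif current is not None:
            params[current] += " " + raw.strip()  # leading whitespace continues the value
    return params

def audit(text):
    """Return a list of findings for the TLS and policy settings set up on this page."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append("smtpd_use_tls is not yes")
    for key in ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile"):
        if not p.get(key):
            findings.append(key + " is not set")
    # Restrictions are separated by commas and/or whitespace.
    tokens = [t for t in re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "")) if t]
    if "check_policy_service" not in tokens:
        findings.append("no check_policy_service in smtpd_recipient_restrictions")
    elif "reject_unauth_destination" not in tokens[:tokens.index("check_policy_service")]:
        findings.append("check_policy_service runs before reject_unauth_destination")
    return findings

# Constructed sample: the settings from this page.
GOOD = """\
# Enable TLS support
smtpd_tls_key_file = /etc/postfix/ssl/postfixKey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/postfixCert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_use_tls = yes
smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service unix:private/spfpolicy
"""
# Constructed sample: the same file with the policy check moved to the front.
BAD = GOOD.replace("=\n    reject_unauth_destination",
    "=\n    check_policy_service unix:private/spfpolicy\n    reject_unauth_destination", 1)
```

''audit(GOOD)'' returns an empty list, while ''audit(BAD)'' reports the misplaced policy check; to run it against a live system, pass the contents of ''/etc/postfix/main.cf'' as the argument.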