postfix and sasl configuration / output

1. root@servername:~# telnet localhost 25
2. Trying ::1...
3. Connected to localhost.
4. Escape character is '^]'.
5. 220 servername.com ESMTP Postfix (Ubuntu)
6. EHLO test
7. 250-servername.de
8. 250-PIPELINING
9. 250-SIZE 10240000
10. 250-VRFY
11. 250-ETRN
12. 250-STARTTLS
13. 250-ENHANCEDSTATUSCODES
14. 250-8BITMIME
15. 250-DSN
16. 250 SMTPUTF8
17.  
18.  
19. root@servername:~# cat /etc/default/saslauthd
20. #
21. # Settings for saslauthd daemon
22. # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
23. #
24.  
25. # Should saslauthd run automatically on startup? (default: no)
26. START=yes
27.  
28. # Description of this saslauthd instance. Recommended.
29. # (suggestion: SASL Authentication Daemon)
30. DESC="SASL Authentication Daemon"
31.  
32. # Short name of this saslauthd instance. Strongly recommended.
33. # (suggestion: saslauthd)
34. NAME="saslauthd"
35.  
36. # Which authentication mechanisms should saslauthd use? (default: pam)
37. #
38. # Available options in this Debian package:
39. # getpwent -- use the getpwent() library function
40. # kerberos5 -- use Kerberos 5
41. # pam -- use PAM
42. # rimap -- use a remote IMAP server
43. # shadow -- use the local shadow password file
44. # sasldb -- use the local sasldb database file
45. # ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
46. #
47. # Only one option may be used at a time. See the saslauthd man page
48. # for more information.
49. #
50. # Example: MECHANISMS="pam"
51. MECHANISMS="shadow"
52.  
53. # Additional options for this mechanism. (default: none)
54. # See the saslauthd man page for information about mech-specific options.
55. MECH_OPTIONS=""
56.  
57. # How many saslauthd processes should we run? (default: 5)
58. # A value of 0 will fork a new process for each connection.
59. THREADS=5
60.  
61. # Other options (default: -c -m /var/run/saslauthd)
62. # Note: You MUST specify the -m option or saslauthd won't run!
63. #
64. # WARNING: DO NOT SPECIFY THE -d OPTION.
65. # The -d option will cause saslauthd to run in the foreground instead of as
66. # a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
67. # to run saslauthd in debug mode, please run it by hand to be safe.
68. #
69. # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
70. # See the saslauthd man page and the output of 'saslauthd -h' for general
71. # information about these options.
72. #
73. # Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
74. # Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
75. #
76. # To know if your Postfix is running chroot, check /etc/postfix/master.cf.
77. # If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
78. # then your Postfix is running in a chroot.
79. # If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
80. # running in a chroot.
81. OPTIONS="-c -m /var/run/saslauthd"
82. # OPTIONS="-c -m /var/run/spool/postfix/var/run/saslauthd"
83.  
84.  
85. root@servername:~# cat /etc/postfix/sasl/smtpd.conf
86. pwcheck_method: saslauthd
87. mech_list: PLAIN LOGIN
88. saslauthd_path: /var/run/saslauthd/mux
89. log_level: 7
90. #auxprop_plugin: sasldb
91.  
92.  
93. root@servername:~# ps ax|grep saslauthd
94. 1112 ? Ss 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/run/saslauthd -n 5
95. 1113 ? S 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/run/saslauthd -n 5
96. 1114 ? S 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/run/saslauthd -n 5
97. 1115 ? S 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/run/saslauthd -n 5
98. 1116 ? S 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/run/saslauthd -n 5
99.  
100.  
101. root@servername:~# cat /var/log/auth.log|grep saslauthd
102. [...]
103. Oct 24 16:05:55 servername saslauthd[1112]: detach_tty : master pid is: 1112
104. Oct 24 16:05:55 servername saslauthd[1112]: ipc_init : listening on socket: /var/run/saslauthd/mux
105.  
106.  
107. root@servername:~# cat /etc/group|grep sasl
108. sasl:x:45:postfix
109.  
110.  
111. root@servername:~# id -G postfix
112. 121 45
113.  
114.  
115. root@servername:~# ls -l /var/run/saslauthd/
116. total 968
117. -rw------- 1 root root 0 Oct 24 16:05 cache.flock
118. -rw------- 1 root root 986112 Oct 24 16:05 cache.mmap
119. srwxrwxrwx 1 root root 0 Oct 24 16:05 mux
120. -rw------- 1 root root 0 Oct 24 16:05 mux.accept
121. -rw------- 1 root root 5 Oct 24 16:05 saslauthd.pid
122.  
123.  
124. root@servername:~# ls -l /usr/lib/sasl2
125. total 8
126. -rw-r--r-- 1 root root 4 Oct 24 14:44 berkeley_db.active
127. -rw-r--r-- 1 root root 4 Apr 5 2016 berkeley_db.txt
128. lrwxrwxrwx 1 root root 28 Oct 24 16:21 smtpd.conf -> /etc/postfix/sasl/smtpd.conf
129.  
130.  
131. root@servername:/etc/postfix# cat main.cf
132. # See /usr/share/postfix/main.cf.dist for a commented, more complete version
133.  
134.  
135. # Debian specific: Specifying a file name will cause the first
136. # line of that file to be used as the name. The Debian default
137. # is /etc/mailname.
138. #myorigin = /etc/mailname
139.  
140. compatibility_level=2
141.  
142. smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
143. biff = no
144.  
145. # appending .domain is the MUA's job.
146. append_dot_mydomain = no
147.  
148. # Uncomment the next line to generate "delayed mail" warnings
149. #delay_warning_time = 4h
150.  
151. readme_directory = no
152.  
153. # TLS parameters
154. smtpd_tls_cert_file = /etc/letsencrypt/live/servername.com/fullchain.pem
155. smtpd_tls_key_file = /etc/letsencrypt/live/servername.com/privkey.pem
156. smtpd_use_tls = yes
157. smtpd_tls_auth_only = yes
158. smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
159. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
160.  
161. tls_ssl_options = NO_COMPRESSION
162. tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
163.  
164. ### outgoing connections ###
165. smtp_tls_security_level = may
166. smtp_tls_cert_file = /etc/letsencrypt/live/servername.com/fullchain.pem
167. smtp_tls_key_file = /etc/letsencrypt/live/servername.com/privkey.pem
168. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
169.  
170.  
171. # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
172. # information on enabling SSL in the smtp client.
173.  
174. smtpd_sasl_type = dovecot
175. smtpd_sasl_path = smtpd
176. smtpd_sasl_auth_enable = yes
177. broken_sasl_auth_clients = yes
178.  
179. smtpd_recipient_restrictions =
180. permit_sasl_authenticated,
181. permit_mynetworks,
182. reject_unauth_destination
183.  
184. smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname
185.  
186. smtpd_sasl_security_options = noanonymous
187.  
188. #smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
189.  
190. myhostname = servername.com
191. alias_maps = hash:/etc/aliases
192. alias_database = hash:/etc/aliases
193. myorigin = /etc/mailname
194. #mydestination = $myhostname, servername.com, localhost.com, , localhost
195. mydestination = localhost
196. relayhost =
197. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
198. mailbox_size_limit = 0
199. recipient_delimiter = +
200. inet_interfaces = all
201. inet_protocols = all
202.  
203. #Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
204. virtual_transport = lmtp:unix:private/dovecot-lmtp
205.  
206. #Virtual domains, users, and aliases
207. virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
208. virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
209. virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
210. mysql:/etc/postfix/mysql-virtual-email2email.cf
211. always_bcc = alwaysbcc@localhost
212. recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps
213.  
214.  
215. root@servername:/etc/postfix# cat master.cf
216. #
217. # Postfix master process configuration file. For details on the format
218. # of the file, see the master(5) manual page (command: "man 5 master" or
219. # on-line: http://www.postfix.org/master.5.html).
220. #
221. # Do not forget to execute "postfix reload" after editing this file.
222. #
223. # ==========================================================================
224. # service type private unpriv chroot wakeup maxproc command + args
225. # (yes) (yes) (no) (never) (100)
226. # ==========================================================================
227. smtp inet n - - - - smtpd
228. #smtp inet n - y - 1 postscreen
229. #smtpd pass - - y - - smtpd
230. #dnsblog unix - - y - 0 dnsblog
231. #tlsproxy unix - - y - 0 tlsproxy
232. submission inet n - - - - smtpd
233. -o syslog_name=postfix/submission
234. -o smtpd_tls_security_level=encrypt
235. -o smtpd_sasl_auth_enable=yes
236. -o smtpd_reject_unlisted_recipient=no
237. -o smtpd_client_restrictions=$mua_client_restrictions
238. -o smtpd_helo_restrictions=$mua_helo_restrictions
239. -o smtpd_sender_restrictions=$mua_sender_restrictions
240. -o smtpd_recipient_restrictions=
241. -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
242. -o milter_macro_daemon_name=ORIGINATING
243. smtps inet n - - - - smtpd
244. -o syslog_name=postfix/smtps
245. -o smtpd_tls_wrappermode=yes
246. -o smtpd_sasl_auth_enable=yes
247. -o smtpd_reject_unlisted_recipient=no
248. -o smtpd_client_restrictions=$mua_client_restrictions
249. -o smtpd_helo_restrictions=$mua_helo_restrictions
250. -o smtpd_sender_restrictions=$mua_sender_restrictions
251. -o smtpd_recipient_restrictions=
252. -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
253. -o milter_macro_daemon_name=ORIGINATING
254. #628 inet n - y - - qmqpd
255. pickup unix n - y 60 1 pickup
256. cleanup unix n - y - 0 cleanup
257. qmgr unix n - n 300 1 qmgr
258. #qmgr unix n - n 300 1 oqmgr
259. tlsmgr unix - - y 1000? 1 tlsmgr
260. rewrite unix - - y - - trivial-rewrite
261. bounce unix - - y - 0 bounce
262. defer unix - - y - 0 bounce
263. trace unix - - y - 0 bounce
264. verify unix - - y - 1 verify
265. flush unix n - y 1000? 0 flush
266. proxymap unix - - n - - proxymap
267. proxywrite unix - - n - 1 proxymap
268. smtp unix - - y - - smtp
269. relay unix - - y - - smtp
270. # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
271. showq unix n - y - - showq
272. error unix - - y - - error
273. retry unix - - y - - error
274. discard unix - - y - - discard
275. local unix - n n - - local
276. virtual unix - n n - - virtual
277. lmtp unix - - y - - lmtp
278. anvil unix - - y - 1 anvil
279. scache unix - - y - 1 scache
280. #
281. # ====================================================================
282. # Interfaces to non-Postfix software. Be sure to examine the manual
283. # pages of the non-Postfix software to find out what options it wants.
284. #
285. # Many of the following services use the Postfix pipe(8) delivery
286. # agent. See the pipe(8) man page for information about ${recipient}
287. # and other message envelope options.
288. # ====================================================================
289. #
290. # maildrop. See the Postfix MAILDROP_README file for details.
291. # Also specify in main.cf: maildrop_destination_recipient_limit=1
292. #
293. maildrop unix - n n - - pipe
294. flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
295. #
296. # ====================================================================
297. #
298. # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
299. #
300. # Specify in cyrus.conf:
301. # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
302. #
303. # Specify in main.cf one or more of the following:
304. # mailbox_transport = lmtp:inet:localhost
305. # virtual_transport = lmtp:inet:localhost
306. #
307. # ====================================================================
308. #
309. # Cyrus 2.1.5 (Amos Gouaux)
310. # Also specify in main.cf: cyrus_destination_recipient_limit=1
311. #
312. #cyrus unix - n n - - pipe
313. # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
314. #
315. # ====================================================================
316. # Old example of delivery via Cyrus.
317. #
318. #old-cyrus unix - n n - - pipe
319. # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
320. #
321. # ====================================================================
322. #
323. # See the Postfix UUCP_README file for configuration details.
324. #
325. uucp unix - n n - - pipe
326. flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
327. #
328. # Other external delivery methods.
329. #
330. ifmail unix - n n - - pipe
331. flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
332. bsmtp unix - n n - - pipe
333. flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
334. scalemail-backend unix - n n - 2 pipe
335. flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
336. mailman unix - n n - - pipe
337. flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
338. ${nexthop} ${user}