Postfix 2.3 with LDAP, SSL and AUTH on Solaris

Software Components

Compile and Install

Compile on Solaris 9 with GCC 3.4.x.

# Build environment shared by every component below.
# The -R runpath in LDFLAGS/LD_OPTIONS is what lets the installed binaries find
# /opt/postfix/lib at run time, so LD_LIBRARY_PATH is cleared first: on
# Solaris it is searched before the runpath and a stale value would silently
# redirect configure tests and freshly built tools to other libraries.
unset LD_LIBRARY_PATH

export PATH="/opt/gnu/gcc/3.4.1/bin:/opt/gnu/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/ccs/bin"
export CC="gcc" CXX="g++"
export CFLAGS="-O3 -fPIC -Wall" CXXFLAGS="-O3 -fPIC -Wall"
export CPPFLAGS="-I/opt/postfix/include"
export LDFLAGS="-R/opt/postfix/lib -L/opt/postfix/lib"
export LD_OPTIONS="$LDFLAGS"   # picked up by the Solaris linker on every link

# GNU make is required by all the builds; an alias only applies to this
# interactive shell, it is not inherited by sub-shells or scripts.
alias make=gmake

Every binary compiled with GCC is linked against libgcc_s.so. Copy these libraries into the package tree.

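#######################################
# Copy the GCC runtime library (32-bit and sparcv9) into the package tree so
# the installed binaries resolve libgcc_s.so through their -R runpath instead
# of depending on the compiler installation still being present at run time.
# Each step is checked: the original unchecked "cd; cp; ln" sequence would
# keep going after a failed cd and copy/link into the wrong directory.
# Arguments: $1 - GCC library directory (holds libgcc_s.so.1 and sparcv9/)
#            $2 - destination library directory in the package tree
# Returns:   0 on success, 1 as soon as a mkdir/cp/ln step fails
#######################################
install_libgcc() {
  local gcc_lib=$1
  local dest_lib=$2
  local sub
  # "" is the 32-bit directory, sparcv9 the 64-bit one.
  for sub in "" sparcv9; do
    mkdir -p "${dest_lib}/${sub}" || return 1
    cp "${gcc_lib}/${sub:+${sub}/}libgcc_s.so.1" "${dest_lib}/${sub}/" || return 1
    # Relative link target keeps the tree relocatable; done in a subshell so
    # the caller's working directory is unchanged.
    ( cd "${dest_lib}/${sub}" && ln -s libgcc_s.so.1 libgcc_s.so ) || return 1
  done
}

install_libgcc /opt/gnu/gcc/3.4.1/lib /opt/postfix/lib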

Go to the directory containing the sources.

Berkeley DB

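# Berkeley DB (used by Cyrus SASL, see --with-dblib=berkeley below).
# The steps are chained with && so a failed extract/cd/configure/build stops
# here instead of letting "gmake install" run from whatever directory the
# shell happens to be in. Verify the tarball against its upstream signature
# before extracting; -p keeps the archive's permission bits as they are.
gtar -xvpzf /tmp/db-4.4.20.tar.gz &&
  cd /tmp/db-4.4.20/build_unix &&
  ../dist/configure --prefix=/opt/postfix &&
  gmake &&
  gmake install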

OpenSSL

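# OpenSSL: provides TLS for Postfix and OpenLDAP. OpenSSL's config script does
# not read LDFLAGS, so the -R/-L runpath flags are passed explicitly (both the
# 32-bit and sparcv9 library directories). This is the most security-sensitive
# component of the stack: build the currently supported release rather than
# the version shown, and verify the tarball signature before extracting.
# Chained with && so a failure in any step stops before "gmake install".
gtar -xvpzf /tmp/openssl-0.9.8d.tar.gz &&
  cd /tmp/openssl-0.9.8d &&
  ./config --prefix=/opt/postfix \
           --openssldir=/opt/postfix/openssl shared \
           -R/opt/postfix/lib -L/opt/postfix/lib \
           -R/opt/postfix/lib/sparcv9 -L/opt/postfix/lib/sparcv9 &&
  gmake &&
  gmake install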

OpenLDAP

OpenLDAP is used for Cyrus SASL with LDAP support. One could also store aliases in LDAP, but I don't recommend it because it is needless overhead.

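# OpenLDAP client library only (slapd/slurpd are disabled: the directory
# server lives elsewhere). --with-tls links the client against the OpenSSL
# built above so ldaps:// or START_TLS can be used if the LDAP server is ever
# not on the loopback interface. Chained with && so a failed step stops
# before "gmake install"; verify the tarball signature before extracting.
gtar -xvpzf /tmp/openldap-2.3.27.tgz &&
  cd /tmp/openldap-2.3.27 &&
  ./configure --prefix=/opt/postfix \
              --sysconfdir=/etc/opt/postfix \
              --disable-slapd --disable-slurpd \
              --localstatedir=/var/opt/postfix \
              --with-tls &&
  gmake depend &&
  gmake &&
  gmake install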

Cyrus SASL

Cyrus SASL is required for SMTP AUTH. Postfix cannot authenticate directly against /etc/passwd or LDAP.

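# Cyrus SASL library plus saslauthd.
#   --with-ldap       enables the LDAP backend used by "saslauthd -a ldap".
#   --with-saslauthd  directory of the saslauthd mux socket; it is below the
#                     Postfix queue directory so a chrooted smtpd can reach it.
#   --with-dbpath     location of sasldb2 (compiled in; not used when
#                     pwcheck_method is saslauthd, as configured below).
#   --disable-gssapi/--disable-kerb5  no Kerberos mechanisms are built.
# Chained with && so a failed step stops before "gmake install"; verify the
# tarball signature before extracting.
gtar -xvpzf /tmp/cyrus-sasl-2.1.22.tar.gz &&
  cd /tmp/cyrus-sasl-2.1.22 &&
  ./configure --prefix=/opt/postfix \
              --with-dbpath=/var/opt/postfix/sasldb2 \
              --sysconfdir=/etc/opt/postfix \
              --with-dblib=berkeley \
              --with-bdb-libdir=/opt/postfix/lib \
              --with-bdb-incdir=/opt/postfix/include \
              --with-openssl=/opt/postfix \
              --with-ldap=/opt/postfix \
              --with-plugindir=/opt/postfix/lib/sasl2 \
              --with-saslauthd=/var/opt/postfix/socket \
              --with-des=/opt/postfix \
              --enable-shared \
              --enable-static \
              --disable-gssapi \
              --disable-kerb5 &&
  gmake &&
  gmake install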

Postfix

Postfix is built with support for SMTPS, TLS and LDAP. Building it for a location other than the default is a bit tricky because Postfix does not have a standard configure script.

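# Postfix has no configure script: paths and features are passed to
# "gmake makefiles". The DEF_* values are compiled in as defaults and must
# match the answers given to "gmake install" later, otherwise the installed
# main.cf and the binaries disagree about where things live.
# -DUSE_TLS/-DUSE_SASL_AUTH/-DUSE_CYRUS_SASL/-DHAS_LDAP enable TLS, SMTP AUTH
# via Cyrus SASL and LDAP lookups; AUXLIBS links them from /opt/postfix/lib
# with a matching -R runpath. Chained with && so a failed step stops early;
# verify the tarball signature before extracting.
gtar -xvpzf /tmp/postfix-2.3.3.tar.gz &&
  cd /tmp/postfix-2.3.3 &&
  gmake makefiles \
        CCARGS='-I/opt/postfix/include -I/opt/postfix/include/sasl \
        -DDEF_COMMAND_DIR=\"/opt/postfix/sbin\" \
        -DDEF_CONFIG_DIR=\"/etc/opt/postfix\" \
        -DDEF_DAEMON_DIR=\"/opt/postfix/libexec\" \
        -DDEF_MAILQ_PATH=\"/opt/postfix/sbin/mailq\" \
        -DDEF_MANPAGE_DIR=\"/opt/postfix/man\" \
        -DDEF_NEWALIAS_PATH=\"/opt/postfix/sbin/newaliases\" \
        -DDEF_QUEUE_DIR=\"/var/opt/postfix\" \
        -DDEF_SENDMAIL_PATH=\"/opt/postfix/sbin/sendmail\" \
        -DHAS_LDAP -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL' \
        AUXLIBS="-L/opt/postfix/lib -R/opt/postfix/lib \
        -llber -lldap -lsasl2 -lssl -lcrypto" &&
  gmake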
# Installation runs as root. "su -" starts a fresh login shell: the PATH, CC
# and alias settings from the build environment are NOT inherited, so root's
# own PATH must resolve gmake (it was taken from /opt/gnu/bin above).
su -
# Dedicated unprivileged account/groups. "postdrop" is the setgid group of the
# postdrop/postqueue commands (see setgid_group below). The postfix account
# never needs to log in; consider giving it a non-login shell with useradd -s.
groupadd -g 82 postfix
groupadd -g 83 postdrop
useradd -u 82 -g 82 -d /var/opt/postfix -c "Postfix User" postfix
# Convenience link so anything that assumes the conventional /etc/postfix
# finds the real configuration directory compiled in above.
ln -s /etc/opt/postfix /etc/postfix
gmake install
# Interactive transcript of the install prompts: the default is shown in
# brackets, the value typed is in the right-hand column. Every answer mirrors
# the DEF_* values given to "gmake makefiles" so binaries and main.cf agree.
install_root: [/]                         /
tempdir: [/tmp/postfix-2.3.3]             /tmp
config_directory: [/etc/postfix]          /etc/opt/postfix
daemon_directory: [/usr/libexec/postfix]  /opt/postfix/libexec
command_directory: [/usr/sbin]            /opt/postfix/sbin
queue_directory: [/var/spool/postfix]     /var/opt/postfix
sendmail_path: [/usr/lib/sendmail]        /opt/postfix/sbin/sendmail
newaliases_path: [/usr/bin/newaliases]    /opt/postfix/sbin/newaliases
mailq_path: [/usr/bin/mailq]              /opt/postfix/sbin/mailq
mail_owner: [postfix]                     postfix
setgid_group: [postdrop]                  postdrop
html_directory: [no]                      no
manpage_directory: [/usr/local/man]       /opt/postfix/man
readme_directory: [no]                    no
# Replace the installed mailq/newaliases copies with links: the Postfix
# sendmail command selects its behaviour from the name it is invoked as.
cd /opt/postfix/sbin
rm mailq newaliases
ln -s sendmail mailq
ln -s sendmail newaliases

Configuration

main.cf

### SASL Authentication (Client)
# Credentials used when this host authenticates to an upstream relay.
# smtp_passwd and the map files generated from it hold clear-text passwords:
# keep them owned by root with mode 0600.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = dbm:/etc/opt/postfix/smtp_passwd

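### SASL Authentication (Daemon)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
# smtpd.conf offers only PLAIN and LOGIN (saslauthd can verify nothing but
# clear-text passwords) and smtpd_tls_security_level is "may", so without the
# next line a client could send its password unencrypted. Announce AUTH only
# after STARTTLS has completed.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authenticated_header = yes
# Cyrus SASL application name: selects smtpd.conf below.
smtpd_sasl_path = smtpd
# Also emit the non-standard "AUTH=" announcement some older clients expect.
broken_sasl_auth_clients = yes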

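### SMTP Daemon: Anti SPAM/Relay Settings
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname

# reject_unauth_destination is the relay guard: whatever the permit_* entries
# before it do not explicitly allow must be addressed to a local or relay
# domain. It replaces the deprecated check_relay_domains, which additionally
# permitted relaying based on the client's hostname rather than only on the
# recipient domain.
smtpd_recipient_restrictions = check_recipient_access dbm:/etc/opt/postfix/access,
  reject_non_fqdn_recipient, permit_mynetworks,
  permit_auth_destination, permit_sasl_authenticated, reject_unauth_destination

# DNSBL lookups come after the local permits so trusted and authenticated
# clients are never blocked by a listing. Check periodically that each zone
# is still operated: a retired zone may stop answering (harmless) or start
# answering for every query.
smtpd_client_restrictions = check_client_access dbm:/etc/opt/postfix/access,
  permit_mynetworks, permit_sasl_authenticated,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client dnsbl.sorbs.net,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client combined.njabl.org

# Sender checks: the rejects run before permit_mynetworks/permit_sasl_authenticated,
# so local and authenticated clients must still use well-formed sender domains.
smtpd_sender_restrictions = check_sender_access dbm:/etc/opt/postfix/access,
  reject_non_fqdn_sender, reject_unknown_sender_domain,
  permit_mynetworks, permit_sasl_authenticated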

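### SMTP Client: TLS Settings
# Opportunistic TLS when sending; tls_policy can raise the level per
# destination. Keep the key file root-owned, mode 0600.
# The CApath entry read "/etc/opt/ostfix" (typo) and silently pointed at a
# directory that does not exist; it now matches the other paths.
smtp_tls_security_level  = may
smtp_tls_key_file        = /etc/opt/postfix/certs/smtp.example.com_key.pem
smtp_tls_cert_file       = /etc/opt/postfix/certs/smtp.example.com_cert.pem
smtp_tls_CAfile          = /etc/opt/postfix/certs/ca_example.com.pem
smtp_tls_CApath          = /etc/opt/postfix/certs/ca
# Level 2 is verbose; 1 is usually enough once the setup is verified.
smtp_tls_loglevel        = 2
smtp_tls_policy_maps     = dbm:/etc/opt/postfix/tls_policy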

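### SMTP Daemon: TLS Settings
# Opportunistic STARTTLS for incoming connections. Keep the key file
# root-owned, mode 0600.
# smtpd_tls_received_header was set twice ("no", then "yes"); the later
# entry wins in main.cf, so only the effective value is kept.
smtpd_tls_security_level  = may
smtpd_tls_key_file        = /etc/opt/postfix/certs/smtp.example.com_key.pem
smtpd_tls_cert_file       = /etc/opt/postfix/certs/smtp.example.com_cert.pem
smtpd_tls_CAfile          = /etc/opt/postfix/certs/ca_example.com.pem
# Level 2 is verbose; 1 is usually enough once the setup is verified.
smtpd_tls_loglevel        = 2
smtpd_tls_received_header = yes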

Cyrus SASL

smtpd.conf

# Passwords are verified by saslauthd (LDAP bind, see saslauthd.conf).
pwcheck_method: saslauthd
# CRAM-MD5/DIGEST-MD5 are left out: they need the clear-text password on the
# server side, which saslauthd cannot provide; it only checks a password it is
# handed. PLAIN/LOGIN therefore must run over an encrypted session.
#mech_list: plain login cram-md5 digest-md5
mech_list: plain login

saslauthd.conf

# LDAP backend for saslauthd. The connection is unencrypted ldap://, which is
# acceptable only on the loopback interface; for a remote server use ldaps://
# or ldap_start_tls.
ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
# Bind credentials are stored in clear text: the file must be readable only by
# the user saslauthd runs as (mode 0600). "password" is a placeholder.
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: password
ldap_scope: one
ldap_uidattr: uid
ldap_filter_mode:  yes
# %u is replaced by the user name presented at AUTH.
ldap_filter: uid=%u

The SASL authentication daemon must be started as follows:

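# The mux socket directory compiled in with --with-saslauthd must exist before
# saslauthd starts; it sits inside the queue directory so a chrooted smtpd can
# reach it. The postfix user must be able to traverse the directory to connect.
# saslauthd detaches on its own; the trailing & only stops this shell from
# waiting. For boot-time start use an init script rather than a login shell.
mkdir -p /var/opt/postfix/socket &&
  /opt/postfix/sbin/saslauthd -a ldap &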