Postfix 2.3 with LDAP, SSL and AUTH on Solaris
Software Components
- Berkeley DB, www.sleepycat.com
- OpenSSL, www.openssl.org
- OpenLDAP, www.openldap.org
- Cyrus SASL, cyrusimap.web.cmu.edu
- Postfix, www.postfix.org
Compile and Install
Compile on Solaris 9 with GCC 3.4.x.
PATH="/opt/gnu/gcc/3.4.1/bin:/opt/gnu/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/ccs/bin"
CC="gcc"
CFLAGS="-O3 -fPIC -Wall"
CXX="g++"
CXXFLAGS="-O3 -fPIC -Wall"
CPPFLAGS="-I/opt/postfix/include"
LDFLAGS="-R/opt/postfix/lib -L/opt/postfix/lib"
LD_OPTIONS="$LDFLAGS"
unset LD_LIBRARY_PATH
export PATH CC CFLAGS CXX CXXFLAGS LDFLAGS CPPFLAGS LD_OPTIONS
alias make=gmake
Every binary compiled with GCC is linked against libgcc_s.so. Copy these libraries into the package tree:
mkdir -p /opt/postfix/lib/sparcv9
cd /opt/postfix/lib
cp /opt/gnu/gcc/3.4.1/lib/libgcc_s.so.1 .
ln -s libgcc_s.so.1 libgcc_s.so
cd /opt/postfix/lib/sparcv9
cp /opt/gnu/gcc/3.4.1/lib/sparcv9/libgcc_s.so.1 .
ln -s libgcc_s.so.1 libgcc_s.so
Go to the directory containing the sources.
Berkeley DB
gtar -xvpzf /tmp/db-4.4.20.tar.gz
cd /tmp/db-4.4.20/build_unix
../dist/configure --prefix=/opt/postfix
gmake
gmake install
OpenSSL
gtar -xvpzf /tmp/openssl-0.9.8d.tar.gz
cd /tmp/openssl-0.9.8d
./config --prefix=/opt/postfix \
    --openssldir=/opt/postfix/openssl shared \
    -R/opt/postfix/lib -L/opt/postfix/lib \
    -R/opt/postfix/lib/sparcv9 -L/opt/postfix/lib/sparcv9
gmake
gmake install
OpenLDAP
OpenLDAP is needed to build Cyrus SASL with LDAP support. One could also store aliases in LDAP, but I don't recommend it because it is needless overhead.
gtar -xvpzf /tmp/openldap-2.3.27.tgz
cd /tmp/openldap-2.3.27
./configure --prefix=/opt/postfix \
    --sysconfdir=/etc/opt/postfix \
    --disable-slapd --disable-slurpd \
    --localstatedir=/var/opt/postfix \
    --with-tls
gmake depend
gmake
gmake install
Cyrus SASL
Cyrus SASL is required for SMTP AUTH, because Postfix cannot authenticate directly against /etc/passwd or LDAP.
gtar -xvpzf /tmp/cyrus-sasl-2.1.22.tar.gz
cd /tmp/cyrus-sasl-2.1.22
./configure --prefix=/opt/postfix \
    --with-dbpath=/var/opt/postfix/sasldb2 \
    --sysconfdir=/etc/opt/postfix \
    --with-dblib=berkeley \
    --with-bdb-libdir=/opt/postfix/lib \
    --with-bdb-incdir=/opt/postfix/include \
    --with-openssl=/opt/postfix \
    --with-ldap=/opt/postfix \
    --with-plugindir=/opt/postfix/lib/sasl2 \
    --with-saslauthd=/var/opt/postfix/socket \
    --with-des=/opt/postfix \
    --enable-shared \
    --enable-static \
    --disable-gssapi \
    --disable-kerb5
gmake
gmake install
Postfix
Postfix is built with support for SMTPS, TLS and LDAP. Building it for a location other than the default is a bit tricky because Postfix does not come with the usual configure script; the installation paths are passed as -D defines to gmake makefiles instead.
gtar -xvpzf /tmp/postfix-2.3.3.tar.gz
cd /tmp/postfix-2.3.3
gmake makefiles \
    CCARGS='-I/opt/postfix/include -I/opt/postfix/include/sasl \
    -DDEF_COMMAND_DIR=\"/opt/postfix/sbin\" \
    -DDEF_CONFIG_DIR=\"/etc/opt/postfix\" \
    -DDEF_DAEMON_DIR=\"/opt/postfix/libexec\" \
    -DDEF_MAILQ_PATH=\"/opt/postfix/sbin/mailq\" \
    -DDEF_MANPAGE_DIR=\"/opt/postfix/man\" \
    -DDEF_NEWALIAS_PATH=\"/opt/postfix/sbin/newaliases\" \
    -DDEF_QUEUE_DIR=\"/var/opt/postfix\" \
    -DDEF_SENDMAIL_PATH=\"/opt/postfix/sbin/sendmail\" \
    -DHAS_LDAP -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL' \
    AUXLIBS="-L/opt/postfix/lib -R/opt/postfix/lib \
    -llber -lldap -lsasl2 -lssl -lcrypto"
gmake
su -
groupadd -g 82 postfix
groupadd -g 83 postdrop
useradd -u 82 -g 82 -d /var/opt/postfix -c "Postfix User" postfix
ln -s /etc/opt/postfix /etc/postfix
gmake install
gmake install asks for the installation paths interactively. The defaults are shown in brackets; answer as follows:
install_root: [/] /
tempdir: [/tmp/postfix-2.3.3] /tmp
config_directory: [/etc/postfix] /etc/opt/postfix
daemon_directory: [/usr/libexec/postfix] /opt/postfix/libexec
command_directory: [/usr/sbin] /opt/postfix/sbin
queue_directory: [/var/spool/postfix] /var/opt/postfix
sendmail_path: [/usr/lib/sendmail] /opt/postfix/sbin/sendmail
newaliases_path: [/usr/bin/newaliases] /opt/postfix/sbin/newaliases
mailq_path: [/usr/bin/mailq] /opt/postfix/sbin/mailq
mail_owner: [postfix] postfix
setgid_group: [postdrop] postdrop
html_directory: [no] no
manpage_directory: [/usr/local/man] /opt/postfix/man
readme_directory: [no] no
Finally, replace the installed mailq and newaliases with symbolic links to sendmail:
cd /opt/postfix/sbin
rm mailq newaliases
ln -s sendmail mailq
ln -s sendmail newaliases
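The build relies on the -R runpath in LDFLAGS and on the libgcc_s.so.1 copy so that the installed programs pick up their shared libraries from /opt/postfix/lib rather than from the compiler tree or a library path set in the environment. The following check, an added example that is not part of the original page, parses ldd output and flags any library that is unresolved or resolved from outside the package tree and the base system. The ldd output embedded in it is constructed for the demonstration; the allowed directories are an assumption matching the layout above.

```python
"""Check that a binary resolves every shared library from the package tree
(/opt/postfix/lib, including sparcv9/) or the base system.  Added example,
not from the original HOWTO; the sample ldd output below is constructed."""
import subprocess
import sys

# Directories a dependency may legitimately come from (assumed layout).
ALLOWED_PREFIXES = ("/opt/postfix/lib/", "/usr/lib/", "/lib/")


def parse_ldd(output):
    """Map each needed library to the path ldd resolved it to, or None when
    it was not found.  Handles Solaris ('(file not found)') and GNU ldd
    ('not found', trailing load address) output."""
    deps = {}
    for line in output.splitlines():
        if "=>" not in line:
            continue
        name, _, target = line.partition("=>")
        target = target.strip()
        if not target or target.startswith("(") or target.startswith("not found"):
            deps[name.strip()] = None
        else:
            deps[name.strip()] = target.split()[0]
    return deps


def check_deps(deps, allowed=ALLOWED_PREFIXES):
    """Return (library, problem) pairs for unresolved libraries and for
    libraries taken from outside the allowed directories, for instance a
    libgcc_s.so.1 still coming from /opt/gnu/gcc."""
    problems = []
    for name, path in deps.items():
        if path is None:
            problems.append((name, "not found"))
        elif not path.startswith(allowed):
            problems.append((name, "resolved outside package tree: " + path))
    return problems


def check_binary(path):
    """Run ldd on a real binary and check its dependencies."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True,
                         check=True).stdout
    return check_deps(parse_ldd(out))


# Constructed sample: a binary whose runpath is incomplete.
SAMPLE_LDD = """\
\tlibsasl2.so.2 =>\t /opt/postfix/lib/libsasl2.so.2
\tlibssl.so.0.9.8 =>\t /opt/postfix/lib/libssl.so.0.9.8
\tlibgcc_s.so.1 =>\t /opt/gnu/gcc/3.4.1/lib/libgcc_s.so.1
\tlibldap-2.3.so.0 =>\t (file not found)
\tlibc.so.1 =>\t /usr/lib/libc.so.1
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = check_binary(sys.argv[1])
    else:
        problems = check_deps(parse_ldd(SAMPLE_LDD))
    for lib, why in problems:
        print(lib + ": " + why)
    sys.exit(1 if problems else 0)
```

Run it as "python3 checkdeps.py /opt/postfix/sbin/sendmail" after gmake install, and again for the daemons in /opt/postfix/libexec; with no argument it runs over the constructed sample and reports the two problems in it.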
Configuration
main.cf
### SASL Authentication (Client)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = dbm:/etc/opt/postfix/smtp_passwd

### SASL Authentication (Daemon)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
broken_sasl_auth_clients = yes

### SMTP Daemon: Anti SPAM/Relay Settings
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions =
    check_recipient_access dbm:/etc/opt/postfix/access,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_auth_destination,
    permit_sasl_authenticated,
    check_relay_domains
smtpd_client_restrictions =
    check_client_access dbm:/etc/opt/postfix/access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client combined.njabl.org
smtpd_sender_restrictions =
    check_sender_access dbm:/etc/opt/postfix/access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated

### SMTP Client: TLS Settings
smtp_tls_security_level = may
smtp_tls_key_file = /etc/opt/postfix/certs/smtp.example.com_key.pem
smtp_tls_cert_file = /etc/opt/postfix/certs/smtp.example.com_cert.pem
smtp_tls_CAfile = /etc/opt/postfix/certs/ca_example.com.pem
smtp_tls_CApath = /etc/opt/postfix/certs/ca
smtp_tls_loglevel = 2
smtp_tls_policy_maps = dbm:/etc/opt/postfix/tls_policy

### SMTP Daemon: TLS Settings
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/opt/postfix/certs/smtp.example.com_key.pem
smtpd_tls_cert_file = /etc/opt/postfix/certs/smtp.example.com_cert.pem
smtpd_tls_CAfile = /etc/opt/postfix/certs/ca_example.com.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
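Two things in a main.cf like the one above decide whether the server stays closed: the relay control at the end of smtpd_recipient_restrictions (check_relay_domains here, reject_unauth_destination in newer setups) must be reachable before any unconditional permit, and with smtpd_tls_security_level = may the PLAIN and LOGIN mechanisms are also offered on unencrypted sessions unless smtpd_tls_auth_only = yes or noplaintext is set. The checker below is an added example, not part of the original page and not Postfix code: it parses main.cf syntax (comments, continuation lines, $name references, a parameter defined twice where the last value wins, as in Postfix) and reports those conditions. The parameter and restriction names are Postfix's own; the sample configuration embedded in it is constructed in the style of the one above.

```python
"""Static checks for a Postfix main.cf: relay control, SASL on cleartext
sessions, duplicated parameters.  Added example, not Postfix code; the
sample main.cf below is constructed."""
import re
import sys

# Restrictions that take the next token as an argument (access map, DNSBL
# zone, policy server), so a list must not be split on whitespace blindly.
ARG_RESTRICTIONS = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_recipient",
}
# Either of these stops the server from relaying to arbitrary destinations.
RELAY_CONTROL = {"reject_unauth_destination", "check_relay_domains"}


def parse_main_cf(text):
    """'name = value' lines, '#' comment lines, continuation lines (leading
    whitespace) and $name / ${name} references.  Returns (settings,
    duplicates); the last definition of a name wins, as in Postfix."""
    settings, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            settings[current] += " " + raw.strip()      # continuation line
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        if current in settings:
            duplicates.append(current)
        settings[current] = value.strip()
    ref = re.compile(r"\$\{?(\w+)\}?")                  # one-level expansion
    for name, value in settings.items():
        settings[name] = ref.sub(lambda m: settings.get(m.group(1), ""), value)
    return settings, duplicates


def split_restrictions(value):
    """Split on commas/whitespace, keeping each restriction's argument
    attached ('reject_rbl_client zen.spamhaus.org')."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] in ARG_RESTRICTIONS and i + 1 < len(tokens):
            out.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def audit(settings, duplicates=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [n + ": defined more than once, the last value wins" for n in duplicates]
    names = [r.split()[0] for r in
             split_restrictions(settings.get("smtpd_recipient_restrictions", ""))]
    control = [i for i, n in enumerate(names) if n in RELAY_CONTROL]
    if not control:
        findings.append("smtpd_recipient_restrictions: no relay control "
                        "(reject_unauth_destination or check_relay_domains)")
    elif "permit" in names[:control[0]]:
        findings.append("smtpd_recipient_restrictions: unconditional permit "
                        "before relay control, this is an open relay")
    if settings.get("smtpd_sasl_auth_enable") == "yes":
        opts = set(re.split(r"[,\s]+", settings.get("smtpd_sasl_security_options", "")))
        if "noanonymous" not in opts:
            findings.append("smtpd_sasl_security_options: noanonymous is missing")
        if ("noplaintext" not in opts
                and settings.get("smtpd_tls_auth_only", "no") != "yes"
                and settings.get("smtpd_tls_security_level") != "encrypt"):
            findings.append("plaintext SASL mechanisms are accepted on unencrypted "
                            "sessions; set smtpd_tls_auth_only = yes or add noplaintext")
    return findings


# Constructed sample; smtpd_tls_received_header is repeated on purpose.
SAMPLE_MAIN_CF = """\
myhostname = smtp.example.com
### SASL Authentication (Daemon)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    check_recipient_access dbm:/etc/opt/postfix/access,
    reject_non_fqdn_recipient, permit_mynetworks,
    permit_auth_destination, permit_sasl_authenticated,
    check_relay_domains
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org
smtpd_tls_security_level = may
smtpd_tls_received_header = no
smtpd_tls_received_header = yes
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    settings, duplicates = parse_main_cf(text)
    for finding in audit(settings, duplicates) or ["no findings"]:
        print(finding)
```

Run with the path to main.cf, or without arguments to see the two findings on the constructed sample: the duplicated parameter, and the cleartext-AUTH warning that also applies to the configuration above as written.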
Cyrus SASL
smtpd.conf
pwcheck_method: saslauthd
#mech_list: plain login cram-md5 digest-md5
mech_list: plain login
saslauthd.conf
ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: password
ldap_scope: one
ldap_uidattr: uid
ldap_filter_mode: yes
ldap_filter: uid=%u
The SASL authentication daemon must be started as follows:
/opt/postfix/sbin/saslauthd -a ldap &
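What this saslauthd.conf describes is a search-then-bind lookup: bind as the proxy agent, substitute the login name for %u in ldap_filter, search one level below ldap_search_base, and verify the password against the single entry found. The model below is an added example against an in-memory directory, not saslauthd's code, written to show the two points a reviewer of such a lookup checks: the value substituted into the filter is escaped as RFC 4515 requires (so a login name of "*" cannot turn into a wildcard), and an empty password is refused before any bind, since LDAP defines a bind with a DN and an empty password as an unauthenticated bind that a server may accept as anonymous (RFC 4513, section 5.1.2). The directory entries and the bind password in it are constructed placeholders.

```python
"""Model of saslauthd's LDAP search-then-bind with RFC 4515 filter escaping.
Added example against an in-memory directory; it is not saslauthd's code."""
import hmac
import re


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so that a login
    name cannot change the filter's structure or act as a wildcard."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(conf, username):
    """ldap_filter with %u replaced by the escaped login name."""
    return conf.get("ldap_filter", "uid=%u").replace("%u", escape_filter_value(username))


def _assertion_regex(pattern):
    """An unescaped '*' in an assertion value is a wildcard; '\\xx' is the
    literal character with hex code xx."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 3 <= len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def search(directory, base, scope, filt):
    """Minimal search for an 'attr=value' filter: scope 'one' looks at direct
    children of base, 'sub' at the whole subtree.  Returns matching DNs."""
    attr, _, pattern = filt.partition("=")
    rx = _assertion_regex(pattern)
    hits = []
    for dn, entry in directory.items():
        if not dn.endswith("," + base):
            continue
        if scope == "one" and "," in dn[:-len(base) - 1]:
            continue
        if any(rx.match(v) for v in entry.get(attr, [])):
            hits.append(dn)
    return hits


def authenticate(directory, conf, username, password):
    """Search-then-bind; returns (ok, detail).  The password comparison
    stands in for the bind the real daemon performs."""
    if not password:
        return False, "empty password (would be an unauthenticated bind)"
    hits = search(directory, conf["ldap_search_base"],
                  conf.get("ldap_scope", "sub"), build_filter(conf, username))
    if len(hits) != 1:
        return False, "%d entries matched, need exactly one" % len(hits)
    stored = directory[hits[0]].get("userPassword", [""])[0]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return False, "bind as %s failed" % hits[0]
    return True, hits[0]


# Constructed directory and a copy of the saslauthd.conf above (placeholder password).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "userPassword": ["wonderland"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "userPassword": ["builder"]},
    "uid=carol,ou=staff,ou=people,dc=example,dc=com": {"uid": ["carol"], "userPassword": ["x"]},
}
SASLAUTHD_CONF = """\
ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_password: PLACEHOLDER
ldap_scope: one
ldap_filter: uid=%u
"""
CONF = parse_saslauthd_conf(SASLAUTHD_CONF)

if __name__ == "__main__":
    for user, pw in (("alice", "wonderland"), ("alice", "nope"), ("*", "wonderland"), ("carol", "x")):
        print(user, authenticate(DIRECTORY, CONF, user, pw))
```

Running it shows alice succeeding, the wrong password and the "*" login failing, and carol failing because she sits one level deeper than ldap_scope: one reaches; the same scope rule decides which accounts on the real directory can log in through saslauthd.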