In this post I will describe how to replace Scalix SMTPD with Postfix to use the flexibility of Postfix for spam and virus fighting. You should read my installation instructions before starting the steps below. You can find the installation instructions for Scalix on Debian with Postfix here:
To replace Scalix SMTPD with Postfix, you need to change the port for SMTPD from 25 to a higher one and tell Postfix to use the Scalix LDAP directory for user lookup. The first part is easy, but the last one is tricky and it cost me more than a week to figure it out and get it working correctly.
Set Postfix to Listen on Port 25
Port 25 is the default port for transferring mail from one server to another. After installing Scalix, the Scalix SMTPD listens on that port. This works perfectly, but the SMTPD is limited when it comes to spam and virus filtering. The solution is to replace Scalix SMTPD with Postfix. First, we need to move the Scalix SMTPD to another, preferably higher, port. Open the SMTPD configuration file here:
[email protected]:~# vi /var/opt/scalix/ml/s/sys/smtpd.cfg
and add this line:
#Change listening port
LISTEN=localhost:20025
Make sure that this line is added before the “submission” part. Replace “20025” with whatever port fits your environment.
You can now restart the SMTPD with those two commands:
omoff -d0 -w smtpd
omon smtpd
Afterwards, SMTPD should listen only on localhost on the specified port.
Now, you need to configure Postfix to listen on port 25. I will configure Postfix to listen on all interfaces on port 25. You have to open the main configuration file for Postfix:
[email protected]:~# vi /etc/postfix/main.cf
Depending on how you installed Postfix on Debian, the file may not exist. You can start with an empty one, but it makes more sense to start with the default one. Just copy the Debian default file into the Postfix directory:
[email protected]:~# cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf
Now, you should add this line to the config:
# let Postfix listen to all interfaces
inet_interfaces = all
This tells Postfix to listen on all interfaces on port 25. Postfix now replaces Scalix SMTPD, but so far Postfix knows nothing about the Scalix users and where to deliver the incoming e
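If Scalix SMTPD still listens on a public interface, mail can reach it without passing through Postfix, so it is worth confirming the listener layout described above. The script below is an added example, not part of the original post; it reads `ss -ltn` output, uses port 20025 as chosen above, and its sample outputs are constructed.

```shell
#!/bin/sh
# Added example: check the listener layout from `ss -ltn` output.
# Expected: Postfix on port 25 (non-loopback), Scalix SMTPD on loopback only.

# check_listeners [BACKEND_PORT] < output of `ss -ltn`
# Prints one finding per line; returns 0 only when the layout is as expected.
check_listeners() {
    backend_port=${1:-20025}
    awk -v bp="$backend_port" '
        $1 != "LISTEN" { next }                     # skip header and other states
        {
            addr = $4                               # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            loop = (host ~ /^127\./ || host == "[::1]")
            if (port == "25" && !loop) front = 1
            if (port == bp) {
                seen = 1
                if (!loop) { print "EXPOSED backend listener: " addr; bad = 1 }
            }
        }
        END {
            if (!front) { print "MISSING public listener on port 25"; bad = 1 }
            if (!seen)  { print "MISSING backend listener on port " bp; bad = 1 }
            if (!bad)   print "OK"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample outputs (not captured from a real host).
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    127.0.0.1:20025    0.0.0.0:*'
BAD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:20025      0.0.0.0:*'

printf '%s\n' "$GOOD_SS" | check_listeners 20025
printf '%s\n' "$BAD_SS"  | check_listeners 20025 || true
```

On the mail server itself, feed it live data with `ss -ltn | check_listeners 20025`.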
Connect Postfix to the Scalix LDAP
This part is the tricky one as you need to install
apt-get install libsasl2-modules-ldap sasl2-bin
This will install all the required
[email protected]:~# vi /etc/default/saslauthd
Go through the configuration options and configure them to your needs. I changed the ones below:
# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd -r"
The last option heavily depends on your Postfix configuration. I use Postfix in a non-chroot environment.
This will enable the
#Check Mail against Scalix LDAP
relay_recipient_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf
# check User against Scalix LDAP
transport_maps = ldap:/etc/postfix/scalix-transport.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
# Postfix 2.3 and later
smtpd_sasl_path = smtpd
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
The “relay_recipient_maps” option is used to check whether the mail address exists on the Scalix server. The file it references has the following content:
server_host = ldap://localhost:389/
search_base = o=Scalix
version = 3
bind_dn = cn=sxadmin,o=scalix
bind_pw = top-secret
query_filter = mail=%s
result_attribute = mail
Change the bind_pw to your sxadmin password.
The “transport_maps” option tells Postfix what to do with incoming emails. We will forward emails to the Scalix SMTPD process, which will place them into the correct mailbox. The file has the following content:
server_host = ldap://localhost:5757
query_filter = mail=%s
bind = no
result_attribute = scalixInstanceMailHost
result_format = smtp:127.0.0.1:20025
size_limit = 1
domain = example.com
This will query the LDAP server for the mail and forward the mail to the Scalix SMTPD process. You have to replace the “domain” with your domain. You are now able to receive e
The other settings will enable authentication for Postfix to relay (send outgoing) emails over the system. Postfix will also use
[email protected]:~# vi /etc/saslauthd.conf
The content of this file should look like this:
ldap_servers: ldap://localhost:389/
ldap_search_base: o=Scalix
ldap_auth_method: bind
ldap_filter: (|(omUlAuthid=%u)(mail=%u))
ldap_version: 3
ldap_bind_dn: cn=sxadmin,o=scalix
ldap_bind_pw: top-secret
With this filter, users are authenticated against the Scalix LDAP with either their mail address or their username, together with their password. Please insert the correct “ldap_bind_pw”.
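Both /etc/postfix/ldap_relay_recipient_maps.cf and /etc/saslauthd.conf now hold the sxadmin bind password in clear text, so neither should be readable by every local user. The script below is an added example, not part of the original post, that flags such files; it assumes GNU stat (as on Debian) and runs its demo on constructed copies in a temporary directory.

```shell
#!/bin/sh
# Added example: flag config files that contain an LDAP bind password and
# are readable by "other". Assumes GNU stat (-c), as shipped with Debian.

# audit_bind_pw_files FILE...
# Prints one finding per risky file; returns 1 if any finding was printed.
audit_bind_pw_files() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "SKIP $f (not found)"; continue; }
        # Matches Postfix "bind_pw = ..." and saslauthd "ldap_bind_pw: ..."
        grep -Eq '^[[:space:]]*(ldap_)?bind_pw[[:space:]]*[=:]' "$f" || continue
        mode=$(stat -c '%a' "$f")
        other=${mode#"${mode%?}"}       # last octal digit = permissions for "other"
        if [ "$other" -ge 4 ]; then     # 4..7 means the read bit is set
            echo "WORLD-READABLE $f (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed copies of the two files from this post.
demo=$(mktemp -d)
printf 'bind_dn = cn=sxadmin,o=scalix\nbind_pw = top-secret\n' \
    > "$demo/ldap_relay_recipient_maps.cf"
printf 'ldap_bind_dn: cn=sxadmin,o=scalix\nldap_bind_pw: top-secret\n' \
    > "$demo/saslauthd.conf"
chmod 644 "$demo/ldap_relay_recipient_maps.cf"   # typical default: flagged
chmod 600 "$demo/saslauthd.conf"                 # root-only: not flagged
audit_bind_pw_files "$demo"/* || true
rm -rf "$demo"
```

On the mail server, run `audit_bind_pw_files /etc/postfix/*.cf /etc/saslauthd.conf`; a flagged Postfix map can be restricted with, for example, `chgrp postfix` and `chmod 640`.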
After restarting Postfix and the sasl daemon you should test your setup, but everything should work fine.
If you see these errors in the “auth.log”, you can ignore them, as they did not cause any problems with the authentication.
Sep 22 14:33:39 mail postfix/submission/smtpd: auxpropfunc error invalid parameter supplied
Sep 22 14:33:39 mail postfix/submission/smtpd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Sep 22 14:33:39 mail postfix/submission/smtpd: canonuserfunc error -7
Sep 22 14:33:39 mail postfix/submission/smtpd: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
I will explain how to enable TLS support and fight spam and viruses in a later post.
If you have any questions or feedback, please use the comment function.