HowTo: Postfix and Dovecot in front of Scalix

In this post I would like to show, how to set up Postfix and Dovecot in front of Scalix on a Debian system, for security and mail filter reasons. I assume, that you have a running Scalix installation and full management access. If you need help to install Scalix on Debian, you can use my last post:

How to: Install Scalix on Debian

Dovecot Configuration

I will start with the configuration of Dovecot, as we will use Dovecot later for the authentication in Postfix.

I chose Dovecot because the Scalix IMAP daemon does currently not support SSL out of the box and I also implemented fail2ban, which works easier with Dovecot than with Scalix.

As Dovecot needs to send the requests to Scalix, the only option is to use a Dovecot imapc configuration. In this configuration, Dovecot will act as an IMAP client.

Before I start the configuration, I need to install Dovecot and the required packages using apt-get:

[email protected]:~# apt-get install dovecot-imapd

This will install Dovecot on the system.

Now, I will configure Dovecot to act as an imap proxy. Open the Dovecot configuration file:

[email protected]:~# vi /etc/dovecot/dovecot.conf

As imapc is only working with “plain login” you need to set the “auth_mechanism” accordingly. For security reasons I will enable SSL in a later post, to protect the authentication:

auth_mechanisms = plain login

For caching purposes Dovecot need a user which will cache the mails:

mail_uid = imapproxy
mail_gid = imapproxy

I set the protocols only to imap, as I did not allow pop3 access to the server:

protocols = imap

Now, we will Dovecot tell, to use imapc and where to find the Scalix server:

mail_location = imapc:~/imapc
# Change the line below to reflect the IP address of your Scalix Server.
imapc_host = 10.3.5.20
imapc_port = 143

Dovecot now knows, where to find the emails, the next step is to tell Dovecot, how to authenticate users:

passdb {
 driver = imap
 # Change the line below to reflect the IP address of your Scalix Server.
 args = host=10.3.5.20
 default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}
userdb {
 driver = prefetch
}

This will proxy the login requests to the Scalix imap daemon, which will do the final authentication.

As Dovecot will cache the mails for faster access Dovecot needs to know the home directory for the user:

# /home/imapproxy is the home directory for the imapproxy user, and
# %u is a subdir that will be automatically created for each IMAP user when they connect

mail_home = /home/imapproxy/%u

As Postfix will also use Dovecot for authentication, I need to enable the specific auth service:

# This is the auth service used by Postfix to do dovecot auth.
service auth {
 unix_listener auth-userdb {
 }
 inet_listener {
 port = 12345
 }
}
userdb {
 driver = prefetch
}

I can now save the configuration and restart Dovecot. If you miss the configuration for SSL, I will handle this topic in a later post.

To complete the configuration, I need to create the imap proxy user:

[email protected]:~# useradd imapproxy

I will make the user as secure as possible and as there is no login needed by this user, I will disable the login function for this user. Simply add a “!” to the user password in the “/etc/shadow” file.

You should now be able to use Dovecot as an imap proxy for Scalix.

Postfix Configuration

I will not explain the full Postfix configuration, but the part, which is related to send incoming emails to Scalix and authenticate users with the help of Dovecot. All the security and mail washing related configuration items will be described in a later post.

The first part is to  install Postfix on the system:

[email protected]:~# apt-get install postfix postfix-ldap

This will install Postfix with LDAP support, which is also needed to check receiver information for incoming mails against the Scalix LDAP service.

The next part is to tell Postfix, to use Dovecot for authentication. Therefore I open the main configuration file of Postfix:

[email protected]:~# vi /etc/postfix/main.cf

I will enable SASL auth for Postfix and use Dovecot:

#SASL Auth
smtpd_sasl_type=dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = inet:127.0.0.1:12345

The last line will tell Postfix, where to find the Dovecot authentication server.

I will now, include “permit_sasl_authenticated” in my restrictions. I will dig deeper into Postfix restrictions in one of my next posts.

There are only two steps left for Postfix. I will now tell Postfix to check incoming mails against the Scalix LDAP service:

#Check Mail against Scalix LDAP
relay_recipient_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf

This file looks like this:

server_host = scalix-host-ip-or-dns-name
server_port = 389
search_base = o=Scalix
version = 3
bind_dn = cn=sxadmin,o=scalix
bind_pw = top-secret
query_filter = mail=%s
result_attribute = mail

This will use the receiver mail address of incoming emails to check if they exist on the Scalix LDAP server. You can test the configuration using the following command:

[email protected]:~# postmap -q [email protected] ldap:/etc/postfix/ldap_relay_recipient_maps.cf
[email protected]

If the mail address is returned, the user is in the LDAP directory.

The last step is to tell Postfix, where to send incoming mails to and for which domains, Postfix can act as a relay.

# Relay Domains
relay_domains = flomain.local, scalix.internal.flomain.local
# Deliver mails to the Scalix Server
transport_maps = hash:/etc/postfix/transport.cf

The file looks like this:

internal.flomain.local smtp:10.3.5.20
flomain.local smtp:10.3.5.20

Before Postfix can work with the file, you need to create a hash from it by:

[email protected]:~# postmap hash:/etc/postfix/transport.cf

This will create a file, which is readable for Postfix. I have chosen this method for the forwarding decision, as my domains did not change. If you are often adding or removing domains you can also query the Scalix LDAP directory for this task. Have a look at this post:

How To: Replace Scalix SMTPD with Postfix

You should now have a working environment with Postfix and Dovecot which will use Scalix as the back end server.

If you have any questions, regarding this post or if you would like provide feedback, please use the comment function below.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.