(NOTE in 2011: This one post attracts enormous amounts of spam comments, so I’m closing comments on it, while still leaving comments on elsewhere.)
Notes on configuring a SMTP/IMAP server with TLS, SSL, and SMTP AUTH, the least pain possible.
The platform used was Solaris 10 with SunStudio 11. The notes should apply to any reasonably recent unix-like operating system, although Linux users in particular may find it easier to just install the setup from their prefered package management system. I will note any place that is likely to contain Solaris specific stuff.
The main pieces used are Postfix and Dovecot.
A quick note: TLS is basically SSL
About SASL
Postfix requires an external SASL library to use for SMTP AUTH. The normal choice is Cyrus SASL, which has been around for some time. Cyrus SASL is difficult to build on Solaris with SunStudio, and is generally a much hated library.
Starting with Dovecot 1.0, Dovecot now has it’s own SASL library. This is much easier to use. The only downside is that when doing Postfix to Postfix SMTP AUTH connections, the client copy of Postfix can’t use Dovecot SASL. If your installation of Postfix is always going to be a SMTP AUTH server and never a client, then please use Dovecot SASL.
Dovecot
Compile with:
./configure --prefix=/opt/dovecot --with-pgsql --with-gssapi \ --with-ssl=openssl --with-gc
gssapi still doesn’t seem to work for me, and I’m not actually using pgsql, so I could have left it off as well.
At this point, all you have to do is edit the dovecot.conf file. I don’t have anything but plain authentication working correctly. I can get CRAM-MD5 working, but then plain won’t work, at least with mutt. I make up for this by requiring the non-localhost imap connections use SSL, and by later setting postfix to only allow SMTP AUTH over TLS. I accomplish the imap/SSL requirement with a firewall rule.
Find the commented protocols line and uncomment, set to “protocols = imap imaps”. This disables POP usage. Add pop and pops if you wish.
Set the ssl_cert_file and ssl_key_file lines in your dovecot.conf file. Search elsewhere for a guide on creating the key. I reused the same key that I created for apache/ssl usage.
Set the mail_location line to “mail_location = maildir:~/Maildir”.
Adjust the first_valid_uid line, if needed. I set mine to: “first_valid_uid = 100”.
Find the “auth default” section. Change the mechanisms line to: “mechanisms = plain login”. In the passwd pam { second, find the commented out args line, and change it to “args = /etc/pam.conf”.
Still in the auth default section, find the commented out “socket listen” section. Uncomment the first line to: “socket listen {“. Then scroll down to the client section, and uncomment the non-descriptive lines and change to:
client { # The client socket is generally safe to export to everyone. Typical use # is to export it to your SMTP server so it can do SMTP AUTH lookups # using it. path = /var/spool/postfix/private/auth user = postfix group = postfix mode = 0660 }
Start up dovecot. Under Solaris 9 or linux, I added it to the rc.local file (on some systems I had to create a rc.local system to do so). On Solaris 10, find a manifest and method here and here.. To install these files, copy the manifest to /var/svc/manifest/site and the method to /lib/svc/method and install them into SMF with the command:
svccfg import /var/svc/manifest/site/imap-dovecot.xml
Procmail
Very simple. In the expanded source directory, “./configure && make && sudo make install”.
Postfix
To build:
make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DUSE_TLS \ -I/usr/local/ssl/include' \ AUXLIBS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -lssl -lcrypto" \ CC=/opt/SUNWspro/bin/cc
Non-solaris users can omit the -R option, and the CC option.
The primary options that need set are to append to the end:
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/your.crt smtpd_tls_key_file = /etc/ssl/your.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may
Additionally, find the mailbox_command section and set:
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/your.crt smtpd_tls_key_file = /etc/ssl/your.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Additionally, find the mailbox_command section, and set:
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
Also set: myhostname, mydomain, mydestination.
Follow other guides for setting up things like spam checking, or mailman.