Postfix Installation
Revision as of 23:35, 10 April 2025
Introduction
Installing Postfix on Lime is not too difficult, and if more instructions are needed a quick web search should turn up several more verbose installation and error-checking notes.
Install Postfix
Postfix can be installed with apt; the line is no more complicated than
sudo apt install postfix
Once the install gets going it asks a few questions; either answer them now or add them to a config file later. The first question is something like "General type of mail configuration". The two possible options are either "Internet with smarthost", which would deliver local mail locally but use the smarthost for outgoing mail, but as there is no real need for local mail the better option for me is
Satellite System
If this was a company email system sending email directly from Postfix, the best option would be "Internet Site", but that would need a fixed internet-facing IP address. The next question is about the system name, so in my case
seaoffate.net
Any name could be used, but as that is the domain name it made more sense. The last question was about the SMTP relay host. Note that the relay host should have square brackets around it so that Postfix does not do an MX lookup on the name. I guess that if "Internet Site" only had been chosen earlier there would be different questions. For me to use Brevo as a relay, the SMTP relay host should be
[smtp-relay.brevo.com]:587
The setup should finish at this point; any extra config has to go in the file /etc/postfix/main.cf, so type
sudo nano /etc/postfix/main.cf
In the config there may be some settings already configured, but make sure that at least these are present:
- Outgoing relay configuration
relayhost = [smtp-relay.brevo.com]:587
- Enable SASL authentication for outgoing mail
smtp_sasl_auth_enable = yes
- Specify the password file and format, and make sure this points to the file that will be created
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
- Security options: disable anonymous logins
smtp_sasl_security_options = noanonymous
- Enable STARTTLS encryption. Use 'yes' for STARTTLS on port 587. 'encrypt' is for implicit SSL/TLS usually on port 465
smtp_use_tls = yes
- Specify the local domains only (remove seaoffate.net from this option; it should not appear in this line)
mydestination = localhost.localdomain, localhost
- Make sure smtpd_relay_restrictions has permit_mynetworks at or close to the beginning of the list
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
- mynetworks should include any other hosts that need to use this MTA, e.g. the production network; adjust if yours lists specific IPs
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24
- Make sure that Postfix is listening on all of the host's interfaces that it should.
inet_interfaces = all
- Optional, but recommended: Path to CA certificates for verifying the relay server's cert.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Once that is done we need to create the password file. We have specified that it will be /etc/postfix/sasl_passwd, so the command will be
sudo nano /etc/postfix/sasl_passwd
In the file there needs to be a line
[smtp-relay.brevo.com]:587 TheBrevoUsername:TheBrevoPassword
Obviously, chmod the file to 600
sudo chmod 600 /etc/postfix/sasl_passwd
Then create the hash database file /etc/postfix/sasl_passwd.db using the command
sudo postmap /etc/postfix/sasl_passwd
That should be all that is needed to get Postfix working, so a restart will activate the config changes
sudo systemctl restart postfix
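A quick audit of the finished configuration, added here as an example and not part of the original page: the function below checks a main.cf for the points this section depends on (bracketed relayhost, mandatory TLS before SASL credentials are sent, password file permissions and its .db file) and for trailing "# note" text, which Postfix reads as part of the value. The finding names and the sample file are constructed for illustration; smtp_use_tls = yes is the legacy form of opportunistic TLS (smtp_tls_security_level = may), while encrypt or stronger makes STARTTLS mandatory.

```shell
# Added example; finding names (INLINE_COMMENT, ...) are made up for illustration.
# cf_get FILE PARAM: last value assigned to PARAM (continuation lines not handled).
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

audit_main_cf() {
    cf=$1
    # Postfix treats '#' as a comment only at the start of a line, so a
    # trailing "# note" silently becomes part of the parameter value.
    grep -E '^[A-Za-z0-9_]+[[:space:]]*=.*[[:space:]]#' "$cf" |
        sed 's/[[:space:]]*=.*//; s/^/INLINE_COMMENT /'
    # Without [brackets] Postfix does an MX lookup on the relay host name.
    case $(cf_get "$cf" relayhost) in
        ''|\[*) ;;
        *) echo "RELAYHOST_MX_LOOKUP" ;;
    esac
    # SASL credentials are only protected when TLS is mandatory.
    if [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ]; then
        case $(cf_get "$cf" smtp_tls_security_level) in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *) echo "TLS_NOT_ENFORCED" ;;
        esac
    fi
    # The password map source file holds the relay credentials in clear text.
    pw=$(cf_get "$cf" smtp_sasl_password_maps)
    pw=${pw#*:}    # drop the table type prefix, e.g. "hash:"
    if [ -f "$pw" ]; then
        [ "$(ls -ld "$pw" | cut -c5-10)" = "------" ] || echo "PASSWD_MODE"
        [ -e "$pw.db" ] || echo "PASSWD_DB_MISSING"
    fi
}

# Constructed sample: settings modelled on this page, written to a temp dir.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "relayhost = [smtp-relay.brevo.com]:587" \
        "smtp_sasl_auth_enable = yes" "smtp_use_tls = yes" \
        "smtp_sasl_password_maps = hash:$d/sasl_passwd" \
        "mydestination = localhost # no seaoffate.net here" > "$d/main.cf"
    printf '%s\n' "[smtp-relay.brevo.com]:587 user:pass" > "$d/sasl_passwd"
    chmod 644 "$d/sasl_passwd"
    audit_main_cf "$d/main.cf"
    rm -rf "$d"
}
demo
```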
Testing
Once Postfix has restarted it should be ready to roll. As there is no mail app to write an email with, we need to use the mail app. If it isn't installed, the command is
sudo apt install mailutils
Then send a test email with something like
echo "This is the test body of the email." | mail -s "Postfix Relay Test via Brevo" recipient@example.com
It is probably better to open another SSH terminal and run
tail -f /var/log/mail.log
Error Message
One obvious set of error messages is
postfix/smtp[167780]: error: open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/smtp[167780]: warning: hash:/etc/postfix/sasl_passwd is unavailable. open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/smtp[167780]: warning: hash:/etc/postfix/sasl_passwd lookup error for "smtp-relay.brevo.com"
postfix/smtp[167780]: warning: 1B73C29D44: smtp_sasl_password_maps lookup error
These mean that there is no password file or it is in the wrong place. Check inside the config for the line that gives the path to the password maps, "smtp_sasl_password_maps", then ls the directory specified and look for a file "sasl_passwd.db". If it is not present it needs to be created with a line like
sudo postmap /etc/postfix/sasl_passwd
or whatever path is in the config. If postmap fails, check the sasl_passwd file
sudo nano /etc/postfix/sasl_passwd
It should have the line
[smtp-relay.brevo.com]:587 TheBrevoUsername:TheBrevoPassword
The format is important. When the sasl_passwd file is done, re-run the postmap command so that it creates sasl_passwd.db, then do
sudo systemctl restart postfix
The errors in the tail output should clear and the email should be sent.
Joomla Configuration
To set Joomla to use Postfix as its MTA, simply go to System->Global Configuration->Server, scroll down to Mail and set Mailer to PHP Mail. After saving, send a test email and it should just work. Now that Postfix is doing the auth to Brevo, Joomla can just use the local PHP mail, so there is no need to negotiate any SSL/TLS because Postfix does it all. Postfix is a well-known, reliable, mature and robust service, so it should be reasonably secure, especially as hostile actors cannot connect to it directly; it is only for the websites to use.
MediaWiki Configuration
We have set mynetworks and smtpd_relay_restrictions to allow production to use the Postfix MTA, so there is no need to have Logan install Postfix. All that we need to do to get MediaWiki sending out email is to edit the ubiquitous LocalSettings.php. The item to set is $wgSMTP, so we ssh to Logan and cd to the public_html dir, then
sudo nano LocalSettings.php
Press CTRL + W and search for $wgSMTP, then add a block so it looks like
$wgSMTP = [
    'host' => '192.168.100.10', // the IP of lime
    'port' => 25, // SMTP port with no encryption; as this is a private LAN there is no need for SSL
    'auth' => false, // authentication is not needed on a private LAN like this
    // 'username' => '', // auth is false so no username required
    // 'password' => '', // no need for a password if there is no username
    // 'encryption' => '', // we are on 25 so no encryption
];
Save and exit and it should be good to go. A simple test is to change the email address of a wiki user and authenticate the new email.