Beim Erstellen des Zertifikats ist der korrekte CN wichtig. Er muss mit dem Servernamen übereinstimmen, der in den Mailclients verwendet wird. Sonst bekommt man beim Starten des Mailclients jedes Mal eine Fehlermeldung.
# Generate the server key and certificate. Answer the CN prompt with the host
# name the mail clients connect to.
# Common Name: mail.granitsoft.ch (as an example)
/usr/local/corvent/rsa/build-key mailserver
# Lock down the private key: owner cyrus, group mail, mode 600, so no other
# account can read it. (The cyrus owner is presumably for Cyrus IMAP using the
# same key — verify.)
# NOTE(review): Postfix loads its TLS key while still running as root, so the
# cyrus ownership should not affect smtpd — confirm on this installation.
# NOTE(review): the full main.cf further down on this page names
# /etc/openssl/server.key and server.crt instead of mailserver.* — make sure
# both refer to the same files.
chown cyrus:mail /etc/openssl/mailserver.key
chmod 600 /etc/openssl/mailserver.key
/etc/postfix/main.cf:
# TLS excerpt of main.cf (the complete file is listed further down on this
# page). Comments in main.cf must be whole lines; a trailing "# ..." would
# become part of the parameter value.
...
smtpd_use_tls = yes
# The key and certificate created by build-key above; keep the key unreadable
# for ordinary users.
smtpd_tls_key_file = /etc/openssl/mailserver.key
smtpd_tls_cert_file = /etc/openssl/mailserver.crt
smtpd_tls_CAfile = /etc/openssl/ca.crt
...
/etc/postfix/master.cf:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Note on this listing: continuation lines of a service entry (the "-o ..."
# and "flags=... user=... argv=..." lines) must begin with whitespace in the
# real file; that indentation was lost in this rendering.
# The chroot column is "n" for every service below, i.e. nothing runs chrooted.
# Public SMTP listener; its access policy is set in main.cf.
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
tlsmgr unix - - n 1000? 1 tlsmgr
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
discard unix - - n - - discard
# Pipe transports. pipe(8) passes argv to the command directly, without a
# shell, so ${sender}/${recipient}/${user} arrive as single arguments even
# when they contain unusual characters. For maildrop, flags "h" and "u" fold
# the host and user part of the address to lowercase before expansion.
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# Direct delivery into Cyrus (selected by mailbox_transport = cyrus in main.cf).
cyrus unix - n n - - pipe
user=cyrus argv=/usr/sbin/cyrdeliver -e -r ${sender} -m ${extension} ${user}
# Cyrus delivery through the spamc wrapper /usr/sbin/cyrdewrapper; the wrapper
# expects the arguments in exactly this order: sender, user, extension.
cyrussa unix - n n - - pipe
user=cyrus argv=/usr/sbin/cyrdewrapper ${sender} ${user} ${extension}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
filter unix - n n - - pipe
flags=Rq user=filter argv=/usr/local/spam/filter -f ${sender} -- ${recipient}
# Outbound leg to the content filter (content_filter = smtp-amavis:[127.0.0.1]:10024
# in main.cf). The long data timeout gives the scanner time to finish.
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
# Re-injection listener for filtered mail. content_filter is emptied so the
# message is not scanned again (no loop), and the restriction stages are
# cleared; the only access check left is permit_mynetworks,reject with
# mynetworks narrowed to 127.0.0.0/8, so only local clients can submit here.
# NOTE(review): local_recipient_maps= and relay_recipient_maps= are also
# emptied, so unknown recipients are not rejected on this port — this relies
# on the port-25 listener having done that check already; confirm.
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
/etc/postfix/main.cf:
# Postfix main.cf. Comments must be whole lines (a trailing "# ..." would
# become part of the value). Continuation lines of a multi-line value must
# start with whitespace in the real file; that indentation was lost in this
# rendering.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
mail_spool_directory = /var/mail
# Every accepted message is handed to the smtp-amavis transport defined in
# master.cf and comes back through the 127.0.0.1:10025 listener.
content_filter = smtp-amavis:[127.0.0.1]:10024
setgid_group = postdrop
mail_owner = postfix
#myhostname = server.local
mydomain = localdomain
# Clients from these networks may relay without authentication
# (permit_mynetworks below).
mynetworks = 192.168.1.0/24, 127.0.0.0/8
#relayhost = smtp.hispeed.ch
# SMTP AUTH is offered; the mechanisms come from /etc/postfix/sasl/smtpd.conf.
# NOTE(review): PLAIN and LOGIN transmit the password in the clear unless the
# session is already encrypted. smtpd_tls_auth_only = yes is not set here, so
# AUTH is also announced before STARTTLS — confirm that this is intended.
smtpd_sasl_auth_enable = yes
# All access policy lives in smtpd_recipient_restrictions; the earlier stages
# are deliberately left empty.
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
# Order matters: permit_mynetworks and permit_sasl_authenticated come first,
# then reject_unauth_destination closes the relay for everyone else before the
# cheaper or lossy checks (sender domain, policy service, DNSBLs) run.
# NOTE(review): DNSBL zones come and go; a zone that has been shut down may
# answer positively for every query and reject all mail. Verify that each
# zone listed here is still operated before reusing this list.
# NOTE(review): reject_unauth_pipelining is documented as most effective in
# smtpd_data_restrictions on later Postfix releases — check the installed
# version.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
check_policy_service inet:127.0.0.1:60000,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client spam.dnsrbl.net,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client zombie.dnsbl.sorbs.net,
permit
# check_policy_service inet:127.0.0.1:60000,
# reject_non_fqdn_hostname,
# reject_invalid_hostname,
# STARTTLS for incoming connections (smtpd_use_tls is the legacy spelling of
# smtpd_tls_security_level = may on newer releases).
# NOTE(review): the snippet at the top of this page installs
# /etc/openssl/mailserver.key and mailserver.crt, while these lines name
# server.key and server.crt — make sure both refer to the same files.
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/openssl/server.key
smtpd_tls_cert_file = /etc/openssl/server.crt
smtpd_tls_CAfile = /etc/openssl/ca.crt
# Attachment-name filter (the table is listed further down on this page). It
# only inspects the declared file name in MIME headers, not the content.
mime_header_checks = regexp:/etc/postfix/mime_header_checks
# body_checks = regexp:/etc/postfix/body_table
#header_checks = regexp:/etc/postfix/header_table
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
#virtual_alias_domains = ldap:/etc/postfix/ldap-domain.cf
#virtual_alias_maps = ldap:/etc/postfix/ldap-mapping.cf, ldap:/etc/postfix/ldap-virtual.cf
#virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
# Local mailboxes are delivered through the "cyrus" pipe transport from
# master.cf; "cyrussa" (delivery via the spamc wrapper) is the alternative.
mailbox_transport = cyrus
#mailbox_transport = cyrussa
/etc/postfix/mime_header_checks:
# Postfix regexp table. In the real file the pattern's continuation lines
# must start with whitespace (lost in this rendering). Regexp-table patterns
# are case-insensitive unless flagged otherwise, so "EXE" and "exe" both
# match. The check is purely name-based: it rejects MIME parts whose declared
# file name ends in one of the listed extensions; renamed files or files inside
# archives are not detected. $2 in the REJECT text is the matched file name
# taken from the message and is echoed into the SMTP reply and the log.
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|eml|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|url|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))\"?\s*$/ REJECT Anhaenge duerfen keine ausfuehrbaren Dateien sein "$2"
/usr/sbin/cyrdewrapper:
#! /bin/sh
# Delivery wrapper for the "cyrussa" pipe transport in master.cf, called as:
#   cyrdewrapper ${sender} ${user} ${extension}
# The message arrives on stdin, is passed through spamc and then handed to
# cyrdeliver for the given mailbox user and extension.
sender="$1"
user="$2"
extension="$3"

# NOTE(review): spamc's -u selects the spamd user whose preferences apply;
# here it receives the *sender* address, which comes from the remote peer.
# The recipient ($user) is probably what was intended — confirm.
/usr/bin/spamc -u "$sender" | /usr/sbin/cyrdeliver -e -r "$sender" -m "$extension" "$user"
* tja und noch: chmod +x /usr/sbin/cyrdewrapper
/etc/postfix/sasl/smtpd.conf:
# Cyrus SASL configuration used by smtpd (smtpd_sasl_auth_enable = yes in main.cf).
# Password verification is delegated to the saslauthd daemon.
pwcheck_method: saslauthd
# Only PLAIN and LOGIN are offered. Both send the password in the clear, so
# they are safe only inside a TLS session; smtpd can be told to announce AUTH
# only after STARTTLS with smtpd_tls_auth_only = yes.
mech_list: plain login