Linux
HowTo Setup Authenticated Postfix
by Drew Dahl on May.15, 2010, under HowTo, Linux, Mail
I recently had the experience of setting up Postfix. It works really well, in my opinion; however, setting it up wasn’t the simplest for what I wanted. But, at least it was simpler than sendmail.
Reading through several articles on the Internet, everyone was giving steps on how to set up Postfix to handle e-mail for any FQDN (Fully-Qualified Domain Name). Well, we don’t want to be handling someone else’s e-mail, so we decided to set it up with authentication. All of the guides on setting up Postfix with SASL authentication are great and all; however, they don’t address the issue of, what if you want to receive mail as well? That’s a simple fix, but moreover, what if you have a service like mailman running? Mailman isn’t easily configured to authenticate against the SMTP server to send mail. So, the following are the configurations that I’ve come up with to solve all of these problems:
For the file /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = hostname.domain.tld
mydomain = domain.tld
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, localhost.localdomain, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.0.0/24, 127.0.0.1/32
relay_domains = $mydestination
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.5/samples
readme_directory = /usr/share/doc/postfix-2.6.5/README_FILES
Now keep in mind, your values for some of the above WILL be different. This configuration is on a machine that’s running mailman as well (thus the /etc/mailman/aliases file).
And lastly, for SASL auth, edit the file: /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
Your lib64 directory may just be lib, depending on the architecture of your box. All of these edits were made on a 64-bit Fedora 12 machine, but they should work for every machine.
And last note. After all of the edits have been made, make sure to restart postfix and restart saslauthd with the following:
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
For questions on what some of the postfix settings mean, you can check out one of the following:
postconf man-page by running “man postconf” or visit http://www.postfix.org/postconf.5.html
Postfix Documentation at: http://www.postfix.org/documentation.html
Postfix HowTo’s at: http://www.postfix.org/docs.html
Postfix is definitely the easiest MTA I’ve ever had the pleasure of working with, as far as configuration goes. I hope this helps.
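The main.cf above enables SASL with the PLAIN and LOGIN mechanisms and relies on reject_unauth_destination to stop relaying for strangers. The script below is an added example, not part of the original post: it reads a main.cf, honours continuation lines, and reports when the relay guard is missing, when SASL is offered without requiring TLS, or when mynetworks trusts everyone. The function names are hypothetical; smtpd_tls_auth_only and smtpd_relay_restrictions are real Postfix parameters that the post does not set.

```shell
#!/bin/sh
# Added example (not from the post): audit main.cf for the relay/SASL settings above.

# get_param FILE NAME: print the value of NAME. Lines starting with whitespace
# continue the previous parameter (as debugger_command does); last definition wins.
get_param() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == name) val = val " " $0; next }
        { i = index($0, "="); if (i == 0) { cur = ""; next }
          cur = substr($0, 1, i - 1); gsub(/[ \t]/, "", cur)
          if (cur == name) val = substr($0, i + 1) }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# audit_main_cf FILE: print one finding per line; no output means no findings.
audit_main_cf() {
    relay="$(get_param "$1" smtpd_recipient_restrictions) $(get_param "$1" smtpd_relay_restrictions)"
    case "$relay" in
        *_unauth_destination*) ;;
        *) echo "RELAY: no reject_unauth_destination in the smtpd restrictions" ;;
    esac
    if [ "$(get_param "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(get_param "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "AUTH: SASL is offered without smtpd_tls_auth_only = yes"
    fi
    for n in $(get_param "$1" mynetworks | tr ',' ' '); do
        case "$n" in */0) echo "RELAY: mynetworks trusts every client ($n)" ;; esac
    done
    return 0
}

# Excerpt built from the values in the post; the restriction list is wrapped
# onto a second line here to exercise continuation handling.
page_main_cf() {
    cat <<'EOF'
mynetworks = 192.168.0.0/24, 127.0.0.1/32
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
EOF
}

tmp=$(mktemp) && page_main_cf > "$tmp" && audit_main_cf "$tmp"; rm -f "$tmp"
```

With PLAIN and LOGIN as the only mechanisms, the AUTH finding means passwords cross the network unencrypted unless TLS is configured and required for AUTH.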
Setup sendmail to use Gmail’s SMTP server
by Drew Dahl on Feb.18, 2010, under HowTo, Linux, Mail
Well, I did this on Fedora 12, so I’ll be basing everything off of Fedora packages and yum; however, this should work on any distro.
Things you’ll need: sendmail, sendmail-cf, cyrus-sasl
Might need something more, but if so, I’ve overlooked it…
The first thing we’re going to do is set up our authinfo. Do the following:
mkdir /etc/mail/auth/
cd /etc/mail/auth/
vim client-info
In the client-info file you’ve opened in your text editor, insert the following lines:
AuthInfo:smtp.gmail.com "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"
Now, save it, quit your editor, and run the following in the same directory.
makemap -r hash client-info.db < client-info
chmod 600 *
cd ../
chmod 700 auth
Now, let's move on to making our certs. Do the following:
mkdir /etc/mail/certs/
cd /etc/mail/certs/
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650
cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs
And finally, let’s edit our sendmail.mc. Do the following:
cd /etc/mail/
vim sendmail.mc
And, add the following to sendmail.mc:
FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/ca-bundle.crt')
define(`confCRL', `CERT_DIR/ca-bundle.crt')
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
Now run:
m4 sendmail.mc > sendmail.cf
/etc/init.d/sendmail restart
I think it’s all self-explanatory for the most part. Happy mailing.
-=EDIT=-06/02/2010
In the above configuration files, a user reported having issues while copying the above information into their config files. The issue was regarding the quotes around various options. So, if you experience any trouble, please try replacing the quotes. (e.g. delete the ones that are there and add them back within your text editor)
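The quoting problem described in the edit note can be caught before running m4 or makemap. The script below is an added example, not part of the original post: it flags lines that contain bytes outside plain ASCII (typographic quotes pasted from a web page) and lines where m4's opening backticks and closing apostrophes do not pair up. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): find quote damage in sendmail.mc or client-info.

# check_m4_quotes [FILE]: print "LINE:non-ascii" for a line holding any byte
# outside printable ASCII and tab, otherwise "LINE:unbalanced" when the number
# of backticks differs from the number of apostrophes. Reads stdin without FILE.
check_m4_quotes() {
    LC_ALL=C awk -v bq='`' -v sq="'" '
        /^dnl/ || /^[ \t]*$/ { next }     # m4 comment lines may hold stray apostrophes
        /[^\t -~]/ { print NR ":non-ascii"; next }
        { if (split($0, a, bq) != split($0, b, sq)) print NR ":unbalanced" }
    ' "$@"
}

# Constructed sample: line 1 is correct, line 2 carries typographic quotes,
# line 3 lost its closing apostrophe, line 4 is an m4 comment.
sample_mc() {
    cat <<'EOF'
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS’, `TCP $h 587′)
define(`CERT_DIR', `/etc/mail/certs)
dnl # don't flag this comment line
EOF
}

sample_mc | check_m4_quotes
```

Run it as `check_m4_quotes /etc/mail/sendmail.mc` or against the client-info file; an empty result means no quote damage was found.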
Quick Overview of SELinux and Apache
by Drew Dahl on Jan.17, 2010, under HowTo, Linux
I found this link on-line and found it to be quite useful.
http://www.beginlinux.com/server_training/web-server/976-apache-and-selinux
I refer to it often as I forget some of the commands once in a while when I add new files for Apache to serve.
DBDesigner 4 on Fedora 12
by Drew Dahl on Jan.17, 2010, under HowTo, Linux
I found this very useful article on running DBDesigner 4 on Fedora 8, here. I followed the directions and found it to work on Fedora 11 and Fedora 12. I’m sure it’ll work for just about any distro, so I’m just reposting the directions here as I find it to be a very useful program.
Do not use the original DBDesigner4 download available on the fabForce.net website. Instead download the dbdesigner-fork package from here:
http://sourceforge.net/projects/dbdesigner-fork/
Once you have unpacked it, edit the bin/startdbd_using_kernel2.6 script and remove the assume kernel 2.4.1 text:
Original file contents: LD_ASSUME_KERNEL=2.4.1 LANG=en_US.ISO8859-1 LD_LIBRARY_PATH=./Linuxlib/ ./DBDesignerFork
Edited contents: LANG=en_US.ISO8859-1 LD_LIBRARY_PATH=./Linuxlib/ ./DBDesignerFork
Save it and run it. It should all work as expected on Linux Fedora 8 or indeed any other modern distribution like Ubuntu, etc.
.htaccess – No Auth for local access/Auth for outside access
by Drew Dahl on Dec.28, 2009, under HowTo, Linux
For this, we’ll throw an .htaccess file into the directory you don’t want anyone to access that’s served via apache. For this, we’ll also have to have the following set for the directory in the httpd.conf file: AllowOverride AuthConfig
Here’s what the .htaccess file should look like (with a few modifications for location and network if you need):
AuthType Basic
AuthName "Remote Auth"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Order deny,allow
deny from all
allow from 192.168.0
Satisfy any
And then in the same directory, create the .htpasswd file by:
htpasswd -c .htpasswd username
Then when prompted, enter the password for that username. Make sure both files are owned by apache (or www-data if your webserver runs as such). Voilà! It works.
(Note: To add more users to the htpasswd file, do the same command as above, without the -c)
Fixing The Error: DB_RUNRECOVERY: Fatal error, run database recovery
by Drew Dahl on Dec.27, 2009, under HowTo, Linux
If you get a message similar to this:
[username@localhost ~]$ sudo yum update
rpmdb: Thread/process 2402/139688794072832 failed: Thread died in Berkeley DB library
error: db4 error(-30974) from dbenv->failchk: DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db3 - (-30974)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:
Error: rpmdb open failed
You can fix it by running the following 3 commands:
[username@localhost ~]$ sudo rm -f /var/lib/rpm/__db*
[username@localhost ~]$ sudo db_verify /var/lib/rpm/Packages
[username@localhost ~]$ sudo rpm --rebuilddb
HowTo: Clone a VirtualBox HDD (.vdi)
by Drew Dahl on Dec.06, 2009, under HowTo, Linux, VirtualBox, Windows
Okay, this will be short and sweet. Here’s how you clone a VirtualBox HDD in Windows:
"C:\Program Files\Sun\VirtualBox\VBoxManage.exe" clonevdi "C:\Users\Andrew\.VirtualBox\HardDisks\Windows XP.vdi" "C:\Users\Andrew\.VirtualBox\HardDisks\Windows XP Clone.vdi"
and in Linux:
VBoxManage clonevdi /home/andrew/.VirtualBox/HardDisks/WindowsXP.vdi /home/andrew/.VirtualBox/HardDisks/WindowsXPClone.vdi
The basic form is “VBoxManage clonevdi sourcevdi destinationvdi”. Now you may ask, why clone a virtual machine’s hard drive? Well, if you want to back them up, this works for that. Or, if you want to duplicate that same virtual machine without having to do a second installation/activation.
Also to note, doing it this way will change the HDD’s UUID, so you don’t get the error: “A hard disk with UUID {92c7da90-00f3-4bda-b338-57d24dad7f4b} or with the same properties ('/home/andrew/.VirtualBox/HardDisks/WindowsXP.vdi') is already registered.”
Also, last thing to note… Instead of the directory “HardDrives”, yours may be “VDI”. I believe in older versions of VirtualBox it was VDI; however, these days it’s HardDrives.
