Set up e-mail dispatch on Linux systems
Install postfix
Use the package manager to install the postfix package.
Install CA certificates for postfix
On the page "Install CA certificates on Linux systems" we created *.pem files and integrated the new PEM files into the system's CA certificates set.
The postfix mail transfer agent uses its own CA certificates set, so we have to integrate the certificates into this set too.
Create the /etc/postfix/cacerts directory if not yet present. Copy the PEM files into this directory.
On RHEL6 and clones run:
/usr/sbin/cacertdir_rehash /etc/postfix/cacerts
On newer RHEL systems and clones, Debian and derivatives run:
/usr/bin/c_rehash /etc/postfix/cacerts
Service record for port 587
In /etc/services add
submission 587/tcp msa
submission 587/udp msa
if there are no such lines for 587/tcp and 587/udp yet.
Specify relay host and port
In /etc/postfix/main.cf set:
relayhost=[smtp.fh-schmalkalden.de]:submission
to specify host smtp.fh-schmalkalden.de and port 587 as relay destination.
The square brackets tell postfix to use the host name exactly as given, without looking up MX records as it would for a domain name.
Require encryption
We will use user name and password authentication, but we do not want clear text transmission.
The settings
smtp_tls_security_level = encrypt
smtp_tls_CApath = /etc/postfix/cacerts
in /etc/postfix/main.cf require encryption and specify the path of the directory containing the CA certificates used in the relay host's certificate chain. This is the directory created and rehashed above.
Use user name and password authentication
Access from outside HSM to the HSM's SMTP server requires authentication. The method is to use user name and password.
The /etc/postfix/main.cf lines
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
allow authentication when sending mail, deny anonymous sending, and specify the configuration file containing user name and password.
Create user name and password configuration file
Use
touch /etc/postfix/sasl_password
chown root:root /etc/postfix/sasl_password
chmod 600 /etc/postfix/sasl_password
to create an empty configuration file and set restrictive permissions on it.
Now write the following line to the /etc/postfix/sasl_password file:
[smtp.fh-schmalkalden.de]:submission user:password
For user:password specify user name and password of the FHS-ID.
After creating or modifying this file, run
postmap /etc/postfix/sasl_password
to update the database.
Configure sender names
Normally just the local user name is used as sender e-mail in outgoing mails, especially in e-mails sent automatically by system components. Mail servers mostly do not accept just user names but require use of a normal e-mail address instead.
The /etc/postfix/main.cf line
sender_canonical_maps = hash:/etc/postfix/sender_canonical
configures postfix to use a database based on the /etc/postfix/sender_canonical text file to find e-mail addresses for user names.
This file contains one or multiple lines. Each line contains a user name and an e-mail address separated by one or multiple spaces.
The file should contain lines for all normal user accounts, root and probably further system accounts.
After creating or modifying the file, the
postmap /etc/postfix/sender_canonical
command must be used to rebuild/update the database.
Configure recipient names
Some system components send e-mails automatically, especially to the root user.
When using a relay host, a real e-mail address should be used instead of “root”.
The /etc/aliases file is used to configure e-mail aliases. These aliases are resolved locally before transferring the e-mail to the relay host.
Each line in the file contains one alias name (e.g. root), a colon, one or multiple spaces and the e-mail address to use. The file should contain lines at least for “root” and “Postmaster”.
After creating or modifying the file, the
newaliases
command must be used to update/rebuild the database.
Restart postfix
On recent systemd-based Linux systems use
systemctl stop postfix
sleep 2
systemctl start postfix
to restart postfix.
On init-based systems use
service postfix stop
sleep 2
service postfix start
instead.
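
To check the relay settings from the sections above after editing them, the following script reads main.cf and the password file and reports each deviation. It is an added example, not part of the original instructions; the function names get_param, check_mode and audit_relay are made up for it, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original page: offline audit of the relay setup.
# Simplification: main.cf continuation lines and $name references are not resolved.

# Print the last value assigned to parameter $2 in the main.cf-style file $1.
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if file $1 has mode 600; otherwise print a finding and fail.
check_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    [ "$mode" = 600 ] || { echo "$1: mode $mode, expected 600"; return 1; }
}

# audit_relay MAIN_CF SASL_FILE
# Prints one line per finding; the exit status is the number of findings.
audit_relay() {
    cf=$1; pw=$2; n=0
    relay=$(get_param "$cf" relayhost)
    [ -n "$relay" ] || { echo "relayhost is not set"; n=$((n + 1)); }
    case $(get_param "$cf" smtp_tls_security_level) in
        encrypt|verify|secure|fingerprint|dane-only) ;;   # all make TLS mandatory
        *) echo "smtp_tls_security_level does not enforce TLS"; n=$((n + 1)) ;;
    esac
    [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "smtp_sasl_auth_enable is not yes"; n=$((n + 1)); }
    case $(get_param "$cf" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options lacks noanonymous"; n=$((n + 1)) ;;
    esac
    # The key in the password file must equal relayhost, brackets and port included.
    awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pw" 2>/dev/null ||
        { echo "no password entry for '$relay'"; n=$((n + 1)); }
    # The text file and the database built by postmap both contain the password.
    check_mode "$pw" || n=$((n + 1))
    if [ ! -e "$pw.db" ]; then
        echo "$pw.db: missing, run postmap"; n=$((n + 1))
    else
        check_mode "$pw.db" || n=$((n + 1))
        if [ "$pw" -nt "$pw.db" ]; then
            echo "$pw.db: older than $pw, run postmap"; n=$((n + 1))
        fi
    fi
    return "$n"
}

# Usage: sh audit_relay.sh /etc/postfix/main.cf /etc/postfix/sasl_password
if [ "$#" -eq 2 ]; then audit_relay "$1" "$2"; fi
```

Run it as root so that it can read the password file. An exit status of 0 means no findings.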