
Set up e-mail dispatch on Linux systems

Install postfix

Use the package manager to install the postfix package.

Install CA certificates for postfix

On the page "Install CA certificates on Linux systems" we created *.pem files and integrated the new PEM files into the system's CA certificate set.
The postfix mail transfer agent uses its own CA certificate set, so we have to integrate the certificates into this set too.

Create the /etc/postfix/cacerts directory if not yet present. Copy the PEM files into this directory.

On RHEL6 and clones run:

 

/usr/sbin/cacertdir_rehash /etc/postfix/cacerts

 

On newer RHEL systems and clones, Debian and derivatives run:

 

/usr/sbin/c_rehash /etc/postfix/cacerts

Service record for port 587

In /etc/services add

 

submission      587/tcp msa
submission      587/udp msa

 

if there are no such lines for 587/tcp and 587/udp yet.

Specify relay host and port

In /etc/postfix/main.cf set:

 

relayhost=[smtp.fh-schmalkalden.de]:submission

 

to specify host smtp.fh-schmalkalden.de and port 587 as relay destination.

The square brackets tell postfix to use the host name exactly as given, instead of treating it as a domain name and looking up that domain's MX records.

Require encryption

We will use user name and password authentication, but we do not want clear text transmission.
The settings

 

smtp_tls_security_level = encrypt
smtp_tls_CApath = /etc/postfix/cacerts

 

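in /etc/postfix/main.cf require encryption and specify the path of the directory containing the CA certificates used in the relay host's certificate chain. This must be the directory the PEM files were copied into above. At the encrypt level postfix requires TLS but does not verify the server certificate; the verify and secure levels also check it against these CA certificates.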

Use user name and password authentication

Access from outside HSM to HSM's SMTP server requires authentication. The method is user name and password.

The /etc/postfix/main.cf lines

 

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

 

allow authentication when sending mail, deny anonymous sending, and specify the configuration file containing user name and password.

Create user name and password configuration file

Use

 

touch /etc/postfix/sasl_password
chown root:root /etc/postfix/sasl_password
chmod 600 /etc/postfix/sasl_password

 

to create an empty configuration file and set restrictive permissions on it.

Now write the following line to the /etc/postfix/sasl_password file:

 

[smtp.fh-schmalkalden.de]:submission    user:password

 

For user:password specify user name and password of the FHS-ID.

After creating or modifying this file, run

 

postmap /etc/postfix/sasl_password

 

to update the database.

Configure sender names

Normally just the local user name is used as sender e-mail in outgoing mails, especially in e-mails sent automatically by system components. Mail servers mostly do not accept just user names but require use of a normal e-mail address instead.

The /etc/postfix/main.cf line

 

sender_canonical_maps = hash:/etc/postfix/sender_canonical

 

configures postfix to use a database based on the /etc/postfix/sender_canonical text file to find e-mail addresses for user names.

This file contains one or multiple lines. Each line contains a user name and an e-mail address separated by one or multiple spaces.
The file should contain lines for all normal user accounts, root and probably further system accounts.

After creating or modifying the file, the

 

postmap /etc/postfix/sender_canonical

 

command must be used to rebuild/update the database.

Configure recipient names

Some system components send e-mails automatically, especially to the root user.

When using a relay host, a real e-mail address should be used instead of “root”.

The /etc/aliases file is used to configure e-mail aliases. These aliases are resolved locally before transferring the e-mail to the relay host.

Each line in the file contains one alias name (e.g. root), a colon, one or multiple spaces and the e-mail address to use. The file should contain lines at least for “root” and “Postmaster”.

After creating or modifying the file, the

 

newaliases

 

command must be used to update/rebuild the database.

Restart postfix

On recent systemd based Linux systems use

 

systemctl stop postfix
sleep 2
systemctl start postfix

 

to restart postfix.

On initd based systems use

 

service postfix stop
sleep 2
service postfix start

 

instead.
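
A check of the settings from the sections above, as an added example that is not part of the original page. The function names (cf_get, file_mode, fail, audit_relay) are made up for this example, and it assumes main.cf contains plain "name = value" lines without continuation lines.

```sh
#!/bin/sh
# Added example: audit the relay settings described on this page.
# Simplification: reads plain "name = value" lines from main.cf and ignores
# continuation lines; on a live system `postconf -n` shows effective values.

# Print the value of parameter $2 in main.cf file $1 (last assignment wins).
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# Print the octal permission bits of file $1 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Record one finding on stdout and mark the audit as failed.
fail() { echo "FAIL: $*"; rc=1; }

# Audit main.cf file $1; returns 0 when clean, 1 when anything was found.
audit_relay() {
    cf=$1; rc=0
    case $(cf_get "$cf" smtp_tls_security_level) in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) fail "smtp_tls_security_level does not require TLS" ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable is not yes"
    case $(cf_get "$cf" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) fail "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    # The credentials exist twice: the text file and the postmap database.
    map=$(cf_get "$cf" smtp_sasl_password_maps)
    pw=${map#*:}    # strip the "hash:" map type prefix
    for f in "$pw" "$pw.db"; do
        if [ ! -f "$f" ]; then
            fail "$f is missing (run postmap after editing)"
        else
            case $(file_mode "$f") in
                ?00) ;;
                *) fail "$f is accessible to group or others" ;;
            esac
        fi
    done
    capath=$(cf_get "$cf" smtp_tls_CApath)
    [ -d "$capath" ] || fail "smtp_tls_CApath '$capath' is not a directory"
    return "$rc"
}
```

Source the file and run audit_relay /etc/postfix/main.cf as root after postmap and before restarting postfix; each finding is printed as one FAIL line.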