Move to Postfix install checklist.

Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Move to Postfix install checklist.

Unread post by Galactic Zero »

Looks like I'm going to have to move to Postfix. I just need a verification of my process please.

Currently have Clamav, spamassassin, pyzor, dcc, qmail-scanner, etc running on Qmail.

Should I uninstall spamassassin, clamav, qmail-scanner before switching to Postfix and then reinstall clamav, spamassassin then install clampf?

What gotchas should I be aware of, and will this be seamless for the client? Currently require long user name.

Thanks, Franklyn
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Move to Postfix install checklist.

Unread post by scott »

So first gotcha: if you're going from a legacy system where you used short names for smtp_auth, it's not going to work with Postfix.

We have a thread talking about Anti-spam/Anti-virus options for postfix: https://atomicorp.com/forum/viewtopic.php?f=4&t=8086

The one I'm currently playing with is called sagator. The thread there really gets into some nitty gritty details.
Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Re: Move to Postfix install checklist.

Unread post by Galactic Zero »

Thanks Scott,

Just upgraded to 12 with latest patches. Only 2 clients on it and everyone is using long names.

So, guess I'll do my switch tomorrow night. Only reason I'm doing this is because the client needs to be able to send mail to AOL customers and they aren't getting through. The IP rep test says undetermined with them even though the main IP for mail is clean. They don't like the mismatch or in-addr.arpa address for the virtual host domain.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Move to Postfix install checklist.

Unread post by scott »

Gotcha, so you're using postfix so you can bind the outbound mail for a domain to a specific IP right?
Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Re: Move to Postfix install checklist.

Unread post by Galactic Zero »

Yes, that is the idea. AOL doesn't like to receive mail from my virtual client and no matter what I do on the receiving end, i.e. adding to all whitelists on client side, his mail is still being bounced.
*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its delivery. The reason your mail is being returned to you is listed in the section labeled: "----- The delivery status notification errors -----".

The line beginning with "Diagnostic-Code:" describes the specific reason your e-mail could not be delivered. The following lines contains the
RFC822 header of the original email message.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster

----- The delivery status notification errors -----

<jmoorecatz@aol.com>: host core-lrb02g.mail.aol.com[10.76.58.115] said: 554
5.7.1 Your mail could not be delivered because the recipient is only
accepting mail from specific email addresses. If you feel you received this
in error, please contact the recipient directly and ask them to check their
email settings. (in reply to end of DATA command)
The only thing I can figure at this point is the SMTP header doesn't match his domain. I've contacted the postmaster on this and they replied that the receiver is blocking. This particular email is to his Mother.... I've specifically allowed his email, whitelisted etc. on her mail profile and still getting this bounce message.

Hence my move to postfix. /sigh.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
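The bounce quoted in the post above is a standard Postfix-style delivery status notification: the remote host, its IP, the three-digit SMTP reply, the RFC 3463 enhanced status code and the SMTP stage at which the reply came are all on the "said:" line, wrapped over several lines. The script below is an added example (not from the thread or from any of the tools it mentions) that joins the wrapped lines back together, extracts those fields and maps the enhanced code to its RFC 3463 meaning, so triage starts from the code class (here a permanent policy refusal) rather than from the prose. The bounce text in the block is a constructed stand-in modelled on the quoted one, with a placeholder host, recipient and an RFC 5737 documentation IP.

```python
"""Parse a Postfix-style DSN 'said:' line and classify its enhanced status code.

Added example for the thread above; not code from the forum, AOL or Postfix.
SAMPLE_BOUNCE is constructed (placeholder host/recipient, documentation IP).
"""
import re

SAMPLE_BOUNCE = """\
----- The delivery status notification errors -----

<recipient@example.com>: host mx.example.net[192.0.2.25] said: 554
5.7.1 Your mail could not be delivered because the recipient is only
accepting mail from specific email addresses. If you feel you received this
in error, please contact the recipient directly and ask them to check their
email settings. (in reply to end of DATA command)
"""

# Postfix bounce format: "<rcpt>: host NAME[IP] said: CODE X.Y.Z text (in reply to CMD)"
SAID_RE = re.compile(
    r"<(?P<recipient>[^>]+)>: host (?P<host>\S+)\[(?P<ip>[^\]]+)\] said: "
    r"(?P<reply_code>\d{3})[ -](?P<enhanced>\d\.\d+\.\d+) (?P<message>.*?) "
    r"\(in reply to (?P<stage>.+?)\)"
)

# RFC 3463: first digit is the class, the rest identifies subject and detail.
STATUS_CLASS = {"2": "success", "4": "transient failure", "5": "permanent failure"}
STATUS_DETAIL = {
    "1.1": "bad destination mailbox address",
    "1.2": "bad destination system address",
    "2.2": "mailbox full",
    "7.0": "other or undefined security status",
    "7.1": "delivery not authorized, message refused",
}


def parse_dsn(text):
    """Return the fields of the first 'said:' record in a bounce, or None.

    The MTA wraps the record across lines, so we drop blank lines and the
    '-----' separators and re-join before matching.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("-----")]
    match = SAID_RE.search(" ".join(lines))
    return match.groupdict() if match else None


def classify(enhanced):
    """Map an enhanced status code such as '5.7.1' to a human-readable class."""
    cls, _, detail = enhanced.partition(".")
    return f"{STATUS_CLASS.get(cls, 'unknown class')}: {STATUS_DETAIL.get(detail, 'unlisted subject/detail ' + detail)}"


if __name__ == "__main__":
    record = parse_dsn(SAMPLE_BOUNCE)
    print(record)
    print(classify(record["enhanced"]))
```

A 5.x.x code with subject 7 is the remote side applying policy after the whole message was received (stage "end of DATA command"), which is a different problem from a 4.x.x transient refusal or a 5.1.1 unknown mailbox; knowing which one you have decides whether retrying, fixing DNS or contacting the postmaster is the right next step.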
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Move to Postfix install checklist.

Unread post by faris »

Wow. I've never seen that rejection error before. It implies the recipient is using an AOL setting I've never seen before, or maybe there's something more complex going on?

Do you have an AOL mail feedback loop set up with them?
https://postmaster.aol.com/fbl-request
Also https://postmaster.aol.com/
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Re: Move to Postfix install checklist.

Unread post by Galactic Zero »

Not yet Faris. I've not been able to whitelist the domain or IP addresses either. Using their reputation tool I get an undisclosed message which doesn't do me any good.

The last test I ran came back with a Reverse DNS listing softlayer static ip and not the ip of the domain. Also that IP is shared with other domains on the server.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Re: Move to Postfix install checklist.

Unread post by Galactic Zero »

This is my current setting for postfix and outgoing mail:

Outgoing mail mode
Send from domain IP addresses
Send from domain IP addresses and use domain names in SMTP greeting
Send from the specified IP addresses
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Move to Postfix install checklist.

Unread post by prupert »

Some tips for any Postfix installation (different from OS defaults):

- Set secure smtpd_banner, do not leak program/version info.
- Enable optimistic encryption via smtp_tls_security_level.
- Configure your own certificate via smtpd_tls_cert_file
- Disable weak ciphers for TLS encryption in Postfix via 'smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA'
- Generate custom Diffie-Hellman parameters for Postfix via "openssl dhparam -out /etc/pki/tls/certs/postfix_dhparam.pem 2048" and set via smtpd_tls_dh1024_param_file.
- Set the smtp_tls_CAfile /etc/pki/tls/certs/ca-bundle.crt (CentOS 6/7) to validate remote certs.
- Not using IPv6? Set "inet_protocols = ipv4"
- Wanting to log Subjects in maillog? Set "header_checks = regexp:/etc/postfix/header_checks" and let that file have contents "/^Subject:/ WARN"
Lemonbit Internet Dedicated Server Management
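The tips above are all main.cf parameters, so they can be checked mechanically instead of by eye. The script below is an added example (not from the thread, from Lemonbit or from Postfix) that parses a main.cf the way Postfix reads it (later assignments win, a line starting with whitespace continues the previous parameter, '#' starts a comment) and reports which of the listed hardening settings are missing. The two main.cf fragments in the block are constructed: one looks like a stock install, the other applies the tips; the certificate paths in the hardened fragment are placeholders.

```python
"""Audit a Postfix main.cf against the hardening tips listed above.

Added example for the thread; not code from the forum or from Postfix.
The two main.cf fragments are constructed; the parameter names are the
real Postfix parameters named in the post.
"""
import re

# Constructed sample: a stock-looking main.cf that leaks version info and
# leaves TLS at its defaults.
WEAK_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
inet_protocols = all
"""

# Constructed sample: the same file after applying the tips (placeholder paths).
HARDENED_MAIN_CF = """\
# comments and blank lines are ignored
smtpd_banner = $myhostname ESMTP
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/postfix_dhparam.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
header_checks = regexp:/etc/postfix/header_checks
"""

# Cipher families the post says to exclude (the ones OpenSSL names generically).
WEAK_CIPHER_FAMILIES = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5")


def parse_main_cf(text):
    """Parse main.cf into a dict of parameter -> value.

    A line beginning with whitespace is a continuation of the previous
    parameter; '#' lines are comments; a repeated parameter overrides.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment
        current = key.strip()
        params[current] = value.strip()
    return params


def audit(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Postfix default banner already includes $mail_name; either macro leaks software info.
    banner = params.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_name" in banner or "$mail_version" in banner:
        findings.append("smtpd_banner leaks software name/version")
    if params.get("smtp_tls_security_level", "none") == "none":
        findings.append("smtp_tls_security_level is 'none': outbound mail is never encrypted")
    if not params.get("smtpd_tls_cert_file"):
        findings.append("smtpd_tls_cert_file not set: no server certificate")
    excluded = {c for c in re.split(r"[,\s]+", params.get("smtpd_tls_exclude_ciphers", "")) if c}
    for family in WEAK_CIPHER_FAMILIES:
        if family not in excluded:
            findings.append(f"weak cipher family {family} not excluded")
    if not params.get("smtpd_tls_dh1024_param_file"):
        findings.append("smtpd_tls_dh1024_param_file not set: using built-in DH parameters")
    if not params.get("smtp_tls_CAfile"):
        findings.append("smtp_tls_CAfile not set: remote certificates cannot be validated")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"== {name} ==")
        for finding in audit(parse_main_cf(text)) or ["no findings"]:
            print(" -", finding)
```

On a live system the same checks can be run against `postconf -n` output, which prints only the non-default settings in the same `name = value` form; the parser handles that unchanged.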
Galactic Zero
Forum Regular
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Re: Move to Postfix install checklist.

Unread post by Galactic Zero »

Will this fix the client getting the message that the CA is invalid? Basically they don't have one and the server is self-signed. For the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?

How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?

Thanks.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Move to Postfix install checklist.

Unread post by prupert »

Galactic Zero wrote: Will this fix the client getting the message that the CA is invalid? Basically they don't have one and the server is self-signed. For the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?
You can only install one server certificate via Postfix, and if you want this to be working without warnings, you will need to make sure that:
- The certificate is signed by a trusted CA.
- The certificate holds the domain name that the client uses to connect to the mail server.

Basically, that is how it works for every certificate-validated service.
How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?
This can be done through the Softlayer control panel. Networks themselves are usually authoritative for the reverse DNS zones of IP blocks. This has nothing to do with your mail server configuration.
Lemonbit Internet Dedicated Server Management