HowTo: Replace Scalix SMTPD with Postfix

In this post I will describe how to replace Scalix SMTPD with Postfix so that you can use the flexibility of Postfix for spam and virus fighting. You should read my installation instructions before starting the steps below. You can find the installation instructions for Scalix on Debian with Postfix here:

How to: Install Scalix on Debian using Postfix instead of Sendmail

To replace Scalix SMTPD with Postfix, you need to change the port for SMTPD from 25 to a higher one and tell Postfix to use the Scalix LDAP directory for user lookup. The first part is easy, but the last one is tricky and it cost me more than a week to figure it out and get it working correctly.

Set Postfix to Listen on Port 25

The default port used to transfer mail from one server to another is port 25. After installing Scalix, the Scalix SMTPD listens on that port. This works perfectly, but the SMTPD is limited when it comes to spam and virus filtering. The solution is to replace Scalix SMTPD with Postfix. First, we need to change the port of the Scalix SMTPD to another, preferably higher, port. Open the SMTPD configuration file here:

root@mail:~# vi /var/opt/scalix/ml/s/sys/smtpd.cfg

and add this line:

# Change listening port
LISTEN=localhost:20025

Make sure that this line is added before the “submission” part. Replace “20025” with whatever port fits your environment.

You can now restart the SMTPD with these two commands:

omoff -d0 -w smtpd
omon smtpd

Afterwards, SMTPD should listen only on localhost on the specified port.

Now, you need to configure Postfix to listen on port 25. I will configure Postfix to listen on all interfaces on port 25. You have to open the main configuration file for Postfix:

root@mail:~# vi /etc/postfix/main.cf

Depending on the way you installed Postfix on Debian, the file may not exist. You can start with an empty one, but it makes more sense to start with the default one. Just copy the Debian default file into the Postfix directory:

root@mail:~# cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf

Now, you should add this line to the config:

# let Postfix listen to all interfaces
inet_interfaces = all

This will tell Postfix to listen on all interfaces on port 25. Postfix now takes the place of Scalix SMTPD, but so far it knows nothing about the Scalix users or where to deliver incoming emails.

Connect Postfix to the Scalix LDAP

This part is the tricky one as you need to install sasl and get it working with the Scalix LDAP. First, install the required sasl packages:

apt-get install libsasl2-modules-ldap sasl2-bin

This will install all the required sasl packages. Afterward, you need to enable the sasl daemon in the default config:

root@mail:~# vi /etc/default/saslauthd

Go through the configuration options and configure them to your needs. I changed the ones below:

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd -r"

The last option heavily depends on your Postfix configuration. I use Postfix in a non-chroot environment.

This will enable the sasl daemon. Now we need to tell Postfix to use sasl. Open main.cf and insert the following parts:

# Check recipient addresses against the Scalix LDAP
relay_recipient_maps = ldap:/etc/postfix/ldap_relay_recipient_maps.cf

# Look up the transport (next hop) via the Scalix LDAP
transport_maps = ldap:/etc/postfix/scalix-transport.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous

# Postfix 2.3 and later
smtpd_sasl_path = smtpd

broken_sasl_auth_clients = yes

smtpd_client_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                permit

smtpd_sender_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                permit

smtpd_recipient_restrictions =
                permit_mynetworks
                permit_sasl_authenticated
                reject_unauth_destination

The “relay_recipient_maps” option is used to check whether the mail address exists on the Scalix server. The file referenced by this option has the content below:

server_host = ldap://localhost:389/
search_base = o=Scalix
version = 3
bind_dn = cn=sxadmin,o=scalix
bind_pw = top-secret
query_filter = mail=%s
result_attribute = mail

Change the bind_pw to your sxadmin password.

The “transport_maps” option tells Postfix what to do with incoming emails. We will forward emails to the Scalix SMTPD process, which will place them into the correct mailbox. The file has the following content:

server_host = ldap://localhost:5757
query_filter = mail=%s
bind = no
result_attribute = scalixInstanceMailHost
result_format = smtp:127.0.0.1:20025
size_limit = 1
domain = example.com

This will query the LDAP server for the mail address and forward the mail to the Scalix SMTPD process. You have to replace the “domain” value with your domain. You are now able to receive emails with Postfix for your Scalix users.

The other settings enable authentication so that Postfix can relay (send outgoing) emails over the system. Postfix will also use sasl for this. The configuration is done in saslauthd.conf here:

root@mail:~# vi /etc/saslauthd.conf

The content of this file should look like this:

ldap_servers: ldap://localhost:389/
ldap_search_base: o=Scalix
ldap_auth_method: bind
ldap_filter: (|(omUlAuthid=%u)(mail=%u))
ldap_version: 3
ldap_bind_dn: cn=sxadmin,o=scalix
ldap_bind_pw: top-secret

This will authenticate users against the Scalix LDAP with either their mail address or their username, together with their password. Please insert the correct “ldap_bind_pw”.

After restarting Postfix and the sasl daemon you should test your setup, but everything should work fine.
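
An added example, not part of the original post: a small shell audit for the files edited above. It checks that the port in smtpd.cfg matches the one in the transport map (a mismatch makes Postfix forward to a port nothing listens on) and that no file holding the sxadmin bind password is world-readable; the function names and the script name audit.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files edited in this how-to.

# Port from the "LISTEN=localhost:20025" line in Scalix smtpd.cfg.
scalix_listen_port() {
    sed -n 's/^LISTEN=[^:]*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Port from "result_format = smtp:127.0.0.1:20025" in the Postfix transport map.
transport_port() {
    sed -n 's/^result_format[[:space:]]*=[[:space:]]*smtp:[^:]*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# True if the file sets bind_pw / ldap_bind_pw and its mode grants read to "other".
leaks_bind_pw() {
    grep -Eq '^(ldap_)?bind_pw[[:space:]]*[:=]' "$1" 2>/dev/null || return 1
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# audit SMTPD_CFG TRANSPORT_CF [FILE_WITH_BIND_PW ...]; returns 0 only if all checks pass.
audit() {
    smtpd_cfg=$1; transport_cf=$2; shift 2
    rc=0
    lp=$(scalix_listen_port "$smtpd_cfg")
    tp=$(transport_port "$transport_cf")
    if [ -z "$lp" ] || [ "$lp" != "$tp" ]; then
        echo "MISMATCH: smtpd.cfg port '$lp', transport map port '$tp'"
        rc=1
    fi
    for f in "$@"; do
        if leaks_bind_pw "$f"; then
            echo "WORLD-READABLE: $f contains a bind password"
            rc=1
        fi
    done
    return "$rc"
}

# Run against real files when paths are given (audit.sh is a hypothetical name), e.g.:
#   sh audit.sh /var/opt/scalix/ml/s/sys/smtpd.cfg /etc/postfix/scalix-transport.cf \
#       /etc/postfix/ldap_relay_recipient_maps.cf /etc/saslauthd.conf
if [ "$#" -ge 2 ]; then
    audit "$@"
fi
```

A clean audit only shows that the files agree with each other; `postmap -q user@example.com ldap:/etc/postfix/ldap_relay_recipient_maps.cf` and `testsaslauthd -u <user> -p <password>` exercise the live LDAP lookups.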

If you see these errors in the “auth.log”, you can ignore them, as they did not cause any problems with the authentication.

Sep 22 14:33:39 mail postfix/submission/smtpd[9657]: auxpropfunc error invalid parameter supplied
Sep 22 14:33:39 mail postfix/submission/smtpd[9657]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Sep 22 14:33:39 mail postfix/submission/smtpd[9657]: canonuserfunc error -7
Sep 22 14:33:39 mail postfix/submission/smtpd[9657]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

I will explain how to enable TLS support and fight against spam and viruses in a later post.

If you have any questions or feedback, please use the comment function.
