
Postfix + SMTP-Auth + Cyrus21 + LDAP Magic

Here is a collection of the magic required to get Postfix to do various things.

Delivery to Cyrus IMAP

main.cf:
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

Note that this requires Cyrus to be set up to listen for LMTP on that socket. You can also use TCP delivery for LMTP. See CyrusNotes.

SMTP Auth

main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unauth_pipelining,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain

Create this file (under Debian it is in /etc/postfix/sasl/ but this will differ on other distributions).

sasl.conf:
pwcheck_method: saslauthd
mech_list: login
mechanisms: pam
saslauthd_path: /var/run/saslauthd/mux

Now, provided you have Cyrus SASL working, you can authenticate using the same credentials you use for Cyrus.

Note: I experienced problems using saslauthd under the Debian install. I resolved these by turning off chroot for smtpd in master.cf. You need to make sure that the postfix user is a member of the sasl group, otherwise it won't be able to communicate with saslauthd.
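The ordering of smtpd_recipient_restrictions above is what decides whether a client may relay: Postfix walks the list top to bottom and stops at the first restriction that says PERMIT or REJECT, so permit_mynetworks and permit_sasl_authenticated must come before reject_unauth_destination, and reject_unauth_destination must be present at all or the server is an open relay. The following is an added example, not part of the original page and not Postfix code: a small Python model of that walk over constructed sample sessions. The mynetworks, mydestination and "known domain" values are assumptions standing in for main.cf and DNS.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for main.cf settings (assumed values, not from the page).
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]
MYDESTINATION = {"seclorum.tla", "localhost"}
RELAY_DOMAINS = set()
# Stand-in for DNS: domains this model treats as resolvable.
KNOWN_DOMAINS = {"seclorum.tla", "example.com", "example.net"}

# Same order as the smtpd_recipient_restrictions list on this page.
RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient",
    "reject_unauth_pipelining",
    "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",
]


@dataclass
class Session:
    """What the SMTP server knows at RCPT TO time (constructed sample data)."""
    client_ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str
    pipelining_abused: bool = False


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


# Each restriction returns PERMIT, REJECT, or DUNNO ("no opinion, try the next one").
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "PERMIT" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s):
    # The anti-relay gate: only destinations we are responsible for pass through.
    d = _domain(s.recipient)
    return "DUNNO" if d in MYDESTINATION or d in RELAY_DOMAINS else "REJECT"


def reject_non_fqdn_sender(s):
    return "REJECT" if "." not in _domain(s.sender) else "DUNNO"


def reject_non_fqdn_recipient(s):
    return "REJECT" if "." not in _domain(s.recipient) else "DUNNO"


def reject_unauth_pipelining(s):
    return "REJECT" if s.pipelining_abused else "DUNNO"


def reject_unknown_sender_domain(s):
    return "DUNNO" if _domain(s.sender) in KNOWN_DOMAINS else "REJECT"


def reject_unknown_recipient_domain(s):
    return "DUNNO" if _domain(s.recipient) in KNOWN_DOMAINS else "REJECT"


def evaluate(session):
    """Return (verdict, restriction) for the first PERMIT or REJECT.
    Falling off the end of the list is an implicit permit, as in Postfix."""
    for name in RESTRICTIONS:
        verdict = globals()[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end_of_list"


if __name__ == "__main__":
    # An unauthenticated outside client asking us to relay to a foreign domain.
    print(evaluate(Session("203.0.113.5", False, "a@example.net", "b@example.com")))
    # The same client after SASL authentication.
    print(evaluate(Session("203.0.113.5", True, "a@example.net", "b@example.com")))
```

Moving reject_unauth_destination above permit_sasl_authenticated in RESTRICTIONS makes the second session in the usage block fail, which is the quickest way to see why the page's order matters for roaming users.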

TLS

main.cf:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

LDAP Alias support

main.cf:
alias_maps = hash:/etc/aliases, ldap:ldapaliases, ldap:ldappeople
alias_database = hash:/etc/aliases

ldapaliases_server_host = shinobi.seclorum.tla
ldapaliases_server_port = 389

ldapaliases_search_base = ou=Aliases,dc=seclorum,dc=tla
ldapaliases_query_filter = (&(objectClass=nisMailAlias)(|(cn=%u)))
ldapaliases_result_attribute = uid,rfc822mailmember
ldapaliases_debuglevel = 3

This works with the same LDAP directory setup as described in EximNotes. I also use a second section for ldappeople that searches the People OU instead of the Aliases OU.
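Postfix fills %u in ldapaliases_query_filter with the local part of the address being looked up (%s is the whole address, %d the domain), escapes it as an LDAP filter value so that characters like "(", ")" and "*" in a local part cannot change the shape of the filter, and joins the values of every attribute named in ldapaliases_result_attribute with commas to form the alias expansion. The block below is an added example, not part of the original page and not Postfix's own code: it reproduces that expansion and escaping over a constructed in-memory stand-in for the ou=Aliases subtree, with a minimal filter parser so the sample entries can actually be matched. The entry contents and the parser are assumptions for illustration.

```python
import re

# Mirrors the page's ldapaliases_* settings (the filter string is from the page).
QUERY_FILTER = "(&(objectClass=nisMailAlias)(|(cn=%u)))"
RESULT_ATTRIBUTES = ["uid", "rfc822mailmember"]

# Constructed stand-in for ou=Aliases,dc=seclorum,dc=tla (sample data, assumed).
DIRECTORY = [
    {"objectClass": ["nisMailAlias"], "cn": ["postmaster"],
     "rfc822mailmember": ["alice@seclorum.tla"]},
    {"objectClass": ["nisMailAlias"], "cn": ["staff"],
     "rfc822mailmember": ["alice@seclorum.tla", "bob@seclorum.tla"]},
]


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: the metacharacters become \\xx.
    This is what keeps a local part such as 'a)(cn=*' from widening the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template, address):
    """Substitute %s, %u and %d the way ldap_table does, escaping each value."""
    local, _, domain = address.partition("@")
    subs = {"%s": address, "%u": local, "%d": domain}
    return re.sub(r"%[sud]", lambda m: ldap_escape(subs[m.group()]), template)


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def parse_filter(s, i=0):
    """Tiny recursive-descent parser for the filter subset used here:
    (&...), (|...), (!...) and (attr=value). Returns (node, next_index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    j = s.index("=", i)
    k = j + 1
    while s[k] != ")":
        k += 3 if s[k] == "\\" else 1  # an escaped byte is "\" plus two hex digits
    return ("=", (s[i:j], _unescape(s[j + 1:k]))), k + 1


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "|":
        return any(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def lookup(address):
    """Alias expansion for one address: comma-joined result attributes, or
    None when no entry matches (Postfix then falls through to the next map)."""
    node, _ = parse_filter(expand_filter(QUERY_FILTER, address))
    results = []
    for entry in DIRECTORY:
        if matches(node, entry):
            for attr in RESULT_ATTRIBUTES:
                results.extend(entry.get(attr, []))
    return ", ".join(results) or None


if __name__ == "__main__":
    print(expand_filter(QUERY_FILTER, "staff@seclorum.tla"))
    print(lookup("staff@seclorum.tla"))
    # A local part containing filter metacharacters is escaped, not interpreted.
    print(expand_filter(QUERY_FILTER, "a)(cn=*@seclorum.tla"))
```

Because this map is consulted with the local part only (%u), every domain gets the same expansion; the ldappeople section the note mentions would use the same mechanism with a different search base and filter, returning uid for the ldap:ldappeople half of alias_maps.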

Address Rewriting

main.cf:
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

In some cases, you will need to use regexp or pcre instead of hash. (postconf -m shows you what types of lookup tables your Postfix system supports.)
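The difference between hash and regexp tables for a canonical map is not only the syntax of the keys. A hash table is queried with the full address, then with the bare user (only when the domain is local), then with @domain, and a result of the form @otherdomain keeps the user part; a regexp table is matched against the whole address once, with $1-style back-references in the result. The block below is an added example, not part of the original page and not Postfix code: a Python model of both lookup orders over constructed sample tables. The table contents and the set of local domains are assumptions.

```python
import re

# Assumed local domains, standing in for mydestination.
MYDESTINATION = {"seclorum.tla", "localhost"}

# Constructed hash-style recipient_canonical table: exact keys only.
HASH_TABLE = {
    "root@seclorum.tla": "admin@seclorum.tla",  # user@domain form, highest precedence
    "postmaster": "admin@seclorum.tla",         # bare user form, local domains only
    "@oldname.tla": "@seclorum.tla",            # @domain form, keeps the user part
}

# Constructed regexp-style table: (pattern, result) pairs, one per line as in
# a Postfix regexp: file; $1 refers to the first capture group.
REGEXP_TABLE = [
    (r"^sales\.(.+)@seclorum\.tla$", r"$1@sales.seclorum.tla"),
    (r"^(.+)-bounces@seclorum\.tla$", r"bounces+$1@seclorum.tla"),
]


def hash_lookup(address, table=HASH_TABLE):
    """Canonical lookup order for a hash: table; unchanged address if no key hits."""
    user, _, domain = address.partition("@")
    candidates = [address]
    if domain in MYDESTINATION:
        candidates.append(user)
    candidates.append("@" + domain)
    for key in candidates:
        if key in table:
            result = table[key]
            # "@otherdomain" as a result means "same user, other domain".
            return user + result if result.startswith("@") else result
    return address


def regexp_lookup(address, table=REGEXP_TABLE):
    """Regexp tables see the whole address once; no user/@domain sub-queries."""
    for pattern, result in table:
        m = re.match(pattern, address)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), result)
    return address


if __name__ == "__main__":
    for addr in ["root@seclorum.tla", "postmaster@seclorum.tla",
                 "postmaster@example.com", "bob@oldname.tla"]:
        print("hash  ", addr, "->", hash_lookup(addr))
    for addr in ["sales.bob@seclorum.tla", "list-bounces@seclorum.tla"]:
        print("regexp", addr, "->", regexp_lookup(addr))
```

Note the third hash case: the bare "postmaster" key does not fire for postmaster@example.com because that domain is not local, which is the behaviour that stops a bare-user entry from silently rewriting mail addressed to other people's domains.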