HOWTO: Replacing Sendmail with Postfix on FreeBSD 4.x

Glenn Sidman
email address
Updated: January 30, 2004




1.0 About This HOWTO

While Sendmail is well documented, offers many features, and is installed on FreeBSD by default, this document explains how to replace it. Why? Sendmail is large, complex, and has a long history of vulnerabilities. Though recent versions of Sendmail are more secure, it is still large and complex, and thus susceptible to many more new vulnerabilities. Microsoft has studied this concept in depth. Wietse Venema's Postfix offers a smaller and simpler replacement for Sendmail. I am neither a programmer nor a security guru; however, I have read praise for Wietse Venema's diligence in writing small, fast, and secure code.

This HOWTO focuses on replacing Sendmail with Postfix. I also hope to offer a starting point for those interested in tinkering with an Internet-accessible mailserver. If you are interested in the latter, please be aware that mail is a complex thing, and requires strong security awareness. A compromised mailserver can allow others to perform very annoying and sometimes illegal activities.

The following versions were used for this HOWTO:


2.0 Installing Postfix

Postfix can be built (compiled) with support for additional database and authentication mechanisms. So, before you begin, it would be best to have an idea of what you want Postfix to do. Of course, if you change your mind later, you can simply remove Postfix and rebuild it again. This HOWTO covers replacing Sendmail with Postfix. No fancy stuff here. For this HOWTO, it is not necessary to specify any additional configuration (compile) options during the installation. If, however, you later wish to add support for things such as SASL and/or TLS, you will need to rebuild. If Postfix will only handle local mail delivery, you can install without specifying any additional configuration options. If you are planning on adding support for encryption, you should add TLS support. If you want to allow external users to authenticate and relay mail, you may want to add SASL support. (A pop-before-smtp script can accomplish this as well.) I cover SASL in my HOWTO "Adding SASL to Postfix" if you are interested.

In the following, I will cover installing Postfix via the FreeBSD ports collection. I recommend using CVSup to update your ports prior to installing Postfix. Installation of the ports collection and CVSup are covered in my HOWTO "Installing CVSup and the Ports Collection". Now let's get to it. Issue the following to locate Postfix in the ports collection:

cd /usr/ports
make search name=postfix

Installation is quite simple. Change to the 'postfix-current' directory and run make install. (Note: postfix-current is the very latest production release, which is subject to change; however, it is not a beta release.) Running make install will download the source files, compile, and install. Immediately after issuing "make install" you will be presented with the "Postfix configuration options" menu. (This is just an easy way of adding compile options.)

cd /usr/ports/mail/postfix-current
make install

Postfix Configuration Options

In this example, I have selected TLS to provide support for encrypted passwords as well as SASL2 to provide an additional authentication layer capable of authenticating external connections/users. These are not needed for this HOWTO. However, if you do add them, they will not adversely affect Postfix's functionality unless you specifically turn them on in the Postfix configuration file. Of course, from a security standpoint: do not install stuff you will not use and maintain.

When Postfix is completing the installation, you will be asked the following questions. I chose 'yes' for both:

  1. You need user "postfix" added to group "mail". Would you like me to add it [y]? Select YES.
  2. Would you like to activate Postfix in /etc/mail/mailer.conf [n]? Select YES.

If you goofed and selected the default "NO" to activate Postfix in /etc/mail/mailer.conf, just manually change mailer.conf as shown below. The first is the original mailer.conf for Sendmail and the second is what the Postfix install would have created for you.

# ORIGINAL ==============================
# $FreeBSD: src/etc/mail/mailer.conf,v 1.2.2.1 2002/04/09 02:00:56 gshapiro Exp
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail        /usr/libexec/sendmail/sendmail
send-mail       /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail


# AFTER POSTFIX =========================
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail


Postfix is now installed. We just need to make a few configurations before we rouse up the Postfix daemon. For those who are interested, below are the primary changes made after installation.

Groups 'maildrop' and 'postfix' added.
User 'postfix' added.
The following files are modified and/or added:
/etc/group - CHANGED
/etc/master.passwd - CHANGED
/etc/spwd.db - CHANGED
/etc/pwd.db - CHANGED
/etc/passwd - CHANGED
/etc/mail/mailer.conf - CHANGED
/etc/mail/mailer.conf.old - ADDED (Postfix is being polite)
/usr/local/bin/pcregrep - ADDED
/usr/local/bin/pcretest - ADDED
/usr/local/bin/pcre-config - ADDED
/usr/local/bin/newaliases - ADDED
/usr/local/bin/mailq - ADDED
/usr/local/bin/rmail - ADDED
/usr/local/sbin/postalias - ADDED
/usr/local/sbin/postcat - ADDED
/usr/local/sbin/postconf - ADDED
/usr/local/sbin/postfix - ADDED
/usr/local/sbin/postkick - ADDED
/usr/local/sbin/postlock - ADDED
/usr/local/sbin/postlog - ADDED
/usr/local/sbin/postmap - ADDED
/usr/local/sbin/postsuper - ADDED
/usr/local/sbin/postdrop - ADDED
/usr/local/sbin/postqueue - ADDED
/usr/local/sbin/sendmail - ADDED


3.0 Configuring Postfix

The main configuration file for Postfix is "/usr/local/etc/postfix/main.cf". Caffeine is in order if you plan on reading the entire file. Happily, there are only a few changes we *must* make. The main.cf comments explain the options quite well. You may also want to read Postfix Configuration Basics at postfix.org. Below are the changes I made for a server externally accessible as mail.foo.org with an internal (real) name of bsd.rocks.local. (Newbie note: If you use a Windows text editor on an ASCII file (any Unix text file), you will need to remove the ^Ms from the end of each line. If you insist on using a Windows editor, you can usually strip the ^M by FTPing it back to the BSD box so long as you use ASCII or text mode.)

cd /usr/local/etc/postfix
cp main.cf main.cf.ori (Make a backup of the original if not already there)
ee main.cf

I have uncommented and/or edited the following for my server:

  # Comments go on their own lines; Postfix does not strip a trailing "# ..." from a value.
  # our external name
  myhostname = mail.foo.org
  # our external domain
  mydomain = foo.org
  myorigin = $mydomain
  mydestination = $myhostname, $mydomain, mail.$mydomain,
            localhost.rocks.local, bsd.rocks.local, rocks.local

Note that mydestination should appear to Postfix as if it were entirely on one line. Alternatively, you may begin a second line with white-space and Postfix will interpret this as one continuous line. This is something to keep in mind if you DO NOT want Postfix to interpret two options as one continuous line. If you have multiple interfaces and do not desire an SMTP Internet presence, you should also look at mynetworks. Adding notify_classes for everything, as shown below, may be helpful for troubleshooting. Again, please look at the config file comments for each change.

  notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
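
The line rules above, as an added example that is not part of the original HOWTO: a shell/awk resolver that joins main.cf lines the way postconf(5) describes (a line starting with whitespace continues the previous one, comment-only lines are skipped, and a "#" after a value is kept as part of the value) and reports values that absorbed something by accident. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve main.cf the way postconf(5) describes line handling.

# Constructed sample, not a real configuration: myhostname carries a trailing
# "#" remark and notify_classes is indented by mistake.
write_sample() {
    cat > "$1" <<'EOF'
# a comment on its own line is ignored
myhostname = mail.foo.org # our external name
mydestination = $myhostname, $mydomain,
    # comment lines do not end a continuation
    rocks.local
myorigin = $mydomain
  notify_classes = resource, software
EOF
}

# Join physical lines into logical lines: blank and comment-only lines are
# dropped; a line that starts with whitespace continues the previous one.
logical_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }' "$1"
}

# Print the effective value of parameter $2 in file $1 (last definition wins).
param_value() {
    logical_lines "$1" | awk -v want="$2" '
        { i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == want) last = v }
        END { print last }'
}

# Flag values that swallowed a "#" remark or a second "name = value".
lint() {
    logical_lines "$1" | awk '
        { v = substr($0, index($0, "=") + 1) }
        v ~ /[ \t]#/ { print "trailing # is part of the value: " $0; bad = 1 }
        v ~ /[ \t][a-z_0-9]+[ \t]*=/ { print "two parameters merged: " $0; bad = 1 }
        END { exit bad + 0 }'
}

f=$(mktemp) && write_sample "$f" && { lint "$f" || true; rm -f "$f"; }
```

In the sample, notify_classes never takes effect: its line is read as the tail of myorigin.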

In order to receive messages, such as the notify_classes messages, from Postfix (more specifically, the postfix user), you will need to configure an alias. The simplest is to add a postfix to root alias. You will then receive postfix messages to your root mail account. However, as most aliases point to root, you may want to alias the postfix user to root and then alias root to your mail account. Confused? Both methods are explained below. If you have never configured aliases, you may want to read the /etc/aliases file; it's a quick read.

ee /etc/aliases (FYI: this is actually a link to /etc/mail/aliases)

If not already there, add the following line:
postfix: root

Add the following if you wish to forward all of root's mail to your account:
root: you@your.domain (I believe there is a sample in the aliases file)

After editing /etc/aliases you will need to run 'newaliases'. This will update /etc/aliases.db.

newaliases

[I hope to add some assistance with DNS configuration here.]


4.0 Testing Postfix

First off, we must kill Sendmail. (Refer to the Sendmail documentation if you need to export mail for any users.) We will need to know Sendmail's PID and then we can kill it. (Newbie note: The 123 is the PID (Process ID). The PID can always be different. 123 is an example.)

ps -x | grep sendmail
    123   ?         sendmail (This is the output)

Now kill process 123 with:

kill 123

This should kill Sendmail. Now check Postfix with the following command:

postfix check (no output is good output)

Now start postfix with the following command:

postfix start

Postfix is now running (hopefully). You can verify a happy SMTP daemon by any of the following:

netstat -an (look for a listening TCP 25 port)
ps -x | grep postfix
telnet localhost 25

When you telnet to localhost 25, you should receive: "220 [your host name] ESMTP Postfix". Notice that [your host name] matches the 'myhostname' value in your main.cf file. This is the name your name server's MX record should point to.

5.0 Postfix Start-up Configuration

Now we just need to figure out how to start postfix on boot. If you are replacing Sendmail you have two options. If you want to keep Sendmail around, you will need to deal with mailwrappers. (I have never used mailwrappers and thus do not cover it). You will need to read the /usr/ports/mail/postfix-current/pkg-message. For your convenience, I have copied it below. (This is the message you may have noticed at the end of make install.)

If you have postfix configured in your /etc/mail/mailer.conf (answered yes to the previous question) and would like to enable postfix to start at boot time, please set these variables in your /etc/rc.conf file:

sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"

This will disable Sendmail completely.

Alternatively to the above settings, you can enable postfix to start with the other local services, for example, after your database server starts if you need it to be running for postfix. To do this, set in your rc.conf file:

sendmail_enable="NONE"

Then make the following symbolic link:

cd /usr/local/etc/rc.d
ln -s /usr/local/sbin/postfix postfix.sh

Also, you will want to disable some Sendmail-specific daily maintenance routines in your /etc/periodic.conf file:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

If you are using SASL, you need to make sure that postfix has access to read the sasldb file. This is accomplished by adding postfix to group mail and making the /usr/local/etc/sasldb* file(s) readable by group mail (this should be the default for new installs).

If you are upgrading from postfix version prior to 2.0, please see the README files for recommended changes to your configuration.

Alas, we have options. I have chosen the second method as someday I may prefer that Postfix not start before a database server. By that time, I will likely have forgotten how to do this. For the second option, make the following changes to rc.conf. For the first option, you are on your own.

cp /etc/rc.conf /etc/rc.conf.ori (backup for goof-ups)
ee /etc/rc.conf

Change sendmail_enable="YES" to sendmail_enable="NONE"

  YES = Enable Sendmail
  NO = Sendmail still starts! Sendmail stops accepting connections from other systems, but still runs for localhost mail services.
  NONE = Disable Sendmail completely

FreeBSD runs scripts in /usr/local/etc/rc.d on boot. In this case we are just creating a symbolic link rather than a script. (Newbie note: Symbolic link = Shortcut in Windows.)

cd /usr/local/etc/rc.d
ln -s /usr/local/sbin/postfix postfix.sh

If you have a 'periodic.conf' file, make the changes recommended above in the pkg-message; otherwise this doesn't appear to be needed.
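
A way to check the result of the steps above for the second start-up option, added here as an example and not taken from the original HOWTO or the port: it fails if any mailer.conf entry still runs the Sendmail binary, if sendmail_enable is anything other than NONE (including NO, which still starts Sendmail), or if the rc.d link is missing. Function names are hypothetical and the sample files are constructed; on a real system the three arguments would be /etc/mail/mailer.conf, /etc/rc.conf and /usr/local/etc/rc.d/postfix.sh.

```shell
# Added example: audit the switch to Postfix (start-up option 2, sendmail_enable="NONE").
# Every program mapped in mailer.conf ($1) must point at Postfix's sendmail.
check_mailer_conf() {
    awk -v want="/usr/local/sbin/sendmail" '
        /^[ \t]*#/ || NF < 2 { next }
        { n++ }
        $2 != want { print "mailer.conf: " $1 " still runs " $2; bad = 1 }
        END { if (!n) { print "mailer.conf: no entries found"; bad = 1 }
              exit bad + 0 }' "$1"
}

# Last value assigned to sendmail_enable in rc.conf ($1), quotes and remarks removed.
sendmail_enable_value() {
    sed -n 's/^[[:space:]]*sendmail_enable=//p' "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

check_rc_conf() {
    v=$(sendmail_enable_value "$1")
    case "$v" in
        NONE) return 0 ;;
        NO)   echo "rc.conf: sendmail_enable=NO still runs Sendmail for localhost mail" ;;
        "")   echo "rc.conf: sendmail_enable is not set here" ;;
        *)    echo "rc.conf: sendmail_enable=$v, expected NONE" ;;
    esac
    return 1
}

# $1 must be a symbolic link to the postfix command.
check_rc_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/usr/local/sbin/postfix" ] && return 0
    echo "rc.d: $1 is not a symlink to /usr/local/sbin/postfix"; return 1
}

# audit MAILER_CONF RC_CONF RC_LINK: run all checks, return 1 if any failed.
audit() {
    rc=0
    check_mailer_conf "$1" || rc=1
    check_rc_conf "$2" || rc=1
    check_rc_link "$3" || rc=1
    return $rc
}
# Constructed sample: a half-finished migration in a scratch directory.
d=$(mktemp -d)
printf 'sendmail /usr/local/sbin/sendmail\nmailq /usr/libexec/sendmail/sendmail\n' > "$d/mailer.conf"
printf 'sendmail_enable="NO"\n' > "$d/rc.conf"
ln -s /usr/local/sbin/postfix "$d/postfix.sh"
audit "$d/mailer.conf" "$d/rc.conf" "$d/postfix.sh" || echo "audit: fix the items above"
rm -rf "$d"
```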

If you are interested in connecting and retrieving mail from your new mail server with a POP3 client, you will need to add a POP3 server. You can check out my HOWTO "Adding POP3 to Postfix with akpop3d" if you are interested.

If you are interested in authenticating SMTP connections and allowing external clients to relay mail (for instance, you want to send an email message through your server while you are traveling), you can check out my HOWTO "Adding SASL to Postfix". Alternatively, you can search Google for information on adding a pop-before-smtp script.


6.0 Additional Resources

The Home of Postfix:
www.postfix.org

Postfix + TLS + SASL on FreeBSD by Tim Yocum:
http://yocum.org/faqs/postfix-tls-sasl.html



Please feel free to contact me with corrections or comments.

Glenn Sidman
email address