Upgrading Sendmail to Postfix on Solaris

Life is too short for Sendmail!

Background

No Sendmail wizards!
This article is about replacing the ancient Sendmail email server software with Postfix. About a year ago I upgraded my OpenSUSE-based web/file/dns/ntp/mail server to OpenSolaris.

That has worked out for the most part—especially having the ZFS filesystem. The part I missed though was having to go back to using Sendmail instead of Postfix for email. Postfix was written by Wietse Venema as a Sendmail replacement. Venema has also written TCP Wrappers and SATAN security software.

The uninitiated may wonder whether Sendmail is evil, and why. Well, here are a few reasons off the top of my head:

  • Configuration is difficult. Here are two samples from the sendmail.cf configuration file:
    V10/Sun
    Cwlocalhost
    Fw/etc/mail/local-host-names
    CP.
    DS'smtp-server.san.rr.com'
    CO -AT- % !
    C..
    C[[
    C{ResOk}OKR
    # . . .
    
    SHdrFromSMTP
    R$+                     $: $>PseudoToReal $1            sender/recipient common
    R:; <@>                 $@                              list:; special case
    R$* <@> $*              $@ $1 <@> $2                    pass null host through
    R< @ $* > $*            $@ < @ $1 > $2                  pass route-addr through
    R$*                     $: $>MasqSMTP $1                qualify unqual'ed names
    R$+                     $: $>MasqHdr $1                 do masquerading
    SMasqRelay
    R$+                     $: $>MasqSMTP $1
    R$+                     $: $>MasqHdr $1
    Msmtp,          P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
                    T=DNS/RFC822/SMTP,
                    A=TCP $h
    Mesmtp,         P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
    # . . .
    
    In fairness, this complexity can be partly hidden with m4 macros. Here's an example:
    VERSIONID(`@(#)sendmail.mc	1.11 (Sun) 06/21/04')
    OSTYPE(`solaris8')dnl
    DOMAIN(`solaris-antispam')dnl
    MASQUERADE_AS(`drydog.com')dnl
    FEATURE(`dnsbl', `sbl.spamhaus.org',`"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/sbl/"')dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    FEATURE(local_procmail)dnl
    MAILER(`local')dnl
    MAILER(`smtp')dnl
    MAILER(`procmail')dnl
    LOCAL_NET_CONFIG
    R$* < @ $* .$m. > $*	$#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
    
    However, the above is very position-dependent. Add a line in the wrong location and Sendmail breaks. Furthermore, when things go wrong you still have to debug the original sendmail.cf file, not the slightly-more-friendly sendmail.mc macro file.
  • Error messages are cryptic and require searching Google and Google Groups for hints about what they mean. For example, try figuring out what's wrong when you get this error message:
    550 5.1.2 <nameremoved@illinois-DOT-edu>... Host unknown (Name server: 127.0.0.1.com: host not found)
    
  • The Sendmail (or "bat" book), the "Bible" for Sendmail users, is 1308 pages long!
  • Sendmail has poor ("add-on") integration with useful filters such as SpamAssassin, Procmail, SSL certificates, and various Blackhole lists.
  • People who favor Sendmail seem to like gratuitous complexity. Sendmail experts tend to call themselves Wizards—as if complex, buggy, mysterious, hard-to-use software is acceptable!
  • Finally, life is short. Spending time on Sendmail is like dying a little bit sooner.

Although Postfix is not in OpenSolaris, a custom version of it is used by opensolaris.org to deliver email.

Installation

Postfix is available from a few sources. I used the one from Blastwave. Blastwave packages tend to be solid, but they also tend to install a lot of library packages that duplicate what's already in Solaris. Blastwave packages are not supported by Sun Microsystems. I won't repeat the steps to set up Blastwave. Instead, carefully follow the steps at http://www.blastwave.org/howto.html.

When complete, type these commands to add Procmail, along with SpamAssassin (useful mail filters):

pkg install SUNWprocmail # use pkg-get procmail for Solaris 10
pkg-get spamassassin
pkg-get postfix

Alternative Postfix ports are available. OpenCSW is a fork of Blastwave and has packages for Solaris 8 and later, including Postfix. The Postfix port by Dogan is popular, but I haven't tried it. For a list of Postfix ports, see http://www.postfix.org/packages.html. You can also download and compile the source from http://www.postfix.org/download.html. None of these are Sun-supported. If you know of other Postfix ports to Solaris, leave a comment.

Customization

After Postfix is installed, you only need to type "svcadm enable cswpostfix" to start it (after disabling Sendmail with svcadm disable sendmail). I (optionally) set up some links (for /etc/postfix), create a spool directory at /var/spool/postfix, and copy the aliases file over from Sendmail to Postfix:

# Disable sendmail (works for S10 or higher)
svcadm disable svc:/network/smtp:sendmail
# Enable NFS client (prerequisite for cswpostfix, even if not used)
svcadm enable nfs/client
# Change spool directory to /var/spool/postfix
mkdir /var/spool/postfix
chgrp postdrop /var/spool/postfix
cd /opt/csw/var/spool/postfix; find . -depth | cpio -pdm /var/spool/postfix
# Setup /etc/postfix link to configuration directory:
cd /etc; ln -s opt/csw/postfix
# Setup link for SpamAssassin spamc for easy access:
ln -s /opt/csw/bin/spamc /usr/bin
# Copy aliases from sendmail:
cp /etc/mail/aliases /etc/postfix
/opt/csw/bin/newaliases
# Allow Postfix sendmail to be used for a client for outgoing email:
chmod 755 /opt/csw/sbin/sendmail

Here are the (optional) changes I make to the Postfix /etc/postfix/main.cf configuration file (in bold). The main.cf file has lots of comments to explain what these lines mean. The host and domain name settings default to reasonable values, but I set them anyway, just to be sure they're correct. The other changes are for spam control.

# By default only IPv4 is enabled, this enables IPv6 if supported:
inet_protocols = all
queue_directory = /var/spool/postfix
command_directory = /opt/csw/sbin
daemon_directory = /opt/csw/libexec/postfix
mail_owner = postfix
myhostname = tahoma.drydog.com
mydomain = drydog.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
alias_maps = dbm:/etc/opt/csw/postfix/aliases
alias_database = dbm:/etc/opt/csw/postfix/aliases
mail_spool_directory = /var/mail
# Use /opt/csw/bin/procmail for Solaris 10:
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /opt/csw/sbin/sendmail
newaliases_path = /opt/csw/bin/newaliases
mailq_path = /opt/csw/bin/mailq
setgid_group = postdrop
html_directory = /opt/csw/share/doc/postfix/html
manpage_directory = /opt/csw/share/man
sample_directory = /opt/csw/share/doc/postfix/samples
readme_directory = /opt/csw/share/doc/postfix/README_FILES
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
	reject_rbl_client sbl.spamhaus.org,
	reject_rbl_client bl.spamcop.net,
	reject_unauth_destination,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain,
	reject_unauth_pipelining,
	reject_unknown_client,
	reject_invalid_hostname,
	reject_non_fqdn_hostname

Finally, I start Postfix and test it by sending myself email and receiving it, both locally and remotely (e.g., from Gmail or Yahoo). Errors and messages are logged to /var/log/syslog by default.

svcadm enable cswpostfix

When customizing Postfix, or software in general, I recommend changing just one thing at a time and verifying it works. Also, save old copies of the configuration files you modify, especially main.cf. Type svcadm refresh cswpostfix after modifying main.cf to have Postfix re-read the current version of main.cf.
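A check that can be rerun after each main.cf edit, as an added example that is not part of the original post: it reads smtpd_recipient_restrictions the way Postfix does (continuation lines joined, comments skipped) and confirms that reject_unauth_destination, the rule that stops the server relaying for strangers, is still present and that no permit rule other than permit_mynetworks is evaluated before it. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the relay rules in a Postfix main.cf.

# Print the value of one main.cf parameter, one token per line. A logical
# line continues on following lines that start with whitespace; comment and
# blank lines are skipped; the last definition of a parameter wins.
restrictions() {    # usage: restrictions FILE [PARAMETER]
    awk -v want="${2:-smtpd_recipient_restrictions}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (inparam) val = val " " $0; next }
        {
            inparam = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name == want) { inparam = 1; val = substr($0, eq + 1) }
        }
        END {
            n = split(val, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
        }' "$1"
}

# Verdict on stdout; exit status 0 = OK, 1 = relay check missing, 2 = a
# permit rule other than permit_mynetworks runs before the relay check.
audit_relay() {     # usage: audit_relay FILE
    restrictions "$1" | awk '
        $0 == "reject_unauth_destination" { found = 1; exit }
        /^permit/ && $0 != "permit_mynetworks" { early = early " " $0 }
        END {
            if (!found)      { print "FAIL: reject_unauth_destination missing"; exit 1 }
            if (early != "") { print "WARN: evaluated before relay check:" early; exit 2 }
            print "OK"
        }'
}

# Constructed sample: relay-relevant lines modelled on the main.cf above.
sample=$(mktemp)
printf '%s\n' 'mynetworks_style = subnet' \
    'smtpd_recipient_restrictions = permit_mynetworks,' \
    '    reject_rbl_client sbl.spamhaus.org,' \
    '    reject_unauth_destination,' \
    '    reject_non_fqdn_sender' > "$sample"
audit_relay "$sample"
rm -f "$sample"
```

On the live system, point it at the real file: audit_relay /etc/opt/csw/postfix/main.cf.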

For more information on Postfix use and configuration, see postfix.org's documentation and mailing lists. RFE 6386192 concerns adding Postfix to Solaris.

Comments:

I've been replacing Sendmail with Qmail on Solaris for at least 10 years. There has only been one issue that I've had and I don't know whether it is the same with Postfix.

Whenever I update the OS, the updating process will replace the sendmail executables. Qmail (and I assume Postfix) replace this with their own version, otherwise some programs won't be able to send mail.

This means that you have to remember to replace it each time you update the OS.

Posted by Gary Gendel on February 04, 2009 at 03:08 AM PST #

Gary,
One solution is to remove the Sendmail packages. Solaris 10: pkgrm SUNWsndmr SUNWsndmu
OpenSolaris: pkg uninstall SUNWsndm

Make sure these links still exist to Qmail or Postfix (or back up the links before removing the package). Here's what they are for Postfix, for example:

/usr/lib/sendmail -> /opt/csw/sbin/sendmail
/usr/bin/mailq -> /opt/csw/bin/mailq
/usr/bin/newaliases -> /opt/csw/bin/newaliases
/usr/sbin/sendmail -> ../lib/sendmail

- Dan

Posted by Daniel Anderson on February 04, 2009 at 04:11 AM PST #
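The link check from the exchange above, as an added example that is not part of the original comments: a POSIX sh function that reports when one of the four Sendmail-compatible entry points has been replaced by a regular file or points somewhere other than the Postfix targets listed. The function name and the optional ROOT prefix argument are hypothetical, added so the check can run against a staging tree.

```shell
#!/bin/sh
# Added example: verify that the Sendmail-compatible entry points still
# resolve to the Postfix binaries, e.g. after an OS update.

# Links as listed in the comment above: "path expected-target".
EXPECTED_LINKS='/usr/lib/sendmail /opt/csw/sbin/sendmail
/usr/bin/mailq /opt/csw/bin/mailq
/usr/bin/newaliases /opt/csw/bin/newaliases
/usr/sbin/sendmail ../lib/sendmail'

# check_mail_links [ROOT]: ROOT is a hypothetical prefix for checking a
# staging tree; empty means the live system. Returns 0 only if all links match.
check_mail_links() {
    root=${1:-}
    bad=0
    while read -r link want; do
        path=$root$link
        if [ ! -L "$path" ]; then
            if [ -e "$path" ]; then state="a regular file, not a link"; else state="missing"; fi
            echo "BAD: $link is $state"
            bad=$((bad + 1))
            continue
        fi
        # ls -l is used instead of readlink, which not every system ships.
        have=$(ls -l "$path" | sed 's/.* -> //')
        if [ "$have" != "$want" ]; then
            echo "BAD: $link -> $have (expected $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_LINKS
EOF
    echo "$bad problem(s)"
    [ "$bad" -eq 0 ]
}

# Run against the live system with: check_mail_links
```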

I set up sendmail for the first time yesterday on Solaris.

from a reduced networking install - it was simply pkgadding SUNWsndmu & r - and a host-name check , bam - it was working. add a few virtual users and update the hosts file and this is enough for me, for now.

things were pretty simple and this was the 2nd time I have ever installed sendmail.

now the hard part - IMAP - what is used (uw-imap,cyrus, dovecot) which one ?

Posted by phil on February 04, 2009 at 06:10 PM PST #

Phil,
I use uw-imap and I like it. UW is where the IMAP protocol originated and it's solid. I find Cyrus hard to set up. I have no experience with Dovecot.
Here's information on adding IMAP entries to /etc/inetd.conf if your package doesn't add them:
http://blogs.sun.com/DanX/entry/upgrading_a_linux_server_to
(scroll down to "IMAP")

Posted by Dan Anderson on February 04, 2009 at 11:39 PM PST #

Dan,

I always thought that removing the Sendmail package might work, I've just been lazy. Thanks for the confirmation.

Phil,

As for imap... I used uw-imap for a long time. It's robust and stable, but heavy on resources. About 2 years ago I switched to dovecot and I haven't looked back. It's fast, flexible, plus easy to set up and administer.

If you do try the Qmail route, I strongly recommend spamdyke. I switched to it from a homebrew spam system that I've been tuning for 10 years. This worked extremely well, but recently I saw a sharp increase in spam that got through. I tried spamdyke and it really did a great job of stopping just about all of them before they even hit my mail queue.

Gary

Posted by Gary Gendel on February 05, 2009 at 11:06 AM PST #

Hi Dan,

Wonderful blog and very useful.
I just blindly followed your instructions except for domain names and hostnames. I have been able to receive emails from Intranet as well as Internet.

However, I am not able to send emails to any user/host outside of my firewall. I am behind DSL/Router with dynamic IP address. I have port 25 punched for incoming traffic.

Also, I would like to set it up so that I do not get emails from the Internet (to avoid spam). However, I should be able to send emails to the Internet users.

I'll appreciate your help with it on S10 x86

Posted by ken on March 11, 2009 at 04:52 PM PDT #

Ken,
If you want to block incoming email, then you need to block TCP port 25 incoming at your firewall, so you're all set there. If you want to send email, make sure your firewall allows TCP/25 outgoing. You can quickly test this with something like: telnet gmail.com 25

If that's ok, check the /var/adm/messages for postfix errors. For detailed support, I would ask on lists such as http://www.postfix.org/lists.html
- Dan

Posted by Dan Anderson on March 12, 2009 at 09:28 AM PDT #

Jan Friedel has a blog entry showing how to integrate SASL+TLS with Postfix on OpenSolaris. See

http://blogs.sfbay.sun.com/jf/entry/yes_i_can_deliver_via
http://blogs.sfbay/jf/resource/20090327-postfix/20090326-postfix-on-snv.txt

- Dan

Posted by Dan Anderson on March 31, 2009 at 03:26 AM PDT #
