Need advice for setting up mail server

Doug Hardie doug at mail.sermon-archive.info
Sun Aug 7 16:25:08 UTC 2016


> On 7 August 2016, at 08:52, Steve O'Hara-Smith <steve at sohara.org> wrote:
> 
> On Sun, 7 Aug 2016 15:24:48 +0000
> Manish Jain <bourne.identity at hotmail.com> wrote:
> 
>> for me, the thing has to be easy to set up and maintain, rather than worry
>> too much about eavesdropping/MITM. Thanks for any advice. Manish Jain
> 
> 	I found it simplest to set up two MTAs (in jails) one for outgoing
> mail (allows relay from inside the LAN only, uses my ISP's SMTP server as a
> smarthost) running exim (I found it easy to configure) and one for incoming
> mail (sendmail delivering via procmail and spamassassin to dovecot for
> IMAP).
> 
> 	Separating the two directions made it very easy to think about the
> security of the configuration.

I recently switched a small business mail server from sendmail to postfix with dovecot.  It wasn't real simple, but it went together quite easily.  The wiki pages for both are extremely good.  I used one instantiation of postfix as it handles security quite well.  You designate which networks are trusted (local) and everything else is not.  You can set it up using dovecot's authentication so that remote users can be trusted also.  There apparently is also a tool to enable the user to maintain their sieve configuration via a browser although I have not tried that yet.  

I found it best to use dovecot's MDA from postfix so that pigeon sieve could be used during delivery.  That gives you features like vacation and automatic delivery to inboxes other than INBOX.  I did the initial setup one step at a time.  Get it working then add the next feature.

You do need to figure out which type of authentication you want at the beginning.  I used password file authentication as the number of users and turnover was not enough to warrant any of the more flexible approaches.  Both postfix and dovecot are dependent on the authentication.  Using dovecot's authentication for postfix made the setup a lot easier as you only have to get authentication working once.

For machines other than the mail server, I used postfix set up to forward all mail to a smart host.  That way the log files are all in the same format.  You will want to decide how to store the log file on the MTA.  I went with syslog into the same file for both postfix and dovecot.  That makes it a bit easier to trace what happened to a particular message.  I did have to add additional fields into the logging format for both though.  That was probably the most difficult configuration item.  It took a while to figure out which log format is used for which situations.
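
A sketch of the single-Postfix arrangement described in this message: trusted networks, Dovecot authentication for remote users, and delivery through Dovecot's MDA with Sieve. It is an added example, not the poster's configuration. The network range, file paths, password scheme and the use of system users for delivery are assumptions, and the Dovecot part uses 2.2/2.3 syntax.

```conf
# ---- Postfix: /usr/local/etc/postfix/main.cf (fragment) ----
# Trusted (local) networks; 192.0.2.0/24 is a placeholder for the LAN.
mynetworks = 127.0.0.0/8 192.0.2.0/24

# Hand SMTP AUTH to Dovecot so authentication is configured only once.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Path is relative to the Postfix queue directory (/var/spool/postfix).
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
# Offer AUTH only over TLS; requires smtpd_tls_cert_file/key_file to be set.
smtpd_tls_auth_only = yes

# Relay for trusted networks and authenticated users only. The final
# reject_unauth_destination is what keeps the server from being an open relay.
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Deliver through Dovecot's MDA so Sieve rules run at delivery time
# (assumes system users and the FreeBSD ports install path).
mailbox_command = /usr/local/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

# ---- Dovecot: /usr/local/etc/dovecot/dovecot.conf (fragment) ----
auth_mechanisms = plain login

# Password-file authentication, as chosen in the message above.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /usr/local/etc/dovecot/users
}

# Socket that Postfix's smtpd uses for SASL; restricted to the postfix user.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# Enable Pigeonhole Sieve (vacation, filing into other mailboxes) in the MDA.
protocol lda {
  mail_plugins = $mail_plugins sieve
}
```

After reloading both services, `postconf -n` and `doveconf -n` print the effective non-default settings, which makes it easy to confirm the relay restrictions and the auth socket are what was intended.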
