In this part I will focus on the mail server side of things, building on the base system that has already been installed.
Mail server components
For this we will be installing and configuring:
- cyrussasl-authd - allows adding authentication to postfix
- postfix - the mail transfer agent, MTA
- spamassassin - spam filtering
- procmail - processing mail messages
These are the basic components needed to run a mail server with authentication, some spam filtering and mail processing.
cyrussasl-authd
Let's start with cyrussasl-authd, which Postfix requires in order to support authentication. We will use the port security/cyrus-sasl2-saslauthd and install it the usual way:
# cd /usr/ports/security/cyrus-sasl2-saslauthd
# make config
# make install clean
With the installation complete, we need to configure Cyrus SASL for use by our server.
- We need to create a file named smtpd.conf, which Cyrus SASL reads when it works together with the Postfix MTA:
# vi /usr/local/lib/sasl2/smtpd.conf
and should contain the following 2 lines:
pwcheck_method: saslauthd
mech_list: plain login
The first line tells Cyrus SASL to use the SASL authentication server that we just installed, and the second line tells Cyrus SASL to announce the PLAIN and LOGIN methods when a client connects to the SMTP server.
- We need to enable the SASL authentication server to be started at boot time and then check that it is running as expected.
We configure it by editing the rc.conf file in the /etc directory:
# vi /etc/rc.conf
And we should add the following 2 lines to enable it to start on boot:
saslauthd_enable="YES"
saslauthd_flags="-a pam"
We save the changes and we can test it by doing:
# /usr/local/etc/rc.d/saslauthd start
# /usr/local/etc/rc.d/saslauthd status
And if the server is running you should get a similar output as the one below:
saslauthd is running as pid 36021.
Of course, the pid will most probably be different on your system.
Postfix - the MTA
As we are following the guide from the book referenced in the first part of this series, we should already have OpenSSL and Cyrus SASL installed, which allows us to use them with Postfix.
We will use the port mail/postfix, and the procedure is the same as for the others, but this time we need to make sure during the config step that TLS/SSL and SASL2 are selected in the options presented:
# cd /usr/ports/mail/postfix
# make config
# make install clean
During the installation you will be asked to add the user postfix to the group mail, and you should accept.
You will also be asked if you would like to activate postfix in /etc/mail/mailer.conf; you should say yes, and this will create the postfix-specific mailer.conf in /etc/mail.
With the installation done, it is time to go through the steps needed to configure the different parts of Postfix.
- We will start with the main parts of the main.cf file in /usr/local/etc/postfix, which you can open with:
# vi /usr/local/etc/postfix/main.cf
Around line 184 (in my case) you will find:
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
We should uncomment this line.
Further down, line ~273, you will find:
#mynetworks_style = host
If you want to allow relay from the local network/subnet with authentication, then you should uncomment this line.
A bit further down, line ~442, it should appear like this:
home_mailbox = Maildir/
The basic stuff is now in place, but as we want to have SASL with SSL encryption, we need to do a few more things.
- To enable Cyrus SASL2 we should jump to the end of the file and add the following config options:
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/usr/local/etc/sasldb2
smtpd_recipient_restrictions =
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
Note: Postfix configuration options that span multiple lines should have each continuation line preceded by at least one whitespace character, as above.
- Continuing at the end of the file, after the SASL configuration, we need to add the configuration that enables SSL encryption for the smtp and smtpd services.
We will add the following:
# smtp
smtp_tls_CAfile = /usr/local/etc/ssl/cert.pem
smtp_tls_cert_file = /usr/local/etc/letsencrypt/live/host.example.com/cert.pem
smtp_tls_key_file = /usr/local/etc/letsencrypt/live/host.example.com/privkey.pem
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache.db
smtp_tls_security_level = may
# smtpd
smtpd_tls_CAfile = /usr/local/etc/ssl/cert.pem
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/host.example.com/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/host.example.com/privkey.pem
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache.db
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
And we are done. We should now save and exit to complete the configuration that enables SASL authentication with SSL encryption.
- We now need to modify master.cf, located in /usr/local/etc/postfix, by opening it:
# vi /usr/local/etc/postfix/master.cf
and uncomment the following four lines, around line ~20:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
We should now save and exit.
- Independent of enabling SASL with SSL, we still need to finish the configuration related to email addresses and aliases. Open the aliases file located at /etc/mail/aliases:
# vi /etc/mail/aliases
Scroll to around line 20, where you should forward the root account's email to a mailbox, for example:
root: username@example.com
Save and exit. We then need to update aliases.db with the changes we made above, by issuing the command:
# newaliases
- The final steps are to configure Postfix to start at boot and to make sure the default MTA that comes with FreeBSD, sendmail, is disabled. We do this by editing rc.conf:
# vi /etc/rc.conf
And we should add the following configuration options:
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
The first option enables postfix at boot, and the others disable sendmail. Same as before, save and exit.
One last change is to adjust the configuration of the daily periodic scripts so that the unnecessary sendmail-related tasks are removed.
For this we should create a periodic.conf in /etc, in case it doesn't exist, and make sure it contains the following options:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
And save and exit.
- Now that we should have everything configured, we can go ahead and kill the sendmail process that might still be running and start the postfix daemon.
One way to kill sendmail is to find its process id and issue a kill command, and then start postfix:
# kill "pid of sendmail"
# /usr/local/etc/rc.d/postfix start
Note: In case postfix is not activated in /usr/local/etc/mail/mailer.conf, we should run the following commands to do so:
# mv /usr/local/etc/mail/mailer.conf /usr/local/etc/mail/mailer.conf.old
# install -d /usr/local/etc/mail
# install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
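An added check for the SASL and TLS settings configured above (not part of the original guide): since mech_list offers only PLAIN and LOGIN, which carry the password merely base64-encoded, smtpd_tls_auth_only = yes is the setting that keeps credentials off unencrypted connections. The function names and the sample file are constructed for illustration; pass the path to your own main.cf as the first argument.

```shell
#!/bin/sh
# Emit name=value pairs; lines starting with whitespace continue the previous one.
maincf_params() {
    awk '
        function emit() { if (name != "") print name "=" val }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); val = val " " $0; next }
        {
            emit(); eq = index($0, "=")
            if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { emit() }
    ' "$1"
}

# Value of one parameter; the last assignment wins, as in Postfix itself.
maincf_get() {
    maincf_params "$1" | awk -v n="$2" '
        index($0, n "=") == 1 { v = substr($0, length(n) + 2) }
        END { sub(/^ +/, "", v); print v }'
}

# Check each name:word pair; print one FAIL line per missing setting.
audit_maincf() {
    bad=0
    for want in smtpd_sasl_auth_enable:yes smtpd_tls_auth_only:yes \
        smtpd_sasl_security_options:noanonymous \
        smtpd_recipient_restrictions:reject_unauth_destination; do
        case " $(maincf_get "$1" "${want%%:*}" | tr ',' ' ') " in
            *" ${want#*:} "*) ;;
            *) echo "FAIL: ${want%%:*} must include ${want#*:}"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the guide's settings with smtpd_tls_auth_only left out.
sample=$(mktemp "${TMPDIR:-/tmp}/maincf.XXXXXX")
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
EOF
audit_maincf "${1:-$sample}" || echo "main.cf needs attention"
rm -f "$sample"
```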
spamassassin - spam filtering
We are going through the same process as for the other software pieces, and we will use the spamassassin port located in the ports/mail directory:
# cd /usr/ports/mail/spamassassin
# make config
# make install clean
Once again, as a starting point, we leave the default options untouched and install it. As we are only using the default options for now, we will also keep the spamassassin configuration simple, just enough to meet our needs:
- We will need a short script that will be called by Postfix when a new mail arrives. This script will send the email to spamassassin for analysis and then redirect the result back into the mail system for delivery:
# cd /usr/local/bin
# touch spamd.sh
# chmod 555 spamd.sh
# vi spamd.sh
And it should contain these lines:
#! /bin/sh
/usr/local/bin/spamc | /usr/local/sbin/sendmail -i "$@"
- We need to configure Postfix to pipe new email messages through the script we just created, and we will do this by modifying the master.cf file:
# vi /usr/local/etc/postfix/master.cf
Around line 10 or so, you will find the smtp declaration. We should add the content_filter option to it, so that it looks like this:
smtp inet n - n - - smtpd
  -o content_filter=spamd:
Now we should go to the end of the file and add a declaration for Postfix to call the spamd.sh script:
spamd unix - n n - - pipe
  flags=Rq user=spamd argv=/usr/local/bin/spamd.sh
  -f ${sender} -- ${recipient}
Save and exit. We should now reload the Postfix configuration files by issuing the command:
# postfix reload
- The last step is the same as before: enable spamassassin to start at boot. For that we should add the following options to the /etc/rc.conf file:
spamd_enable="YES"
spamd_flags="-u spamd -H /var/spool/spamd"
And we can now start spamassassin by doing:
# /usr/local/etc/rc.d/sa-spamd start
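A more defensive variant of spamd.sh, added here as an example and not part of the original guide: in the one-line pipeline the exit status is sendmail's alone, so a spamc that fails or emits nothing still gets its output re-injected. This version spools the filtered message first and exits with 75 (EX_TEMPFAIL), which Postfix's pipe(8) treats as a deferral. The function name and the SPAMC/SENDMAIL override variables are assumptions for illustration.

```shell
#!/bin/sh
SPAMC=${SPAMC:-/usr/local/bin/spamc}
SENDMAIL=${SENDMAIL:-/usr/local/sbin/sendmail}
EX_TEMPFAIL=75   # pipe(8) defers the message and retries later on this status

# Read one message on stdin, filter it, then re-inject it with the sendmail
# arguments passed by master.cf (-f sender -- recipients).
filter_and_reinject() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/spamd.XXXXXX") || return $EX_TEMPFAIL
    rc=$EX_TEMPFAIL
    # Only hand the message to sendmail if spamc succeeded and wrote something.
    if "$SPAMC" > "$tmp" && [ -s "$tmp" ]; then
        rc=0
        "$SENDMAIL" -i "$@" < "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run only when installed under the name used in master.cf.
case $0 in
    */spamd.sh) filter_and_reinject "$@"; exit $? ;;
esac
```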
procmail - processing mail messages
The last piece in our setup is to install the procmail port. Procmail is a mail filter, or Mail Delivery Agent (MDA), that processes incoming email according to a set of rules or actions, which can be used to forward email to another address or, in our case, to move email flagged as spam to a Junk folder.
To start the installation process using the procmail port, we do:
# cd /usr/ports/mail/procmail
# make config
# make install clean
During the installation you might be prompted to add some directories to the test-lock routines, but we should accept the defaults.
After installation is done we need to configure it.
- We will need a global configuration file, i.e. one that will affect all users, to route the email flagged as spam by SpamAssassin to a subfolder of each user's inbox called Junk:
# vi /usr/local/etc/procmailrc
The following lines should be added:
# Environment Variables
MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/
DROPPRIVS = yes
LOGFILE=$HOME/proc.log
# Spam to Junk Recipe
:0
*^X-Spam-Status: Yes
.Junk/
Then the usual save and exit.
- We need to add a line to Postfix's main.cf to specify Procmail as the local mail delivery agent:
# vi /usr/local/etc/postfix/main.cf
And at the end of the file we should add this line:
mailbox_command = /usr/local/bin/procmail
We save and exit, and we then should again reload Postfix's configuration with:
# postfix reload
We now have the basic elements for receiving email as well as sending, and of course also for filtering spam when it arrives.
My usual last step will be to reboot the system and make sure that everything starts and works as expected.