Upgrading Sendmail to Postfix on Solaris
Life is too short for Sendmail!
No Sendmail wizards!
The uninitiated may wonder: is Sendmail evil, and why? Well, here are a few reasons off the top of my head:
V10/Sun
Cwlocalhost
Fw/etc/mail/local-host-names
CP.
DS'smtp-server.san.rr.com'
CO -AT- % !
C..
C[[
C{ResOk}OKR
# . . .
SHdrFromSMTP
R$+ $: $>PseudoToReal $1 sender/recipient common
R:; <@> $@ list:; special case
R$* <@> $* $@ $1 <@> $2 pass null host through
R< @ $* > $* $@ < @ $1 > $2 pass route-addr through
R$* $: $>MasqSMTP $1 qualify unqual'ed names
R$+ $: $>MasqHdr $1 do masquerading
SMasqRelay
R$+ $: $>MasqSMTP $1
R$+ $: $>MasqHdr $1
Msmtp, P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
	T=DNS/RFC822/SMTP,
	A=TCP $h
Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
# . . .
VERSIONID(`@(#)sendmail.mc 1.11 (Sun) 06/21/04')
OSTYPE(`solaris8')dnl
DOMAIN(`solaris-antispam')dnl
MASQUERADE_AS(`drydog.com')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org',`"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/sbl/"')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
FEATURE(local_procmail)dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
LOCAL_NET_CONFIG
R$* < @ $* .$m. > $* $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
550 5.1.2 <nameremoved@illinois-DOT-edu>... Host unknown (Name server: 127.0.0.1.com: host not found)
Although Postfix is not in OpenSolaris, a custom version of it is used by opensolaris.org to deliver email.
Postfix is available from a few sources. I used the one from Blastwave. Blastwave packages tend to be solid, but they also tend to install a lot of library packages that duplicate what's already in Solaris. Blastwave packages are not supported by Sun Microsystems. I won't repeat the steps to set up Blastwave. Instead, carefully follow the steps at http://www.blastwave.org/howto.html
When complete, type these commands to add Procmail, along with SpamAssassin (useful mail filters):
pkg install SUNWprocmail # use pkg-get procmail for Solaris 10
pkg-get spamassassin
pkg-get postfix
Other Postfix ports are available. OpenCSW is a fork of Blastwave and has packages for Solaris 8 and later, including Postfix. The Postfix port by Dogan is popular, but I haven't tried it. See http://www.postfix.org/packages.html for a list of Postfix ports. You can also download and compile the source from http://www.postfix.org/download.html (neither is Sun-supported). If you know of other Postfix ports to Solaris, leave a comment.
After Postfix is installed, you only need to type "svcadm enable cswpostfix" to start it (after disabling sendmail with svcadm disable sendmail). I (optionally) set up some links (for /etc/postfix) and a spool directory at /var/spool/postfix, and copy over the aliases file from Sendmail to Postfix:
# Disable sendmail (works for S10 or higher)
svcadm disable svc:/network/smtp:sendmail
# Enable NFS client (prerequisite for cswpostfix, even if not used)
svcadm enable nfs/client
# Change spool directory to /var/spool/postfix
mkdir /var/spool/postfix
chgrp postdrop /var/spool/postfix
cd /opt/csw/var/spool/postfix; find . -depth | cpio -pdm /var/spool/postfix
# Set up /etc/postfix link to configuration directory:
cd /etc; ln -s opt/csw/postfix
# Set up link for SpamAssassin spamc for easy access:
ln -s /opt/csw/bin/spamc /usr/bin
# Copy aliases from sendmail:
cp /etc/mail/aliases /etc/postfix
/opt/csw/bin/newaliases
# Allow Postfix sendmail to be used for a client for outgoing email:
chmod 755 /opt/csw/sbin/sendmail
Here are the (optional) changes I make to the Postfix /etc/postfix/main.cf configuration file (in bold). The main.cf file has lots of comments to explain what these lines mean. The host and domain name settings default to reasonable values, but I set them anyway, just to be sure they're correct. Other changes are for spam control.
# By default only IPv4 is enabled, this enables IPv6 if supported:
inet_protocols = all
queue_directory = /var/spool/postfix
command_directory = /opt/csw/sbin
daemon_directory = /opt/csw/libexec/postfix
mail_owner = postfix
myhostname = tahoma.drydog.com
mydomain = drydog.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
alias_maps = dbm:/etc/opt/csw/postfix/aliases
alias_database = dbm:/etc/opt/csw/postfix/aliases
mail_spool_directory = /var/mail
# Use /opt/csw/bin/procmail for Solaris 10:
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
	PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /opt/csw/sbin/sendmail
newaliases_path = /opt/csw/bin/newaliases
mailq_path = /opt/csw/bin/mailq
setgid_group = postdrop
html_directory = /opt/csw/share/doc/postfix/html
manpage_directory = /opt/csw/share/man
sample_directory = /opt/csw/share/doc/postfix/samples
readme_directory = /opt/csw/share/doc/postfix/README_FILES
smtpd_helo_required = yes
smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_rbl_client sbl.spamhaus.org,
	reject_rbl_client bl.spamcop.net,
	reject_unauth_destination,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain,
	reject_unauth_pipelining,
	reject_unknown_client,
	reject_invalid_hostname,
	reject_non_fqdn_hostname
Finally, I start Postfix and test it by sending and receiving emails to myself locally and remotely (e.g., from Gmail or Yahoo). Errors and messages are logged to /var/log/syslog by default.
svcadm enable cswpostfix
When customizing Postfix, or software in general, I recommend changing just one thing at a time and verifying it works. Also, save old copies of the configuration files you modify, especially main.cf. Type svcadm refresh cswpostfix after modifying main.cf to have Postfix re-read the current version of main.cf.
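A pre-flight check to run on main.cf before svcadm refresh cswpostfix, added here as an example and not part of the original post: it reads the file the way Postfix does (comments, continuation lines, last setting wins) and confirms that reject_unauth_destination is reached before anything that could accept mail for foreign domains. The function names and the sample file are constructed, and it assumes relay control lives in smtpd_recipient_restrictions as in the configuration above; on a live host, postconf -h smtpd_recipient_restrictions prints the value Postfix actually uses.

```sh
# Added example, not from the original post. POSIX shell; on Solaris 10 run
# it with ksh or bash and substitute nawk (old /usr/bin/awk has no -v).

# Print one main.cf parameter as a space-separated list. Postfix rules:
# '#' and blank lines are skipped, a line starting with whitespace continues
# the previous logical line, and the last setting of a name wins.
maincf_value() {    # usage: maincf_value FILE PARAMETER
    awk -v want="$2" '
        function flush() { if (name == want) last = val }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { val = val " " $0; next }
        { flush(); eq = index($0, "=")
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          val = substr($0, eq + 1) }
        END { flush(); gsub(/[ \t,]+/, " ", last)
              sub(/^ /, "", last); sub(/ $/, "", last); print last }
    ' "$1"
}

# 0: reject_unauth_destination is reached first; 1: open-relay risk;
# 2: an access map precedes it and could return OK, so a human must review.
check_relay_guard() {    # usage: check_relay_guard FILE
    for r in $(maincf_value "$1" smtpd_recipient_restrictions); do
        case $r in
            reject_unauth_destination) return 0 ;;
            permit) echo "bare permit before relay check" >&2; return 1 ;;
            check_*_access) echo "review: $r precedes relay check" >&2; return 2 ;;
        esac
    done
    echo "reject_unauth_destination is not set" >&2
    return 1
}

sample_maincf() {    # constructed sample, abridged from the post's main.cf
    cat <<'EOF'
myhostname = tahoma.drydog.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    # constructed comment: skipped without ending the continuation
    reject_rbl_client sbl.spamhaus.org,
    reject_unauth_destination,
    reject_non_fqdn_sender
EOF
}

tmp=${TMPDIR:-/tmp}/main.cf.$$
sample_maincf > "$tmp"
check_relay_guard "$tmp" && echo "relay guard in place"
rm -f "$tmp"
```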
For more information on Postfix use and configuration, see postfix.org's documentation and mailing lists. RFE 6386192 concerns adding Postfix to Solaris.
Posted at 03:55PM Jan 06, 2009 by DanX in Solaris | Comments[8]
I've been replacing Sendmail with Qmail on Solaris for at least 10 years. There has only been one issue that I've had and I don't know whether it is the same with Postfix.
Whenever I update the OS, the updating process will replace the sendmail executables. Qmail (and I assume Postfix) replace this with their own version, otherwise some programs won't be able to send mail.
This means that you have to remember to replace it each time you update the OS.
Posted by Gary Gendel on February 04, 2009 at 11:08 AM PST #
Gary,
One solution is to remove the Sendmail packages.
Solaris 10: pkgrm SUNWsndmr SUNWsndmu
OpenSolaris: pkg uninstall SUNWsndm
Make sure these links still exist to Qmail or Postfix (or back up the links before removing the package). Here's what they are for Postfix, for example:
/usr/lib/sendmail -> /opt/csw/sbin/sendmail
/usr/bin/mailq -> /opt/csw/bin/mailq
/usr/bin/newaliases -> /opt/csw/bin/newaliases
/usr/sbin/sendmail -> ../lib/sendmail
- Dan
Posted by Daniel Anderson on February 04, 2009 at 12:11 PM PST #
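The problem Gary describes (an OS update putting Sendmail's binaries back) can be caught by checking the four links Dan lists after every update. The following is an added example, not part of either comment; the ROOT argument, the function names and the scratch tree are constructed for illustration.

```sh
# Added example, not from the original comments. POSIX shell; on Solaris 10
# run it with ksh or bash. ROOT is a hypothetical prefix so the check can be
# tried on a scratch tree; omit it to check the live system.
check_mta_links() {    # usage: check_mta_links [ROOT]; returns 0 if all intact
    root=${1:-}
    rc=0
    # Expected links as listed in the comment above: LINK TARGET
    while read -r link want; do
        path=$root$link
        if [ ! -h "$path" ]; then
            # A reinstalled Sendmail leaves a regular file (or nothing) here.
            echo "REPLACED: $link is not a symlink (expected -> $want)"
            rc=1
            continue
        fi
        # ls -l instead of readlink, which is not available everywhere
        got=$(ls -l "$path" | sed 's/^.* -> //')
        if [ "$got" != "$want" ]; then
            echo "RETARGETED: $link -> $got (expected -> $want)"
            rc=1
        fi
    done <<'EOF'
/usr/lib/sendmail /opt/csw/sbin/sendmail
/usr/bin/mailq /opt/csw/bin/mailq
/usr/bin/newaliases /opt/csw/bin/newaliases
/usr/sbin/sendmail ../lib/sendmail
EOF
    return $rc
}

make_scratch_tree() {    # constructed tree holding the same four links
    mkdir -p "$1/usr/lib" "$1/usr/bin" "$1/usr/sbin"
    ln -s /opt/csw/sbin/sendmail "$1/usr/lib/sendmail"
    ln -s /opt/csw/bin/mailq "$1/usr/bin/mailq"
    ln -s /opt/csw/bin/newaliases "$1/usr/bin/newaliases"
    ln -s ../lib/sendmail "$1/usr/sbin/sendmail"
}

scratch=$(mktemp -d) && make_scratch_tree "$scratch" &&
    check_mta_links "$scratch" && echo "all four links intact"
rm -rf "$scratch"
```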
I set up sendmail for the first time yesterday on Solaris.
From a reduced networking install - it was simply pkgadding SUNWsndmu & r - and a host-name check, bam - it was working. Add a few virtual users and update the hosts file and this is enough for me, for now.
Things were pretty simple and this was the 2nd time I have ever installed sendmail.
Now the hard part - IMAP - what is used (uw-imap, cyrus, dovecot), which one?
Posted by phil on February 05, 2009 at 02:10 AM PST #
Phil,
I use uw-imap and I like it. UW is where the IMAP protocol originated and it's solid. I find Cyrus hard to set up. I have no experience with Dovecot.
Here's information on adding IMAP entries to /etc/inetd.conf if your package doesn't add them:
http://blogs.sun.com/DanX/entry/upgrading_a_linux_server_to
(scroll down to "IMAP")
Posted by Dan Anderson on February 05, 2009 at 07:39 AM PST #
Dan,
I always thought that removing the Sendmail package might work, I've just been lazy. Thanks for the confirmation.
Phil,
As for imap... I used uw-imap for a long time. It's robust and stable, but heavy on resources. About 2 years ago I switched to dovecot and I haven't looked back. It's fast, flexible, plus easy to set up and administer.
If you do try the Qmail route, I strongly recommend spamdyke. I switched to it from a homebrew spam system that I've been tuning for 10 years. This worked extremely well, but recently I saw a sharp increase in spam that got through. I tried spamdyke and it really did a great job of stopping just about all of them before they even hit my mail queue.
Gary
Posted by Gary Gendel on February 05, 2009 at 07:06 PM PST #
Hi Dan,
Wonderful blog and very useful.
I just blindly followed your instructions except for domain names and hostnames. I have been able to receive emails from Intranet as well as Internet.
However, I am not able to send emails to any user/host outside of my firewall. I am behind DSL/Router with dynamic IP address. I have port 25 punched for incoming traffic.
Also, I would like to set it up so that I do not get emails from the Internet (to avoid spam). However, I should be able to send emails to the Internet users.
I'll appreciate your help with it on S10 x86.
Posted by ken on March 11, 2009 at 11:52 PM PDT #
Ken,
If you want to block incoming email, then you need to block TCP port 25 incoming at your firewall, so you're all set there. If you want to send email, make sure your firewall allows TCP/25 outgoing. You can quickly test this with something like: telnet gmail.com 25
If that's ok, check the /var/adm/messages for postfix errors. For detailed support, I would ask on lists such as http://www.postfix.org/lists.html
- Dan
Posted by Dan Anderson on March 12, 2009 at 04:28 PM PDT #
Jan Friedel has a blog entry showing how to integrate SASL+TLS with Postfix on OpenSolaris. See
http://blogs.sfbay.sun.com/jf/entry/yes_i_can_deliver_via
http://blogs.sfbay/jf/resource/20090327-postfix/20090326-postfix-on-snv.txt
- Dan
Posted by Dan Anderson on March 31, 2009 at 10:26 AM PDT #