Phase 2: Postfix MTA
Objective
Install and configure postfix as the Mail Transfer Agent. SMTP reception on port 25, authenticated submission on port 587, TLS via Vault-issued certificate.
Concepts
| Term | Meaning |
|---|---|
| MTA (Mail Transfer Agent) | Software that transfers mail between servers over SMTP. Postfix is the MTA in this build. |
| SMTP (Simple Mail Transfer Protocol) | Protocol for moving mail. Port 25 is server-to-server relay; port 587 is the submission port, where clients hand mail to their own MTA and are expected to authenticate. |
| STARTTLS | Upgrades an established plaintext SMTP session to TLS after the server advertises it in its EHLO reply. Not the same as implicit TLS (SMTPS on 465, encrypted from the first byte); a client that does not insist on STARTTLS can be downgraded to plaintext. |
| Relay | Accepting mail for a destination that is not local and forwarding it on. An open relay does this for anyone, and will be found and abused for spam. |
| mynetworks | Postfix parameter listing the client networks that `permit_mynetworks` lets relay without authentication. Keep it to the hosts that actually need it. |
| SASL | Authentication framework. Postfix uses it (here through Cyrus SASL) to verify client credentials on the submission port. |
Installation
sudo dnf install -y postfix cyrus-sasl cyrus-sasl-plain
sudo systemctl enable --now postfix
Vault TLS Certificate
# Issue certificate from Vault PKI. The JSON contains the private key, so write it with a
# restrictive umask and do not tee it to the terminal. The role's max_ttl may cap the 8760h.
(umask 077; vault write -format=json pki_int/issue/domus-server \
    common_name="mail-01.inside.domusdigitalis.dev" \
    alt_names="mail-01" \
    ttl="8760h" > /tmp/mail-cert.json)
# Extract cert and key. Clients only receive what is in smtpd_tls_cert_file, so the issuing
# (intermediate) CA goes there after the server certificate, or they cannot build a chain to the Vault root.
sudo mkdir -p -m 0700 /etc/ssl/private   # create only if the system does not ship it
jq -r '.data.certificate, .data.issuing_ca' /tmp/mail-cert.json | sudo tee /etc/ssl/certs/mail-01.crt >/dev/null
jq -r '.data.private_key' /tmp/mail-cert.json | sudo tee /etc/ssl/private/mail-01.key >/dev/null
jq -r '.data.issuing_ca' /tmp/mail-cert.json | sudo tee /etc/ssl/certs/mail-01-ca.crt >/dev/null
sudo chmod 644 /etc/ssl/certs/mail-01.crt /etc/ssl/certs/mail-01-ca.crt
# Root-only is correct: smtpd loads the key as root before dropping privileges
sudo chmod 600 /etc/ssl/private/mail-01.key
# Clean up the key material left in /tmp
rm -f /tmp/mail-cert.json
Core Configuration (main.cf)
# Before
sudo postconf -n | head -20
# Key parameters
sudo postconf -e "myhostname = mail-01.inside.domusdigitalis.dev"
sudo postconf -e "mydomain = inside.domusdigitalis.dev"
sudo postconf -e "myorigin = \$mydomain"
sudo postconf -e "inet_interfaces = all"
# Domains delivered locally (to ~/Maildir); anything else is relay and goes through smtpd_relay_restrictions
sudo postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain"
# Every host in these ranges may relay without authenticating (permit_mynetworks).
# Keep it to the subnet that really needs it; never widen it to 0.0.0.0/0.
sudo postconf -e "mynetworks = 10.50.1.0/24, 127.0.0.0/8"
sudo postconf -e "home_mailbox = Maildir/"
# TLS for inbound SMTP (smtpd_*). Outbound TLS (smtp_tls_*) is not configured in this phase.
# The cert file must hold the server cert followed by the issuing CA so clients get the full chain.
sudo postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/mail-01.crt"
sudo postconf -e "smtpd_tls_key_file = /etc/ssl/private/mail-01.key"
# Trust anchors for verifying client certificates; the Postfix docs prefer shipping the
# server chain in the cert file itself rather than relying on this to augment it
sudo postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/mail-01-ca.crt"
# Opportunistic TLS is right for port 25 (peer MTAs may not do TLS at all).
# Mandatory TLS is set per-service on 587 in master.cf.
sudo postconf -e "smtpd_tls_security_level = may"
# Level 1 logs a handshake summary (protocol, cipher) without per-connection detail
sudo postconf -e "smtpd_tls_loglevel = 1"
# After
sudo postconf -n | head -20
Submission Port (master.cf)
Enable authenticated submission on port 587. Uncommenting the distribution's sample block with a sed range is fragile: the end pattern has to match the file's exact whitespace (`#  -o` with two spaces in the stock master.cf), and if it never matches the range runs to end of file and uncomments every sample service below it. Defining the service with postconf edits master.cf in place and is idempotent:
# Add the submission service (chroot column n, matching the smtp/inet entry on RHEL-family systems)
sudo postconf -Me 'submission/inet = submission inet n - n - - smtpd'
# Per-service overrides: TLS mandatory, AUTH only offered inside TLS, relay only for authenticated clients
sudo postconf -Pe \
    'submission/inet/syslog_name=postfix/submission' \
    'submission/inet/smtpd_tls_security_level=encrypt' \
    'submission/inet/smtpd_sasl_auth_enable=yes' \
    'submission/inet/smtpd_tls_auth_only=yes' \
    'submission/inet/smtpd_reject_unlisted_recipient=no' \
    'submission/inet/smtpd_relay_restrictions=permit_sasl_authenticated,reject'
# Verify
sudo postconf -Mf submission/inet
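Turning on `smtpd_sasl_auth_enable` for 587 only makes Postfix offer AUTH; something still has to check the credentials. The script below is an added example, not part of the original runbook, that wires the Cyrus SASL backend through saslauthd and PAM (so the Linux account that owns `~/Maildir` is the one that authenticates) and then checks an AUTH PLAIN login inside STARTTLS on 587. It assumes RHEL-family paths (`/etc/sasl2/smtpd.conf`, saslauthd from the `cyrus-sasl` package installed above, its default `MECH=pam`) and the host address 10.50.1.91 from this page; the account name is an argument and the password is prompted for or taken from `MAIL_PASS`.

```shell
#!/usr/bin/env bash
# Added example (not from the original runbook): give the submission port a working SASL
# backend (Cyrus SASL -> saslauthd -> PAM) and check AUTH PLAIN over STARTTLS.
# Assumptions: RHEL-family paths, saslauthd from the cyrus-sasl package, mail host 10.50.1.91.
MAIL_HOST=${MAIL_HOST:-10.50.1.91}

# SASL PLAIN initial response: base64("\0" authcid "\0" password), authzid left empty.
sasl_plain_token() {
  printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reply code that answered AUTH in a transcript: 235 success, 535 bad credentials,
# 530 "Must issue a STARTTLS command first", 503 AUTH not enabled on this port.
auth_reply_code() {
  printf '%s\n' "$1" | grep -E '^(235|535|530|503) ' | head -n 1 | cut -c1-3
}

get_pass() {  # prompt instead of taking the password on the command line (ps, history)
  if [ -n "${MAIL_PASS:-}" ]; then printf '%s' "$MAIL_PASS"; return; fi
  printf 'Password for %s: ' "$1" >&2; IFS= read -rs p; echo >&2; printf '%s' "$p"
}

apply_sasl_config() {
  # Config Cyrus SASL loads for the application name "smtpd" (Postfix default smtpd_sasl_path)
  sudo tee /etc/sasl2/smtpd.conf >/dev/null <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
  # saslauthd verifies against PAM (MECH=pam in /etc/sysconfig/saslauthd by default)
  sudo systemctl enable --now saslauthd
  sudo postconf -e 'smtpd_sasl_type = cyrus' 'smtpd_sasl_security_options = noanonymous'
  sudo systemctl reload postfix
  # Check the backend on its own before involving Postfix
  sudo testsaslauthd -u "$1" -p "$2" -s smtpd
}

# AUTH PLAIN inside TLS on 587. -quiet implies -ign_eof, so s_client stays up until the
# server closes after QUIT; the sleeps pace our dialogue behind s_client's own STARTTLS.
probe_auth() {
  token=$(sasl_plain_token "$1" "$2")
  { sleep 1; printf 'EHLO probe.inside.domusdigitalis.dev\r\n'; sleep 1
    printf 'AUTH PLAIN %s\r\n' "$token"; sleep 1; printf 'QUIT\r\n'; } |
    openssl s_client -quiet -starttls smtp -connect "$MAIL_HOST:587" 2>/dev/null
}

case "${1:-}" in
  apply) apply_sasl_config "$2" "$(get_pass "$2")" ;;
  probe) code=$(auth_reply_code "$(probe_auth "$2" "$(get_pass "$2")")")
         echo "AUTH reply: ${code:-none}"; [ "$code" = 235 ] ;;
esac
```

Run `sudo bash submission-auth.sh apply evan` on the mail host, then `bash submission-auth.sh probe evan` from any client that can reach 587. A `530` from the probe means AUTH was attempted before TLS (the s_client STARTTLS did not complete), a `503` means the submission service overrides were not applied, and a `535` with a correct password points at saslauthd or PAM, which `testsaslauthd` isolates from Postfix.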
Firewall and SELinux
# Firewalld
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-port=587/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# SELinux — postfix ports should already be labeled
sudo semanage port -l | grep smtp
Restart and Verify
sudo systemctl restart postfix
sudo systemctl status postfix
# Test SMTP banner (expect "220 mail-01.inside.domusdigitalis.dev ESMTP Postfix"); -w bounds the wait so nc cannot hang
printf 'QUIT\r\n' | nc -w 3 10.50.1.91 25
# Send test message (the blank line separates headers from body)
printf 'Subject: Test from Phase 2\n\nHello from mail-01.\n' | sendmail -v evan@inside.domusdigitalis.dev
# Check delivery: the log should show "status=sent (delivered to maildir)"
sudo tail -20 /var/log/maillog
ls -la ~/Maildir/new/   # run as evan, the recipient
Verification Checklist
- Postfix running: `systemctl is-active postfix`
- SMTP responds: `nc 10.50.1.91 25` shows the 220 banner
- TLS works: `openssl s_client -starttls smtp -connect 10.50.1.91:25` completes the handshake; with the Vault root CA passed via `-CAfile` it reports `Verify return code: 0 (ok)`, which only happens if the server sends the intermediate in its chain
- Submission port open: `nc 10.50.1.91 587`; `openssl s_client -starttls smtp -connect 10.50.1.91:587` followed by `EHLO` lists `AUTH` only inside TLS, never in a plaintext EHLO
- Local delivery works: test message in `~/Maildir/new/`
- Not an open relay: `postconf smtpd_relay_restrictions` shows `permit_mynetworks permit_sasl_authenticated defer_unauth_destination` (or a `reject_unauth_destination` variant); from a host outside mynetworks, `telnet 10.50.1.91 25`, then `MAIL FROM` and `RCPT TO` both external → `454 4.7.1 ... Relay access denied` (a 4xx is still a denial, not a transient error)
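The relay and submission checks above are easy to get wrong by hand (nc and telnet variants differ, and a multi-line EHLO reply is easy to misread). The script below is an added example, not from the original runbook, that performs them from a client outside mynetworks using bash's `/dev/tcp`, records the dialogue as `C:`/`S:` lines, and classifies the `RCPT TO` reply. It assumes the page's host address 10.50.1.91 as the default target and invents the probe sender and recipient addresses; it deliberately does not authenticate, since the point is what an unauthenticated stranger gets.

```shell
#!/usr/bin/env bash
# Added example (not from the original runbook): plaintext probes, run from a client OUTSIDE
# mynetworks, that check Postfix refuses to relay and keeps AUTH off port 587 until STARTTLS.
# Uses bash's /dev/tcp instead of nc/telnet (whose flags vary by variant). Host defaults to the
# page's 10.50.1.91; the probe addresses are made up.
MAIL_HOST=${MAIL_HOST:-10.50.1.91}

# Read one SMTP reply from fd 3 (multi-line replies use "250-"; the final line has "250 ").
# Lines are echoed as "S: ..." with the CR stripped.
read_reply() {
  while IFS= read -r -t 5 line <&3; do
    line=${line%$'\r'}
    printf 'S: %s\n' "$line"
    case $line in [0-9][0-9][0-9]" "*|[0-9][0-9][0-9]) return 0 ;; esac
  done
  return 1   # timeout or connection closed
}

# Feed commands from stdin one per line; echo each as "C: ..." followed by the server's reply.
smtp_dialog() {
  exec 3<>"/dev/tcp/$1/$2"
  read_reply                       # 220 greeting
  while IFS= read -r cmd; do
    printf 'C: %s\n' "$cmd"
    printf '%s\r\n' "$cmd" >&3
    read_reply
  done
  exec 3<&- 3>&-
}

# Reply code to the first RCPT TO in a "C:/S:" transcript.
rcpt_reply_code() {
  printf '%s\n' "$1" | awk '/^C: RCPT TO/ { want = 1; next } want && /^S: / { print substr($2, 1, 3); exit }'
}

# Postfix's default smtpd_relay_restrictions end in defer_unauth_destination, so an unauthorized
# relay attempt draws "454 4.7.1 ... Relay access denied" (554 with reject_unauth_destination).
# A 4xx here is still a denial, not a transient fault. 250 means the host relayed for a stranger.
relay_verdict() {
  case $1 in
    250)     echo "OPEN RELAY: recipient accepted" ;;
    454|554) echo "relay denied ($1)" ;;
    *)       echo "inconclusive ($1)" ;;
  esac
}

# True if the EHLO reply in the transcript advertises KEYWORD (e.g. STARTTLS, AUTH).
ehlo_offers() {
  printf '%s\n' "$1" | grep -Eq "^S: 250[- ]$2( |$)"
}

run_probes() {
  t=$(printf '%s\n' 'EHLO probe.example.net' 'MAIL FROM:<probe@example.net>' \
                    'RCPT TO:<someone@example.org>' 'QUIT' | smtp_dialog "$1" 25)
  printf '%s\n' "$t"
  echo "port 25 relay check: $(relay_verdict "$(rcpt_reply_code "$t")")"

  t=$(printf '%s\n' 'EHLO probe.example.net' 'QUIT' | smtp_dialog "$1" 587)
  printf '%s\n' "$t"
  if ehlo_offers "$t" STARTTLS; then echo "port 587: STARTTLS offered"; else echo "port 587: no STARTTLS: FAIL"; fi
  if ehlo_offers "$t" AUTH; then echo "port 587: AUTH offered in plaintext: FAIL (check smtpd_tls_auth_only)"
  else echo "port 587: AUTH withheld until TLS"; fi
}

if [ "${1:-}" = run ]; then run_probes "${2:-$MAIL_HOST}"; fi
```

Run it as `bash relay-probe.sh run` (or `bash relay-probe.sh run 10.50.1.91`) from a machine that is not in 10.50.1.0/24; from inside mynetworks the RCPT will be accepted by design and the result says nothing about open relaying.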