Recipes for installing Open Source Software

Shout out to cklahr.com for "lending" me the HTML template this documentation scheme is based on.    :)

Procedures Tested on OpenBSD 3.4 and 3.3

Table of Contents
last updated March 4th, 2004

  1. Why more documentation?
  2. MySQL Frequently Used Commands
  3. Postfix
    1. Preparing
    2. Re:moving the Sendmail binary
    3. Add User Accounts
    4. TLS Patch for Postfix
    5. Compiling
    6. Configuring Postfix
    7. Examples of Config Files
  4. Using the vLAN Interface


 

 

Why does the Internet need more procedures on installing open source software?

The reason I decided to create this documentation is that I found a lack of clarity in other online documentation for various open source software. Some of it was right on, but not suited to my environment or situation. So I thought it was time to detail my purpose for using the software and how I managed to get it working properly to fulfill my needs, which tend to be more general in nature, unlike documentation that conveys one specific architectural approach. The documentation here is not guaranteed to work in all environments. I tested most of these procedures on OpenBSD 3.2, 3.3 and 3.4; you may have varying results with other Unix-like OSes.

PURPOSE: I created this documentation so that something more straightforward would exist. You see, I wanted to replace sendmail on my system completely and install spam-fighting programs to complement it. I have a very small user base that I support for primary mail. I do not perform DNS or mail relaying for any other domains. I do, however, accept mail for a second domain name; doing so is very easy, as you will see. My interface to my mail program (Postfix) is imap-uw, with a web mail front end provided by Horde. But that is another topic. Let's get on with the install!

Postfix - A Fairly SAFE Alternative to Sendmail

Introduction

The Postfix web site has a lot of good information, including an FAQ covering the more common problems. However, I found the documentation dry and confusing to follow: the subject matter was all over the place, and it was hard to go from step 1 of unpacking the source to step 100 of running a finished Postfix install. The steps I describe below pertain to the latest Postfix version as of 03/03/04, postfix-2.0.18. Postfix is also in the OpenBSD ports tree, but I chose to build from the current upstream source so that I pick up bug fixes and security fixes as soon as they are released rather than waiting for the port to catch up; whichever route you take, keep tracking Postfix security announcements, since flaws are discovered from time to time in any piece of software. So needless to say I downloaded the latest source from POSTFIX. That site also gives you a good grounding in what Postfix is and the features it offers. There are also patches that add functionality, but I will talk more about those later on.

I thought I should explain exactly why I chose Postfix. To put it simply, I did not trust sendmail anymore. Sendmail was way easier to set up on my OpenBSD boxes than Postfix, only because it is already in the base system: it took a whole 2 minutes to edit roughly 5 files with about 6 entries total, not including the cron job. Yeah, real tough that one is. OpenBSD ships sendmail in the default install because the system needs a local mailer to deliver the daily, security and other reports to root. Sendmail descends from delivermail, written by Eric Allman at Berkeley in the late 1970s, and first shipped with 4.1c BSD in 1983; it was designed for a far friendlier network than today's Internet, and here we are today at version 8.12.x with a long history of remotely exploitable bugs behind it. New vulnerabilities have been found and will most likely continue to be found. Besides, Postfix can be configured with much more flexibility, and its design as a set of small, unprivileged, chrootable daemons limits what any single bug can do.

 

Preparing

I am assuming that you have already retrieved the latest source from the link I provided above (postfix-2.0.18). The Postfix release tarballs come with a detached PGP signature; check it against Wietse Venema's key before you build, since you are about to install this code as root.

1. Save the source tarball in /usr/src/ (or just move your tarball there)

2. Unpack your new postfix tarball with the following command: # tar zxvf /usr/src/postfix-2.0.18.tar.gz

3. You will now see a stream of file names scroll by on your console, cool isn't it? Now "cd" into the new Postfix directory; it should be called postfix-2.0.18.

4. I encourage you to read through the INSTALL docs if you have any questions or reservations about this program. Those docs do a nice job telling you your options.

...move onto the next section please.

Re:moving the Sendmail binary

1. Move the old sendmail executable aside. On OpenBSD, "/usr/sbin/sendmail" is actually just a symbolic link to mailwrapper(8), which consults /etc/mailer.conf to find the real mailer; the real sendmail binary stays in /usr/libexec/sendmail/sendmail. Postfix will install a program called sendmail in the same location for compatibility. If you want to play it safe, move the link to a backup directory rather than deleting it, in case things go haywire during the Postfix installation. (The other OpenBSD way is to leave the link alone, install Postfix's sendmail under a different path and point /etc/mailer.conf at it; this guide replaces the link instead.) Don't get confused about the sendmail binary: Postfix will provide a new binary called sendmail.

# rm /usr/sbin/sendmail
or, to move it instead:
# mkdir -p /home/backup
# mv /usr/sbin/sendmail /home/backup

2. Remove the sendmail queue runner from root's crontab:
# crontab -e
Look for the lines that look like this and remove them or comment them out with a #:
# sendmail clientmqueue runner
*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q

3. Kill off any running sendmail process:
# ps -ax | grep '[s]endmail'
# kill `head -1 /var/run/sendmail.pid`
(The brackets in the grep pattern stop grep from matching its own command line.) If the kill does not work, look up the PID on the first line of sendmail.pid and kill it by number:
# kill 10135
*substitute your actual sendmail PID (process ID)

Also keep sendmail from coming back at the next reboot: /etc/rc starts it with the sendmail_flags setting from /etc/rc.conf. Put sendmail_flags=NO in /etc/rc.conf.local and start Postfix from /etc/rc.local with "postfix start" instead.
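The three steps above as shell functions, added here as an example (not code from the original page). They can be tried on copies of the crontab, the pid file and a throwaway symlink before they touch the real system; the paths are the OpenBSD 3.x ones from the text, and the backup directory /home/backup is the text's choice, not a system default.

```shell
#!/bin/sh
# Added example, not from the original page: the "retire sendmail" steps
# as functions that can be exercised on copies before the real run.

# disable_sendmail_cron CRONTAB_FILE: print the crontab with every active
# line that runs /usr/sbin/sendmail commented out.  Comments and unrelated
# jobs pass through untouched.
disable_sendmail_cron() {
    sed -e 's|^\([^#].*/usr/sbin/sendmail[[:space:]].*\)$|#\1|' "$1"
}

# sendmail_pid PIDFILE: print the PID on the first line of sendmail.pid, or
# fail if the file is unreadable or the first line is not a number, so
# that `kill` is never handed an empty or garbage argument.
sendmail_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -1 "$1")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# backup_sendmail_link LINK DIR: move the /usr/sbin/sendmail symlink into
# DIR instead of deleting it (the link itself moves, not its target) and
# print what it pointed at, so it can be put back with a single mv.
backup_sendmail_link() {
    link=$1 dir=$2
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
    mkdir -p "$dir" && mv "$link" "$dir/sendmail.link" \
        && readlink "$dir/sendmail.link"
}

# Real run, as root (try it on copies first):
#   crontab -l > /tmp/root.cron
#   disable_sendmail_cron /tmp/root.cron | crontab -
#   pid=$(sendmail_pid /var/run/sendmail.pid) && kill "$pid"
#   backup_sendmail_link /usr/sbin/sendmail /home/backup
```

The crontab is edited through `crontab -l` and `crontab -` rather than by touching /var/cron/tabs directly, so cron notices the change; the pid file is validated because `kill ""` on a missing file would otherwise fail in a confusing way.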

....moving on

Add User Accounts

Next we will add accounts for the Postfix daemons to run under. This is especially important if this machine is connected to the Internet and will do more than local mail routing. You never want to run a service as the super-user, or outside a chroot, if it can be avoided, and in the majority of circumstances it is possible to "sandbox" the application and create unprivileged accounts to run it as.

1. Use adduser to edit the password file. You could also use the vipw command, but adduser is the easiest way to do it. (If you do not have super-user rights on this box then you shouldn't be installing this software to begin with!) If you use vipw, go to the bottom of the file and add the following line:

_postfix:*:2000:2000::0:0:Postfix Mail Daemon:/nonexistent:/sbin/nologin

Next we add the groups for the new account. To do this, edit the /etc/group file and add the following lines (preferably in numeric order with the other groups in the list):

_postfix:*:2000:
_postdrop:*:2001:

Here's a quick explanation of what we'll use the new account and groups for. The _postfix account is the unprivileged user that the Postfix daemons run as; the _postdrop group is the set-gid group for the postdrop command, which lets local users hand mail to the queue without being able to read it. Running daemons under dedicated non-root accounts is good security practice: if an attacker compromises a daemon, they are still limited to what that account can do. Keep both dedicated: the Postfix INSTALL file says the setgid group must not be shared with other accounts, not even with the Postfix account, so do not add _postfix (or anyone else) to _postdrop. The * in the password field is a hash that can never match, so nobody can authenticate as this user. /sbin/nologin as the shell is the second safeguard: even if a login somehow got that far, the shell would refuse it. You will see a "*" in every account if you look at /etc/passwd, because OpenBSD keeps the real hashes in /etc/master.passwd, readable only by root; look there and you can tell very quickly which accounts have a real password. That is also the file vipw edits.

TLS Patch for Postfix (This is not required to make Postfix function as an MX host)

TLS stands for Transport Layer Security, the successor to SSL. The patch adds STARTTLS support so that the sessions between your mail clients (and other mail servers) and your SMTP server can be encrypted. Note what that does and does not buy you: it protects the hop to your server, not the message end to end, and unless you force it, other servers that do not offer TLS will still talk to you in cleartext. The patch is built on OpenSSL and requires at least version 0.9.5, but it is recommended to have the latest version installed for obvious reasons. If you are running OpenBSD 3.3 or 3.4, you already have OpenSSL 0.9.7x installed, and that is fine for this TLS patch with Postfix 2.0.18. Keep an eye on OpenSSL security advisories and apply the OpenBSD errata patches that affect your version.

To apply the patch and enable TLS functionality with Postfix please follow the steps below.

1. cd to /usr/src:
# cd /usr/src

2. Obtain the patch:
# ftp ftp://mirrors.loonybin.net/pub/postfix_tls/pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz
(The version numbers in the file name are the patch version, the Postfix version and the OpenSSL version it was made for; they must match what you are building. Use the exact file name you downloaded in the commands that follow.)

3. Verify the tarball exists:
# ls

Unpack it:
# tar zxvf pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz

Now cd to the Postfix directory and apply the TLS patch:
# cd /usr/src/postfix-2.0.18
# patch -p1 < /usr/src/pfixtls-0.8.16-2.0.18-0.9.7c/pfixtls.diff

Compiling

If you are not using TLS, skip number 1 below and proceed to step number 2.

1. After patching Postfix for TLS you need to configure and compile. To enable the TLS functions you must specify the path to the OpenSSL header files and the libraries, and you must define USE_SSL. At your command prompt type:
# make makefiles CCARGS="-DUSE_SSL -I/usr/include/ssl" AUXLIBS="-L/usr/lib -lssl -lcrypto"

The OpenBSD 3.4 and 3.3 SSL header and library files are located:

openssl header files: /usr/include/ssl
openssl libraries: /usr/lib

2. Now build the package. If you are using another OS, read the INSTALL document included with the Postfix package for makefile arguments to use if your OS complains about the location of specific files, or if you simply want to tweak your Postfix installation.
# make

3. When that finishes without any error messages, type:
# make install
You will be prompted with a set of questions. They are listed below with their corresponding answers. Feel free to specify different directories if you are comfortable doing so.
A. install_root: [/] Hit enter here or input another path
B. tempdir: [/usr/src/postfix-2.0.18] Hit enter here or input another path
C. config_directory: [/etc/postfix] Hit enter here or input another path
D. daemon_directory: [/usr/libexec/postfix] Hit enter here or input another path
E. command_directory: [/usr/sbin] Hit enter here or input another path
F. queue_directory: [/var/spool/postfix] Hit enter here or input another path
G. sendmail_path: [/usr/sbin/sendmail] Hit enter here or input another path
H. newaliases_path: [/usr/bin/newaliases] Hit enter here or input another path
I. mailq_path: [/usr/bin/mailq] Hit enter here or input another path
J. mail_owner: [postfix] If you created the account as _postfix, change this to that name
K. setgid_group: [postdrop] If you created the group as _postdrop, change this to that name
L. manpage_directory: [/usr/local/man] Hit enter here or input another path
M. sample_directory: [/etc/postfix] Hit enter here or input another path
N. readme_directory: [no] Hit enter here or type in the path you want these installed to

This runs the postfix-install script and creates the files and directories you have just specified. If make install fails, review your answers and make sure that the user and group exist and that the directories exist and are writable by root. If the build itself went wrong, run make tidy, re-run make makefiles and start the compile over.

Configuring Postfix

1. Now you are ready to customize your Postfix install, and we will start with the aliases file. We will reuse the sendmail aliases file from /etc/mail because it is a little more complete than the one that comes with the Postfix package, and if you were previously using sendmail this makes the migration easier. Postfix looks for hash:/etc/aliases by default, so move the file there:
# cd /etc/mail
# mv aliases /etc/
# vi /etc/aliases
Your new entry goes after the _x11 or _spamd entry. It routes any message for _postfix to the root mailbox. You should also have an alias for root that a real person receives, so that messages sent by system accounts (daemons) are seen by a real person instead of sitting in root's mailbox. Your edit to the aliases file will look something like this:
_postfix: root
root: real_person_goes_here

Now load the changes you have made to the aliases file by issuing:
# newaliases

2. Now you are ready to customize your Postfix configuration files. There are many options, so I am just listing the basics here. It is good practice to make small changes to your main configuration file (main.cf), then watch your mail log for a few days to see whether they break anything or cause unwanted problems, and only then turn on the next thing. If you turn too many filtering options on at once, troubleshooting gets difficult.
# cd /etc/postfix
# mkdir maps
We create a maps directory to hold the lookup tables, and in main.cf we tell Postfix to look there (for example hash:/etc/postfix/maps/access). The .db files are the indexed form of the human-readable table files: postmap builds them, and Postfix reads them. Keep each source file next to its .db in maps/, because postmap writes the .db beside whatever file you hand it, and a source that lives somewhere else is easily forgotten at the next rebuild. Keeping the tables in a separate directory is good strictly for organizational and management purposes.

3. I have provided examples of what some of these files should look like at the bottom of this Postfix tutorial. Next we edit:
# vi main.cf
# vi master.cf
# vi mynetworks.cf

4. To create the .db files you must run the postmap command on each table. Since main.cf points at /etc/postfix/maps, keep the source files there and run postmap on those paths; postmap writes access.db next to access:
# mv access virtual relay_recipients maps/
# postmap maps/access
# postmap maps/virtual
# postmap maps/relay_recipients
You need to do this for every table that main.cf refers to, and again after every edit to a table, because Postfix reads the .db file, not the text file.

5. It is time to finalize your install of Postfix, using the scripts provided with the package. If you run ./post-install with no arguments you get a list of the options it accepts:

create-missing Create missing queue directories.
upgrade-source When installing or upgrading from source code.
upgrade-package When installing or upgrading from pre-built package.
first-install-reminder Remind of mandatory first-time configuration steps.
name=value Specify an installation parameter.

One option that is not in that list is set-permissions. It sets the ownership and modes of all the Postfix files and directories (the same thing postfix set-permissions does), which Postfix needs in order to run properly.

# ./post-install create-missing
This creates any queue directories that are missing. Next set the permissions:
# ./post-install set-permissions
Now check the configuration, start Postfix and see if it complains about anything:
# postfix check
# postfix start
After editing main.cf or master.cf, make the running daemons re-read them with:
# postfix reload
Stopping Postfix is just as easy:
# postfix stop

Don't forget to watch your /var/log/maillog file. Also, if you change your name server file, resolv.conf, and Postfix then stops resolving names, remember that chrooted daemons read the copy under the queue directory, /var/spool/postfix/etc/resolv.conf, so edit that one too. If you are going to chroot your Postfix daemons (which I highly recommend; the chroot column in master.cf turns it on per daemon), make sure everything those daemons need at run time is present under /var/spool/postfix. You may also have problems if Postfix has to look users up in /etc/passwd from inside the chroot; a copy of that file may have to be placed in the chroot environment (a copy of /etc/passwd only, never master.passwd, and never a link pointing out of the chroot).
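Before the first "postfix start", the mistakes worth catching are the ones that make a small host an open relay: a mynetworks that trusts the whole Internet, a smtpd_recipient_restrictions that never rejects relaying, and a table whose source file has wandered away from its .db. The script below is added here as an example and is not part of the original page or of Postfix; it needs only a POSIX shell with awk, sed and grep. The two main.cf samples it writes are constructed for the example (example.com and example.org stand in for your domains, and the maps directory lives under a temporary path) and show the weak settings beside the corrected ones.

```shell
#!/bin/sh
# Added example, not from the original page or the Postfix distribution.
# Pre-flight check for /etc/postfix/main.cf before "postfix start":
#   1. mynetworks must not trust the whole Internet (permit_mynetworks
#      would then make the box an open relay);
#   2. smtpd_recipient_restrictions must contain reject_unauth_destination
#      (or another restriction that refuses relaying);
#   3. every hash: table named in main.cf must still have its source text
#      file beside the .db, where postmap will look at the next rebuild.
# The two sample main.cf files below are constructed for the example.

# main_cf_get FILE PARAM: print PARAM's value, joining continuation lines
# (Postfix treats a line that starts with whitespace as part of the
# previous parameter).  The last definition wins, as in Postfix itself.
main_cf_get() {
    awk -v p="$2" '
        /^[ \t]/ && inval { sub(/^[ \t]+/, ""); val = val " " $0; next }
        { inval = 0 }
        $0 ~ ("^" p "[ \t]*=") {
            sub("^" p "[ \t]*=[ \t]*", ""); val = $0; inval = 1 }
        END { print val }' "$1"
}

# Exit 0 unless mynetworks contains 0.0.0.0/0 or any prefix shorter than /8.
mynetworks_ok() {
    for net in $(main_cf_get "$1" mynetworks | tr ',' ' '); do
        case "$net" in
            0.0.0.0/*) return 1 ;;
            */[0-7])   return 1 ;;
        esac
    done
    return 0
}

# Exit 0 if the recipient restrictions include a rule that stops relaying
# for non-local destinations (Postfix 2.0 refuses to start without one).
recipient_restrictions_ok() {
    main_cf_get "$1" smtpd_recipient_restrictions | tr ',' '\n' \
      | grep -qE '^[[:space:]]*(reject_unauth_destination|check_relay_domains|reject|defer|defer_if_permit)[[:space:]]*$'
}

# Print each hash: table path in FILE whose source text file is missing.
missing_map_sources() {
    grep -o 'hash:[^,[:space:]]*' "$1" | sed 's/^hash://' | sort -u \
      | while read -r map; do [ -f "$map" ] || printf '%s\n' "$map"; done
}

# check_main_cf FILE: print one line per finding; exit 1 if there were any.
check_main_cf() {
    rc=0
    mynetworks_ok "$1" || { echo "mynetworks trusts the world: $(main_cf_get "$1" mynetworks)"; rc=1; }
    recipient_restrictions_ok "$1" || { echo "smtpd_recipient_restrictions never rejects unauthorised relaying"; rc=1; }
    missing=$(missing_map_sources "$1")
    [ -z "$missing" ] || { echo "hash: tables whose source file is gone:"; echo "$missing"; rc=1; }
    return $rc
}

# Constructed sample: how a first attempt often looks (DIR holds maps/).
write_weak_main_cf() {
    cat > "$1" <<EOF
myhostname = mail.example.com
mydestination = \$myhostname, localhost, example.com, example.org
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks
virtual_alias_maps = hash:$2/maps/virtual
EOF
}

# Constructed sample: the same host done right.  permit_mynetworks comes
# first so your own LAN may relay, reject_unauth_destination then refuses
# relaying for everyone else, and the access table is consulted last.
write_safe_main_cf() {
    cat > "$1" <<EOF
myhostname = mail.example.com
mydestination = \$myhostname, localhost, example.com, example.org
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:$2/maps/access
virtual_alias_maps = hash:$2/maps/virtual
EOF
}

# On a real system: check_main_cf /etc/postfix/main.cf && postfix check
```

The order of the restrictions matters: Postfix evaluates them left to right and stops at the first permit or reject, so a permit_mynetworks that comes before reject_unauth_destination is exactly what you want, while permit_mynetworks on its own (the weak sample) permits your LAN and then falls through to the default, which is to accept.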

If you have any questions or complaints, send an email to: support

Example Postfix Files - (Use at your own demise)

MAIN.CF

MASTER.CF

MYNETWORKS

RELAY_RECIPIENTS

VIRTUAL

--------------------------------------------------------End of Postfix Documentation-----------------------------------------------------------------------

 

Using the vLAN Interface

OpenBSD is an excellent open source Unix-like operating system. It comes with a variety of virtual interfaces, and one of them is the vlan interface. I have a firewall using pf rules, a DHCP server for a LAN and a web server all running on one machine. I ran into one snag when I purchased a wireless router: how do I keep the thing separated from my hard-wired network? The answer was clear, a VLAN would solve that problem. So the next step was to install a third NIC into my production Heinz 57 box (www, firewall, DHCP box). I had to sacrifice my test box until I got my hands on yet another NIC. Before setting up a VLAN, I had tried plugging my wifi router, an SMC 2804WBR, directly into my switch. This worked OK, but for some reason my WIN2K machine would not receive an IP address while my OBSD test box had no problem obtaining one. So after configuring my wifi router I broke down and redesigned my home network. Below are the steps I took to implement my VLAN on OpenBSD 3.2 with a cheap Netgear NIC. The card can be purchased for around 10 bucks at your favorite computer store.



Step 1:

root# ifconfig vlan0 192.168.2.1 vlan 2 vlandev sis0
where sis0 is the name OpenBSD gives your physical network card (driver name plus unit number; sis0 is the Netgear card here, yours might be rl0 or fxp0)

Lets look at the above command

ifconfig - can be simply defined as "an interface configuration command". See the man pages for more detail if you need it.

vlan0 - the name of the virtual interface you are creating. The 0 is just an instance number (vlan1 or vlan10 work just as well) and has nothing to do with the VLAN tag set below.

IP - Next we have the IP address of this box on the newly created virtual LAN. Use a subnet that does not already exist on your network.

vlan 2 - The keyword "vlan" must be present, and the number after it is the 802.1Q VLAN ID (the tag) that is put on every frame leaving this interface and that incoming frames must carry to be accepted. Valid IDs are 1 through 4094 (0 and 4095 are reserved by the standard). It is not an arbitrary label: it must match the VLAN configured on the switch port or device at the other end, or nothing will get through. In my scenario above I chose the number 2 because it was on my second subnet.

vlandev - with this keyword you specify the physical interface that carries the tagged frames for the virtual network. In my example above, the interface name that OpenBSD uses for my brand of NIC is sis0.

One caveat: the VLAN only separates the wireless side at layer 2. Traffic between vlan0 and the wired LAN is routed through this box, so the isolation you wanted only exists if your pf rules treat vlan0 as the untrusted network it is (allow DHCP and DNS to the router, then only what the wireless clients genuinely need).

Now type in the following command at your command line:

root# ifconfig vlan0

You should get:

--------------------begin snip--------------------------------
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:09:5b:06:0f:8f
vlan: 2 parent interface: sis0
inet6 fe80::209:5bff:fe06:f8f%vlan0 prefixlen 64 scopeid 0x10
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255

---------------------end snip--------------------------------

Step 2:

Add vlan0 or whichever vlan number you chose to /etc/dhcpd.interfaces

Step 3:

Edit the file: /etc/dhcpd.conf to include a definition for the newly established vlan.

For my example, I would make the following additions:

--------------------begin snip--------------------------------

shared-network VLAN0 {
option domain-name "vlan0.28place.net";
option domain-name-servers 192.168.2.1;

subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.1;
range 192.168.2.100 192.168.2.110;

}
}

----------------------end snip---------------------------------


In the above example I am assigning the 192.168.2.0/24 subnet to my VLAN and handing out only 11 addresses from it (.100 through .110).

HINT: Be careful to add all of the appropriate { } symbols to the dhcpd.conf file; I had to edit the file a couple of times before I got the format right. If this is an addition to an existing DHCP network, add the VLAN subnet as another shared-network stanza exactly like my example above, quotation marks and semicolons included. Just think of it as adding an additional record.
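The checks below are added here as an example (not from the original page): they validate the VLAN tag, tell you whether the dhcpd range actually lies inside the subnet you declared (and how many leases it holds), and emit the /etc/hostname.vlan0 line that makes the interface come back after a reboot, which the ifconfig command above does not. Addresses and interface names are the ones from the text; the hostname.if(5) line follows the syntax as I understand it for OpenBSD 3.x, so confirm it against the man page on your release.

```shell
#!/bin/sh
# Added example, not from the original page: checks to run before the VLAN
# interface and its dhcpd pool go live.  Addresses and interface names are
# the ones used in the text.  The /etc/hostname.vlan0 line follows the
# hostname.if(5) syntax as understood for OpenBSD 3.x (an assumption;
# check the man page on your release).

# 802.1Q stores the VLAN ID in 12 bits; 0 and 4095 are reserved, so only
# 1..4094 can be configured.
vlan_id_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# ip2int DOTTED-QUAD: print the address as a 32-bit integer; fail on
# anything that is not four octets of 0..255.
ip2int() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# ip_in_subnet ADDR NETWORK NETMASK: exit 0 if ADDR lies in NETWORK/NETMASK.
# awk has no portable bitwise AND, so the mask is applied as integer
# division by the size of the host part (valid for a contiguous mask).
ip_in_subnet() {
    a=$(ip2int "$1") && n=$(ip2int "$2") && m=$(ip2int "$3") || return 2
    awk -v a="$a" -v n="$n" -v m="$m" 'BEGIN {
        h = 4294967296 - m
        if (int(a / h) * h == n) exit 0
        exit 1 }'
}

# dhcp_range_ok NETWORK NETMASK LOW HIGH: exit 0 and print the number of
# leases if LOW..HIGH sits inside the subnet without touching the network
# or broadcast address; exit 1 if the range is wrong, 2 if the mask is.
dhcp_range_ok() {
    n=$(ip2int "$1") && m=$(ip2int "$2") && lo=$(ip2int "$3") && hi=$(ip2int "$4") || return 2
    awk -v n="$n" -v m="$m" -v lo="$lo" -v hi="$hi" 'BEGIN {
        h = 4294967296 - m                          # size of the host part
        if (h < 4) exit 2                           # /31 and /32 have no pool
        for (t = h; t > 1; t /= 2) if (t % 2) exit 2  # mask must be contiguous
        if (n % h != 0) exit 2                      # NETWORK must be aligned
        if (lo <= n || hi >= n + h - 1 || lo > hi) exit 1
        printf "%d\n", hi - lo + 1 }'
}

# hostname_vlan_line ADDR NETMASK TAG PARENT: the line for /etc/hostname.vlanN
# so that netstart recreates the interface at boot (the ifconfig command in
# the text lasts only until the next reboot).
hostname_vlan_line() {
    vlan_id_ok "$3" || { echo "VLAN id $3 is outside 1..4094" >&2; return 1; }
    printf 'inet %s %s NONE vlan %s vlandev %s\n' "$1" "$2" "$3" "$4"
}

# Example run for the text's configuration:
#   hostname_vlan_line 192.168.2.1 255.255.255.0 2 sis0 > /etc/hostname.vlan0
#   dhcp_range_ok 192.168.2.0 255.255.255.0 192.168.2.100 192.168.2.110
```

Feeding the range from the dhcpd.conf stanza above through dhcp_range_ok reports 11 leases, not 10, which is the kind of off-by-one that is easy to miss when you count ".100 to .110" in your head.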


Step 4:

Next, issue 'dhcpd' at the command line and look at the interfaces your dhcpd reports it is serving. Mine looks like this:

--------------begin screenshot-------------------------------------------
root# dhcpd

Listening on BPF/vlan0/00:09:5b:06:0f:8f/VLAN0
Sending on BPF/vlan0/00:09:5b:06:0f:8f/VLAN0
Listening on BPF/rl0/00:50:bf:e4:9e:03/LOCAL-NET
Sending on BPF/rl0/00:50:bf:e4:9e:03/LOCAL-NET

Listening on BPF/fxp0/00:a0:c9:71:48:5d/24.118.167.92
Sending on BPF/fxp0/00:a0:c9:71:48:5d/24.118.167.92
Sending on Socket/fallback/fallback-net
# There's already a DHCP server running.
Sep 11 21:38:31 28place dhcpd: There's already a DHCP server running.

exiting.
Sep 11 21:38:31 28place dhcpd: There's already a DHCP server running.
Sep 11 21:38:31 28place dhcpd: exiting.
Sep 11 21:38:31 28place dhcpd: exiting.
--------------end screenshot-------------------------------------------


The "There's already a DHCP server running" lines in that output mean the old dhcpd was still up, so the new one printed its interface list and exited. Stop the running one first (find its PID with ps -ax | grep '[d]hcpd' and kill it), then run dhcpd again; the Listening/Sending lines for vlan0 are what you want to see, this time without the "exiting".

That's it! Hope this helped you establish your very own VLAN. If you have any questions or problems with this you may send your comments
to the following email: support