Note: These instructions are identical for Leopard and Snow Leopard.

In a normal setup of the basic mailserver all communication between your server and the end user's email client is unencrypted, so usernames and passwords can be sniffed while in transit on the internet. This can be prevented by using TLS/SSL, which encrypts the traffic between client and server and puts an end to snooping of password information. In our setup this is the default configuration.

Normally you would buy an SSL certificate from Thawte or Verisign, but as we are building a server on the cheap we are going to create our own certificate. The only problem you will encounter with a self-created certificate is that users explicitly have to accept and verify your root certificate, whereas certificates you buy are already trusted by most email clients by default. If they for instance try to send their email for the first time via your secure server they need to accept your certificate. When using Mail.app in OS X they will get the following warning:

Unable to verify certificate

They need to press Continue; from then on your certificate will be accepted and they won't be asked again.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix’:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This will create a 2048 bit RSA key that, for now, is secure enough for your mailserver to use. If you are paranoid and want a bigger key just increase the number after rsa:. The certificate will be valid for a year; if you want a longer period just increase the number after the -days option. When the key has been generated you will be asked a couple of questions you need to answer. The information will be shown to people who want to inspect your certificate when their mail client complains. The most important one is the ‘Common Name’: make sure it is the same as the mail server name your users connect to.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

Configuring Postfix means editing files; I'll only note the settings that differ from the defaults. We start with the ‘main.cf’ configuration file located in the directory ‘/etc/postfix/’ (before you change anything make a copy of the original file for safe keeping, as you always should). Only the differences from the default settings are documented below:

main.cf
# The hostname is the hostname you get from your ISP.
# Don’t take one from your virtual domains
myhostname = server.isp-domain.tld
# you can reduce the debug level to 0 when everything is working.
debug_peer_level = 2
#
# my additions for the virtual domain administration
# to use the MySQL database.
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 102
virtual_transport = dovecot
virtual_uid_maps = static:102
#
# The settings for SASL authentication using the auth daemon.
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_invalid_hostname,
  reject_rbl_client zen.spamhaus.org,
  permit
 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_pw_server_security_options = noanonymous
 
smtpd_enforce_tls = no
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
 
dovecot_destination_recipient_limit = 1
 
# OPTIONAL PART
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = reject
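With the settings above, port 25 still accepts plaintext sessions (smtpd_enforce_tls = no), and because smtpd_tls_auth_only is not set Postfix will advertise AUTH before STARTTLS there, so a carelessly configured client can still send its password in the clear. The check below is an added example, not part of the original post: audit_ehlo() compares what the server offers before and after STARTTLS, and probe() runs that comparison against a live server (the host and HELO names are placeholders; certificate verification is switched off only because the post uses a self-signed certificate and the point here is the AUTH/STARTTLS ordering).

```python
"""Audit which SMTP extensions a Postfix smtpd offers before and after
STARTTLS.  Added example; not part of the original tutorial."""
import smtplib
import ssl
import sys


def audit_ehlo(plain_exts, tls_exts):
    """Take the extension names advertised before (plain_exts) and after
    (tls_exts) STARTTLS and return the findings a defender cares about."""
    plain = {e.lower() for e in plain_exts}
    tls = {e.lower() for e in tls_exts}
    return {
        # clients can encrypt at all
        "starttls_offered": "starttls" in plain,
        # AUTH before STARTTLS: credentials may travel unencrypted; in
        # Postfix this is closed with smtpd_tls_auth_only = yes or by
        # serving AUTH only on the submission port (smtpd_enforce_tls=yes)
        "plaintext_auth_exposed": "auth" in plain,
        # AUTH is available once the session is encrypted
        "auth_after_tls": "auth" in tls,
    }


def probe(host, port=25, helo="audit.example.invalid"):
    """Connect to host:port, record the EHLO reply, upgrade to TLS if the
    server offers it, record the EHLO reply again and audit both."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # self-signed cert in this setup
    ctx.verify_mode = ssl.CERT_NONE   # we audit ordering, not the chain
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        plain = list(s.esmtp_features)   # keys are lowercase ext names
        tls = []
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo(helo)                 # features must be re-read after TLS
            tls = list(s.esmtp_features)
        return audit_ehlo(plain, tls)


if __name__ == "__main__":
    # usage: python audit_smtp.py your.mailserver.tld [port]
    target = sys.argv[1]
    for key, value in probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 25).items():
        print(f"{key}: {value}")
```

Run it once against port 25 and once against port 587: on the submission port with smtpd_enforce_tls=yes the plaintext EHLO reply should not carry AUTH at all.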

As a last step, the new files that give Postfix MySQL access for the user administration have to be created. They belong in the directory ‘/etc/postfix’.

mysql_virtual_alias_maps.cf
user = postfix
password = postfixpassword
hosts = 127.0.0.1
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = 1

mysql_virtual_domains_maps.cf
user = postfix
password = postfixpassword
hosts = 127.0.0.1
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s'

mysql_virtual_mailbox_maps.cf
user = postfix
password = postfixpassword
hosts = 127.0.0.1
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1

The last file we need to edit for the Postfix configuration is ‘/etc/postfix/master.cf’. There are two things we need to do in this file.

Open up a second port (587, the submission port) for authenticated users. Many ISPs block port 25, and this will help get past that. All mail clients are able to use it.

submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

The next thing we need to do is create an extra transport by adding the following lines at the end:

dovecot unix - n n - - pipe
  flags=DRhu user=_vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

This hands delivery of the mail over to Dovecot.

Please make sure that the last line, starting with ‘flags’, is all on one line in the config file.