Postfix: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
No edit summary
 
(50 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Installing Postfix =
Changes for a new install on Debian in /etc/postfix:
<pre>
<pre>
Changes for a new install on Debian:
/etc/postfix
touch relay-domains
touch relay-domains
touch virtual
touch virtual
touch virtual-domains
touch virtual-domains
touch transport
touch transport
#This is the list of domains we will transport mail for over smtp, using different protocols.
touch aliases
touch sender_whitelist
postmap aliases
postmap virtual
postmap transport
postmap sender_whitelist
</pre>
This goes in some of the files:
 
== /etc/postfix/virtual ==
<pre>
# In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries:
 
# account1@olddomain.ext account1
# account2@olddomain.ext account2
# newdomain.ext DOMAIN
# @newdomain.ext @olddomain.ext
 
# this will ensure that account1@olddomain.ext AND account1@newdomain.ext is delivered to account1 and account2@[newdomain or olddomain].ext goes to account2
 
# After changing this file run
# postmap virtual
 
# Catchalls are set up with
# @domain.ext userid
</pre>
 
== /etc/postfix/virtual-domains ==
<pre>
# This file contains the domains for which postfix will accept email
# It's not a hash file, so no need to run postmap on it.
</pre>
 
== /etc/postfix/transport ==
<pre>
# This is the list of domains we will transport mail for over smtp, using different protocols.
# This is a hashfile, so postmap transport after editing.
# This is a hashfile, so postmap transport after editing.
apt-get install popa3d
</pre>
# get rid of the postfix pop daemon
 
== /etc/postfix/sender_whitelist ==
<pre>
# don't forget to postmap sender_whitelist after editing, as it's a hash file
# we are a relay for this host
 
domoticz.edgarbv.int    OK
</pre>
 
 
Make sure the following is appended to mynetworks in main.cf
<pre>
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24, 212.61.33.42/32, 31.160.12.64/29, 188.204.140.192/27, 217.81.192.88/32
</pre>
 
'''On the machine sending mail from the home network''
Also, because this machine is relaying from my home network (because port 25 traffic is blocked by my ISP), change in main.cf
<pre>
relayhost = MY.IP.ADDRESS:587
</pre>
(it was empty)
 
== These are the /etc/postfix/main.cf edits ==
<pre>
# My edits
# Prevent backscatter
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
 
message_size_limit = 15000000
 
# Add virtual accounts and all the domains into these two files
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = /etc/postfix/virtual-domains
# To make aliases add them to these files
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail
# Anti Spam measures (note the order is important!)
smtpd_client_restrictions = permit_mynetworks,
                                permit_sasl_authenticated,
                          reject_rbl_client sbl.spamhaus.org,
                          reject_rbl_client bl.spamcop.net,
                          permit
smtpd_helo_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                        reject_invalid_helo_hostname,
                        permit
smtpd_sender_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                          reject_non_fqdn_sender,
                          reject_unknown_sender_domain,
                          permit
smtpd_data_restrictions = reject_unauth_pipelining,
                        permit
# This is the new style for after 2.10. Debian still has 2.9. They then get removed from smtpd_recipient_restrictions
#smtpd_relay_restrictions = permit_mynetworks,
#                      permit_sasl_authenticated,
#                      reject_unauth_destination,
#                      permit
smtpd_relay_restrictions = permit_mynetworks,
                        permit_sasl_authenticated,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                        reject_unauth_destination,
                        reject_unknown_recipient_domain,
                        reject_unlisted_recipient,
                        reject_unverified_recipient,
                        reject_non_fqdn_recipient,
                        reject_unknown_sender_domain,
                        reject_non_fqdn_hostname,
                        reject_unauth_pipelining,
                        reject_rbl_client zen.spamhaus.org,
                        reject_rbl_client bl.spamcop.net,
                        permit
smtpd_recipient_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                            permit_sasl_authenticated,
                            reject_unauth_destination,
                            reject_unknown_recipient_domain,
                            reject_unlisted_recipient,
                            reject_unverified_recipient,
                            reject_non_fqdn_recipient,
                            reject_unknown_sender_domain,
                            reject_non_fqdn_hostname,
                            reject_unauth_pipelining,
                            # spamhaus is only for non-commercial / low volume use
                            reject_rbl_client zen.spamhaus.org,
                            reject_rbl_client bl.spamcop.net,
                            permit
 
# you can test the above lines by putting warn_if_reject before a rule, eg "warn_if_reject reject_non_fqdn_hostname,", which puts up a warning in the logfiles, but allows the mail to go through anyway
 
smtpd_helo_required = yes
disable_vrfy_command = yes
default_process_limit = 100
 
# This is what postfix will act as an SMTP server for
relay_domains = /etc/postfix/relay-domains
# For delayed delivery using etrn
defer_transports = etrn-only
fast_flush_domains = $relay_domains
smtpd_etrn_restrictions = permit_mynetworks, reject
# This is all added for Mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# This is for maildir delivery
home_mailbox = Maildir/
</pre>
 
Some of the documentation on Maildir sets
<pre>
mailbox_command =
</pre>
But we're going to configure procmail to deliver to mailbox later, so we keep it as such:
<pre>
mailbox_command = procmail -a "$EXTENSION"
</pre>
 
Check configuration
<pre>
postconf -n
or
postconf -d
</pre>
 
get rid of the postfix pop daemon
 
<pre>
apt-get install dovecot-popa3d (for maildir support)
</pre>
 
== procmail ==
Change procmail to maildir delivery. Create /etc/procmailrc
<pre>
LOGFILE=/var/log/mail/procmail
LOGABSTRACT=all
VERBOSE=off
LOG=$date
DEFAULT="$HOME/Maildir/"
MAILDIR="$HOME/Maildir/"
</pre>
 
Create everything
<pre>
mkdir /var/log/mail/
touch /var/log/mail/procmail
</pre>
 
=== Old procmail (non maildir) ===
 
vi /etc/procmailrc
<pre>
#Procmailrc modified by RazoR
#
MAILDIR=/var/spool/mail
LOGFILE=/var/log/mail/procmail
LOGABSTRACT=all
VERBOSE=off
LOG=$date
</pre>
Create everything
<pre>
mkdir /var/log/mail/
touch /var/log/mail/procmail
</pre>
 
== If you mount your mail (mbox format) ==
<pre>
ln -s /home/spool/mail/ /var/mail
</pre>
 
== rsyslog and logrotation ==


Edit /etc/logrotate.d/rsyslog to add /var/log/mail/procmail to it


edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/:wq
edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/ something like:
<pre>
mail.info                      -/var/log/mail/mail.info
mail.warn                      -/var/log/mail/mail.warn
mail.err                        /var/log/mail/mail.err
</pre>


<pre>
mv /var/log/mail.* /var/log/mail/
service rsyslog restart
</pre>


In /etc/logrotate.d/rsyslog
In /etc/logrotate.d/rsyslog (nb. because we have moved mail logs to /var/log/mail from /var/log)
-----------------------------
<pre>
/var/log/syslog
/var/log/syslog
{
{
Line 43: Line 260:
         sharedscripts
         sharedscripts
         prerotate
         prerotate
                 /opt/triphost/statisticstripghostmail.sh
                 /opt/myhost/statisticsmyhostmail.sh
         endscript
         endscript
         rotate 7
         rotate 7
Line 57: Line 274:
         endscript
         endscript
}
}
</pre>
=== If still using popa3d ===
<pre>
touch /var/log/mail/popa3d.log
</pre>
'''FOR OLD SYSLOG BEHAVIOUR'''
<pre>
!popa3d
*.*                            /var/log/mail/popa3d.log
</pre>
'''FOR RSYSLOG'''
<pre>
in /etc/rsyslog.d/popa3d.conf
if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/mail/popa3d.log
if $programname == 'popa3d' and $syslogseverity <= '6' then ~
</pre>
== Mutt ==
Use Mutt to open a maildir:
<pre>
mutt -m maildir -f ~/Maildir
</pre>
Set Mutt to read maildir. Edit /etc/Muttrc
<pre>
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"
</pre>
= Authentication with sasl =
This uses saslauthd as an authentication layer between pam and postfix smtpd services to check if the user is allowed to log in. There are methods to use dovecot as an authentication layer too, but I haven't gotten that to work.
This one works so far:
http://wiki.debian.org/PostfixAndSASL with more info at http://www.postfix.org/SASL_README.html
Install libsasl2-modules, postfix, postfix-tls, sasl2-bin
/etc/postfix/sasl/smtpd.conf
<pre>
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
</pre>
/etc/default/saslauthd
<pre>
START=yes
</pre>
<pre>
adduser postfix sasl
</pre>
/etc/fstab
<pre>
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0
</pre>
<pre>
cd /var/spool/postfix
mkdir -p var/run/saslauthd
mount /var/spool/postfix/var/run/saslauthd
</pre>
/etc/postfix/main.cf
<pre>
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
</pre>
also make sure that smtpd_recipient_restrictions includes
<pre>
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
</pre>


/etc/logrotate.d/postfix:
== TLS ==
------------------------------
TLS is an encryption layer that runs on the submission port (587) waiting for people to log in. Make sure the firewall opens this port on UDP / TCP
/var/log/mail/mail.log {
 
        prerotate
First you need to generate the key files for the fully qualified mailname / myhostname / hostname of the machine. You can have multiple key files, but only one per IP adress.
                /opt/triphost/statisticstripghostmail.sh
 
        endscript
=== Generating the certificate files ===
        daily
Get the certificate from Lets Encrypt
        missingok
<pre>
        rotate 7
certbot certonly -d mail.edgarbv.com
        compress
</pre>
        delaycompress
 
        notifempty
choose apache.
        create 640 root adm
}


/var/log/mail/popa3d.log /var/log/mail/mail.err /var/log/mail/mail.info /var/log/mail/mail.warn {
==== Depreciated ====
        daily
When filling in common name (CN) Always fill in your domain eg mail.edgarbv.com
        missingok
Generate a private key
        rotate 7
<pre>
        compress
openssl genrsa -des3 -out mail.edgarbv.com.key 2048</pre>
        delaycompress
Create a certificate request
        notifempty
<pre>
        create 640 root adm
openssl req -new -key mail.edgarbv.com.key -out mail.edgarbv.com.csr
}
</pre>
Self sign the key
<pre>
openssl x509 -req -days 365 -in mail.edgarbv.com.csr -signkey mail.edgarbv.com.key -out mail.edgarbv.com.crt
</pre>
remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):
<pre>
openssl rsa -in mail.edgarbv.com.key -out mail.edgarbv.com.key.nopasscp mail.domain.tld.key mail.edgarbv.com.key.pass
mv mail.domain.tld.key.nopass mail.edgarbv.com.key
</pre>
Make ourself a trusted CA:
<pre>
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
</pre>
Copy the files into a proper location:
<pre>
chmod 600 mail.edgarbv.com.key
chmod 600 cakey.pem
mv mail.edgarbv.com.key /etc/ssl/private/
mv mail.edgarbv.com.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
</pre>


------------------------------
=== /etc/postfix/main.cf ===
<pre>
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.edgarbv.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.edgarbv.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
</pre>
==== Depreciated ====
<pre>
smtpd_tls_cert_file = /etc/ssl/certs/mail.edgarbv.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.edgarbv.com.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
</pre>


add the following to /etc/rsyslogd.conf
== Security for sasl and TLS ==
!popa3d
NB Default policy is:
*.*                            /var/log/mail/popa3d.log
<pre>


touch /var/log/mail/popa3d.log
smtp_sasl_security_options = noplaintext, noanonymous
</pre>
</pre>
So that shouldn't have to be changed to
<pre>


smtp_sasl_security_options = noanonymous
</pre>
Unless the remote server only offers plaintext authentication.


The same goes for TLS, where default is
<pre>
<pre>
Check configuration
postconf -n


/etc/postfix/virtual
smtp_sasl_tls_security_options = $smtp_sasl_security_options
# In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries:
</pre>
 
This could be changed to something like:
<pre>
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
</pre>


# account1@olddomain.ext account1
== using the submission port (587) ==
# account2@olddomain.ext account2
NB no whitespace around the '=' sign!
# newdomain.ext DOMAIN
# @newdomain.ext @olddomain.ext


# this will ensure that account1@olddomain.ext AND account1@newdomain.ext is delivered to account1 and account2@[newdomain or olddomain].ext goes to account2
/etc/postfix/master.cf
<pre>
submission inet n      -      -      -      -      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
</pre>


# After changing this file run
Ensure the port is open in shorewall as well :)
# postmap virtual


# Catchalls are set up with
Options to look at:
# @domain.ext userid
<pre>
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
</pre>


/etc/postfix/virtual-domains
== using SSL with the ssmtp / smtps port (465) ==
# This file contains the domains for which postfix will accept email
/etc/postfix/master.cf
# It's not a hash file, so no need to run postmap on it.
<pre>
smtps    inet  n      -      -      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_etrn_restrictions=reject
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
</pre>
</pre>


These are the /etc/postfix/main.cf edits
Ensure the port is open in shorewall as well :)
 
== Testing ==
After a postfix restart you can telnet to the open ports, issue an ehlo and you should see '''AUTH''' in the list. Once for compliant and once for brokenclients
<pre>
<pre>
# Tripany edits
telnet localhost 25
# Prevent backscatter
Trying 127.0.0.1...
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
Connected to edgarinet.localdomain.
unverified_recipient_reject_code = 550
Escape character is '^]'.
unverified_sender_reject_code = 550
220 edgarinet.edgarbv.com ESMTP Postfix (Debian/GNU)
ehlo edgarbv.com
250-edgarinet.edgarbv.com
250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
'''250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN'''
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
</pre>
 
If you don't see the '''AUTH''' in the list when connecting to port 587, There may be a problem with the certificate files. You can try putting the pem and key files are in the /etc/postfix directory somewhere. It doesn't always like it if they are in /etc/ssl/... somewhere but then it doesn't always like it if they are in the postfix dir either :S




message_size_limit = 15000000
You can check if the server is running properly as an SSL server with
<pre>
openssl verify -purpose sslserver /etc/ssl/certs/ssl-cert-snakeoil.pem
</pre>
 


# Add virtual accounts and all the domains into these two files
You can check if SASL is running with
virtual_alias_maps = hash:/etc/postfix/virtual
<pre>
virtual_alias_domains = /etc/postfix/virtual-domains
testsaslauthd -u razor -p "password"
# To make aliases add them to these files
</pre>
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail
# Anti Spam measures
smtpd_recipient_restrictions = permit_mynetworks,
                            permit_sasl_authenticated,
                            reject_unauth_destination,
                            reject_unknown_recipient_domain,
                            reject_unlisted_recipient,
                            reject_unverified_recipient,
                            reject_non_fqdn_sender,
                            reject_non_fqdn_recipient,
                            reject_non_fqdn_hostname,
                            reject_unknown_sender_domain,
                            reject_unauth_destination,
                            reject_unauth_pipelining,
                            reject_invalid_hostname,
                            reject_rbl_client zen.spamhaus.org,
                            reject_rbl_client bl.spamcop.net,
                            permit
smtpd_client_restrictions = permit_mynetworks,
                          reject_rbl_client sbl.spamhaus.org,
                          permit
smtpd_helo_restrictions = permit_mynetworks,
                        reject_invalid_hostname,
                        permit
smtpd_sender_restrictions = warn_if_reject,
                          reject_non_fqdn_sender,
                          warn_if_reject,
                          reject_unknown_sender_domain,
                          warn_if_reject,
                          reject_unknown_address,
                          permit
smtpd_data_restrictions = reject_unauth_pipelining,
                        permit
smtpd_helo_required = yes
disable_vrfy_command = yes
default_process_limit = 100


# This is what postfix will act as an SMTP server for
Increase logging with
relay_domains = /etc/postfix/relay-domains
<pre>
# For delayed delivery using etrn
smtpd_tls_loglevel = 2
defer_transports = etrn-only
fast_flush_domains = $relay_domains
smtpd_etrn_restrictions = permit_mynetworks, reject
# This is all added for Mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
</pre>
</pre>
in main.cf
== setting up for dovecot ==
An alternative idea is you set up dovecot to accept authentication through SASL and then pipe postfix through it to let it authenticate.
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
You can test it as explained in these pages:
http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup
http://www.adomas.org/2006/08/postfix-dovecot/
= Useful info =
== accept for primary MX if it goes down ==


To accept messages in the mailqueue and defer them untill the primary MX server is up again, add the domain.ext to /etc/postfix/relay-domains and in transport add
<pre>
<pre>
To accept messages in the mailqueue and defer them untill the primary MX server is up again,
add the domain.ext to /etc/postfix/relay-domains and in transport add
domain.ext etrn-only:
domain.ext etrn-only:
</pre>


The mail will then be delivered when sendmail -q is sent, or when telnet mailserver 25,  
The mail will then be delivered when sendmail -q is sent, or when  
<pre>
telnet mailserver 25,  
helo originating.domain
helo originating.domain
etrn defermaildomain.ext
etrn defermaildomain.ext
</pre>


mails get defered - you can see them in mailq
mails get defered - you can see them in mailq
also in /var/spool/postfix/flush/
also in /var/spool/postfix/flush/


(see also
(see also
http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112246.html
[http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112246.html]
http://www.postfix.org/ETRN_README.html
[http://www.postfix.org/ETRN_README.html]
http://archives.neohapsis.com/archives/postfix/2001-07/0730.html)
[http://archives.neohapsis.com/archives/postfix/2001-07/0730.html)]


postfix reload reloads the config
== postfix reload reloads the config ==


http://wiki.ev-15.com/debian:mail_system for how to set up squirrelmail and cyrus for IMAP with postfix
== Squirrelmail and IMAP ==
</pre>
[http://wiki.ev-15.com/debian:mail_system for how to set up squirrelmail and cyrus for IMAP with postfix]
[Webmail_Squirrelmail_for_Debian]


You can also force the queue delivery by running


== force the queue delivery ==
<pre>
postqueue -f
postqueue -f
 
</pre>


or deliver a specific message by
or deliver a specific message by
 
<pre>
postsuper -r queue_id
postsuper -r queue_id
</pre>


 
== Queue management ==
You can see the structure of the queues by using
See the queue structure
 
<pre>
qshape
qshape
</pre>


you can see the active / incoming / deferred / hold queues by doing
you can see the active / incoming / deferred / hold queues by doing
 
<pre>
qshape deferred
qshape deferred
 
</pre>
you may have to wait a bit for the output though.
you may have to wait a bit for the output though.


To kill all deferred messages in the queue you can use
To kill all deferred messages in the queue you can use
 
<pre>
postsuper -d ALL deferred
postsuper -d ALL deferred
</pre>


An example from http://sysop.com.cn/document/Postfix.The.Definitive.Guide/0596002122_postfix-chp-5-sect-2.html
An example from [http://sysop.com.cn/document/Postfix.The.Definitive.Guide/0596002122_postfix-chp-5-sect-2.html]


<pre>
<pre>
Line 299: Line 660:
Postgrey is a greylister that rejects email from a server on the first try, using the fact that most spammers do not retry to send their email, whereas
Postgrey is a greylister that rejects email from a server on the first try, using the fact that most spammers do not retry to send their email, whereas
almost all normal mail servers do.
almost all normal mail servers do.
= Old info =
Old pop daemon
<pre>
apt-get install popa3d
</pre>
/etc/logrotate.d/postfix:
<pre>
/var/log/mail/mail.log {
        prerotate
                /opt/myhost/statisticsmyhostmail.sh
        endscript
        daily
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
}
/var/log/mail/popa3d.log /var/log/mail/mail.err /var/log/mail/mail.info /var/log/mail/mail.warn {
        daily
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
}
</pre>

Latest revision as of 13:24, 16 May 2019

Installing Postfix

Changes for a new install on Debian in /etc/postfix:

touch relay-domains
touch virtual
touch virtual-domains
touch transport
touch aliases
touch sender_whitelist
postmap aliases
postmap virtual
postmap transport
postmap sender_whitelist

This goes in some of the files:

/etc/postfix/virtual

# In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries:

# account1@olddomain.ext account1
# account2@olddomain.ext account2
# newdomain.ext DOMAIN
# @newdomain.ext @olddomain.ext

# this will ensure that account1@olddomain.ext AND account1@newdomain.ext is delivered to account1 and account2@[newdomain or olddomain].ext goes to account2

# After changing this file run
# postmap virtual

# Catchalls are set up with
# @domain.ext	userid

/etc/postfix/virtual-domains

# This file contains the domains for which postfix will accept email
# It's not a hash file, so no need to run postmap on it.

/etc/postfix/transport

# This is the list of domains we will transport mail for over smtp, using different protocols.
# This is a hashfile, so postmap transport after editing.

/etc/postfix/sender_whitelist

# don't forget to postmap sender_whitelist after editing, as it's a hash file
# we are a relay for this host

domoticz.edgarbv.int    OK


Make sure the following is appended to mynetworks in main.cf

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24, 212.61.33.42/32, 31.160.12.64/29, 188.204.140.192/27, 217.81.192.88/32

'On the machine sending mail from the home network Also, because this machine is relaying from my home network (because port 25 traffic is blocked by my ISP), change in main.cf

relayhost = MY.IP.ADDRESS:587

(it was empty)

These are the /etc/postfix/main.cf edits

# My edits
# Prevent backscatter
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

message_size_limit = 15000000

# Add virtual accounts and all the domains into these two files
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = /etc/postfix/virtual-domains
# To make aliases add them to these files
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail
# Anti Spam measures (note the order is important!)
smtpd_client_restrictions = permit_mynetworks,
                                permit_sasl_authenticated,
                           reject_rbl_client sbl.spamhaus.org,
                          reject_rbl_client bl.spamcop.net,
                          permit
smtpd_helo_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                        reject_invalid_helo_hostname,
                        permit
smtpd_sender_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                          reject_non_fqdn_sender,
                          reject_unknown_sender_domain,
                          permit
smtpd_data_restrictions = reject_unauth_pipelining,
                        permit
# This is the new style for after 2.10. Debian still has 2.9. They then get removed from smtpd_recipient_restrictions
#smtpd_relay_restrictions = permit_mynetworks,
#                       permit_sasl_authenticated,
#                       reject_unauth_destination,
#                       permit
smtpd_relay_restrictions = permit_mynetworks,
                        permit_sasl_authenticated,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                        reject_unauth_destination,
                        reject_unknown_recipient_domain,
                        reject_unlisted_recipient,
                        reject_unverified_recipient,
                        reject_non_fqdn_recipient,
                        reject_unknown_sender_domain,
                        reject_non_fqdn_hostname,
                        reject_unauth_pipelining,
                        reject_rbl_client zen.spamhaus.org,
                        reject_rbl_client bl.spamcop.net,
                        permit
smtpd_recipient_restrictions = permit_mynetworks,
                        check_sender_access hash:/etc/postfix/sender_whitelist,
                            permit_sasl_authenticated,
                            reject_unauth_destination,
                            reject_unknown_recipient_domain,
                            reject_unlisted_recipient,
                            reject_unverified_recipient,
                            reject_non_fqdn_recipient,
                            reject_unknown_sender_domain,
                            reject_non_fqdn_hostname,
                            reject_unauth_pipelining,
                            # spamhaus is only for non-commercial / low volume use
                            reject_rbl_client zen.spamhaus.org,
                            reject_rbl_client bl.spamcop.net,
                            permit

# you can test the above lines by putting warn_if_reject before a rule, eg "warn_if_reject reject_non_fqdn_hostname,", which puts up a warning in the logfiles, but allows the mail to go through anyway

smtpd_helo_required = yes
disable_vrfy_command = yes
default_process_limit = 100

# This is what postfix will act as an SMTP server for
relay_domains = /etc/postfix/relay-domains
# For delayed delivery using etrn
defer_transports = etrn-only
fast_flush_domains = $relay_domains
smtpd_etrn_restrictions = permit_mynetworks, reject
# This is all added for Mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# This is for maildir delivery
home_mailbox = Maildir/

Some of the documentation on Maildir sets

mailbox_command =

But we're going to configure procmail to deliver to mailbox later, so we keep it as such:

mailbox_command = procmail -a "$EXTENSION"

Check configuration

postconf -n
or
postconf -d

get rid of the postfix pop daemon

apt-get install dovecot-popa3d (for maildir support)

procmail

Change procmail to maildir delivery. Create /etc/procmailrc

LOGFILE=/var/log/mail/procmail
LOGABSTRACT=all
VERBOSE=off
LOG=$date
DEFAULT="$HOME/Maildir/"
MAILDIR="$HOME/Maildir/"

Create everything

mkdir /var/log/mail/
touch /var/log/mail/procmail

Old procmail (non maildir)

vi /etc/procmailrc

#Procmailrc modified by RazoR
#
MAILDIR=/var/spool/mail
LOGFILE=/var/log/mail/procmail
LOGABSTRACT=all
VERBOSE=off
LOG=$date

Create everything

mkdir /var/log/mail/
touch /var/log/mail/procmail

If you mount your mail (mbox format)

ln -s /home/spool/mail/ /var/mail

rsyslog and logrotation

Edit /etc/logrotate.d/rsyslog to add /var/log/mail/procmail to it

edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/ something like:

mail.info                       -/var/log/mail/mail.info
mail.warn                       -/var/log/mail/mail.warn
mail.err                        /var/log/mail/mail.err
mv /var/log/mail.* /var/log/mail/
service rsyslog restart

In /etc/logrotate.d/rsyslog (nb. because we have moved mail logs to /var/log/mail from /var/log)

/var/log/syslog
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}

/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages

/var/log/mail/mail.info /var/log/mail/mail.warn /var/log/mail/mail.err /var/log/mail/mail.log /var/log/mail/popa3d.log /var/log/mail/spamd.log /var/log/mail/procmail
{
        sharedscripts
        prerotate
                /opt/myhost/statisticsmyhostmail.sh
        endscript
        rotate 7
        daily
        missingok
#       notifempty
        compress
        delaycompress
        create 640 root adm
        sharedscripts
        postrotate
                /etc/init.d/rsyslog restart
        endscript
}

If still using popa3d

touch /var/log/mail/popa3d.log

FOR OLD SYSLOG BEHAVIOUR

!popa3d
*.*                             /var/log/mail/popa3d.log

FOR RSYSLOG

in /etc/rsyslog.d/popa3d.conf

if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/mail/popa3d.log
if $programname == 'popa3d' and $syslogseverity <= '6' then ~

Mutt

Use Mutt to open a maildir:

mutt -m maildir -f ~/Maildir

Set Mutt to read maildir. Edit /etc/Muttrc

set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

Authentication with sasl

This uses saslauthd as an authentication layer between pam and postfix smtpd services to check if the user is allowed to log in. There are methods to use dovecot as an authentication layer too, but I haven't gotten that to work.

This one works so far:

http://wiki.debian.org/PostfixAndSASL with more info at http://www.postfix.org/SASL_README.html

Install libsasl2-modules, postfix, postfix-tls, sasl2-bin

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

/etc/default/saslauthd

START=yes
adduser postfix sasl

/etc/fstab

/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0
cd /var/spool/postfix
mkdir -p var/run/saslauthd
mount /var/spool/postfix/var/run/saslauthd

/etc/postfix/main.cf

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

also make sure that smtpd_recipient_restrictions includes

permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

TLS

TLS is an encryption layer that runs on the submission port (587) waiting for people to log in. Make sure the firewall opens this port on UDP / TCP

First you need to generate the key files for the fully qualified mailname / myhostname / hostname of the machine. You can have multiple key files, but only one per IP adress.

Generating the certificate files

Get the certificate from Lets Encrypt

certbot certonly -d mail.edgarbv.com

choose apache.

Depreciated

When filling in common name (CN) Always fill in your domain eg mail.edgarbv.com Generate a private key

openssl genrsa -des3 -out mail.edgarbv.com.key 2048

Create a certificate request

openssl req -new -key mail.edgarbv.com.key -out mail.edgarbv.com.csr

Self sign the key

openssl x509 -req -days 365 -in mail.edgarbv.com.csr -signkey mail.edgarbv.com.key -out mail.edgarbv.com.crt

remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):

openssl rsa -in mail.edgarbv.com.key -out mail.edgarbv.com.key.nopasscp mail.domain.tld.key mail.edgarbv.com.key.pass
mv mail.domain.tld.key.nopass mail.edgarbv.com.key

Make ourself a trusted CA:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Copy the files into a proper location:

chmod 600 mail.edgarbv.com.key
chmod 600 cakey.pem
mv mail.edgarbv.com.key /etc/ssl/private/
mv mail.edgarbv.com.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/

/etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.edgarbv.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.edgarbv.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Depreciated

smtpd_tls_cert_file = /etc/ssl/certs/mail.edgarbv.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.edgarbv.com.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem

Security for sasl and TLS

NB Default policy is:


smtp_sasl_security_options = noplaintext, noanonymous

So that shouldn't have to be changed to


smtp_sasl_security_options = noanonymous

Unless the remote server only offers plaintext authentication.

The same goes for TLS, where default is


smtp_sasl_tls_security_options = $smtp_sasl_security_options

This could be changed to something like:

smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

using the submission port (587)

NB no whitespace around the '=' sign!

/etc/postfix/master.cf

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes

Ensure the port is open in shorewall as well :)

Options to look at:

  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual

using SSL with the ssmtp / smtps port (465)

/etc/postfix/master.cf

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_etrn_restrictions=reject
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Ensure the port is open in shorewall as well :)

Testing

After a postfix restart you can telnet to the open ports, issue an ehlo and you should see AUTH in the list. Once for compliant and once for brokenclients

telnet localhost 25
Trying 127.0.0.1...
Connected to edgarinet.localdomain.
Escape character is '^]'.
220 edgarinet.edgarbv.com ESMTP Postfix (Debian/GNU)
ehlo edgarbv.com
250-edgarinet.edgarbv.com
250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
'''250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN'''
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

If you don't see the AUTH in the list when connecting to port 587, There may be a problem with the certificate files. You can try putting the pem and key files are in the /etc/postfix directory somewhere. It doesn't always like it if they are in /etc/ssl/... somewhere but then it doesn't always like it if they are in the postfix dir either :S


You can check if the server is running properly as an SSL server with

openssl verify -purpose sslserver /etc/ssl/certs/ssl-cert-snakeoil.pem


You can check if SASL is running with

testsaslauthd -u razor -p "password"

Increase logging with

smtpd_tls_loglevel = 2

in main.cf

setting up for dovecot

An alternative idea is you set up dovecot to accept authentication through SASL and then pipe postfix through it to let it authenticate.

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

You can test it as explained in these pages:

http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup

http://www.adomas.org/2006/08/postfix-dovecot/

Useful info

accept for primary MX if it goes down

To accept messages in the mailqueue and defer them untill the primary MX server is up again, add the domain.ext to /etc/postfix/relay-domains and in transport add

domain.ext	etrn-only:

The mail will then be delivered when sendmail -q is sent, or when

telnet mailserver 25, 
helo originating.domain
etrn defermaildomain.ext

mails get defered - you can see them in mailq

also in /var/spool/postfix/flush/

(see also [1] [2] [3]

postfix reload reloads the config

Squirrelmail and IMAP

for how to set up squirrelmail and cyrus for IMAP with postfix [Webmail_Squirrelmail_for_Debian]


force the queue delivery

postqueue -f

or deliver a specific message by

postsuper -r queue_id

Queue management

See the queue structure

qshape

you can see the active / incoming / deferred / hold queues by doing

qshape deferred

you may have to wait a bit for the output though.

To kill all deferred messages in the queue you can use

postsuper -d ALL deferred

An example from [4]

Example 5-1. Perl script to delete queued messages by email address

#!/usr/bin/perl -w
#
# pfdel - deletes message containing specified address from
# Postfix queue. Matches either sender or recipient address.
#
# Usage: pfdel <email_address>
#

use strict;

# Change these paths if necessary.
my $LISTQ = "/usr/sbin/postqueue -p";
my $POSTSUPER = "/usr/sbin/postsuper";

my $email_addr = "";
my $qid = "";
my $euid = $>;

if ( @ARGV !=  1 ) {
        die "Usage: pfdel <email_address>\n";
} else {
        $email_addr = $ARGV[0];
}

if ( $euid != 0 ) {
        die "You must be root to delete queue files.\n";
}


open(QUEUE, "$LISTQ |") || 
  die "Can't get pipe to $LISTQ: $!\n";

my $entry = <QUEUE>;    # skip single header line
$/ = "";                # Rest of queue entries print on
                        # multiple lines.
while ( $entry = <QUEUE> ) {
        if ( $entry =~ / $email_addr$/m ) {
                ($qid) = split(/\s+/, $entry, 2);
                $qid =~ s/[\*\!]//;
                next unless ($qid);

                #
                # Execute postsuper -d with the queue id.
                # postsuper provides feedback when it deletes
                # messages. Let its output go through.
                #
                if ( system($POSTSUPER, "-d", $qid) != 0 ) {
                        # If postsuper has a problem, bail.
                        die "Error executing $POSTSUPER: error " .
                           "code " .  ($?/256) . "\n";
                }
        }
}
close(QUEUE);

if (! $qid ) {
        die "No messages with the address <$email_addr> " .
          "found in queue.\n";
}

exit 0;

Postgrey is a greylister that rejects email from a server on the first try, using the fact that most spammers do not retry to send their email, whereas almost all normal mail servers do.

Old info

Old pop daemon

apt-get install popa3d

/etc/logrotate.d/postfix:

/var/log/mail/mail.log {
        prerotate
                /opt/myhost/statisticsmyhostmail.sh
        endscript
        daily
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
}

/var/log/mail/popa3d.log /var/log/mail/mail.err /var/log/mail/mail.info /var/log/mail/mail.warn {
        daily
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
}