Postfix is highly configurable to suit your needs. For large corporations and ISPs, Postfix can be configured to use a MySQL backend instead of flat configuration files, so a single insert or delete of a database record adds or removes users, domains, etc. This tutorial configures Postfix to receive email using local configuration files.
Postfix Installation:
- Red Hat/Fedora/CentOS: yum install postfix
- Ubuntu/Debian: apt-get install postfix
Postfix configuration file: /etc/postfix/main.cf
(Red Hat, Fedora, Suse and Ubuntu!)
Basic:
# Common for all Postfix configurations:
smtpd_banner = $myhostname ESMTP $mail_name     - Mail RFC requirement. RHEL5: uncomment this line
biff = no                                       - Turn off local user mail notification
mailbox_size_limit = 0                          - Zero implies no limit
message_size_limit = 20480000                   - Set a size limit on email (bytes)
recipient_delimiter = +                         - RHEL5: uncomment this line
append_dot_mydomain = no                        - Appending .domain is the MUA's job. Email cannot be sent to a partial domain name (user@partialdomainname), only to full domains
mail_spool_directory = /var/mail                - RHEL5: uncomment this line
Allow no relay or outbound SMTP:
Add to file main.cf:
relayhost =
mynetworks = 127.0.0.1/32
inet_interfaces = all                           - Interfaces to listen on. Comma separated list, eg. localhost, hostname
Receive email for local users: (multiple domains can be specified, but an email sent to Michael is not distinguished between domains: there is one Michael for all domains.)
Add to file main.cf:
myhostname = mail.megawebhost.com
mydomain = megawebhost.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# All domains listed in mydestination are subject to /etc/aliases mapping.
# Do not list domains to be used with virtual hosts!
mydestination = $mydomain $myhostname alternateName1 localhost.localdomain localhost
Virtual host:
(Receive email for multiple domains, with users distinguished between domains: the recipient ed@megacorp.com is different from ed@charity.com.)
Add this definition to support virtual hosts:
# After editing file /etc/postfix/valias.txt
# run command: postmap /etc/postfix/valias.txt
# to create the hash db file.
virtual_alias_maps = hash:/etc/postfix/valias.txt
# Use local unix account mailboxes for these domains
virtual_alias_domains = /etc/postfix/vhosts.txt
Add anti-SPAM measures:
Add to file main.cf:
# Place all of the restrictions into the smtpd_recipient_restrictions:
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_sender_restrictions =
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_recipient_restrictions =
    # permit_mynetworks,
    # permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    # check_client_access hash:/etc/postfix/maps/access_client,
    # check_helo_access hash:/etc/postfix/maps/access_helo,
    # check_sender_access hash:/etc/postfix/maps/access_sender,
    check_sender_access hash:/etc/postfix/access_sender,
    # check_recipient_access hash:/etc/postfix/maps/access_recipient,
    # reject_rhsbl_client blackhole.securitysage.com,    THIS SITE IS RETIRED
    # reject_rhsbl_sender blackhole.securitysage.com,    THIS SITE IS RETIRED
    # reject_rbl_client relays.ordb.org,                 THIS SITE IS RETIRED
    # reject_rbl_client blackholes.easynet.nl,           THIS SITE IS RETIRED
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client proxies.blackholes.wirehub.net,  THIS SITE IS RETIRED
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    # reject_rbl_client opm.blitzed.org,                 THIS SITE IS RETIRED
    # reject_rbl_client dnsbl.njabl.org,                 THIS SITE IS RETIRED
    # reject_rbl_client list.dsbl.org,                   THIS SITE IS RETIRED
    # reject_rbl_client multihop.dsbl.org,               THIS SITE IS RETIRED
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
Note:
- Spamhaus combines three blackhole lists, the Exploits Block List (exploited systems) xbl.spamhaus.org, the Policy Block List (non-MTA IP addresses) pbl.spamhaus.org and the Spamhaus Block List sbl.spamhaus.org, into the single zone "zen.spamhaus.org".
- Verify that every DNSBL you list is still in operation before deploying it: a retired list may stop answering (slowing every delivery while lookups time out) or may answer positively for every query, which would reject all inbound mail.
Limit denial of service attacks:
Add to file main.cf:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
header_size_limit = 51200
smtp_recipient_limit = 100
File: /etc/postfix/vhosts.txt
megacorp.com
charityX.org
productX.com
Domains listed here should NOT be listed with the "mydestination" directive.
File: /etc/postfix/valias.txt
This file maps email addresses to local user names:
joe@megacorp.com      userjoe
joe@charityX.org      userjoseph
info@productX.com     userjoe
Upon creation or change, create the db file: postmap /etc/postfix/valias.txt
This creates the file /etc/postfix/valias.txt.db
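An added Python model (not code from the page or from Postfix) of how the mydestination, virtual_alias_domains and valias.txt settings above decide which mailbox a recipient lands in, and why a domain must not appear in both lists; the table contents are constructed copies of the page's values and the user accounts are assumed to exist.

```python
# Constructed stand-ins for the page's main.cf values and lookup tables (assumptions, not
# a real host). Simplified model of Postfix address classes, not Postfix's own logic.
MYDESTINATION = {"megawebhost.com", "mail.megawebhost.com", "localhost.localdomain", "localhost"}
VIRTUAL_ALIAS_DOMAINS = {"megacorp.com", "charityx.org", "productx.com"}   # vhosts.txt
VIRTUAL_ALIAS_MAPS = {                                                     # valias.txt
    "joe@megacorp.com": "userjoe",
    "joe@charityx.org": "userjoseph",
    "info@productx.com": "userjoe",
}
LOCAL_ALIASES = {"info": "user1"}     # /etc/aliases, applied to mydestination domains only

def address_class(address):
    """Which class the recipient's domain belongs to; reject_unauth_destination
    only accepts recipients in a class this server is responsible for."""
    domain = address.lower().rpartition("@")[2]
    if domain in MYDESTINATION and domain in VIRTUAL_ALIAS_DOMAINS:
        return "misconfigured"   # Postfix warns about a domain in BOTH lists
    if domain in MYDESTINATION:
        return "local"
    if domain in VIRTUAL_ALIAS_DOMAINS:
        return "virtual_alias"
    return "relay_denied"        # not ours: reject_unauth_destination refuses it

def resolve_mailbox(address):
    """Return the local unix account that receives the mail, or None if there is none."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    cls = address_class(address)
    if cls == "virtual_alias":
        # valias.txt: exact address first, then an @domain catch-all entry if present
        return VIRTUAL_ALIAS_MAPS.get(address) or VIRTUAL_ALIAS_MAPS.get("@" + domain)
    if cls == "local":
        # one 'joe' for every mydestination domain: the domain part is dropped
        return LOCAL_ALIASES.get(user, user)
    return None
```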
File: /etc/postfix/access_sender
0.0.0.0/8       REJECT Domain MX in broadcast network
10.0.0.0/8      REJECT Domain MX in RFC 1918 private network
127.0.0.0/8     REJECT Domain MX in loopback network
169.254.0.0/16  REJECT Domain MX in link local network
172.16.0.0/12   REJECT Domain MX in RFC 1918 private network
192.0.2.0/24    REJECT Domain MX in TEST-NET network
192.168.0.0/16  REJECT Domain MX in RFC 1918 private network
224.0.0.0/4     REJECT Domain MX in class D multicast network
240.0.0.0/5     REJECT Domain MX in class E reserved network
248.0.0.0/5     REJECT Domain MX in reserved network
Generate database file "access_sender.db": postmap /etc/postfix/access_sender
Used by the main.cf directive check_sender_access hash:/etc/postfix/access_sender
Caveat: the entries above are CIDR network blocks, but check_sender_access matches the sender's email address and domain name, and a hash: table cannot match an address range, so as written these entries never trigger. Postfix provides this check as check_sender_mx_access cidr:/etc/postfix/access_sender, which compares the IP addresses of the sender domain's MX hosts against a cidr: table (cidr: tables are read directly; no postmap step is needed).
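An added Python example (not code from the page or from Postfix) showing what the table above is meant to do: it parses the page's entries as a first-match cidr: table and rejects a sender whose domain has any MX host in a listed network, the semantics of check_sender_mx_access. The MX-host addresses are constructed in place of DNS lookups and the domains are not real.

```python
import ipaddress

# The page's access_sender table, embedded inline so the example runs offline.
ACCESS_SENDER = """\
0.0.0.0/8       REJECT Domain MX in broadcast network
10.0.0.0/8      REJECT Domain MX in RFC 1918 private network
127.0.0.0/8     REJECT Domain MX in loopback network
169.254.0.0/16  REJECT Domain MX in link local network
172.16.0.0/12   REJECT Domain MX in RFC 1918 private network
192.0.2.0/24    REJECT Domain MX in TEST-NET network
192.168.0.0/16  REJECT Domain MX in RFC 1918 private network
224.0.0.0/4     REJECT Domain MX in class D multicast network
240.0.0.0/5     REJECT Domain MX in class E reserved network
248.0.0.0/5     REJECT Domain MX in reserved network
"""

# Constructed MX-host addresses standing in for DNS lookups (assumption: not real domains).
MX_ADDRESSES = {
    "megacorp.com": ["203.0.113.25"],                # MX on a routable address
    "spammer.example": ["10.1.2.3"],                 # MX pointing into private space
    "mixed.example": ["198.51.100.9", "127.0.0.1"],  # one good MX, one bogus
}

def parse_cidr_table(text):
    """Parse 'network action reason' lines into (network, action, reason) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            net, action, reason = line.split(None, 2)
            rules.append((ipaddress.ip_network(net), action, reason))
    return rules

RULES = parse_cidr_table(ACCESS_SENDER)

def lookup(rules, ip):
    """First matching rule wins, as in a Postfix cidr: table; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    return next(((action, reason) for net, action, reason in rules if addr in net), None)

def check_sender_mx(rules, sender):
    """REJECT a sender whose domain has any MX host inside a listed network;
    DUNNO hands the decision to the next restriction in the list."""
    domain = sender.rpartition("@")[2].lower()
    for ip in MX_ADDRESSES.get(domain, []):
        hit = lookup(rules, ip)
        if hit and hit[0] == "REJECT":
            return "REJECT", f"{ip}: {hit[1]}"
    return "DUNNO", ""
```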
Other access lists:
- Iowa State University
- West-Point.org
- Wizcrafts.net: Exploited server list (IP block list)
Postfix debugging and diagnostics: Look in log files for error messages.
- Red Hat: /var/log/maillog
- Ubuntu: /var/log/mail.log
Postfix Pitfalls:
- Error in /var/log/maillog
...
Feb 7 21:45:00 ip-XXX-XXX-XXX-XXX postfix/postfix-script[26232]: starting the Postfix mail system
Feb 7 21:45:00 ip-XXX-XXX-XXX-XXX postfix/master[26233]: fatal: bind 0.0.0.0 port 25: Address already in use
Feb 7 21:48:22 ip-XXX-XXX-XXX-XXX postfix/postfix-script[26273]: fatal: the Postfix mail system is not running
...
Check for other applications using port 25: fuser -uv 25/tcp
Often Sendmail is installed by default and may be running.
Fix: service sendmail stop; service postfix restart
Postfix configuration tutorials:
- Postfix.org: Configuration options
- Postfix.org: Anti-spam configuration [example]
- Blocking Unsolicited Email (UCE)
- Greylisting
More examples:
- Complete mail server configurations - Debian/Ubuntu
Postfix can be configured three different ways to interface with Mailman. The following uses the /etc/aliases file, which requires this main.cf configuration:
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
File: /etc/aliases
#
# regular aliases
#
info: user1
joe: user1
theadore: ted
#
# mailman aliases
#
mailman:              "|/var/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/mailman/mail/mailman unsubscribe mailman"
#
megacorp:             "|/var/mailman/mail/mailman post megacorp"
megacorp-admin:       "|/var/mailman/mail/mailman admin megacorp"
megacorp-bounces:     "|/var/mailman/mail/mailman bounces megacorp"
megacorp-confirm:     "|/var/mailman/mail/mailman confirm megacorp"
megacorp-join:        "|/var/mailman/mail/mailman join megacorp"
megacorp-leave:       "|/var/mailman/mail/mailman leave megacorp"
megacorp-owner:       "|/var/mailman/mail/mailman owner megacorp"
megacorp-request:     "|/var/mailman/mail/mailman request megacorp"
megacorp-subscribe:   "|/var/mailman/mail/mailman subscribe megacorp"
megacorp-unsubscribe: "|/var/mailman/mail/mailman unsubscribe megacorp"
#
These mailman entries are generated by Mailman. See the YoLinux Mailman tutorial. After editing /etc/aliases, run newaliases (or postalias /etc/aliases) to rebuild the /etc/aliases.db lookup table that alias_database points to.
Links on Postfix and Mailman integration:
(Three different methodologies)
- Postfix-Mailman integration - GNU
- Use regular expression in configuration: Nezo.net: example and tutorial.
Open Relay:
Check whether your server is an open relay (you do not want to be an open relay):
Block Lists:
Check if your server is on the spam block list:
- https://www.spamhaus.org/query/ip/XXX.XXX.XXX.XXX
DNS SPF:
To thwart spammers pretending to send email from your domain (spoofing), use your DNS to specify your outbound email server. Many email servers now check inbound email against the sender domain's SPF record to see whether the sending server is authorized. Use an SPF record in your DNS configuration to prevent being blocked. One popular test email servers perform is whether the sending server has permission to send email on behalf of the domain; if the server sending the outbound email is not listed, the email bounces or is put in the spam folder. Add a Sender Policy Framework (SPF) record as follows (pick one solution):
- Specify the inbound email server as defined by the DNS MX record is also your outbound email server:
;
; Mail server for domain
;
                  IN MX 5 mail
;
; SPF: allow the MX mail server to send email for the domain
your-domain.com.  IN TXT "v=spf1 a mx -all"
- v=spf1: all SPF records start with "v=spf1"
- -all: fail any sending address that did not match one of the preceding mechanisms (use this)
- +all: pass any sending address
- ~all: soft fail
- a: the address in the domain's A record is authorized to send email on behalf of the domain
- mx: the MX inbound mail server is also authorized as the outbound mail server
- Specify the IP address of the outbound email server:
your-domain.com. IN TXT "v=spf1 a mx ip4:XXX.XXX.XXX.XXX -all"
- Use ip4 or ip6 to specify an IP version 4 or version 6 network address
- Specify an alternate email service provider (in this case Google gmail) to also grant permission to send email on behalf of the domain:
your-domain.com. IN TXT "v=spf1 a mx include:_spf.google.com -all"
- include: authorize outbound hosts outside of your domain
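An added Python example (not code from the page) that evaluates the three SPF record variants above against a connecting IP address, covering the a, mx, ip4, ip6 and include mechanisms and the -all, ~all, +all qualifiers the page lists. All DNS data is constructed inline; the record given for _spf.google.com is invented purely to exercise include: and is not Google's real record.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: none of these are real
# hosts or real records). The TXT records for your-domain.com / other-domain.example are
# the page's SPF variants; the _spf.google.com content is invented for the demonstration.
DNS = {
    "your-domain.com": {"A": ["203.0.113.10"], "MX": ["mail.your-domain.com"],
                        "TXT": "v=spf1 a mx include:_spf.google.com -all"},
    "mail.your-domain.com": {"A": ["203.0.113.25"]},
    "other-domain.example": {"A": ["203.0.113.40"], "MX": [],
                             "TXT": "v=spf1 a mx ip4:198.51.100.0/24 -all"},
    "_spf.google.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def records(domain, rrtype):
    return DNS.get(domain, {}).get(rrtype, [])

def ip_in(ip, target):
    # target may be a single host address or a CIDR block; mixed IPv4/IPv6 never matches
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for the connecting sender_ip, left to right,
    returning the qualifier's result for the first matching mechanism."""
    terms = (DNS.get(domain, {}).get("TXT") or "").split()
    if not terms or terms[0] != "v=spf1" or depth > 10:
        return "none"                     # no record (or include: nested too deeply)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "a":                 # sender is an A record of the domain
            matched = any(ip_in(sender_ip, h) for h in records(arg or domain, "A"))
        elif name == "mx":                # sender is an A record of one of the MX hosts
            matched = any(ip_in(sender_ip, h) for mx in records(arg or domain, "MX")
                          for h in records(mx, "A"))
        elif name in ("ip4", "ip6"):
            matched = ip_in(sender_ip, arg)
        elif name == "include":           # matches only if the included record passes
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"            # mechanism not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"                      # nothing matched and no 'all' term
```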