Postfix

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is intended as a fast, easier-to-administer, and secure alternative to the widely-used Sendmail MTA.

Rejecting Unknown Clients
If you see the following lines in your logs...

postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]

Then you can add the following anti-spam measure to cut these out.

smtpd_sender_restrictions = reject_unknown_address

e.g.

smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
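Before turning on a rejection rule, it helps to know which unknown clients are currently getting mail into the queue. The script below is an added example, not part of the original page; the sample log is constructed (only the client=unknown line format comes from the log above) and the function name is hypothetical.

```bash
#!/bin/sh
# Added example (not from the original page): summarise which client IPs
# show up as client=unknown in a Postfix mail log.

# Constructed sample log; only the client=unknown format is from the page.
sample_log() {
cat <<'EOF'
Oct 8 10:00:01 mx1 postfix/smtpd[28842]: connect from unknown[116.102.149.61]
Oct 8 10:00:02 mx1 postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]
Oct 8 10:03:10 mx1 postfix/smtpd[28850]: 4C1DE52DA9: client=unknown[116.102.149.61]
Oct 8 10:05:44 mx1 postfix/smtpd[28851]: 5D2EF63EBA: client=mail.example.org[198.51.100.20]
Oct 8 10:09:27 mx1 postfix/smtpd[28853]: 6E3F0740CB: client=unknown[203.0.113.7]
EOF
}

# Reads a mail log on stdin. Counts only "QUEUEID: client=" lines, which
# smtpd writes when it opens a queue file for a message, so plain
# "connect from" lines are ignored.
unknown_client_report() {
    awk '
    / postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ {
        total++
        i = index($0, "client=unknown[")
        if (i > 0) {
            rest = substr($0, i + 15)               # text after the "["
            ip = substr(rest, 1, index(rest, "]") - 1)
            hits[ip]++
            unknown++
        }
    }
    END {
        for (ip in hits) print hits[ip], ip | "sort -rn"
        close("sort -rn")                           # flush the sorted list first
        printf "unknown %d of %d queue entries\n", unknown, total
    }'
}

sample_log | unknown_client_report
```

Run it against the real log with: unknown_client_report < /var/log/mail.log (path assumed).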

Inspecting Handling Postfix Mail Queue
http://www.tech-g.com/2012/07/15/inspecting-postfixs-email-queue/

Create Self-Signed SSL Certificate For Postfix In Ubuntu Linux
sudo -i
mkdir -p /etc/ssl/postfix/
cd /etc/ssl/postfix/
/usr/lib/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newreq-nodes
/usr/lib/ssl/misc/CA.pl -sign
cp -av demoCA/cacert.pem /etc/ssl/certs/
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
service postfix restart

Forward Postfix Email To Another Account
http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/

Interesting Scripts
http://www.arschkrebs.de/postfix/scripts/

Test Config Parameter
postconf soft_bounce

Performance Tuning
http://www.postfix.org/TUNING_README.html

Set 20MB Mailbox Size Limit
sudo postconf -e message_size_limit=20480000
sudo service postfix reload

Postfix Virtual Mailbox ClamAV
https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto

Add ClamAV AntiVirus
sudo aptitude install -y -v clamav clamav-freshclam clamsmtp
sudo nano /etc/clamsmtpd.conf

OutAddress: 10026
Listen: 127.0.0.1:10025
User: clamav

sudo nano /etc/postfix/main.cf

# SECURITY: ANTI-VIRUS
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

sudo nano /etc/postfix/master.cf

#
# ClamAV    (the extra 2 spaces before each -o are needed!)
#
# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_tls_security_level=none
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtp_tls_security_level=none

chown -R clamav:clamav /var/run/clamsmtp/
chown -R clamav:clamav /var/spool/clamsmtp/
service clamav-freshclam restart
service clamav-daemon restart
service clamsmtp restart
service postfix restart

Each email message that is scanned will have the extra header...

X-Virus-Scanned: ClamAV using ClamSMTP

That's it! Enjoy your new safer email server :-)

Thanks - http://www.linux.com/learn/tutorials/313660:using-clamav-to-kill-viruses-on-postfix

Thanks - http://www.iredmail.org/forum/topic8884-iredmail-support-tls-is-required-but-was-not-offered-by-host-127001.html

Testing With EICAR
wget https://secure.eicar.org/eicar.com.txt
echo "Test virus body" | mutt -a eicar.com.txt -s "This is virus" -- me@mydomain.com

You should see these lines in your mail log...

Oct 8 17:04:51 ip-172-31-21-171 postfix/smtp[8167]: 616E444220: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.06, delays=0.01/0/0.05/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Oct 8 17:04:51 ip-172-31-21-171 postfix/qmgr[7693]: 616E444220: removed
Oct 8 17:04:51 ip-172-31-21-171 clamsmtpd: 100009: from=me@mydomain.com, to=me@mydomain.com, status=VIRUS:Eicar-Test-Signature
Oct 8 17:04:51 ip-172-31-21-171 postfix/smtpd[8169]: disconnect from localhost[127.0.0.1]
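Postfix records a discarded virus as status=sent, so the only place the verdict appears is the clamsmtpd line. The script below is an added example, not part of the original page: it lists those verdicts and counts deliveries deferred because the filter on port 10025 was unreachable. The sample log is constructed, the CLEAN and deferred lines are assumed formats, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original page): pull ClamSMTP verdicts and
# filter outages out of a Postfix mail log.

# Constructed sample modelled on the log lines above.
sample_log() {
cat <<'EOF'
Oct 8 17:04:51 mx1 postfix/smtp[8167]: 616E444220: to=<me@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.06, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Oct 8 17:04:51 mx1 clamsmtpd: 100009: from=me@mydomain.com, to=me@mydomain.com, status=VIRUS:Eicar-Test-Signature
Oct 8 17:05:10 mx1 clamsmtpd: 10000A: from=a@example.org, to=me@mydomain.com, status=CLEAN
Oct 8 17:06:02 mx1 postfix/smtp[8170]: 7A1B2C3D4E: to=<me@mydomain.com>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10025: Connection refused)
EOF
}

# Prints "signature sender recipient" for every message clamsmtpd flagged.
virus_hits() {
    awk '/ clamsmtpd(\[[0-9]+\])?: / && /status=VIRUS:/ {
        from = to = sig = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                         # drop trailing comma
            if (f ~ /^from=/) from = substr(f, 6)
            else if (f ~ /^to=/) to = substr(f, 4)
            else if (f ~ /^status=VIRUS:/) sig = substr(f, 14)
        }
        print sig, from, to
    }'
}

# Counts deliveries deferred because the scan transport on port 10025
# could not be reached: mail then waits in the queue unscanned.
filter_deferrals() {
    grep -c 'postfix/smtp\[.*status=deferred.*:10025' || true
}

sample_log | virus_hits
echo "filter deferrals: $(sample_log | filter_deferrals)"
```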

Thanks - https://rtcamp.com/tutorials/mail/server/testing/antivirus/

Anti Spam
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Spam Reports
Download the script...

mkdir /root/bin
cd /root/bin
wget http://www.postconf.com/docs/spamrep/spamrep_today
ln -s spamrep_today spamrep_yesterday

Edit as required...

MAILTO=me@mydomain.com
LOGFILES="mail.log"
MAILCMD=/usr/bin/mail

Add to root's crontab...

@daily /root/bin/spamrep_yesterday |mutt -s "Spam Report" root@localhost

Secure Postfix
https://wiki.centos.org/HowTos/postfix_restrictions

http://www.cyberciti.biz/faq/postfix-backup-mx-server-anti-spam/

http://askubuntu.com/questions/418340/how-to-secure-postfix-on-ubuntu-server

http://www.hsc.fr/ressources/cours/postfix/doc/rate.html

http://edoceo.com/howto/postfix-security

https://wiki.centos.org/HowTos/postgrey

HOWTO: Test SMTP With SWAKS
swaks --server localhost --to me@mydomain.com --from me@mydomain.com

Thanks - https://www.debian-administration.org/article/633/Testing_SMTP_servers_with_SWAKS

Generate SMTP AUTH Username Password
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0mypassword");'

HOWTO: Virtual Domains Address Redirecting Users Aliases
/etc/postfix/main.cf:

virtual_alias_domains = example.com fish.com fooey.com
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:

postmaster@example.com postmaster
info@example.com       joe
sales@fish.com         jane
sales@fooey.com        jeff
# Uncomment entry below to implement a catch-all address
# @example.com         jim

postmap /etc/postfix/virtual
postfix reload

Thanks - http://www.postfix.org/VIRTUAL_README.html

HOWTO: Log Information (Subject)
Install the package postfix-pcre.

Create a file with the regular expression to match, e.g. /etc/postfix/header_checks:

/^Subject:/ INFO

In your /etc/postfix/main.cf add this to your configuration with a line like this:

header_checks = pcre:/etc/postfix/header_checks

Reload the configuration:

sudo service postfix reload

Thanks - http://askubuntu.com/questions/245299/postfix-logging

Per User Relay Transport Mapping
sudo postconf -e "transport_maps = hash:/etc/postfix/transport"

/etc/postfix/transport

domain1.com            local:
user1@domain2.com      smtp:smart.host1.com:25
domain2.com            local:
user1@domain3.com      smtp:smart.host1.com:25
user2@domain3.com      smtp:smart.host2.com:25
domain3.com            local:
*                      smtp:outbound.smarthost.com:25

Please note that transport_maps overrides the relayhost parameter. However, you can have a "* smtp:outbound.smarthost.com:25" line in your transport file, as shown above.

sudo postmap /etc/postfix/transport
sudo postfix reload

Thanks - http://superuser.com/questions/718803/postfix-relay-mail-to-smart-host-for-specifc-users

Per Domain Transport Mapping
EXAMPLES

In order to deliver internal mail directly, while using a mail relay for all other mail, specify a null entry for internal destinations (do not change the delivery transport or the nexthop information) and specify a wildcard for all other destinations.

my.domain    :
.my.domain   :
*            smtp:outbound-relay.my.domain

/etc/postfix/main.cf

mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination
transport_maps = hash:/etc/postfix/transport

/etc/postfix/sender_access

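mydomain.com OK
localhost OK
localhost.localdomain OK

The sender address looked up here is whatever the client supplies in MAIL FROM, so an OK result, evaluated before reject_unauth_destination, is not proof that the message came from one of your own users.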

/etc/postfix/transport

localhost :
localhost.localdomain :
mydomain.com :
# this is where the magic happens :)
thatdomain.com smtp:[smtp.thatdomain.com]
* smtp:[auth.smtp.1and1.co.uk]:587

Thanks - http://www.postfix.org/transport.5.html

Thanks - https://www.howtoforge.com/community/threads/postfix-relay-one-domain-to-smarthost-a-all-else-to-smarthost-b.62955/

Old - http://serverfault.com/questions/257637/postfix-to-relay-mails-to-other-smtp-for-particular-domain

Multiple ISP Client SMTP Authentication
http://www.cyberciti.biz/faq/postfix-multiple-isp-accounts-smarthost-smtp-client/

SMTP AUTHentication In Ubuntu Linux
It would be nice to be able to send email messages from your Ubuntu Linux computer, but most ISPs will not accept them, because of authentication restrictions. These instructions give them what they want...

Configure main configuration file...

sudo nano /etc/postfix/main.cf

Either add or edit the following with your required settings...

smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [my.smtp.host.co.uk]
smtp_sasl_password_maps = hash:/etc/postfix/sasl/password
smtp_sasl_security_options = noanonymous

Create the SASL password file...

sudo nano /etc/postfix/sasl/password

[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD

Lock down permissions...

sudo chmod 0600 /etc/postfix/sasl/password

Hash the file...

sudo postmap hash:/etc/postfix/sasl/password

Create the Postfix generic maps file...

sudo nano /etc/postfix/generic

root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com

Hash the file...

sudo postmap hash:/etc/postfix/generic

Copy the supporting files to the Postfix working directory...

sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
sudo cp -av /etc/resolv.conf /var/spool/postfix/etc/

Create the header checks file for later (with MailScanner)...

sudo touch /etc/postfix/header_checks

Start Postfix...

sudo postfix start

Install mailutils and mutt...

sudo aptitude install -y mailutils mutt

Send test email message...

mail me@myemailaccount.com
Subject: test
Cc:
message
CTRL+D

SMTP AUTHentication With STARTTLS Security Non Standard Port In Ubuntu Linux
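sudo nano /etc/postfix/main.cf

relayhost = [mail.domain.com]:587
smtp_tls_security_level = may

sudo nano /etc/postfix/sasl_password

[mail.domain.com]:587 username@domain.com:MyPasswOrd

sudo postmap hash:/etc/postfix/sasl_password
sudo service postfix restart

smtp_tls_security_level = may is opportunistic: Postfix uses STARTTLS when the relay offers it and otherwise continues in plaintext. Use encrypt if the session, and the SASL password sent over it, must always be protected by TLS.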
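The password maps in both recipes (/etc/postfix/sasl/password and /etc/postfix/sasl_password) hold the relay password in clear text, and postmap creates the .db file with the group and other read permissions of its source only when the .db does not already exist. The check below is an added example, not part of the original page: it flags a map or its .db that is readable by group or others. It assumes GNU stat (as on Ubuntu); the function name and the demo files are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original page): verify that a Postfix SASL
# password map and the .db built from it are closed to group and others.
# Assumes GNU coreutils stat (stat -c).

# audit_sasl_map FILE
# Prints one line per problem; returns 1 if anything was found.
audit_sasl_map() {
    src=$1
    rc=0
    for f in "$src" "$src.db"; do
        if [ ! -e "$f" ]; then
            # A missing .db only means postmap has not been run yet.
            if [ "$f" = "$src" ]; then echo "MISSING $f"; rc=1; fi
            continue
        fi
        # Zero-pad so that mode 0 and mode 600 are both four digits.
        mode=$(printf '%04d' "$(stat -c '%a' "$f")")
        case $mode in
            *00) ;;                                  # no group/other bits
            *)   echo "EXPOSED $f mode=$mode"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed files: the source was locked down, but a .db left
# over from an earlier postmap run still carries mode 0644.
demo=$(mktemp -d)
printf '[my.smtp.host.co.uk] me@myemailaccount.com:placeholder\n' > "$demo/password"
: > "$demo/password.db"
chmod 0600 "$demo/password"
chmod 0644 "$demo/password.db"
audit_sasl_map "$demo/password" || echo "fix: chmod 0600 the files listed above"
rm -rf "$demo"
```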

If you receive the following error...

postfix/smtp: warning: SASL authentication failure: No worthy mechs found
postfix/smtp: status=deferred (SASL authentication failed; cannot authenticate to server: no mechanism available)

Then fix it with this...

sudo aptitude install libsasl2-modules
sudo service postfix restart

SMTP AUTHentication SERVER For Remote Clients
/etc/postfix/main.cf

mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
relayhost = [auth.smtp.1and1.co.uk]:587
inet_protocols = ipv4
header_checks = pcre:/etc/postfix/header_checks
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_relay_domains check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

/etc/dovecot/conf.d/10-master.conf

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
auth_mechanisms = plain login

Restart the software...

sudo service dovecot restart
sudo service postfix restart

Thanks - https://help.ubuntu.com/lts/serverguide/postfix.html

Thanks - http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Thanks - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

HOWTO: Add Various Options To The Config File
Security

sudo -i
postconf -e "myorigin = example.com"
postconf -e "myhostname=server1.example.com"
postconf -e "relay_domains = example.com, example2.com, example3.com"

Thanks - https://wiki.debian.org/Postfix

HOWTO: Completely Remove Postfix From Debian Or Ubuntu
sudo aptitude remove postfix* --purge

FAQ
http://www.cise.ufl.edu/~jnw/SysAdminsp01/Lectures/postfix-html/faq.html

HOWTO: Use Dovecot LDA
http://wiki2.dovecot.org/LDA/Postfix

nano /etc/postfix/main.cf

mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

Main Email Hostname
nano /etc/mailname

server1.domain.com

IPv6
sudo nano /etc/postfix/main.cf

Add this line to the file...

inet_protocols = ipv4

Bind Postfix Mail Server To Localhost or Specific IP Address Only
Edit /etc/postfix/main.cf and put the following...

inet_interfaces = 127.0.0.1

Check
mailq

Flush
sudo postfix flush

Delete A Single Message In The Mail Queue
Run mailq to get the ID of the message, then delete it...

mailq
sudo postsuper -d GH123459706X

Delete All Messages In The Mail Queue
sudo postsuper -d ALL

Reload Postfix Configuration
sudo postfix reload

Restart Postfix
sudo service postfix restart

warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Add the following line to /etc/postfix/main.cf...

alias_maps = hash:/etc/aliases

Run the alias mapping tool...

sudo newaliases

Restart Postfix...

sudo service postfix restart

ERROR: Name service error for xxx.com: Host not found, try again
If you get this error in /var/log/mail/info, it might be because your /var/spool/postfix/etc/resolv.conf is wrong. If you look in /var/log/mail/warnings and see

warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ

you should copy /etc/resolv.conf to /var/spool/postfix/etc/.

The error occurs because Postfix runs in a chroot and can then only see files under /var/spool/postfix/. During installation, Postfix takes a copy of /etc/resolv.conf and places it in its own directory.

There could be more errors than that. Check /var/log/mail/warnings and /var/log/mail/errors and make sure you have verified all files. In case of more trouble run the command postfix check.

You could also get error messages like:

postfix/postfix-script: warning: /var/spool/postfix/etc/localtime and /etc/localtime differ
postfix/postfix-script: warning: /var/spool/postfix/etc/services and /etc/services differ

This implies that /etc/localtime and /etc/services should be copied. Before doing anything, check how the files differ.

postdrop: warning: unable to look up public/pickup: No such file or directory
/etc/init.d/sendmail stop
update-rc.d -f sendmail remove
update-rc.d postfix defaults
/etc/init.d/postfix start