Postfix

From Indie IT Wiki

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is intended as a fast, easier-to-administer, and secure alternative to the widely-used Sendmail MTA.

Fix Error: NIS domain name not set

Error...

warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

Fix...

sudo postconf -e "alias_maps = hash:/etc/aliases"
sudo postfix stop
sudo postfix start

Thanks - https://unix.stackexchange.com/questions/244199/postfix-mail-logs-keep-showing-nis-domain-not-set

Web Administration

https://www.vimbadmin.net

Whitelist

Add the check_sender_access line and make sure it is just BEFORE the spam checks...

/etc/postfix/main.cf
smtpd_recipient_restrictions =
   reject_unauth_pipelining,
   reject_unlisted_recipient,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
   reject_invalid_hostname,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client cbl.abuseat.org,
   check_policy_service inet:127.0.0.1:10023,
   permit

Then, add your email addresses, domains or IP addresses to the whitelist file...

/etc/postfix/sender_access
domain.com OK
fish.co.uk OK

Create the database file and reload postfix...

postmap /etc/postfix/sender_access
postfix reload
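
Position matters in both directions: an OK from check_sender_access ends evaluation of the list, so the entry has to sit before the RBL checks but, as in the list above, after reject_unauth_destination; otherwise a forged whitelisted sender address skips the relay check on Postfix versions without smtpd_relay_restrictions (before 2.10). The following is an added example, not part of the original wiki: a shell function (lint_restrictions, a name chosen here) that reads a restriction list and reports lookups placed ahead of the relay check. Both sample lists are abbreviated from layouts used on this page.

```shell
#!/bin/sh
# Added example, not part of the wiki. Reads one restriction list on stdin, in
# main.cf layout or as printed by `postconf -h smtpd_recipient_restrictions`,
# and prints every lookup or permit evaluated BEFORE reject_unauth_destination.
lint_restrictions() {
    tr ',' ' ' | awk '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "reject_unauth_destination" || t == "defer_unauth_destination") {
                    guarded = 1; break
                }
                # These only match trusted clients, so they may precede the relay check.
                if (t == "permit_mynetworks" || t == "permit_sasl_authenticated") continue
                # Anything else that can answer OK/permit is reported for review.
                if (t ~ /^check_.*_access$/ || t ~ /^permit/)
                    print "before-relay-check: " t (t ~ /^check_/ ? " " tok[i+1] : "")
            }
            if (!guarded) print "missing: reject_unauth_destination"
        }'
}

# Sample input, abbreviated from the Whitelist section above.
whitelist_order() { cat <<'EOF'
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unauth_destination,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_rbl_client zen.spamhaus.org,
   permit
EOF
}

# Sample input, abbreviated from the Per Domain Transport Mapping section.
transport_order() { cat <<'EOF'
smtpd_recipient_restrictions =
  permit_mynetworks
  check_sender_access hash:/etc/postfix/sender_access
  reject_unauth_destination
EOF
}

echo "whitelist layout:"; whitelist_order | lint_restrictions
echo "transport layout:"; transport_order | lint_restrictions
```

On a live server the same function can be fed with postconf -h smtpd_recipient_restrictions.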

Amazon Web Services SES (Simple Email Service)

/etc/postfix/sasl/sasl_password
[email-smtp.eu-west-1.amazonaws.com]:587 AKyouraccesskeyinhere:youraccesskeypasswordinhere
/etc/postfix/main.cf
## SMTP CLIENT
relayhost = [email-smtp.eu-west-1.amazonaws.com]:587
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password
smtp_use_tls = yes 
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Add Custom Header

nano /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks
nano /etc/postfix/header_checks

/^Content-Type:/i PREPEND X-Received-By: mail2.domain.co.uk

You can then add a custom Thunderbird Message Filter to Add a Tag based on Header Content :-)

Thanks - http://unix.stackexchange.com/questions/44123/add-header-to-outgoing-email-with-postfix#44211

Backup MX

nano /etc/postfix/main.cf

## GENERAL SETTINGS
inet_protocols = ipv4
inet_interfaces = all
myhostname = mail2.domain.co.uk
mynetworks =
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
## SMTP CLIENT
relayhost = [mail.domain.co.uk]:25
relay_domains = domain.co.uk
nano /etc/aliases

postmaster: root
root: info@domain.co.uk

Order Of Postfix Checking

The order of evaluation is...

  1. smtpd_client_restrictions
  2. smtpd_helo_restrictions
  3. smtpd_sender_restrictions
  4. smtpd_recipient_restrictions
  5. smtpd_data_restrictions

Rejecting Unknown Clients

If you see the following lines in your logs...

postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]

Then you can add the following anti-spam measure to stop them.

smtpd_client_restrictions = reject_unknown_client_hostname

e.g.

## SECURITY: RESTRICTIONS
## 0. CLIENT
smtpd_client_restrictions =
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    permit
## 1. HELO
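
To size how much traffic these restrictions affect, before and after enabling them, the log can be summarised per client address. This is an added example, not part of the original wiki; the function name unknown_client_report is chosen here, and the sample log is constructed around the one log line shown above.

```shell
#!/bin/sh
# Added example, not part of the wiki. Reads mail log lines on stdin and prints,
# per client IP that Postfix logged as "unknown", how many messages were queued
# (client=unknown[...]) and how many attempts were refused (Client host rejected).
unknown_client_report() {
    awk '
        /postfix\/smtpd\[/ && /client=unknown\[/ {
            ip = $0; sub(/.*client=unknown\[/, "", ip); sub(/\].*/, "", ip)
            queued[ip]++; ips[ip] = 1
        }
        /postfix\/smtpd\[/ && /reject: .* from unknown\[/ && /Client host rejected/ {
            ip = $0; sub(/.* from unknown\[/, "", ip); sub(/\].*/, "", ip)
            rejected[ip]++; ips[ip] = 1
        }
        END {
            for (ip in ips)
                printf "%s queued=%d rejected=%d\n", ip, queued[ip], rejected[ip]
        }' | sort
}

# Constructed sample log. Only 116.102.149.61 comes from the log line on this
# page; the other addresses are documentation ranges.
sample_log() { cat <<'EOF'
Oct  8 17:01:02 mail postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]
Oct  8 17:01:09 mail postfix/smtpd[28842]: 4C1DE52DA9: client=unknown[116.102.149.61]
Oct  8 17:02:11 mail postfix/smtpd[28850]: 5D2EF63EB0: client=mail.example.org[192.0.2.10]
Oct  8 17:03:30 mail postfix/smtpd[28851]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.net> to=<me@mydomain.com> proto=ESMTP helo=<example.net>
EOF
}

sample_log | unknown_client_report
```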

Inspecting Handling Postfix Mail Queue

http://www.tech-g.com/2012/07/15/inspecting-postfixs-email-queue/

sudo -i
cat domain_co_uk.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > postfix_domain_co_uk.crt
cat domain_co_uk.key > postfix_domain_co_uk.key
cp -av postfix_domain_co_uk.crt /etc/ssl/certs/
cp -av postfix_domain_co_uk.key /etc/ssl/private/
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix_domain_co_uk.crt'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix_domain_co_uk.key'
service postfix restart

Create Self-Signed SSL Certificate For Postfix In Ubuntu Linux

sudo -i
mkdir -p /etc/ssl/postfix/
cd /etc/ssl/postfix/
/usr/lib/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newreq-nodes
/usr/lib/ssl/misc/CA.pl -sign
cp -av demoCA/cacert.pem /etc/ssl/certs/
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
service postfix restart

Forward Postfix Email To Another Account

http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/

Interesting Scripts

http://www.arschkrebs.de/postfix/scripts/

Test Config Parameter

postconf soft_bounce

Performance Tuning

http://www.postfix.org/TUNING_README.html

Set 20MB Message Size Limit

sudo postconf -e message_size_limit=20480000
sudo service postfix reload

Postfix Virtual Mailbox ClamAV

https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto

Add ClamAV AntiVirus

sudo aptitude install -y -v clamav clamav-freshclam clamsmtp

sudo nano /etc/clamsmtpd.conf

OutAddress: 10026
Listen: 127.0.0.1:10025
User: clamav

sudo nano /etc/postfix/main.cf

## SECURITY: ANTI-VIRUS
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings

sudo nano /etc/postfix/master.cf

#
# ClamAV    (the extra 2 spaces before each -o are needed!)
#
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_tls_security_level=none
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtp_tls_security_level=none

chown -R clamav:clamav /var/run/clamsmtp/
chown -R clamav:clamav /var/spool/clamsmtp/
service clamav-freshclam restart
service clamav-daemon restart
service clamsmtp restart
service postfix restart

Each email message that is scanned will have the extra header...

X-Virus-Scanned: ClamAV using ClamSMTP

That's it! Enjoy your new safer email server :-)

Thanks - http://www.linux.com/learn/tutorials/313660:using-clamav-to-kill-viruses-on-postfix

Thanks - http://www.iredmail.org/forum/topic8884-iredmail-support-tls-is-required-but-was-not-offered-by-host-127001.html

Testing With EICAR

wget https://secure.eicar.org/eicar.com.txt
echo "Test virus body" | mutt -a eicar.com.txt -s "This is virus" -- me@mydomain.com

You should see these lines in your mail log...

Oct  8 17:04:51 ip-172-31-21-171 postfix/smtp[8167]: 616E444220: to=<me@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.06, delays=0.01/0/0.05/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Oct  8 17:04:51 ip-172-31-21-171 postfix/qmgr[7693]: 616E444220: removed
Oct  8 17:04:51 ip-172-31-21-171 clamsmtpd: 100009: from=me@mydomain.com, to=me@mydomain.com, status=VIRUS:Eicar-Test-Signature
Oct  8 17:04:51 ip-172-31-21-171 postfix/smtpd[8169]: disconnect from localhost[127.0.0.1]

Thanks - https://rtcamp.com/tutorials/mail/server/testing/antivirus/

Anti Spam

SpamAssassin

https://www.debuntu.org/postfix-and-spamassassin-how-to-filter-spam/

Antispam

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Spam Reports

Download the script...

mkdir /root/bin
cd /root/bin
wget http://www.postconf.com/docs/spamrep/spamrep_today
ln -s spamrep_today spamrep_yesterday

Edit as required...

MAILTO=me@mydomain.com
LOGFILES="mail.log"
MAILCMD=/usr/bin/mail

Add to root's crontab...

@daily /root/bin/spamrep_yesterday |mutt -s "Spam Report" root@localhost

Secure Postfix

https://wiki.centos.org/HowTos/postfix_restrictions

http://www.cyberciti.biz/faq/postfix-backup-mx-server-anti-spam/

http://askubuntu.com/questions/418340/how-to-secure-postfix-on-ubuntu-server

http://www.hsc.fr/ressources/cours/postfix/doc/rate.html

http://edoceo.com/howto/postfix-security

https://wiki.centos.org/HowTos/postgrey

HOWTO: Test SMTP With SWAKS

swaks --server localhost --to me@mydomain.com --from me@mydomain.com

Thanks - https://www.debian-administration.org/article/633/Testing_SMTP_servers_with_SWAKS

Generate SMTP AUTH Username Password

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0mypassword");'

HOWTO: Virtual Domains Address Redirecting Users Aliases

/etc/postfix/main.cf:
    virtual_alias_domains = example.com fish.com fooey.com
    virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
    postmaster@example.com postmaster
    info@example.com       joe
    sales@fish.com         jane
    sales@fooey.com        jeff
    # Uncomment entry below to implement a catch-all address
    # @example.com         jim
postmap /etc/postfix/virtual
postfix reload

Thanks - http://www.postfix.org/VIRTUAL_README.html

HOWTO: Log Information (Subject)

Install the package postfix-pcre.

Create a file with the regular expression to match, e.g. /etc/postfix/header_checks:

/^Subject:/ INFO

In your /etc/postfix/main.cf add this to your configuration with a line like this:

header_checks = pcre:/etc/postfix/header_checks

Reload the configuration:

sudo service postfix reload

Thanks - http://askubuntu.com/questions/245299/postfix-logging

HOWTO: CONFIGURE

Per User Relay Transport Mapping

sudo postconf -e "transport_maps = hash:/etc/postfix/transport"

/etc/postfix/transport

domain1.com             local:
user1@domain2.com       smtp:smart.host1.com:25
domain2.com             local:
user1@domain3.com       smtp:smart.host1.com:25
user2@domain3.com       smtp:smart.host2.com:25
domain3.com             local:
*                       smtp:outbound.smarthost.com:25

Please note that transport_maps overrides the relayhost parameter. However, you can have a * smtp:outbound.smarthost.com:25 line in your transport file, as shown above.

sudo postmap /etc/postfix/transport
sudo postfix reload

Thanks - http://superuser.com/questions/718803/postfix-relay-mail-to-smart-host-for-specifc-users

Per Domain Transport Mapping

EXAMPLES
      In  order  to  deliver internal mail directly, while using a mail relay
      for all other mail, specify a null entry for internal destinations  (do
      not change the delivery transport or the nexthop information) and
      specify a wildcard for all other destinations.

           my.domain    :
           .my.domain   :
           *         smtp:outbound-relay.my.domain

/etc/postfix/main.cf

mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions =
  permit_mynetworks
  check_sender_access hash:/etc/postfix/sender_access
  reject_unauth_destination
transport_maps = hash:/etc/postfix/transport

/etc/postfix/sender_access

mydomain.com OK
localhost OK
localhost.localdomain OK

/etc/postfix/transport

localhost :
localhost.localdomain :
mydomain.com :
# this is where the magic happens :)
thatdomain.com smtp:[smtp.thatdomain.com]
* smtp:[auth.smtp.1and1.co.uk]:587

Thanks - http://www.postfix.org/transport.5.html

Thanks - https://www.howtoforge.com/community/threads/postfix-relay-one-domain-to-smarthost-a-all-else-to-smarthost-b.62955/

Old - http://serverfault.com/questions/257637/postfix-to-relay-mails-to-other-smtp-for-particular-domain

Multiple ISP Client SMTP Authentication

http://www.cyberciti.biz/faq/postfix-multiple-isp-accounts-smarthost-smtp-client/

SMTP AUTHentication In Ubuntu Linux

It would be nice to be able to send email messages from your Ubuntu Linux computer, but most ISPs will not accept them, because of authentication restrictions. These instructions give them what they want...

Configure main configuration file...

sudo nano /etc/postfix/main.cf

Either add or edit the following with your required settings...

smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [my.smtp.host.co.uk]
smtp_sasl_password_maps = hash:/etc/postfix/sasl/password
smtp_sasl_security_options = noanonymous

Create the SASL password file...

sudo nano /etc/postfix/sasl/password

[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD

Lock down permissions...

sudo chmod 0600 /etc/postfix/sasl/password

Hash the file...

sudo postmap hash:/etc/postfix/sasl/password

Create the Postfix generic maps file...

sudo nano /etc/postfix/generic

root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com

Hash the file...

sudo postmap hash:/etc/postfix/generic

Copy the supporting files to the Postfix working directory...

sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
sudo cp -av /etc/resolv.conf /var/spool/postfix/etc/

Create the header checks file for later (with MailScanner)...

sudo touch /etc/postfix/header_checks

Start Postfix...

sudo postfix start

Install mailutils and mutt...

sudo aptitude install -y mailutils mutt

Send test email message...

mail me@myemailaccount.com
     Subject: test
     Cc:
     message
     CTRL+D

SMTP AUTHentication With STARTTLS Security Non Standard Port In Ubuntu Linux

sudo nano /etc/postfix/main.cf
          relayhost = [mail.domain.com]:587
          smtp_tls_security_level = may
sudo nano /etc/postfix/sasl_password
          [mail.domain.com]:587 username@domain.com:MyPasswOrd
sudo postmap hash:/etc/postfix/sasl_password
sudo service postfix restart

If you receive the following error...

postfix/smtp: warning: SASL authentication failure: No worthy mechs found
postfix/smtp: status=deferred (SASL authentication failed; cannot authenticate to server: no mechanism available)

Then fix it with this...

sudo aptitude install libsasl2-modules
sudo service postfix restart
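
With smtp_tls_security_level = may the client only uses STARTTLS when the relay offers it, so the SASL login can still go out unencrypted; the Amazon SES section above uses encrypt, which makes TLS mandatory. The following is an added example, not part of the original wiki: a shell check (function names chosen here) that reads a main.cf-style file and reports whether client SASL is enabled without mandatory TLS, run against a constructed sample in the style of this page.

```shell
#!/bin/sh
# Added example, not part of the wiki: does this main.cf let the SMTP client
# send its SASL password over a connection where TLS is only optional?

# Print the last value assigned to parameter $2 in main.cf-style file $1.
cf_value() {
    awk -v k="$2" '$0 ~ ("^" k "[ \t]*=") {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
    } END { print v }' "$1"
}

# Print a verdict for file $1; return 1 when SASL is on without mandatory TLS.
sasl_tls_verdict() {
    sasl=$(cf_value "$1" smtp_sasl_auth_enable)
    level=$(cf_value "$1" smtp_tls_security_level)
    if [ -z "$level" ]; then
        # The obsolete switches only count when smtp_tls_security_level is unset.
        [ "$(cf_value "$1" smtp_use_tls)" != yes ] || level=may
        [ "$(cf_value "$1" smtp_enforce_tls)" != yes ] || level=encrypt
    fi
    if [ "$sasl" != yes ]; then echo "ok: client SASL not enabled"; return 0; fi
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure)
            echo "ok: TLS mandatory ($level)" ;;
        *)  echo "weak: TLS optional or off (${level:-none})"; return 1 ;;
    esac
}

# Constructed sample: relay settings in the style of this page; $1 is the TLS level.
sample_cf() {
    printf '%s\n' '## SMTP CLIENT' 'relayhost = [mail.domain.com]:587' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_password' \
        "smtp_tls_security_level = $1"
}

# Write the sample to a temporary file, print the verdict, clean up.
check_sample() {
    f=$(mktemp) && sample_cf "$1" > "$f"
    sasl_tls_verdict "$f"; rc=$?
    rm -f "$f"; return "$rc"
}

check_sample may || true        # weak: TLS optional or off (may)
check_sample encrypt            # ok: TLS mandatory (encrypt)
```

On a server, sasl_tls_verdict /etc/postfix/main.cf gives the same verdict and a non-zero exit status for the weak case.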

SMTP AUTHentication SERVER For Remote Clients

/etc/postfix/main.cf

mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
relayhost = [auth.smtp.1and1.co.uk]:587
inet_protocols = ipv4
header_checks = pcre:/etc/postfix/header_checks
smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   check_relay_domains
   check_sender_access hash:/etc/postfix/sender_access
   reject_unauth_destination
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

/etc/dovecot/conf.d/10-master.conf

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix        
  }
}
auth_mechanisms = plain login

Restart the software...

sudo service dovecot restart
sudo service postfix restart

Thanks - https://help.ubuntu.com/lts/serverguide/postfix.html

Thanks - http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Thanks - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

HOWTO: Add Various Options To The Config File

Security

sudo -i
postconf -e "myorigin = example.com"
postconf -e "myhostname=server1.example.com"
postconf -e "relay_domains = example.com, example2.com, example3.com"

Thanks - https://wiki.debian.org/Postfix

HOWTO: Completely Remove Postfix From Debian Or Ubuntu

sudo aptitude remove postfix* --purge

FAQ

http://www.cise.ufl.edu/~jnw/SysAdminsp01/Lectures/postfix-html/faq.html

HOWTO: Use Dovecot LDA

http://wiki2.dovecot.org/LDA/Postfix

nano /etc/postfix/main.cf
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

Main Email Hostname

nano /etc/mailname

server1.domain.com

HOWTO: DISABLE

IPv6

sudo nano /etc/postfix/main.cf

# Add this line to the file
inet_protocols = ipv4

Bind Postfix Mail Server To Localhost or Specific IP Address Only

Edit /etc/postfix/main.cf and put the following...

inet_interfaces = 127.0.0.1

HOWTO: MAIL QUEUE

Check

mailq

Flush

sudo postfix flush

Delete A Single Message In The Mail Queue

mailq    # to get the ID of the message
sudo postsuper -d GH123459706X

Delete All Messages In The Mail Queue

sudo postsuper -d ALL

Reload Postfix Configuration

sudo postfix reload

Restart Postfix

sudo service postfix restart

HOWTO: FIX:

warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

Add the following line to /etc/postfix/main.cf...

alias_maps = hash:/etc/aliases

Run the alias mapping tool...

sudo newaliases

Restart Postfix...

sudo service postfix restart

ERROR: Name service error for xxx.com: Host not found, try again

If you get this error in /var/log/mail/info it might be because your /var/spool/postfix/etc/resolv.conf is wrong. If you look in /var/log/mail/warnings and see

warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ

you should copy /etc/resolv.conf to /var/spool/postfix/etc/.

The error occurs because you run postfix in a chroot, so postfix can only see files in /var/spool/postfix/. During install postfix takes a copy of /etc/resolv.conf and places it in its own directory.

There could be more errors than that. Check /var/log/mail/warnings and /var/log/mail/errors and make sure you have verified all files. In case of more trouble run the command postfix check.

You could also get error messages like:

postfix/postfix-script: warning: /var/spool/postfix/etc/localtime and /etc/localtime differ
postfix/postfix-script: warning: /var/spool/postfix/etc/services and /etc/services differ

This implies that /etc/localtime and /etc/services should be copied. Before doing anything, check what the difference between the files is.

postdrop: warning: unable to look up public/pickup: No such file or directory

/etc/init.d/sendmail stop
update-rc.d -f sendmail remove
update-rc.d postfix defaults
/etc/init.d/postfix start