Difference between revisions of "Postfix"
Plittlefield (talk | contribs) |
Plittlefield (talk | contribs) |
||
Line 1,064: | Line 1,064: | ||
postfix flush | postfix flush | ||
+ | |||
+ | === Send 1 Message From Queue === | ||
+ | |||
+ | postqueue -p | grep -v ^- | grep -v "(" | cut -d' ' -f1 |grep -e [[:alnum:]] | ||
+ | postqueue -i ID | ||
+ | postqueue -p | awk '/^[0-9A-F]/{print "postqueue -i "$1 " ;sleep 2s"}' |sh | ||
+ | |||
+ | Thanks - https://serverfault.com/questions/752638/how-to-flush-postfix-queue-one-mail-at-a-time | ||
=== Release Message In HOLD Queue === | === Release Message In HOLD Queue === |
Revision as of 15:07, 10 September 2024
Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is intended as a fast, easier-to-administer, and secure alternative to the widely-used Sendmail MTA.
Installation
sudo DEBIAN_PRIORITY=low apt-get install postfix
Reinstallation
sudo dpkg-reconfigure postfix
Main System Domain Name
Postfix will use this file and make any emails sent from within the system as this domain name...
/etc/mailname domain.co.uk
Fix Error: (No client certificate requested)
sudo postconf -e 'smtpd_tls_received_header = no' sudo postfix check sudo postfix reload
Fix Error: NIS domain name not set
Error...
warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Fix...
sudo postconf -e "alias_maps = hash:/etc/aliases" sudo postfix stop sudo postfix start
Thanks - https://unix.stackexchange.com/questions/244199/postfix-mail-logs-keep-showing-nis-domain-not-set
Web Administration
Postfix Admin
Postfix Admin is a PHP web based interface to configure an email server.
It has 2 main backend database options - sqlite and mysql.
SQLite
Install the software...
sudo -i add-apt-repository ppa:ondrej/php apt-get -y install php7.4-cgi php7.4-sqlite3 php7.4-mbstring php7.4-imap lighttpd postfix-sqlite lighty-enable-mod fastcgi lighty-enable-mod fastcgi-php service lighttpd restart cd /opt/ git clone https://github.com/postfixadmin/postfixadmin.git cd postfixadmin/ git checkout
Create the Postfix Admin directories and files...
ln -s /opt/postfixadmin/public /var/www/html/postfixadmin mkdir /opt/postfixadmin/database touch /opt/postfixadmin/database/postfixadmin.db sudo chown -R www-data:www-data /opt/postfixadmin/database mkdir -p /opt/postfixadmin/templates_c chown -R www-data /opt/postfixadmin/templates_c
Create the Postfix Admin configuration file...
n /opt/postfixadmin/config.local.php <?php $CONF['database_type'] = 'sqlite'; $CONF['database_name'] = '/opt/postfixadmin/database/postfixadmin.db'; $CONF['configured'] = true; ?>
Fire up a web browser and go to...
http://your.domain/postfixadmin/setup.php
Follow the instructions to create a setup password, then re-edit the Postfix Admin configuration file...
n /opt/postfixadmin/config.local.php <?php $CONF['database_type'] = 'sqlite'; $CONF['database_name'] = '/opt/postfixadmin/database/postfixadmin.db'; $CONF['configured'] = true; $CONF['setup_password'] = 'bbe4d0ceb8200ae760dea45b0137abc8:282cd03ac51641c04bf5c06bd241e7c18ccxxxxxxx'; ?>
Fire up a web browser and go back to...
http://your.domain/postfixadmin/setup.php
Create the Administrator account.
Check all good, then go to...
http://your.domain/postfixadmin/login.php
All done!
...
TO BE DONE...
Postfix
https://blog.here-host.com/setup-configure-mail-server-postfixadmin-ubuntu-16-04/
https://www.rosehosting.com/blog/setup-and-configure-a-mail-server-with-postfixadmin/
Dovecot
https://blog.here-host.com/setup-configure-mail-server-postfixadmin-ubuntu-16-04/
https://wiki.archlinux.org/index.php/PostfixAdmin - tweaks for dovecot
ViMbAdmin
sudo -i
Install MySQL...
cd /tmp/ wget https://dev.mysql.com/get/mysql-apt-config_0.8.15-1_all.deb dpkg -i mysql-apt-config_0.8.15-1_all.deb apt-get update apt-get -y install mysql-server mysql_secure_installation mysql -u root -p -e 'status;'
Install PHP...
php -v sudo add-apt-repository ppa:ondrej/php sudo apt-get update sudo apt-get -y install php7.4-cgi php7.4-cli php7.4-common php7.4-curl php7.4-fpm php7.4-gd php7.4-json php7.4-mysql php7.4-readline php7.4-xml php7.4-mbstring php7.4-zip
Install Composer...
wget https://raw.githubusercontent.com/composer/getcomposer.org/c5e3f5a2a8e6742d38a9eb716161c32931243f57/web/installer -O - -q | php -- --quiet cp -av composer.phar /usr/local/bin/composer which composer
Download ViMbAdmin...
cd /opt/ git clone https://github.com/opensolutions/ViMbAdmin.git vimbadmin
Install ViMbAdmin...
cd vimbadmin/ apt install unzip composer install --prefer-dist --no-dev
Fix folder permissions for web server...
chown -R www-data:www-data var/
Create MySQL database...
mysql -u root -p -e "CREATE DATABASE vimbadmin; CREATE USER 'vimbadmin' IDENTIFIED BY 'SuperPassword'; GRANT ALL ON vimbadmin.* TO 'vimbadmin'; FLUSH PRIVILEGES;"
Copy the example configuration file...
cp /opt/vimbadmin/application/configs/application.ini.dist /opt/vimbadmin/application/configs/application.ini
Edit the configuration file (especially the mailbox format, Dovecot encryption method and the SMTP mail relay, such as AWS SES)...
nano /opt/vimbadmin/application/configs/application.ini ... defaults.mailbox.maildir = "maildir:/var/vmail/%d/%u/mail:LAYOUT=fs" defaults.mailbox.homedir = "/var/vmail/%d/%u" ... defaults.mailbox.password_scheme = "dovecot:SHA256-CRYPT" ... resources.mail.transport.type = "smtp" resources.mail.transport.host = "email-smtp.eu-west-1.amazonaws.com" resources.mail.transport.username = "access key" resources.mail.transport.password = "secret key" resources.mail.transport.auth = "login" resources.mail.transport.ssl = "tls" resources.mail.transport.port = "587"
Lock down the public folder...
cp /opt/vimbadmin/public/.htaccess.dist /opt/vimbadmin/public/.htaccess
Populate the MySQL database...
cd /opt/vimbadmin ./bin/doctrine2-cli.php orm:schema-tool:create
Open your web browser and go to the opening setup page...
http://ip.or.domain.name/vimbadmin
Copy the Security Salt lines to your configuration file...
nano /opt/vimbadmin/application/configs/application.ini
Reload the setup web page in your browser...
http://ip.or.domain.name/vimbadmin
Copy the same 'security salt' line to the web page and then create an admin user.
Postfix and MySQL
Blacklist
sudo iptables -I INPUT -s 1.2.3.4 -j DROP sudo iptables -I INPUT -s 1.2.3.0/24 -j DROP
https://ethitter.com/2016/03/blocking-sender-ips-in-postfix/
Whitelist
To truly whitelist, you must add access controls to each part of the SMTP process shown below or one of them may fail and reject the message (depending on what Postfix does not like about the SMTP transaction).
- CLIENT
- HELO
- SENDER
- RECIPIENT
Here is an example line from the mail log file on a Postfix server:-
Mar 1 08:06:21 ip-172-31-45-157 postfix/smtpd[11349]: NOQUEUE: reject: RCPT from exchange.hq.overdrive.com[207.54.136.3]: 450 4.7.1 <postfix1b.hq.overdrive.com>: Helo command rejected: Host not found; from=<donotreply@overdrive.com> to=<user@domain.com> proto=ESMTP helo=<postfix1b.hq.overdrive.com>
- CLIENT = exchange.hq.overdrive.com
- HELO = postfix1b.hq.overdrive.com
- SENDER = donotreply@overdrive.com
- RECIPIENT = user@domain.com
The lines in italics are the ones which make the whitelisting work...
1. CLIENT
This is where the computers establish a TCP connection and any DNS tests are performed.
/etc/postfix/main.cf smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access, reject_unknown_client_hostname, reject_unknown_reverse_client_hostname, permit /etc/postfix/client_access spammerdomain.com REJECT mydomain.co.uk OK mail.domain.org OK 11.222.333.444 OK
2. HELO
This is where the computers announce who they are.
/etc/postfix/main.cf smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit /etc/postfix/helo_access spammerdomain.com REJECT mydomain.co.uk OK mail.domain.org OK 11.222.333.444 OK
3. SENDER
This is where the FROM address is offered.
/etc/postfix/main.cf smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, permit /etc/postfix/sender_access spammer@spam.com REJECT john@domain.com OK @dodgydomain.co.uk REJECT @domain.org OK
4. RECIPIENT
This is where the TO address is offered.
/etc/postfix/main.cf smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access, check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining, reject_unlisted_recipient, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, check_policy_service inet:127.0.0.1:10023, permit /etc/postfix/client_access spammerdomain.com REJECT mydomain.co.uk OK mail.domain.org OK 11.222.333.444 OK /etc/postfix/sender_access spammer@spam.com REJECT john@domain.com OK @dodgydomain.co.uk REJECT @domain.org OK
With those files in place, now hash the database files and reload Postfix to start using them...
postmap /etc/postfix/helo_access postmap /etc/postfix/client_access postmap /etc/postfix/sender_access postfix reload
Postfix SMTP relay and access control
OLD
http://linuxlasse.net/linux/howtos/Blacklist_and_Whitelist_with_Postfix
There are two different parameters we can set in postfix, which act differently.
- check_client_access - Blocks by client IP, Client IP Range or Hostname.
- check_sender_access - Block by sender e-mail address (In the FROM field).
This is how it would look in the main.cf file...
/etc/postfix/main.cf smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_access, check_sender_access hash:/etc/postfix/sender_access, (add your reject lines now) ... permit
Then, add your email addresses, domains or IP addresses to the text whitelist files...
/etc/postfix/client_access 123.456.789.0 OK domain.com OK fish.co.uk OK
/etc/postfix/sender_access john@domain.com OK fred@fish.co.uk OK
Create the database file and reload postfix...
postmap /etc/postfix/client_access postmap /etc/postfix/sender_access postfix reload
Amazon Web Services SES (Simple Email Service)
/etc/postfix/sasl/sasl_password [email-smtp.eu-west-1.amazonaws.com]:587 AKyouraccesskeyinhere:youraccesskeypasswordinhere
/etc/postfix/main.cf ## SMTP CLIENT relayhost = [email-smtp.eu-west-1.amazonaws.com]:587 smtp_generic_maps = hash:/etc/postfix/generic smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password smtp_use_tls = yes smtp_tls_security_level = encrypt smtp_tls_note_starttls_offer = yes smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Content Checking
https://www.unixteacher.org/blog/postfix-built-in-content-inspection/
Add Custom Header
nano /etc/postfix/main.cf header_checks = regexp:/etc/postfix/header_checks
nano /etc/postfix/header_checks /^Content-Type:/i PREPEND X-Received-By: mail2.domain.co.uk
You can then add a custom Thunderbird Message Filter to Add a Tag based on Header Content :-)
Thanks - http://unix.stackexchange.com/questions/44123/add-header-to-outgoing-email-with-postfix#44211
Remove Headers
https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/
Backup MX
nano /etc/postfix/main.cf ## GENERAL SETTINGS inet_protocols = ipv4 inet_interfaces = all myhostname = mail2.domain.co.uk mynetworks = alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases ## SMTP CLIENT relayhost = [mail.domain.co.uk]:25 relay_domains = domain.co.uk
nano /etc/aliases postmaster: root root: info@domain.co.uk
Order Of Postfix Checking
The order of evaluation is...
- smtpd_client_restrictions
- smtpd_helo_restrictions
- smtpd_sender_restrictions
- smtpd_recipient_restrictions
- smtpd_data_restrictions
telnet 192.168.0.2 25 # Comments Trying 192.168.0.2... Connected to 192.168.0.2 (192.168.0.2). Escape character is '^]'. 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions HELO mail.example.com # <-smtp_helo_restrictions 250 mail.example.com # MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions 250 2.1.0 Ok # RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions 250 2.1.5 Ok # DATA # <-smtp_data_restrictions 354 End data with <CR><LF>.<CR><LF> # To:<ned@example.com> # <-header_checks From:<ned@example.com> # Subject:SMTP Test # This is a test message # <-body_checks . # 250 2.0.0 Ok: queued as 301AE20034 QUIT 221 2.0.0 Bye Connection closed by foreign host.
Rejecting Unknown Clients
If you see the following lines in your logs...
postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]
Then you can add the following anti-spam measure to stop them.
smtpd_client_restrictions = reject_unknown_client_hostname
e.g.
## SECURITY: RESTRICTIONS ## 0. CLIENT smtpd_client_restrictions = reject_unknown_client_hostname, reject_unknown_reverse_client_hostname, permit ## 1. HELO
Inspecting Handling Postfix Mail Queue
http://www.tech-g.com/2012/07/15/inspecting-postfixs-email-queue/
Generate Diffe Hellman parameters
for len in 512 1024; do openssl genpkey -genparam -algorithm DH -out /etc/postfix/dh_${len}.pem -pkeyopt dh_paramgen_prime_len:${len}; done
Let's Encrypt SSL Certificate with Postfix
https://upcloud.com/community/tutorials/secure-postfix-using-lets-encrypt/
Paid SSL Certificate For Postfix in Ubuntu Linux
sudo -i cat domain_co_uk.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > postfix_domain_co_uk.crt cat domain_co_uk.key > postfix_domain_co_uk.key cp -av postfix_domain_co_uk.crt /etc/ssl/certs/ cp -av postfix_domain_co_uk.key /etc/ssl/private/ postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix_domain_co_uk.crt' postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix_domain_co_uk.key' service postfix restart
Create Self-Signed SSL Certificate For Postfix In Ubuntu Linux
sudo -i mkdir -p /etc/ssl/postfix/ cd /etc/ssl/postfix/ /usr/lib/ssl/misc/CA.pl -newca /usr/lib/ssl/misc/CA.pl -newreq-nodes /usr/lib/ssl/misc/CA.pl -sign cp -av demoCA/cacert.pem /etc/ssl/certs/ postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt' postconf -e 'smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem' postconf -e 'smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem' postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' service postfix restart
Check SSL Certificate
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.domain.co.uk:25 -servername mail.domain.co.uk -starttls smtp
Check End Date of SSL Certificate
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.domain.co.uk:25 -servername mail.domain.co.uk -starttls smtp | openssl x509 -noout -dates
Forward Postfix Email To Another Account
http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/
Interesting Scripts
http://www.arschkrebs.de/postfix/scripts/
Test Email Changing FROM Field
echo "This is a test email body." | mail -a "From: joe@bloggs.co.uk" -s "Test" jill@bloggs.co.uk
Test Config Parameter
postconf soft_bounce
Performance Tuning
http://www.postfix.org/TUNING_README.html
Set 20MB Mailbox Size Limit
sudo postconf -e 'message_size_limit=20480000' sudo service postfix reload
Postfix Virtual Mailbox ClamAV
https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto
Add ClamAV AntiVirus
sudo aptitude install -y -v clamav clamav-freshclam clamsmtp sudo nano /etc/clamsmtpd.conf
OutAddress: 10026 Listen: 127.0.0.1:10025 User: clamav
sudo nano /etc/postfix/main.cf
## SECURITY: ANTI-VIRUS content_filter = scan:127.0.0.1:10025 receive_override_options = no_address_mappings
sudo nano /etc/postfix/master.cf
# # ClamAV (the extra 2 spaces before each -o are needed!) # # AV scan filter (used by content_filter) scan unix - - n - 16 smtp -o smtp_send_xforward_command=yes -o smtp_tls_security_level=none # For injecting mail back into postfix from the filter 127.0.0.1:10026 inet n - n - 16 smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -o smtp_tls_security_level=none
chown -R clamav:clamav /var/run/clamsmtp/ chown -R clamav:clamav /var/spool/clamsmtp/ service clamav-freshclam restart service clamav-daemon restart service clamsmtp restart service postfix restart
Each email message that is scanned will have the extra header...
X-Virus-Scanned: ClamAV using ClamSMTP
That's it! Enjoy your new safer email server :-)
Thanks - http://www.linux.com/learn/tutorials/313660:using-clamav-to-kill-viruses-on-postfix
Testing With EICAR
wget https://secure.eicar.org/eicar.com.txt echo "Test virus body" | mutt -a eicar.com.txt -s "This is virus" -- me@mydomain.com
You should see these lines in your mail log...
Oct 8 17:04:51 ip-172-31-21-171 postfix/smtp[8167]: 616E444220: to=<me@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.06, delays=0.01/0/0.05/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email) Oct 8 17:04:51 ip-172-31-21-171 postfix/qmgr[7693]: 616E444220: removed Oct 8 17:04:51 ip-172-31-21-171 clamsmtpd: 100009: from=me@mydomain.com, to=me@mydomain.com, status=VIRUS:Eicar-Test-Signature Oct 8 17:04:51 ip-172-31-21-171 postfix/smtpd[8169]: disconnect from localhost[127.0.0.1]
Thanks - https://rtcamp.com/tutorials/mail/server/testing/antivirus/
Anti Spam
Tutorial - Spam Filtering Based on SMTP Header
SpamAssassin
https://www.debuntu.org/postfix-and-spamassassin-how-to-filter-spam/
Antispam
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
Spam Reports
Download the script...
mkdir /root/bin cd /root/bin wget http://www.postconf.com/docs/spamrep/spamrep_today ln -s spamrep_today spamrep_yesterday
Edit as required...
MAILTO=me@mydomain.com LOGFILES="mail.log" MAILCMD=/usr/bin/mail
Add to root's crontab...
@daily /root/bin/spamrep_yesterday |mutt -s "Spam Report" root@localhost
Secure Postfix
https://wiki.centos.org/HowTos/postfix_restrictions
http://www.cyberciti.biz/faq/postfix-backup-mx-server-anti-spam/
http://askubuntu.com/questions/418340/how-to-secure-postfix-on-ubuntu-server
http://www.hsc.fr/ressources/cours/postfix/doc/rate.html
http://edoceo.com/howto/postfix-security
Postgrey
https://wiki.centos.org/HowTos/postgrey
sudo wget -O /etc/postgrey/whitelist_clients https://raw.githubusercontent.com/schweikert/postgrey/master/postgrey_whitelist_clients && sudo service postgrey restart
HOWTO: Test SMTP With SWAKS
swaks --server localhost --to me@mydomain.com --from me@mydomain.com
If you want to test your own email server from another computer, disable the spam and postgrey checks on the server, then use the extra ehlo option...
swaks --ehlo mail.domain.co.uk --from info@domain.co.uk --to info@domain.co.uk --server mail.domain.co.uk
If you have SMTP Authentication on your server, then use the following example as a template, which starts a TLS connection first and uses port 587...
swaks -tls --ehlo computer.hostname --from info@domain.co.uk --to joe@bloggs.co.uk --auth --auth-user=info@domain.co.uk --auth-password=PaSSwOrD --server mail.domain.co.uk --port 587
Thanks - https://www.debian-administration.org/article/633/Testing_SMTP_servers_with_SWAKS
Generate SMTP AUTH Username Password
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0mypassword");'
HOWTO: Virtual Domains Address Redirecting Users Aliases
/etc/postfix/main.cf: virtual_alias_domains = example.com fish.com fooey.com virtual_alias_maps = hash:/etc/postfix/virtual /etc/postfix/virtual: postmaster@example.com postmaster info@example.com joe sales@fish.com jane sales@fooey.com jeff # Uncomment entry below to implement a catch-all address # @example.com jim
postmap /etc/postfix/virtual postfix reload
Thanks - http://www.postfix.org/VIRTUAL_README.html
HOWTO: Log Information (Subject)
Create a file with the regular expression to match in /etc/postfix/header_checks:
/^Subject:/ INFO
In your /etc/postfix/main.cf add this to your configuration with a line like this:
header_checks = regexp:/etc/postfix/header_checks
Reload the configuration:
sudo service postfix reload
Thanks - http://askubuntu.com/questions/245299/postfix-logging
HOWTO: CONFIGURE
TLS Security Encryption
https://kruyt.org/postfix-and-tls-encryption/
Per User Relay Transport Mapping
sudo postconf -e "transport_maps = hash:/etc/postfix/transport"
/etc/postfix/transport
domain1.com local: user1@domain2.com smtp:smart.host1.com:25 domain2.com local: user1@domain3.com smtp:smart.host1.com:25 user2@domain3.com smtp:smart.host2.com:25 domain3.com local: * smtp:outbound.smarthost.com:25
Please note that transport_maps override relayhost parameter. However, you can have a * smtp:outbound.smarthost.com:25 line in your transport file as shown above.
sudo postmap /etc/postfix/transport sudo postfix reload
Thanks - http://superuser.com/questions/718803/postfix-relay-mail-to-smart-host-for-specifc-users
Per Domain Transport Mapping
EXAMPLES In order to deliver internal mail directly, while using a mail relay for all other mail, specify a null entry for internal destinations (do not change the delivery transport or the nexthop information) and spec- ify a wildcard for all other destinations. my.domain : .my.domain : * smtp:outbound-relay.my.domain
/etc/postfix/main.cf
mynetworks = 127.0.0.0/8 192.168.1.0/24 smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination transport_maps = hash:/etc/postfix/transport
/etc/postfix/sender_access
mydomain.com OK localhost OK localhost.localdomain OK
/etc/postfix/transport
localhost : localhost.localdomain : mydomain.com : thatdomain.com smtp:[smtp.thatdomain.com] <-- this is where the magic happens :) * smtp:[auth.smtp.1and1.co.uk]:587
Thanks - http://www.postfix.org/transport.5.html
Old - http://serverfault.com/questions/257637/postfix-to-relay-mails-to-other-smtp-for-particular-domain
Multiple ISP Client SMTP Authentication
http://www.cyberciti.biz/faq/postfix-multiple-isp-accounts-smarthost-smtp-client/
SMTP AUTHentication In Ubuntu Linux
It would be nice to be able to send email messages from your Ubuntu Linux computer, but most ISPs will not accept them, because of authentication restrictions. These instructions give them what they want...
Configure main configuration file...
sudo nano /etc/postfix/main.cf
Either add or edit the following with your required settings...
smtp_generic_maps = hash:/etc/postfix/generic smtp_sasl_auth_enable = yes relayhost = [my.smtp.host.co.uk] smtp_sasl_password_maps = hash:/etc/postfix/sasl/password smtp_sasl_security_options = noanonymous
Create the SASL password file...
sudo nano /etc/postfix/sasl/password [my.smtp.host.co.uk] me@myemailaccount.com:passW0rD
Lock down permissions...
sudo chmod 0600 /etc/postfix/sasl/password
Hash the file...
sudo postmap hash:/etc/postfix/sasl/password
Create the Postfix generic maps file...
sudo nano /etc/postfix/generic root@myhostname.localdomain me@myemailaccount.com user1@myhostname.localdomain me@myemailaccount.com user2@myhostname.localdomain me@myemailaccount.com
Hash the file...
sudo postmap hash:/etc/postfix/generic
Copy the supporting files to the Postfix working directory...
sudo cp -av /etc/hosts /var/spool/postfix/etc/ sudo cp -av /etc/services /var/spool/postfix/etc/ sudo cp -av /etc/localtime /var/spool/postfix/etc/ sudo cp -av /etc/resolv.conf /var/spool/postfix/etc/
Create the header checks file for later (with MailScanner)...
sudo touch /etc/postfix/header_checks
Start Postfix...
sudo postfix start
Install mailutils and mutt...
sudo aptitude install -y mailutils mutt
Send test email message...
mail me@myemailaccount.com Subject: test Cc: message CTRL+D
SMTP AUTHentication With STARTTLS Security Non Standard Port In Ubuntu Linux
sudo nano /etc/postfix/main.cf relayhost = [mail.domain.com]:587 smtp_tls_security_level = may sudo nano /etc/postfix/sasl_password [mail.domain.com]:587 username@domain.com:MyPasswOrd sudo postmap hash:/etc/postfix/sasl_password sudo service postfix restart
If you receive the following error...
postfix/smtp: warning: SASL authentication failure: No worthy mechs found postfix/smtp: status=deferred (SASL authentication failed; cannot authenticate to server: no mechanism available)
Then fix it with this...
sudo aptitude install libsasl2-modules sudo service postfix restart
SMTP AUTHentication SERVER For Remote Clients
/etc/postfix/main.cf
mydomain = mydomain.com myhostname = mail.mydomain.com mynetworks = 127.0.0.0/8 alias_maps = hash:/etc/aliases smtp_generic_maps = hash:/etc/postfix/generic smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_password smtp_sasl_security_options = noanonymous smtp_sasl_type = cyrus smtp_tls_security_level = may relayhost = [auth.smtp.1and1.co.uk]:587 inet_protocols = ipv4 header_checks = pcre:/etc/postfix/header_checks smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_relay_domains check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination transport_maps = hash:/etc/postfix/transport smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = broken_sasl_auth_clients = yes
/etc/dovecot/conf.d/10-master.conf
service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } } auth_mechanisms = plain login
Restart the software...
sudo service dovecot restart sudo service postfix restart
Thanks - https://help.ubuntu.com/lts/serverguide/postfix.html
Thanks - http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
Thanks - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html
HOWTO: Add Various Options To The Config File
Security
sudo -i postconf -e "myorigin = example.com" postconf -e "myhostname=server1.example.com" postconf -e "relay_domains = example.com, example2.com, example3.com"
Thanks - https://wiki.debian.org/Postfix
HOWTO: Completely Remove Postfix From Debian Or Ubuntu
sudo aptitude remove postfix* --purge
HOWTO: Complete Email Server Setup
- Setting up a basic Postfix SMTP server
- Set up Dovecot IMAP server and TLS encryption
- Create Virtual Mailboxes with PostfixAdmin
- Creating SPF and DKIM record to get through spam filters
- Setting up DMARC to protect your domain reputation
- How to Stop Your Emails From Being Marked as Spam
- How to Host Multiple Mail Domains in PostfixAdmin
- Blocking Email Spam with Postfix
- Blocking Email Spam with SpamAssassin
FAQ
http://www.cise.ufl.edu/~jnw/SysAdminsp01/Lectures/postfix-html/faq.html
HOWTO: Use Dovecot LDA
http://wiki2.dovecot.org/LDA/Postfix
nano /etc/postfix/main.cf mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
Main Email Hostname
nano /etc/mailname server1.domain.com
HOWTO: DISABLE
IPv6
sudo nano /etc/postfix/main.cf inet_protocols = ipv4 # Add this line to the file
SASL Auth on Port 25
This will prevent people from trying to login via the smtp-sasl facility on port 25 such as this ...
Feb 7 16:16:06 mail postfix/smtpd[84778]: connect from unknown[185.36.81.180] Feb 7 16:16:08 mail dovecot: auth: passwd-file(envio,185.36.81.180): unknown user (SHA1 of given password: 0ab831) Feb 7 16:16:10 mail postfix/smtpd[84778]: warning: unknown[185.36.81.180]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
You need port 25 for any internet emails but you can turn off the ability to ask for a login on this port.
To fix this, you'll need to make sure the 'submission' port 587 is enabled and has SASL Auth so that you can send legitimate authenticated emails to your own server ...
/etc/postfix/master.cf
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=sender-cleanup
Then, change the setting in your main config file to disable smtp sasl ...
/etc/postfix/main.cf
smtpd_sasl_auth_enable = no
Hey presto, no more bots trying to login via a dictionary attack :)
https://github.com/docker-mailserver/docker-mailserver/discussions/3071
Bind Postfix Mail Server To Localhost or Specific IP Address Only
Edit /etc/postfix/main.cf and put the following...
inet_interfaces = 127.0.0.1
HOWTO: MAIL QUEUE
Check
mailq
Flush
postfix flush
Send 1 Message From Queue
postqueue -p | grep -v ^- | grep -v "(" | cut -d' ' -f1 |grep -e alnum: postqueue -i ID postqueue -p | awk '/^[0-9A-F]/{print "postqueue -i "$1 " ;sleep 2s"}' |sh
Thanks - https://serverfault.com/questions/752638/how-to-flush-postfix-queue-one-mail-at-a-time
Release Message In HOLD Queue
mailq (to get ID of message) postsuper -H ID
Delete A Single Message In The Mail Queue
mailq (to get ID of message) postsuper -d ID
Delete All Messages In The Mail Queue
sudo postsuper -d ALL
Reload Postfix Configuration
sudo postfix reload
Restart Postfix
sudo service postfix restart
HOWTO: FIX:
warning: SASL authentication failure: No worthy mechs found
apt-get install libsasl2-modules postfix stop postfix start
warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Add the following line to /etc/postfix/main.cf...
alias_maps = hash:/etc/aliases
Run the alias mapping tool...
sudo newaliases
Restart Postfix...
sudo service postfix restart
ERROR: Name service error for xxx.com: Host not found, try again
If you get this error in /var/log/mail/info it might be because your /var/spool/postfix/etc/resolv.conf is wrong. If you look in /var/log/mail/warnings and sees
warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ you should copy /etc/resolv.conf to /var/spool/postfix/etc/ .
The error comes because you run postfix as chroot and postfix can then only see files in /var/spool/postfix/ . During install postfix takes a copy of /etc/resolv.conf and place it in its own directory.
There could be more errors than that. Check /var/log/mail/warnings and /var/log/mail/errors and make sure you have verified all files. In case of more trouble run the command postfix check.
You could also get error messages like:
postfix/postfix-script: warning: /var/spool/postfix/etc/localtime and /etc/localtime differ postfix/postfix-script: warning: /var/spool/postfix/etc/services and /etc/services differ Which implies that /etc/localtime and /etc/services should be copied. Before doing anything check what the difference of the files is.
postdrop: warning: unable to look up public/pickup: No such file or directory
/etc/init.d/sendmail stop update-rc.d -f sendmail remove update-rc.d postfix defaults /etc/init.d/postfix start