Postfix

From Indie IT Wiki

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is intended as a fast, easier-to-administer, and secure alternative to the widely-used Sendmail MTA.

Installation

sudo DEBIAN_PRIORITY=low apt-get install postfix

Reinstallation

sudo dpkg-reconfigure postfix

Main System Domain Name

Postfix will use this file and make any emails sent from within the system as this domain name...

/etc/mailname

domain.co.uk

Fix Error: (No client certificate requested)

sudo postconf -e 'smtpd_tls_received_header = no'
sudo postfix check
sudo postfix reload

Fix Error: NIS domain name not set

Error...

warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

Fix...

sudo postconf -e "alias_maps = hash:/etc/aliases"
sudo postfix stop
sudo postfix start

Thanks - https://unix.stackexchange.com/questions/244199/postfix-mail-logs-keep-showing-nis-domain-not-set

Web Administration

Postfix Admin

Postfix Admin is a PHP web based interface to configure an email server.

It has 2 main backend database options - sqlite and mysql.

postfixadmin

Installation

SQLite

Install the software...

sudo -i
add-apt-repository ppa:ondrej/php
apt-get -y install php7.4-cgi php7.4-sqlite3 php7.4-mbstring php7.4-imap lighttpd postfix-sqlite
lighty-enable-mod fastcgi
lighty-enable-mod fastcgi-php
service lighttpd restart
cd /opt/
git clone https://github.com/postfixadmin/postfixadmin.git
cd postfixadmin/
git checkout

Create the Postfix Admin directories and files...

ln -s /opt/postfixadmin/public /var/www/html/postfixadmin
mkdir /opt/postfixadmin/database
touch /opt/postfixadmin/database/postfixadmin.db
sudo chown -R www-data:www-data /opt/postfixadmin/database
mkdir -p /opt/postfixadmin/templates_c
chown -R www-data /opt/postfixadmin/templates_c

Create the Postfix Admin configuration file...

n /opt/postfixadmin/config.local.php

<?php
$CONF['database_type'] = 'sqlite';
$CONF['database_name'] = '/opt/postfixadmin/database/postfixadmin.db';
$CONF['configured'] = true;
?>

Fire up a web browser and go to...

http://your.domain/postfixadmin/setup.php

Follow the instructions to create a setup password, then re-edit the Postfix Admin configuration file...

n /opt/postfixadmin/config.local.php

<?php
$CONF['database_type'] = 'sqlite';
$CONF['database_name'] = '/opt/postfixadmin/database/postfixadmin.db';
$CONF['configured'] = true;
$CONF['setup_password'] = 'bbe4d0ceb8200ae760dea45b0137abc8:282cd03ac51641c04bf5c06bd241e7c18ccxxxxxxx';
?>

Fire up a web browser and go back to...

http://your.domain/postfixadmin/setup.php

Create the Administrator account.

Check all good, then go to...

http://your.domain/postfixadmin/login.php

All done!

...

TO BE DONE...


Postfix

https://blog.here-host.com/setup-configure-mail-server-postfixadmin-ubuntu-16-04/

https://www.rosehosting.com/blog/setup-and-configure-a-mail-server-with-postfixadmin/


Dovecot

https://blog.here-host.com/setup-configure-mail-server-postfixadmin-ubuntu-16-04/

https://wiki.archlinux.org/index.php/PostfixAdmin - tweaks for dovecot

ViMbAdmin

ViMbAdmin

Postfix and MySQL

sudo -i

Install MySQL...

cd /tmp/
wget https://dev.mysql.com/get/mysql-apt-config_0.8.15-1_all.deb
dpkg -i mysql-apt-config_0.8.15-1_all.deb
apt-get update
apt-get -y install mysql-server
mysql_secure_installation 
mysql -u root -p -e 'status;'

Install PHP...

php -v
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get -y install php7.4-cgi php7.4-cli php7.4-common php7.4-curl php7.4-fpm php7.4-gd php7.4-json php7.4-mysql php7.4-readline php7.4-xml php7.4-mbstring php7.4-zip

Install Composer...

wget https://raw.githubusercontent.com/composer/getcomposer.org/c5e3f5a2a8e6742d38a9eb716161c32931243f57/web/installer -O - -q | php -- --quiet
cp -av composer.phar /usr/local/bin/composer
which composer

Download ViMbAdmin...

cd /opt/
git clone https://github.com/opensolutions/ViMbAdmin.git vimbadmin

Install ViMbAdmin...

cd vimbadmin/
apt install unzip
composer install --prefer-dist --no-dev

Fix folder permissions for web server...

chown -R www-data:www-data var/

Create MySQL database...

mysql -u root -p -e "CREATE DATABASE vimbadmin; CREATE USER 'vimbadmin' IDENTIFIED BY 'SuperPassword'; GRANT ALL ON vimbadmin.* TO 'vimbadmin'; FLUSH PRIVILEGES;"

Copy the example configuration file...

cp /opt/vimbadmin/application/configs/application.ini.dist /opt/vimbadmin/application/configs/application.ini

Edit the configuration file (especially the mailbox format, Dovecot encryption method and the SMTP mail relay, such as AWS SES)...

nano /opt/vimbadmin/application/configs/application.ini

...
defaults.mailbox.maildir = "maildir:/var/vmail/%d/%u/mail:LAYOUT=fs"
defaults.mailbox.homedir = "/var/vmail/%d/%u"
...
defaults.mailbox.password_scheme = "dovecot:SHA256-CRYPT"
...
resources.mail.transport.type = "smtp"
resources.mail.transport.host = "email-smtp.eu-west-1.amazonaws.com"
resources.mail.transport.username = "access key"
resources.mail.transport.password = "secret key"
resources.mail.transport.auth = "login"
resources.mail.transport.ssl = "tls"
resources.mail.transport.port = "587"

Lock down the public folder...

cp /opt/vimbadmin/public/.htaccess.dist /opt/vimbadmin/public/.htaccess

Populate the MySQL database...

cd /opt/vimbadmin
./bin/doctrine2-cli.php orm:schema-tool:create

Open your web browser and go to the opening setup page...

http://ip.or.domain.name/vimbadmin

Copy the Security Salt lines to your configuration file...

nano /opt/vimbadmin/application/configs/application.ini

Reload the setup web page in your browser...

http://ip.or.domain.name/vimbadmin

Copy the same 'security salt' line to the web page and then create an admin user.

Postfix and MySQL

Postfix and MySQL

Blacklist

sudo iptables -I INPUT -s 1.2.3.4 -j DROP
sudo iptables -I INPUT -s 1.2.3.0/24 -j DROP

https://ethitter.com/2016/03/blocking-sender-ips-in-postfix/

Whitelist

To truly whitelist, you must add access controls to each part of the SMTP process shown below or one of them may fail and reject the message (depending on what Postfix does not like about the SMTP transaction).

  1. CLIENT
  2. HELO
  3. SENDER
  4. RECIPIENT

Here is an example line from the mail log file on a Postfix server:-

Mar  1 08:06:21 ip-172-31-45-157 postfix/smtpd[11349]: NOQUEUE: reject: RCPT from exchange.hq.overdrive.com[207.54.136.3]: 450 4.7.1 <postfix1b.hq.overdrive.com>: Helo command rejected: Host not found; from=<donotreply@overdrive.com> to=<user@domain.com> proto=ESMTP helo=<postfix1b.hq.overdrive.com>
  • CLIENT = exchange.hq.overdrive.com
  • HELO = postfix1b.hq.overdrive.com
  • SENDER = donotreply@overdrive.com
  • RECIPIENT = user@domain.com

The lines in italics are the ones which make the whitelisting work...

1. CLIENT

This is where the computers establish a TCP connection and any DNS tests are performed.

/etc/postfix/main.cf
smtpd_client_restrictions =
  permit_mynetworks,
  check_client_access hash:/etc/postfix/client_access,
  reject_unknown_client_hostname,
  reject_unknown_reverse_client_hostname,
  permit

/etc/postfix/client_access
spammerdomain.com REJECT
mydomain.co.uk OK
mail.domain.org OK
11.222.333.444 OK

2. HELO

This is where the computers announce who they are.

/etc/postfix/main.cf
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  check_helo_access hash:/etc/postfix/helo_access,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  reject_unknown_helo_hostname,
  permit

/etc/postfix/helo_access
spammerdomain.com REJECT
mydomain.co.uk OK
mail.domain.org OK
11.222.333.444 OK

3. SENDER

This is where the FROM address is offered.

/etc/postfix/main.cf
smtpd_sender_restrictions =
  permit_mynetworks,
  check_sender_access hash:/etc/postfix/sender_access,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

/etc/postfix/sender_access
spammer@spam.com REJECT
john@domain.com OK
@dodgydomain.co.uk REJECT
@domain.org OK

4. RECIPIENT

This is where the TO address is offered.

/etc/postfix/main.cf
smtpd_recipient_restrictions =
  permit_mynetworks,
  check_client_access hash:/etc/postfix/client_access,
  check_sender_access hash:/etc/postfix/sender_access,
  reject_unauth_pipelining,
  reject_unlisted_recipient,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_invalid_hostname,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client cbl.abuseat.org,
  check_policy_service inet:127.0.0.1:10023,
  permit

/etc/postfix/client_access
spammerdomain.com REJECT
mydomain.co.uk OK
mail.domain.org OK
11.222.333.444 OK

/etc/postfix/sender_access
spammer@spam.com REJECT
john@domain.com OK
@dodgydomain.co.uk REJECT
@domain.org OK

With those files in place, now hash the database files and reload Postfix to start using them...

postmap /etc/postfix/helo_access
postmap /etc/postfix/client_access
postmap /etc/postfix/sender_access
postfix reload

Postfix SMTP relay and access control

OLD

http://linuxlasse.net/linux/howtos/Blacklist_and_Whitelist_with_Postfix

There are two different parameters we can set in postfix, which act differently.

  1. check_client_access - Blocks by client IP, Client IP Range or Hostname.
  2. check_sender_access - Block by sender e-mail address (In the FROM field).

This is how it would look in the main.cf file...

/etc/postfix/main.cf
smtpd_recipient_restrictions =
  check_client_access hash:/etc/postfix/client_access,
  check_sender_access hash:/etc/postfix/sender_access,
  (add your reject lines now)
  ...
  permit

Then, add your email addresses, domains or IP addresses to the text whitelist files...

/etc/postfix/client_access
123.456.789.0 OK
domain.com OK
fish.co.uk OK
/etc/postfix/sender_access
john@domain.com OK
fred@fish.co.uk OK

Create the database file and reload postfix...

postmap /etc/postfix/client_access
postmap /etc/postfix/sender_access
postfix reload

Amazon Web Services SES (Simple Email Service)

/etc/postfix/sasl/sasl_password
[email-smtp.eu-west-1.amazonaws.com]:587 AKyouraccesskeyinhere:youraccesskeypasswordinhere
/etc/postfix/main.cf
## SMTP CLIENT
relayhost = [email-smtp.eu-west-1.amazonaws.com]:587
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password
smtp_use_tls = yes 
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Content Checking

https://www.unixteacher.org/blog/postfix-built-in-content-inspection/

Add Custom Header

nano /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks
nano /etc/postfix/header_checks

/^Content-Type:/i PREPEND X-Received-By: mail2.domain.co.uk

You can then add a custom Thunderbird Message Filter to Add a Tag based on Header Content :-)

Thanks - http://unix.stackexchange.com/questions/44123/add-header-to-outgoing-email-with-postfix#44211

Remove Headers

https://major.io/2013/04/14/remove-sensitive-information-from-email-headers-with-postfix/

Backup MX

nano /etc/postfix/main.cf

## GENERAL SETTINGS
inet_protocols = ipv4
inet_interfaces = all
myhostname = mail2.domain.co.uk
mynetworks =
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
## SMTP CLIENT
relayhost = [mail.domain.co.uk]:25
relay_domains = domain.co.uk
nano /etc/aliases

postmaster: root
root: info@domain.co.uk

Order Of Postfix Checking

The order of evaluation is...

  1. smtpd_client_restrictions
  2. smtpd_helo_restrictions
  3. smtpd_sender_restrictions
  4. smtpd_recipient_restrictions
  5. smtpd_data_restrictions
telnet 192.168.0.2 25                           # Comments
Trying 192.168.0.2...
Connected to 192.168.0.2 (192.168.0.2).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix              # <-smtp_client_restrictions
HELO mail.example.com                           # <-smtp_helo_restrictions
250 mail.example.com                            #
MAIL FROM:<ned@example.com>                     # <-smtp_sender_restrictions
250 2.1.0 Ok                                    #
RCPT TO:<ned@example.com>                       # <-smtp_recipient_restrictions
250 2.1.5 Ok                                    #
DATA                                            # <-smtp_data_restrictions
354 End data with <CR><LF>.<CR><LF>             #
To:<ned@example.com>                            # <-header_checks
From:<ned@example.com>                          #
Subject:SMTP Test                               #
This is a test message                          # <-body_checks
.                                               #
250 2.0.0 Ok: queued as 301AE20034
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Rejecting Unknown Clients

If you see the following lines in your logs...

postfix/smtpd[28842]: 3B0CD41C98: client=unknown[116.102.149.61]

Then you can add the following anti-spam measure to stop them.

smtpd_client_restrictions = reject_unknown_client_hostname

e.g.

## SECURITY: RESTRICTIONS
## 0. CLIENT
smtpd_client_restrictions =
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    permit
## 1. HELO

Inspecting Handling Postfix Mail Queue

http://www.tech-g.com/2012/07/15/inspecting-postfixs-email-queue/

Generate Diffe Hellman parameters

for len in 512 1024; do openssl genpkey -genparam -algorithm DH -out /etc/postfix/dh_${len}.pem -pkeyopt dh_paramgen_prime_len:${len}; done

Let's Encrypt SSL Certificate with Postfix

https://upcloud.com/community/tutorials/secure-postfix-using-lets-encrypt/

sudo -i
cat domain_co_uk.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > postfix_domain_co_uk.crt
cat domain_co_uk.key > postfix_domain_co_uk.key
cp -av postfix_domain_co_uk.crt /etc/ssl/certs/
cp -av postfix_domain_co_uk.key /etc/ssl/private/
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix_domain_co_uk.crt'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix_domain_co_uk.key'
service postfix restart

Create Self-Signed SSL Certificate For Postfix In Ubuntu Linux

sudo -i
mkdir -p /etc/ssl/postfix/
cd /etc/ssl/postfix/
/usr/lib/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newreq-nodes
/usr/lib/ssl/misc/CA.pl -sign
cp -av demoCA/cacert.pem /etc/ssl/certs/
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/postfix/newkey.pem'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
service postfix restart

Check SSL Certificate

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.domain.co.uk:25 -servername mail.domain.co.uk -starttls smtp

Check End Date of SSL Certificate

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.domain.co.uk:25 -servername mail.domain.co.uk -starttls smtp | openssl x509 -noout -dates

Forward Postfix Email To Another Account

http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/

Interesting Scripts

http://www.arschkrebs.de/postfix/scripts/

Test Email Changing FROM Field

echo "This is a test email body." | mail -a "From: joe@bloggs.co.uk" -s "Test" jill@bloggs.co.uk

Test Config Parameter

postconf soft_bounce

Performance Tuning

http://www.postfix.org/TUNING_README.html

Set 20MB Mailbox Size Limit

sudo postconf -e 'message_size_limit=20480000'
sudo service postfix reload

Postfix Virtual Mailbox ClamAV

https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto

Add ClamAV AntiVirus

sudo aptitude install -y -v clamav clamav-freshclam clamsmtp
sudo nano /etc/clamsmtpd.conf
OutAddress: 10026
Listen: 127.0.0.1:10025
User: clamav
sudo nano /etc/postfix/main.cf
## SECURITY: ANTI-VIRUS
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
sudo nano /etc/postfix/master.cf
#
# ClamAV    (the extra 2 spaces before each -o are needed!)
#
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_tls_security_level=none
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtp_tls_security_level=none
chown -R clamav:clamav /var/run/clamsmtp/
chown -R clamav:clamav /var/spool/clamsmtp/
service clamav-freshclam restart
service clamav-daemon restart
service clamsmtp restart
service postfix restart

Each email message that is scanned will have the extra header...

X-Virus-Scanned: ClamAV using ClamSMTP

That's it! Enjoy your new safer email server :-)

Thanks - http://www.linux.com/learn/tutorials/313660:using-clamav-to-kill-viruses-on-postfix

Thanks - http://www.iredmail.org/forum/topic8884-iredmail-support-tls-is-required-but-was-not-offered-by-host-127001.html

Testing With EICAR

wget https://secure.eicar.org/eicar.com.txt
echo "Test virus body" | mutt -a eicar.com.txt -s "This is virus" -- me@mydomain.com

You should see these lines in your mail log...

Oct  8 17:04:51 ip-172-31-21-171 postfix/smtp[8167]: 616E444220: to=<me@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.06, delays=0.01/0/0.05/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Oct  8 17:04:51 ip-172-31-21-171 postfix/qmgr[7693]: 616E444220: removed
Oct  8 17:04:51 ip-172-31-21-171 clamsmtpd: 100009: from=me@mydomain.com, to=me@mydomain.com, status=VIRUS:Eicar-Test-Signature
Oct  8 17:04:51 ip-172-31-21-171 postfix/smtpd[8169]: disconnect from localhost[127.0.0.1]

Thanks - https://rtcamp.com/tutorials/mail/server/testing/antivirus/

Anti Spam

Tutorial - Spam Filtering Based on SMTP Header

SpamAssassin

https://www.debuntu.org/postfix-and-spamassassin-how-to-filter-spam/

Antispam

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Spam Reports

Download the script...

mkdir /root/bin
cd /root/bin
wget http://www.postconf.com/docs/spamrep/spamrep_today
ln -s spamrep_today spamrep_yesterday

Edit as required...

MAILTO=me@mydomain.com
LOGFILES="mail.log"
MAILCMD=/usr/bin/mail

Add to root's crontab...

@daily /root/bin/spamrep_yesterday |mutt -s "Spam Report" root@localhost

Secure Postfix

https://wiki.centos.org/HowTos/postfix_restrictions

http://www.cyberciti.biz/faq/postfix-backup-mx-server-anti-spam/

http://askubuntu.com/questions/418340/how-to-secure-postfix-on-ubuntu-server

http://www.hsc.fr/ressources/cours/postfix/doc/rate.html

http://edoceo.com/howto/postfix-security

Postgrey

https://wiki.centos.org/HowTos/postgrey

sudo wget -O /etc/postgrey/whitelist_clients https://raw.githubusercontent.com/schweikert/postgrey/master/postgrey_whitelist_clients && sudo service postgrey restart

HOWTO: Test SMTP With SWAKS

swaks --server localhost --to me@mydomain.com --from me@mydomain.com

If you want to test your own email server from another computer, disable the spam and postgrey checks on the server, then use the extra ehlo option...

swaks --ehlo mail.domain.co.uk --from info@domain.co.uk --to info@domain.co.uk --server mail.domain.co.uk

If you have SMTP Authentication on your server, then use the following example as a template, which starts a TLS connection first and uses port 587...

swaks -tls --ehlo computer.hostname --from info@domain.co.uk --to joe@bloggs.co.uk --auth --auth-user=info@domain.co.uk --auth-password=PaSSwOrD --server mail.domain.co.uk --port 587

Thanks - https://www.debian-administration.org/article/633/Testing_SMTP_servers_with_SWAKS

Generate SMTP AUTH Username Password

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0mypassword");'

HOWTO: Virtual Domains Address Redirecting Users Aliases

/etc/postfix/main.cf:
    virtual_alias_domains = example.com fish.com fooey.com
    virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
    postmaster@example.com postmaster
    info@example.com       joe
    sales@fish.com         jane
    sales@fooey.com        jeff
    # Uncomment entry below to implement a catch-all address
    # @example.com         jim
postmap /etc/postfix/virtual
postfix reload

Thanks - http://www.postfix.org/VIRTUAL_README.html

HOWTO: Log Information (Subject)

Create a file with the regular expression to match in /etc/postfix/header_checks:

/^Subject:/ INFO

In your /etc/postfix/main.cf add this to your configuration with a line like this:

header_checks = regexp:/etc/postfix/header_checks

Reload the configuration:

sudo service postfix reload

Thanks - http://askubuntu.com/questions/245299/postfix-logging

HOWTO: CONFIGURE

TLS Security Encryption

https://kruyt.org/postfix-and-tls-encryption/

Per User Relay Transport Mapping

sudo postconf -e "transport_maps = hash:/etc/postfix/transport"

/etc/postfix/transport

domain1.com             local:
user1@domain2.com       smtp:smart.host1.com:25
domain2.com             local:
user1@domain3.com       smtp:smart.host1.com:25
user2@domain3.com       smtp:smart.host2.com:25
domain3.com             local:
*                       smtp:outbound.smarthost.com:25

Please note that transport_maps override relayhost parameter. However, you can have a * smtp:outbound.smarthost.com:25 line in your transport file as shown above.

sudo postmap /etc/postfix/transport
sudo postfix reload

Thanks - http://superuser.com/questions/718803/postfix-relay-mail-to-smart-host-for-specifc-users

Per Domain Transport Mapping

EXAMPLES
      In  order  to  deliver internal mail directly, while using a mail relay
      for all other mail, specify a null entry for internal destinations  (do
      not change the delivery transport or the nexthop information) and spec-
      ify a wildcard for all other destinations.

           my.domain    :
           .my.domain   :
           *         smtp:outbound-relay.my.domain

/etc/postfix/main.cf

mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions =
  permit_mynetworks
  check_sender_access hash:/etc/postfix/sender_access
  reject_unauth_destination
transport_maps = hash:/etc/postfix/transport

/etc/postfix/sender_access

mydomain.com OK
localhost OK
localhost.localdomain OK

/etc/postfix/transport

localhost :
localhost.localdomain :
mydomain.com :
thatdomain.com smtp:[smtp.thatdomain.com]   <-- this is where the magic happens :)
* smtp:[auth.smtp.1and1.co.uk]:587

Thanks - http://www.postfix.org/transport.5.html

Thanks - https://www.howtoforge.com/community/threads/postfix-relay-one-domain-to-smarthost-a-all-else-to-smarthost-b.62955/

Old - http://serverfault.com/questions/257637/postfix-to-relay-mails-to-other-smtp-for-particular-domain

Multiple ISP Client SMTP Authentication

http://www.cyberciti.biz/faq/postfix-multiple-isp-accounts-smarthost-smtp-client/

SMTP AUTHentication In Ubuntu Linux

It would be nice to be able to send email messages from your Ubuntu Linux computer, but most ISPs will not accept them, because of authentication restrictions. These instructions give them what they want...

Configure main configuration file...

sudo nano /etc/postfix/main.cf

Either add or edit the following with your required settings...

smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [my.smtp.host.co.uk]
smtp_sasl_password_maps = hash:/etc/postfix/sasl/password
smtp_sasl_security_options = noanonymous

Create the SASL password file...

sudo nano /etc/postfix/sasl/password

[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD

Lock down permissions...

sudo chmod 0600 /etc/postfix/sasl/password

Hash the file...

sudo postmap hash:/etc/postfix/sasl/password

Create the Postfix generic maps file...

sudo nano /etc/postfix/generic

root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com

Hash the file...

sudo postmap hash:/etc/postfix/generic

Copy the supporting files to the Postfix working directory...

sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
sudo cp -av /etc/resolv.conf /var/spool/postfix/etc/

Create the header checks file for later (with MailScanner)...

sudo touch /etc/postfix/header_checks

Start Postfix...

sudo postfix start

Install mailutils and mutt...

sudo aptitude install -y mailutils mutt

Send test email message...

mail me@myemailaccount.com
     Subject: test
     Cc:
     message
     CTRL+D

SMTP AUTHentication With STARTTLS Security Non Standard Port In Ubuntu Linux

sudo nano /etc/postfix/main.cf
          relayhost = [mail.domain.com]:587
          smtp_tls_security_level = may
sudo nano /etc/postfix/sasl_password
          [mail.domain.com]:587 username@domain.com:MyPasswOrd
sudo postmap hash:/etc/postfix/sasl_password
sudo service postfix restart

If you receive the following error...

postfix/smtp: warning: SASL authentication failure: No worthy mechs found
postfix/smtp: status=deferred (SASL authentication failed; cannot authenticate to server: no mechanism available)

Then fix it with this...

sudo aptitude install libsasl2-modules
sudo service postfix restart

SMTP AUTHentication SERVER For Remote Clients

/etc/postfix/main.cf

mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
relayhost = [auth.smtp.1and1.co.uk]:587
inet_protocols = ipv4
header_checks = pcre:/etc/postfix/header_checks
smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   check_relay_domains
   check_sender_access hash:/etc/postfix/sender_access
   reject_unauth_destination
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

/etc/dovecot/conf.d/10-master.conf

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix        
  }
}
auth_mechanisms = plain login

Restart the software...

sudo service dovecot restart
sudo service postfix restart

Thanks - https://help.ubuntu.com/lts/serverguide/postfix.html

Thanks - http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Thanks - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html

HOWTO: Add Various Options To The Config File

Security

sudo -i
postconf -e "myorigin = example.com"
postconf -e "myhostname=server1.example.com"
postconf -e "relay_domains = example.com, example2.com, example3.com"

Thanks - https://wiki.debian.org/Postfix

HOWTO: Completely Remove Postfix From Debian Or Ubuntu

sudo aptitude remove postfix* --purge

HOWTO: Complete Email Server Setup

  1. Setting up a basic Postfix SMTP server
  2. Set up Dovecot IMAP server and TLS encryption
  3. Create Virtual Mailboxes with PostfixAdmin
  4. Creating SPF and DKIM record to get through spam filters
  5. Setting up DMARC to protect your domain reputation
  6. How to Stop Your Emails From Being Marked as Spam
  7. How to Host Multiple Mail Domains in PostfixAdmin
  8. Blocking Email Spam with Postfix
  9. Blocking Email Spam with SpamAssassin

FAQ

http://www.cise.ufl.edu/~jnw/SysAdminsp01/Lectures/postfix-html/faq.html

HOWTO: Use Dovecot LDA

http://wiki2.dovecot.org/LDA/Postfix

nano /etc/postfix/main.cf
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

Main Email Hostname

nano /etc/mailname

server1.domain.com

HOWTO: DISABLE

IPv6

sudo nano /etc/postfix/main.cf

inet_protocols = ipv4 # Add this line to the file

SASL Auth on Port 25

This will prevent people from trying to login via the smtp-sasl facility on port 25 such as this ...

Feb  7 16:16:06 mail postfix/smtpd[84778]: connect from unknown[185.36.81.180]
Feb  7 16:16:08 mail dovecot: auth: passwd-file(envio,185.36.81.180): unknown user (SHA1 of given password: 0ab831)
Feb  7 16:16:10 mail postfix/smtpd[84778]: warning: unknown[185.36.81.180]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

You need port 25 for any internet emails but you can turn off the ability to ask for a login on this port.

To fix this, you'll need to make sure the 'submission' port 587 is enabled and has SASL Auth so that you can send legitimate authenticated emails to your own server ...

/etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=sender-cleanup

Then, change the setting in your main config file to disable smtp sasl ...

/etc/postfix/main.cf

smtpd_sasl_auth_enable = no

Hey presto, no more bots trying to login via a dictionary attack :)

https://github.com/docker-mailserver/docker-mailserver/discussions/3071

Bind Postfix Mail Server To Localhost or Specific IP Address Only

Edit /etc/postfix/main.cf and put the following...

inet_interfaces = 127.0.0.1

HOWTO: MAIL QUEUE

Check

mailq

Flush

postfix flush

Send 1 Message From Queue

postqueue -p | grep -v ^- | grep -v "(" | cut -d' ' -f1 |grep -e alnum:
postqueue -i ID
postqueue -p | awk '/^[0-9A-F]/{print  "postqueue -i "$1 " ;sleep 2s"}' |sh

Thanks - https://serverfault.com/questions/752638/how-to-flush-postfix-queue-one-mail-at-a-time

Release Message In HOLD Queue

mailq (to get ID of message)
postsuper -H ID

Delete A Single Message In The Mail Queue

mailq (to get ID of message)
postsuper -d ID

Delete All Messages In The Mail Queue

sudo postsuper -d ALL

Reload Postfix Configuration

sudo postfix reload

Restart Postfix

sudo service postfix restart

HOWTO: FIX:

warning: SASL authentication failure: No worthy mechs found

apt-get install libsasl2-modules
postfix stop
postfix start

Thanks

warning: dict_nis_init: NIS domain name not set - NIS lookups disabled

Add the following line to /etc/postfix/main.cf...

alias_maps = hash:/etc/aliases

Run the alias mapping tool...

sudo newaliases

Restart Postfix...

sudo service postfix restart

ERROR: Name service error for xxx.com: Host not found, try again

If you get this error in /var/log/mail/info it might be because your /var/spool/postfix/etc/resolv.conf is wrong. If you look in /var/log/mail/warnings and sees

warning: /var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ you should copy /etc/resolv.conf to /var/spool/postfix/etc/ .

The error comes because you run postfix as chroot and postfix can then only see files in /var/spool/postfix/ . During install postfix takes a copy of /etc/resolv.conf and place it in its own directory.

There could be more errors than that. Check /var/log/mail/warnings and /var/log/mail/errors and make sure you have verified all files. In case of more trouble run the command postfix check.

You could also get error messages like:

postfix/postfix-script: warning: /var/spool/postfix/etc/localtime and /etc/localtime differ postfix/postfix-script: warning: /var/spool/postfix/etc/services and /etc/services differ Which implies that /etc/localtime and /etc/services should be copied. Before doing anything check what the difference of the files is.

postdrop: warning: unable to look up public/pickup: No such file or directory

/etc/init.d/sendmail stop
update-rc.d -f sendmail remove
update-rc.d postfix defaults
/etc/init.d/postfix start