Differences

This shows you the differences between two versions of the page.

--- email:configure-postfix [2025/03/03 12:26] – willy
+++ email:configure-postfix [2025/03/13 13:30] (current) – [Configuration: postfix] willy
@@ Line 1: / Line 1: @@
-====== Configuration: postfix ======
+====== F) Configuration: postfix ======
+Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are:
+  * Ensure that mail **for** you is properly delivered to you
+  * Ensure that mail **from** you is properly sent to whoever need to deliver it
+  * Filter out all undesired mail (spam)
+  * Prevent abuse from malicious actors who pretend to be you to send unauthorized mail in your name
+  * Prevent abuse from spammers to send mail pretending to be others (not act as an open relay)
+  * Ensure that all good practices are followed to prevent your mail server from being listed in blacklists and flagged down as a spammer.
-We need to configure Postfix properly, and link it to the SQLite database we created so that it will read domains and accounts from there.
+Due to these many tasks, an MTA is not a simple piece of software to properly setup. Postfix is no exception, and you need to understand a few basic concepts before proceeding.
-Postfix feels a bit outdated when it comes to configuration, and probably it is, but it's also well documented and not that hard to understand.
+===== Mail Delivery Pipeline =====
+Traditionally, on UNIX systems, a mail server would deliver and send e-mails for local users as defined in the /etc/passwd file of the server itself. This is called **local delivery** and it is linked to the concept of **mynetwork**. In our modern internet world, this has substantially changed.
+Nowadays you have a complete separation between **server** users and **email** accounts. But the //traditional// approach needs to be considered when configuring Postfix.
+The pipeline is:
+  * An SMTP client connect to your Postfix (SMTP server)
+  * Optional TLS encryption is performed
+  * The client identifies itself (HELO / EHLO)
+  * Optional authentication is performed using SASL
+  * Sender identifies itself (MAIL FROM:)
+  * Recipient is identified (RCPT TO:)
+  * Email data is transferred (DATA...)
+Along all the steps of this pipeline, Postfix can be configured to perform checks to reject the entire transaction.
+=== The local delivery ===
+Emails will be delivered locally to local users on the server. I mean, users of the server, like users that can login on the server via shell and such. In the local delivery concept, there is no difference between user and mailbox.
+In our case, local delivery will be routed to virtual delivery, no local server users will be able to receive emails.
+=== The virtual delivery ===
+Emails will be delivered to a list of domains and mailboxes, not users. It's called //virtual// because there the domains and the mailboxes are defined in a database and are not linked to //real// users of the server.
+For our needs, i will show you how to link PostfixAdmin SQLite database to Postfix to perform domains and mailboxes lookup. Postfix virtual delivery activity will be deferred to Dovecot LMTP (Local Mail Transport) so that the emails are properly stored in to Dovecot management.
+=== The mail Relay ===
+So far, i always referred to emails to be delivered to the server (local) or to domains hosted on the server (virtual). What about emails to be delivered to **others**? This is called **email relay** and it happens when the Postfix server accepts an email destination which is not local, nor virtual.
+The **relay** should be allowed only to authorized users to prevent spammers to abuse our server, which will cause the server itself to be blacklisted and unable to send any emails at all.
+===== Mail Security =====
+The SMTP protocol by itself is unencrypted and unsecured. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption.
+Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections:
+  * Plain, no TLS (port 25)
+  * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it (port 587)
+  * SSL/TLS, connection must be established encrypted (port 465)
+Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections.
+The [[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer~SASL]] (Simple Authentication Security Layer) is used for authentication. This implies the transmission on the connection of the username+password combination using a Base64 encoding. Please note, and this is **very important**, that Base64 is //not// an encryption and can easily be de-coded. For this reason, it is mandatory that authentication is enabled only is TLS too is enabled.
+Postfix does not provide a SASL authentication, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers.
+===== Postfix documentation resources =====
+Postfix website has tons of great documentation, which i strongly suggest you go read. [[https://www.postfix.org/BASIC_CONFIGURATION_README.html|Basic configuration]], [[https://www.postfix.org/VIRTUAL_README.html|Virtual delivery]], [[https://www.postfix.org/SASL_README.html|SASL]], [[https://www.postfix.org/TLS_README.html|TLS]].
+On the internet there are lots of wikis and HOWTOs about postfix, including [[https://wiki.gentoo.org/wiki/Postfix|this page]] specific to Gentoo. Most of them are outdated or mix different approaches, i strongly suggest to go to the source and read the Postfix links above instead.
+===== Postfix Configuration =====
 Postfix configuration files are located under **/etc/postfix** and can be summarized as:
@@ Line 11: / Line 72: @@
   * sql/*.cf: the specific SQLite link files. You //need// to create this folder.
-The concept of **virtual** delivery comes from the //legacy// idea that the mail server delivers mail to //local users// on the //local server//. Of course, this has not been true for the last (too many) decades, but the concept still stand and Postfix talks about **virtual** delivery to differentiate from delivery mail to local server users.
+Please note that Postfix configuration is deeply connected to Dovecot, Spamassassin, SPF, OpenDKIM and OpenDMARC. The following configuration assumes you have already configured them all. So before you start Postfix you will need to set them up as well. See the relevant pages.
-===== SQL Link =====
+===== PostfixAdmin Link =====
 Postfix support all kinds of SQL databases, including SQLite. To integrate it, you need to create a few //cf// files and specify associated directives in the //main.cf//.
@@ Line 43: / Line 103: @@
 </file>
-To ensure the above files are used by postfix, the following lines need to be added to the **main.cf** config file:
+To ensure the above files are used by postfix, the following lines need to be added to the **main.cf** config file as show below.
-<code>
-# A list of all virtual domains serviced by this instance of postfix.
-virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
-# Look up the mailbox location based on the email address received.
-virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
-# Any aliases that are supported by this system
-virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
-</code>
-The example files at the bottom of this page will include those lines as well.
 ===== main.cf: configuration =====
-Setting up Postfix properly is not an easy task. I will guide you trough my experience and will try to describe the main stuff you need to setup here.
-I will list and try to describe all the settings in the example file below here:
-  * **compatibility_level**: refer to the syntax used in the configuration and the minimum Postfix version.
-  * **soft_bounce**: if yes, local generated emails that //bounce// will not be discarded. This is useful during testing of the server, until everything is properly setup. You should set it to //no// afterward.
-  * **queue_directory, command_directory, daemon_directory, data_directory, sendmail_path, newaliases_path, mailq_path**: do not edit, these are postfix standard paths.
-  * **mail_owner**: the user used my postfix to run. Do not change it. Don't, really.
-  * **setgid_group**: do not edit, like above
-  * **myhostname**: set it to your mail FQDN (mail.mydomain.com). If you host more than one domain, pick the main one.
-  * **mydomain**: se this to the domain part of your FQDN. If you host more than one domain, pick the main one.
-  * **myorigin**: set for local generated mail. Set it to your main domain.
-  * **inet_interfaces**: on which interfaces postfix should listen on. All is the usual default.
-  * **mydestination**: which email destination domains should be delivered to this server. This //does not// include the virtual domains. On modern servers, leave it to localhost.localdomain.
-  * **local_recipient_maps**: leave this commented, you do not want to deliver emails to local users of the server.
-  * **unknown_lo#relay_domainscal_recipient_reject_code**: 550 will cause messages to be discarded, while 450 will have upstream servers try again to send the mail, when the destination user does not exist. Since you will use the SQLite virtual maps, it's safe to use 550 here.
-  * **mynetworks_style**: leave it as host. This means that //trusted// hosts will only be the server itself
-  * **relay_domains**: for which domains this server will relay mail. Leave it blank or don't set it at all!
-  * **in_flow_delay**: throttle incoming mails to 1 per second under heavy loads. It's a good idea to set it to at least 1 (maximum is 10).
-  * **home_mailbox**: name of folder where to store incoming messages. This will then be picked up by Dovecot later on for IMAP access.
-  * **smtpd_banner**: define how Postfix will reply to other servers connecting to it. It's a good choice not to reply with software version or postfix.
-  * **html_directory, readme_directory**: leave to no, you don't want to expose postfix documentation
-  * **inet_protocols**: which protocol to use. ipv4 is the typical one. You can feel lucky and enable also IPv6.
-  * **meta_directory, shlib_directory**: don't touch them
-  * **virtual_mailbox_domains, virtual_mailbox_maps, virtual_alias_maps**: see the SQL link section above
-  * **virtual_mailbox_base**: where postfix will store the incoming emails
-  * **local_transport**: set to virtual, since you want virtual delivery
-  * **biff**: enable or disable the use of biff to notify local users of incoming email. There are no local users as already stated, so disable it.
-  * **message_size_limit**: set maximum email message size. 0 to disable any size check.
-  * **disable_vrfy_command**: prevent email harvesting via VRFY command. Set to yes.
-  * **local_recipient_maps**: allow local delivery for your users. Set to your virtual map
-  * **virtual_transport**: which transport to use for virtual delivery. Set as below to use dovecot delivery.
-  * **virtual_uid_maps, virtual_gid_maps**: UID and GID to use for virtual maps. Match your //vmail// user.
-Also check the SASL and TLS related rows, as enabling encryption layer and authentication is mandatory from a security point of view. For the TLS settings, //smtpd_tls_auth_only// should be set to yes to prevent unencrypted transfer of passwords.
 For more details on all the possible options, see [[http://www.postfix.org/postconf.5.html|Postfix documentation]].
-This is the overall file. **Do not copy it blindly**, double check everything:
+This is the overall file. **Do not copy it blindly**, double check everything, because there are comments that will cause postfix **not** to start if ignored:
 <file - main.cf>
 compatibility_level = 3.9
-soft_bounce = yes
-queue_directory = /var/spool/postfix
+# Generic stuff
-command_directory = /usr/sbin
-daemon_directory = /usr/libexec/postfix
-data_directory = /var/lib/postfix
 mail_owner = postfix
-myhostname = mail.mydomain.com
+myhostname = mydomain.com
-mydomain = mydomain.com
+mydomain = mydomain.com <- this and the above line should be identical, not a typo!
 myorigin = $mydomain
 inet_interfaces = all
+biff = no
+message_size_limit = 0 <- this is unlimited, you might want to set a mail size limit here
+disable_vrfy_command = yes
+syslog_facility = mail
+syslog_name = postfix
+# Protection from lost mail
+soft_bounce = yes <- switch to no in production
+unknown_local_recipient_reject_code = 450 <- switch to 550 in production
+# Important to keep as is to avoid delivery loops with the virtual domains
 mydestination = localhost.localdomain
-unknown_local_recipient_reject_code = 550
 mynetworks_style = host
-in_flow_delay = 1s
-home_mailbox = .maildir/
+# Local delivery is actually managed by virtual delivery
-smtpd_banner = $myhostname ESMTP NO UCE
+local_transport = virtual
-sendmail_path = /usr/sbin/sendmail
+local_recipient_maps = $virtual_mailbox_maps
-newaliases_path = /usr/bin/newaliases
-mailq_path = /usr/bin/mailq
+# Manage postfix virtual delivery mechanism via dovecot lmtp service
-setgid_group = postdrop
+virtual_transport = lmtp:unix:private/dovecot-lmtp
-html_directory = no
-readme_directory = no
-inet_protocols = ipv4
-meta_directory = /etc/postfix
-shlib_directory = /usr/lib64/postfix/${mail_version}
 virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
 virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
 virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
-virtual_mailbox_base = /home/vmail/storage
-local_transport = virtual
+# SMTPD (server) SASL + TLS setup
-biff = no
+smtpd_sasl_auth_enable = yes
-message_size_limit = 0
+broken_sasl_auth_clients = no
-disable_vrfy_command = yes
+smtpd_tls_auth_only = yes
-local_recipient_maps = $alias_maps $virtual_mailbox_maps
-virtual_transport = lmtp:unix:private/dovecot-lmtp
-virtual_uid_maps = static:5000
-virtual_gid_maps = static:5000
-# SASL - The following rows for SASL authentication
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
-smtpd_sasl_security_options = noanonymous
+smtpd_sasl_tls_security_options = noanonymous
-smtpd_sasl_local_domain =
-broken_sasl_auth_clients = no
-smtpd_sasl_authenticated_header = yes
-# Setup TLS - use Let's Encrypt certificates
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
-smtpd_tls_loglevel = 0
 smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = /etc/letsencrypt/live/casa.gardiol.org/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/casa.gardiol.org/privkey.pem
+smtpd_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
-# Some ANTISPAM
-smtpd_delay_reject = yes
+# Generic access rules
+strict_rfc821_envelopes = yes
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
+smtpd_reject_unlisted_sender = yes
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit
-smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
-#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
-body_checks = regexp:/etc/postfix/body_checks
-# DKIM, SPF, DMARC connection
-smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
-non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
-# Some lmits and timeouts (adapt as needed)
-#policy-spf_time_limit = 3600s
-#default_process_limit = 200
-#smtpd_timeout = 60s
-#smtputf8_enable = no
-#smtp_data_done_timeout = 1800
-#maximal_queue_lifetime = 60m
-#bounce_queue_lifetime = 60m
-#smtp_connect_timeout  = 15s
-#smtp_helo_timeout = 60s
-# Logging defaults
-syslog_facility = mail
-syslog_name = postfix
-#smtpd_relay_before_recipient_restrictions = no
+# Client connection (do not put "reject" here or nobody will be able to send you emails)
-</file>
+smtpd_client_restrictions = permit_sasl_authenticated
+# HELO / EHLO filtering
+smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname
+# MAIL FROM
+smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain
+# RCPT TO: (before recipient)
+smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+# DATA
+smtpd_data_restrictions = reject_unauth_pipelining
+# R *   smtpd_milters         = unix:/run/opendkim/opendkim.sock
+ *   non_smtpd_milters = unix:/run/opendkim/opendkim.sockCPT TO: (after relay) add here spam checks (blacklists etc)
+smtpd_recipient_restrictions = permit_sasl_authenticated check_policy_service unix:private/policy-spf
-The following file implements some basic checks to discard spam or worse. It's needed if you specified **body_checks** above.
+# OpenDKIM & OpenDMARC setup
+smtpd_milters     = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
+milter_default_action = accept
-File **/etc/postfix/body_checks**:
-<file - body_checks>
-/Listed in Razor2/ DISCARD
-/RBL: Received via a relay in Spamhaus XBL/ DISCARD
-/Delivered to internal network by a host with no rDNS/ DISCARD
-/Listed in Pyzor/ DISCARD
-/URIBL_BLACK/ DISCARD
-/Content-Type only seen in 419 spam/ DISCARD
-/BODY: Mentions millions of/ DISCARD
-/BODY: Dear Beneficiary/ DISCARD
-/Advance Fee fraud/ DISCARD
-/FILL_THIS_FORM_FRAUD_PHISH/ DISCARD
-/RBL: Received via a relay in PSBL/ DISCARD
-/Delivered to internal network by a host with no rDNS/ DISCARD
-/Forged mail pretending to/ DISCARD
-/Message-Id is not valid, according to RFC 2822/ DISCARD
-/RCVD_IN_PSBL/ DISCARD
 </file>
+===== master.cf: configuration =====
+The master.cf contains a list of the services (and ports) managed by Postfix on startup:
+<file - master.cf>
+# Port 25 listener
+smtp      inet  n       -       n       -       -       smtpd
+# Port 587 listener (STARTTLS)
+smtps      inet  n       -       n       -       -       smtpd
+   -o smtpd_tls_wrappermode=yes
+# Port 465 listener (pure TLS)
+submission inet n       -       n       -       -       smtpd
+# SPF inbound check filter
+policy-spf  unix  -       n       n       -       -       spawn
+     user=nobody argv=/usr/bin/policyd-spf
+pickup    fifo  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+</file>
+===== Aliases =====
+Before starting postfix you need to generate the aliases database:
+<code bash>
+newaliases
+</code>
-===== Installation: DKIM, SPF and DKIM =====
+that's it.
-This step is **mandatory** and critical for proper email delivery.
+===== Testing =====
+To test Postfix you need your Dovecot to be running, so set it up, ensure Dovecot SASL is working, then come back here.
-===== Installation: Antispam =====
+To generate a valid Base64 encoding for authentication see [[https://www.mailslurp.com/tools/plain-authentication-encoder/|here]].
-Install spamassassin & amavisd-new
+To test your unencrypted SMTP service:
+<code bash>
+telnet 127.0.0.1 25
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+gardiol.org ESMTP Postfix
+EHLO mydomain.com
+-gardiol.org
+-PIPELINING
+-SIZE
+-ETRN
+-STARTTLS
+-ENHANCEDSTATUSCODES
+-8BITMIME
+-DSN
+-SMTPUTF8
+CHUNKING
+quit
+2.0.0 Bye
+Connection closed by foreign host.
+</code>
+ensure that AUTH is not offered! Make sure there is no **250-AUTH PLAIN LOGIN** in the output! This means you have successfully disabled SASL authentication on plain text connections.
-FILE /etc/postfix/main.cf Binding UID and GID's to postfix
+To test SSL/TLS:
-<code>
+<code bash>
-# Link the mailbox uid and gid to postfix.
+openssl s_client -starttls smtp -connect 127.0.0.1:587
-virtual_uid_maps = static:5000
+Connecting to 127.0.0.1
-virtual_gid_maps = static:5000
+CONNECTED(00000003)
-# Set the base address for all virtual mailboxes
+[ ... long TLS handshake omissis ... ]
-virtual_mailbox_base = /var/vmail
+EHLO mydomain.com
+-mydomain.com
+-PIPELINING
+-SIZE
+-ETRN
+-AUTH PLAIN LOGIN
+-ENHANCEDSTATUSCODES
+-8BITMIME
+-DSN
+-SMTPUTF8
+CHUNKING
+AUTH PLAIN -- never post your Base64 strings on internet! --
+2.7.0 Authentication successful
+MAIL FROM:<user@mydomain.com>
+2.1.0 Ok
+RCPT TO:<user@mydomain.com>
+2.1.5 Ok
+DATA
+End data with <CR><LF>.<CR><LF>
+Subject: My Test Email
+Test email body
+.
+2.0.0 Ok: queued as 194869C1AB
+quit
+2.0.0 Bye
+QUIT
 </code>
+Double check that you have that **250-AUTH PLAIN LOGIN**, this means that you have properly setup SASL authentication using TLS.
+To tets TLS without STARTLS, repeat the same command above without //-starttls smtp//, but remember to use port 465 instead of 587!
+You should now test that:
+  * You can send an email from yourself to yourself
+  * You can send an email from yourself to another mailbox of your domain
+  * You can **not** send emails to other domains if you do not authenticate with SASL on TLS
+That should do.
+After you are done, go back to your **main.cf** disable soft_bounce and set 550 as error code instead of 450.

Willy's Wiki

User Tools

Differences