Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| email:configure-postfix [2025/03/05 15:39] – willy | email:configure-postfix [2025/03/13 13:30] (current) – [Configuration: postfix] willy | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Configuration: | + | ====== |
| Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are: | Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are: | ||
| Line 45: | Line 45: | ||
| ===== Mail Security ===== | ===== Mail Security ===== | ||
| - | The SMTP protocol by itself is unencrypted and unsecure. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption. | + | The SMTP protocol by itself is unencrypted and unsecured. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption. |
| Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections: | Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections: | ||
| * Plain, no TLS (port 25) | * Plain, no TLS (port 25) | ||
| - | * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it | + | * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it (port 587) |
| - | * SSL/TLS, connection must be extablished | + | * SSL/TLS, connection must be established |
| Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections. | Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections. | ||
| - | The [[https:// | + | The [[https:// |
| - | Postfix does not provide a SASL authenticator, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers. | + | Postfix does not provide a SASL authentication, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers. |
| ===== Postfix documentation resources ===== | ===== Postfix documentation resources ===== | ||
| Line 163: | Line 163: | ||
| smtpd_reject_unlisted_sender = yes | smtpd_reject_unlisted_sender = yes | ||
| - | # Client connection | + | # Client connection |
| - | smtpd_client_restrictions = permit_sasl_authenticated, reject | + | smtpd_client_restrictions = permit_sasl_authenticated |
| # HELO / EHLO filtering | # HELO / EHLO filtering | ||
| smtpd_helo_restrictions = permit_sasl_authenticated, | smtpd_helo_restrictions = permit_sasl_authenticated, | ||
| Line 173: | Line 173: | ||
| # DATA | # DATA | ||
| smtpd_data_restrictions = reject_unauth_pipelining | smtpd_data_restrictions = reject_unauth_pipelining | ||
| - | # RCPT TO: (after relay) add here spam checks (blacklists etc) | + | # R * |
| - | smtpd_recipient_restrictions = permit_sasl_authenticated | + | |
| + | smtpd_recipient_restrictions = permit_sasl_authenticated | ||
| + | |||
| + | # OpenDKIM & OpenDMARC setup | ||
| + | smtpd_milters | ||
| + | non_smtpd_milters = unix:/ | ||
| + | milter_default_action = accept | ||
| </ | </ | ||
| + | |||
| Line 182: | Line 190: | ||
| The master.cf contains a list of the services (and ports) managed by Postfix on startup: | The master.cf contains a list of the services (and ports) managed by Postfix on startup: | ||
| <file - master.cf> | <file - master.cf> | ||
| + | |||
| + | # Port 25 listener | ||
| smtp inet n | smtp inet n | ||
| + | # Port 587 listener (STARTTLS) | ||
| + | smtps inet n | ||
| + | -o smtpd_tls_wrappermode=yes | ||
| + | |||
| + | # Port 465 listener (pure TLS) | ||
| submission inet n | submission inet n | ||
| + | # SPF inbound check filter | ||
| + | policy-spf | ||
| + | | ||
| + | |||
| pickup | pickup | ||
| cleanup | cleanup | ||
| Line 225: | Line 244: | ||
| To generate a valid Base64 encoding for authentication see [[https:// | To generate a valid Base64 encoding for authentication see [[https:// | ||
| + | |||
| + | To test your unencrypted SMTP service: | ||
| + | <code bash> | ||
| + | telnet 127.0.0.1 25 | ||
| + | Trying 127.0.0.1... | ||
| + | Connected to 127.0.0.1. | ||
| + | Escape character is ' | ||
| + | 220 gardiol.org ESMTP Postfix | ||
| + | EHLO mydomain.com | ||
| + | 250-gardiol.org | ||
| + | 250-PIPELINING | ||
| + | 250-SIZE | ||
| + | 250-ETRN | ||
| + | 250-STARTTLS | ||
| + | 250-ENHANCEDSTATUSCODES | ||
| + | 250-8BITMIME | ||
| + | 250-DSN | ||
| + | 250-SMTPUTF8 | ||
| + | 250 CHUNKING | ||
| + | quit | ||
| + | 221 2.0.0 Bye | ||
| + | Connection closed by foreign host. | ||
| + | </ | ||
| + | |||
| + | ensure that AUTH is not offered! Make sure there is no **250-AUTH PLAIN LOGIN** in the output! This means you have successfully disabled SASL authentication on plain text connections. | ||
| + | |||
| + | To test SSL/TLS: | ||
| + | <code bash> | ||
| + | openssl s_client -starttls smtp -connect 127.0.0.1: | ||
| + | Connecting to 127.0.0.1 | ||
| + | CONNECTED(00000003) | ||
| + | |||
| + | [ ... long TLS handshake omissis ... ] | ||
| + | |||
| + | EHLO mydomain.com | ||
| + | 250-mydomain.com | ||
| + | 250-PIPELINING | ||
| + | 250-SIZE | ||
| + | 250-ETRN | ||
| + | 250-AUTH PLAIN LOGIN | ||
| + | 250-ENHANCEDSTATUSCODES | ||
| + | 250-8BITMIME | ||
| + | 250-DSN | ||
| + | 250-SMTPUTF8 | ||
| + | 250 CHUNKING | ||
| + | AUTH PLAIN -- never post your Base64 strings on internet! -- | ||
| + | 235 2.7.0 Authentication successful | ||
| + | MAIL FROM:< | ||
| + | 250 2.1.0 Ok | ||
| + | RCPT TO:< | ||
| + | 250 2.1.5 Ok | ||
| + | DATA | ||
| + | 354 End data with < | ||
| + | Subject: My Test Email | ||
| + | Test email body | ||
| + | . | ||
| + | 250 2.0.0 Ok: queued as 194869C1AB | ||
| + | quit | ||
| + | 221 2.0.0 Bye | ||
| + | QUIT | ||
| + | </ | ||
| + | Double check that you have that **250-AUTH PLAIN LOGIN**, this means that you have properly setup SASL authentication using TLS. | ||
| + | |||
| + | To tets TLS without STARTLS, repeat the same command above without //-starttls smtp//, but remember to use port 465 instead of 587! | ||
| + | |||
| + | You should now test that: | ||
| + | * You can send an email from yourself to yourself | ||
| + | * You can send an email from yourself to another mailbox of your domain | ||
| + | * You can **not** send emails to other domains if you do not authenticate with SASL on TLS | ||
| + | |||
| + | That should do. | ||
| + | |||
| + | After you are done, go back to your **main.cf** disable soft_bounce and set 550 as error code instead of 450. | ||
| + | |||
| + | |||
| + | |||