email:configure-postfix [2025/03/05 16:06] – [Testing] willy
email:configure-postfix [2025/03/13 13:30] (current) – [Configuration: postfix] willy
Line 1: Line 1:
-====== Configuration: postfix ======+====== F) Configuration: postfix ======
  
 Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are: Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are:
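Review bot: the renamed heading "====== F) Configuration: postfix ======" is fine, but the unchanged intro sentence shown as context in this hunk still carries two slips that could go into the same edit: "from a the sender" should read "from the sender" and "It speak" should read "It speaks".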
Line 45: Line 45:
  
 ===== Mail Security ===== ===== Mail Security =====
-The SMTP protocol by itself is unencrypted and unsecure. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption.+The SMTP protocol by itself is unencrypted and unsecured. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption.
  
 Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections: Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections:
   * Plain, no TLS (port 25)   * Plain, no TLS (port 25)
-  * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it +  * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it (port 587) 
-  * SSL/TLS, connection must be extablished encrypted (port 587)+  * SSL/TLS, connection must be established encrypted (port 465)
  
 Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections. Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections.
  
-The [[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer~SASL]] (Simple Authentication Security Layer) is used for authentication. This implies the trnasmission on the connection of the username+password combination using a Base64 encoding. Please note, and this is **very important**, that Base64 is //not// an encryption and can easily be de-coded. For this reason, it is mandatory that authentication is enabled only is TLS too is enabled.+The [[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer~SASL]] (Simple Authentication Security Layer) is used for authentication. This implies the transmission on the connection of the username+password combination using a Base64 encoding. Please note, and this is **very important**, that Base64 is //not// an encryption and can easily be de-coded. For this reason, it is mandatory that authentication is enabled only is TLS too is enabled.
  
-Postfix does not provide a SASL authenticator, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers.+Postfix does not provide a SASL authentication, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers.
  
 ===== Postfix documentation resources ===== ===== Postfix documentation resources =====
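Review bot: the port assignments are now correct (STARTTLS upgrade on 587, implicit TLS on 465), but the SASL paragraph picks up a regression and keeps a typo: "Postfix does not provide a SASL authentication" reads worse than the earlier "SASL authenticator" (clearer still: "does not provide its own SASL implementation, this is delegated to Dovecot"), and "authentication is enabled only is TLS too is enabled" still needs "only if TLS is enabled as well". The link markup "[[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer~SASL]]" also uses "~" where DokuWiki expects "|" between the URL and the link text, so it will not render as a named link.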
Line 163: Line 163:
 smtpd_reject_unlisted_sender = yes smtpd_reject_unlisted_sender = yes
  
-# Client connection +# Client connection (do not put "reject" here or nobody will be able to send you emails) 
-smtpd_client_restrictions = permit_sasl_authenticated, reject+smtpd_client_restrictions = permit_sasl_authenticated
 # HELO / EHLO filtering # HELO / EHLO filtering
 smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname
Line 173: Line 173:
 # DATA # DATA
 smtpd_data_restrictions = reject_unauth_pipelining smtpd_data_restrictions = reject_unauth_pipelining
-RCPT TO: (after relay) add here spam checks (blacklists etc) +R *   smtpd_milters         = unix:/run/opendkim/opendkim.sock 
-smtpd_recipient_restrictions = permit_sasl_authenticated+   non_smtpd_milters = unix:/run/opendkim/opendkim.sockCPT TO: (after relay) add here spam checks (blacklists etc) 
 +smtpd_recipient_restrictions = permit_sasl_authenticated check_policy_service unix:private/policy-spf 
 + 
 +# OpenDKIM & OpenDMARC setup 
 +smtpd_milters     = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
 +non_smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
 +milter_default_action = accept 
 </file> </file>
 +
  
  
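Review bot: dropping "reject" from smtpd_client_restrictions is the right fix, since "permit_sasl_authenticated, reject" would have refused every unauthenticated client, that is every remote MTA trying to deliver to this server. The new "smtpd_recipient_restrictions = permit_sasl_authenticated check_policy_service unix:private/policy-spf" now ends without any reject rule, which is only safe because, as the "(after relay)" comment says, relay control lives in smtpd_relay_restrictions outside this hunk; confirm that parameter ends in reject_unauth_destination, otherwise this host relays for anyone. Two smaller points: the "RCPT TO: (after relay) add here spam checks" comment shows no leading "#" in this rendering, and a main.cf line without "=" makes postfix/postconf abort with "missing '=' after attribute name", so check the real file; and "milter_default_action = accept" is fail-open (with opendkim or opendmarc down, outbound mail leaves unsigned and inbound mail is accepted unchecked), a trade-off worth stating next to the new milter lines. The two milter lines also mix "/run/opendkim/..." and "/var/run/opendmarc/..."; pick one path spelling.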
Line 182: Line 190:
 The master.cf contains a list of the services (and ports) managed by Postfix on startup: The master.cf contains a list of the services (and ports) managed by Postfix on startup:
 <file - master.cf> <file - master.cf>
 +
 +# Port 25 listener
 smtp      inet  n                               smtpd smtp      inet  n                               smtpd
  
 +# Port 587 listener (STARTTLS)
 +smtps      inet  n                               smtpd
 +   -o smtpd_tls_wrappermode=yes
 +
 +# Port 465 listener (pure TLS)
 submission inet n                               smtpd submission inet n                               smtpd
  
 +# SPF inbound check filter
 +policy-spf  unix  -                               spawn
 +     user=nobody argv=/usr/bin/policyd-spf      
 +     
 pickup    fifo  n                   60      1       pickup pickup    fifo  n                   60      1       pickup
 cleanup   unix  n                               cleanup cleanup   unix  n                               cleanup
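Review bot: the two new comments are attached to the wrong services: "smtps" with "-o smtpd_tls_wrappermode=yes" is the port 465 implicit-TLS listener and "submission" is the port 587 STARTTLS listener, exactly as the Mail Security section of this page states, so "# Port 465 listener (pure TLS)" belongs above smtps and "# Port 587 listener (STARTTLS)" above submission. The submission entry also shows no per-service overrides in this hunk; given the page's own rule that AUTH must only be offered over TLS, it should carry at least "-o smtpd_tls_security_level=encrypt" and "-o smtpd_sasl_auth_enable=yes" unless those are already the global main.cf values. The "policy-spf" service name matches "check_policy_service unix:private/policy-spf" in main.cf, which is good; the column values (private/unpriv/chroot/wakeup/maxproc) are missing in this rendering, so verify the real file has the usual "- n n - 0" for a spawn service, since policyd-spf must run outside the chroot.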
Line 288: Line 307:
 Double check that you have that **250-AUTH PLAIN LOGIN**, this means that you have properly setup SASL authentication using TLS. Double check that you have that **250-AUTH PLAIN LOGIN**, this means that you have properly setup SASL authentication using TLS.
  
-To tets TLS without STARTLS, repeat the same command above without //-starttls smtp//.+To tets TLS without STARTLS, repeat the same command above without //-starttls smtp//, but remember to use port 465 instead of 587!
  
 You should now test that: You should now test that:
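Review bot: the port reminder is correct (implicit TLS listens on 465, so the openssl command loses "-starttls smtp" and connects to 465 instead of 587), but the line keeps two typos from the earlier revision: "tets" for "test" and "STARTLS" for "STARTTLS".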
