give a name to your root account (something that helps identify the system)
vipw root@HOST
proceed with system-wide mail setup
# BSD and sendmail
cp -pi /etc/mail/aliases /etc/mail/aliases.dist
vi /etc/mail/aliases

# postfix
cp -pi /etc/aliases /etc/aliases.dist
vi /etc/aliases
we don’t want redirections here, for once, as we’re actually hosting the messages locally. note the abuse mail alias SHOULD be defined. eventually get rid of the root alias so you read the bounces locally, e.g. with Alpine, without mixing them up with other messages.
postmaster: root
abuse: root
www: root
webmaster: root
root: MAILUSER
USER: MAILUSER
and apply
newaliases
#postalias /etc/mail/aliases
#postalias /etc/aliases
cd /etc/postfix/
diff -bu main.cf.proto main.cf | less -r # differs
diff -bu master.cf.proto master.cf # identical

mv -i main.cf main.cf.dist
grep -vE '^[[:space:]]*(#|$)' main.cf.dist > main.cf.clean
grep -vE '^[[:space:]]*(#|$)' main.cf.dist > main.cf

mv -i master.cf master.cf.dist
sed '/^#/d; /^$/d' master.cf.dist > master.cf.clean
sed '/^#/d; /^$/d' master.cf.dist > master.cf
always check the configuration manual for the exact behaviour of the features: they depend on the Postfix version you are using. We are talking Postfix v3.5.7 here.
postconf -d | grep version
man 5 postconf
if you are unsure about some restriction, you can evaluate it even on production with warn_if_reject,
NETWORK
vi /etc/postfix/access.client

.compute.amazonaws.com REJECT too much SPAM from compute.amazonaws.com
compute.amazonaws.com REJECT too much SPAM from compute.amazonaws.com
.smtpout.orange.fr OK
smtpout.orange.fr OK
.g7.fr OK
g7.fr OK

postmap /etc/postfix/access.client
EHLO
vi /etc/postfix/access.helo.regexp

/^localhost$/ 550 you are not me
/^mx$/ 550 you are not me
/^mx\.nethence\.com$/ 550 you are not me
/^nethence\.com$/ 550 you are not me
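To see why the NETWORK table lists every domain both with and without a leading dot, here is an added Python emulation of the lookup order Postfix uses for a hash: client table and a regexp: HELO table, following access(5) and regexp_table(5). This is not code from the page or from Postfix; the tables are constructed copies of the two files above, and IPv6 is left out.

```python
import re
# Constructed copy of access.client (hash: table) from this page.
ACCESS_CLIENT = {
    ".compute.amazonaws.com": "REJECT too much SPAM from compute.amazonaws.com",
    "compute.amazonaws.com": "REJECT too much SPAM from compute.amazonaws.com",
    ".smtpout.orange.fr": "OK", "smtpout.orange.fr": "OK",
    ".g7.fr": "OK", "g7.fr": "OK",
}

# Constructed copy of access.helo.regexp; regexp tables are case-insensitive by default.
ACCESS_HELO_REGEXP = [
    (re.compile(r"^localhost$", re.IGNORECASE), "550 you are not me"),
    (re.compile(r"^mx$", re.IGNORECASE), "550 you are not me"),
    (re.compile(r"^mx\.nethence\.com$", re.IGNORECASE), "550 you are not me"),
    (re.compile(r"^nethence\.com$", re.IGNORECASE), "550 you are not me"),
]

def hash_lookup_keys(client_name, client_addr, parent_matches_subdomains=True):
    """Keys Postfix tries, in order, for a hash: table keyed by client name/address
    (access(5), HOST NAME/ADDRESS PATTERNS). True models the default, where
    parent_domain_matches_subdomains lists smtpd_access_maps and a bare parent
    domain matches; False models the ".parent.tld" form. IPv4 only."""
    keys = []
    if client_name:
        name = client_name.lower()
        keys.append(name)
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            keys.append(parent if parent_matches_subdomains else "." + parent)
    if client_addr:
        octets = client_addr.split(".")
        for n in range(len(octets), 0, -1):  # a.b.c.d, a.b.c, a.b, a
            keys.append(".".join(octets[:n]))
    return keys

def lookup_client(client_name, client_addr, table=ACCESS_CLIENT, parent_matches_subdomains=True):
    """First matching action, or None (DUNNO: the next restriction decides)."""
    for key in hash_lookup_keys(client_name, client_addr, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None

def lookup_helo(helo_name, table=ACCESS_HELO_REGEXP):
    """regexp: tables are scanned top to bottom; the first match wins."""
    for pattern, action in table:
        if pattern.search(helo_name):
            return action
    return None
```

Listing both forms keeps the table working whichever way parent_domain_matches_subdomains is set, which is what the page's access.client does.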
MAIL FROM
vi /etc/postfix/access.sender

# http://www.postfix.org/access.5.html
online.net OK
.online.net OK
ovh.com OK
.ovh.com OK
dhcp.yndx.net OK
.dhcp.yndx.net OK
onmicrosoft.com REJECT
.onmicrosoft.com REJECT

postmap /etc/postfix/access.sender

vi /etc/postfix/access.backscatterer

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org

postmap /etc/postfix/access.backscatterer
see dnsrbl
keep vx. fix those defaults
note mailbox_size_limit for happy procmail
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> A GOOD START
and eventually see procmail for more details
eventually add space-separated CIDRs to mynetworks e.g. for Docker (172.17.0.0/16) or local subnets
note myorigin defaults to myhostname and mydomain defaults to the FQDN minus the first component
note we are using the simple form of myorigin, pointing to the FQDN, because we are using pools for outbound, so it’s best to differentiate relays.
also bypass any blacklists and restrictions – we want our own hosts to be able to deliver daily reports
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to MAIN CONFIG & RELAY
nothing fancy so far, while disabling SASL on port 25
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to CASUAL
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to NETWORK
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to EHLO
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to MAIL FROM & SPF
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to RCPT TO
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to DATA
see postfix-tls
setup your MX and SPF DNS records accordingly
see SPF INBOUND for installing policyd-spf
depending on your system
now enable the SPF inbound check and port 25 WITHOUT SASL
vi /etc/postfix/master.cf

policy unix - n n - 0 spawn user=nobody argv=/usr/bin/policyd-spf
# netbsd
#user=nobody argv=/usr/pkg/bin/policyd-spf
# freebsd
#user=nobody argv=/usr/local/libexec/postfix-policyd-spf-perl
note check_policy_service unix:private/policy and smtpd_policy_service_request_limit above in smtpd_sender_restrictions
see dkim
this won’t harm – although everything should be fine already
postfix set-permissions
postfix upgrade-configuration
systemctl restart opendkim
systemctl status opendkim
systemctl restart postfix
systemctl status postfix
start and enable
chmod +x /etc/rc.d/rc.postfix
/etc/rc.d/rc.postfix restart
start and enable
vi /etc/rc.local

#self verbose
/usr/local/sbin/postfix start
status
postfix status
ps auxfww | grep postfix | grep -v grep
ls -lF /var/spool/postfix/private/policy
logs
vi logmail

tail -F /var/log/maillog /var/log/secure

chmod +x logmail
see POSTFIX AND SASL
always check the configuration syntax before restart
postfix check && echo ok
finally operate the daemon and proceed with acceptance testing
ls -lF /var/spool/postfix/etc/
diff /etc/localtime /var/spool/postfix/etc/localtime
diff /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
diff /etc/services /var/spool/postfix/etc/services
no symlink inside the chroot
#cp -f /etc/localtime /var/spool/postfix/etc/localtime
Warning: I start to consider that this is a bad practice, as it is just too painful to maintain two MXes at once (otherwise spam comes through your secondary MX server)
Play with relay_domains, transport_maps and do NOT list example.com into mydestination. Here’s a minimal setup
#backup MX
smtpd_banner = ESMTP
relay_domains = nethence.com
myhostname = ssd.nethence.com
myorigin = ssd.nethence.com
mydestination = ssd.nethence.com
mynetworks = 127.0.0.1/32
You also have to enable outbound STARTTLS in case the primary MX enforces it. Otherwise you would get
530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command)
Finally, on the other side (primary MX), eventually add the backup MX into mynetworks or fine tune everything to make sure the relaying works accordingly. SPF should pass through already, as long as you’ve set up the appropriate DNS record for the backup MX.
eventually enable sshguard as an attempt to protect yourself from botnets. however a parser going through logs is less than ideal.
while using mail
postdrop: warning: unable to look up public/pickup: No such file or directory
==> you forgot to start postfix
it might be convenient to checkup all mail services at once
vi /root/STATUS

echo postfix
pgrep -a master
echo

echo dkim
pgrep -a opendkim
ls -lF /var/run/opendkim/opendkim.sock
ls -lF /var/spool/postfix/run/opendkim/opendkim.sock
echo

echo dovecot
pgrep -a dovecot
echo
Wietse Zweitze Venema http://www.porcupine.org/wietse/ http://www.porcupine.org/forensics/wietse.pgp
vdukhovni / postfix (unofficial mirror) https://github.com/vdukhovni/postfix
Postfix Basic Configuration http://www.postfix.org/BASIC_CONFIGURATION_README.html
Postfix Configuration Parameters http://www.postfix.org/postconf.5.html
master - Postfix master process configuration file format http://www.postfix.org/master.5.html
Changing the Postfix maximum email size https://www.electrictoolbox.com/postfix-email-size-limit/
Increasing Attachment Size in Postfix https://easyengine.io/tutorials/mail/postfix-attachment-size/
RFC2 Realtime List http://rfc-clueless.org/
Hardening Postfix For ISPConfig 3 https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
How To Fight Spam Using Your Postfix Configuration https://www.howtoforge.com/virtual_postfix_antispam
Postfix SMTP relay and access control http://www.postfix.org/SMTPD_ACCESS_README.html
access - Postfix SMTP server access table http://www.postfix.org/access.5.html
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
http://www.postfix.org/access.5.html
http://ftp.uma.es/mirror/postfix/doc/SMTPD_ACCESS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
POSTFIX LOGGING HOWTO http://rob0.nodns4.us/postfix-logging