give a name to your root account (something that helps identify the system)
vipw root@xc
proceed with system-wide mail setup
# Old-school Sendmail cp -pi /etc/mail/aliases /etc/mail/aliases.dist vi /etc/mail/aliases # Postfix cp -pi /etc/aliases /etc/aliases.dist vi /etc/aliases
we don’t want redirections here, for once, as we’re actually hosting the messages locally. Note the abuse mail alias SHOULD be defined
# Basic system aliases -- these MUST be present MAILER-DAEMON: postmaster postmaster: root # General redirections for pseudo accounts bin: root daemon: root named: root nobody: root uucp: root www: root ftp-bugs: root postfix: root # Put your local aliases here. root: REAL-USER SOMEUSER: root ALTUSER: root support: root contact: root info: root sales: root xen: root # Well-known aliases manager: root dumper: root operator: root abuse: postmaster # trap decode to catch security attacks decode: root
eventually get rid of the root alias so you read the bounces locally e.g. w/ Alpine and w/o mixup those up with other messages.
and apply
newaliases #postalias /etc/mail/aliases #postalias /etc/aliases ls -lF /etc/mail/aliases* ls -lF /etc/aliases*
cd /etc/postfix/ diff -bu main.cf.proto main.cf | less # differs diff -bu master.cf.proto master.cf # identical mv -i main.cf main.cf.dist grep -vE '^[[:space:]]*(#|$)' main.cf.dist > main.cf.dist.clean grep -vE '^[[:space:]]*(#|$)' main.cf.dist > main.cf mv -i master.cf master.cf.dist sed '/^#/d; /^$/d' master.cf.dist > master.cf.dist.clean sed '/^#/d; /^$/d' master.cf.dist > master.cf
always check the configuration manual for accuracy of the features. Those merely depend on the exact Postfix version you are using. We are talking Postfix v3.5.7 here.
postconf -d | grep version man 5 postconf
if you are unsure about some restriction, you can evaluate it even on production with
warn_if_reject,
NETWORK
vi /etc/postfix/access.client .compute.amazonaws.com REJECT too much SPAM from compute.amazonaws.com compute.amazonaws.com REJECT too much SPAM from compute.amazonaws.com .smtpout.orange.fr OK smtpout.orange.fr OK .g7.fr OK g7.fr OK postmap /etc/postfix/access.client
EHLO
vi /etc/postfix/access.helo.regexp /^localhost$/ 550 you are not me /^xc$/ 550 you are not me /^xc\.nethence\.com$/ 550 you are not me /^nethence\.com$/ 550 you are not me
MAIL FROM
vi /etc/postfix/access.sender online.net OK ovh.com OK postmap /etc/postfix/access.sender
Make sure the DNSRBL lists you are targeting are still alive
for zone in \
bl.spamcop.net \
cbl.abuseat.org \
psbl.surriel.com \
truncate.gbudb.net \
db.wpbl.info \
spam.spamrats.com \
dnsbl.dronebl.org \
ix.dnsbl.manitu.net \
bl.blocklist.de \
dnsbl.sorbs.net \
dnsbl-1.uceprotect.net \
b.barracudacentral.org \
zen.spamhaus.org \
; do
echo $zone
host 2.0.0.127.$zone
echo
done; unset zone
postfix versions and offered defaults vary across systems
less /etc/postfix/main.cf
we are only fixing those (if not already disabled)
html_directory = no sample_directory = no readme_directory = no shlib_directory = no
and adding those
# BSD alias_database = hash:/etc/mail/aliases alias_maps = hash:/etc/mail/aliases # GNU/Linux alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases
here’s what differs on slackware vs. netbsd’s built-in postfix
smtputf8_enable=no inet_protocols = all
enable SMTPUTF8 otherwise you would get
SMTPUTF8 is required, but was not offered by host ...
need to fix those defaults
smtpd_banner = $myhostname ESMTP compatibility_level = 3.5 (remove all smtp*tls smtpd*tls relayhost) (displace smtpd_relay_restrictions myhostname mynetworks)
eventhough we have 3.5, we want the new detauls compatibility_level namely 3.6
note mailbox_size_limit for happy procmail
smtpd_banner = $myhostname ESMTP biff = no append_dot_mydomain = no readme_directory = no compatibility_level = 3.6 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all # may break DKIM but gmail wants Message-ID header always_add_missing_headers = yes
eventually add space-separated CIDRs to mynetworks e.g. for Docker (172.17.0.0/16) or local subnets
note myorigin defaults to myhostname and mydomain defaults to FQDN minus the first component
note we are using the simple form of myorigin, pointing to the FQDN, because we are using pools for outbound, so it’s best to differenciate relays.
myhostname = xc.nethence.com
myorigin = nethence.com
mydomain = nethence.com
mydestination = localhost
xc.nethence.com
nethence.com
...
bypass any blacklists and restrictions - we want our own hosts to be able to deliver daily reports
mynetworks = 127.0.0.1/32 [::1]/128 172.17.0.0/16
FRIENDLY-CIDR
# w/o permit_sasl_authenticated - we use a dedicated port for that
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
nothing fancy so far, while disabling SASL on port 25
# 10MB --> 25MB # (default: 10240000) message_size_limit = 26214400 # unused when mbox or procmail #home_mailbox = Maildir/ strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_delay_reject = yes enable_long_queue_ids = yes smtpd_sasl_auth_enable = no
# slow down inbound on errors
# default is 10
smtpd_soft_error_limit = 5
# reduce inbound errors
# default is 20
smtpd_hard_error_limit = 10
# bounce faster when messages get stuck
# graylisting should be fine within 5 hours delay
# default is 5d
bounce_queue_lifetime = 5h
maximal_queue_lifetime = 6h
smtpd_client_restrictions = permit_mynetworks, reject_unauth_pipelining,
reject_unknown_client_hostname,
check_client_access hash:/etc/postfix/access.client,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client psbl.surriel.com,
reject_rbl_client db.wpbl.info,
reject_rbl_client dnsbl.dronebl.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client bl.blocklist.de,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org
# this blocks hh.ru
# reject_rbl_client truncate.gbudb.net,
# this blocks nine.pairlist.net / hackrf-dev-bounces@greatscottgadgets.com
# reject_rbl_client spam.spamrats.com,
# this blocks orange.fr...
# reject_rbl_client dnsbl.sorbs.net,
# reject_rbl_client dnsbl-1.uceprotect.net,
# those are gone
# reject_rbl_client dnsbl.inps.de,
# reject_rbl_client public.sarbl.org,
# The RFC-Ignorant.org DNS lists are closed effective 2012-10-30.
# reject_rhsbl_sender bogusmx.rfc-ignorant.org,
# reject_rhsbl_sender dsn.rfc-ignorant.org,
# this is too restrictive
# reject_rhsbl_sender dsn.rfc-clueless.org,
# apews is blocking online.net ip range
# reject_rbl_client l2.apews.org,
#reject_unknown_client_hostname --> unknown_client_reject_code
#reject_unknown_reverse_client_hostname --> unknown_client_reject_code
unknown_client_reject_code = 554
#smtpd_client_port_logging = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
regexp:/etc/postfix/access.helo.regexp
#reject_unknown_helo_hostname --> unknown_hostname_reject_code
unknown_hostname_reject_code = 554
smtpd_sender_restrictions = permit_mynetworks, reject_unauth_pipelining,
check_sender_access hash:/etc/postfix/access.sender,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
check_policy_service unix:private/policy
#deprecated: policy_time_limit = 3600
smtpd_policy_service_request_limit = 1
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
#reject_unknown_sender_domain --> unknown_address_reject_code
#reject_unknown_recipient_domain --> unknown_address_reject_code
unknown_address_reject_code = 554
#client speaks too early smtpd_data_restrictions = reject_unauth_pipelining
mailbox_command = /usr/bin/procmail #mailbox_command = /usr/pkg/bin/procmail #mailbox_command = /usr/local/bin/procmail
eventually see procmail for more details
see postfix-tls
setup your MX and SPF DNS records accordingly
see SPF INBOUND for installing policyd-spf depending on your system
now enable the SPF inbound check and port 25 WITHOUT SASL
vi /etc/postfix/master.cf
policy unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf
#user=nobody argv=/usr/pkg/bin/policyd-spf
note check_policy_service unix:private/policy and smtpd_policy_service_request_limit above in smtpd_sender_restrictions
see dkim
this won’t harm – although everything should be fine already
postfix set-permissions postfix upgrade-configuration
systemctl restart opendkim systemctl status opendkim systemctl restart postfix systemctl status postfix
start and enable
chmod +x /etc/rc.d/rc.postfix /etc/rc.d/rc.postfix restart
start and enable
vi /etc/rc.local #self verbose /usr/local/sbin/postfix start
status
postfix status ps auxfww | grep postfix | grep -v grep ls -lF /var/spool/postfix/private/policy
logs
vi logmail tail -F /var/log/maillog /var/log/secure chmod +x logmail
see POSTFIX AND SASL
always check the configuration syntax before restart
postfix check && echo ok
finally operate the daemon and proceed with acceptance testing
ls -lF /var/spool/postfix/etc/ diff /etc/localtime /var/spool/postfix/etc/localtime diff /etc/resolv.conf /var/spool/postfix/etc/resolv.conf diff /etc/services /var/spool/postfix/etc/services
no symlink inside the chroot
#cp -f /etc/localtime /var/spool/postfix/etc/localtime
Warning: I start to consider that this is a bad practice, as it is just too painful to maintain two MXes at once (otherwise spams come through your seconday MX server)
Play with relay_domains, transport_maps and do NOT list example.com into mydestination. Here’s a minimal setup
#backup MX smtpd_banner = ESMTP relay_domains = nethence.com myhostname = ssd.nethence.com myorigin = ssd.nethence.com mydestination = ssd.nethence.com mynetworks = 127.0.0.1/32
You also have to enable outbound STARTTLS in case the primary MX enforces it. Otherwise you would get
530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command)
Finally, on the other side (primary MX), eventually add the backup MX into mynetworks or fine tune everything to make sure the relaying works accordingly. SPF should pass through already, as long as you’ve setup the appropriate DNS record for the backup MX.
eventually enable fail2ban or sshguard as an attempt to protect yourself from bot nets.
however a parser going through logs is less than ideal.
while using mail
postdrop: warning: unable to look up public/pickup: No such file or directory
==> you forgot to start postfix
Postfix memcache client Howto http://www.postfix.org/MEMCACHE_README.html
Director https://wiki2.dovecot.org/Director
Dovecot mailstore performance tuning https://dovecot.org/pipermail/dovecot/2014-July/097120.html
How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin
Difference btw. Dovecot Director and Dovecot Proxy https://dovecot.org/pipermail/dovecot/2014-July/097112.html
vs
Postfix feature overview –> Postfix file system requirements http://www.postfix.org/features.html
Wietse Zweitze Venema http://www.porcupine.org/wietse/ http://www.porcupine.org/forensics/wietse.pgp
vdukhovni / postfix (unofficial mirror) https://github.com/vdukhovni/postfix
Postfix Basic Configuration http://www.postfix.org/BASIC_CONFIGURATION_README.html
Postfix Configuration Parameters http://www.postfix.org/postconf.5.html
master - Postfix master process configuration file format http://www.postfix.org/master.5.html
Changing the Postfix maximum email size https://www.electrictoolbox.com/postfix-email-size-limit/
Increasing Attachment Size in Posfix https://easyengine.io/tutorials/mail/postfix-attachment-size/
RFC2 Realtime List http://rfc-clueless.org/
Hardening Postfix For ISPConfig 3 https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
How To Fight Spam Using Your Postfix Configuration https://www.howtoforge.com/virtual_postfix_antispam
Postfix SMTP relay and access control http://www.postfix.org/SMTPD_ACCESS_README.html
access - Postfix SMTP server access table http://www.postfix.org/access.5.html
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
http://www.postfix.org/access.5.html
http://ftp.uma.es/mirror/postfix/doc/SMTPD_ACCESS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
POSTFIX LOGGING HOWTO http://rob0.nodns4.us/postfix-logging
https://web.archive.org/web/20140213185822/http://spamlinks.net/filter-dnsbl-dead.htm
https://www.spamhaus.org/faq/section/DNSBL%20Usage
https://www.dnsbl.com/2008/10/shutting-down-blacklists.html
Welcome to DNSBL.info https://www.dnsbl.info/
dnsbl resource https://www.dnsbl.com/
Which DNSBLs work well? https://www.dnsbl.com/2007/03/how-well-do-various-blacklists-work.html
What are spamtraps? https://www.spamresource.com/2007/02/what-are-spamtraps.html
Mail Spam Blacklists https://linuxreviews.org/Mail_Spam_Blacklists
w3bservice/Current Effective RBL Setup for Postfix 2017 https://gist.github.com/w3bservice/16f500e6c745aa6f3e6542ddc239c3c0
Postfix configure anti spam with blacklist https://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
Blacklist & Whitelist with Postfix https://linuxlasse.net/linux/howtos/Blacklist_and_Whitelist_with_Postfix
Mimecast SMTP Error Codes https://community.mimecast.com/docs/DOC-1369
Prevent spam in Postfix https://support.rackspace.com/how-to/prevent-spam-in-postfix/
How-To: Fight SPAM with Postfix RBL https://www.debuntu.org/how-to-fight-spam-with-postfix-rbl/
https://www.linuxmagic.com/power_of_ip_reputation https://www.linuxmagic.com/products/bms/ https://www.linuxmagic.com/products/bms/blacklist_info https://www.linuxmagic.com/products/bms/mail_servers http://linuxmagic.ca/products/bms/install http://www.linuxmagic.ca/products/bms/whitelists
https://www.linuxmagic.com/products/bms/lookup https://www.spamrats.com/about.php https://www.mipspace.com/
atech/postal https://github.com/atech/postal/wiki
Slackware Current - Sendmail - Moving forward https://www.linuxquestions.org/questions/slackware-14/slackware-current-sendmail-moving-forward-4175669439/
Postfix SMTP Access Policy Delegation http://www.postfix.org/SMTPD_POLICY_README.html