Installing and Configuring Postfix

General Information

Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and (hopefully) secure, while at the same time being sendmail-compatible enough to not upset your users.


Installation

Installation Is simple and easy.. So let’s get started.

 # cd /usr/ports/mail/postfix # make install clean 

Now, to avoid any confusion with other applications that use postfix were going to make a quick symbolic link.

 # ln -s /usr/local/etc/postfix /etc/postfix 


Configuration

main.cf

Now lets configure this puppy. Thanks to elmore at screamingelectron.org for providing the configuration we will be using here. blade and soul gold Let’s start off by going into your postfix directory and editing main.cf with your favorite editor.

 # cd /usr/local/etc/postfix # vi main.cf 

The first thing you’re going to modify is the following line:

 myhostname = your.servername.here 

This line will set the mail server host name of your box. This cannot be any arbitrary name; it MUST be a fully qualified domain name!!

The next line to modify is:

 mydomain = some.domain.name 

Again this sets the default domain of the box, this must be a Fully Qualified Domain Name Here!

The next line to look at is the following line:

 myorigin = $mydomain 

Make sure this variable is set correctly! “$mydomain” is a valid global variable for the file so you should be good with that!

The next line to modify is the following:

 mydestination = $myhostname, localhost.$mydomain $mydomain virtualdomain1 virtual domain2 

Obviously this example assumes you’ll be setting up virtual domains. It also assumes you’ll be setting up sendmail style virtual domains. https://www.goldufo.com/ffxiv-items I know the file says to use the virtual file instead I don’t do that, I specify here, sendmail-style, you may not want to do that and that’s fine with me just understand in this how-to we’ll be setting up sendmail-style virtual domains.

Moving on, the next line I modify is the following:

 home_mailbox = Maildir/ 

DO NOT uncomment this line if you do not intend to use imap. If you are using pop or traditional /var/mail spool to deliver mail this is not needed and will undoubtedly mess up your mail delivery. If you are using courier-imap this line needs to be uncommented!

Moving right along the next line I modify is the:

 relay_domains = $mydestination, 127.0.0.1 

This will only allow messages to be accepted where the final destination domain is on this box. adidas stan smith It also allows delivery over the loopback interface.

Now, modify the following:

 mynetworks = xxx.xxx.xxx.xxx/zz, 127.0.0.1 

This only allows mail to be sent out to the Internet from the specified IPs! This can be an entire subnet or just one box you decide.

This brings us to the next lines to modify:

 local_destination_concurrency_limit = 2 default_destination_concurrency_limit = 10 

These lines limit the amount of concurrent connections to a domain. Good to have especially if you have a user that is forwarding mail out of his home via the use of a .forward file.

I actually insert the next lines into the file. They are for the canonical maps, you’ll need these if the following are true:

  1. You have virtual domains
  2. You have virtual usernames like full.name@somehost.com mapped back to username@somehost.com

If you’re using one of the above add it in. avis bottes ugg If not, don’t worry about it.

 sender_canonical_maps = hash:/etc/postfix/canonical recipient_canonical_maps = hash:/etc/postfix/canonical-receive 

We’ll be going over canonical tables in more depth in a little while. For now what you need to know is that on table modifies the incoming mail and one will modify outgoing mail.

The following lines I also add, you may or may not want to add these. It depends on how true you want to be to to the rfc and how strict you want to be on other hosts trying to send mail to you. nike air presto These lines will lay down the framework for cutting down on your spam!

 smtpd_client_restrictions = reject_rbl_client, \ check_client_access hash:/etc/postfix/client_access, reject_unauth_pipelining smtpd_recipient_restrictions = regexp:/etc/postfix/regexp_access, \ check_recipient_access hash:/etc/postfix/access, permit_mynetworks,reject_unknown_recipient_domain, \ reject_unknown_hostname, reject_rbl_client, reject_unauth_pipelining, reject smtpd_sender_restrictions = regexp:/etc/postfix/sender_checks.regexp, \ check_sender_access hash:/etc/postfix/sender_access, reject_unknown_sender_domain, \ reject_non_fqdn_sender, reject_rbl_client, reject_unauth_pipelining 

(That should be 3 lines, thought i would mention that so avoid future frustrations)

The first section specifies rejection if a client is not in an access list. An access list is a list I use which details the exact usernames on the box. This list is a necessity if you are running virtual domains, if you don’t use it userid1@virtualdomain1 can receive an e-mail to userid1@virtualdomain2 and so on and so forth. adidas stan smith This is the most efficient way I know to block this! It is also a good practice to do even if you aren’t running virtual domains (opinion). It also specifies a lookup to the rbl list (a real time black hole list for open-relay mail servers). It also does not allow unauthorized pipelining, not exactly sure why that’s needed but it is. If you know, let me know!

The second section does much of the same but is it for outside connections — people trying to send mail in. ugg chaussons It specifies a regular expression file which sorts through the headers and looks for junk, the access list, it rejects mail from computers that don’t have a fqdn it also reject is it can’t get the computer hostname through nslookup, it also rejects via the rbl list and the pipelining again.

The next section is a lot more of the same. Nothing really new to explain here.

The next line I add is my rbl line, defining what list to use. chaussure timberland homme I personally use the ordb list that can be found at http://ordb.org.

 maps_rbl_domains = relays.ordb.org 

The next things added are the following body and header checks. new balance They specify lookup files to run against all incoming and outgoing messages!

 header_checks = regexp:/etc/postfix/header_checks body_checks = regexp:/etc/postfix/body_checks 

The final things I add are a couple of reject codes and a message size limit self-explanatory, here they are!

 unknown_hostname_reject_code = 554 unknown_client_reject_code = 450 message_size_limit = 5000000 

Now after the SMTP helo is sent, the client needs to tell Postfix who the e-mail is from (MAIL FROM) and where to sent to (RCPT TO). nike air max femme This communication is supposed to follow RFC-821. Some spam software is not strict about its conformance so we can block spam based on this fact.

 strict_rfc821_envelopes = yes 

With this done, we are now through with the main.cf file. nike air max 1 pas cher Save it and let’s move on with our next section to configure the rest of postfix! A keynote here: once you finish editing files you need to cap it. Don’t forget to do this whenever you edit your postfix configuration files.

 # postmap main.cf 

The Access file

This file is the definitive list as that decides who to accept incoming mail from the Internet for. nike air max 2017 soldes If you defined it earlier in the main.cf file it must be defined here. timberland discount adidas superstar nike air max 97 Basic syntax is one user per line followed by an OK so edit /etc/postfix/access now

 userid1@domain1 OK userid2@domain1 OK userid3@domain2 OK 

etc. etc. Now for a little postfix sorcery, don’t specify an account if you don’t want them to have the ability to receive Internet mail. For instance, if you only want the ability for someone to mail local accounts (accounts only contained on your box), leave them out of here. Also, if you are running lots of Virtual domains, you may want to specify system account for each domain, like:

 webmaster@domain1 OK webmaster@domain2 OK postmaster@domain1 OK postmaster@domain2 OK 

Remember if the specific e-mail you want to receive mail from is not listed in this file it will bounce. nike air max 1 pas cher Once you’ve entered in all your info save that file. chaussure de tennis asics From here you must make that file into a hashed db, also after any updates you make to this file in the future you must recompile that hashed db to include your new accounts. asics gel pas cher new balance 2017 Do this by typing the following:

 # postmap access 

Also to avoid any delay you should always reload postfix, but don’t do that now because we haven’t turned postfix on yet! It can be done like this:

 # postfix reload 

CANONICAL FILES

The next files we’ll look at are, /usr/local/etc/postfix/canonical and /usr/local/etc/postfix/canonical-receive. Again, if you’re not using canonical tables specified in your main.cf file, you don’t need to worry about it here.

canonical

The canonical file as defined in this how-to will remap a users e-mail from the default domain to the appropriate virtual domain, if this is the case you need to specify all users except those in the default domain of the box here! Also, if you are mapping a local account to use another name like userid1 -> full.name then you need to specify that here. asics gel kayano Syntax is: userid@domain userid@virtualdomain, or, userid@domain full.name@domain this file handles mail outgoing only! Edit /etc/postfix/canonical now

 userid@defaultdomain userid@virtualdomain userid2@defaultdomain userid2@virtualdomain 

Or

 userid@defaultdomain full.name@defaultdomain 

canonical-receive

This file is used for incoming mail to clean up so that the virtual addresses don’t get remapped to the default domain. Soldes 2017 Asics All users should have an entry here including system accounts unless they are on the default domain of the box alone, and not using virtual usernames. chaussure timberland pas cher timberland discount With that let’s edit /usr/local/etc/postfix/canonical-receive now.

 userid1@defaultdomain userid1@defaultdomain userid1@virtualdomain userid1@virtualdomain userid2@virtualdomain userid2@virtualdomain postmast@virtualdomain userid2@virtualdomain webmaster@defaultdomain webmaster@defaultdomain webmastr@virtualdomain userid2@virtualdomain 

Or for virtual usernames

 full.name@domain userid@domain 

Got it? Good, it’s not that difficult now is it? Again, once you’re done with these files you’ll need to make a hashed db out of them using the postmap command and you’ll need to reload postfix. nike flyknit new balance avis You remember how to do that right? Good! You’re on your way.

CLIENT_ACCESS

The next file we’ll be looking at is the /usr/local/etc/postfix client_access file. This file will specify a list of exceptions and specific denials of mail servers. For instance, your friend, God bless him, has a mail server but is pretty clueless when it comes to dns. He hasn’t configured his dns to reverse lookup properly. nike air max 2012 Well, you could bypass that here. Also, you have some evil spammer that keeps sending you mail and the rbl list isn’t blocking him, you could add a specific block here. Syntax of this file is xxx.xxx.xxx.xxx function where x is an ip address and function is either OK or REJECT.

 xxx.xxx.xxx.xxx OK xxx.xxx.xxx.xxx REJECT 

After making this file, do you know what you need to do? That’s right. You must make a hashed db out of this file as well! Ok that’s, done let’s move on!

SENDER_ACCESS

This file /usr/local/etc/postfix/sender_access is where you can specify specific e-mail addresses or domain to block — usually bogus spam addresses. Syntax is fakeemail@bogusdomain.com function where the function is a reject code.

 fakeemail@fakedomain.com 550 No Spam Accepted fakedomain.com 550 What kind of bogus address is that? 

etc. buy bns gold etc. This file further solidifies your box and your place as an anti-spam ninja! (-For you McDonald!) You’ll need to make this file a hashed db as well once you’re done with it!

BODY_CHECKS

The next file we’ll be looking at is /usr/local/etc/postfix/body_checks. This file is either a regex file or a pcre file (if you compiled postfix with pcre support). louboutin paris I mainly use this file to block troublesome attachments I have no use for anyways. The following blocks certain types of attachments. Self-explanatory.

 /^(.*)name="(.*). ugg mini bailey button (com|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|hlp|swf|mpeg|mpg|mov|mp3|avi|pif|mpe|shs|ini)"$/ REJECT 

This will help out with viruses among other things. You won’t have to worry about vbs scripts and that sort of stupid thing from now on. This file just needs to be in place. There is NO need to make it a hashed db; although, after making changes DO reload postfix!

HEADER_CHECKS

The next file we’ll take a look at is /usr/local/etc/postfix/header_checks. This file does exactly as it says — it checks mail headers. nike femme solde Again, either regex or pcre. I will give a couple of examples here that I use:

 # This will block 8 non ascii characters in a row, which shouldn't be in the # header anyway according to the RFC...  asics gel lyte 5 Japan and Chinese spammers... /[^[:print:]]{8}/ REJECT # Pegasus uses "Comments: ..." not "Comment: ...". spammers got it wrong. /^Comment: Authenticated sender is/ REJECT 

These are just a couple of examples. My files are actually really large for this. You can spend a lot of time doing this! Try to avoid going crazy as it can be fairly obsessive! Again no hashed db needed, just reload postfix when you finish altering.

REGEXP_ACCESS

The next file to look at is /usr/local/etc/postfix/regexp_access. This file pretty much does some more of the same — kicking spammers where it hurts! Here is an example I have in mine.

 /[%!@].*[%!@]/ 550 Sender specified routing is not supported here. 

There, you see, not too bad huh. Ok, again reload postfix when your done and let’s move on.

ALIASES

Lets edit /etc/aliases

The aliases file is very limited with the configuration we have specified here. It does need some things filled in. chaussure adidas zx flux Standard system aliases should be placed here: aliases for root, postmaster, abuse, etc. etc. Also if you are running majordomo you’ll specify your outgoing secrets here. If you’re forwarding mail to another domain and not using a .forward file in your home, specify that here as well. Other than that you should be good to go.

Speak Your Mind

*