Postfix simple tutorial with examples Postfix is an excellent replacement for sendmail. It is a fast and secure message transfer agent (MTA).
It is intended as an easy-to-administer and secure alternative to the widely-used Sendmail MTA. Postfix is powerful enough to allow the flexibility to deliver mail locally just on your own machine, setup as a full mail server for a corporation or with the help of clustering software it can serve as a full mail cluster.
There is no reason you need to be stuck with the options your local ISP gives you. With Postfix as your MTA you can setup your mail the way you want to, abiding by only your rules. If you want to block all spam from China or Russia then do it. You only want to accept mail from trusted associates, then you can. What about setting up an email address for all your friends and family? The best part is it is Open Source, completely free and runs on almost every operating system (Irix Solaris Linux OpenBSD FreeBSD NetBSD).
Install postfix and setup the environment To get started, you need to first install Postfix on your machine. The source code is available from the and practically every distribution has pre-made packages if you prefer those. The install is very easy and it will not take you much time. Once the install is done you need to look at the config file for Postfix called 'main.cf'.
This file is the primary config file and will contain all of the directives needed to make postfix work like you want it to. The main.cf file can normally be found under the /etc directory Postfix was installed under. For example /etc/postfix/main.cf Below you will find the link to the postfix example file and below that is the same main.cf file in a text box. Both formats are available to make it easier for you to review the code. This main.cf is a fully working config file with the exception of setting up a few variables for your environment. # ### Calomel.org Postfix main.cf # ### Verify these directory settings - they are critical to Postfix operation.
Biff = no recipientdelimiter = commanddirectory = /usr/sbin daemondirectory = /usr/libexec/postfix programdirectory = /usr/libexec/postfix ### Interface to listen on inetinterfaces = 127.0.0.1 ### smtp banner mailname = YOURHOST Daemon smtpdbanner = $mailname. All Spam Is Reported. ESMTP ### Who delivers the mail (never root for security). Mailowner = postfix setgidgroup = postdrop ### Default user to deliver mail to (NEVER ENABLE) luserrelay = ### The myorigin parameter specifies the domain that appears in mail that is posted on/through this machine.
Appenddotmydomain = no appendatmyorigin = yes ### alias's aliasmaps = hash:/etc/aliases aliasdatabase = hash:/etc/aliases ### Whitelist of accepted recipients. $aliasmaps means only addreses in ### /etc/aliases are accepted to be locally delivered. # localrecipientmaps = $aliasmaps ### the internet hostname of this mail system myhostname = YOURHOST.com myorigin = $myhostname ### The mydestination parameter specifies what domains this machine will deliver locally, instead ### of forwarding to another machine. The default is to receive mail for the machine itself. Mydestination = $myhostname, localhost.localdomain,localhost ### Relay Host this mail server should send its mail to.
(NONE) relayhost = yourispssmtpserver.com ### External Networks to accept RELAYED mail from. Mynetworks = 127.0.0.0/8 ### Where to send mail that is delivered locally. Mailboxcommand = procmail -a '$EXTENSION' ### How much of the message in bytes will be bounced back to the sender. Bouncesizelimit = 1000 ### No limit on mailbox size. Mailboxsizelimit = 0 ### Message Restrictions # headerchecks = regexp:/etc/postfix/headerchecks ### Limit sent/recieved emails to 100 Megs '(header+body+attachment)x(mime-encoding). Want more speed? Make sure to also check out the.
With a little time and understanding you could easily double your firewall's throughput. Reduce SPAM by greylisting ips using Postgrey with Postfix Greylisting (or graylisting) is a method of defending e-mail users against spam. It is an extremly effective tool. A mail transfer agent (MTA) using greylisting will 'temporarily reject' any email from a sender it does not recognize with a code 450.
If the mail is legitimate the originating server will, after a delay, try again and if sufficient time has elapsed the email will be accepted. If the mail is from a spam sender, sending to many thousands of email addresses, it will probably not be retried and thus spam will never get to the users mail box. NOTE: greylisting is not tarpitting. Tarpitting like what is used in will slowly communicate with the remote server at one character per second thus wasting the spammer's time. Greylisting simply tells the server to go away and check back later. Both methods have their uses depending on how you want to run your mail server. By default, Postgrey will deny the delivery of email for 5 minutes the first time a remote ip is seen.
After 5 minutes the ip is allowed to be white listed and then postfix will use the rest of the checks you have configured. A white listed ip address can deliver mail without being slowed down. If the ip has not been seen in at least 35 days the ip is removed from the database at which time the ip will have to go through the greylisting processes again. To install, most modern OS's already have a package made for postgrey. You can use the package manager or build it from source. ## Ubuntu apt-get install postgrey ## OpenBSD pkgadd -i postgrey Once postgrey is installed we need to tell postfix to check in with the postgrey daemon running on localhost port 60000.
Add The checkpolicyservice directive to the smtpd recipient checks line. We suggest adding this check as the very first check as it is very inexpensive to run.
For example, doing a DNS lookup to check if the doamin is vailid takes more network and CPU time then simply checking with postgrey to see if we should communicate with the remote ip in the first place. Here we see the checkpolicyservice directive added to the checks from our postfix example above. Smtpdrecipientrestrictions = checkpolicyservice inet:127.0.0.1:60000, rejectnonfqdnsender, rejectnonfqdnrecipient, rejectnonfqdnhostname, rejectinvalidhostname, permitmynetworks, rejectunauthpipelining, rejectunknownsenderdomain, rejectunknownrecipientdomain, rejectunauthdestination, rejectunknownclient, permit The last step is to start the postgrey daemon (/etc/init.d/postgrey restart or similar) and then restart the postfix deamon (postfix reload). Comcast now requires sending mail through smtp.comcast.net port 587. What can I do?
In an effort to reduce the amount of spam coming from their networks, certain ISPs are now requiring their users to use authenticated smtp (SASL). Smtp-Auth requires the user to connect to the ISP's mail server on a given port and authenticate with their user-name and password. Our goal here is to:. Relay all outgoing mail through smtp.comcast.net to port 587. Postfix will use authenticated SMTP with Cyrus SASL v2 and our username and password supplied by the ISP.
Continue to accept mail from remote mail servers on port 25 destined for our host. Incoming traffic is unauthenticated. This is so any mail server can deliver mail to our hostname. We can setup Postfix to relay mail through the ISP's mail server using SASL and still accept mail using plain text. Lets get started. First, you must check if the version of postfix you are using is 'cyrus' enabled. If it is NOT you must either build one or find a postfix package that has it built in.
For example, OpenBSD has a postfix package with cyrus as well as sasl2. Execute the following to see a list of allowed SASL client implementations: root@machine: postconf -A cyrus Next, add the following lines into your /etc/postfix/main.cf file. For example, this config relays all outgoing mail through the Comcast server smtp.comcast.net port 587 using SASL authentication (default security type is cyrus). Add these lines to the example configuration above for a complete example.
### Relay Host this mail server should send its mail to. Relayhost = smtp.comcast.net:587 ### Relay Client SASL Authentication smtpsaslauthenable = yes smtpsaslsecurityoptions = smtpsaslpasswordmaps = hash:/etc/postfix/saslpasswd Lastly, we need to setup the SASL password file. Edit or make a file called /etc/postfix/saslpasswd. Use the following format: smtp.comcast.net USERNAME:PASSWORD The username and password were given to you by the ISP. They are the same u/p you would use to pop3 your mail or log into webmail. Once you have all the files edited you need to make a db hash of the saslpasswd file and reload postfix for the changes to take effect. Postmap /etc/postfix/saslpasswd postfix reload Now, send some mail and watch the /var/log/maillog file for any problems.
Also, make sure that mail from external sources can get back to your box and are delivered properly if you have postfix setup to receive mail. OPTIONAL STEP: As a precaution you might want to blocked all traffic out of your box to port 25. This might be a bit paranoid, but you do not want to accidentally contact the comcast servers on port 25 and get blocked. If you use OpenBSD and Pf you can use the following rule: # Relay mail through Comcast (do not allow port 25 out to avoid getting blocked) block out log quick on $ExtIf inet proto tcp from any to any port smtp After this line is in place you can try ' telnet smtp.comcast.net 25'.
Setup Postfix
The firewall will block the packet and give the error, no route to host. How can I use Google's Gmail as a SMTP server instead of using my ISP's mail server? Google offers the ability to relay mail through their servers using TLS encryption and SASL2 authentication. This is a great way to bypass your ISP's mail limitations or aggressive spam filtering like Comcast and Verizon do. They are notorious for incorrectly configured or overly aggressive spam filters that deny outgoing email from their customers. The best part is Gmail is free AND you can relay mail from anywhere in the world through your gmail account. Another positive feature is you can set up any 'From:' addresses you want to.
![]()
This make it easy to send mail through Gmail's SMTP server and have the recipient reply-to a mail account other than gmail. What do we want to accomplish? We want to send out all of our mail through postfix to the Gmail smtp servers using SASL2 and TLS on port 587. We want our mail to have the 'From:' and 'Reply-To' headers set to our private domain email address [email protected] as set in our client and not the gmail email address we signed up with. Sign up for a free Google Gmail account First, you need to sign up for a free gmail account.
Goto and sign up. Once you have the account made make note of your USERNAME and PASSWORD as we will need those two items in a later step. If you have an existing Gmail account that will work too. While logged into your account goto the 'Settings' section and then into the tab called 'Accounts'.
We need to add the email addresses we would like to have mail go out as. The top section labeled, 'Send mail as: (Use Gmail to send from your other email addresses)' is where we will add our addresses. For example, lets say we want all email which people respond to, to be delivered to [email protected]. We would add that email to the 'Send mail as:' section and enter the same email into the sub-option 'Reply-to address:'. Gmail in turn will send a verification email to the [email protected] address which we will get a verification code from.
That verification code will be entered into gmail only once. Then the 'From:' address, [email protected], will be a validated address. Now, when our mail client sends mail though gmail and the From: address is [email protected] gmail will not overwrite the header with our gmail email address.
Copy in a working OpenSSL config file (/etc/ssl/openssl.cnf) We will be making our ssl certificate on an OpenBSD box. The default openssl certificate authority configuration file in /etc/ssl/openssl.cnf on OpenBSD is striped down so much that we need to make a new file. Without a working config you will get the error, 'variable lookup failed for ca::defaultca' when you try to use the 'openssl ca.' You may not need this step on all OS's, but it does not hurt.
The following text block is our new /etc/ssl/openssl.cnf. You are welcome to copy and paste it in place of the original file. # OpenSSL configuration file. ( /etc/ssl/openssl.cnf ) # Calomel.org at # # Establish working directory.
Before we proceed to our part of the configuration we must disable a feature that was set when Tuomos Postfix RPM was installed. Remember it comes built with support for the Cyrus-IMAP Server? We're not going to use the Cyrus-IMAP Server in this HOWTO. So let's disable this setting, as we don't want it to interfere with our setup at the moment. Postfix main configuration is done in the /etc/postfix/main.cf. Use your favorite editor to edit the file.
We are going to use vi throughout this HOWTO. [email protected]# vi /etc/postfix/main.cf. Search for aliasdatabase = and you'll find #aliasdatabase = dbm:/etc/aliases and three more lines that offer different values. We uncomment the third line and set the value to hash: /etc/postfix/aliases. Our aliasdatabase parameter now reads as follows: aliasdatabase = hash:/etc/postfix/aliases That's it for a start.
We're still away from having a sophisticated SMTP server that saves us a lot of work and is a real pain to spammers, but we're very close to fire up Postfix and send our first message. Postfix doesn't want to bother us with information into detailed depth unless we ask it to.
Since we are still setting Postfix up and testing functions we might run into problems while doing that. So we'll have Postfix being more detailed about what's going on when it gets its work done. This will save us lot of time when we look for errors!
In order to enable verbose logging we have to append a string that is passed to the smtpd when it is started. This is done in /etc/postfix/master.cf. [email protected]# vi /etc/postfix/master.cf search for smtpd and append -v. When your done it should look like this: # # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) # smtp inet n - n -smtpd -v That's it for our first basic setup. Postfix should now be configured to accept messages from the local machine and from any machine who's IP matches the IP Range you specified when you answered Q3.
Now it's time to start Postfix for the first time: [email protected]# /etc/init.d/postfix start You can tell it's up from the feedback the init script provides; but will the Postfix-Server die after a few seconds because something is wrong? Let's check the process list and pipe it's output to grep which will grab for the string postfix in the output. [email protected]# ps axf grep postfix 7547? S 0:00 /usr/libexec/postfix/master Still there. OK, time to send our first mail. If it's gone check /var/log/maillog for error messages.
Did Postfix deliver our mail? We'll check by simply letting less open the file in /var/spool/mail for the user test. [email protected]# less /var/spool/mail/test From [email protected] Fri Mar 15 21: Return-Path: Delivered-To: [email protected] Received: by mail.example.com (Postfix, from userid 0) id 029E640789; Fri, 15 Mar 2002 21:09:53 +0100 (CET) To: [email protected] Subject: Test from localhost Message-Id: Date: Fri, 15 Mar 2002 21:09:53 +0100 (CET) From: [email protected] (root) Test #1 So it got delivered.
Let's go on to send some mail from another host. Again we telnet 172.16.0.2 25. We'll do as before with the only difference that this time we send to a remote (aka non-local) user.
Since you've just seen the procedure, we'll just summarize this session (S: = server, C: = client): S: 220 mail.example.com ESMTP Postfix C: EHLO example.com S: 250-mail.example.com S: 250-PIPELINING S: 250-SIZE 10240000 S: 250-VRFY S: 250-ETRN S: 250-XVERP S: 250 8BITMIME C: mail from: S: 250 Ok C: rcpt to: S: 250 Ok C: data S: 354 End data with. C: Testmail relaying mail from [email protected] to [email protected] C: Test #3 C:. S: 250 Ok: queued as 84BA64078A C: quit S: 221 Bye Now it's up to you to send mail to a remote user through the Postfix server. But behold, don't close your telnet program after the session. You'll need some of the information that was specific to your session in a few paragraphs from now. Remember that we've just sent a mail to [email protected].
Since the Postfix server in our HOWTO is not connected to the real world it hardly will be able to deliver the message. So what is Postfix doing with the mail at the moment? It's still trying, holding the mail in the queue. Time to learn something about a helper application that comes with Postfix which is used to remove mails from Postfix' mqueue: postsuper When you delete a mail it goes like this: postsuper -d MESSAGEID Every message has it's unique ID provided by Postfix when it accepts a message. This MESSAGEID was given to us, when we did our telnet session.
Have a look at the second last message that Postfix gave us in the HOWTO before we quit the session. 250 Ok: queued as 84BA64078A 84BA64078A is our HOWTOS' MESSAGEID. Look at your telnet program.
What is your MESSAGEID? At the command prompt enter: [email protected]# postsuper -d MESSAGEID postsuper: MESSAGEID: removed postsuper: Deleted: 1 message [email protected]# We removed the undeliverable mail. Postfix should feel better now.;-).
Let's do it the way and define and test a test before we do the configuration. Since our remote machine is part of the network defined in mynetworks it will be allowed to relay no matter if we configured SMTP AUTH correctly or not.
This will not help us to prove, our configuration for SMTP AUTH works. In order to gain valid results whether relaying with SMTP AUTH works the way we want it, we'll have to ensure that we are not part of $mynetworks. We do this by simply removing our subnet from the $mynetworks parameter and only let the IP range for localhost remain.
[email protected]# vi /etc/postfix/main.cf We reduce mynetworks = 172.16.0.0/24, 127.0.0.0/8 to mynetworks = 127.0.0.0/8. It should look like this: mynetworks = 127.0.0.0/8 In order to let the changes be known to Postfix we must restart it. [email protected]# postfix reload postfix/postfix-script: refreshing the Postfix mail system Let's prove that our test setup will not allow us to relay messages. We telnet from our remote machine. Keep in mind that relaying means: Sending a message through Postfix to a remote user. The value we provide with RCPT TO: must not be a local user. This is the transcript from our session: S: 220 mail.example.com ESMTP Postfix C: EHLO example.com S: 250-mail.example.com S: 250-PIPELINING S: 250-SIZE 10240000 S: 250-VRFY S: 250-ETRN S: 250-XVERP S: 250 8BITMIME C: MAIL FROM: S: 250 Ok C: RCPT TO: S: 554: Recipient address rejected: Relay access denied C: QUIT S: 221 Bye.
We gathered informations to use for configuration. We configured Postfix to give us basic functionality. We added a user for testing purposes. Then we sent testmessages from localhost to a local user,. from a remote machine to a local user and. from the remote machine to a remote user.
We did this the hard way in order to exclude failures that could be introduced by more complex Mail clients. We successfully deleted a non-deliverable message from Postfix without stopping it or manually deleting files from it's mail queue. We prepared Postfix to reject relaying for our network in order to prove SASL to work correctly later on.
Applicable to:. Plesk 12.5 for Linux.
Plesk Onyx for Linux. Plesk 12.0 for Linux Question How to change outbound mail IP address for Postfix, if the primary IP address is blacklisted and mail is not going out? Answer It is hardcoded in the Plesk backend that the IP address for outgoing mail in the Postfix configuration file ( /etc/postfix/master.cf ) will be the same as the interface IP to which Postfix is listening. For example: 203.0.113.2- unix - n n -smtp -o smtpbindaddress=203.0.113.2 -o smtpbindaddress6= -o smtpaddresspreference=ipv4 203.0.113.3- unix - n n -smtp -o smtpbindaddress=203.0.113.3 -o smtpbindaddress6= -o smtpaddresspreference=ipv4 Since Plesk 12.0, the ability to change the outbound mail IP address for Postfix. Please note, that several IP addresses.
For older Plesk versions, the following workaround is available:. Edit the /etc/postfix/master.cf file and replace smtpbindaddress=203.0.113.2 with smtpbindaddress=203.0.113.3. Restart Postfix: # service postfix restart Note: the default settings in /etc/postfix/master.cf will be restored after mail reconfiguration on any domain. Consider creating a scheduled task to replace /etc/postfix/master.cf with a custom file. The script for the scheduled task would be: #!/bin/bash /bin/grep 'smtpbindaddress=203.0.113.2' /etc/postfix/master.cf if $? -ne 1 ; then /bin/sed -i 's/smtpbindaddress=203.0.113.2/smtpbindaddress=203.0.113.3/g' /etc/postfix/master.cf /etc/init.d/postfix reload fi exit 0.
I'm trying to trigger a script when receiving a mail on a PostFix Linux Server. I could do it on my local server, working on a simple postfix with configuration files. To do it, I'm following those tutorials: My problem is that on my VPS, Postfix works with parallels plesk. So, it is not configured via locafiles (in /etc/postfix) but via databases ( in /var/spool/postfix/plesk/ ), and I just can't update those files. I need to update /var/spool/postfix/plesk/transport.db, to add the line: mydomain.com. Myhook So I edited the file /etc/postfix/transport, I added the line, and then performed a: # postmap /etc/postfix/transport # postfix reload But it's not working. And I don't know what is not working.
Is the /var/spool/postfix/plesk/transport.db file updated? I don't know. Could someone help me with this problem? The file transort.db generated is located in /etc/postfix, whereas in main.cf the hash was configured in /var/spool/postfix/plesk/. So, I tried to copy it to there.
But, it froze postfix (the process die within a second, without loging any error). So I used the access rather than the transport to filter my email. Whereas I thought it didn't work, the scripted has finally been executed 40 minutes. But, in the default configuration, mails reach the server within a second. So, I suppose that this delay come from my configuration. Could you give some direction to reduce this delay? – Mar 5 '14 at 14:58.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |