Table of contents
  1. main.cf
    1. Directories and files
    2. Information
    3. Communication protocols
    4. Resources
    5. UNIX owner
    6. Identity and home network
    7. Address rewriting
    8. Relaying, virtual domain, local delivery and transport
    9. SASL authentication
    10. TLS encryption
    11. Reception and verification rules
  2. smtpd.conf
  3. access.cf

This page describes the installation of a Postfix server whose communications are encrypted to protect passwords and mail contents. User accounts are managed from an LDAP directory. To limit the amount of spam received, several strategies can be combined: blacklists, greylisting, message analysis, …

Build information

Ensure the following options:

mail/postfix
TODO

main.cf

Directories and files

Paths of the directories and programs used by Postfix.

main.cf
# INSTALL-TIME CONFIGURATION INFORMATION
sendmail_path             = /usr/local/sbin/sendmail
newaliases_path           = /usr/local/bin/newaliases
mailq_path                = /usr/local/bin/mailq

manpage_directory         = /usr/local/man
sample_directory          = /usr/local/etc/postfix
readme_directory          = /usr/local/share/doc/postfix
html_directory            = /usr/local/share/doc/postfix

cfgdir                    = /usr/local/etc/postfix
queue_directory           = /var/spool/postfix
command_directory         = /usr/local/sbin
daemon_directory          = /usr/local/libexec/postfix
data_directory            = /var/db/postfix

# TOOLS DEFAULTS
default_database_type     = lmdb

Information

The identification banner presented to clients when they connect.

main.cf
# SOFTWARE VERSION
smtpd_banner              = $myhostname ESMTP $mail_name

Communication protocols

The server can be reached over either IPv4 or IPv6, and it listens for incoming mail on all network interfaces.

main.cf
# PROTOCOL / ADDRESSES
inet_protocols            = ipv4,ipv6
inet_interfaces           = all

For correct mail-server behaviour, and in particular to pass the anti-spam checks performed by other servers, do not forget to publish in DNS the A and AAAA records for the server name as well as the matching reverse (PTR) records.

Resources

The size of a message is limited to 15MB; this limit applies both to messages submitted by users and to messages relayed through the server.

main.cf
# RESOURCES
message_size_limit        = 15728640

UNIX owner

Unix user accounts that own the different queues and Postfix’s processes.

main.cf
# QUEUE AND PROCESS OWNERSHIP
mail_owner                = postfix
default_privs             = nobody
setgid_group              = maildrop

If these settings are changed, it is necessary to execute the command:

Fix files and directories permissions
postfix set-permissions

Identity and home network

If the machine has several names, it is necessary to specify which one (with myhostname) represents the mail service.

main.cf
# INTERNET HOST AND DOMAIN NAMES
myhostname                = mrelay1.example.com
mydomain                  = example.com

The mynetworks_style directive indicates which machines are allowed to relay messages through the server (this is checked later by the permit_mynetworks restriction); in the configuration shown, the value host limits relaying to this server alone. It is also possible to trust the whole subnet the server sits on with the value subnet, or to define mynetworks explicitly for finer granularity.

main.cf
# TRUST AND RELAY CONTROL
mynetworks_style          = host

Address rewriting

main.cf
# ADDRESS REWRITING
myorigin                  = $mydomain
masquerade_domains        = !ml.example.com, example.com

Relaying, virtual domain, local delivery and transport

main.cf
# RELAY
relay_domains             = friend-domain.com
# VIRTUAL DOMAIN AND MAILBOX
virtual_alias_maps        = lmdb:$cfgdir/v_aliases
virtual_alias_domains     = ml.example.com, my-other-domain.com
virtual_mailbox_domains   = example.com, sample.com
virtual_transport         = lmtp:unix:/var/imap/socket/lmtp

# LOCAL DELIVERY
mydestination             = $myhostname, localhost.$mydomain, localhost
alias_maps                = lmdb:$cfgdir/aliases
alias_database            = lmdb:$cfgdir/aliases
mailbox_command           = /usr/local/bin/procmail -Y
mail_spool_directory      = /var/mail

# TRANSPORT
transport_maps            = lmdb:$cfgdir/transport

SASL authentication

SASL authentication uses the $mydomain realm (here example.com). Anonymous connections are not allowed. The rest of the SASL configuration lives in the smtpd.conf file.

main.cf
# SASL
#  configuration is in: smtpd.conf
cyrus_sasl_config_path    = $cfgdir
smtpd_sasl_type           = cyrus
smtpd_sasl_auth_enable    = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain   = $mydomain
smtpd_sasl_path           = smtpd

TLS encryption

TLS is not mandatory (smtpd_tls_security_level is set to may), which keeps the server compatible with all clients and mail servers. Clients may still choose to authenticate (with the AUTH command), and in that case encryption is required (smtpd_tls_auth_only set to yes) so that the password is never sent in clear text.

main.cf
# TLS
tls_random_source         = dev:/dev/urandom
tls_append_default_CA     = yes
smtpd_tls_security_level  = may
smtpd_tls_loglevel        = 0
smtpd_tls_auth_only       = yes
smtpd_tls_cert_file       = /etc/cert/wildcard.example.com.crt
smtpd_tls_key_file        = /etc/cert/wildcard.example.com.key
smtpd_tls_CAfile          = /etc/cert/cachain.pem
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert       = yes
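
One way to verify the SASL and TLS settings above from the client side (an added example, not part of the original page or of Postfix): with smtpd_tls_auth_only = yes the EHLO reply on a plain connection must not list AUTH, the reply after STARTTLS must, and the mechanisms should match the mech_list in smtpd.conf. The EHLO replies embedded below are constructed, and probe.example.com is an assumed client name.

```python
import smtplib
import ssl

# Constructed EHLO reply bodies (not captured from a real server) for offline use.
SAMPLE_PLAIN = b"mrelay1.example.com\nPIPELINING\nSIZE 15728640\nSTARTTLS\n8BITMIME"
SAMPLE_TLS = b"mrelay1.example.com\nPIPELINING\nSIZE 15728640\nAUTH PLAIN LOGIN\n8BITMIME"


def parse_ehlo(reply: bytes) -> dict:
    """Turn an EHLO reply body (status codes already stripped) into {KEYWORD: params}."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines():
        parts = line.split()
        if parts:
            features[parts[0].upper()] = parts[1:]
    return features


def auth_offered_correctly(before_tls: bytes, after_tls: bytes) -> tuple:
    """Return (ok, reason) for the EHLO replies seen before and after STARTTLS."""
    plain, tls = parse_ehlo(before_tls), parse_ehlo(after_tls)
    if "AUTH" in plain:
        return False, "AUTH advertised before STARTTLS: smtpd_tls_auth_only is not in effect"
    if "STARTTLS" not in plain:
        return False, "STARTTLS not advertised: check smtpd_tls_security_level"
    if "AUTH" not in tls:
        return False, "AUTH not advertised after STARTTLS: check smtpd_sasl_auth_enable"
    extra = sorted(set(tls["AUTH"]) - {"PLAIN", "LOGIN"})
    if extra:
        return False, "mechanisms %s are not in the mech_list of smtpd.conf" % extra
    return True, "AUTH is only offered inside TLS and the mechanisms match mech_list"


def probe(host: str, port: int = 25) -> tuple:
    """Live check of a real server (needs network; not used by the offline checks)."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo("probe.example.com")  # assumed client name; any FQDN works
        before = conn.ehlo_resp         # reply body kept by smtplib after EHLO
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo("probe.example.com")
        return auth_offered_correctly(before, conn.ehlo_resp)
```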

Reception and verification rules

Messages will be accepted on the following criteria:

main.cf
# Milter
milter_default_action     = accept

main.cf
# JUNK MAIL CONTROLS

smtpd_helo_required       = yes
smtpd_helo_restrictions       =
    permit_mynetworks,                        reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,             reject_unknown_helo_hostname,
    permit

smtpd_sender_restrictions     =
    check_sender_access mysql:$cfgdir/access.cf, reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions  =
    reject_non_fqdn_recipient,                reject_unknown_recipient_domain,
    permit_mynetworks,                        permit_sasl_authenticated,
    reject_unauth_destination,                reject_unlisted_recipient,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
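
A dry run of the smtpd_recipient_restrictions list above, as an added example that is not Postfix code: restrictions are evaluated in order and the first one that fires decides, so the placement of reject_unauth_destination after permit_mynetworks and permit_sasl_authenticated is what lets trusted clients relay while keeping the server closed to everyone else. DNS, the RBL and the recipient tables are replaced by constructed sets so the script runs offline; reject_unlisted_recipient is simplified to a mailbox list for the page's own domains.

```python
from typing import NamedTuple, Optional

# Constructed stand-ins for DNS, the RBL and the mailbox tables, so the script
# runs offline.  The domain sets mirror the main.cf values on this page.
MYNETWORKS = {"127.0.0.1", "::1"}                          # mynetworks_style = host
MYDESTINATION = {"mrelay1.example.com", "localhost.example.com", "localhost"}
VIRTUAL_DOMAINS = {"ml.example.com", "my-other-domain.com", "example.com", "sample.com"}
RELAY_DOMAINS = {"friend-domain.com"}
RESOLVABLE = VIRTUAL_DOMAINS | RELAY_DOMAINS | {"mrelay1.example.com", "gmail.com"}
RBL_LISTED = {"192.0.2.66"}                                # constructed sbl-xbl listing
KNOWN_MAILBOXES = {"alice@example.com", "bob@sample.com"}  # constructed recipient tables

RESTRICTIONS = [  # smtpd_recipient_restrictions from main.cf above
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "reject_unlisted_recipient",
    "reject_rbl_client sbl-xbl.spamhaus.org", "permit",
]
OPEN_RELAY = [r for r in RESTRICTIONS if r != "reject_unauth_destination"]


class Session(NamedTuple):
    client_ip: str
    sasl_user: Optional[str]
    recipient: str


def evaluate(s: Session, restrictions=RESTRICTIONS) -> str:
    """Walk the list in order; the first restriction that fires decides."""
    rcpt = s.recipient.lower()
    domain = rcpt.partition("@")[2]
    ours = MYDESTINATION | VIRTUAL_DOMAINS  # domains whose recipients we can list
    fires = {
        "reject_non_fqdn_recipient": "." not in domain,
        "reject_unknown_recipient_domain": domain not in RESOLVABLE,
        "permit_mynetworks": s.client_ip in MYNETWORKS,
        "permit_sasl_authenticated": s.sasl_user is not None,
        "reject_unauth_destination": domain not in ours | RELAY_DOMAINS,
        "reject_unlisted_recipient": domain in ours and rcpt not in KNOWN_MAILBOXES,
        "reject_rbl_client": s.client_ip in RBL_LISTED,
        "permit": True,
    }
    for entry in restrictions:
        name = entry.split()[0]          # drop the RBL zone argument
        if fires[name]:
            return "PERMIT" if name.startswith("permit") else "REJECT " + entry
    return "DUNNO"
```

Running the same sessions against OPEN_RELAY shows that dropping reject_unauth_destination lets any unauthenticated client relay to foreign domains.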

smtpd.conf

The smtpd.conf configuration file gets its name from the smtpd_sasl_path parameter defined in main.cf. It contains information about the authentication mechanism to be used by SASL.

In this configuration file, spaces at the end of a line are not trimmed and become part of the parameter value; be careful not to leave any.

The authentication mechanism relies on saslauthd, which can query an LDAP directory without requiring clear-text passwords to be stored in the directory. In return, the password must be transmitted in clear text (plain or login mechanisms) between the client and the server, so its protection depends entirely on the connection being encrypted.

smtpd.conf
pwcheck_method: saslauthd
mech_list:      plain login

access.cf

This file is used by the check_sender_access lookup in the smtpd_sender_restrictions definition to decide whether messages from a given sender (i.e. e-mail address) are accepted. The action most often applied is REJECT.

A table named access is created in order to reject mail based on the sender; only the pattern and action fields are used by Postfix, the others are kept for information.

Database creation
CREATE TABLE `access` (
 `pattern` varchar(127)                 NOT NULL,
 `action`  varchar(255)                 NOT NULL DEFAULT 'REJECT',
 `type`    enum('spam','unsub','other') NOT NULL DEFAULT 'other',
 `comment` varchar(255)                          DEFAULT NULL     CHARACTER SET utf8,
 PRIMARY KEY (`pattern`)
) DEFAULT CHARSET=ascii COLLATE=ascii_general_ci;

Connection information to the database:

access.cf
user         = postfix
password     = ????????
dbname       = mail_postfix
hosts        = 127.0.0.1

Table and fields used to define the actions to be performed (REJECT, DEFER, DISCARD, …):

access.cf
table        = access
where_field  = pattern
select_field = action
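
The table, where_field and select_field settings above make Postfix run SELECT action FROM access WHERE pattern = '<key>' for every lookup key it derives from the sender address. The following added example (not Postfix code) reproduces that query on an in-memory SQLite copy of the table, with the key order documented in access(5) for e-mail addresses: the full address, the domain and its parent domains up to the top-level domain (the default parent_domain_matches_subdomains behaviour for smtpd_access_maps), then the local part followed by "@". The MySQL column types are approximated and the rows are constructed samples.

```python
import sqlite3

DDL = """CREATE TABLE access (
  pattern TEXT PRIMARY KEY,
  action  TEXT NOT NULL DEFAULT 'REJECT',
  type    TEXT NOT NULL DEFAULT 'other',
  comment TEXT)"""

# Constructed sample rows; pattern and action are the only fields Postfix reads.
ROWS = [
    ("spammer.example", "REJECT", "spam", "whole domain and its subdomains"),
    ("news@marketing.example", "REJECT unsubscribed", "unsub", None),
    ("partner.example", "OK", "other", "always accepted"),
    ("noreply@", "DISCARD", "other", "drop any noreply sender, whatever the domain"),
]


def lookup_keys(sender: str) -> list:
    """Keys Postfix tries, in order, for an envelope sender address."""
    local, _, domain = sender.lower().partition("@")  # ascii_general_ci is case-insensitive
    if not domain:
        return [sender.lower()]
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]  # domain, parents, TLD
    keys.append(f"{local}@")
    return keys


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the mail_postfix database of access.cf."""
    db = sqlite3.connect(":memory:")
    db.execute(DDL)
    db.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", ROWS)
    return db


def sender_action(db: sqlite3.Connection, sender: str):
    """(key, action) of the first hit, or None: Postfix then moves to the next restriction."""
    for key in lookup_keys(sender):
        row = db.execute("SELECT action FROM access WHERE pattern = ?", (key,)).fetchone()
        if row:
            return key, row[0]
    return None
```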