Difference between revisions of "Postfix"
Michael.mast (talk | contribs)
Latest revision as of 09:33, 4 September 2022
Purpose
General Postfix notes collected while building a self hosted mail solution.
Infrastructure Overview
I am forced to use Comcast cable at home; obviously no one in their right mind would accept email sent directly from this network. I settled on placing the sending MTA relay in the cloud, while using the same relay in conjunction with an MTA at home for receiving emails. The MDA will be on prem as well, running only IMAPS and a web client that is TBD.
Basic Postfix Receive Emails for Domain
This configuration receives emails for a domain and delivers them locally. It uses default certificates and does not enforce the use of encryption. I was able to receive emails to both root and test system users with this from Gmail. Root probably shouldn't be receiving emails.
- main.cf
<pre>
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mx1.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 450
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
# continuation lines must start with whitespace, otherwise Postfix reads them as separate (malformed) parameters
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix/README_FILES
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
</pre>
Client Access
- https://www.tutorialspoint.com/linux_admin/linux_admin_set_up_postfix_mta_and_imap_pop3.htm
SMTP and IMAPS access
Transport Map
I needed to tell my external server to forward emails to the internal server when they are received. [1]
- Create the map file showing which relay to use for which domain. In my case I told it to relay mail for my domain to the server in my home.
<pre>
echo 'yourdomain.com :[mx2.yourdomain.com]:587' >> /etc/postfix/transport
postmap /etc/postfix/transport
</pre>
- Then specify it in main.cf
<pre>
transport_maps = hash:/etc/postfix/transport
</pre>
- Restart postfix
Virtual Domains
[2] This prevents delivering to local system accounts, which will be important as I will want to manage the accounts independently of the mail servers themselves.
Adding users
[3] Go to the virtual mailbox maps file and add the mapping for the new user, then create the matching mailbox directory and rebuild the map.
<pre>
# trailing slash = Maildir delivery (see the Maildir section); the directory name must match the map entry
echo 'testuser@yourdomain.com yourdomain.com/testuser/' >> /etc/postfix/vmailbox
postmap /etc/postfix/vmailbox
mkdir /var/mail/vhosts/yourdomain.com/testuser
chown 5000:5000 /var/mail/vhosts/yourdomain.com/testuser
systemctl restart postfix
</pre>
Maildir
[4][5] This will be helpful for structuring emails without additional infrastructure. Working with non-unix accounts, using the example uid:gid of 5000 and the default example path of /var/mail/vhosts/yourdomain.com/user:
- First time setup: create the directory structure.
<pre>
mkdir -p /var/mail/vhosts/yourdomain.com
chown -R mail:mail /var/mail/vhosts/
mkdir /var/mail/vhosts/yourdomain.com/user
chown 5000:5000 /var/mail/vhosts/yourdomain.com
setfacl -d -m g:5000:rwx /var/mail/vhosts/yourdomain.com
setfacl -d -m u:5000:rwx /var/mail/vhosts/yourdomain.com
</pre>
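As an added example (not part of the original notes), a small Python helper that does what the Adding users and Maildir steps above do by hand: it writes the virtual_mailbox_maps entry with the trailing slash that virtual(8) needs for Maildir delivery, creates the cur/new/tmp skeleton under the mailbox base, and then cross-checks every map entry against the filesystem so an mbox-versus-directory mismatch is caught before Postfix is restarted. The base directory and map file are parameters so it can run against a scratch directory; the uid:gid 5000 is the page's example value.

```python
import os
import subprocess
from pathlib import Path

# uid:gid used for all virtual mailboxes (the page's example value)
VMAIL_UID = VMAIL_GID = 5000

def vmailbox_entry(user: str, domain: str) -> str:
    """virtual_mailbox_maps line: address -> path under virtual_mailbox_base.
    The trailing '/' tells virtual(8) to deliver in Maildir format; without it
    the path is treated as a single mbox file."""
    return f"{user}@{domain} {domain}/{user}/"

def provision_user(user: str, domain: str, vmail_base, vmailbox_file,
                   run_postmap: bool = False) -> str:
    """Create the Maildir skeleton, append the map entry and (optionally)
    rebuild the hash map. Returns the Maildir path."""
    maildir = Path(vmail_base) / domain / user
    for sub in ("cur", "new", "tmp"):
        (maildir / sub).mkdir(parents=True, exist_ok=True)
    if os.geteuid() == 0:  # chown 5000:5000 as on the page; needs root
        for p in (maildir, *maildir.iterdir()):
            os.chown(p, VMAIL_UID, VMAIL_GID)
    with open(vmailbox_file, "a", encoding="utf-8") as fh:
        fh.write(vmailbox_entry(user, domain) + "\n")
    if run_postmap:  # `postmap /etc/postfix/vmailbox` as on the page
        subprocess.run(["postmap", str(vmailbox_file)], check=True)
    return str(maildir)

def check_mappings(vmailbox_file, vmail_base) -> list:
    """Cross-check every map entry against the filesystem and report
    mismatches, e.g. an mbox-style entry (no trailing '/') whose target is a
    directory, which makes virtual(8) fail to deliver."""
    problems = []
    for raw in Path(vmailbox_file).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, rel = line.split(None, 1)
        target = Path(vmail_base) / rel
        if rel.endswith("/"):
            missing = [s for s in ("cur", "new", "tmp") if not (target / s).is_dir()]
            if missing:
                problems.append(f"{addr}: Maildir {target} lacks {missing}")
        elif target.is_dir():
            problems.append(f"{addr}: mbox entry but {target} is a directory")
    return problems
```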
Security
SMTP Restrictions
- Added to main.cf
<pre>
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
</pre>
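Added here as an example and not from the original notes: a Python reader for main.cf that applies the continuation-line rule from postconf(5) (a line starting with whitespace continues the previous one, which is why the debugger_command lines in the config above must be indented) and then flags the settings these notes discuss: the opportunistic smtpd_tls_security_level = may and the three HELO checks from the Security section. The parameter names are real Postfix ones; the review rules are my own.

```python
import re

def parse_main_cf(text: str) -> dict:
    """Parse main.cf as postconf(5) describes it: 'name = value' lines,
    '#' comment lines, and continuation lines, which Postfix recognises only
    by leading whitespace. An unindented continuation (the debugger_command
    lines with their indentation lost) is a separate, malformed line, so it
    is reported instead of being silently misread."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name is not None:
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            raise ValueError(f"missing '=' (unindented continuation?): {raw!r}")
        name, _, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        params[name] = value
    return params

# the HELO restrictions the Security section adds
PAGE_HELO_RESTRICTIONS = ("reject_unknown_helo_hostname",
                          "reject_non_fqdn_helo_hostname",
                          "reject_invalid_helo_hostname")

def review(params: dict) -> list:
    """Flag the page's security-relevant settings when they are absent or weak."""
    findings = []
    level = params.get("smtpd_tls_security_level", "none")
    if level in ("none", "may"):
        # 'may' offers STARTTLS but does not require it. A public MX on port 25
        # MUST NOT require STARTTLS (RFC 3207 section 4), so 'encrypt' belongs
        # on the submission listener, not on the inbound MX.
        how = "not offered" if level == "none" else "offered but not required"
        findings.append(f"smtpd_tls_security_level={level}: STARTTLS {how}")
    if params.get("smtpd_helo_required", "no") != "yes":
        findings.append("smtpd_helo_required is not 'yes'")
    # restriction lists may be separated by commas and/or whitespace
    present = set(re.split(r"[\s,]+", params.get("smtpd_helo_restrictions", "").strip()))
    for r in PAGE_HELO_RESTRICTIONS:
        if r not in present:
            findings.append(f"smtpd_helo_restrictions lacks {r}")
    return findings
```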
References
1. https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery
2. https://www.postfix.org/VIRTUAL_README.html
3. https://www.serverwatch.com/guides/adding-users-and-aliases-for-postfix/
4. https://www.postfix.org/VIRTUAL_README.html#virtual_mailbox
5. https://en.wikipedia.org/wiki/Maildir#:~:text=The%20Maildir%20e%2Dmail%20format,are%20added%2C%20moved%20and%20deleted.