Postfix

We chose Postfix due to its modern design and security record. It also has a license that we can live with more easily than qmail.

We generally configure Postfix in one of 2 configurations: outbound only, and outbound plus inbound. Outbound only is pretty simple; inbound configuration is quite a bit more complex.

Prerequisites

Be sure that the "Firewall" procedure has been completed. Several ports will need to be open for testing inbound email.

Debian comes with Exim 4 installed. We'll need to remove it so we can replace it with Postfix. It's best to remove it beforehand, so that we can reliably remove all the associated configuration files:

sudo apt-get purge 'exim4*'

Installation

Install the package:

sudo apt-get install postfix

You will (probably) be presented with some warnings and instructions in text menus. Hit OK after reading the instructions. Select No Configuration when prompted for the type of configuration – we'll configure everything manually.

Configuration

All Postfix configuration options are detailed in the postconf(5) man page.

The postconf utility won't create a config file if it doesn't exist, so create it manually:

sudo touch /etc/postfix/main.cf

Basic Configuration

Set the host and domain names:

sudo postconf -e "myhostname=`hostname -f`"
sudo postconf -e "mydomain=`hostname -d`"

Tell the SMTP server what domains to accept email for. (Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains is that any real user ID that exists on the box – or is listed in the aliases file – is a valid address in the domain; the valid addresses in a virtual domain have to be explicitly listed in the virtual alias map.) For outbound-only systems, we only want to list "localhost" and "$myhostname":

sudo postconf -e 'mydestination=localhost, $myhostname'

Append our domain name to any addresses that don't specify one:

sudo postconf -e 'myorigin=$mydomain'

Denote which systems can send outbound email (without having to authenticate). We also include a separate file to list any additional IPs that are allowed to relay through us. See the Relay section below.

sudo postconf -e 'mynetworks=127.0.0.0/8, hash:/etc/postfix/mynetworks'

Assuming /etc/postfix/mynetworks doesn't already exist, create it. We shouldn't need to add any addresses for an outbound-only email server:

sudo sh -c 'cat > /etc/postfix/mynetworks' << 'EOD'
# These IPs are allowed to relay through our SMTP servers.
# NOTE: The 2nd field is not used, but you'll get warnings from postmap if you leave it out.
EOD
sudo postmap /etc/postfix/mynetworks

Set what the SMTP server should say when a client connects. We keep the version info out, for security reasons:

sudo postconf -e 'smtpd_banner=$myhostname ESMTP $mail_name'

Set the mail aliases file. (Note that the aliases file is special in 3 ways: it exists outside the /etc/postfix directory for historical reasons; it uses a colon (':') to separate the left side from the right; and you use the newaliases command after updating it, instead of the postmap command.)

sudo postconf -e 'alias_maps=hash:/etc/aliases'
sudo postconf -e 'alias_database=hash:/etc/aliases'

Set maximum sizes for messages (50 MB) and mailboxes (1 GB):

sudo postconf -e 'message_size_limit=50000000'
sudo postconf -e 'mailbox_size_limit=1000000000'

By default, Postfix will keep trying to send an email for 5 days, before it gives up and tells you that it had a problem. That seems rather long, so we reduce it to 1 day:

sudo postconf -e 'maximal_queue_lifetime=1d'
sudo postconf -e 'bounce_queue_lifetime=1d'

Allow email addressed to 'username+foo', so the user can have multiple virtual sub-addresses:

sudo postconf -e 'recipient_delimiter=+'

For outbound-only email servers, we want the SMTP server to listen only on the localhost interface:

sudo postconf -e 'inet_interfaces=127.0.0.1'

The Mailman documentation recommends the following setting. It ensures that emails to unknown local addresses will generate a permanent error, not a transient error in which the client will keep re-trying.

sudo postconf -e 'unknown_local_recipient_reject_code=550'
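As an added example (not part of the original page), a POSIX shell audit that reads a main.cf written by the postconf -e commands above and flags the settings an outbound-only server should not have: listening on all interfaces, a banner that leaks version or OS details, a mynetworks that relays for anyone, or a missing 550 reject code. The helper names and the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Postfix main.cf for the
# outbound-only settings the steps above write. Assumes "key = value" lines as
# produced by "postconf -e"; function names and the sample config are constructed.

# cf_get FILE KEY: print KEY's value (last occurrence wins, as Postfix does).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_main_cf FILE: print one line per finding; return the number of findings.
audit_main_cf() {
    f=$1 n=0
    v=$(cf_get "$f" inet_interfaces)
    case "$v" in
        127.0.0.1|loopback-only) ;;
        *) echo "inet_interfaces=${v:-all}: outbound-only server should bind loopback only"
           n=$((n + 1)) ;;
    esac
    v=$(cf_get "$f" smtpd_banner)
    case "$v" in
        *mail_version*|*'('*) echo "smtpd_banner=$v: leaks version or OS information"
           n=$((n + 1)) ;;
    esac
    v=$(cf_get "$f" mynetworks)
    case "$v" in
        *0.0.0.0/0*|*::/0*) echo "mynetworks=$v: relays for anyone (open relay)"
           n=$((n + 1)) ;;
    esac
    v=$(cf_get "$f" unknown_local_recipient_reject_code)
    [ "$v" = 550 ] || { echo "unknown_local_recipient_reject_code=${v:-unset}: want 550"; n=$((n + 1)); }
    return "$n"
}

# write_sample_cf FILE good|weak: write a constructed main.cf for demonstration.
write_sample_cf() {
    if [ "$2" = good ]; then
        printf '%s\n' 'myhostname = mail.example.com' 'inet_interfaces = 127.0.0.1' \
            'smtpd_banner = $myhostname ESMTP $mail_name' \
            'mynetworks = 127.0.0.0/8, hash:/etc/postfix/mynetworks' \
            'unknown_local_recipient_reject_code = 550' > "$1"
    else
        printf '%s\n' 'myhostname = mail.example.com' 'inet_interfaces = all' \
            'smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)' \
            'mynetworks = 0.0.0.0/0' > "$1"
    fi
}

# Stand-alone demo on the constructed weak config (expect four findings).
tmp=$(mktemp); write_sample_cf "$tmp" weak; rc=0; audit_main_cf "$tmp" || rc=$?; echo "findings: $rc"; rm -f "$tmp"
```

Run it against the real file with `audit_main_cf /etc/postfix/main.cf`; a zero exit status means the four settings match what this page configures.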

Startup Postfix

First, check that the configuration files are valid. (If the command returns without printing anything, the configuration is valid.)

sudo postfix check

Make sure that there's an /etc/aliases.db file:

sudo newaliases

Start the Postfix daemons:

sudo /etc/init.d/postfix start

To make sure the daemons are running, you can check the process table:

ps auxw | grep postfix

This should show the 3 daemon processes. It should look something like this:

root     14126  0.0  0.2  3656 1328 ? Ss 22:04 0:00 /usr/lib/postfix/master
postfix  14129  0.0  0.2  2964 1096 ? S  22:04 0:00 pickup -l -t fifo -u -c
postfix  14130  0.0  0.2  2996 1116 ? S  22:04 0:00 qmgr -l -t fifo -u -c

Testing before adding other support packages

There are several things to test in the email system architecture.

  1. Make sure Postfix's SMTP daemon is listening:

    sudo netstat -nlp | grep -E ':25|Recv-Q'

    This should show the Postfix master process listening on port 25. In our configuration, it's listening only on local address 127.0.0.1.

  2. Test connecting to port 25 on the loopback interface:

    telnet localhost 25

    Make sure the banner looks OK, then type quit to close the connection.

  3. Test that you can send email out to the Internet:

    sendmail your_email@address.com <<EOF
    Subject: Testing outbound email.
    
    This is a test.
    EOF

    Make sure it's delivered. Check /var/log/mail.log.

  4. Test that you can send an email locally.

Notes

To completely wipe away the installation and configuration:

sudo apt-get purge postfix

The Postfix web site has a lot of good documentation.

The Debian install is chrooted by default.

To get a list of all the default configuration options, run postconf -d.

TODO

  • Enable inbound email for our domains.
    • Enable MSA (Mail Submission Agent) on port 587 for outbound emails from our domains.
  • Run through all the tests. (And develop more/better tests.)
  • We can probably allow (some admins) to view the /var/log/mail.log file without having to use sudo.
build/postfix.txt · Last modified: 2012/12/31 16:20 by Admin