- attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.
This article is based on Mail server. Its goal is to set up Postfix and explain what the basic configuration files do. Setup instructions are given for two delivery methods: local system users and virtual users.
Installation
Configuration
Refer to the developer's Postfix Basic Configuration. The default configuration files are located in /etc/postfix. Two very important files are:
- master.cf, which defines which Postfix services are enabled and how clients connect to them; see master(5)
- main.cf, the main configuration file; see postconf(5)
After changing the configuration files, reload the main service postfix.service.
Aliases
See the online man page aliases(5).
The aliases configuration file is /etc/postfix/aliases. You can specify aliases (sometimes called forwarders) in this file.
You will want to map all mail addressed to "root" to another account, since reading mail as root is not a good idea.
Uncomment the following line and replace you with the real account you want to use:
root: you
Once you have finished editing /etc/postfix/aliases, run the following postalias command:
postalias /etc/postfix/aliases
For later changes you can use:
newaliases
The ~/.forward file, for example /root/.forward, specifies the user to whom root's mail is forwarded, for example user@localhost:
/root/.forward
user@localhost
Local mail (system users)
To deliver mail only to local system users (that is, users that exist in /etc/passwd), update the following lines in /etc/postfix/main.cf (uncomment, change or add them):
myhostname = localhost
mydomain = localdomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
inet_interfaces = $myhostname, localhost
mynetworks_style = host
default_transport = error: outside mail is not deliverable
Leave all other settings unchanged. After completing this configuration, you may also want to set up some #Aliases, then #Start Postfix.
Virtual mail
With virtual mail, the mail accounts are not stored in the local system's /etc/passwd file; a database can be used to store the user accounts.
See Virtual user mail system with Postfix, Dovecot and Roundcube for a detailed description of how to set this up.
Check configuration
Run the postfix check command to check the configuration. It reports anything you may have written incorrectly in the configuration files.
Run postconf to view all configuration settings, and postconf -n to view only the settings that differ from the defaults.
Start Postfix
Run the newaliases command so that Postfix can run properly, then start postfix.service.
TLS
For more information, see Postfix TLS Support.
Secure SMTP (sending)
By default, Postfix/sendmail does not encrypt mail sent to other SMTP servers. To use TLS when it is available, add the following line to main.cf:
/etc/postfix/main.cf
smtp_tls_security_level = may
To force the use of TLS (in which case delivery fails if the remote server does not support it), change may to encrypt. Note that if this mail service is public (as opposed to an internal company service that is not reachable from the Internet), doing so violates RFC 2487, so consider it carefully.
Secure SMTP (receiving)
By default, Postfix will not accept secure mail.
To enable STARTTLS on SMTP (port 587, which is the correct way to secure SMTP), add the following lines to main.cf:
/etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_cert_file = /path/to/cert.pem
smtpd_tls_key_file = /path/to/key.pem
In master.cf, find and uncomment the following lines to enable the service on that port and set the correct configuration:
/etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
The smtpd_*_restrictions options remain commented out because the $mua_*_restrictions parameters are not defined in main.cf by default. If you decide to set any of the $mua_*_restrictions, uncomment those lines too.
If you need support for the deprecated SMTPS port 465, also follow the next section.
SMTPS (port 465)
The deprecated method of securing SMTP is wrapper mode, which uses the system service smtps as a non-standard service running on port 465.
To enable it, uncomment the following lines in master.cf:
/etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
The rationale for the $smtpd_*_restrictions lines is the same as above.
After this, verify that these lines are in /etc/services:
smtps 465/tcp # Secure SMTP
smtps 465/udp # Secure SMTP
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:
postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype
Tips and tricks
Blacklist incoming emails
Manually blacklisting incoming emails by sender address can easily be done with Postfix.
Create and open the file /etc/postfix/blacklist_incoming and append the sender email address:
user@example.com REJECT
Then use the postmap command to create a database:
# postmap hash:blacklist_incoming
Add the following code before the first permit rule in main.cf:
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming
Finally, restart postfix.service.
Hide the sender's IP and user agent in the Received header
This is mostly a privacy concern: if you use Thunderbird and send an email, the Received header will contain your LAN and WAN IP and information about the email client you used. (Original source: AskUbuntu) What we want to do is remove the Received header from outgoing emails. This can be done with the following steps:
Add the following line to main.cf:
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
Create /etc/postfix/smtp_header_checks with this content:
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
Finally, restart postfix.service.
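To see what the two IGNORE rules above actually remove, the following shell script is an added example (it is not Postfix code and not part of this page's original content). It re-implements the IGNORE action on a constructed sample message: like Postfix, it treats a header together with its folded continuation lines as one unit and stops at the first blank line, so lines in the body that happen to start with "Received:" are left alone. The addresses, host names and queue id in the sample are made up.

```shell
# Constructed sample: a message as a MUA on a LAN might submit it.
# All names, addresses and the queue id are invented for this example.
sample_message() {
    cat <<'EOF'
Received: from [192.168.1.23] (gateway.example.net [203.0.113.5])
    by mail.example.net (Postfix) with ESMTPSA id CONSTRUCTED1
    for <bob@example.org>; Mon, 01 Jan 2024 10:00:00 +0000 (UTC)
From: alice@example.net
To: bob@example.org
Subject: hello
User-Agent: Mozilla Thunderbird
Date: Mon, 01 Jan 2024 10:00:00 +0000

Received: this line is in the body and must survive
User-Agent: so must this one
EOF
}

# apply_header_ignore: read a message on stdin and drop every logical header
# matched by the two IGNORE patterns from /etc/postfix/smtp_header_checks.
# A header plus its folded continuation lines (lines starting with whitespace)
# is treated as one unit; processing stops at the first blank line, so the
# body is never touched.
apply_header_ignore() {
    awk '
        BEGIN { in_header = 1; skipping = 0 }
        !in_header        { print; next }
        /^$/              { in_header = 0; print; next }
        /^[ \t]/          { if (!skipping) print; next }
        /^Received: / || /^User-Agent: / { skipping = 1; next }
                          { skipping = 0; print }
    '
}

# header_count NAME: number of lines starting with "NAME:" in the filtered
# sample message (grep -c prints 0 and exits 1 when nothing matches).
header_count() {
    sample_message | apply_header_ignore | grep -c "^$1:" || true
}

# Show the filtered message when run directly.
sample_message | apply_header_ignore
```

Running the script prints the sample message with the Received and User-Agent headers gone (including the two indented continuation lines of Received) while the two look-alike lines in the body remain, which is exactly the effect the regexp table has on outgoing mail.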
Postfix in a chroot jail
Postfix is not put in a chroot jail by default. The Postfix documentation [1] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.
First, go into the master.cf file in the directory /etc/postfix and change all the chroot entries to 'yes' (y) except for the services qmgr, proxymap, proxywrite, local, and virtual.
Second, create two functions that will help us later with copying files over into the chroot jail (see last step):
CP="cp -p"

cond_copy() {
  # find files as per pattern in $1
  # if any, copy to directory $2
  dir=`dirname "$1"`
  pat=`basename "$1"`
  lr=`find "$dir" -maxdepth 1 -name "$pat"`
  if test ! -d "$2" ; then exit 1 ; fi
  if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
}
Next, make the new directories for the jail:
set -e
umask 022

POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
cd ${POSTFIX_DIR}

mkdir -p etc lib usr/lib/zoneinfo
test -d /lib64 && mkdir -p lib64
Find the localtime file:
lt=/etc/localtime
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi
rm -f etc/localtime
Copy localtime and some other system files into the chroot's etc:
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc
ln -s -f /etc/localtime usr/lib/zoneinfo
Copy the required libraries into the chroot using the previously created function cond_copy:
cond_copy '/usr/lib/libnss_*.so*' lib
cond_copy '/usr/lib/libresolv.so*' lib
cond_copy '/usr/lib/libdb.so*' lib
And do not forget to reload Postfix.
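Since a wrong value in the chroot column of master.cf (the fifth field of each service line) breaks delivery for exactly the services listed in the first step, it is worth checking the edited file before reloading. The following script is an added example, not part of the Postfix chroot-setup script or of this page's original content: it prints the chroot flag of every service and flags those from the must-not-chroot list that were nevertheless set to y. The master.cf excerpt it checks is a constructed sample written to a temporary file; point the functions at /etc/postfix/master.cf to audit a real installation.

```shell
# Services that the chroot setup above says must stay outside the jail.
NO_CHROOT_SERVICES="qmgr proxymap proxywrite local virtual"

# chroot_audit FILE: print "service type chroot-flag" for every service
# entry in a master.cf. Comment lines, blank lines and "-o" continuation
# lines (which start with whitespace) are skipped; field 5 is the chroot
# column, so "-" is reported literally (it means "use the default").
chroot_audit() {
    awk '!/^[ \t#]/ && NF >= 8 { print $1, $2, $5 }' "$1"
}

# chroot_violations FILE: names of services that must not be chrooted but
# whose chroot flag is "y".
chroot_violations() {
    chroot_audit "$1" | while read -r name type flag; do
        case " $NO_CHROOT_SERVICES " in
            *" $name "*)
                if [ "$flag" = y ]; then echo "$name"; fi
                ;;
        esac
    done
}

# Constructed master.cf excerpt (not a real installed file): most services
# chrooted as the guide says, but qmgr was chrooted by mistake.
sample_master_cf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       y       300     1       qmgr
proxymap  unix  -       -       n       -       -       proxymap
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
EOF
    echo "$f"
}

# Run on the sample when executed directly.
sample=$(sample_master_cf)
echo "chroot flags:"
chroot_audit "$sample"
echo "services chrooted although they must not be:"
chroot_violations "$sample"
rm -f "$sample"
```

On the sample the audit lists eight services and the violation check prints only qmgr. The check deliberately does not interpret "-": whether that means chrooted depends on the Postfix version's default, so an explicit y or n per service, as the first step asks for, is the unambiguous choice.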
DANE (DNSSEC)
Resource Record
DANE supports several types of records; however, not all of them are usable in Postfix.
Certificate usage 0 is unsupported, 1 is mapped to 3, and 2 is optional; thus it is recommended to publish a "3" record. More on Resource Records.
Configuration
Opportunistic DANE is configured as follows:
/etc/postfix/main.cf
smtpd_use_tls = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
/etc/postfix/master.cf
dane      unix  -       -       n       -       -       smtp
  -o smtp_dns_support_level=dnssec
  -o smtp_tls_security_level=dane
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com, use something like this:
/etc/postfix/main.cf
indexed = ${default_database_type}:${config_directory}/
#
# Per-destination TLS policy
#
smtp_tls_policy_maps = ${indexed}tls_policy
#
# default_transport = smtp, but some destinations are special:
#
transport_maps = ${indexed}transport
transport
example.com dane
example.org dane
tls_policy
example.com dane-only
To make DANE mandatory for all destinations instead, set smtp_tls_security_level to dane-only. Be aware that this makes Postfix tempfail (respond with a 4.X.X error code) on all deliveries that do not use DANE at all! Full documentation is found here.
Extras
- PostfixAdmin — A web-based administrative interface for Postfix.
Postgrey
Postgrey can be used to enable greylisting for a Postfix mail server.
Installation
Install the postgrey package. To get it running quickly, edit the Postfix configuration file and add these lines:
/etc/postfix/main.cf
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10030
Then start/enable the postgrey service. Afterwards, reload the postfix service. Greylisting should now be enabled.
Configuration
Configuration is done by editing the postgrey.service file. First copy it over so that you can edit it:
# cp /usr/lib/systemd/system/postgrey.service /etc/systemd/system/
Whitelisting
To add automatic whitelisting (successful deliveries are whitelisted and do not have to wait any more), you could add the --auto-whitelist-clients=N option and replace N with a suitably small number (or leave it at its default of 5).
The preferred method, however, is a drop-in override:
/etc/systemd/system/postgrey.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \
    --pidfile=/run/postgrey/postgrey.pid \
    --group=postgrey --user=postgrey \
    --daemonize \
    --greylist-text="Greylisted for %%s seconds" \
    --auto-whitelist-clients
To add your own list of whitelisted clients in addition to the default ones, create the file /etc/postfix/whitelist_clients.local and enter one host or domain per line, then restart postgrey.service so the changes take effect.
Troubleshooting
If you specify --unix=/path/to/socket and the socket file is not created, ensure you have removed the default --inet=127.0.0.1:10030 from the service file.
For full documentation of the possible options see perldoc postgrey.
SpamAssassin
This section describes how to integrate SpamAssassin.
SpamAssassin stand-alone generic setup
Edit /etc/postfix/master.cf and add the content filter under smtp:
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
Also add the following service entry for SpamAssassin:
spamassassin unix -     n       n       -       -       pipe
  flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}
Now you can start and enable spamassassin.service.
SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering)
Set up LDA and the Sieve plugin as described in Dovecot#Sieve, but ignore the last line mailbox_command...
Instead, add a pipe in /etc/postfix/master.cf:
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
And activate it in /etc/postfix/main.cf:
virtual_transport = dovecot
SpamAssassin combined with Dovecot LMTP / Sieve
Set up LMTP and Sieve as described in Dovecot#Sieve.
Edit /etc/dovecot/conf.d/90-plugins.conf and add:
sieve_before = /etc/dovecot/sieve.before.d/
sieve_extensions = +vnd.dovecot.filter
sieve_plugins = sieve_extprograms
sieve_filter_bin_dir = /etc/dovecot/sieve-filter
sieve_filter_exec_timeout = 120s  # this is often needed for the long-running SpamAssassin scans; the default is otherwise 10s
Create the directory and put spamassassin in it as a binary that can be run by Dovecot:
# mkdir /etc/dovecot/sieve-filter
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc
Create a new file, /etc/dovecot/sieve.before.d/spamassassin.sieve, which contains:
require [ "vnd.dovecot.filter" ];
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];
Compile the sieve rules into spamassassin.svbin:
# cd /etc/dovecot/sieve.before.d
# sievec spamassassin.sieve
Finally, restart dovecot.service.
Rule-based mail processing
With policy services one can easily fine-tune Postfix's mail delivery behaviour. postfwd and policyd (AUR) provide services to do so. This allows you to, for example, implement time-aware grey- and blacklisting of senders and receivers as well as SPF policy checking.
Policy services are standalone services and are connected to Postfix like this:
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service unix:/run/policyd.sock
    check_policy_service inet:127.0.0.1:10040
Placing policy services at the end of the restriction list reduces load, as only mail that passed the earlier checks is processed by them. Be sure to place them before the first permit statement so that all incoming messages are caught.
Sender Policy Framework
To use the Sender Policy Framework with Postfix, install python-postfix-policyd-spf (AUR).
Edit /etc/python-policyd-spf/policyd-spf.conf to your needs. An extensively commented version can be found at /etc/python-policyd-spf/policyd-spf.conf.commented.
Pay some extra attention to the HELO check policy, as the standard settings strictly reject HELO failures.
In main.cf, add a timeout for the policyd:
/etc/postfix/main.cf
policy-spf_time_limit = 3600s
Then add a transport:
/etc/postfix/master.cf
policy-spf  unix  -       n       n       -       0       spawn
    user=nobody argv=/usr/bin/policyd-spf
Lastly, you need to add the policyd to smtpd_recipient_restrictions. To minimize load, put it at the end of the restrictions but above any reject_rbl_client DNSBL line:
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
You can test your setup with the following:
/etc/python-policyd-spf/policyd-spf.conf
defaultSeedOnly = 0
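The position of a check_* entry inside smtpd_recipient_restrictions decides who gets checked: Postfix evaluates the list in order and stops at the first permit or reject that matches, so a check placed after permit_mynetworks never sees mail from your own networks. That is intended for the SPF policy above (authenticated and local clients skip it) and unwanted for the #Blacklist incoming emails and #Rule-based mail processing checks, which the page asks you to place before the first permit. The following shell function is an added example (not part of this page's original content or of Postfix) that takes a restriction list as a string and reports, for each check_* entry, which earlier permit_* entries let clients bypass it; the three lists it is run on are the ones from this page.

```shell
# restriction_bypass LIST: LIST is the value of smtpd_recipient_restrictions
# as one string (entries separated by whitespace and/or commas; a "..."
# placeholder is simply ignored). Every check_* restriction takes one
# argument (a lookup table or policy server), so the token following it is
# printed together with it. For each check, the permit_* entries that come
# before it in the list are reported: clients matched by one of those
# permits are accepted before the check runs and therefore skip it.
restriction_bypass() {
    permits=""
    pending=""
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ -n "$pending" ]; then
            # tok is the argument of the check_* restriction seen just before
            echo "$pending $tok: bypassed by ${permits:-none}"
            pending=""
            continue
        fi
        case "$tok" in
            permit_*) permits="${permits:+$permits }$tok" ;;
            check_*)  pending="$tok" ;;
        esac
    done
}

# The three restriction lists used on this page.
SPF_LIST="permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy-spf"
BLACKLIST_LIST="check_sender_access hash:/etc/postfix/blacklist_incoming, permit_mynetworks, reject_unauth_destination"
POLICYD_LIST="... check_policy_service unix:/run/policyd.sock check_policy_service inet:127.0.0.1:10040"

restriction_bypass "$SPF_LIST"
restriction_bypass "$BLACKLIST_LIST"
restriction_bypass "$POLICYD_LIST"
```

For the SPF list the output names permit_sasl_authenticated and permit_mynetworks as the entries that skip the SPF check, which is the intended behaviour; for the blacklist and the policy-service lists it reports "bypassed by none", confirming that every client is subject to those checks. Run it on the output of postconf smtpd_recipient_restrictions (with the parameter name stripped) to audit a live configuration.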
Sender Rewriting Scheme
To use the Sender Rewriting Scheme with Postfix, install postsrsd (AUR) and adjust the settings:
/etc/postsrsd/postsrsd
SRS_DOMAIN=yourdomain.tld
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld
SRS_SEPARATOR==
SRS_SECRET=/etc/postsrsd/postsrsd.secret
SRS_FORWARD_PORT=10001
SRS_REVERSE_PORT=10002
RUN_AS=postsrsd
CHROOT=/usr/lib/postsrsd
Enable and start the daemon, making sure it runs after a reboot as well. Then configure Postfix accordingly by tweaking the following lines:
/etc/postfix/main.cf
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient
Restart Postfix and start forwarding mail.
Troubleshooting
Warning: "database /etc/postfix/*.db is older than source file .."
If you get one or both of these warnings in journalctl:
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport
then you can fix them with the following commands, depending on the messages you get:
postmap /etc/postfix/transport
postmap /etc/postfix/virtual
and restart postfix.service.
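The warning is raised whenever a lookup table's source file has a newer modification time than its compiled .db, which happens after editing any of the maps on this page (transport, virtual, tls_policy, blacklist_incoming, or the aliases file from #Aliases). The following shell function is an added example, not part of this page's original content or of Postfix: it walks a configuration directory, finds every .db that is older than its source, and prints the rebuild command (postalias for the aliases map, postmap for everything else). The directory it is run on here is a constructed temporary fixture; call stale_maps /etc/postfix to check a real installation.

```shell
# stale_maps DIR: for every FILE.db in DIR whose source FILE is newer than
# the database, print the command that rebuilds it. The aliases map is
# compiled with postalias/newaliases, all other maps with postmap.
stale_maps() {
    for db in "$1"/*.db; do
        [ -f "$db" ] || continue          # no *.db files at all
        src=${db%.db}
        [ -f "$src" ] || continue         # .db without a source: nothing to rebuild
        if [ "$src" -nt "$db" ]; then
            case "$(basename "$src")" in
                aliases) echo "postalias $src" ;;
                *)       echo "postmap $src" ;;
            esac
        fi
    done
}

# Constructed fixture: a temporary directory standing in for /etc/postfix
# with two stale maps (aliases, transport) and one up-to-date map (virtual).
sample_postfix_dir() {
    d=$(mktemp -d)
    printf 'root: you\n' > "$d/aliases"
    printf 'example.com dane\n' > "$d/transport"
    printf 'example.org dane\n' > "$d/virtual"
    : > "$d/aliases.db"
    : > "$d/transport.db"
    : > "$d/virtual.db"
    # push the two databases and the virtual source back in time, so the
    # aliases and transport sources are newer than their .db files
    touch -t 202001010000 "$d/aliases.db" "$d/transport.db" "$d/virtual"
    echo "$d"
}

# Run on the fixture when executed directly.
dir=$(sample_postfix_dir)
stale_maps "$dir"
rm -rf "$dir"
```

On the fixture this prints a postalias line for aliases and a postmap line for transport, and nothing for virtual. Reloading postfix.service after running the printed commands is still required, as the section above says.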
See also
- Official documentation
- Postfix Ubuntu documentation
- Out of Office for Squirrelmail