Setting up a Postfix mail server
Posted on 12-02-2005 03:33:00 UTC | Updated on 12-02-2005 03:33:00 UTC
Section: /software/postfix/

Postfix is a free, simple, and secure MTA (e-mail server). It has been ported to most Unixes and its configuration files are the same across all platforms. It is Sendmail compatible also. The install below is for OpenBSD 3.8 using Postfix version 2.3. Any of the config files below could be used on any other type of Unix that Postfix has been ported to. Paths, mail_owner, setgid_group, etc. will have to be changed to the local system's settings.

I'll leave it up to you to put in the MX records in DNS for this mail server's hostname. If this will be your only mail server then you don't need an MX record. If a sending mail server finds no MX record for the destination domain, it falls back to using the A record for that host. An MX record is best practice though.

A quick description of what Postfix does when it receives mail. Postfix will be started and listen on port 25 by default. If you have a firewall, open port 25. Postfix will eventually receive a connection from another mail server on port 25. It will process the e-mail (header and body checks, real-time blacklists, RFC compliance, etc.) and if all of our checks pass it is handed off to procmail for delivery. Procmail is a mail delivery agent (MDA). Procmail will take the e-mail, do any processing it has been told to do (.procmailrc scripts) and place the e-mail into the user's mailbox.

Install the latest Postfix and Procmail. For this install example it will be for OpenBSD 3.8.

pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/postfix-2.3.20050716.tgz
pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/procmail-3.22p0.tgz

Now that the software is installed we need to set up the config files. The config files are listed below. Edit to your configuration needs.

The first file is OpenBSD's startup file, /etc/rc.conf. Edit this file and change the lines already in it to look like the lines below. The first line will start Postfix when the system boots. The second line will open a socket for Postfix logging inside the chroot.

sendmail_flags="-bd -q30m"
syslogd_flags="-a /var/spool/postfix/dev/log"

This Postfix setup will be used on a server that will not deliver outbound mail itself but will forward its mail to another mail server to deliver it. On this host the mail is sent to what is called a relay host (smarthost). I believe if you leave relayhost blank Postfix will deliver the mail itself. Check your /etc/aliases file and be sure to set up aliases that send mail for root and postmaster to a real person, then run /usr/local/sbin/newaliases. To set up Postfix as the primary mailer on the system run: /usr/local/sbin/postfix-enable. To put it back to sendmail run: /usr/local/sbin/postfix-disable. Make sure to change the myorigin/mydestination/mynetworks sections below to your configuration needs.

For procmail to deliver the mail it will need access to the /var/mail directory. Procmail will run as the recipient user to deliver the mail. It will try to place the mail in a file named after the user's account name on the system. You might have to create this file and give it the correct permissions before procmail will deliver the mail to it. If mail is not being delivered, check the mail logfile or the system log file. If it mentions procmail and a permissions problem, try these commands as root: "touch /var/mail/username" then "chown username.wheel /var/mail/username" then "chmod 600 /var/mail/username".

Put the settings below in the file /etc/postfix/main.cf. Remember the config below is for OpenBSD, so the directory settings are set for OpenBSD. So are the mail_owner and setgid_group settings. You will need to change these to what your install is using. If you're using OpenBSD then you will be OK unless something has changed in later versions. Also be aware of the SMTP restrictions area at the bottom. I use these settings to cut down on my spam considerably. They are not conservative by any means, so you will have to try them yourself.

### see /usr/share/postfix/main.cf.dist for a commented, fuller
### version of this file.

### Do not change these directory settings - they are critical to Postfix
### operation.
biff = no
recipient_delimiter = +
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
program_directory = /usr/local/libexec/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

### No one needs to know what we run. So I'll give them this.
mail_name = mail.yourdomain.org
smtpd_banner = ESMTP $mail_name

### Who delivers the mail (never root for security).
mail_owner = _postfix
setgid_group = _postdrop

### appending .domain should be the MUA's job.
append_dot_mydomain = no
append_at_myorigin = yes

### Relay Host this mail server should send its mail to if need be.
relayhost = smtp.yourisp.net

### Valid hostname of this system known as the mail server (must be a fqdn !)
### What other mailservers see us as.
myhostname = mail.yourdomain.org

### The mydestination parameter specifies what domains this machine will deliver locally, instead
### of forwarding to another machine. The default is to receive mail for the machine itself.
mydestination = yourdomain.org, blah.yourdomain.com, $myhostname, localhost.localdomain, localhost

### maps for virtual domains
virtual_alias_maps = hash:/etc/postfix/virtual

### External Networks to accept RELAYED mail from.
mynetworks = 192.168.0.0/24, 127.0.0.0/8

### Where to send mail that is delivered locally.
mailbox_command = procmail -a "$EXTENSION"

### How much of the message in bytes will be bounced back to the sender.
bounce_size_limit = 2000

### No limit on mailbox size.
mailbox_size_limit = 0

### Limit sent/received emails to 100 Megs "(header+body+attachment)x(mime-encoding) <= 100 meg"
message_size_limit = 102400000

### How long do messages stay in the queue before being sent back to the sender. (in days)
### By default, postfix attempts to resend the message every (1000 secs)x(# attempts)x(days).
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d

### Parallel delivery limits (local=2 and dest=20 are the defaults)
local_destination_concurrency_limit = 2
initial_destination_concurrency = 10
default_destination_concurrency_limit = 50

### Limits the mail inflow to 100 messages per second above the number of messages delivered per second.
in_flow_delay = 1s

### Clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
smtpd_helo_required = yes

### No one needs to ask our server who is on it. If you do, you get smacked with the tarpit and then an error.
disable_vrfy_command = yes

### Wait until RCPT TO: before evaluating the client/helo/sender restrictions below, so the
### reject is logged with the full envelope (this is the Postfix default; "no" rejects earlier).
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 2
smtpd_hard_error_limit = 5
smtpd_junk_command_limit = 3

### Require strict RFC 821-style envelope addresses
strict_rfc821_envelopes = yes

### Limit the info given to outside servers
show_user_unknown_table_name = no

### Message Limitations. Uncomment and use if needed.
#header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks

### Reject codes
access_map_reject_code = 554
defer_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
non_fqdn_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554

### SMTP Restrictions
smtpd_client_restrictions = permit_mynetworks,
                            reject_unknown_client,
                            check_client_access regexp:/etc/postfix/client_restrictions

smtpd_helo_restrictions = permit_mynetworks,
                          reject_non_fqdn_hostname,
                          check_helo_access hash:/etc/postfix/access,
                          warn_if_reject reject_invalid_hostname

smtpd_etrn_restrictions = permit_mynetworks,
                          reject

smtpd_sender_restrictions = permit_mynetworks,
                            reject_non_fqdn_sender,
                            reject_unknown_sender_domain,
                            reject_unknown_address

smtpd_recipient_restrictions = reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               permit_mynetworks,
                               reject_unauth_destination,
                               reject_multi_recipient_bounce,
                               reject_non_fqdn_hostname,
                               reject_invalid_hostname,
                               reject_unknown_client,
                               warn_if_reject reject_unknown_hostname,
                               reject_unauth_pipelining,
                               reject_rhsbl_sender dsn.rfc-ignorant.org,
                               reject_rhsbl_sender bogusmx.rfc-ignorant.org,
                               reject_rbl_client bl.spamcop.net,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               reject_rbl_client list.dsbl.org,
#                              reject_unverified_sender
                               permit

smtpd_data_restrictions = reject_unauth_pipelining,
                          reject_multi_recipient_bounce,
                          permit

########################## END #########################################

Client restrictions for Postfix. Put these settings in the file /etc/postfix/client_restrictions. Edit to your needs or just don't use them. Comment out the check_client_access line in main.cf if you don't use these.

# List taken from http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
# To test the regular expressions below use "grep -e" from the command line. If you see the hostname echoed, the regex matched.
# For example:  echo 'blah.hotmail.com' | grep -e '\.hotmail\.com$'

### WHITE LIST ###

/\.amazon\.com$/                OK
/\.dell\.com$/                  OK
/\.ibm\.com$/                   OK
/\.yahoo\.com$/                 OK
/\.hotmail\.com$/               OK
/\.paypal\.com$/                OK

# mc1-s3.bay6.hotmail.com, etc.
/\.bay[0-9]+\.hotmail\.com$/                    OK

# Whitelist Examples
#
# h04-a1.data-hotel.net, etc.
# /\.data-hotel\.net$/                            OK
#
# web10902.mail.bbt.yahoo.co.jp
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/       OK
#
# web35509.mail.mud.yahoo.com
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.com$/          OK
#
# c151240.vh.plala.or.jp
# /\.vh\.plala\.or\.jp$/                          OK
#
# n2.59-106-41-68.mixi.jp, etc.
# /\.mixi\.jp$/                                   OK
#
# mta12.m2.home.ne.jp, etc.
# /\.m2\.home\.ne\.jp$/                           OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
# /\.softbank\.ne\.jp$/                           OK
#
# imt1omta04-s0.ezweb.ne.jp, etc.
# /\.ezweb\.ne\.jp$/                              OK
#
# bay-w1-inf5.verisign.net
# benicia-w2-inf30.verisign.net
# /\.verisign\.net$/                              OK
#
# web10902.mail.bbt.yahoo.co.jp
#/^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/       OK
#
# ip address
# /^202\.222\.18\.17$/                           OK


### BLACK LIST ###

/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/          450 domain check tpnet
/^user.+\.mindspring\.com$/                     450 domain check mind
/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/              450 domain check pppool
/\.dip\.t-dialin\.net$/                         450 domain check t-dialin
/\.(adsl|cable)\.wanadoo\.nl$/                  450 domain check wanadoo
/\.ipt\.aol\.com$/                              450 domain check aol
# 85.155.10.73.dyn.user.ono.com
/\.user\.ono\.com$/                             450 domain check ono

# Blacklist Examples
#
# pr86.internetdsl.tpnet.pl
# fq217.neoplus.adsl.tpnet.pl
# pa148.braniewo.sdi.tpnet.pl
#/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/          450 domain check
#
# user-0cetcbr.cable.mindspring.com
# user-vc8fldi.biz.mindspring.com
#/^user.+\.mindspring\.com$/                     450 domain check
#
# c9531ecc.virtua.com.br (hexadecimal used)
#/^[0-9a-f]{8}\.virtua\.com\.br$/                450 domain check
#
# catv-5984bdee.catv.broadband.hu (hexadecimal used)
#/\.catv\.broadband\.hu$/                        450 domain check
#
# Edc3e.e.pppool.de
# BAA1408.baa.pppool.de
#/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/              450 domain check
#
# xdsl-5790.lubin.dialog.net.pl
#/^xdsl.+\.dialog\.net\.pl$/                     450 domain check
#
# pD9EB80CB.dip0.t-ipconnect.de (hexadecimal used)
#/\.dip[0-9]+\.t-ipconnect\.de$/                 450 domain check
#
# pD9E799A1.dip.t-dialin.net (hexadecimal used)
#/\.dip\.t-dialin\.net$/                         450 domain check
#
# ool-43511bdc.dyn.optonline.net (hexadecimal used)
#/\.dyn\.optonline\.net$/                        450 domain check
#
# rt-dkz-1699.adsl.wanadoo.nl
# c3eea5738.cable.wanadoo.nl (hexadecimal used)
#/\.(adsl|cable)\.wanadoo\.nl$/                  450 domain check
#
# ACBBD419.ipt.aol.com (hexadecimal used)
#/\.ipt\.aol\.com$/

### Generic Block ###
/^(pool|cable|dhcp|dialup|ppp|adsl)[^.]*[0-9]/             450 checking dynamic isp

#Generic Examples
#
# ex: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9]/                      450 S25R check1
#
# ex: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/                                450 S25R check2
#
# ex: 398pkj.cm.chello.no
# ex: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/       450 S25R check3
#
# ex: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/                 450 S25R check4
#
# ex: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./          450 S25R check5
#
# ex: dhcp0339.vpm.resnet.group.upenn.edu
# ex: dialupM107.ptld.uswest.net
# ex: PPPbf708.tokyo-ip.dti.ne.jp
# ex: adsl-1415.camtel.net
# /^(dhcp|dialup|ppp|adsl)[^.]*[0-9]/             450 S25R check
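The grep test above checks one pattern at a time; the script below is an added example (not part of the original post) that emulates the lookup Postfix performs on a regexp: access table, walking a constructed excerpt of the table above in file order with grep -E. The client hostnames and the table excerpt are constructed for the demo and not taken from real logs, and the "/.../" delimiters of the real table format are dropped for simplicity.

```shell
#!/bin/sh
# Emulate a Postfix regexp: access table lookup with grep -E. Postfix regexp:
# tables use POSIX extended regexes, matched case-insensitively by default,
# and the first matching line wins. That ordering is why the whitelist has
# to sit above the generic S25R rules: a legitimate host can look "dynamic".

# Constructed excerpt of /etc/postfix/client_restrictions, in file order.
# Same layout as the real table: pattern, whitespace, action.
TABLE='
# whitelist
\.hotmail\.com$                 OK
\.bay[0-9]+\.hotmail\.com$      OK
# blacklist
\.ipt\.aol\.com$                450 domain check aol
# generic block
^(pool|cable|dhcp|dialup|ppp|adsl)[^.]*[0-9]   450 checking dynamic isp
^[^.]*[0-9][^0-9.]+[0-9]        450 S25R check1
^[^.]*[0-9]{5}                  450 S25R check2
'

# The same generic rules with no whitelist in front of them, to show what
# happens to a hotmail relay when the ordering is wrong.
S25R_ONLY='
^[^.]*[0-9][^0-9.]+[0-9]        450 S25R check1
^[^.]*[0-9]{5}                  450 S25R check2
'

# lookup HOSTNAME TABLE: print the action of the first matching line, or
# DUNNO when nothing matches (Postfix then moves on to the next restriction).
lookup() {
  host=$1
  result=$(printf '%s\n' "$2" | while read -r pattern action; do
    case $pattern in ''|\#*) continue ;; esac      # skip blanks and comments
    if printf '%s\n' "$host" | grep -Eiq -- "$pattern"; then
      printf '%s\n' "$action"
      break                                        # first match wins
    fi
  done)
  printf '%s\n' "${result:-DUNNO}"
}

# Constructed client hostnames; the last two are shaped like the post's examples.
for h in smtp.example.com \
         mc1-s3.bay6.hotmail.com \
         ACBBD419.ipt.aol.com \
         pool-71-126-1-2.example-isp.net \
         pcp04083532pcs.levtwn01.pa.comcast.net; do
  printf '%-42s -> %s\n' "$h" "$(lookup "$h" "$TABLE")"
done
printf '%-42s -> %s  (no whitelist)\n' mc1-s3.bay6.hotmail.com \
  "$(lookup mc1-s3.bay6.hotmail.com "$S25R_ONLY")"
```

The real table is best tested with "postmap -q hostname regexp:/etc/postfix/client_restrictions" once Postfix is installed; this script only reproduces the matching order for offline checks.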

Header checks for Postfix. Put these settings in the file /etc/postfix/header_checks. Edit to your needs or just don't use them. Uncomment the header_checks line in main.cf if you do use them, and leave it commented if you don't.

#### Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks

#### non-RFC Compliance
/[^[:print:]]{7}/  REJECT RFC2047
/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT RFC822
/(.*)?\{6,\}/ REJECT RFC822
/(.*)[X|x]\{3,\}/ REJECT RFC822

#### Unreadable non-ASCII / unprintable text
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable

#### Subject checks
/^Subject:.*      / REJECT Space
/^Subject:.*r[ _\.\*\-]+o[ _\.\*\-]+l[ _\.\*\-]+e[ _\.\*\-]+x/ REJECT Hidden Words
/^Subject:.*p[ _\.\*\-]+o[ _\.\*\-]+r[ _\.\*\-]+n/ REJECT Hidden Words

#### Character Set Checks
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)\?/ REJECT Bad Content Type

#### Attachments
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/ REJECT Bad Attachment .${3}

#### Backscatter mail from virus scanners
/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification

#### Known Spammers or Unsolicited Commercial Email
/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*constantcontact.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
#/^From:.*163.com/ REJECT Blacklisted

Body checks for Postfix. Put these settings in the file /etc/postfix/body_checks. Edit to your needs or just don't use them. Uncomment the body_checks line in main.cf if you do use them, and leave it commented if you don't.

# Postfix body_checks
# /etc/postfix/body_checks

#### General body checks. Uncomment and change examples if needed.
#/http:\/\/.*\.info/ REJECT dotinfo
#/lottery/ REJECT lottery
#/Viagra/ REJECT viagra
#/Cialis/ REJECT cialis
#/Valium/ REJECT valium
#/Xanax/ REJECT xanax
#/Tramadol/ REJECT tramadol

HELO checks for Postfix. Put the names and IPs of your own mail server in the file /etc/postfix/helo_access. No legitimate sender should ever give a HELO with the name of this server or its IP address (the example uses 1.1.1.1). Note that the main.cf above references this table as hash:/etc/postfix/access; use the same path in both places, and since it is a hash: table run "postmap" on it after editing. Not a must, but the more filters the better. Comment out the check_helo_access line in main.cf if you don't use these.

localhost                       REJECT 554 misconfigured sender
mail.yourservername.org         REJECT 554 misconfigured sender
1.1.1.1				REJECT 554 misconfigured sender

Alias file for Postfix. Put these settings in the file /etc/aliases. Edit to your needs. It is the system-wide mechanism to redirect mail for local recipients. You will need to use this.

# Don't forget to run the command "newaliases" after editing this file!
postmaster:     root
abuse:          root
root:		username1
#bob:		username2
#everyone:	username1,username2
#roger:		roger@domainnothere.net

This is the virtual file for Postfix. Put these settings in the file /etc/postfix/virtual. Edit to your needs. The virtual file is designed for virtual mail hosting services. If you have virtual domains put them here. Mail is delivered by the virtual delivery agent in Postfix. Virtual alias lookups are useful to redirect mail for virtual alias domains to real user mailboxes, and to redirect mail for domains that no longer exist. Virtual alias lookups can also be used to transform Firstname.Lastname back into UNIX login names, although local aliases may be better for that. Don't forget to run the command "postmap /etc/postfix/virtual" after editing this file.

#The left hand side are virtual e-mail aliases. The right hand side
#are local system login names or names that reference the alias file.
#After editing this file run the command: postmap /etc/postfix/virtual

# example1.org                username
bobby@example1.org            bob
abuse@example1.org            roger
postmaster@example1.org       bob

# example2.org                  username
robert@example2.org             bob
roger@example2.org		roger
abuse@example2.org              roger
postmaster@example2.org         bob

You can start Postfix with the "postfix start" command. It should start if you set up all your paths and configs correctly. If not, check the mail log file. OpenBSD's is /var/log/mail. Other systems use this also, so look in it for any errors. That's it. You should be close to rolling. There are some hints and tips below to check out.

Check out a perl script called pflogsumm. It will e-mail you very helpful Postfix stats everyday. Fantastic program.

Here is a list of some helpful Postfix commands that I don't want to forget. They are below with comments.

postfix start           # start postfix
postfix stop            # stop postfix
postfix reload          # reload postfix, e.g. after changing the main.cf file
mailq                   # see what mail is in the mail queue. same as command: postqueue -p
postqueue -f            # do a mail queue run and try to deliver the mail in the queue
postqueue -s site       # do a queue run for a certain "site" (domain)
postsuper -d queue_id   # delete a specific message from the mail queue by its id
postsuper -d ALL        # delete all mail from the mail queue
postsuper -h queue_id   # put a message in the mail queue on hold
postsuper -H queue_id   # take a message off hold
postconf                # shows you all the parameters (settings) of the running postfix
