pantz.org banner
Setting up a Postfix mail server
Posted on 12-02-2005 03:33:00 UTC | Updated on 12-02-2005 03:33:00 UTC
Section: /software/postfix/ | Permanent Link

Postfix is a free, simple, and secure MTA (e-mail server). It has been ported to most Unixes and it's configuration files are the same across all platforms. It is Sendmail compatible also. The install below will be for OpenBSD 3.8 using Postfix version 2.3. Any of the config files below could be used on any other type of Unix that Postfix has been ported to. Paths, mailowner, setgid, etc will have to be changed to the local systems settings.

I'll leave it up to you to put in the mx records in DNS for this mail servers hostname. If this will be your only mail server then you don't need an MX record. If a mail server recieves an e-mail and there is no corresponding MX record for mail delivery it will default to using the A record for that host. A mx record is best practice though.

A quick description on what Postfix does when it recieves mail. Postfix will be started and listen on port 25 by default. If you have a firewall open port 25. Postfix will eventaully recieve a connection from another mail server on port 25. It will process the e-mail (header and body checks, real time blacklist, RFC compliance, etc) and if all of our checks pass it is handed off to procmail for delivery. Procmail is an mail delivery agent (MDA). Procmail will take the e-mail do any processing it has been told to do (.procmailrc scripts) and place the e-mail into the users mailbox.

Install the latest Postfix and Procmail. For this install example it will be for OpenBSD 3.8.

pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/postfix-2.3.20050716.tgz
pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/procmail-3.22p0.tgz

Now that the software is installed we need to setup the config files. The config files will be listed below. Edit to your configuration needs.

First file is OpenBSD's startup file. It's in /etc/rc.conf. Edit this file and change the lines in it already to look like the lines below. First line will start Postfix when the system boots. The second line will open a socket for Postfix logging.

sendmail_flags="-bd -q30m"
syslogd_flags="-a /var/spool/postfix/dev/log"

The postfix setup will be used on a server that will not deliver mail itself but will forward it's mail to another mail server to deliver it. On this host the mail is being sent to what is called a relay host (smarthost). I beleive if you leave this blank postfix will deliver the mail itself. Check your /etc/aliases file and be sure to set up aliases that send mail for root and postmaster to a real person, then run /usr/local/sbin/newaliases. To setup postfix as the primary mailer on the system run: /usr/local/sbin/postfix-enable. To put it back to sendmail run: /usr/local/sbin/postfix-disable. Make sure to change the myorigin/mydestination/mynetworks sections below to your configuration needs.

For procmail to deliver the mail it will need access to the /var/mail directory. Procmail will run as the user to deliver the mail. It will try to place the mail in a file with the users account name on the system. You might have to create this file and give it the correct permissions before procmail will deliver the mail to it. If mail is not being delivered right check the mail logfile or the system log file. If it mentions procmail and permissions blah blah blah then try these commands as root: "touch /var/mail/username" then "chown username.wheel /var/mail/username" then "chmod 600 /var/log/username".

Put the settings below in the file /etc/postfix/main.cf. Remember the config below is for OpenBSD so the directories settings are set for OpenBSD. So are the mail_owner and setgid_group settings. You will need to change these to what your install is using. If your using OpenBSD then you will be ok unless something has changed in later versions. Also be aware of the smtp restricitons area at the bottom. I use these settings to cut down on my spam considerably. They are not conserative by any means but you will have to try them yourself.

### see /usr/share/postfix/main.cf.dist for a commented, fuller
### version of this file.

### Do not change these directory settings - they are critical to Postfix
### operation.
biff = no
recipient_delimiter = +
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
program_directory = /usr/local/libexec/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

### No one needs to know what we run. So I'll give them this.
mail_name = mail.yourdomain.org
smtpd_banner = ESMTP $mail_name

### Who delivers the mail (never root for security).
mail_owner = _postfix
setgid_group = _postdrop

### appending .domain should be the MUA's job.
append_dot_mydomain = no
append_at_myorigin = yes

### Relay Host this mail server should send its mail to if need be.
relayhost = smtp.yourisp.net

### Valid hostname of this system known as the mail server (must be a fqdn !)
### What other mailservers see us as.
myhostname = mail.yourdomain.org

### The mydestination parameter specifies what domains this machine will deliver locally, instead
### of forwarding to another machine. The default is to receive mail for the machine itself.
mydestination = yourdomain.org,blah.yourdomain.com,$myhostname,localhost.localdomain, ,localhost

### maps for virtual domains
virtual_alias_maps = hash:/etc/postfix/virtual

### External Networks to accept RELAYED mail from.
mynetworks = 192.168.0.0/24, 127.0.0.0/8

### Where to send mail that is delivered locally.
mailbox_command = procmail -a "$EXTENSION"

### How much of the message in bytes will be bounced back to the sender.
bounce_size_limit = 2000

### No limit on mailbox size.
mailbox_size_limit = 0

### Limit sent/recieved emails to 100 Megs "(header+body+attachment)x(mime-encoding) <= 100 meg"
message_size_limit = 102400000

### How long do messages stay in the queue before being sent back to the sender. (in days)
### By default, postfix attempts to resend the message every (1000 secs)x(# attempts)x(days).
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d

### Parrallel delivery force (local=2 and dest=20 are default)
local_destination_concurrency_limit = 2
initial_destination_concurrency = 10
default_destination_concurrency_limit = 50

### Limits the mail inflow to 100 messages per second above the number of messages delivered per second.
in_flow_delay = 1s

###Clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
smtpd_helo_required = yes

### No one needs to ask our server who is on it. If you do, you get smacked with the tarpit and then an error.
disable_vrfy_command = yes

### Reject immediately. Do not delay until RCPT TO: to reject the email
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 2
smtpd_hard_error_limit = 5
smtpd_junk_command_limit = 3

### Require strict RFC 821-style envelope addresses
strict_rfc821_envelopes = yes

### Limit the info given to outside servers
show_user_unknown_table_name = no

### Message Limitations. Uncomment and use if needed.
#header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks

### Reject codes
access_map_reject_code = 554
defer_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
non_fqdn_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554

### SMTP Restrictions
smtpd_client_restrictions = permit_mynetworks,
                            reject_unknown_client,
                            check_client_access regexp:/etc/postfix/client_restrictions

smtpd_helo_restrictions = permit_mynetworks,
                          reject_non_fqdn_hostname,
                          check_helo_access hash:/etc/postfix/access,
                          warn_if_reject reject_invalid_hostname

smtpd_etrn_restrictions = permit_mynetworks,
                          reject

smtpd_sender_restrictions = permit_mynetworks,
                            reject_non_fqdn_sender,
                            reject_unknown_sender_domain,
                            reject_unknown_address

smtpd_recipient_restrictions = reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               permit_mynetworks,
                               reject_unauth_destination,
                               reject_multi_recipient_bounce,
                               reject_non_fqdn_hostname,
                               reject_invalid_hostname,
                               reject_unknown_client,
                               warn_if_reject reject_unknown_hostname,
                               reject_unauth_pipelining,
                               reject_rhsbl_sender dsn.rfc-ignorant.org
                               reject_rhsbl_sender bogusmx.rfc-ignorant.org,
                               reject_rbl_client bl.spamcop.net,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               reject_rbl_client list.dsbl.org,
#                              reject_unverified_sender
                               permit

smtpd_data_restrictions = reject_unauth_pipelining,
                          reject_multi_recipient_bounce,
                          permit

########################## END #########################################

Client restrictions for postfix. Put these settings in the file /etc/postfix/client_restrictions. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.

# List taken from http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
# To test regular expressions below use "grep -e" from the command line. If you see the hostname echo'ed the regex worked. 
# For example:  echo 'blah.hotmail.com' | grep -e '\.hotmail\.com$'

### WHITE LIST ###

/\.amazon\.com$/                OK
/\.dell\.com$/                  OK
/\.ibm\.com$/                   OK
/\.yahoo\.com$/                 OK
/\.hotmail\.com$/               OK
/\.paypal\.com$/                OK

# mc1-s3.bay6.hotmail.com, etc.
/\.bay[0-9]+\.hotmail\.com$/                    OK

# Whitelist Examples
#
# h04-a1.data-hotel.net, etc.
# /\.data-hotel\.net$/                            OK
#
# web10902.mail.bbt.yahoo.co.jp
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/       OK
#
# web35509.mail.mud.yahoo.com
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.com$/          OK
#
# c151240.vh.plala.or.jp
# /\.vh\.plala\.or\.jp$/                          OK
#
# n2.59-106-41-68.mixi.jp, etc.
# /\.mixi\.jp$/                                   OK
#
# mta12.m2.home.ne.jp, etc.
# /\.m2\.home\.ne\.jp$/                           OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
# /\.softbank\.ne\.jp$/                           OK
#
# imt1omta04-s0.ezweb.ne.jp, etc.
# /\.ezweb\.ne\.jp$/                              OK
#
# bay-w1-inf5.verisign.net
# benicia-w2-inf30.verisign.net
# /\.verisign\.net$/                              OK
#
# web10902.mail.bbt.yahoo.co.jp
#/^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/       OK
#
# ip address
# /^202\.222\.18\.17$/                           OK


### BLACK LIST ###

/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/          450 domain check tpnet
/^user.+\.mindspring\.com$/                     450 domain check mind
/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/              450 domain check pppool
/\.dip\.t-dialin\.net$/                         450 domain check t-dialin
/\.(adsl|cable)\.wanadoo\.nl$/                  450 domain check wanadoo
/\.ipt\.aol\.com$/                              450 domain check aol
# 85.155.10.73.dyn.user.ono.com
/\.user\.ono\.com$/                             450 domain check ono

# Blacklist Examples
#
# pr86.internetdsl.tpnet.pl
# fq217.neoplus.adsl.tpnet.pl
# pa148.braniewo.sdi.tpnet.pl
#/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/          450 domain check
#
# user-0cetcbr.cable.mindspring.com
# user-vc8fldi.biz.mindspring.com
#/^user.+\.mindspring\.com$/                     450 domain check
#
# c9531ecc.virtua.com.br (hexadecimal used)
#/^[0-9a-f]{8}\.virtua\.com\.br$/                450 domain check
#
# catv-5984bdee.catv.broadband.hu (hexadecimal used)
#/\.catv\.broadband\.hu$/                        450 domain check
#
# Edc3e.e.pppool.de
# BAA1408.baa.pppool.de
#/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/              450 domain check
#
# xdsl-5790.lubin.dialog.net.pl
#/^xdsl.+\.dialog\.net\.pl$/                     450 domain check
#
# pD9EB80CB.dip0.t-ipconnect.de (hexadecimal used)
#/\.dip[0-9]+\.t-ipconnect\.de$/                 450 domain check
#
# pD9E799A1.dip.t-dialin.net (hexadecimal used)
#/\.dip\.t-dialin\.net$/                         450 domain check
#
# ool-43511bdc.dyn.optonline.net (hexadecimal used)
#/\.dyn\.optonline\.net$/                        450 domain check
#
# rt-dkz-1699.adsl.wanadoo.nl
# c3eea5738.cable.wanadoo.nl (hexadecimal used)
#/\.(adsl|cable)\.wanadoo\.nl$/                  450 domain check
#
# ACBBD419.ipt.aol.com (hexadecimal used)
#/\.ipt\.aol\.com$/

### Generic Block ###
/^(pool|cable|dhcp|dialup|ppp|adsl)[^.]*[0-9]/             450 checking dynamic isp

#Generic Examples
#
# ex: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9]/                      450 S25R check1
#
# ex: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/                                450 S25R check2
#
# ex: 398pkj.cm.chello.no
# ex: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/       450 S25R check3
#
# ex: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/                 450 S25R check4
#
# ex: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./          450 S25R check5
#
# ex: dhcp0339.vpm.resnet.group.upenn.edu
# ex: dialupM107.ptld.uswest.net
# ex: PPPbf708.tokyo-ip.dti.ne.jp
# ex: adsl-1415.camtel.net
# /^(dhcp|dialup|ppp|adsl)[^.]*[0-9]/             450 S25R check

Header checks for postfix. Put these settings in the file /etc/postfix/header_checks. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.

#### Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks

#### non-RFC Compliance
/[^[:print:]]{7}/  REJECT RFC2047
/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT RFC822
/(.*)?\{6,\}/ REJECT RFC822
/(.*)[X|x]\{3,\}/ REJECT RFC822

#### Unreadable NON-acsii un-printable text
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable

#### Subject checks
/^Subject:.*      / REJECT Space
/^Subject:.*r[ _\.\*\-]+o[ _\.\*\-]+l[ _\.\*\-]+e[ _\.\*\-]+x/ REJECT Hidden Words
/^Subject:.*p[ _\.\*\-]+o[ _\.\*\-]+r[ _\.\*\-]+n/ REJECT Hidden Words

#### Character Set Checks
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)\?/ REJECT Bad Content Type

#### Attachments
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/ 
REJECT Bad Attachment .${3}

#### Backscatter mail from virus scanners
/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification

#### Known Spammers or Unsolicited Commercial Email
/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*constantcontact.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
#/^From:.*163.com/ REJECT Blacklisted

Body checks for Postfix. Put these settings in the file /etc/postfix/body_checks. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.

# Postfix body_checks
# /etc/postfix/body_checks

#### General body checks. Uncomment and change examples if needed.
#/http:\/\/.*\.info/ REJECT dotinfo
#/lottery/ REJECT lottery
#/Viagra/ REJECT viagra
#/Cialis/ REJECT cialis
#/Valium/ REJECT valium
#/Xanax/ REJECT xanax
#/Tramadol/ REJECT tramadol

Helo checks for Postfix. Put the names and ip's of your domains in the file /etc/postfix/helo_access. No sender should ever give a helo statement with the name of the server or the ip address of the mail server (example uses 1.1.1.1). Uncomment in config if you need to use it. Not a must but the more filters the better. Comment the line in main.cf if you don't use these.

localhost                       REJECT 554 misconfigured sender
mail.yourservername.org         REJECT 554 misconfigured sender
1.1.1.1				REJECT 554 misconfigured sender

Alias file for Postfix. Put these settings in the file /etc/aliases. Edit to your needs. It system-wide mechanism to redirect mail for local recipients. You will need to use this.

# Don't forget to run the command "newaliases" after editing this file!
postmaster:     root
abuse:          root
root:		username1
#bob:		username2
#everyone:	username1,username2
#roger:		roger@domainnothere.net

This is virtual delivery file for Postfix. Put these settings in the file /etc/postfix/virtual. Edit to your needs. The virtual delivery file is designed for virtual mail hosting services. If you have virtual domains put them here. Mail is delivered by the virtual delivery agent in postfix. Virtual alias lookups are useful to redirect mail for virtual alias domains to real user mailboxes, and to redirect mail for domains that no longer exist. Virtual alias lookups can also be used to transform Firstname.Lastname back into UNIX login names, although local aliases may be better for that. Don't forget to run the command: "postmap /etc/postfix/virtual" after editing this file.

#The left hand side are virtual e-mail aliases. The right hand side
#are local system login names or names that reference the alias file.
#After editing this file run the command: postmap /etc/postfix/virtual

# example1.org                username
bobby@example1.org            bob
abuse@example1.org            roger
postmaster@example1.org       bob

# example2.org                  username
robert@example2.org             bob
roger@example2.org		roger
abuse@example2.org              roger
postmaster@example2.org         bob

You can start Postfix with the "postfix start" command. It should start if you setup all your paths and configs correctly. If not check the mail log file. OpenBSD's is /var/log/mail. Other systems use this also so look in it for any errors. Thats it. You should be close to rolling. There are some hints and tips below to check out.

Check out a perl script called pflogsumm. It will e-mail you very helpful Postfix stats everyday. Fantastic program.

Here is a list some helpful postfix commands that I don't want to forget. They are below with comments.

postfix start           # start postfix
postfix stop            # stop postfix
postfix reload          # reload postfix like after changing the main.conf file 
mailq                   # see what mail is in the mail queue. same as command: postqueue -p
postqueue -f            # do a mail queue run and try to deliver the mail in the queue
postqueue -s site       # do a queue run for a certain "site" (domain)
postsuper -d queue_id   # delete a specific message from the mail queue by it's id.
postsuper -d ALL        # delete all mail from the mail queue
postsuper -h queue_id   # put a message in the mail queue on hold
postsuper -H queue_id   # take a message off hold
postconf                # shows you all the parameters (settings) of the running postfix

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib