
This page is part of the EmailServer article.

Switch to Postfix

We need to switch from sendmail, which Fedora uses by default, to Postfix.
This is quite specific to RedHat's way of doing things: they wanted to make mail management transparent enough that it would not really matter which MTA (Mail Transport Agent) you were using.

To switch, do the following:

# yum -t install postfix
# yum -t install system-switch-mail
# /usr/sbin/system-switch-mail

The first 2 yum installs may not be necessary if the packages are already on your system, but it doesn't hurt to run them anyway (the -t switch tells yum not to complain if the packages are already installed).

You will be presented with a choice on screen: choose Postfix and press OK. After a few seconds you should get a short report that the switch was completed.

Configuring Postfix

Postfix uses a few configuration files. The most important are master.cf and main.cf, both located in /etc/postfix.

Let's first make a backup copy of these config files (from within /etc/postfix), just in case:

# cp master.cf master.cf.ORIGINAL
# cp main.cf main.cf.ORIGINAL

main.cf parameters

Now edit main.cf and update the following definitions. Alternatively, run postconf -e "definition" on the command line for each line below if you don't want to edit the file by hand.

myorigin = $mydomain

This says that mail sent from your server will take the form xxx@example.com.

Note that by default, $myhostname and $mydomain are automatically derived from your machine's name. This name should be a Fully Qualified Domain Name (FQDN) like mail.example.com.
If that's not the case, you can change it by editing the /etc/sysconfig/network file, or you can declare myhostname = mail.example.com and mydomain = example.com in the main.cf file itself.

mydestination = $myhostname localhost.$mydomain localhost $mydomain

Defines which domains you want to receive mail for. We should always include the variations of localhost so the server can accept mail sent to itself, and $myhostname and $mydomain ensure that you will receive mail sent to both mail.example.com and example.com.
If you want your server to accept mail for multiple domains (say myhome.com and loveme.org), add them to the mydestination list as well.

mynetworks_style = subnet

Allows people on the local network to use the server to relay their email. People outside the subnet (outside the IP addresses defined by your network's netmask, such as 255.255.255.0) will not be able to use the server to send email. This is the safe setting: you never want unknown people on the Internet to be able to relay mail through your server, or it would take only a few minutes for your machine to become a spam hub.

relay_domains = $mydestination

Allows people on the outside to send email that is destined for us (the domains listed in $mydestination).

notify_classes = resource, software

Defines what sort of information should be sent to the postmaster when there is a problem. There are more options than that, but using too many could flood your mailbox.

relayhost =

Confirms that we're not using any external relay, as we want the server to deliver our email directly to other servers. If your ISP doesn't let you send email yourself (some block port 25), you can put their own mail server there as [mail.isp.com] (including the brackets). Any mail you send through your server will then be handed to your ISP's mail server for delivery. Note that this is not very reliable, as ISPs usually give no guarantee that your email will be delivered to its destination: you're in effect sending your mail into a black hole.

proxy_interfaces = 1.2.3.4

Only needed if your server is not directly connected to the Internet but sits, for instance, behind a firewall that uses port forwarding to redirect traffic to it on a local subnet (for instance, your server's address is 192.168.0.1 or another private LAN address). In that case you have to tell Postfix what the outside address of the mail server is (replace 1.2.3.4 with your real IP). Note though that if you don't have a fixed IP this can be a bit annoying, and you may be better off connecting the server directly to the Internet and using iptables as a good internal firewall.

inet_interfaces = all

Makes Postfix listen for email on all interfaces.

message_size_limit = 20971520

Limits the size of emails. Here we set it to 20MB, which should be more than enough for most systems. It's a good idea to set a limit: I've had users trying to send 150MB emails to people who only had a dial-up connection (since delivery to the server from the local network is fast, people tend not to notice the size of the emails they send).

masquerade_domains = $mydomain

Ensures that mail from other hosts being sent through the server gets rewritten with our domain name correctly appended. This means that if elise@accounts.example.com sends an email through the server, it will be rewritten as elise@example.com.
If you're accepting mail for multiple domains, you must add them to the list as well, separated by commas.

mail_name = MyOwnPostOffice

Optional; replaces the default name returned by Postfix. It's not a bad idea to replace the default string, as it is part of the messages exchanged every time an email is delivered. Potentially, it could allow someone to use that information to exploit a known security hole (the default string contains the full version number of Postfix).

home_mailbox = email/

If that directive is present, it tells Postfix to deliver messages to the email/ folder inside the user's home, as in /home/joe/email, instead of the default /var/mail/joe mbox file.
Note that the trailing / means that we want to use maildir instead of mbox. This is how we get to save received emails in directories and files rather than in one single flat file, which becomes cumbersome and fragile if too many emails are stored in it.

Note: you do not need to create the directories: Postfix will do that for you if they don't exist.

SASL Authentication

As we've discussed before, ensuring that your server is locked down is vital if you don't want to become the next spam relay.
However, we must still ensure that we've got a flexible system that allows all our legitimate users to send email from wherever they are.

SASL is a way of authenticating users when they try to send mail. It supports a variety of methods and is fairly flexible, at the expense of simplicity.

To ensure proper SASL authentication, add the following to your main.cf file:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  reject_invalid_hostname
  reject_unknown_sender_domain

The first line enables authentication for email being sent through the server from the outside (allowing roaming users to send email from the Internet).
The next directive ensures that Postfix will work around older mail clients with broken implementations of SMTP authentication.
Finally, smtpd_recipient_restrictions lists the checks that an email must pass before being accepted. There are a lot of different possibilities. I have used what I think is reasonable for our system.
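The two settings that keep this server from being an open relay are mynetworks_style (from the main.cf section above) and the reject_unauth_destination entry in the smtpd_recipient_restrictions list here. The following shell script is an added example, not code from the original page: it audits a main.cf for those settings (also flagging a bare permit placed before the reject, which would short-circuit it) on constructed sample files, assuming only a Bourne shell with POSIX awk and sed.

```shell
# Added example, not from the original page: audit a Postfix main.cf for the
# relay settings discussed above (mynetworks_style and the
# smtpd_recipient_restrictions list), folding continuation lines first.
# Caveat: Postfix 2.10+ also evaluates smtpd_relay_restrictions, not read here.
# Print "name = value" per line: comments dropped, continuations joined,
# commas and runs of whitespace collapsed to single spaces.
flatten_main_cf() {
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]/   { if (cur != "") cur = cur " " $0; next }
    { if (cur != "") print cur; cur = $0 } END { if (cur != "") print cur }
  ' "$1" | sed 's/,/ /g; s/[[:space:]][[:space:]]*/ /g'
}
# Last value assigned to parameter $1 in file $2 (empty when unset).
param_value() {
  flatten_main_cf "$2" | sed -n "s/^$1 *= *//p" | tail -n 1
}

# Print each finding; return 0 when the file is clean, 1 otherwise.
audit_main_cf() {
  rc=0
  # Double every space so each " name " test matches whole words, even adjacent ones.
  r=$(printf ' %s ' "$(param_value smtpd_recipient_restrictions "$1")" | sed 's/ /  /g')
  case "$r" in
    *" reject_unauth_destination "*) ;;
    *) echo "FINDING: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1 ;;
  esac
  case "$r" in
    *" permit "*" reject_unauth_destination "*)
      echo "FINDING: a bare 'permit' precedes reject_unauth_destination and short-circuits it"; rc=1 ;;
  esac
  if [ "$(param_value mynetworks_style "$1")" = "class" ]; then
    echo "FINDING: mynetworks_style = class trusts every host in the surrounding class A/B/C network"; rc=1
  fi
  return $rc
}
# Constructed samples: one following the page, one misconfigured.
tmp=$(mktemp -d)
cat >"$tmp/good.cf" <<'EOF'
mynetworks_style = subnet
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
EOF
cat >"$tmp/bad.cf" <<'EOF'
mynetworks_style = class
smtpd_recipient_restrictions = permit_mynetworks, permit
EOF
good_cf="$tmp/good.cf"; bad_cf="$tmp/bad.cf"
```

Run it as audit_main_cf /etc/postfix/main.cf on a real server; a non-zero exit means at least one finding was printed.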

For security reasons, Postfix runs as an unprivileged user, meaning that it doesn't have access to your password files.
To be able to authenticate users, it must rely on an external service, saslauthd.

Fortunately, this is already installed on Fedora and probably on most distributions as well. Just to be sure, do the following from the prompt:

# yum -t install cyrus-sasl

The only configuration that tells saslauthd that it is needed for mail authentication is in the file /usr/lib/sasl2/smtpd.conf, which is installed as part of the Postfix package.
This file contains just two parameters:

pwcheck_method: saslauthd
mech_list: plain login

Note: on other Linux systems, this file may be missing or may be located under /usr/local/lib/sasl2/smtpd.conf instead.

Make sure you restart the saslauthd service so the changes are taken into account; otherwise you won't be able to send email, as messages will fail during the authentication process.

Aliases

The minimum alias that must be set up is for the postmaster, who will receive errors and warnings issued by Postfix:

Edit /etc/aliases and modify the following:

postmaster: administrator
root: administrator

The administrator user must already have been created, and you should probably be the one using that account regularly to check for issues.

Note: after every modification of the alias file, you must run postalias /etc/aliases to rebuild the database that Postfix will use. Your changes won't be taken into account if you don't do that!

To add more aliases, just add them to /etc/aliases:

Email aliases

I usually use a fair number of variations on employees' names as aliases so that most misspellings in an email address still end up going to the right person. You should of course only give one email address to your users; for instance, your company policy could be that emails should be in the form suzan.smith@example.com.

suzan.smith: susan
s.smith:     susan
suzansmith:  susan
ssmith:      susan
smith.suzan: susan

accounts:    boss
marketing:   boss
sales:       boss
joe.doe:     boss
joedoe:      boss

Don't forget to run postalias /etc/aliases to rebuild the aliases database for Postfix.

Virtual map

Aliases are OK, but not very powerful, especially if you're hosting multiple domains and want mail sent to sales@example.com to be redirected to john while mail to sales@myhome.com should go to suzan.

In that case, edit the /etc/postfix/virtual text file instead of /etc/aliases and add an entry for each address and where you want its mail delivered instead. Unlike /etc/aliases, entries in this file are "pattern result" separated by whitespace, with no colon.

suzan.smith  susan@example.com
s.smith      susan@example.com
suzansmith   susan@example.com
ssmith       susan@example.com
smith.suzan  susan@example.com

sales@example.com   susan@example.com
sales@myhome.com    john@example.com

@example.com  john@example.com

Here, anything sent to any variation of Susan's email address will be redirected to Susan's account, regardless of the domain it was sent to: s.smith@example.com and s.smith@myhome.com will both be dropped into Susan's mailbox.

For email sent to sales, Suzan will be the recipient for example.com and John for myhome.com.

Any other email sent to an invalid address at example.com (one that has no account, alias or virtual entry defined on the system) will be sent to John. This is a catch-all definition; it is generally preferable to use a separate account for it, as it will receive all the spam sent to the server for accounts that do not exist.

After editing /etc/postfix/virtual, you must run postmap /etc/postfix/virtual to update the binary database that Postfix uses for fast lookups.

After any change it's also a good idea to run service postfix reload to make sure that Postfix re-reads its configuration.
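The two hand-edited files from the Aliases and Virtual map sections have different syntaxes that are easy to mix up: aliases(5) needs "name: target", while virtual(5) is "pattern result" split on whitespace only (and Postfix only consults /etc/postfix/virtual when main.cf sets virtual_alias_maps = hash:/etc/postfix/virtual). This shell script is an added example, not from the original page; it lints both files on constructed samples and assumes a constructed list of local accounts (LOCAL_USERS).

```shell
# Added example, not from the original page: lint the two lookup files this
# page has you edit by hand. aliases(5) entries must read "name: target";
# virtual(5) entries are "pattern result" split on whitespace only, so a colon
# there becomes part of the key and the entry never matches.
LOCAL_USERS="susan john boss administrator"   # constructed list of local accounts
# Problems in an aliases(5) file $1: missing colon, unknown target, no postmaster.
lint_aliases() {
  rc=0; postmaster=0
  known="$LOCAL_USERS $(sed -n 's/^\([^#:][^:]*\):.*/\1/p' "$1" | tr '\n' ' ')"
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *:*) ;; *) echo "aliases: missing ':' -> $line"; rc=1; continue ;; esac
    name=${line%%:*}
    [ "$name" = postmaster ] && postmaster=1
    for t in $(echo "${line#*:}" | tr ',' ' '); do
      case "$t" in *@*|/*|\|*) continue ;; esac       # remote address, file or pipe
      case " $known " in *" $t "*) ;; *) echo "aliases: $name -> $t: no such user or alias"; rc=1 ;; esac
    done
  done < "$1"
  [ $postmaster -eq 1 ] || { echo "aliases: no postmaster entry"; rc=1; }
  return $rc
}

# Problems in a virtual(5) file $1: colon-suffixed key, missing result; catch-all is a warning.
lint_virtual() {
  rc=0
  while read -r pat result rest; do
    case "$pat" in ''|'#'*) continue ;; esac
    case "$pat" in
      *:) echo "virtual: key '$pat' ends in ':' and will never match"; rc=1 ;;
      @*) echo "virtual: catch-all $pat -> $result receives all spam to unknown users" ;;
    esac
    [ -n "$result" ] || { echo "virtual: $pat has no result address"; rc=1; }
  done < "$1"
  return $rc
}
# Constructed samples modelled on the page's entries, mistakes included.
tmp=$(mktemp -d)
cat >"$tmp/aliases" <<'EOF'
postmaster: administrator
ssmith:      suzan
smith.suzan  susan
EOF
cat >"$tmp/virtual" <<'EOF'
suzan.smith:  susan@example.com
sales@myhome.com  john@example.com
@example.com  john@example.com
EOF
aliases_file="$tmp/aliases"; virtual_file="$tmp/virtual"
```

Run lint_aliases /etc/aliases and lint_virtual /etc/postfix/virtual before postalias and postmap; the unknown-target check needs LOCAL_USERS replaced with the real account list.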

< Users | EmailServer | Dovecot >

Page last modified on Friday 23 January 2009, at 05:39 GMT+8 - Viewed 3784 times