==Synopsis==
"Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different..."
Postfix is an MTA. An MTA is responsible for sending and receiving email across the internet and, of course, locally. This HOWTO will assist you in setting up Postfix for use with [[vMail.Admin]]. You will, however, need to verify that you can send and receive email with a basic Postfix configuration before proceeding.
==Installation==
You will need to consult the Postfix Documentation for compiling Postfix from source.
===Gentoo users===
$ USE="hardened mailwrapper mysql nis pam postgres ssl vda" emerge mail-mta/postfix
==Post installation==
Files to be modified:
* /etc/postfix/main.cf
* /etc/postfix/master.cf
===main.cf===
First and foremost, visit Postfix's main.cf page which contains all Postfix Configuration Parameters.
main.cf is the primary configuration file used by Postfix. You should already have a fully functional mail system before continuing, as we do not provide any type of support for Postfix itself. If you wish to implement SSL, don't forget to [[HOWTO_Create_SSL_Certs|create an SSL certificate]]. Otherwise, comment out all SASL parameters.
Please note that the parameter virtual_alias_domains, while not currently used by vMail.Admin, should be set to an empty value unless it is actively used.
(pgsql|mysql) are the SQL engines to choose from. The following are examples using each engine:
virtual_alias_maps = mysql:/etc/postfix/maps/sql-valiases.cf
virtual_alias_maps = pgsql:/etc/postfix/maps/sql-valiases.cf
You may also choose to proxy your SQL queries through the Postfix proxymap daemon. This requires Postfix to be compiled with proxy support:
virtual_alias_maps = proxy:mysql:/etc/postfix/maps/sql-valiases.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/maps/sql-valiases.cf
{{Box File|/etc/postfix/main.cf|
####################################################################################
# General configuration
# Note: Postfix treats '#' as a comment only at the start of a line; text after a
# value on the same line becomes part of the value, so all comments are on their own lines.
# Set 'mydomain' to a fake domain if implementing only virtual users (no system users).
mydomain = mydomain.tld
myhostname = mail.$mydomain
myorigin = $mydomain
mydestination =
    $myhostname,
    $mydomain,
    localhost.$mydomain
mynetworks =
    192.168.1.0/24
    127.0.0.0/8
# Overridden by the relay_domains setting in the "Relay/MX domains" section below
# (when a parameter is set twice, Postfix uses the last assignment).
relay_domains = $mynetworks
# Interface IP address
inet_interfaces = 192.168.1.240
mailbox_size_limit = 51200000
queue_run_delay = 1h
maximal_backoff_time = 2h
minimal_backoff_time = 1h
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 2d
# Customize limit
message_size_limit = 7680000
setgid_group = postdrop
html_directory = no
default_privs = nobody
recipient_delimiter = +
home_mailbox = .maildir/
biff = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
####################################################################################
# System Tools
syslog_facility = mail
syslog_name = postfix
config_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mailq_path = /usr/bin/mailq
####################################################################################
# Post SMTPD checks
header_checks = pcre:$config_directory/maps/header_checks
body_checks =
####################################################################################
# SMTPD client restrictions
smtpd_client_restrictions =
    permit_mynetworks,
    reject_rbl_client countries.blackholes.us
####################################################################################
# SMTPD helo restrictions
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    pcre:$config_directory/maps/helo
####################################################################################
# SMTPD sender restrictions
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender
####################################################################################
# SMTPD recipient restrictions
smtpd_recipient_restrictions =
    permit_mynetworks,
    # DSPAM protected retrain aliases
    check_recipient_access pcre:$config_directory/maps/protected_aliases,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    # SQLGrey service
    check_policy_service inet:127.0.0.1:1025,
    # DSPAM content filter service
    check_client_access pcre:$config_directory/maps/dspam-catch
####################################################################################
# SMTPD data restrictions
smtpd_data_restrictions =
    reject_unauth_pipelining
####################################################################################
# SASL authentication (I choose not to implement SASL here because it requires
# passwords to be in plain-text, but here is the code and the choice is yours)
smtpd_sasl_auth_enable = no
smtpd_sasl_application_name = smtpd
smtp_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous, nodictionary, noplaintext
broken_sasl_auth_clients = no
smtpd_sasl_local_domain = $myhostname
####################################################################################
# TLS
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = $config_directory/ssl/newkey.pem
smtpd_tls_cert_file = $config_directory/ssl/newcert.pem
smtpd_tls_CAfile = $config_directory/ssl/demoCA/cacert.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
####################################################################################
# Required Transports (Maildrop support)
mailbox_command = /usr/bin/maildrop -d $USER 0 $USER $DOMAIN $SENDER
virtual_transport = maildrop
default_destination_concurrency_limit = 10
local_destination_concurrency_limit = 2
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
maildrop_destination_recipient_limit = $default_destination_concurrency_limit
####################################################################################
# DSPAM Transports [+ support for] (optional)
dspam-catchall_destination_recipient_limit = $default_destination_concurrency_limit
dspam-retrain_destination_recipient_limit = $default_destination_concurrency_limit
transport_maps = pcre:$config_directory/maps/dspam-retrain
local_recipient_maps = proxy:unix:passwd.byname $transport_maps
####################################################################################
# Virtual domain support
virtual_minimum_uid = 1000
virtual_gid_maps = static:5000
virtual_uid_maps = static:5000
# virtual_mailbox_base is a plain directory path, not a lookup table
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = pgsql:$config_directory/maps/sql-vdomains.cf
virtual_mailbox_maps = pgsql:$config_directory/maps/sql-vmailboxes.cf
virtual_alias_maps = pgsql:$config_directory/maps/sql-valiases.cf
# Set virtual_alias_domains to empty
virtual_alias_domains =
# Set virtual_maildir_limit_message to empty since Maildrop will handle quotas
virtual_maildir_limit_message =
####################################################################################
# Relay/MX domains
relay_domains = pgsql:$config_directory/maps/sql-mx-domains.cf
####################################################################################
# Proxy maps (this is optional but required if using proxy)
proxy_read_maps =
    $local_recipient_maps
    $mydestination
    $virtual_alias_maps
    $virtual_alias_domains
    $virtual_mailbox_maps
    $virtual_mailbox_domains
    $relay_recipient_maps
    $relay_domains
    $canonical_maps
    $sender_canonical_maps
    $recipient_canonical_maps
    $relocated_maps
    $transport_maps
    $mynetworks
    $virtual_mailbox_limit_maps
####################################################################################
# Reject elements
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450
####################################################################################
# Bounce elements
# Set 'soft_bounce' to yes while testing
soft_bounce = no
2bounce_notice_recipient = postmaster@$mydomain
bounce_notice_recipient = postmaster@$mydomain
error_notice_recipient = postmaster@$mydomain
####################################################################################
# Debugger
debug_peer_level = 2
# Interface IP address, or any trivial remote IP to debug
debug_peer_list = 192.168.1.240
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
}}
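Postfix reads main.cf with rules that are easy to trip over: a '#' starts a comment only when it is the first non-blank character of a line, a line that begins with whitespace continues the previous parameter, and when a parameter is assigned twice the last assignment wins. The following Python script is an added example for this HOWTO (it is not part of the original page, of vMail.Admin or of Postfix); it parses a constructed main.cf fragment by those rules and warns about the two pitfalls. The names parse_main_cf and SAMPLE_MAIN_CF, and the warning texts, are this example's own.

```python
"""Lint a Postfix main.cf the way postconf reads it (added example, not part
of the original HOWTO).  Postfix rules implemented here:
  * a line is a comment only if '#' is its FIRST non-blank character; a '#'
    anywhere else is part of the parameter VALUE;
  * a line that starts with whitespace continues the previous parameter;
  * when a parameter is set twice, the LAST assignment wins.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample reproducing two common mistakes (not a real server's file).
SAMPLE_MAIN_CF = """\
# General configuration
mydomain = mydomain.tld # Set 'mydomain' to a fake domain if not
myhostname = mail.$mydomain
mydestination =
    $myhostname,
    $mydomain,
    localhost.$mydomain
relay_domains = $mynetworks
inet_interfaces = 192.168.1.240 # Interface IP Address
soft_bounce = no
# Relay/MX domains
relay_domains = pgsql:$config_directory/maps/sql-mx-domains.cf
"""

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=(.*)$")


def parse_main_cf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({parameter: effective value}, [warnings]) for a main.cf body."""
    params: Dict[str, str] = {}
    warnings: List[str] = []
    seen_lines: Dict[str, int] = {}
    current: Optional[str] = None          # parameter being continued, if any

    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank or real comment line
        if raw[0] in " \t":
            # Continuation line: Postfix appends it to the previous value.
            if current is None:
                warnings.append(f"line {lineno}: continuation with no parameter")
                continue
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = PARAM_RE.match(raw)
        if not m:
            warnings.append(f"line {lineno}: not a 'name = value' line")
            current = None
            continue
        name, value = m.group(1), m.group(2).strip()
        if name in params:
            warnings.append(
                f"line {lineno}: '{name}' already set on line {seen_lines[name]}; "
                "the later value overrides the earlier one")
        if "#" in value:
            warnings.append(
                f"line {lineno}: '#' inside the value of '{name}' is NOT a "
                "comment; Postfix uses everything after it as part of the value")
        params[name] = value
        seen_lines[name] = lineno
        current = name
    return params, warnings


if __name__ == "__main__":
    parsed, problems = parse_main_cf(SAMPLE_MAIN_CF)
    for key in ("mydomain", "mydestination", "relay_domains"):
        print(f"{key} = {parsed[key]!r}")
    for problem in problems:
        print("WARNING:", problem)
```

On a live system, `postconf -n` prints the values Postfix actually parsed; comparing its output for mydomain with what you intended catches the same mistake after the fact.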
Important: Postfix bounces mail for domains not defined by mydomain, virtual_mailbox_domains and relay_domains. All of your domains, including virtual domains, must be defined by these variables. In addition, not setting relay_domains turns your Postfix server into an open relay for spammers to use freely. Running an open relay on the internet is rude, irresponsible and not acceptable; if you do, you will soon be blacklisted by the various open-relay blacklists such as Spamhaus, Spamcop, ORBS and RSS, which serves you right.
===master.cf===
master.cf is a configuration file used by Postfix that lists the available services. These services are commands to other programs, whether provided by Postfix or not, that Postfix can pipe mail to. We need to make Postfix aware of the maildrop and DSPAM services, so add the following (if it is not already present) to master.cf:
{{Box File|/etc/postfix/master.cf|
###################################################################################################################################
# Maildrop service
maildrop        unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/maildrop -w 90 -d $user@$nexthop 1 $user $nexthop $sender
###################################################################################################################################
# DSPAM services
dspam-catchall  unix  -       n       n       -       10      pipe
  flags=Ruq user=dspam:dspam argv=/usr/bin/dspam --client --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
dspam-retrain   unix  -       n       n       -       10      pipe
  flags=Ruq user=dspam:dspam argv=/usr/bin/dspam_feeder -p $nexthop $sender $recipient
###################################################################################################################################
# To implement TLS
tlsmgr          unix  -       -       n       300     1       tlsmgr
}}
<span style="font-size:14px;font-weight:bold;">Maildrop service</span> (required)<br /> maildrop: -w 90 tells Maildrop to send the user a message when the mailbox reaches 90% of its quota. All arguments following -d MUST be present. '$user@$nexthop' is the recipient's full email address. The '1' tells maildrop to deliver to a virtual user (this is a setting specific to maildrop as configured [[HOWTO_Maildrop#maildroprc|here]]). '$user' is everything before the @ sign. '$nexthop' is everything after the @ sign, i.e. the domain. '$sender' is, well, the sender. =)
<span style="font-size:14px;font-weight:bold;">DSPAM services</span> (optional)<br /> dspam: --client tells DSPAM to use client/server mode. --deliver=innocent,spam tells DSPAM to deliver all mail to the recipient, spam or not. --user $recipient tells DSPAM to learn and identify the message for that recipient. -i -f $sender -- $recipient tells DSPAM to re-inject the message back into Postfix (without queueing) for further processing.
<span style="color:#FF0000;font-weight:bold;">NOTE</span> The dspam-retrain service is currently being explored as a training method. It is here for educational purposes and should not be used as displayed above (it calls a custom Perl program that is currently being written). This notice does not apply to administrators who already use this method to (re)train spam/ham. The example displayed, when available, will be based on Dspam Retrain Script, written in Perl.
[[HOWTO_DSPAM|This wiki]] is dedicated to DSPAM.
<span style="font-size:14px;font-weight:bold;">INFO</span><br /> Please do not blindly cut and paste. You may need to modify some entries to suit your installation. In particular, you may need to change the values of user and argv: user is the account maildrop or dspam will run as, and argv is the path to the maildrop or dspam executable. Additionally, maildrop must be suid (chmod 4711). According to the maildrop documentation, maildrop is suid by default.
===SQL/DB maps===
One of the many key features of Postfix and Courier-IMAP is the ability to perform database lookups to retrieve user and mailbox information. This is the foundation on which [[vMail.Admin]] is built, and it removes the need to manually modify hash files when adding domains and/or users. To my knowledge, there are no other MTAs or POP3/IMAP servers available with this ability.
Since your user and mailbox information is stored in a SQL database, Postfix must be configured to use SQL lookups rather than hashed files (hash files are file-based databases). Each SQL map file contains the information pertinent to the lookup in question. We do just that by mapping specific Postfix parameters to specific database map files.
The other lookup table type used here is pcre (Perl Compatible Regular Expressions), which is favored over regexp (POSIX regular expressions).
[[SQL_Lookup_Maps#sql-valiases.cf|sql-valiases.cf]]<br /> [[SQL_Lookup_Maps#sql-vdomains.cf|sql-vdomains.cf]]<br /> [[SQL_Lookup_Maps#sql-vmailboxes.cf|sql-vmailboxes.cf]]<br /> [[SQL_Lookup_Maps#sql-mx-domains.cf|sql-mx-domains.cf]]<br /> [[SQL_Lookup_Maps#header_checks|header_checks]] (optional)<br /> [[SQL_Lookup_Maps#helo|helo]] (optional)<br /> [[SQL_Lookup_Maps#protected_aliases|protected_aliases]] (optional, DSPAM)<br /> [[SQL_Lookup_Maps#dspam-catchall|dspam-catchall]] (optional, DSPAM)<br /> [[SQL_Lookup_Maps#dspam-retrain|dspam-retrain]] (optional, DSPAM)
==Follow up==
Start Postfix and don't forget to add Postfix to your default run level so that it will start when your system is rebooted.
===Gentoo users===
$ /etc/init.d/postfix start
$ rc-update -a postfix default
==Final notes==
===User Types===
If you do not plan on implementing system user mailboxes, you should make the following changes to main.cf:
mydomain = domain.tld
mailbox_command = /usr/bin/maildrop -d $USER 1 $USER $DOMAIN $SENDER
TO
mydomain = fake.domain
# mailbox_command = /usr/bin/maildrop -d $USER 1 $USER $DOMAIN $SENDER
mailbox_command is specific to system users and does not need to be set if you will not be delivering mail to system users.
===Default Settings===
To view Postfix's default settings (execute as superuser):
$ postconf -d
===Configured Settings===
To view your run-time settings as configured in main.cf (execute as superuser):
$ postconf -n
===Service Support===
To verify which lookup table types (e.g. pgsql, mysql, pcre) Postfix was compiled with (execute as superuser):
$ postconf -m
===Hash File===
When you modify a Postfix lookup file, rebuild its database (execute as superuser):
$ postmap /etc/postfix/map/file_to_hash
===Clearing Queue===
Delete all messages from the Postfix queue (execute as superuser):
$ postsuper -d ALL
===Anti-UCE/Anti-Virus processing===
Anti-UCE/Anti-Virus processing is applied in the following order:
# SMTPD Restrictions
# Header/Body Checks
# Content Filters
===Restriction stages===
Restriction stages are processed in the following order, regardless of the order in which they appear in main.cf:
# smtpd_client_restrictions
# smtpd_helo_restrictions
# smtpd_sender_restrictions
# smtpd_recipient_restrictions
# smtpd_data_restrictions
The order of the checks within each restriction stage is important. In a nutshell, the first match WINS!
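"First match wins" is easiest to see by running an ordered restriction list against a few sessions. The Python script below is an added example written for this HOWTO (it is not part of the original page, of vMail.Admin or of Postfix): it models a handful of the restrictions used in the main.cf above, each returning permit, reject or no opinion, walks them in list order, and falls back to the implicit permit at the end of the list. The site data (MYNETWORKS, the domain sets, the "listed" RBL client) and the names Session, evaluate, relays_for_strangers, HOWTO_ORDER and NO_RELAY_CHECK are constructed for the example. The last function turns the open-relay warning above into a check: a list with no reject_unauth_destination lets an outside client send to a foreign domain.

```python
"""Simulate Postfix smtpd restriction-list evaluation (added example, not part
of the original HOWTO).  Only a few restrictions are modelled, with constructed
site data; each returns 'permit', 'reject' or None (no opinion).  The first
restriction that returns a verdict decides, and a list that runs out of
restrictions permits, which is why the ORDER of entries matters."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins for $mynetworks and the HOWTO's domain tables.
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("127.0.0.0/8")]
MY_DESTINATIONS = {"mydomain.tld", "mail.mydomain.tld", "localhost.mydomain.tld"}
VIRTUAL_MAILBOX_DOMAINS = {"example.org"}
RELAY_DOMAINS = {"customer.example"}
RBL_LISTED_CLIENTS = {"203.0.113.9"}       # constructed "listed" client address


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str

    @property
    def recipient_domain(self) -> str:
        return self.recipient.rpartition("@")[2].lower()


Restriction = Callable[[Session], Optional[str]]


def permit_mynetworks(s: Session) -> Optional[str]:
    addr = ipaddress.ip_address(s.client_ip)
    return "permit" if any(addr in net for net in MYNETWORKS) else None


def reject_non_fqdn_recipient(s: Session) -> Optional[str]:
    return "reject" if "." not in s.recipient_domain else None


def reject_unauth_destination(s: Session) -> Optional[str]:
    # Relay only for domains this server is responsible for (mydestination,
    # virtual_mailbox_domains, relay_domains); anything else is rejected.
    ours = MY_DESTINATIONS | VIRTUAL_MAILBOX_DOMAINS | RELAY_DOMAINS
    return None if s.recipient_domain in ours else "reject"


def reject_rbl_client(s: Session) -> Optional[str]:
    # Stand-in for a DNSBL lookup; a real one queries <reversed-ip>.<rbl_domain>.
    return "reject" if s.client_ip in RBL_LISTED_CLIENTS else None


def evaluate(restrictions: List[Restriction], s: Session) -> Tuple[str, str]:
    """Walk the list in order; return (verdict, name of the deciding restriction)."""
    for r in restrictions:
        verdict = r(s)
        if verdict is not None:
            return verdict, r.__name__
    return "permit", "end-of-list default"


def relays_for_strangers(restrictions: List[Restriction]) -> bool:
    """Open-relay check: may an outside client send to a domain that is not ours?"""
    probe = Session("198.51.100.7", "someone@remote.example", "victim@elsewhere.net")
    return evaluate(restrictions, probe)[0] == "permit"


# The HOWTO's ordering, reduced to the restrictions modelled here.
HOWTO_ORDER: List[Restriction] = [
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_rbl_client,
]
# The same list with reject_unauth_destination left out.
NO_RELAY_CHECK: List[Restriction] = [
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_rbl_client,
]

if __name__ == "__main__":
    lan = Session("192.168.1.50", "me@mydomain.tld", "friend@elsewhere.net")
    stranger = Session("198.51.100.7", "x@remote.example", "friend@elsewhere.net")
    listed = Session("203.0.113.9", "x@remote.example", "me@mydomain.tld")
    for label, sess in (("lan", lan), ("stranger", stranger), ("rbl-listed", listed)):
        print(label, evaluate(HOWTO_ORDER, sess))
    print("HOWTO order relays for strangers?", relays_for_strangers(HOWTO_ORDER))
    print("Without reject_unauth_destination?", relays_for_strangers(NO_RELAY_CHECK))
```

Note that the LAN client is permitted by permit_mynetworks before the RBL check is ever consulted, and an outside client sending to one of our own domains is permitted only by reaching the end of the list. Postfix itself refuses to start when smtpd_recipient_restrictions contains no relay-protecting restriction such as reject_unauth_destination, so the open-relay case in NO_RELAY_CHECK is one the real daemon catches for you.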
