Postfix Category

From MattWiki
(Redirected from Postfix)
Jump to: navigation, search

Postfix is a free open source mail transfer agent (MTA), for the routing and delivery of email, written by Wietse Venema. It is intended as a fast, easy-to-administer, and secure alternative to the widely-used Sendmail MTA.

It is released under the IBM Public License 1.0.

Postfix only sends and receives emails to other server, if your looking for IMAP or POP3 service look at Dovecot.

Also see Postfix SQLite Admin for a quick Postfix interface.

Applicable RFC's

Postfix How-To's

Postfix Notes

Postfix Queue

  • To Display the postfix queue
postqueue -p
  • Flush the queue: attempt to deliver all queued mail (Retry)
postqueue -f
  • To Requeue one messages in the message queue (Delete and resend)
postsuper -r <messages-id>
  • To Requeue ALL messages in the message queue (Delete and resend)
postsuper -r ALL
  • To Delete one message from the message queue
postsuper -d <messages-id>
  • To Delete ALL messages from the message queue
postsuper -d ALL

Postfix Terms

  • Client - A Client is the sending system.
  • Recipient - A Recipient is the receiving email address.

Postfix Version

  • To Display the current running version of Postfix
postconf -d | grep mail_version

Postfix Log

How the delay values are defined in the log

From the 2.3.13 Release Notes:
[Feature 20051103] This release makes a beginning with a series of
new attributes in Postfix logfile records.

- Better insight into the nature of performance bottle necks, with
  detailed logging of delays in various stages of message delivery.
  Postfix logs additional delay information as "delays=a/b/c/d"
  where:

  a=time before queue manager, including message transmission;
  b=time in queue manager; 
  c=connection setup time including DNS, HELO and TLS; 
  d=message transmission time.

Postfix Logging Application

Postfix's SMTPD Recipient Restrictions

Things to keep in mind when using Postix's smtpd_recipient_restrictions.

  • Evaluate each element in order
  • If the result is DEFER or REJECT, stop! The "RCPT TO" command is rejected (or deferred)
  • If the result is OK, stop! The "RCPT TO" command is accepted, unless implicit recipient validation finds that the recipient address is invalid (in which case the command is rejected).
  • If the result is neutral (DUNNO), continue to the next element
  • If the result is DEFER_IF_PERMIT (or DEFER_IF_REJECT), continue to the next element, but at the end the message will be deferred rather than permitted (or rejected) if not rejected (or permitted).

If permitting relay using client certificates, check_ccert_access and friends can also go above reject_unauth_destination.

Mini How-To's

To allow select users permission to send to a cretin address

So the idea here is to have an email address that you would only like a select few to have access to email to, for example, a everyone or all address. In this example we will be locking down the email address all@example.com and only allow the address abc@example.com to send to it.

In /etc/postfix/main.cf add the following:

smtpd_restrictions_classes =  restricted_recipient
  • note: This is in smtpd_SENDER_restrictions to avoid becoming an open relay because of the "OK" below.
smtpd_sender_restrictions =
  check_recipient_access hash:/etc/postfix/restricted_recipient
restricted_recipient =
  check_sender_access hash:/etc/postfix/privileged_sender
  reject

restricted_recipient:

all@example.com         restricted_recipient

privileged_sender:

abc@example.com         OK

To Reject select sender addresses

First start out by creating a file named /etc/postfix/rejected_addresses then add the following to it

bad_sender@example.com    REJECT

This will be an hashed map table, so we need to create the hash

postmap /etc/postfix/rejected_addresses

Next we need to add the map to our /etc/postfix/main.cffile. We will be adding this to the smtpd_recipient_restrictions section.

smtpd_recipient_restrictions =
  ...
  check_sender_access hash:/etc/postfix/rejected_addresses,
  ...
  reject_unauth_destination

Once complete reload postfix

postfix reload

Require FQDN on all but some

/etc/postfix/main.cf:

smtpd_recipient_restrictions =
   ...
   check_client_access cidr:/etc/postfix/client_cidr
   ...

/etc/postfix/client_cidr:

   123.123.123.123     OK
   192.168.0.1/32      dunno
   0.0.0.0/0           reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
   ::/0                reject_non_fqdn_sender, reject_non_fqdn_recipient, ...

The first entry in the above file is the IP address of the known OK client. The "dunno" entry is your local network. dunno stats to act as if this entry failed and move on to the next. Not intuitive, but effective.

To "Freeze" Postfix Delivery

By Freezing Postfix, your directing Postfix to queue all inbound mail, but not send any messages from it's queue. This is very use full in an emergency such as a virus attack or even just a internal outage that will prevent mail from being stored correctly. All inbound mail will be stored in the queue until released by the unfreeze command (or removed the config options and restarting Postfix). You will be able to see the message in the queue by running the 'postqueue -p' command.

To Freeze Postfix delivery and hold all mail in queue.

postconf -e master_service_disable=qmgr.fifo in_flow_delay=0 && postfix reload

To Unfreeze Postfix and deliver the queued mail.

postconf -e master_service_disable= in_flow_delay=1 && postfix reload

Relay mail for a single domain to a different MX

The below entry will route all traffic destine for 'example.com' to port 587 on 'smtp.example.net'.

  • /etc/postfix/transport:
   example.com         smtp:[smtp.example.net]:587

Suspend delivery of mail per domain

  • /etc/postfix/transport:
   user@example.com	retry:4.4.1 Service unavailable
   mx.example.com	retry:4.4.1 Service unavailable

Also be aware of the current value of maximal_queue_lifetime.

postconf maximal_queue_lifetime

Archiving Mail when sent from or to the outside only

Use sender_bcc_maps or recipient_bcc_maps. Configure them so that the archive copy is made when the sender is remote OR the receiver is remote.

  • /etc/postfix/main.cf:
   sender_bcc_maps = pcre:/etc/postfix/archive-check
   recipient_bcc_maps = pcre:/etc/postfix/archive-check
  • /etc/postfix/archive-check:
   !/@example\.com$/        archive@example.com

This is a predicate transformation, from (NOT (local AND local)), what you asked for, into ((NOT local) OR (NOT local)), shown above.

Troubleshooting SMTP/ESMTP problems

Troubleshooting with 3rd Party Sites

Troubleshooting SMTP

With Plan Text Auth

telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
helo mail.example.com
250 mail.example.com
mail from:test@example.com # Can be anything
250 2.1.0 Ok
rcpt to:user@example.net  # Must be a valid address
250 2.1.5 Ok
data
354 Please start mail input.
subject: test message
This is a test message
.
250 Mail queued for delivery.
quit

Troubleshooting ESMTP

If you are using TLS you will need to encrypt your username & password before transiting it.

  • For PLAIN logins:
perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'

Troubleshooting TLS

To connect to a server using TLS run something like this:

openssl s_client -connect mail.example.com:587 -starttls smtp

Now you can run one of the above telnet sessions. You will most likely still need to log in.

openssl s_client -connect mail.example.com:587 -starttls smtp
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES 
250-8BITMIME
250 DSN
auth plain AASDF654ASSDF654ASDF  # Output form perl command above
235 2.7.0 Authentication successful
mail from:from@example.com # Depending on server must be same as login
250 2.1.0 Ok
rcpt to:user@example.net  # Must be a valid address
250 2.1.5 Ok
data
354 Please start mail input.
subject: test message
This is a test message
.
250 Mail queued for delivery.
quit

Troubleshooting Test Message

From: no-one@example.com
Subject: This is a test message
To: test@example.com

This is a test message.

Troubleshooting SMTP Reciving Problems

Troubleshooting Database lookups with postmap

  • To see how an address will lookup
postmap -q postmaster@example.com mysql:/etc/postfix/mysql_virtual_sender_maps.cf

The above command will display the address of who will receive this message, assuming it's not the same.

Troubleshooting Email Address validation

The local part (the section to the left of the @ symbol) may have any of the following characters:

^(?!\.)("([^"\r\\]|\\["\r\\])*"|([-a-z0-9!#$%&'*+/=?^_`{|}~] |(?@[a-z0-9][\w\.-]*[a-z0-9]\.[a-z][a-z\.]*[a-z]$ 

So according to RFC 2822 & RFC 3696 the following are all valid E-Mail addresses (besides the fact that 'example.com' is a invalid domain).

  • "Abc\@def"@example.com
  • "Fred Bloggs"@example.com
  • "Joe\\Blow"@example.com
  • "Abc@def"@example.com
  • customer/department=shipping@example.com
  • $A12345@example.com
  • !def!xyz%abc@example.com
  • _somename@example.com

Base configuration

The main.cf file stores site specific Postfix configuration parameters while master.cf defines daemon processes. The Postfix Basic Configuration tutorial covers the core settings that each site needs to consider.

The Postfix Standard Configuration Examples document discusses configuration settings for a few common environments.

The Postfix Address Rewriting document covers address rewriting and mail routing. The full documentation collection is at Postfix Documentation

More complex Postfix implementations include integration with (for example) SpamAssassin and support for multiple (virtual) domain names, where data in databases such as MySQL can drive complex configurations.[1]

Postfix Resources

References