Postfix Category

Postfix is a free open source mail transfer agent (MTA), for the routing and delivery of email, written by Wietse Venema. It is intended as a fast, easy-to-administer, and secure alternative to the widely-used Sendmail MTA.

It is released under the IBM Public License 1.0.

Postfix only sends and receives emails to other server, if your looking for IMAP or POP3 service look at Dovecot.

Also see Postfix SQLite Admin for a quick Postfix interface.

Applicable RFC's[edit | edit source]

• SMTP - RFC 5321
• TLS - RFC 5246
• SMTP-AUTH - RFC 4954
• SASL - RFC 4422
• IMAP - RFC 3501

Postfix How-To's[edit | edit source]

• Installing Postfix on Fedora using MySQL
• Installing Postfix on Fedora using SQLite
• Installing Postfix on Fedora using LDAP
• Installing Postfix on Fedora using Local Users
• Compiling Postfix From Source on Fedora

Postfix Notes[edit | edit source]

Postfix Queue[edit | edit source]

• To Display the postfix queue

postqueue -p

• Flush the queue: attempt to deliver all queued mail (Retry)

postqueue -f

• To Requeue one messages in the message queue (Delete and resend)

postsuper -r <messages-id>

• To Requeue ALL messages in the message queue (Delete and resend)

postsuper -r ALL

• To Delete one message from the message queue

postsuper -d <messages-id>

• To Delete ALL messages from the message queue

postsuper -d ALL

Postfix Terms[edit | edit source]

• Client - A Client is the sending system.
• Recipient - A Recipient is the receiving email address.

Postfix Version[edit | edit source]

• To Display the current running version of Postfix

postconf -d | grep mail_version

Postfix Log[edit | edit source]

How the delay values are defined in the log[edit | edit source]

From the 2.3.13 Release Notes:
[Feature 20051103] This release makes a beginning with a series of
new attributes in Postfix logfile records.

- Better insight into the nature of performance bottle necks, with
  detailed logging of delays in various stages of message delivery.
  Postfix logs additional delay information as "delays=a/b/c/d"
  where:

  a=time before queue manager, including message transmission;
  b=time in queue manager; 
  c=connection setup time including DNS, HELO and TLS; 
  d=message transmission time.

Postfix Logging Application[edit | edit source]

• http://www.enderunix.org/isoqlog/ - Isoqlog is an MTA log analysis program written in C with http pages

Postfix's SMTPD Recipient Restrictions[edit | edit source]

Things to keep in mind when using Postix's smtpd_recipient_restrictions.

• Evaluate each element in order
• If the result is DEFER or REJECT, stop! The "RCPT TO" command is rejected (or deferred)
• If the result is OK, stop! The "RCPT TO" command is accepted, unless implicit recipient validation finds that the recipient address is invalid (in which case the command is rejected).
• If the result is neutral (DUNNO), continue to the next element

• If the result is DEFER_IF_PERMIT (or DEFER_IF_REJECT), continue to the next element, but at the end the message will be deferred rather than permitted (or rejected) if not rejected (or permitted).

If permitting relay using client certificates, check_ccert_access and friends can also go above reject_unauth_destination.

Mini How-To's[edit | edit source]

To allow select users permission to send to a cretin address[edit | edit source]

So the idea here is to have an email address that you would only like a select few to have access to email to, for example, a everyone or all address. In this example we will be locking down the email address [email protected] and only allow the address [email protected] to send to it.

In /etc/postfix/main.cf add the following:

smtpd_restrictions_classes =  restricted_recipient

• note: This is in smtpd_SENDER_restrictions to avoid becoming an open relay because of the "OK" below.

smtpd_sender_restrictions =
  check_recipient_access hash:/etc/postfix/restricted_recipient

restricted_recipient =
  check_sender_access hash:/etc/postfix/privileged_sender
  reject

restricted_recipient:

[email protected]         restricted_recipient

privileged_sender:

[email protected]         OK

To Reject select sender addresses[edit | edit source]

First start out by creating a file named /etc/postfix/rejected_addresses then add the following to it

[email protected]    REJECT

This will be an hashed map table, so we need to create the hash

postmap /etc/postfix/rejected_addresses

Next we need to add the map to our /etc/postfix/main.cffile. We will be adding this to the smtpd_recipient_restrictions section.

smtpd_recipient_restrictions =
  ...
  check_sender_access hash:/etc/postfix/rejected_addresses,
  ...
  reject_unauth_destination

Once complete reload postfix

postfix reload

Require FQDN on all but some[edit | edit source]

/etc/postfix/main.cf:

smtpd_recipient_restrictions =
   ...
   check_client_access cidr:/etc/postfix/client_cidr
   ...

/etc/postfix/client_cidr:

   123.123.123.123     OK
   192.168.0.1/32      dunno
   0.0.0.0/0           reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
   ::/0                reject_non_fqdn_sender, reject_non_fqdn_recipient, ...

The first entry in the above file is the IP address of the known OK client. The "dunno" entry is your local network. dunno stats to act as if this entry failed and move on to the next. Not intuitive, but effective.

To "Freeze" Postfix Delivery[edit | edit source]

By Freezing Postfix, your directing Postfix to queue all inbound mail, but not send any messages from it's queue. This is very use full in an emergency such as a virus attack or even just a internal outage that will prevent mail from being stored correctly. All inbound mail will be stored in the queue until released by the unfreeze command (or removed the config options and restarting Postfix). You will be able to see the message in the queue by running the 'postqueue -p' command.

To Freeze Postfix delivery and hold all mail in queue.

postconf -e master_service_disable=qmgr.fifo in_flow_delay=0 && postfix reload

To Unfreeze Postfix and deliver the queued mail.

postconf -e master_service_disable= in_flow_delay=1 && postfix reload

Relay mail for a single domain to a different MX[edit | edit source]

The below entry will route all traffic destine for 'example.com' to port 587 on 'smtp.example.net'.

• /etc/postfix/transport:

   example.com         smtp:[smtp.example.net]:587

Suspend delivery of mail per domain[edit | edit source]

• /etc/postfix/transport:

   [email protected]	retry:4.4.1 Service unavailable
   mx.example.com	retry:4.4.1 Service unavailable

Also be aware of the current value of maximal_queue_lifetime.

postconf maximal_queue_lifetime

Archiving Mail when sent from or to the outside only[edit | edit source]

Use sender_bcc_maps or recipient_bcc_maps. Configure them so that the archive copy is made when the sender is remote OR the receiver is remote.

• /etc/postfix/main.cf:

   sender_bcc_maps = pcre:/etc/postfix/archive-check
   recipient_bcc_maps = pcre:/etc/postfix/archive-check

• /etc/postfix/archive-check:

   !/@example\.com$/        [email protected]

This is a predicate transformation, from (NOT (local AND local)), what you asked for, into ((NOT local) OR (NOT local)), shown above.

Troubleshooting SMTP/ESMTP problems[edit | edit source]

• See mini_sendmail for a quick and easy SMTP testing option.
• Or just download it from here Mini Sendmail 1.3.6.

Troubleshooting with 3rd Party Sites[edit | edit source]

• http://www.mxtoolbox.com/blacklists.aspx
• http://www.mxtoolbox.com/diagnostic.aspx

Troubleshooting SMTP[edit | edit source]

With Plan Text Auth

telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
helo mail.example.com
250 mail.example.com
mail from:[email protected] # Can be anything
250 2.1.0 Ok
rcpt to:[email protected]  # Must be a valid address
250 2.1.5 Ok
data
354 Please start mail input.
subject: test message
This is a test message
.
250 Mail queued for delivery.
quit

Troubleshooting ESMTP[edit | edit source]

If you are using TLS you will need to encrypt your username & password before transiting it.

• For PLAIN logins:

perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'

Troubleshooting TLS[edit | edit source]

To connect to a server using TLS run something like this:

openssl s_client -connect mail.example.com:587 -starttls smtp

Now you can run one of the above telnet sessions. You will most likely still need to log in.

openssl s_client -connect mail.example.com:587 -starttls smtp
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES 
250-8BITMIME
250 DSN
auth plain AASDF654ASSDF654ASDF  # Output form perl command above
235 2.7.0 Authentication successful
mail from:[email protected] # Depending on server must be same as login
250 2.1.0 Ok
rcpt to:[email protected]  # Must be a valid address
250 2.1.5 Ok
data
354 Please start mail input.
subject: test message
This is a test message
.
250 Mail queued for delivery.
quit

Troubleshooting Test Message[edit | edit source]

From: [email protected]
Subject: This is a test message
To: [email protected]

This is a test message.

Troubleshooting SMTP Reciving Problems[edit | edit source]

• To change the greeting when you receive mail, please see
  • http://www.postfix.org/postconf.5.html#smtpd_banner
  • http://www.postfix.org/postconf.5.html#myhostname

Troubleshooting Database lookups with postmap[edit | edit source]

• To see how an address will lookup

postmap -q [email protected] mysql:/etc/postfix/mysql_virtual_sender_maps.cf

The above command will display the address of who will receive this message, assuming it's not the same.

Troubleshooting Email Address validation[edit | edit source]

• Validator: http://www.mythic-beasts.com/~pdw/cgi-bin/emailvalidate
• Article: http://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx

The local part (the section to the left of the @ symbol) may have any of the following characters:

^(?!\.)("([^"\r\\]|\\["\r\\])*"|([-a-z0-9!#$%&'*+/=?^_`{|}~] |([email protected][a-z0-9][\w\.-]*[a-z0-9]\.[a-z][a-z\.]*[a-z]$ 

So according to RFC 2822 & RFC 3696 the following are all valid E-Mail addresses (besides the fact that 'example.com' is a invalid domain).

• "Abc\@def"@example.com
• "Fred Bloggs"@example.com
• "Joe\\Blow"@example.com
• "[email protected]"@example.com
• customer/[email protected]
• [email protected]
• !def!xyz%[email protected]
• [email protected]

Base configuration[edit | edit source]

The main.cf file stores site specific Postfix configuration parameters while master.cf defines daemon processes. The Postfix Basic Configuration tutorial covers the core settings that each site needs to consider.

The Postfix Standard Configuration Examples document discusses configuration settings for a few common environments.

The Postfix Address Rewriting document covers address rewriting and mail routing. The full documentation collection is at Postfix Documentation

More complex Postfix implementations include integration with (for example) SpamAssassin and support for multiple (virtual) domain names, where data in databases such as MySQL can drive complex configurations.^[1]

Postfix Resources[edit | edit source]

• Postfix Email Status Codes
• Content Filter
• Postfix before-queue Milter
• DomainKeys message signing and verification (dkfilter)
• Postfix Admin - Full Management system, and allows users to update there auto reply's and passwords.
• Korreio - Postfix Queue Manager

References[edit | edit source]