Postfix Category

From MattWiki
(Redirected from Postfix)

Postfix is a free open source mail transfer agent (MTA), for the routing and delivery of email, written by Wietse Venema. It is intended as a fast, easy-to-administer, and secure alternative to the widely-used Sendmail MTA.

It is released under the IBM Public License 1.0.

Postfix only sends and receives emails to other server, if your looking for IMAP or POP3 service look at Dovecot.

Also see Postfix SQLite Admin for a quick Postfix interface.

Applicable RFC's[edit | edit source]

Postfix How-To's[edit | edit source]

Postfix Notes[edit | edit source]

Postfix Queue[edit | edit source]

  • To Display the postfix queue
postqueue -p
  • Flush the queue: attempt to deliver all queued mail (Retry)
postqueue -f
  • To Requeue one messages in the message queue (Delete and resend)
postsuper -r <messages-id>
  • To Requeue ALL messages in the message queue (Delete and resend)
postsuper -r ALL
  • To Delete one message from the message queue
postsuper -d <messages-id>
  • To Delete ALL messages from the message queue
postsuper -d ALL

Postfix Terms[edit | edit source]

  • Client - A Client is the sending system.
  • Recipient - A Recipient is the receiving email address.

Postfix Version[edit | edit source]

  • To Display the current running version of Postfix
postconf -d | grep mail_version

Postfix Log[edit | edit source]

How the delay values are defined in the log[edit | edit source]

From the 2.3.13 Release Notes:
[Feature 20051103] This release makes a beginning with a series of
new attributes in Postfix logfile records.

- Better insight into the nature of performance bottle necks, with
  detailed logging of delays in various stages of message delivery.
  Postfix logs additional delay information as "delays=a/b/c/d"

  a=time before queue manager, including message transmission;
  b=time in queue manager; 
  c=connection setup time including DNS, HELO and TLS; 
  d=message transmission time.

Postfix Logging Application[edit | edit source]

Postfix's SMTPD Recipient Restrictions[edit | edit source]

Things to keep in mind when using Postix's smtpd_recipient_restrictions.

  • Evaluate each element in order
  • If the result is DEFER or REJECT, stop! The "RCPT TO" command is rejected (or deferred)
  • If the result is OK, stop! The "RCPT TO" command is accepted, unless implicit recipient validation finds that the recipient address is invalid (in which case the command is rejected).
  • If the result is neutral (DUNNO), continue to the next element
  • If the result is DEFER_IF_PERMIT (or DEFER_IF_REJECT), continue to the next element, but at the end the message will be deferred rather than permitted (or rejected) if not rejected (or permitted).

If permitting relay using client certificates, check_ccert_access and friends can also go above reject_unauth_destination.

Mini How-To's[edit | edit source]

To allow select users permission to send to a cretin address[edit | edit source]

So the idea here is to have an email address that you would only like a select few to have access to email to, for example, a everyone or all address. In this example we will be locking down the email address [email protected] and only allow the address [email protected] to send to it.

In /etc/postfix/ add the following:

smtpd_restrictions_classes =  restricted_recipient
  • note: This is in smtpd_SENDER_restrictions to avoid becoming an open relay because of the "OK" below.
smtpd_sender_restrictions =
  check_recipient_access hash:/etc/postfix/restricted_recipient
restricted_recipient =
  check_sender_access hash:/etc/postfix/privileged_sender


[email protected]         restricted_recipient


[email protected]         OK

To Reject select sender addresses[edit | edit source]

First start out by creating a file named /etc/postfix/rejected_addresses then add the following to it

[email protected]    REJECT

This will be an hashed map table, so we need to create the hash

postmap /etc/postfix/rejected_addresses

Next we need to add the map to our /etc/postfix/main.cffile. We will be adding this to the smtpd_recipient_restrictions section.

smtpd_recipient_restrictions =
  check_sender_access hash:/etc/postfix/rejected_addresses,

Once complete reload postfix

postfix reload

Require FQDN on all but some[edit | edit source]


smtpd_recipient_restrictions =
   check_client_access cidr:/etc/postfix/client_cidr

/etc/postfix/client_cidr:     OK      dunno           reject_non_fqdn_sender, reject_non_fqdn_recipient, ...
   ::/0                reject_non_fqdn_sender, reject_non_fqdn_recipient, ...

The first entry in the above file is the IP address of the known OK client. The "dunno" entry is your local network. dunno stats to act as if this entry failed and move on to the next. Not intuitive, but effective.

To "Freeze" Postfix Delivery[edit | edit source]

By Freezing Postfix, your directing Postfix to queue all inbound mail, but not send any messages from it's queue. This is very use full in an emergency such as a virus attack or even just a internal outage that will prevent mail from being stored correctly. All inbound mail will be stored in the queue until released by the unfreeze command (or removed the config options and restarting Postfix). You will be able to see the message in the queue by running the 'postqueue -p' command.

To Freeze Postfix delivery and hold all mail in queue.

postconf -e master_service_disable=qmgr.fifo in_flow_delay=0 && postfix reload

To Unfreeze Postfix and deliver the queued mail.

postconf -e master_service_disable= in_flow_delay=1 && postfix reload

Relay mail for a single domain to a different MX[edit | edit source]

The below entry will route all traffic destine for '' to port 587 on ''.

  • /etc/postfix/transport:         smtp:[]:587

Suspend delivery of mail per domain[edit | edit source]

  • /etc/postfix/transport:
   [email protected]	retry:4.4.1 Service unavailable	retry:4.4.1 Service unavailable

Also be aware of the current value of maximal_queue_lifetime.

postconf maximal_queue_lifetime

Archiving Mail when sent from or to the outside only[edit | edit source]

Use sender_bcc_maps or recipient_bcc_maps. Configure them so that the archive copy is made when the sender is remote OR the receiver is remote.

  • /etc/postfix/
   sender_bcc_maps = pcre:/etc/postfix/archive-check
   recipient_bcc_maps = pcre:/etc/postfix/archive-check
  • /etc/postfix/archive-check:
   !/@example\.com$/        [email protected]

This is a predicate transformation, from (NOT (local AND local)), what you asked for, into ((NOT local) OR (NOT local)), shown above.

Troubleshooting SMTP/ESMTP problems[edit | edit source]

Troubleshooting with 3rd Party Sites[edit | edit source]

Troubleshooting SMTP[edit | edit source]

With Plan Text Auth

telnet 25
220 ESMTP Postfix
mail from:[email protected] # Can be anything
250 2.1.0 Ok
rcpt to:[email protected]  # Must be a valid address
250 2.1.5 Ok
354 Please start mail input.
subject: test message
This is a test message
250 Mail queued for delivery.

Troubleshooting ESMTP[edit | edit source]

If you are using TLS you will need to encrypt your username & password before transiting it.

  • For PLAIN logins:
perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'

Troubleshooting TLS[edit | edit source]

To connect to a server using TLS run something like this:

openssl s_client -connect -starttls smtp

Now you can run one of the above telnet sessions. You will most likely still need to log in.

openssl s_client -connect -starttls smtp
220 ESMTP Postfix
250-SIZE 10240000
250 DSN
auth plain AASDF654ASSDF654ASDF  # Output form perl command above
235 2.7.0 Authentication successful
mail from:[email protected] # Depending on server must be same as login
250 2.1.0 Ok
rcpt to:[email protected]  # Must be a valid address
250 2.1.5 Ok
354 Please start mail input.
subject: test message
This is a test message
250 Mail queued for delivery.

Troubleshooting Test Message[edit | edit source]

From: [email protected]
Subject: This is a test message
To: [email protected]

This is a test message.

Troubleshooting SMTP Reciving Problems[edit | edit source]

Troubleshooting Database lookups with postmap[edit | edit source]

  • To see how an address will lookup
postmap -q [email protected] mysql:/etc/postfix/

The above command will display the address of who will receive this message, assuming it's not the same.

Troubleshooting Email Address validation[edit | edit source]

The local part (the section to the left of the @ symbol) may have any of the following characters:

^(?!\.)("([^"\r\\]|\\["\r\\])*"|([-a-z0-9!#$%&'*+/=?^_`{|}~] |([email protected][a-z0-9][\w\.-]*[a-z0-9]\.[a-z][a-z\.]*[a-z]$ 

So according to RFC 2822 & RFC 3696 the following are all valid E-Mail addresses (besides the fact that '' is a invalid domain).

Base configuration[edit | edit source]

The file stores site specific Postfix configuration parameters while defines daemon processes. The Postfix Basic Configuration tutorial covers the core settings that each site needs to consider.

The Postfix Standard Configuration Examples document discusses configuration settings for a few common environments.

The Postfix Address Rewriting document covers address rewriting and mail routing. The full documentation collection is at Postfix Documentation

More complex Postfix implementations include integration with (for example) SpamAssassin and support for multiple (virtual) domain names, where data in databases such as MySQL can drive complex configurations.[1]

Postfix Resources[edit | edit source]

References[edit | edit source]