Linuxdoc Linux Questions
Click here to ask our community of linux experts!
Custom Search

6. Configuring Postfix

Postfix needs two major config files: main.cf and master.cf. Both need your attention.

6.1. master.cf

You need to change just one line:

old:

flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

new:

flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}

What does that change affect?

A look to the cyrus man-pages man deliver clears up that issue:

The Postfix default setup uses a wrong path to cyrus deliver, this is the first change. The parameter »-r« inserts a proper return path. Without that, mail rejected/retured by sieve will be sent to the cyrus user at yourdomain.

6.2. main.cf

Here you need to change some more things like hostname, relaying, alias-lookups etc.

First change the hostname:

myhostname = foo.bar.org

mydestination

Here you have to put all domainnames that are local (corresponding to sendmail's /etc/mail/sendmail.cw). If you have multiple domains, separate them with comma.

mydestination = foo.bar.org, example.com, furchbar-grausam.ch, 
 whatever.domain.tld, mysql:/etc/postfix/mysql-mydestination.cf

Relayhost

Here you define where to deliver outgoing mails. If you do not provide any host, mail is delivered directly to the destination smtp host. Usually your relayhosts are your internet service provider's smtp server.

relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net

Mailtransport

Here you define how the mails accepted for local delivery should be handled. In your situation, mail should be delivered by the cyrus delivery program.

mailbox_transport = cyrus

At the end of file you need to add:

virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf

If you don't want to have a overriding /etc/postfix/virtual, skip the hash entry

Outgoing addresses should be rewritten from test0002 at domain to user.name at virtualhost.com. This is important if you want to use a webmail interface.

sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf 

Now you need to create the file /etc/postfix/mysql-virtual.cf:

#
# mysql config file for alias lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual

#
select_field = dest
where_field = alias
additional_conditions = and status = '1'

The file /etc/postfix/mysql-canonical.cf:

# mysql config file for canonical lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1

Finally the file /etc/postfix/mysql-mydestination.cf:

# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = domain
#
select_field = domain_name
where_field = domain_name

SMTP Authentication with SASL and PAM

Put the following in your /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes

You also need to create the file /usr/local/lib/sasl2/smtpd.conf with the following contents:

pwcheck_method: saslauthd

The next step is to tell postfix how to find the saslauthd socket:

mv /var/run/sasl2 /var/run/sasl2-old
ln -s /var/run/saslauthd /var/run/sasl2

6.3. Fighting against SPAM

This section describes how to implement a basic SPAM protection setup with postfix. It does not use any external software like spamassassin, etc.

Postfix has some built-in filters that allow you to stop obvious SPAM attempts. In particular these are:

  • smtpd_helo_required = yes

    This switch in main.cf means that SMTP clients connecting to your mail server must give a »helo« when connecting.

  • smtpd_recipient_restrictions

    This option in main.cf lets you define different rules on the handling the acceptance of mail. The following example simply rejects all invalid sender and recipient data. Additionally it defines how to lookup known spammers from online blacklists.

    smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_non_fqdn_hostname,
                reject_non_fqdn_sender,
                reject_non_fqdn_recipient,
                reject_unknown_sender_domain,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                reject_unauth_destination,
                reject_rbl_client zombie.dnsbl.sorbs.net,
                reject_rbl_client relays.ordb.org,
                reject_rbl_client opm.blitzed.org,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl.spamhaus.org,
                permit
    
  • mime_header_checks=pcre:/etc/postfix/body_checks

    MIME header checks let you reject mail which contains malicious MIME content, i.e dangerous attachments such as Windows executables. Create the file /etc/postfix/body_checks. The following example rejects all mail that contains potentially dangerous attachments. In my experience, using this example would filter out most of viruses delivered by e-mail. In any event, a virus scanner should always be installed.

           /^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/      REJECT  attachment type not allowed