Postfix: Difference between revisions
mNo edit summary |
m (→FAQ) |
||
(46 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
*[http://www.postfix.org/ Homepage] | *[http://www.postfix.org/ Homepage] | ||
*http://www.postfix.org/ADDRESS_CLASS_README.html | *http://www.postfix.org/ADDRESS_CLASS_README.html | ||
*[http://www.freebsddiary.org/postfix.php Postfix on FreeBSD] | *[http://www.freebsddiary.org/postfix.php Postfix on FreeBSD] | ||
Line 11: | Line 12: | ||
*[http://www.postfix.org/faq.html FAQ] | *[http://www.postfix.org/faq.html FAQ] | ||
*[http://wiki.linuxquestions.org/wiki/Postfix_with_clamav-milter Postfix with clamav-milter] | *[http://wiki.linuxquestions.org/wiki/Postfix_with_clamav-milter Postfix with clamav-milter] | ||
*[[postfix dovecot]] | *[[postfix dovecot]] | ||
*[[postfix amavisd-new freebsd]] | *[[postfix amavisd-new freebsd]] | ||
Line 21: | Line 21: | ||
*https://skrilnetz.net/setup-your-own-mailserver/ | *https://skrilnetz.net/setup-your-own-mailserver/ | ||
*[https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin] | *[https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin] | ||
*[https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix Hands-on: implementing SPF, DKIM and DMARC in Postfix] | |||
==Postfix and smtp auth/sasl== | ==Postfix and smtp auth/sasl== | ||
*http://www.postfix.org/SASL_README.html | *http://www.postfix.org/SASL_README.html | ||
* | *[https://wiki.centos.org/HowTos/postfix_sasl Postfix/dovecot SASL and SSL/TLS guide on CentOS] | ||
*[https://www.linode.com/docs/guides/postfix-smtp-debian7/ Configure Postfix to Send Email Using External SMTP Servers] | |||
*[https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/ Postfix, dovecot and sasl] | |||
*http://adomas.org/2006/08/postfix-dovecot/ | *http://adomas.org/2006/08/postfix-dovecot/ | ||
*http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html | *http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html | ||
*http://forums.macosxhints.com/archive/index.php/t-96919.html | *http://forums.macosxhints.com/archive/index.php/t-96919.html | ||
*[https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-dane-in-postfix Implementing DANE in postfix] | |||
===Postfix and Network Solutions certificates=== | ===Postfix and Network Solutions certificates=== | ||
Line 40: | Line 41: | ||
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file | #NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file | ||
smtpd_tls_CAfile = /etc/postfix/intermediate.pem | smtpd_tls_CAfile = /etc/postfix/intermediate.pem | ||
===SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available=== | |||
install cyrus-sasl-plain | |||
=HOWTO= | |||
==Test smtp with telnet or openssl== | |||
https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/ | |||
==DANE compliant config== | |||
smtpd_tls_protocols = TLSv1.2, TLSv1.3 | |||
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 | |||
smtpd_tls_exclude_ciphers = | |||
EXP, LOW, MEDIUM, | |||
aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, | |||
ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, | |||
MD5, SHA | |||
smtpd_tls_ciphers = high | |||
smtpd_tls_mandatory_ciphers = high | |||
smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem | |||
#for tlsv1.2, implicit in 1.3 | |||
tls_ssl_options = NO_RENEGOTIATION | |||
smtpd_tls_eecdh_grade = ultra | |||
==Postfix and LDAP== | ==Postfix and LDAP== | ||
Line 73: | Line 97: | ||
man maildirquota | man maildirquota | ||
=Tools= | |||
==Send mail via relay with authentication== | |||
See [https://www.postfix.org/SASL_README.html SASL_README] | |||
===Test relay authentication=== | |||
openssl s_client -connect server:25 -starttls smtp (-crlf if exchange) | |||
smtp_sasl_auth_enable = yes | |||
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd | |||
smtp_use_tls = yes | |||
smtp_sasl_security_options = noanonymous | |||
# if they use some self signed cert | |||
smtp_tls_CAfile = /etc/postfix/cacert.crt | |||
Exchange issues | |||
# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature? | |||
tls_ssl_options = 0x80 | |||
#you might need this | |||
smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest | |||
relayhost = [smtp.office365.com]:587 | |||
===sasl_password=== | |||
username:password | |||
or | |||
[relayname]:587 username:password | |||
===Relaying via office365=== | |||
https://apiit.atlassian.net/wiki/spaces/ITSM/pages/1205567492/How+to+configure+postfix+relay+to+Office365+on+Ubuntu | |||
====/etc/postfix/sasl_passwd==== | |||
[smtp.office365.com]:587 username@yourdomain:office365password | |||
====/etc/postfix/generic==== | |||
root@whatever username@yourdomain | |||
====/etc/postfix/main.cf==== | |||
relayhost = [smtp.office365.com]:587 | |||
smtp_tls_security_level=may | |||
smtp_sasl_auth_enable = yes | |||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd | |||
smtp_sasl_security_options = noanonymous | |||
smtp_tls_security_level=may | |||
smtp_generic_maps = hash:/etc/postfix/generic | |||
=Tools and commands= | |||
==postconf== | |||
===Fix origin=== | |||
postconf -e 'myorigin=$myhostname' | |||
*[https://internet.nl/test-mail/ Test-mail for DANE compliancy] | |||
*postfwd | *postfwd | ||
==pflogsumm== | ==pflogsumm== | ||
Log analyzer | Log analyzer | ||
==vimbadmin== | ==vimbadmin== | ||
[http://www.vimbadmin.net/ vimbadmin] | [http://www.vimbadmin.net/ vimbadmin] | ||
= Notes = | = Notes = | ||
Line 110: | Line 187: | ||
== tls on outgoing mail == | == tls on outgoing mail == | ||
smtp_use_tls = yes | smtp_use_tls = yes | ||
smtp_tls_security_level = may | smtp_tls_security_level = may | ||
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt | TODO is all this really needed?? | ||
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem | smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt | ||
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key | smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem | ||
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache | smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key | ||
smtp_tls_loglevel = 1 | smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache | ||
smtp_tls_loglevel = 1 | |||
=CentOS packages= | =CentOS packages= | ||
Line 122: | Line 200: | ||
or epel :) | or epel :) | ||
=FAQ= | |||
===Limit CC === | |||
= FAQ = | |||
==smtp vs smtpd== | |||
smtpd = incoming | |||
smtp = outgoing | |||
==Stop trying to bounce to noreply@== | |||
In '''transport_maps''' set | |||
noreply@example.com discard | |||
and in '''main.cf''' | |||
transport_maps = hash:/etc/postfix/transport_maps | |||
remember to | |||
postmap /etc/postfix/transport_maps | |||
and | |||
postfix reload | |||
==warning: no MX host for xxx has a valid address record== | |||
Probably means the defined MX record does not resolve | |||
=== Limit CC === | |||
/etc/postfix/header_checks | /etc/postfix/header_checks | ||
Line 129: | Line 229: | ||
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients. | /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients. | ||
===log subject== | == fatal: bad string length 0 < 1: sendmail_path = == | ||
Looks like a debconf feature, install mailutils and | |||
postconf -e sendmail_path=/usr/sbin/sendmail | |||
and probably also | |||
postconf -e mailq_path=/usr/bin/mailq | |||
postconf -e newaliases_path=/usr/bin/newaliases | |||
then | |||
postfix reload | |||
to check, maybe more broke | |||
== log subject == | |||
https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html | |||
Create file /etc/postfix/header_checks and put in: | Create file /etc/postfix/header_checks and put in: | ||
/^[Ss]ubject:/ WARN | /^[Ss]ubject:/ WARN | ||
and in /etc/postfix/main.cf | and in /etc/postfix/main.cf | ||
header_checks = regexp:/etc/postfix/header_checks | |||
| |||
=== rate limit outgoing mail === | === rate limit outgoing mail === | ||
*[http://steam.io/2013/04/01/postfix-rate-limiting/ Postfix rate limiting – Politeness goes a long way] | *[http://steam.io/2013/04/01/postfix-rate-limiting/ Postfix rate limiting – Politeness goes a long way DEAD LINK] | ||
*[https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling.html limit by domain] | *[https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling.html limit by domain] | ||
Probably start with | Probably start with | ||
smtp_destination_rate_delay = 5s | postconf -e smtp_destination_rate_delay=5s | ||
this seems safe for outlook. | |||
== queue == | == queue == | ||
Line 163: | Line 281: | ||
postsuper -d | postsuper -d | ||
=== Requeue mails === | === Requeue all mails === | ||
postsuper -r ALL | postsuper -r ALL | ||
or | or | ||
postqueue -f | postqueue -f | ||
==Postfix as secondary MX== | |||
===delivery temporarily suspended=== | |||
== Postfix as secondary MX == | |||
relay_domains = foo.com, bar.com | relay_domains = foo.com, bar.com | ||
relay_recipient_maps = | relay_recipient_maps = | ||
hash:/etc/postfix/relay_recipients | hash:/etc/postfix/relay_recipients | ||
| |||
== milter-reject 4.7.0 DNS timeout == | |||
Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it. | |||
== | == postqueue: fatal: Connect to the Postfix showq service: Permission denied == | ||
postfix set-permissions | postfix set-permissions | ||
== warning: SASL authentication failure: No worthy mechs found== | == too many concurrent connections == | ||
If that's what you get sending to a server you don't control, check | |||
initial_destination_limit (??) | |||
smtp_destination_concurrency_limit | |||
| |||
== warning: SASL authentication failure: No worthy mechs found == | |||
could be missing cyrus-sasl-plain | could be missing cyrus-sasl-plain | ||
| |||
== Sender address rejected: need fully-qualified address == | |||
myorigin = /etc/mailname | |||
If you're using mailutils, make sure fqdn is in /etc/hostname, double check with '''hostname -f''' | |||
See also | |||
mail --config-help | |||
about contents of /etc/mailutils.conf, and | |||
man hostname | |||
==newaliases: fatal: bad string length 0 < 1: setgid_group === | |||
Probably Ubuntu (Debian?), comment out the setgid_group line | |||
==warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:== | |||
==delivery temporarily suspended== | |||
Connection timed out | |||
if IP changed in transport, remember to postmap transport, also see | |||
postqueue -i | |||
==Log messages== | |||
===warning: lots of deferred mail, that is bad for performance=== | |||
[[Category: | [[Category:Mail]] |
Latest revision as of 09:35, 21 October 2024
Docs
- http://www.postfix.org/ADDRESS_CLASS_README.html
- Postfix on FreeBSD
- Postfix survival guide
- Postfix and Amavis
- Postfix and SpamAssassin
- postfix+spamd
- postfix with spamassass-milter on freebsd
- FAQ
- Postfix with clamav-milter
- postfix dovecot
- postfix amavisd-new freebsd
- http://souptonuts.sourceforge.net/postfix_tutorial.html
- Setting up automatic relay_recipient_maps in postfix
- http://wiki.kartbuilding.net/index.php/Postfix_SMTP#Blocking_Spam_with_spamhaus_and_Postfix
- Postfix on Debian
- http://www.postfix.org/VIRTUAL_README.html
- https://skrilnetz.net/setup-your-own-mailserver/
- How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin
- Hands-on: implementing SPF, DKIM and DMARC in Postfix
Postfix and smtp auth/sasl
- http://www.postfix.org/SASL_README.html
- Postfix/dovecot SASL and SSL/TLS guide on CentOS
- Configure Postfix to Send Email Using External SMTP Servers
- Postfix, dovecot and sasl
- http://adomas.org/2006/08/postfix-dovecot/
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
- http://forums.macosxhints.com/archive/index.php/t-96919.html
- Implementing DANE in postfix
Postfix and Network Solutions certificates
#The private key you created together with privkey.csr, readable for root only! smtpd_tls_key_file = privkey.pem
#the certificate you received from NS smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file smtpd_tls_CAfile = /etc/postfix/intermediate.pem
SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available
install cyrus-sasl-plain
HOWTO
Test smtp with telnet or openssl
https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/
DANE compliant config
smtpd_tls_protocols = TLSv1.2, TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 smtpd_tls_exclude_ciphers =
EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
- for tlsv1.2, implicit in 1.3
tls_ssl_options = NO_RENEGOTIATION smtpd_tls_eecdh_grade = ultra
Postfix and LDAP
- Postfix LDAP
- Hosting Multiple Domains with Virtual Accounts
- LDAP Support in Postfix
- Virtual hosting with LDAP
- Postfix LDAP Howto v2.1
- http://www.root-it.fiberworld.nl/vriesman.tk/postfix-courier-ldap-howto.html
- http://swik.net/Postfix+LDAP
- http://gentoo-wiki.com/HOWTO_Postfix-LDAP_virtual_users_with_qmail_schema
- http://www.ldapsource.com/content/ldap_postfix.html
- http://www.boobah.info/howto/postfix-ldap.html
Spam filtering
- http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
- Postfwd
- Postscreen
- Postscreen cheatsheet
- http://www.xnote.com/howto/postfix-spamassassin.html
- http://www.akadia.com/services/postfix_spamassassin.html
- Filtering spam with Postfix
- Postfix and spamass-milter
ldap and aliases
- http://www.postfix.org/LDAP_README.html
- http://www.howtoforge.com/mandriva-directory-server-on-debian-etch-p3
man ldap_table man maildirquota
Send mail via relay with authentication
See SASL_README
Test relay authentication
openssl s_client -connect server:25 -starttls smtp (-crlf if exchange)
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd smtp_use_tls = yes smtp_sasl_security_options = noanonymous # if they use some self signed cert smtp_tls_CAfile = /etc/postfix/cacert.crt
Exchange issues
# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature? tls_ssl_options = 0x80 #you might need this smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest relayhost = [smtp.office365.com]:587
sasl_password
username:password
or
[relayname]:587 username:password
Relaying via office365
/etc/postfix/sasl_passwd
[smtp.office365.com]:587 username@yourdomain:office365password
/etc/postfix/generic
root@whatever username@yourdomain
/etc/postfix/main.cf
relayhost = [smtp.office365.com]:587
smtp_tls_security_level=may smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_security_level=may smtp_generic_maps = hash:/etc/postfix/generic
Tools and commands
postconf
Fix origin
postconf -e 'myorigin=$myhostname'
- Test-mail for DANE compliancy
- postfwd
pflogsumm
Log analyzer
vimbadmin
Notes
- postconf
- postsuper
anti spam measures that work for me
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unverified_recipient, permit_mynetworks, reject_sender_login_mismatch, reject_invalid_hostname, reject_unknown_reverse_client_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access, reject_rbl_client bl.spamcop.net,
- reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client b.barracudacentral.org, permit
tls on outgoing mail
smtp_use_tls = yes smtp_tls_security_level = may
TODO is all this really needed??
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_loglevel = 1
CentOS packages
gf-plus repository or epel :)
FAQ
smtp vs smtpd
smtpd = incoming
smtp = outgoing
Stop trying to bounce to noreply@
In transport_maps set
noreply@example.com discard
and in main.cf
transport_maps = hash:/etc/postfix/transport_maps
remember to
postmap /etc/postfix/transport_maps
and
postfix reload
warning: no MX host for xxx has a valid address record
Probably means the defined MX record does not resolve
Limit CC
/etc/postfix/header_checks
/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients. /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
fatal: bad string length 0 < 1: sendmail_path =
Looks like a debconf feature, install mailutils and
postconf -e sendmail_path=/usr/sbin/sendmail
and probably also
postconf -e mailq_path=/usr/bin/mailq postconf -e newaliases_path=/usr/bin/newaliases
then
postfix reload
to check, maybe more broke
log subject
https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html
Create file /etc/postfix/header_checks and put in:
/^[Ss]ubject:/ WARN
and in /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
rate limit outgoing mail
Probably start with
postconf -e smtp_destination_rate_delay=5s
this seems safe for outlook.
queue
Clean the postfix queue
mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d ${i};done
Or simple:
postsuper -d ALL
View message in queue
postcat
Delete message from queue
postsuper -d
Requeue all mails
postsuper -r ALL
or
postqueue -f
delivery temporarily suspended
Postfix as secondary MX
relay_domains = foo.com, bar.com relay_recipient_maps = hash:/etc/postfix/relay_recipients
milter-reject 4.7.0 DNS timeout
Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.
postqueue: fatal: Connect to the Postfix showq service: Permission denied
postfix set-permissions
too many concurrent connections
If that's what you get sending to a server you don't control, check
initial_destination_limit (??) smtp_destination_concurrency_limit
warning: SASL authentication failure: No worthy mechs found
could be missing cyrus-sasl-plain
Sender address rejected: need fully-qualified address
myorigin = /etc/mailname
If you're using mailutils, make sure fqdn is in /etc/hostname, double check with hostname -f See also
mail --config-help
about contents of /etc/mailutils.conf, and
man hostname
newaliases: fatal: bad string length 0 < 1: setgid_group =
Probably Ubuntu (Debian?), comment out the setgid_group line
warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:
delivery temporarily suspended
Connection timed out
if IP changed in transport, remember to postmap transport, also see
postqueue -i