Postfix: Difference between revisions
Line 259: | Line 259: | ||
Probably start with | Probably start with | ||
postconf smtp_destination_rate_delay=5s | postconf -e smtp_destination_rate_delay=5s | ||
this seems safe for outlook. | this seems safe for outlook. |
Revision as of 09:38, 2 September 2024
Docs
- http://www.postfix.org/ADDRESS_CLASS_README.html
- Postfix on FreeBSD
- Postfix survival guide
- Postfix and Amavis
- Postfix and SpamAssassin
- postfix+spamd
- postfix with spamassass-milter on freebsd
- FAQ
- Postfix with clamav-milter
- postfix dovecot
- postfix amavisd-new freebsd
- http://souptonuts.sourceforge.net/postfix_tutorial.html
- Setting up automatic relay_recipient_maps in postfix
- http://wiki.kartbuilding.net/index.php/Postfix_SMTP#Blocking_Spam_with_spamhaus_and_Postfix
- Postfix on Debian
- http://www.postfix.org/VIRTUAL_README.html
- https://skrilnetz.net/setup-your-own-mailserver/
- How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin
- Hands-on: implementing SPF, DKIM and DMARC in Postfix
Postfix and smtp auth/sasl
- http://www.postfix.org/SASL_README.html
- Postfix/dovecot SASL and SSL/TLS guide on CentOS
- Configure Postfix to Send Email Using External SMTP Servers
- Postfix, dovecot and sasl
- http://adomas.org/2006/08/postfix-dovecot/
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
- http://forums.macosxhints.com/archive/index.php/t-96919.html
- Implementing DANE in postfix
Postfix and Network Solutions certificates
#The private key you created together with privkey.csr, readable for root only! smtpd_tls_key_file = privkey.pem
#the certificate you received from NS smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file smtpd_tls_CAfile = /etc/postfix/intermediate.pem
SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available
install cyrus-sasl-plain
HOWTO
Test smtp with telnet or openssl
https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/
DANE compliant config
smtpd_tls_protocols = TLSv1.2, TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 smtpd_tls_exclude_ciphers =
EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
- for tlsv1.2, implicit in 1.3
tls_ssl_options = NO_RENEGOTIATION smtpd_tls_eecdh_grade = ultra
Postfix and LDAP
- Postfix LDAP
- Hosting Multiple Domains with Virtual Accounts
- LDAP Support in Postfix
- Virtual hosting with LDAP
- Postfix LDAP Howto v2.1
- http://www.root-it.fiberworld.nl/vriesman.tk/postfix-courier-ldap-howto.html
- http://swik.net/Postfix+LDAP
- http://gentoo-wiki.com/HOWTO_Postfix-LDAP_virtual_users_with_qmail_schema
- http://www.ldapsource.com/content/ldap_postfix.html
- http://www.boobah.info/howto/postfix-ldap.html
Spam filtering
- http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
- Postfwd
- Postscreen
- Postscreen cheatsheet
- http://www.xnote.com/howto/postfix-spamassassin.html
- http://www.akadia.com/services/postfix_spamassassin.html
- Filtering spam with Postfix
- Postfix and spamass-milter
ldap and aliases
- http://www.postfix.org/LDAP_README.html
- http://www.howtoforge.com/mandriva-directory-server-on-debian-etch-p3
man ldap_table man maildirquota
Send mail via relay with authentication
See SASL_README
Test relay authentication
openssl s_client -connect server:25 -starttls smtp (-crlf if exchange)
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd smtp_use_tls = yes smtp_sasl_security_options = noanonymous # if they use some self signed cert smtp_tls_CAfile = /etc/postfix/cacert.crt
Exchange issues
# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature? tls_ssl_options = 0x80 #you might need this smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest relayhost = [smtp.office365.com]:587
sasl_password
username:password
or
[relayname]:587 username:password
Relaying via office365
/etc/postfix/sasl_passwd
[smtp.office365.com]:587 username@yourdomain:office365password
/etc/postfix/generic
root@whatever username@yourdomain
/etc/postfix/main.cf
relayhost = [smtp.office365.com]:587
smtp_tls_security_level=may smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_security_level=may smtp_generic_maps = hash:/etc/postfix/generic
Tools and commands
postconf
Fix origin
postconf -e 'myorigin=$myhostname'
- Test-mail for DANE compliancy
- postfwd
pflogsumm
Log analyzer
vimbadmin
Notes
- postconf
- postsuper
anti spam measures that work for me
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unverified_recipient, permit_mynetworks, reject_sender_login_mismatch, reject_invalid_hostname, reject_unknown_reverse_client_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access, reject_rbl_client bl.spamcop.net,
- reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client b.barracudacentral.org, permit
tls on outgoing mail
smtp_use_tls = yes smtp_tls_security_level = may
TODO is all this really needed??
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_loglevel = 1
CentOS packages
gf-plus repository or epel :)
FAQ
smtp vs smtpd
smtpd = incoming
smtp = outgoing
Stop trying to bounce to noreply@
In transport_maps set
noreply@example.com discard
and in main.cf
transport_maps = hash:/etc/postfix/transport_maps
remember to
postmap /etc/postfix/transport_maps
and
postfix reload
warning: no MX host for xxx has a valid address record
Probably means the defined MX record does not resolve
Limit CC
/etc/postfix/header_checks
/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients. /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
fatal: bad string length 0 < 1: sendmail_path =
Looks like a debconf feature, install mailutils and
postconf -e sendmail_path=/usr/sbin/sendmail
and probably also
postconf -e mailq_path=/usr/bin/mailq postconf -e newaliases_path=/usr/bin/newaliases
then
postfix reload
to check, maybe more broke
log subject
https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html
Create file /etc/postfix/header_checks and put in:
/^[Ss]ubject:/ WARN
and in /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
rate limit outgoing mail
Probably start with
postconf -e smtp_destination_rate_delay=5s
this seems safe for outlook.
queue
Clean the postfix queue
mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d ${i};done
Or simple:
postsuper -d ALL
View message in queue
postcat
Delete message from queue
postsuper -d
Requeue all mails
postsuper -r ALL
or
postqueue -f
delivery temporarily suspended
Postfix as secondary MX
relay_domains = foo.com, bar.com relay_recipient_maps = hash:/etc/postfix/relay_recipients
milter-reject 4.7.0 DNS timeout
Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.
postqueue: fatal: Connect to the Postfix showq service: Permission denied
postfix set-permissions
too many concurrent connections
If that's what you get sending to a server you don't control, check
initial_destination_limit (??) smtp_destination_concurrency_limit
warning: SASL authentication failure: No worthy mechs found
could be missing cyrus-sasl-plain
Sender address rejected: need fully-qualified address
myorigin = /etc/mailname
If you're using mailutils, make sure fqdn is in /etc/hostname, double check with hostname -f See also
mail --config-help
about contents of /etc/mailutils.conf, and
man hostname
newaliases: fatal: bad string length 0 < 1: setgid_group =
Probably Ubuntu (Debian?), comment out the setgid_group line
warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:
delivery temporarily suspended
Connection timed out
if IP changed in transport, remember to postmap transport, also see
postqueue -i