Postfix: Difference between revisions
From DWIKI
m (→FAQ) |
m (→FAQ) |
||
| (20 intermediate revisions by the same user not shown) | |||
| Line 26: | Line 26: | ||
*[https://wiki.centos.org/HowTos/postfix_sasl Postfix/dovecot SASL and SSL/TLS guide on CentOS] | *[https://wiki.centos.org/HowTos/postfix_sasl Postfix/dovecot SASL and SSL/TLS guide on CentOS] | ||
*[https://www.linode.com/docs/guides/postfix-smtp-debian7/ Configure Postfix to Send Email Using External SMTP Servers] | *[https://www.linode.com/docs/guides/postfix-smtp-debian7/ Configure Postfix to Send Email Using External SMTP Servers] | ||
* | *[https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/ Postfix, dovecot and sasl] | ||
*http://adomas.org/2006/08/postfix-dovecot/ | *http://adomas.org/2006/08/postfix-dovecot/ | ||
*http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html | *http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html | ||
| Line 45: | Line 45: | ||
===SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available=== | ===SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available=== | ||
install cyrus-sasl-plain | install cyrus-sasl-plain | ||
=HOWTO= | |||
==Test smtp with telnet or openssl== | |||
https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/ | |||
==DANE compliant config== | |||
smtpd_tls_protocols = TLSv1.2, TLSv1.3 | |||
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 | |||
smtpd_tls_exclude_ciphers = | |||
EXP, LOW, MEDIUM, | |||
aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, | |||
ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, | |||
MD5, SHA | |||
smtpd_tls_ciphers = high | |||
smtpd_tls_mandatory_ciphers = high | |||
smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem | |||
#for tlsv1.2, implicit in 1.3 | |||
tls_ssl_options = NO_RENEGOTIATION | |||
smtpd_tls_eecdh_grade = ultra | |||
==Postfix and LDAP== | ==Postfix and LDAP== | ||
| Line 77: | Line 96: | ||
man ldap_table | man ldap_table | ||
man maildirquota | man maildirquota | ||
==Send mail via relay with authentication== | |||
See [https://www.postfix.org/SASL_README.html SASL_README] | |||
===Test relay authentication=== | |||
openssl s_client -connect server:25 -starttls smtp (-crlf if exchange) | |||
smtp_sasl_auth_enable = yes | |||
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd | |||
smtp_use_tls = yes | |||
smtp_sasl_security_options = noanonymous | |||
# if they use some self signed cert | |||
smtp_tls_CAfile = /etc/postfix/cacert.crt | |||
Exchange issues | |||
# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature? | |||
tls_ssl_options = 0x80 | |||
#you might need this | |||
smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest | |||
relayhost = [smtp.office365.com]:587 | |||
===sasl_password=== | |||
username:password | |||
or | |||
[relayname]:587 username:password | |||
===Relaying via office365=== | |||
https://apiit.atlassian.net/wiki/spaces/ITSM/pages/1205567492/How+to+configure+postfix+relay+to+Office365+on+Ubuntu | |||
====/etc/postfix/sasl_passwd==== | |||
[smtp.office365.com]:587 username@yourdomain:office365password | |||
====/etc/postfix/generic==== | |||
root@whatever username@yourdomain | |||
====/etc/postfix/main.cf==== | |||
relayhost = [smtp.office365.com]:587 | |||
smtp_tls_security_level=may | |||
smtp_sasl_auth_enable = yes | |||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd | |||
smtp_sasl_security_options = noanonymous | |||
smtp_tls_security_level=may | |||
smtp_generic_maps = hash:/etc/postfix/generic | |||
=Tools= | =Tools= | ||
| Line 115: | Line 182: | ||
== tls on outgoing mail == | == tls on outgoing mail == | ||
smtp_use_tls = yes | smtp_use_tls = yes | ||
smtp_tls_security_level = may | smtp_tls_security_level = may | ||
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt | TODO is all this really needed?? | ||
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem | smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt | ||
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key | smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem | ||
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache | smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key | ||
smtp_tls_loglevel = 1 | smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache | ||
smtp_tls_loglevel = 1 | |||
=CentOS packages= | =CentOS packages= | ||
| Line 131: | Line 199: | ||
= FAQ = | = FAQ = | ||
==smtp vs smtpd== | |||
smtpd = incoming | |||
smtp = outgoing | |||
==Stop trying to bounce to noreply@== | |||
In '''transport_maps''' set | |||
noreply@example.com discard | |||
and in '''main.cf''' | |||
transport_maps = hash:/etc/postfix/transport_maps | |||
remember to | |||
postmap /etc/postfix/transport_maps | |||
and | |||
postfix reload | |||
==warning: no MX host for xxx has a valid address record== | |||
Probably means the defined MX record does not resolve | |||
=== Limit CC === | === Limit CC === | ||
| Line 150: | Line 235: | ||
== log subject == | |||
https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html | |||
Create file /etc/postfix/header_checks and put in: | Create file /etc/postfix/header_checks and put in: | ||
| Line 170: | Line 256: | ||
smtp_destination_rate_delay = 5s | smtp_destination_rate_delay = 5s | ||
this seems safe for outlook. | |||
== queue == | == queue == | ||
| Line 196: | Line 284: | ||
postqueue -f | postqueue -f | ||
===delivery temporarily suspended=== | |||
== Postfix as secondary MX == | == Postfix as secondary MX == | ||
| Line 233: | Line 324: | ||
myorigin = /etc/mailname | myorigin = /etc/mailname | ||
If you're using mailutils, make sure fqdn is in /etc/hostname | If you're using mailutils, make sure fqdn is in /etc/hostname, double check with '''hostname -f''' | ||
See also | See also | ||
mail --config-help | mail --config-help | ||
| Line 243: | Line 334: | ||
==warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:== | ==warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:== | ||
==delivery temporarily suspended== | |||
Connection timed out | |||
if IP changed in transport, remember to postmap transport, also see | |||
postqueue -i | |||
[[Category:Mail]] | [[Category:Mail]] | ||
Latest revision as of 14:11, 18 April 2024
Docs
- http://www.postfix.org/ADDRESS_CLASS_README.html
- Postfix on FreeBSD
- Postfix survival guide
- Postfix and Amavis
- Postfix and SpamAssassin
- postfix+spamd
- postfix with spamassass-milter on freebsd
- FAQ
- Postfix with clamav-milter
- postfix dovecot
- postfix amavisd-new freebsd
- http://souptonuts.sourceforge.net/postfix_tutorial.html
- Setting up automatic relay_recipient_maps in postfix
- http://wiki.kartbuilding.net/index.php/Postfix_SMTP#Blocking_Spam_with_spamhaus_and_Postfix
- Postfix on Debian
- http://www.postfix.org/VIRTUAL_README.html
- https://skrilnetz.net/setup-your-own-mailserver/
- How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin
- Hands-on: implementing SPF, DKIM and DMARC in Postfix
Postfix and smtp auth/sasl
- http://www.postfix.org/SASL_README.html
- Postfix/dovecot SASL and SSL/TLS guide on CentOS
- Configure Postfix to Send Email Using External SMTP Servers
- Postfix, dovecot and sasl
- http://adomas.org/2006/08/postfix-dovecot/
- http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
- http://forums.macosxhints.com/archive/index.php/t-96919.html
- Implementing DANE in postfix
Postfix and Network Solutions certificates
#The private key you created together with privkey.csr, readable for root only! smtpd_tls_key_file = privkey.pem
#the certificate you received from NS smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file smtpd_tls_CAfile = /etc/postfix/intermediate.pem
SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available
install cyrus-sasl-plain
HOWTO
Test smtp with telnet or openssl
https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/
DANE compliant config
smtpd_tls_protocols = TLSv1.2, TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 smtpd_tls_exclude_ciphers =
EXP, LOW, MEDIUM,
aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES,
ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256,
MD5, SHA
smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
- for tlsv1.2, implicit in 1.3
tls_ssl_options = NO_RENEGOTIATION smtpd_tls_eecdh_grade = ultra
Postfix and LDAP
- Postfix LDAP
- Hosting Multiple Domains with Virtual Accounts
- LDAP Support in Postfix
- Virtual hosting with LDAP
- Postfix LDAP Howto v2.1
- http://www.root-it.fiberworld.nl/vriesman.tk/postfix-courier-ldap-howto.html
- http://swik.net/Postfix+LDAP
- http://gentoo-wiki.com/HOWTO_Postfix-LDAP_virtual_users_with_qmail_schema
- http://www.ldapsource.com/content/ldap_postfix.html
- http://www.boobah.info/howto/postfix-ldap.html
Spam filtering
- http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
- Postfwd
- Postscreen
- Postscreen cheatsheet
- http://www.xnote.com/howto/postfix-spamassassin.html
- http://www.akadia.com/services/postfix_spamassassin.html
- Filtering spam with Postfix
- Postfix and spamass-milter
ldap and aliases
- http://www.postfix.org/LDAP_README.html
- http://www.howtoforge.com/mandriva-directory-server-on-debian-etch-p3
man ldap_table man maildirquota
Send mail via relay with authentication
See SASL_README
Test relay authentication
openssl s_client -connect server:25 -starttls smtp (-crlf if exchange)
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd smtp_use_tls = yes smtp_sasl_security_options = noanonymous # if they use some self signed cert smtp_tls_CAfile = /etc/postfix/cacert.crt
Exchange issues
# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature? tls_ssl_options = 0x80 #you might need this smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest relayhost = [smtp.office365.com]:587
sasl_password
username:password
or
[relayname]:587 username:password
Relaying via office365
/etc/postfix/sasl_passwd
[smtp.office365.com]:587 username@yourdomain:office365password
/etc/postfix/generic
root@whatever username@yourdomain
/etc/postfix/main.cf
relayhost = [smtp.office365.com]:587
smtp_tls_security_level=may smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_security_level=may smtp_generic_maps = hash:/etc/postfix/generic
Tools
- Test-mail for DANE compliancy
- postfwd
pflogsumm
Log analyzer
vimbadmin
Notes
- postconf
- postsuper
anti spam measures that work for me
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unverified_recipient, permit_mynetworks, reject_sender_login_mismatch, reject_invalid_hostname, reject_unknown_reverse_client_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access, reject_rbl_client bl.spamcop.net,
- reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client b.barracudacentral.org, permit
tls on outgoing mail
smtp_use_tls = yes smtp_tls_security_level = may
TODO is all this really needed??
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_loglevel = 1
CentOS packages
gf-plus repository or epel :)
FAQ
smtp vs smtpd
smtpd = incoming
smtp = outgoing
Stop trying to bounce to noreply@
In transport_maps set
noreply@example.com discard
and in main.cf
transport_maps = hash:/etc/postfix/transport_maps
remember to
postmap /etc/postfix/transport_maps
and
postfix reload
warning: no MX host for xxx has a valid address record
Probably means the defined MX record does not resolve
Limit CC
/etc/postfix/header_checks
/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
fatal: bad string length 0 < 1: sendmail_path =
Looks like a debconf feature, install mailutils and
postconf sendmail_path=/usr/sbin/sendmail
and probably also
postconf mailq_path=/usr/bin/mailq postconf newaliases_path=/usr/bin/newaliases
then
postfix reload
to check, maybe more broke
log subject
https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html
Create file /etc/postfix/header_checks and put in:
/^[Ss]ubject:/ WARN
and in /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
rate limit outgoing mail
Probably start with
smtp_destination_rate_delay = 5s
this seems safe for outlook.
queue
Clean the postfix queue
mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d ${i};done
Or simple:
postsuper -d ALL
View message in queue
postcat
Delete message from queue
postsuper -d
Requeue mails
postsuper -r ALL
or
postqueue -f
delivery temporarily suspended
Postfix as secondary MX
relay_domains = foo.com, bar.com
relay_recipient_maps =
hash:/etc/postfix/relay_recipients
milter-reject 4.7.0 DNS timeout
Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.
postqueue: fatal: Connect to the Postfix showq service: Permission denied
postfix set-permissions
too many concurrent connections
If that's what you get sending to a server you don't control, check
initial_destination_limit (??) smtp_destination_concurrency_limit
warning: SASL authentication failure: No worthy mechs found
could be missing cyrus-sasl-plain
Sender address rejected: need fully-qualified address
myorigin = /etc/mailname
If you're using mailutils, make sure fqdn is in /etc/hostname, double check with hostname -f See also
mail --config-help
about contents of /etc/mailutils.conf, and
man hostname
newaliases: fatal: bad string length 0 < 1: setgid_group =
Probably Ubuntu (Debian?), comment out the setgid_group line
warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:
delivery temporarily suspended
Connection timed out
if IP changed in transport, remember to postmap transport, also see
postqueue -i
