Postfix

From DWIKI
Revision as of 13:11, 15 November 2022 by Tony (talk | contribs)

Docs

Postfix and smtp auth/sasl

Postfix and Network Solutions certificates

#The private key you created together with privkey.csr, readable for root only!
smtpd_tls_key_file = privkey.pem
#the certificate you received from NS
smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
smtpd_tls_CAfile = /etc/postfix/intermediate.pem


SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available

install cyrus-sasl-plain

HOWTO

DANE compliant config

smtpd_tls_protocols = TLSv1.2, TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 smtpd_tls_exclude_ciphers =

     EXP, LOW, MEDIUM,
     aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES,
     ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256,
     MD5, SHA

smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem

  1. for tlsv1.2, implicit in 1.3

tls_ssl_options = NO_RENEGOTIATION smtpd_tls_eecdh_grade = ultra

Postfix and LDAP

Spam filtering

ldap and aliases



man ldap_table
man maildirquota

Tools

pflogsumm

Log analyzer

vimbadmin

vimbadmin

Notes

  • postconf
  • postsuper

anti spam measures that work for me

smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_unverified_recipient,
   permit_mynetworks,
   reject_sender_login_mismatch,
   reject_invalid_hostname,
   reject_unknown_reverse_client_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   check_recipient_access  hash:/etc/postfix/recipient_access,
   reject_rbl_client bl.spamcop.net,
  1. reject_rbl_client safe.dnsbl.sorbs.net,
   reject_rbl_client b.barracudacentral.org,
   permit

tls on outgoing mail

smtp_use_tls = yes smtp_tls_security_level = may smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_loglevel = 1

CentOS packages

gf-plus repository or epel :)



FAQ

Limit CC

/etc/postfix/header_checks

/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.

fatal: bad string length 0 < 1: sendmail_path =

Looks like a debconf feature, install mailutils and

postconf sendmail_path=/usr/sbin/sendmail

and probably also

postconf mailq_path=/usr/bin/mailq
postconf newaliases_path=/usr/bin/newaliases

then

postfix reload

to check, maybe more broke


log subject

Create file /etc/postfix/header_checks and put in:

/^[Ss]ubject:/  WARN

and in /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

 

rate limit outgoing mail

Probably start with

smtp_destination_rate_delay = 5s

queue

Clean the postfix queue

mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done

Or simple:

postsuper -d ALL

View message in queue

postcat

Delete message from queue

postsuper -d

Requeue mails

postsuper -r ALL

or

postqueue -f

Postfix as secondary MX

relay_domains = foo.com, bar.com
relay_recipient_maps =
          hash:/etc/postfix/relay_recipients

 

milter-reject 4.7.0 DNS timeout

Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.

postqueue: fatal: Connect to the Postfix showq service: Permission denied

postfix set-permissions

too many concurrent connections

If that's what you get sending to a server you don't control, check

initial_destination_limit (??)

smtp_destination_concurrency_limit

 

warning: SASL authentication failure: No worthy mechs found

could be missing cyrus-sasl-plain

 

Sender address rejected: need fully-qualified address

myorigin = /etc/mailname

If you're using mailutils, make sure fqdn is in /etc/hostname See also

mail --config-help

about contents of /etc/mailutils.conf, and

man hostname

newaliases: fatal: bad string length 0 < 1: setgid_group =

Probably Ubuntu (Debian?), comment out the setgid_group line

warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686: