Postfix: Difference between revisions

From DWIKI
(10 intermediate revisions by the same user not shown)
Line 21: Line 21:
*https://skrilnetz.net/setup-your-own-mailserver/  
*https://skrilnetz.net/setup-your-own-mailserver/  
*[https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin]
*[https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin]
 
*[https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix Hands-on: implementing SPF, DKIM and DMARC in Postfix]
==Postfix and smtp auth/sasl==
==Postfix and smtp auth/sasl==
*http://mirrors.loonybin.net/postfix_tls/doc/setup.html (this is a good one!)
*http://mirrors.loonybin.net/postfix_tls/doc/setup.html (this is a good one!)
Line 40: Line 40:
  #NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
  #NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
  smtpd_tls_CAfile = /etc/postfix/intermediate.pem
  smtpd_tls_CAfile = /etc/postfix/intermediate.pem
===SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available===
install cyrus-sasl-plain


==Postfix and LDAP==
==Postfix and LDAP==
Line 80: Line 84:
[http://www.vimbadmin.net/ vimbadmin]
[http://www.vimbadmin.net/ vimbadmin]


=Notes=
*postconf
*postsuper


==anti spam measures that work for me==
= Notes =
 
*postconf
*postsuper
 
== anti spam measures that work for me ==


  smtpd_recipient_restrictions =
  smtpd_recipient_restrictions =
Line 101: Line 107:
     check_recipient_access  hash:/etc/postfix/recipient_access,
     check_recipient_access  hash:/etc/postfix/recipient_access,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client bl.spamcop.net,
#   reject_rbl_client safe.dnsbl.sorbs.net,
 
#reject_rbl_client safe.dnsbl.sorbs.net,  
 
     reject_rbl_client b.barracudacentral.org,
     reject_rbl_client b.barracudacentral.org,
     permit
     permit


== tls on outgoing mail ==
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1


=CentOS packages=
=CentOS packages=
Line 110: Line 126:
or epel :)
or epel :)


=FAQ=
 
===Limit CC ===
 
 
= FAQ =
 
=== Limit CC ===
 
/etc/postfix/header_checks
/etc/postfix/header_checks


Line 117: Line 138:
  /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
  /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.


===log subject===
== fatal: bad string length 0 < 1: sendmail_path =  ==
Looks like a debconf feature, install mailutils and
postconf sendmail_path=/usr/sbin/sendmail
and probably also
postconf mailq_path=/usr/bin/mailq
postconf newaliases_path=/usr/bin/newaliases
then
postfix reload
to check, maybe more broke
 
 
=== log subject ===
 
Create file /etc/postfix/header_checks and put in:
Create file /etc/postfix/header_checks and put in:
  /^[Ss]ubject:/  WARN
  /^[Ss]ubject:/  WARN
and in /etc/postfix/main.cf
and in /etc/postfix/main.cf
header_checks: regexp:/etc/postfix/header_checks


===rate limit outgoing mail===
header_checks = regexp:/etc/postfix/header_checks
http://steam.io/2013/04/01/postfix-rate-limiting/
 
&nbsp;
 
=== rate limit outgoing mail ===
 
*[http://steam.io/2013/04/01/postfix-rate-limiting/ Postfix rate limiting – Politeness goes a long way]
*[https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling.html limit by domain]


Probably start with
Probably start with
  smtp_destination_rate_delay = 5s
  smtp_destination_rate_delay = 5s


==queue==
== queue ==
===Clean the postfix queue===
 
=== Clean the postfix queue ===
 
  mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done
  mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done
Or simple:
Or simple:
  postsuper -d ALL
  postsuper -d ALL


===View message in queue===
=== View message in queue ===
 
  postcat
  postcat


===Delete message from queue===
=== Delete message from queue ===
  postsuper -d  
 
  postsuper -d
 
=== Requeue mails ===
 
postsuper -r ALL
 
or
 
postqueue -f
 
== Postfix as secondary MX ==


==Postfix as secondary MX==
  relay_domains = foo.com, bar.com
  relay_domains = foo.com, bar.com
  relay_recipient_maps =
  relay_recipient_maps =
           hash:/etc/postfix/relay_recipients
           hash:/etc/postfix/relay_recipients


&nbsp;


==milter-reject 4.7.0 DNS timeout==
== milter-reject 4.7.0 DNS timeout ==
Most likely caused by sid-filter, aka milter-sid, aka sid-milter.
 
Try adding "-D" to the rc.conf or defaults or whatever file starting it.
Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.
 
== postqueue: fatal: Connect to the Postfix showq service: Permission denied ==


==postqueue: fatal: Connect to the Postfix showq service: Permission denied==
  postfix set-permissions
  postfix set-permissions


== warning: SASL authentication failure: No worthy mechs found==
== too many concurrent connections ==
 
If that's what you get sending to a server you don't control, check
 
initial_destination_limit (??)
smtp_destination_concurrency_limit
 
&nbsp;
 
== warning: SASL authentication failure: No worthy mechs found ==
 
could be missing cyrus-sasl-plain
could be missing cyrus-sasl-plain


&nbsp;
== Sender address rejected: need fully-qualified address ==
myorigin = /etc/mailname
==newaliases: fatal: bad string length 0 < 1: setgid_group ===
Probably Ubuntu (Debian?), comment out the setgid_group line






[[Category: mail]]
  [[Category:Mail]]

Revision as of 15:27, 2 June 2022

Docs

Postfix and smtp auth/sasl


Postfix and Network Solutions certificates

#The private key you created together with privkey.csr, readable for root only!
smtpd_tls_key_file = privkey.pem
#the certificate you received from NS
smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
smtpd_tls_CAfile = /etc/postfix/intermediate.pem


SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available

install cyrus-sasl-plain

Postfix and LDAP

Spam filtering

ldap and aliases



man ldap_table
man maildirquota

Tools

  • postfwd

pflogsumm

Log analyzer

vimbadmin

vimbadmin


Notes

  • postconf
  • postsuper

anti spam measures that work for me

smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_unverified_recipient,
   permit_mynetworks,
   reject_sender_login_mismatch,
   reject_invalid_hostname,
   reject_unknown_reverse_client_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   check_recipient_access  hash:/etc/postfix/recipient_access,
   reject_rbl_client bl.spamcop.net,
  1. reject_rbl_client safe.dnsbl.sorbs.net,
   reject_rbl_client b.barracudacentral.org,
   permit

tls on outgoing mail

smtp_use_tls = yes smtp_tls_security_level = may smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_loglevel = 1

CentOS packages

gf-plus repository or epel :)



FAQ

Limit CC

/etc/postfix/header_checks

/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.

fatal: bad string length 0 < 1: sendmail_path =

Looks like a debconf feature, install mailutils and

postconf sendmail_path=/usr/sbin/sendmail

and probably also

postconf mailq_path=/usr/bin/mailq
postconf newaliases_path=/usr/bin/newaliases

then

postfix reload

to check, maybe more broke


log subject

Create file /etc/postfix/header_checks and put in:

/^[Ss]ubject:/  WARN

and in /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

 

rate limit outgoing mail

Probably start with

smtp_destination_rate_delay = 5s

queue

Clean the postfix queue

mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done

Or simple:

postsuper -d ALL

View message in queue

postcat

Delete message from queue

postsuper -d

Requeue mails

postsuper -r ALL

or

postqueue -f

Postfix as secondary MX

relay_domains = foo.com, bar.com
relay_recipient_maps =
          hash:/etc/postfix/relay_recipients

 

milter-reject 4.7.0 DNS timeout

Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.

postqueue: fatal: Connect to the Postfix showq service: Permission denied

postfix set-permissions

too many concurrent connections

If that's what you get sending to a server you don't control, check

initial_destination_limit (??)

smtp_destination_concurrency_limit

 

warning: SASL authentication failure: No worthy mechs found

could be missing cyrus-sasl-plain

 

Sender address rejected: need fully-qualified address

myorigin = /etc/mailname


newaliases: fatal: bad string length 0 < 1: setgid_group =

Probably Ubuntu (Debian?), comment out the setgid_group line