Postfix

From DWIKI

Docs

Postfix and smtp auth/sasl

Postfix and Network Solutions certificates

#The private key you created together with privkey.csr, readable for root only!
smtpd_tls_key_file = privkey.pem
#the certificate you received from NS
smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
smtpd_tls_CAfile = /etc/postfix/intermediate.pem


SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available

install cyrus-sasl-plain

HOWTO

Test smtp with telnet or openssl

https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/

DANE compliant config

smtpd_tls_protocols = TLSv1.2, TLSv1.3
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3
smtpd_tls_exclude_ciphers =
     EXP, LOW, MEDIUM,
     aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES,
     ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256,
     MD5, SHA
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
# for tlsv1.2, implicit in 1.3
tls_ssl_options = NO_RENEGOTIATION
smtpd_tls_eecdh_grade = ultra

Postfix and LDAP

Spam filtering

ldap and aliases



man ldap_table
man maildirquota


Send mail via relay with authentication

See SASL_README

Test relay authentication

openssl s_client -connect server:25 -starttls smtp (add -crlf when the relay is Exchange)


smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
# if the relay uses a self-signed cert
smtp_tls_CAfile = /etc/postfix/cacert.crt

Exchange issues

# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature?
tls_ssl_options = 0x80
#you might need this
smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest
relayhost = [smtp.office365.com]:587

sasl_password

username:password

or

[relayname]:587 username:password


Relaying via office365

https://apiit.atlassian.net/wiki/spaces/ITSM/pages/1205567492/How+to+configure+postfix+relay+to+Office365+on+Ubuntu


/etc/postfix/sasl_passwd

[smtp.office365.com]:587 username@yourdomain:office365password

/etc/postfix/generic

root@whatever username@yourdomain

/etc/postfix/main.cf

relayhost = [smtp.office365.com]:587
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_generic_maps = hash:/etc/postfix/generic

Tools

pflogsumm

Log analyzer

vimbadmin


Notes

  • postconf
  • postsuper

anti spam measures that work for me

smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_unverified_recipient,
   permit_mynetworks,
   reject_sender_login_mismatch,
   reject_invalid_hostname,
   reject_unknown_reverse_client_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   check_recipient_access hash:/etc/postfix/recipient_access,
   reject_rbl_client bl.spamcop.net,
#  reject_rbl_client safe.dnsbl.sorbs.net,
   reject_rbl_client b.barracudacentral.org,
   permit

tls on outgoing mail

smtp_use_tls = yes
smtp_tls_security_level = may

TODO is all this really needed??

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1

CentOS packages

gf-plus repository or epel :)



FAQ

smtp vs smtpd

smtpd = incoming

smtp = outgoing


Stop trying to bounce to noreply@

In transport_maps set

noreply@example.com discard

and in main.cf

transport_maps = hash:/etc/postfix/transport_maps

remember to

postmap /etc/postfix/transport_maps

and

postfix reload

warning: no MX host for xxx has a valid address record

Probably means the host named in the MX record does not resolve to an address (A/AAAA) record.

Limit CC

/etc/postfix/header_checks

/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recipients.
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recipients.

fatal: bad string length 0 < 1: sendmail_path =

Looks like a debconf feature, install mailutils and

postconf sendmail_path=/usr/sbin/sendmail

and probably also

postconf mailq_path=/usr/bin/mailq
postconf newaliases_path=/usr/bin/newaliases

then

postfix reload

to check whether anything else is broken.


log subject

https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html

Create file /etc/postfix/header_checks and put in:

/^[Ss]ubject:/  WARN

and in /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks
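Added example, not from the wiki or from Postfix itself: the header_checks rules above (the recipient limit and the Subject WARN) applied in Python to constructed messages. It shows why the count works on the unfolded logical header, which is the form Postfix matches against; a physical To: line folded every four addresses never contains 50 '@' on its own.

```python
import re

# The rules from the wiki's /etc/postfix/header_checks, as (pattern, action, text).
# Postfix regexp tables match case-insensitively and the first matching rule wins.
HEADER_CHECKS = [
    (r"^To:([^@]*@){50,}", "REJECT", "Sorry, your message has too many recipients."),
    (r"^Cc:([^@]*@){50,}", "REJECT", "Sorry, your message has too many recipients."),
    (r"^[Ss]ubject:", "WARN", ""),
]


def logical_headers(raw_message):
    """Yield each logical header ("Name: value") with folded continuation lines
    joined, which is the form Postfix hands to header_checks."""
    head = raw_message.split("\n\n", 1)[0]
    current = None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and current is not None:
            current += " " + line.strip()      # continuation of a folded header
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current


def check_headers(raw_message):
    """Return [(action, header_name, text)] for every header that matched a rule."""
    results = []
    for header in logical_headers(raw_message):
        for pattern, action, text in HEADER_CHECKS:
            if re.match(pattern, header, re.IGNORECASE):
                results.append((action, header.split(":", 1)[0], text))
                break
    return results


def build_message(n_recipients):
    """Constructed sample: a To: header folded every four addresses, so that no
    single physical line carries more than four '@' characters."""
    addrs = [f"user{i}@example.com" for i in range(n_recipients)]
    chunks = [", ".join(addrs[i:i + 4]) for i in range(0, len(addrs), 4)]
    to_header = "To: " + ",\n    ".join(chunks)
    return f"From: sender@example.org\n{to_header}\nSubject: hello\n\nbody\n"


if __name__ == "__main__":
    for n in (49, 50):
        print(n, "recipients ->", check_headers(build_message(n)))
```

On a real server the same rule can be checked against the live table with `postmap -q "To: ..." regexp:/etc/postfix/header_checks`.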


rate limit outgoing mail

Probably start with

smtp_destination_rate_delay = 5s

this seems safe for outlook.

queue

Clean the postfix queue

mailq | grep '^[A-F0-9]' | awk '{ print $1 }' | sed 's/[*!]$//' | while read -r i; do postsuper -d "$i"; done

Or simple:

postsuper -d ALL
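Added example, not from the wiki: instead of deleting everything, pick only the queue IDs of one sender out of mailq output and feed those to postsuper -d. The mailq text below is constructed; the `*` and `!` markers mark active and held messages and must be stripped before the ID is usable.

```shell
#!/bin/sh
# Constructed sample of mailq output ('*' = active, '!' = on hold).
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A2B4C5D6E*     1234 Mon Jan  1 10:00:00  spammer@bad.example
                                         victim@example.com

4F5E6D7C8B!     2345 Mon Jan  1 10:05:00  user@example.com
                                         friend@example.net

5C6D7E8F9A      3456 Mon Jan  1 10:07:00  spammer@bad.example
(connect to mx.example.net[192.0.2.1]:25: Connection timed out)
                                         other@example.net

-- 7 Kbytes in 3 Requests.'

# queue_ids_for_sender <mailq output> <sender regex>
# Prints one bare queue ID per line. Only lines that start with a queue ID are
# considered; the sender is the last field of that line. Recipient lines start
# with whitespace and the header/footer lines start with '-', so they are skipped.
queue_ids_for_sender() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^[A-Za-z0-9]+[*!]?[[:space:]]/ {
            id = $1
            sub(/[*!]$/, "", id)          # drop the active/hold marker
            if ($NF ~ pat) print id
        }'
}

# delete_from_sender <sender regex>: run against the live queue (needs root/postfix).
delete_from_sender() {
    queue_ids_for_sender "$(mailq)" "$1" | while read -r id; do
        postsuper -d "$id"
    done
}

# Demo on the constructed sample: prints the two IDs queued by spammer@bad.example.
queue_ids_for_sender "$SAMPLE_MAILQ" 'spammer@bad[.]example$'
```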

View message in queue

postcat -q <queue id>

Delete message from queue

postsuper -d <queue id>

Requeue mails

postsuper -r ALL

or

postqueue -f


delivery temporarily suspended

Postfix as secondary MX

relay_domains = foo.com, bar.com
relay_recipient_maps =
          hash:/etc/postfix/relay_recipients


milter-reject 4.7.0 DNS timeout

Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.

postqueue: fatal: Connect to the Postfix showq service: Permission denied

postfix set-permissions

too many concurrent connections

If that's what you get sending to a server you don't control, check

initial_destination_concurrency

smtp_destination_concurrency_limit


warning: SASL authentication failure: No worthy mechs found

could be missing cyrus-sasl-plain


Sender address rejected: need fully-qualified address

myorigin = /etc/mailname

If you're using mailutils, make sure the fqdn is in /etc/hostname; double check with hostname -f. See also

mail --config-help

about contents of /etc/mailutils.conf, and

man hostname

newaliases: fatal: bad string length 0 < 1: setgid_group =

Probably Ubuntu (Debian?); comment out the setgid_group line.

warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:

delivery temporarily suspended

Connection timed out

If the IP address in the transport map changed, remember to run postmap on the transport file; also see

postqueue -i