Difference between revisions of "Postfix (2.9)"
(Created page with "The following describes a postfix site installation. You will want to get nearly everything else regarding your mail working first - MySQL, the tables, and any components you ...") |
|||
Line 1: | Line 1: | ||
− | The following describes a postfix site installation. You will want to get nearly everything else regarding your mail working first - MySQL, the tables, and any components you may be using (ClamAV, Spamassassin, OpenDKIM), etc. | + | The following describes a postfix site installation, using MySQL as a backend and Dovecot as the MDA. You will want to get nearly everything else regarding your mail working first - MySQL, the tables, and any components you may be using (ClamAV, Spamassassin, OpenDKIM), etc. |
This installation is somewhat involved - but between it and the Spamassassin configuration given, you will have very little spam to deal with. Barely a piece of spam a day even makes it to spamassassin - and this is with e-mail addresses that have been public for years. About than one in a thousand make it through Spamassassin. My gmail accounts are let more spam through than this. | This installation is somewhat involved - but between it and the Spamassassin configuration given, you will have very little spam to deal with. Barely a piece of spam a day even makes it to spamassassin - and this is with e-mail addresses that have been public for years. About than one in a thousand make it through Spamassassin. My gmail accounts are let more spam through than this. | ||
Line 329: | Line 329: | ||
== Supporting Files == | == Supporting Files == | ||
+ | |||
+ | You might have noticed that the above configuration refers to a lot of supporting map files. Don't | ||
{{Bottom_Wheezy}} | {{Bottom_Wheezy}} |
Revision as of 18:01, 6 May 2014
The following describes a postfix site installation, using MySQL as a backend and Dovecot as the MDA. You will want to get nearly everything else regarding your mail working first - MySQL, the tables, and any components you may be using (ClamAV, Spamassassin, OpenDKIM), etc.
This installation is somewhat involved - but between it and the Spamassassin configuration given, you will have very little spam to deal with. Barely a piece of spam a day even makes it to spamassassin - and this is with e-mail addresses that have been public for years. About than one in a thousand make it through Spamassassin. My gmail accounts are let more spam through than this.
There are three key rules that drastically cut down on spam:
- Requiring forward-confirmed reverse DNS (reject_unknown_client_hostname in the following config)
- Block generic domain names that pass the above test.
- Block spammers claiming to be your users.
While it does not solve all spam, it makes what is left a great deal more manageable. The resulting successful spam-friendly providers get addressed in one fashion or another.
/etc/postfix/main.cf
# There's not much left of Debian's default postfix configuration here.
smtpd_banner = $myhostname ESMTP $mail_name biff = no
# appending .domain is the MUA's job. append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters # This should probably be done master.cf, but that file is ugly enough. smtpd_tls_cert_file=/etc/maincert/example.crt smtpd_tls_key_file=/etc/maincert/example.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_sasl_security_options = noanonymous smtpd_tls_protocols = TLSv1, SSLv3 smtp_tls_block_early_mail_reply = yes smtp_tls_mandatory_ciphers = high smtp_tls_exclude_ciphers = aNULL, NULL, MD5, ADH # smtpd_sasl_auth_enable = yes
# Because we will be using dovecot... smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client.
myhostname = mail.example.com # Most providers will use IPv4 if available. Google likes IPv6, it seems. smtp_bind_address = 68.233.227.82 smtp_bind_address6 = 2604:4500:0:7:3::2 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = example.com mydestination = examplename, localhost, , relayhost = # In mynetworks, IPv6 addresses need to be in brackets, like so. mynetworks = 127.0.0.0/8 [::1]/128 198.51.100.187 [2001:db8::4]/128 mailbox_size_limit = 0 # Having a nonstandard recipient delimiter is exceedingly handy. recipient_delimiter = _ inet_interfaces = all html_directory = /usr/share/doc/postfix/html
# Be strict. Somewhat. smtpd_hard_error_limit = 3 smtpd_soft_error_limit = 1 smtpd_junk_command_limit = 20 smtpd_helo_required = yes disable_vrfy_command = no strict_rfc821_envelopes = no
# The next five lines were when I was dealing with Yahoo headaches. The defaults are probably fine. maximal_backoff_time = 19200s qmgr_message_active_limit = 65000 qmgr_message_recipient_limit = 65000 bounce_queue_lifetime = 1w maximal_queue_lifetime = 1w
message_size_limit = 33554432
authorized_submit_users = !banusera, !banusertoo, static:all
# Milters milter_default_action = accept milter_protocol = 2 smtpd_milters = local:/var/run/opendkim/opendkim.sock non_smtpd_milters = local:/var/run/opendkim/opendkim.sock
# Blocking non-FCrDNS hostnames stops about 300 pieces of spam per day, generic hostnames about 100. This would be much worse if they weren't blocked. smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, reject_unauth_pipelining, check_client_access pcre:/etc/postfix/valid-domains, check_client_access pcre:/etc/postfix/reject-domains, permit
# reject-mydomains got hit hundreds of times per day just after turning it on. Have not had a peep lately. smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/reject-nomailfrom, check_helo_access mysql:/etc/postfix/reject-mydomains.cf, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access pcre:/etc/postfix/reject-nomailfrom, check_sender_access mysql:/etc/postfix/reject-mydomains.cf, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access pcre:/etc/postfix/reject-users, reject_non_fqdn_recipient, permit
# Currently such a rare occurance that I don't see the need to discriminate yet. Saved for posterity, though. # These block 'new' domains. See spameatingmonkey.net for details. # reject_rhsbl_client fresh15.spameatingmonkey.net, # reject_rhsbl_helo fresh15.spameatingmonkey.net, # reject_rhsbl_sender fresh15.spameatingmonkey.net,
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce, permit
virtual_mailbox_base = /var/vmail/ virtual_mailbox_limit = 536870912 virtual_minimum_uid = 999 virtual_uid_maps = static:999 virtual_gid_maps = static:999 virtual_mailbox_domains = mysql:/etc/postfix/virtual-domains.cf smtpd_sender_login_maps = mysql:/etc/postfix/virtual-accounts.cf virtual_mailbox_maps = mysql:/etc/postfix/virtual-users.cf virtual_alias_maps = mysql:/etc/postfix/virtual-aliases.cf virtual_transport = dovecot
dovecot_destination_recipient_limit = 1 spamassassin_destination_recipient_limit = 1
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport_maps
/etc/postfix/master.cf
# Some of this stuff covers a few odd things you may want to do, I will highlight # them in these comments. # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== localhost:smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes # Run spamassassin and clamav only on incoming mail. 198.51.100.187:smtp inet n - n - - smtpd -o content_filter=spamassassin -o smtpd_milters=local:/var/run/clamav/clamav-milter.ctl [2001:db8::4]:smtp inet n - n - - smtpd -o content_filter=spamassassin -o smtpd_milters=local:/var/run/clamav/clamav-milter.ctl # I use the submission port to actually accept mail from users, including my own forums. # They need different rules, obviously. 198.51.100.187:submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_recipient_rate_limit=60 -o smtpd_client_message_rate_limit=60 -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_helo_restrictions=permit -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject -o smtpd_data_restrictions=permit -o cleanup_service_name=submission_cleanup -o milter_macro_daemon_name=ORIGINATING [2001:db8::4]:submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_recipient_rate_limit=60 -o smtpd_client_message_rate_limit=60 -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_helo_restrictions=permit -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject -o smtpd_data_restrictions=permit -o cleanup_service_name=submission_cleanup -o milter_macro_daemon_name=ORIGINATING # Some policies may suggest that you setup a second mailing ip to segregate e.g. marketing mail from your # more mission-critical mail. 'secondmailer' here and in sdd_transport_maps shows how to go about this. secondmailer unix - - n - - smtp -o smtp_bind_address=secondmaileripv4address -o smtp_bind_address6=secondmaileripv6address -o myhostname=example.com -o myorigin=example.com -o smtp_helo_name=example.com -o syslog_name=postfix-example # The second mailer acts as its own mailserver, down to receiving mail. secondmaileripv4address:smtp inet n - n - - smtpd -o content_filter=spamassassin -o myhostname=example.com -o myorigin=example.com -o syslog_name=postfix-example -o smtpd_milters=local:/var/run/clamav/clamav-milter.ctl [secondmaileripv6address]:smtp inet n - n - - smtpd -o content_filter=spamassassin -o myhostname=example.com -o myorigin=example.com -o syslog_name=postfix-example -o smtpd_milters=local:/var/run/clamav/clamav-milter.ctl #smtp inet n - - - - smtpd #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy #submission inet n - - - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - n - 0 cleanup # Cleanup for header checks. This prevents user's IP addresses from leaking # out to nosy people. submission_cleanup unix n - n - 0 cleanup -o header_checks=pcre:/etc/postfix/header_checks -o syslog_name=postfix/submission/cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} # The following are for dovecot and spamassassin, obviously. # -m ${extension} lets us sent delimited mail straight to the appropriate folder. dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -m ${extension} spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Supporting Files
You might have noticed that the above configuration refers to a lot of supporting map files. Don't