postfix: revision 2018-12-20 10:04:48 by manfred; revision 2025-05-26 00:48:29 (current) by david
====== Postfix ======

  * [[https://www.unixwitch.de/de/sysadmin/tools/postfix|Postfix cheat sheet]]
  * [[https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/|Postfix + HAProxy]]


==== Initial installation ====

see also: [[::mailserver#Mails über seinen Provider versenden]]

  - VM installation
    - Follow-up work (in the new environment):
    - ''locale-gen''
    - ''%%time (aptitude clean ; dpkg --configure -a ; aptitude update && aptitude -y safe-upgrade && aptitude clean) && echo OK%%''
    - ''aptitude install language-pack-en language-pack-de''
  - ''aptitude remove nullmailer''
  - ''aptitude install mc postfix''
    - -> [[http://wiki.ubuntuusers.de/Postfix#Grundkonfiguration|Internet with smarthost]] -> SMTP relay host: "tcpandora.tcoqrm.victorvox.net"
  - ''echo "root:    mxuser@dialing.de" >> /etc/aliases''
  - ''newaliases''

Reconfiguration:
  > dpkg-reconfigure postfix
 +
===== Postfix basics =====


Postfix will not forward messages for which it regards itself as the //final destination//; it will always try to deliver them locally (the list of host names and domains is space-separated):
  mydestination

When local mail is sent with only a user name as sender (e.g. "root" or "CRON"), Postfix completes the name with "@$myhostname"; with "myorigin" you can decide yourself what the user name is expanded with to form a complete e-mail address (e.g. "root@$myorigin"):
  myorigin

List of domains to which mail may be relayed:
  relay_domains

Specifies where the corresponding domains, subdomains or e-mail addresses are forwarded to:
  relay_transport

Specifies where the corresponding e-mails are forwarded to:
  virtual_alias_maps

This tells Postfix the domain replacements; it has the same effect as "virtual", except that here the destination address inside the mail is also replaced:
  smtp_generic_maps

This replaces sender and recipient addresses; it is often used to correct address information:
  canonical_maps
 +
 +
===== Useful to know =====

  * [[http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html]]

View the mail queue:
  > mailq

Empty the complete mail queue:
  > postsuper -d ALL


  * [[https://wiki.ubuntuusers.de/Postfix/Erweiterte_Konfiguration/]]

vi /etc/postfix/main.cf
  ...
  ### Specifies whether or not mail that would normally be bounced
  ### should be queued for redelivery attempts. Also converts any
  ### permanent rejection codes to temporary error codes. This parameter
  ### is useful for testing out configuration changes
  ### to make sure that no mail is permanently rejected.
  soft_bounce = yes
  ...
  ### put all undeliverable mail into Fritz's local mailbox
  luser_relay = fritz
  ...

If no transport table has been set up (''transport_maps = hash:/etc/postfix/transport''), the default transport destination is used: **''smtp:$myhostname''**\\
When establishing the connection, Postfix announces itself in the ''HELO'' with ''$myhostname'', so this must match the ''CN'' in the SSL key 100%!!!
 +
===== Sender address =====

  * [[http://wiki.ubuntuusers.de/postfix]]
  * [[http://dozent.maruweb.de/material/postfix2.shtml]]
  * [[http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions]]
  * [[http://www.postfix.org/ADDRESS_REWRITING_README.html#standard]]
  * [[http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical]]

The ''//sender address//'' is composed of the //user// name and the //mail name// (''benutzer@maildomain.de'').

On Ubuntu the //mail name// (''maildomain.de'') can be changed in two ways:
  # sudo dpkg-reconfigure postfix

or like this:
  # echo "maildomain.de" > /etc/mailname
  # sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
  # echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf

If an SSL certificate is used, the FQDN must be entered here (identical to the "CN" in the SSL certificate):
  # hostname -f > /etc/mailname
  # sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
  # echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf

Then do not forget to restart the service:
  # /etc/init.d/postfix restart
 +
 +
===== Exit codes =====

When Postfix wants to hand a mail to an external script via a pipe
and something goes wrong, the result is bounce mails
which can contain the following exit codes:

^Status ^ $? ^ Description ^
| EX_OK |  0 | successful termination |
| EX_USAGE | 64 | command line usage error |
| EX_DATAERR | 65 | data format error |
| EX_NOINPUT | 66 | cannot open input |
| EX_NOUSER | 67 | addressee unknown |
| EX_NOHOST | 68 | host name unknown |
| EX_UNAVAILABLE | 69 | service unavailable |
| EX_SOFTWARE | 70 | internal software error |
| EX_OSERR | 71 | system error (e.g., can't fork) |
| EX_OSFILE | 72 | critical OS file missing |
| EX_CANTCREAT | 73 | can't create (user) output file |
| EX_IOERR | 74 | input/output error |
| EX_TEMPFAIL | 75 | temp failure; user is invited to retry |
| EX_PROTOCOL | 76 | remote error in protocol |
| EX_NOPERM | 77 | permission denied |
| EX_CONFIG | 78 | configuration error |
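As an added example (not part of the original page), a minimal pipe(8) delivery script in Python that returns exactly these sysexits codes to Postfix, so that a permanent problem bounces while a local problem only requeues; the user set, the maildir root and the master.cf entry quoted in the docstring are assumptions.

```python
"""Minimal maildir delivery script for a Postfix pipe(8) transport.

Assumed master.cf entry (hypothetical):
    deliverpy unix - n n - - pipe
      flags=Rq user=vmail argv=/usr/local/bin/deliver.py ${recipient}
Postfix reads our exit status: 0 accepts the message, 75 (EX_TEMPFAIL) keeps
it queued for a later retry, any other sysexits value bounces it with the
matching reason from the table above.
"""
import os
import sys
import time
import pathlib

# Constructed user set standing in for the real lookup (passwd, LDAP, database).
KNOWN_USERS = {"fritz", "fratz"}


def deliver(message, recipient, known_users, maildir_root):
    """Store one message in <maildir_root>/<user>/Maildir/new and return a sysexits code."""
    if "@" not in recipient:
        return os.EX_USAGE            # 64: we were called with a bad argument
    user = recipient.split("@", 1)[0].lower()
    if user not in known_users:
        return os.EX_NOUSER           # 67: "addressee unknown", Postfix bounces permanently
    if not message.strip():
        return os.EX_DATAERR          # 65: nothing deliverable in the message
    maildir = pathlib.Path(maildir_root) / user / "Maildir"
    if not (maildir / "tmp").is_dir() or not (maildir / "new").is_dir():
        # A missing mailbox is our problem, not the sender's: keep the mail queued.
        return os.EX_TEMPFAIL         # 75: Postfix retries instead of bouncing
    name = f"{int(time.time())}.P{os.getpid()}.{os.uname().nodename}"
    tmp, new = maildir / "tmp" / name, maildir / "new" / name
    try:
        tmp.write_bytes(message)      # maildir rule: write to tmp/, then rename into new/
        os.rename(tmp, new)
    except OSError:
        # Disk full, permission problem, I/O error: temporary from the sender's point of view.
        return os.EX_TEMPFAIL
    return os.EX_OK                   # 0: delivered


def main():
    if len(sys.argv) != 2:
        sys.exit(os.EX_USAGE)
    # Assumed maildir root; adjust to the real location.
    sys.exit(deliver(sys.stdin.buffer.read(), sys.argv[1], KNOWN_USERS, "/var/mail/vhosts"))


if __name__ == "__main__":
    main()
```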
 +
 +
===== Installation =====


==== Without virtual mailboxes ====

The easiest way to install the mail server is with binary packages:
  # pkg install postfix-tls-2.11.1_2,1 dovecot-1.2.17_4

For managing the mail of system users this is sufficient.

Reading mail over an encrypted connection is possible (e.g. IMAP -> port 143 with STARTTLS or port 993 with SSL), but e-mails can only be sent unencrypted (port 25):
  postfix/smtp[38595]: warning: TLS has been selected, but TLS support is not compiled in
 +
==== With virtual mailboxes ====

Managing virtual mailboxes requires SASL support,
but unfortunately the binary packages were compiled without SASL support,
so we have to install the programs by hand:
  # pkg search portupgrade
    portupgrade-2.4.12_2,2
  # pkg install portupgrade-2.4.12_2,2
  # portupgrade -NRO mail/postfix

Since I need Sieve support in Dovecot, and at the moment only Dovecot version 1
supports Sieve, "DOVECOT" must be selected here.
And of course I also need SSL support:
  [*] PCRE       Perl Compatible Regular Expressions
  [*] SASL2      Cyrus SASLv2 (Simple Auth. and Sec. Layer)
  [*] DOVECOT    Dovecot 1.x SASL authentication method
  ...
  [*] TLS        Enable SSL and TLS support
  ...

**''SASL2''** is only needed if you want to use virtual mail users.

      Warning: you still need to edit myorigin/mydestination/mynetworks
      parameter settings in /usr/local/etc/postfix/main.cf.
  
      See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html
      for information about dialup sites or about sites inside a
      firewalled network.
  
      BTW: Check your /etc/aliases file and be sure to set up aliases
      that send mail for root and postmaster to a real person, then
      run /usr/local/bin/newaliases.
  
  install  -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/rmail/rmail /usr/local/bin/rmail
  install  -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/qshape/qshape.pl /usr/local/bin/qshape
  install  -o root -g wheel -m 444 /usr/ports/mail/postfix/work/postfix-2.8.4/man/man1/qshape.1 /usr/local/man/man1
  ===> Installing rc.d startup script(s)
  Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y

  To enable postfix startup script please add postfix_enable="YES" in
  your rc.conf
  
  If you not need sendmail anymore, please add in your rc.conf:
  
  sendmail_enable="NO"
  sendmail_submit_enable="NO"
  sendmail_outbound_enable="NO"
  sendmail_msp_queue_enable="NO"
  
  And you can disable some sendmail specific daily maintenance routines in your
  /etc/periodic.conf file:
  
  daily_clean_hoststat_enable="NO"
  daily_status_mail_rejects_enable="NO"
  daily_status_include_submit_mailq="NO"
  daily_submit_queuerun="NO"
  
  If /etc/periodic.conf does not exist please create it and add those values.
  
  If you are using SASL, you need to make sure that postfix has access to read
  the sasldb file.  This is accomplished by adding postfix to group mail and
  making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
  be the default for new installs).
  
  If you are upgrading from Postfix 2.6 or earlier, review the RELEASE_NOTES to
  familiarize yourself with new features and incompatabilities.

        This port has installed the following startup scripts which may cause
        these network services to be started at boot time.
  /usr/local/etc/rc.d/postfix
  
        If there are vulnerabilities in these programs there may be a security
        risk to the system. FreeBSD makes no guarantee about the security of
        ports included in the Ports Collection. Please type 'make deinstall'
        to deinstall the port if this is a concern.
  
        For more information, and contact details about the security
        status of this software, see the following webpage:
  http://www.postfix.org/
  ===>  Cleaning for postfix-2.8.4,1

  # ldd /usr/local/libexec/postfix/smtp
          libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x4002d000)
          ...

  # postconf -A
  cyrus

  # postconf -a
  dovecot
 +
 +
==== LDA Postfix ====

**In the current FreeBSD version this information can be found under ///usr/local/share/doc/dovecot/wiki//**

=== System users ===

You can use deliver with a few selected system users (i.e. user is found from
'/etc/passwd' / NSS) by calling deliver in the user's '~/.forward' file:

  | "/usr/local/libexec/dovecot/deliver"

This should work with any MTA which supports per-user '.forward' files.
(For qmail's per-user setup, see LDA.Qmail.txt.)

This method doesn't require the authentication socket explained below since
it's executed as the user itself.

----

If you wish to use 'deliver' for all system users on a single domain mail host
you can do it by editing the 'mailbox_command' parameter in

"/etc/postfix/main.cf" (postconf(5) [[http://www.postfix.org/postconf.5.html]]):

  mailbox_command = /usr/local/libexec/dovecot/deliver

Then run 'postfix reload' and that is it.


=== Virtual users ===

Dovecot LDA is very easy to use on large scale installations with Postfix
virtual domains support, just add a 'dovecot' service in
"/etc/postfix/master.cf" (master(5) [[http://www.postfix.org/master.5.html]]):

  dovecot   unix  -                               pipe
    flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

An example using address extensions (i.e. user+extension@domain.com) to deliver
to the folder 'extension' in your maildir (If you wish to preserve the case of
${extension}, remove the 'hu' flags [http://www.postfix.org/pipe.8.html], and be
sure to utilize <Modifiers> [Variables.txt] in your dovecot.conf for mail
locations and other configuration parameters that are expecting lower case):

  dovecot unix    -                              pipe
    flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}

  # or with v1.1.2+ if you have a INBOX/ namespace prefix:
  dovecot unix    -                              pipe
    flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m INBOX/${extension}

This example ignores address extensions (i.e. user+extension@domain.com delivers
just like user@domain.com):

  dovecot   unix  -                               pipe
    flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

  dovecot   unix  -                               pipe
    flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${user}

Replace 'vmail' above with your virtual mail user account.

Then set 'virtual_transport' to 'dovecot' in '/etc/postfix/main.cf':

  dovecot_destination_recipient_limit = 1
  virtual_mailbox_domains = your.domain.here
  virtual_transport = dovecot

And remember to run

  postfix reload


=== authentication socket ===

  > vi /usr/local/etc/dovecot.conf
  ...
  protocol lda {
  ...
    # UNIX socket path to master authentication server to find users.
    #auth_socket_path = /var/run/dovecot/auth-master
  }
  auth default {
  ...
    socket listen {
      master {
        # Master socket provides access to userdb information. It's typically
        # used to give Dovecot's local delivery agent access to userdb so it
        # can find mailbox locations.
        path = /var/run/dovecot/auth-master
        mode = 0600
        # Default user/group is the one who started dovecot-auth (root)
        #user =
        #group =
        group = mail
      }
      client {
        # The client socket is generally safe to export to everyone. Typical use
        # is to export it to your SMTP server so it can do SMTP AUTH lookups
        # using it.
        path = /var/run/dovecot/auth-client
        mode = 0660
        user = postfix
        group = mail
      }
    }
  }
 +
----

==== Further links ====

http://bsdinn.com/postfix/index.php

==== Example from Ubuntu 09.10 ====

  postconf -n

  alias_database = hash:/etc/aliases
  alias_maps = hash:/etc/aliases
  append_dot_mydomain = no
  biff = no
  broken_sasl_auth_clients = yes
  config_directory = /etc/postfix
  home_mailbox = Maildir/
  inet_interfaces = all
  mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
  mailbox_size_limit = 0
  mydestination = hostname, localhost.localdomain, localhost
  myhostname = hostname
  mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  readme_directory = no
  recipient_delimiter = +
  relayhost =
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  smtp_use_tls = yes
  smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
  smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_authenticated_header = yes
  smtpd_sasl_local_domain = $myhostname
  smtpd_sasl_path = private/dovecot-auth
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_type = dovecot
  smtpd_sender_restrictions = reject_unknown_sender_domain
  smtpd_tls_auth_only = yes
  smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.crt
  smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
  smtpd_tls_mandatory_ciphers = medium
  smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtpd_use_tls = yes
  tls_random_source = dev:/dev/urandom
 +
==== Example from Ubuntu 12.04 LTS ====

Most of the time [[http://wiki.ubuntuusers.de/Postfix#Grundkonfiguration|Internet with smarthost]] is the right setting.


=== Enable SMTP STARTTLS encryption ===

Generate the SSL key:
<file>
#!/bin/bash
# Generates a self-signed certificate and private key for Postfix (STARTTLS).

RECHNERNAME="$(hostname -f)"                    # FQDN, must match the CN Postfix uses in the HELO

EMAIL="email@adresse.de"
STAAT="DE"
LAND="Hessen"
STADT="Frankfurt"
ORGANISATION="Firma"
ABTEILUNG="Abteilung"
ZEITRAUM="12000"                                # validity period in days
BITLANG="16384"                                 # key length in bits

# private key must not be readable by anyone but root
umask 077

# -sha256 instead of -sha1: SHA-1 signed certificates are rejected by current TLS clients
openssl req -rand /dev/urandom -sha256 -new -x509 -newkey rsa:${BITLANG} -nodes -keyout /etc/ssl/private/postfix.key -keyform PEM -out /etc/ssl/certs/postfix.crt -outform PEM -subj "/emailAddress=${EMAIL}/C=${STAAT}/ST=${LAND}/L=${STADT}/O=${ORGANISATION}/OU=${ABTEILUNG}/CN=${RECHNERNAME}" -days ${ZEITRAUM}


# the modulus hashes of key and certificate must be identical, otherwise they do not belong together
if [ -r "/etc/ssl/private/postfix.key" ] ; then
        echo "/etc/ssl/private/postfix.key $(openssl rsa -noout -modulus -in /etc/ssl/private/postfix.key | openssl md5)"
fi

if [ -r "/etc/ssl/certs/postfix.crt" ] ; then
        echo "/etc/ssl/certs/postfix.crt $(openssl x509 -noout -modulus -in /etc/ssl/certs/postfix.crt | openssl md5)"
        openssl x509 -noout -subject -issuer -dates -in /etc/ssl/certs/postfix.crt
fi
</file>
 +
 +
=== /etc/postfix/main.cf ===

  * [[http://www.postfix.org/TLS_README.html#server_enable]]

The following variables must be adapted here:
  - **home_mailbox**
  - **mydestination**
  - **mynetworks**
  - **smtpd_tls_cert_file**
  - **smtpd_tls_key_file**

as well as the two variables for holding undeliverable mail when the relay host is temporarily unreachable:
  - **smtp_connection_cache_on_demand**
  - **smtp_connection_cache_destinations**

  # See /usr/share/postfix/main.cf.dist for a commented, more complete version
  
  
  # Debian specific:  Specifying a file name will cause the first
  # line of that file to be used as the name.  The Debian default
  # is /etc/mailname.
  #myorigin = /etc/mailname
  
  smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
  biff = no
  
  # appending .domain is the MUA's job.
  append_dot_mydomain = no
  
  # Uncomment the next line to generate "delayed mail" warnings
  #delay_warning_time = 4h
  
  readme_directory = no
  
  # TLS parameters
  #smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
  #smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
  smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
  smtpd_tls_key_file = /etc/ssl/private/postfix.key
  smtpd_use_tls = yes
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  
  # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
  # information on enabling SSL in the smtp client.
  
  myhostname = postbote.domain.de
  alias_maps = hash:/etc/aliases
  alias_database = hash:/etc/aliases
  myorigin = /etc/mailname
  mydestination = postbote.domain.de, localhost.domain.de, localhost
  relayhost = smtp.domain.de
  mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 192.168.0.0/16
  mailbox_size_limit = 0
  recipient_delimiter = +
  inet_interfaces = all
  home_mailbox = Maildir/
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_type = dovecot
  smtpd_sasl_path = private/dovecot-auth
  smtpd_sasl_authenticated_header = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_local_domain = $myhostname
  broken_sasl_auth_clients = yes
  smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  smtpd_sender_restrictions = reject_unknown_sender_domain
  mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
  smtp_use_tls = yes
  smtpd_tls_received_header = yes
  smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
  smtpd_tls_mandatory_ciphers = medium
  smtpd_tls_auth_only = yes
  tls_random_source = dev:/dev/urandom
  smtp_connection_cache_on_demand = yes
  smtp_connection_cache_destinations = $relayhost
 +
 +
== Configuring Postfix for more than one domain ==

  * [[http://www.postfix.org/STANDARD_CONFIGURATION_README.html|Postfix Standard Configuration Examples]]

Postfix only accepts mail that matches this pattern or belongs to these domains. That means if you want to send an e-mail, the domain after the "@" must be found on this line:
  relay_domains = $mydestination domain.de domain.net domain.org

...or in this file:
  vi /etc/postfix/relay_domains
  gmx.net                         RELAY
  gmx.de                          RELAY
  web.de                          RELAY
  
  postmap /etc/postfix/relay_domains
  
  vi /etc/postfix/main.cf
  ...
  relay_domains = $mydestination, hash:/home/etc/postfix/relay_domains
  ...

This tells Postfix the forwarding targets (quelle@domain.de -> ziel@mein.postfach):
  virtual_alias_maps = hash:/etc/postfix/virtual
<file>
#
# postmap /etc/postfix/virtual
#
@domain.de                      fritz@localhost
@domain.net                     fritz
@domain.org                     fritz
rechnungen@domain.de            fratz
news@domain.de                  fratz
freunde@domain.de               fratz
</file>

This tells Postfix the domain replacements; it has the same effect as "virtual", except that here the destination address inside the mail is also replaced:
  smtp_generic_maps = hash:/etc/postfix/generic
<file>
#
# postmap /etc/postfix/generic
#
@internetshop.de                rechnungen@domain.de
@forum.net                      news@domain.de
@facebook.org                   freunde@domain.de
</file>

This replaces sender and recipient addresses; it is often used to correct address information:
  canonical_maps = hash:/etc/postfix/canonical
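Added example, not from the original page, serving both the parameter overview under "Postfix basics" and the virtual/generic tables above: a Python re-implementation of the search order and result rewriting documented in virtual(5) and generic(5), run over the two tables shown here, so the effect of a table entry can be predicted before postmap is run. $myorigin and $mydestination are assumed from the main.cf example on this page; only single-address results are handled.

```python
# Assumed settings, taken from the main.cf example on this page
MYORIGIN = "postbote.domain.de"                                              # $myorigin (/etc/mailname)
LOCAL_DOMAINS = {"postbote.domain.de", "localhost.domain.de", "localhost"}  # $mydestination

# The two tables from the page, in the text form that postmap reads
VIRTUAL_TXT = """
# postmap /etc/postfix/virtual
@domain.de                      fritz@localhost
@domain.net                     fritz
@domain.org                     fritz
rechnungen@domain.de            fratz
news@domain.de                  fratz
freunde@domain.de               fratz
"""
GENERIC_TXT = """
# postmap /etc/postfix/generic
@internetshop.de                rechnungen@domain.de
@forum.net                      news@domain.de
@facebook.org                   freunde@domain.de
"""


def parse_table(text):
    """Read 'key value' lines the way postmap does; '#' comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def lookup(table, addr, local_domains=LOCAL_DOMAINS):
    """Search order from virtual(5)/generic(5): user@domain, then bare user
    (only when domain is a local domain), then the @domain catch-all."""
    user, _, domain = addr.lower().partition("@")
    keys = [f"{user}@{domain}"] + ([user] if domain in local_domains else []) + [f"@{domain}"]
    return next((table[k] for k in keys if k in table), None)


def rewrite_result(addr, result, myorigin=MYORIGIN):
    """RESULT ADDRESS REWRITING from the man pages: a result '@otherdomain' keeps
    the user part of addr; a result without '@domain' gets '@$myorigin' appended."""
    if result.startswith("@"):
        return addr.partition("@")[0] + result
    return result if "@" in result else f"{result}@{myorigin}"


def virtual_alias(addr, table=None, limit=1000):
    """Expand a recipient through virtual_alias_maps. Expansion is recursive: each
    result is looked up again until nothing matches (limit stands in for
    virtual_alias_recursion_limit)."""
    table = parse_table(VIRTUAL_TXT) if table is None else table
    addr = rewrite_result(addr, addr.lower())      # qualify a bare user name first
    for _ in range(limit):
        result = lookup(table, addr)
        if result is None:
            return addr
        nxt = rewrite_result(addr, result)
        if nxt == addr:
            return addr
        addr = nxt
    raise RuntimeError("virtual alias recursion limit reached at " + addr)


def generic_rewrite(addr, table=None):
    """Apply smtp_generic_maps to an address of an outgoing message (one lookup,
    not recursive): the table above turns fritz@internetshop.de into
    rechnungen@domain.de, the alias that the virtual table routes to fratz."""
    table = parse_table(GENERIC_TXT) if table is None else table
    result = lookup(table, addr)
    return addr.lower() if result is None else rewrite_result(addr.lower(), result)
```

Note that a bare result such as "fratz" only stays local because $myorigin is not one of the catch-all domains; with myorigin = domain.de the second lookup round would match @domain.de again and hand the mail to fritz.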
 +
 +
=== /etc/postfix/master.cf ===

To also open port 465, the line beginning with **SMTPS**
and the associated lines below it must be enabled here.

  ...
  smtps     inet  n                               smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
  ...
 +
 +
=== Test SMTP STARTTLS encryption ===

  * [[http://dovecot.org/pipermail/dovecot/2010-May/049128.html]]

  > telnet mail.domain.de 25
  Trying 192.186.1.142...
  Connected to mail.domain.de.
  Escape character is '^]'.
  220 mail.domain.de ESMTP Postfix (Ubuntu)
  EHLO mail.domain.de
  250-mail.domain.de
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-STARTTLS
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  STARTTLS
  220 2.0.0 Ready to start TLS

  > openssl s_client -starttls smtp -connect mail.domain.de:smtp
  ...
  ---
  SSL handshake has read 2738 bytes and written 354 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 4096 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : DHE-RSA-AES256-SHA
      Session-ID: 49862F23385CD9AC3D85F09AE17F25209B358E2A11DE580C3EF2761BE656D75B
      Session-ID-ctx:
      Master-Key: A6E58F2E1E3D0D365AB1E2E9AE3E9B4B8F46095FA1583242FCD7FD115B11F4DD6FB720E986A8DEC9208CA335B432C0C3
      Key-Arg   : None
      Start Time: 1381866777
      Timeout   : 300 (sec)
      Verify return code: 18 (self signed certificate)
  ---
  250 DSN
  DONE
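Added example (not part of the original page) that turns the manual test above into a repeatable check: check_ehlo() inspects captured EHLO replies offline and confirms what smtpd_tls_auth_only = yes promises, namely that AUTH is only offered after STARTTLS, while probe() repeats the exchange live with smtplib; the host argument and the cafile parameter are assumptions.

```python
import smtplib
import ssl

# Constructed from the telnet transcript above: the plaintext EHLO reply only
PAGE_EHLO = """250-mail.domain.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Return the set of keywords advertised in a 250 EHLO reply.

    Accepts the raw wire form ('250-KEYWORD ...') and the form smtplib hands
    back (code prefixes already stripped); the first line is the host name.
    """
    words = []
    for line in reply.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        elif line[:3].isdigit():
            continue                      # 220/221/5xx lines are not capabilities
        if line.split():
            words.append(line.split()[0].upper())
    return set(words[1:])


def check_ehlo(plain_reply, tls_reply=None):
    """Findings about the EHLO before and (optionally) after STARTTLS.

    With smtpd_tls_auth_only = yes, as in the main.cf above, AUTH must not be
    offered on the plaintext EHLO; it should only appear once TLS is active.
    """
    plain = parse_ehlo(plain_reply)
    findings = {
        "starttls_offered": "STARTTLS" in plain,
        "auth_before_tls": "AUTH" in plain,     # passwords would travel in clear
    }
    if tls_reply is not None:
        tls = parse_ehlo(tls_reply)
        findings["auth_after_tls"] = "AUTH" in tls
        findings["starttls_repeated"] = "STARTTLS" in tls   # not allowed by RFC 3207
    return findings


def probe(host, port=25, cafile=None, timeout=10):
    """Live version (assumed helper, needs network): EHLO, STARTTLS, EHLO again.

    The default context verifies chain and host name, so the self-signed
    certificate from the script above fails like s_client's "Verify return
    code: 18" unless its .crt file is passed as cafile.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, plain = smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return check_ehlo(plain.decode(errors="replace"))
        smtp.starttls(context=ctx)
        _, after = smtp.ehlo()
        findings = check_ehlo(plain.decode(errors="replace"), after.decode(errors="replace"))
        findings["tls_version"] = smtp.sock.version()   # e.g. 'TLSv1.3' after the upgrade
        return findings
```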
 +