====== Postfix ======

  * [[https://www.unixwitch.de/de/sysadmin/tools/postfix|Postfix cheat sheet]]
  * [[https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/|Postfix + HAProxy]]

==== Initial installation ====

See also: [[::mailserver#Mails über seinen Provider versenden|Sending mail through your provider]]

  - VM installation
  - Follow-up work (in the new environment):
    - ''locale-gen''
    - ''%%time (aptitude clean ; dpkg --configure -a ; aptitude update && aptitude -y safe-upgrade && aptitude clean) && echo OK%%''
    - ''aptitude install language-pack-en language-pack-de''
    - ''aptitude remove nullmailer''
    - ''aptitude install mc postfix''
      - -> [[http://wiki.ubuntuusers.de/Postfix#Grundkonfiguration|Internet with smarthost]] -> SMTP relay host: "tcpandora.tcoqrm.victorvox.net"
    - ''echo "root: mxuser@dialing.de" >> /etc/aliases''
    - ''newaliases''

Reconfiguration:
<code>
> dpkg-reconfigure postfix
</code>

===== Postfix basics =====

  * **mydestination**: Postfix does not relay messages for domains it regards as its //final destination//; it always tries to deliver them locally. The list of host names and domains is whitespace-separated.
  * **myorigin**: when local mail is sent with only a user name as the address (e.g. "root" or "CRON"), Postfix completes the name with "@$myhostname". With ''myorigin'' you can decide yourself what the user name is extended with to form a full e-mail address (e.g. "root@$myorigin").
  * **relay_domains**: the list of domains for which mail may be relayed.
  * **relay_transport**: where mail for the corresponding domains, subdomains or e-mail addresses is forwarded to.
  * **virtual_alias_maps**: where the corresponding e-mail addresses are forwarded to.
  * **smtp_generic_maps**: tells Postfix the domain replacements; it has the same effect as "virtual", except that here the destination address inside the mail is also rewritten.
  * **canonical_maps**: replaces sender and recipient addresses; often used to correct address information.

===== Useful to know =====

  * [[http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html]]

Show the mail queue:
<code>
> mailq
</code>

Flush the complete mail queue:
<code>
> postsuper -d ALL
</code>

  * [[https://wiki.ubuntuusers.de/Postfix/Erweiterte_Konfiguration/]]

<code>
vi /etc/postfix/main.cf
...
### Specifies whether or not mail that would normally be bounced
### should be queued for redelivery attempts. Also converts any
### permanent rejection codes to temporary error codes. This parameter
### is useful for testing out configuration changes
### to make sure that no mail is permanently rejected.
soft_bounce = yes
...
### put all undeliverable mail into Fritz's local mailbox
luser_relay = fritz
...
</code>

If no transport table has been set up (''transport_maps = hash:/etc/postfix/transport''), the default transport destination is used: **''smtp:$myhostname''**\\
When establishing the connection, Postfix identifies itself in the ''HELO'' with ''$myhostname'', so this must match the ''CN'' in the SSL key 100%!
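To make the lookup order behind ''virtual_alias_maps'' concrete, here is an added Python example (not code from this page or from Postfix) that simulates how virtual(5) resolves a recipient against a table like the ''/etc/postfix/virtual'' example in the multi-domain section further down: the full address first, then the bare user name (only for local domains), then the ''@domain'' catch-all, with every result looked up again until nothing matches. It goes a little beyond the page's example by handling the ''+extension'' fallback and a catch-all whose target is itself an ''@otherdomain'' entry. ''MYORIGIN'', ''MYDESTINATION'' and ''SAMPLE_VIRTUAL'' are constructed for the illustration; the loop handling is a simplification of what Postfix bounds with ''virtual_alias_recursion_limit''.

```python
"""Simulated virtual_alias_maps lookup following virtual(5).

Added example, not code from this page or from Postfix.  MYORIGIN, MYDESTINATION
and SAMPLE_VIRTUAL are constructed; the table mirrors the /etc/postfix/virtual
example in the multi-domain section.  Lookup order per recipient:
user+ext@domain, user@domain, user+ext, user (the bare forms only when the domain
is local), then @domain; each result is looked up again until nothing matches.
Loops are reported after RECURSION_LIMIT steps (Postfix bounds this with
virtual_alias_recursion_limit; the fixed limit here is a simplification).
"""
import re

MYORIGIN = "postbote.domain.de"                                 # constructed
MYDESTINATION = {"postbote.domain.de", "localhost.domain.de", "localhost"}
RECIPIENT_DELIMITER = "+"
RECURSION_LIMIT = 100

SAMPLE_VIRTUAL = """\
# constructed table in postmap(1) text format
@domain.de            fritz@localhost
@domain.net           fritz
@domain.org           fritz
@domain.com           @domain.de
rechnungen@domain.de  fratz
news@domain.de        fratz
freunde@domain.de     fratz
team@domain.org       fritz, fratz
"""


def parse_map(text):
    """'key value[, value ...]' per line; '#' lines and blank lines are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {raw!r}")
        table[parts[0].lower()] = [v for v in re.split(r"[\s,]+", parts[1]) if v]
    return table


def qualify(addr):
    """Append @$myorigin to a bare user name, as trivial-rewrite(8) does."""
    addr = addr.strip().lower()
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"


def lookup(table, addr):
    """One virtual(5) lookup for a fully qualified address; None if no entry."""
    local, _, domain = addr.rpartition("@")
    base = local.split(RECIPIENT_DELIMITER, 1)[0]
    keys = [addr]
    if base != local:
        keys.append(f"{base}@{domain}")
    if domain in MYDESTINATION or domain == MYORIGIN:
        keys.append(local)
        if base != local:
            keys.append(base)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            results = table[key]
            if key.startswith("@"):
                # catch-all hit: a result of the form @other keeps the local part
                results = [f"{local}{r}" if r.startswith("@") else r for r in results]
            return results
    return None


def expand(table, addr):
    """Expand one recipient recursively; returns the final delivery addresses."""
    final, pending, steps = [], [qualify(addr)], 0
    while pending:
        current = pending.pop(0)
        steps += 1
        if steps > RECURSION_LIMIT:
            raise ValueError(f"virtual alias expansion does not terminate at {current}")
        results = lookup(table, current)
        if results is None:
            final.append(current)
            continue
        targets = [qualify(r) for r in results]
        if targets == [current]:             # entry that maps to itself: stop here
            final.append(current)
        else:
            pending.extend(targets)
    return final


def resolve(map_text, addr):
    """Convenience wrapper: parse the table text and expand one address."""
    return expand(parse_map(map_text), addr)


if __name__ == "__main__":
    for rcpt in ("anyone@domain.de", "Rechnungen+march@domain.de",
                 "news@domain.com", "team@domain.org"):
        print(f"{rcpt:28} -> {', '.join(resolve(SAMPLE_VIRTUAL, rcpt))}")
```

Note how ''rechnungen+march@domain.de'' is caught by the ''rechnungen@domain.de'' entry before the ''@domain.de'' catch-all is consulted, and how a bare ''fratz'' result is completed with ''$myorigin'' before it is looked up again.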
===== Sender address =====

  * [[http://wiki.ubuntuusers.de/postfix]]
  * [[http://dozent.maruweb.de/material/postfix2.shtml]]
  * [[http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions]]
  * [[http://www.postfix.org/ADDRESS_REWRITING_README.html#standard]]
  * [[http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical]]

The ''//sender address//'' is composed of the name of the //user// and the //mail name// (''benutzer@maildomain.de''). On Ubuntu the //mail name// (''maildomain.de'') can be changed in two ways:
<code>
# sudo dpkg-reconfigure postfix
</code>
or like this:
<code>
# echo "maildomain.de" > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf
</code>
If you use an SSL certificate, the FQDN has to go here (identical to the "CN" in the SSL certificate):
<code>
# hostname -f > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf
</code>
Then don't forget to restart the service:
<code>
# /etc/init.d/postfix restart
</code>

===== Exit codes =====

When Postfix wants to hand a mail to an external script through a pipe and something goes wrong, the result is a return mail that can contain one of the following exit codes:

^ Status ^ $? ^ Description ^
| EX_OK | 0 | successful termination |
| EX_USAGE | 64 | command line usage error |
| EX_DATAERR | 65 | data format error |
| EX_NOINPUT | 66 | cannot open input |
| EX_NOUSER | 67 | addressee unknown |
| EX_NOHOST | 68 | host name unknown |
| EX_UNAVAILABLE | 69 | service unavailable |
| EX_SOFTWARE | 70 | internal software error |
| EX_OSERR | 71 | system error (e.g., can't fork) |
| EX_OSFILE | 72 | critical OS file missing |
| EX_CANTCREAT | 73 | can't create (user) output file |
| EX_IOERR | 74 | input/output error |
| EX_TEMPFAIL | 75 | temp failure; user is invited to retry |
| EX_PROTOCOL | 76 | remote error in protocol |
| EX_NOPERM | 77 | permission denied |
| EX_CONFIG | 78 | configuration error |

===== Installation =====

==== Without virtual mailboxes ====

The easiest way to install the mail server is from binary packages:
<code>
# pkg install postfix-tls-2.11.1_2,1 dovecot-1.2.17_4
</code>
For managing the mail of system users this is sufficient. Reading mail over an encrypted connection is possible (e.g. IMAP -> port 143 with STARTTLS or port 993 with SSL), but e-mails can only be sent unencrypted (port 25):
<code>
postfix/smtp[38595]: warning: TLS has been selected, but TLS support is not compiled in
</code>

==== With virtual mailboxes ====

Managing virtual mailboxes requires SASL support. Unfortunately the binary packages have been compiled without SASL support, so we have to build the programs by hand:
<code>
# pkg search portupgrade
portupgrade-2.4.12_2,2
# pkg install portupgrade-2.4.12_2,2
# portupgrade -NRO mail/postfix
</code>
Because I need Sieve support in Dovecot and at the moment only Dovecot version 1 supports Sieve, "DOVECOT" has to be selected here. And of course I also need SSL support:
<code>
[*] PCRE     Perl Compatible Regular Expressions
[*] SASL2    Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[*] DOVECOT  Dovecot 1.x SASL authentication method
...
[*] TLS      Enable SSL and TLS support
...
</code>
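As an added example (Python, not code from this page or from Postfix), here is a minimal delivery command for a pipe(8) transport that uses exactly these sysexits codes: an unknown or malformed recipient is bounced with EX_NOUSER (67), an empty message with EX_DATAERR (65), and an I/O problem in the spool returns EX_TEMPFAIL (75) so that Postfix defers and retries instead of bouncing. The master.cf service in the header comment, ''SPOOL_DIR'' and ''KNOWN_USERS'' are constructed assumptions; ''run_demo()'' exercises each exit path in a throw-away directory.

```python
"""Delivery command for a Postfix pipe(8) transport, using sysexits(3) codes.

Added example, not code from this page or from Postfix.  Constructed assumptions:
the master.cf service below, SPOOL_DIR and KNOWN_USERS.

  # master.cf (constructed):
  # demo   unix  -  n  n  -  -  pipe
  #   flags=DRhu user=vmail argv=/usr/local/bin/pipe_deliver.py ${recipient}

Postfix reads the exit status: 0 = delivered, 67 (EX_NOUSER) and 65 (EX_DATAERR)
= bounce, 75 (EX_TEMPFAIL) = defer and retry later.
"""
import os
import re
import secrets
import sys
import time
from pathlib import Path

SPOOL_DIR = Path("/var/spool/pipe-demo")             # constructed
KNOWN_USERS = {"fritz", "fratz"}                      # constructed allow-list
RECIPIENT_DELIMITER = "+"
LOCAL_PART_RE = re.compile(r"^[a-z0-9._+-]{1,64}$")   # no '/', no control chars


def classify_recipient(recipient):
    """Map an address to a known local user, or None if we must not deliver it."""
    local, _, _domain = recipient.strip().lower().rpartition("@")
    if not LOCAL_PART_RE.match(local):
        return None                                   # also blocks '../' style names
    base = local.split(RECIPIENT_DELIMITER, 1)[0]     # drop the +extension
    return base if base in KNOWN_USERS else None


def deliver(recipient, message, spool_dir=SPOOL_DIR):
    """Store message under spool_dir/<user>/ and return a sysexits status."""
    user = classify_recipient(recipient)
    if user is None:
        return os.EX_NOUSER                           # 67: Postfix bounces "user unknown"
    if not message.strip():
        return os.EX_DATAERR                          # 65: bounce, message unusable
    try:
        mailbox = Path(spool_dir) / user
        mailbox.mkdir(parents=True, exist_ok=True)
        name = f"{int(time.time())}.{os.getpid()}.{secrets.token_hex(4)}"
        tmp = mailbox / f"{name}.tmp"
        with open(tmp, "xb") as fh:                   # 'x': never clobber an existing file
            fh.write(message)
            fh.flush()
            os.fsync(fh.fileno())
        tmp.replace(mailbox / name)                   # atomic rename after fsync
    except OSError:
        return os.EX_TEMPFAIL                         # 75: Postfix defers and retries
    return os.EX_OK


def run_demo():
    """Exercise each exit path in a throw-away spool; returns the status codes."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp) / "spool"
        blocker = Path(tmp) / "blocker"
        blocker.write_text("")                        # a file where a directory is needed
        return {
            "known": deliver("Fritz+invoices@domain.de", b"Subject: hi\n\nbody\n", spool),
            "stored": len(list((spool / "fritz").iterdir())),
            "unknown": deliver("nobody@domain.de", b"Subject: x\n\n", spool),
            "traversal": deliver("../../etc/passwd@domain.de", b"Subject: x\n\n", spool),
            "empty": deliver("fritz@domain.de", b"  \n", spool),
            "tempfail": deliver("fritz@domain.de", b"Subject: x\n\n", blocker / "spool"),
        }


if __name__ == "__main__":
    # Postfix invocation: recipient as argv[1], message on stdin.
    sys.exit(deliver(sys.argv[1] if len(sys.argv) > 1 else "", sys.stdin.buffer.read()))
```

The distinction that matters operationally is 67 versus 75: a permanent code makes Postfix generate the return mail described above, while 75 keeps the message in the queue, so a full disk or a missing directory does not turn into a bounce storm.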
**''SASL2''** is only needed if you want to use virtual mail users.

<code>
Warning: you still need to edit myorigin/mydestination/mynetworks
parameter settings in /usr/local/etc/postfix/main.cf.

See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html
for information about dialup sites or about sites inside a firewalled
network.

BTW: Check your /etc/aliases file and be sure to set up aliases
that send mail for root and postmaster to a real person, then run
/usr/local/bin/newaliases.

install -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/rmail/rmail /usr/local/bin/rmail
install -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/qshape/qshape.pl /usr/local/bin/qshape
install -o root -g wheel -m 444 /usr/ports/mail/postfix/work/postfix-2.8.4/man/man1/qshape.1 /usr/local/man/man1
===> Installing rc.d startup script(s)
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y

To enable postfix startup script please add postfix_enable="YES" in
your rc.conf

If you not need sendmail anymore, please add in your rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

And you can disable some sendmail specific daily maintenance routines in your
/etc/periodic.conf file:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

If /etc/periodic.conf does not exist please create it and add those values.

If you are using SASL, you need to make sure that postfix has access to read
the sasldb file.  This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).

If you are upgrading from Postfix 2.6 or earlier, review the RELEASE_NOTES to
familiarize yourself with new features and incompatabilities.

This port has installed the following startup scripts which may cause these
network services to be started at boot time.
/usr/local/etc/rc.d/postfix

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
http://www.postfix.org/
===> Cleaning for postfix-2.8.4,1
</code>

Check that the SMTP client is actually linked against SASL, and which SASL client (''-A'') and server (''-a'') plugin types Postfix knows:
<code>
# ldd /usr/local/libexec/postfix/smtp
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x4002d000)
...
# postconf -A
cyrus
# postconf -a
dovecot
</code>

==== LDA Postfix ====

**In the current version you will find this information on FreeBSD under ///usr/local/share/doc/dovecot/wiki//**

=== System users ===

You can use deliver with a few selected system users (i.e. the user is found from ''/etc/passwd'' / NSS) by calling deliver in the user's ''~/.forward'' file:
<code>
| "/usr/local/libexec/dovecot/deliver"
</code>
This should work with any MTA which supports per-user ''.forward'' files. (For qmail's per-user setup, see LDA.Qmail.txt.) This method doesn't require the authentication socket explained below since it's executed as the user itself.

----

If you wish to use ''deliver'' for all system users on a single domain mail host you can do it by editing the ''mailbox_command'' parameter in ''/etc/postfix/main.cf'' (postconf(5) [[http://www.postfix.org/postconf.5.html]]):
<code>
mailbox_command = /usr/local/libexec/dovecot/deliver
</code>
Then run ''postfix reload'' and that is it.
=== Virtual users ===

Dovecot LDA is very easy to use on large scale installations with Postfix virtual domains support, just add a ''dovecot'' service in ''/etc/postfix/master.cf'' (master(5) [[http://www.postfix.org/master.5.html]]):
<code>
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</code>
An example using address extensions (i.e. user+extension@domain.com) to deliver to the folder ''extension'' in your maildir (if you wish to preserve the case of ${extension}, remove the ''hu'' flags [[http://www.postfix.org/pipe.8.html]], and be sure to utilize [Variables.txt] in your dovecot.conf for mail locations and other configuration parameters that are expecting lower case):
<code>
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}

# or with v1.1.2+ if you have a INBOX/ namespace prefix:
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m INBOX/${extension}
</code>
This example ignores address extensions (i.e. user+extension@domain.com delivers just like user@domain.com):
<code>
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${user}
</code>
Replace ''vmail'' above with your virtual mail user account. Then set ''virtual_transport'' to ''dovecot'' in ''/etc/postfix/main.cf'':
<code>
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = your.domain.here
virtual_transport = dovecot
</code>
And remember to run ''postfix reload''.

=== Authentication socket ===

<code>
> vi /usr/local/etc/dovecot.conf
...
protocol lda {
  ...
  # UNIX socket path to master authentication server to find users.
  #auth_socket_path = /var/run/dovecot/auth-master
}
auth default {
  ...
  socket listen {
    master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      path = /var/run/dovecot/auth-master
      mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      #user =
      #group =
      group = mail
    }
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = mail
    }
  }
}
</code>

----

==== Further links ====

http://bsdinn.com/postfix/index.php

==== Example from Ubuntu 09.10 ====

<code>
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = hostname, localhost.localdomain, localhost
myhostname = hostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.crt
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
</code>

==== Example from Ubuntu 12.04 LTS ====

Usually [[http://wiki.ubuntuusers.de/Postfix#Grundkonfiguration|Internet with smarthost]] is the right choice.

=== Enabling SMTP STARTTLS encryption ===

Generate the SSL key:
<code bash>
#!/bin/bash
RECHNERNAME="$(hostname -f)"
EMAIL="email@adresse.de"
STAAT="DE"
LAND="Hessen"
STADT="Frankfurt"
ORGANISATION="Firma"
ABTEILUNG="Abteilung"
ZEITRAUM="12000"   # validity period in days
BITLANG="16384"    # key length in bits
openssl req -rand /dev/urandom -sha1 -new -x509 -newkey rsa:${BITLANG} -nodes -keyout /etc/ssl/private/postfix.key -keyform PEM -out /etc/ssl/certs/postfix.crt -outform PEM -subj "/emailAddress=${EMAIL}/C=${STAAT}/ST=${LAND}/L=${STADT}/O=${ORGANISATION}/OU=${ABTEILUNG}/CN=${RECHNERNAME}" -days ${ZEITRAUM}
if [ -r "/etc/ssl/private/postfix.key" ] ; then
  echo "/etc/ssl/private/postfix.key $(openssl rsa -noout -modulus -in /etc/ssl/private/postfix.key | openssl md5)"
fi
if [ -r "/etc/ssl/certs/postfix.crt" ] ; then
  echo "/etc/ssl/certs/postfix.crt $(openssl x509 -noout -modulus -in /etc/ssl/certs/postfix.crt | openssl md5)"
  openssl x509 -noout -subject -issuer -dates -in /etc/ssl/certs/postfix.crt
fi
</code>
The two ''openssl ... -modulus | openssl md5'' lines print the modulus hash of key and certificate; they must be identical, otherwise the two files do not belong together.

=== /etc/postfix/main.cf ===

  * [[http://www.postfix.org/TLS_README.html#server_enable]]

The following variables have to be adjusted here:
  - **home_mailbox**
  - **mydestination**
  - **mynetworks**
  - **smtpd_tls_cert_file**
  - **smtpd_tls_key_file**
as well as the two variables for caching undeliverable mail while the relay host happens to be unreachable:
  - **smtp_connection_cache_on_demand**
  - **smtp_connection_cache_destinations**

<code>
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
#smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = postbote.domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = postbote.domain.de, localhost.domain.de, localhost
relayhost = smtp.domain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 192.168.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_connection_cache_on_demand = yes
smtp_connection_cache_destinations = $relayhost
</code>

== Configuring Postfix for more than one domain ==

  * [[http://www.postfix.org/STANDARD_CONFIGURATION_README.html|Postfix Standard Configuration Examples]]

Postfix only accepts mail that matches this pattern, i.e. that belongs to these domains. This means that if you want to send an e-mail, the domain after the "@" has to appear in this line:
<code>
relay_domains = $mydestination domain.de domain.net domain.org
</code>
...or in this file:
<code>
vi /etc/postfix/relay_domains
gmx.net   RELAY
gmx.de    RELAY
web.de    RELAY

postmap /etc/postfix/relay_domains

vi /etc/postfix/main.cf
...
relay_domains = $mydestination, hash:/home/etc/postfix/relay_domains
...
</code>
Here Postfix is told the forwarding targets (quelle@domain.de -> ziel@mein.postfach):
<code>
virtual_alias_maps = hash:/etc/postfix/virtual
#
# postmap /etc/postfix/virtual
#
@domain.de            fritz@localhost
@domain.net           fritz
@domain.org           fritz
rechnungen@domain.de  fratz
news@domain.de        fratz
freunde@domain.de     fratz
</code>
Here Postfix is told the domain replacements; it has the same effect as "virtual", except that here the destination address inside the mail is also rewritten:
<code>
smtp_generic_maps = hash:/etc/postfix/generic
#
# postmap /etc/postfix/generic
#
@internetshop.de  rechnungen@domain.de
@forum.net        news@domain.de
@facebook.org     freunde@domain.de
</code>
This replaces sender and recipient addresses; it is often used to correct address information:
<code>
canonical_maps = hash:/etc/postfix/canonical
</code>

=== /etc/postfix/master.cf ===

To open port 465 as well, the line beginning with **smtps** and the associated lines below it have to be enabled here:
<code>
...
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
...
</code>

=== Testing SMTP STARTTLS encryption ===

  * [[http://dovecot.org/pipermail/dovecot/2010-May/049128.html]]

<code>
> telnet mail.domain.de 25
Trying 192.186.1.142...
Connected to mail.domain.de.
Escape character is '^]'.
220 mail.domain.de ESMTP Postfix (Ubuntu)
EHLO mail.domain.de
250-mail.domain.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
</code>

<code>
> openssl s_client -starttls smtp -connect mail.domain.de:smtp
...
---
SSL handshake has read 2738 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 49862F23385CD9AC3D85F09AE17F25209B358E2A11DE580C3EF2761BE656D75B
    Session-ID-ctx:
    Master-Key: A6E58F2E1E3D0D365AB1E2E9AE3E9B4B8F46095FA1583242FCD7FD115B11F4DD6FB720E986A8DEC9208CA335B432C0C3
    Key-Arg   : None
    Start Time: 1381866777
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
DONE
</code>
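As an added example (Python, not code from this page or from Postfix), here is a small audit script for the settings that the main.cf examples above turn on: it parses a main.cf or a ''postconf -n'' dump and flags a restriction list without ''reject_unauth_destination'' (relay control), legacy protocols in ''smtpd_tls_mandatory_protocols'', SASL allowed over a cleartext connection, ''soft_bounce'' left on after testing, and every non-loopback entry in ''mynetworks'' (each of which may relay without authentication). The two embedded configurations are constructed: ''WEAK'' is the 12.04 example with the relay control removed, ''HARDENED'' is the corrected form; the finding names are this script's own.

```python
"""Audit a Postfix main.cf / 'postconf -n' dump for weak settings.

Added example, not code from this page or from Postfix.  WEAK and HARDENED are
constructed: WEAK is the Ubuntu 12.04 example above with reject_unauth_destination
removed, HARDENED is the corrected form.  Usage: postconf -n | python3 audit.py
"""
import re

WEAK = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 192.168.0.0/16
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
soft_bounce = yes
"""

HARDENED = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
soft_bounce = no
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "[::ffff:127.")


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a parameter line: {line!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def audit(text):
    """Return a list of finding codes for the configuration in text."""
    p = parse_postconf(text)

    def lst(name):
        return split_list(p.get(name, ""))

    findings = []

    # Relay control: a restriction list must end unauthorised relaying.
    # Postfix >= 2.10 supplies a safe smtpd_relay_restrictions default, but a
    # dump showing neither list relies on that implicit default.
    restrictions = set(lst("smtpd_recipient_restrictions") + lst("smtpd_relay_restrictions"))
    if not restrictions & {"reject_unauth_destination", "defer_unauth_destination"}:
        findings.append("RELAY_CONTROL_NOT_EXPLICIT")

    # TLS protocols: names without '!' form an include list, with '!' an exclude list.
    protocols = lst("smtpd_tls_mandatory_protocols")
    included = {x for x in protocols if not x.startswith("!")}
    excluded = {x[1:] for x in protocols if x.startswith("!")}
    if included:
        legacy = included & LEGACY_PROTOCOLS
    else:
        legacy = LEGACY_PROTOCOLS - excluded if protocols else set()
    findings += [f"LEGACY_TLS_PROTOCOL:{name}" for name in sorted(legacy)]

    # SASL: without TLS-only auth, plaintext mechanisms must be forbidden on the clear channel.
    if (p.get("smtpd_sasl_auth_enable") == "yes" and p.get("smtpd_tls_auth_only") != "yes"
            and "noplaintext" not in lst("smtpd_sasl_security_options")):
        findings.append("SASL_PLAINTEXT_WITHOUT_TLS")

    # soft_bounce turns every permanent reject into a 4xx; useful for testing only.
    if p.get("soft_bounce") == "yes":
        findings.append("SOFT_BOUNCE_ENABLED")

    # Every non-loopback network in mynetworks may relay without authentication.
    for net in lst("mynetworks"):
        if not net.startswith(LOOPBACK_PREFIXES):
            findings.append(f"MYNETWORKS_TRUSTS:{net}")
    return findings


if __name__ == "__main__":
    import sys
    source = WEAK if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(source) or ["no findings"]:
        print(finding)
```

''MYNETWORKS_TRUSTS'' findings are informational: trusting 10.0.0.0/8, as the 12.04 example does, is a deliberate choice, but every host in that range can then send through ''permit_mynetworks'' without SASL, which is worth knowing when the relay host logs show unexpected senders.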