Postfix

Initial installation

see also: Sending mail via your provider

  1. VM installation
    1. Post-installation steps (in the new environment):
    2. locale-gen
    3. time (aptitude clean ; dpkg --configure -a ; aptitude update && aptitude -y safe-upgrade && aptitude clean) && echo OK
    4. aptitude install language-pack-en language-pack-de
  2. aptitude remove nullmailer
  3. aptitude install mc postfix
    1. Internet with smarthost → SMTP relay host: "tcpandora.tcoqrm.victorvox.net"
  4. echo "root: mxuser@dialing.de" >> /etc/aliases
  5. newaliases

Reconfiguration:

> dpkg-reconfigure postfix

Postfix basics

Postfix does not forward mail for domains it considers its final destination; it always tries to deliver such mail locally (the list of hostnames and domains is separated by whitespace or commas):

mydestination

If local mail is sent with a bare user name only (e.g. "root" or "CRON"), Postfix appends "@$myorigin" to that name; myorigin defaults to $myhostname, but you can set it yourself to control which domain turns the user name into a complete e-mail address (e.g. "root@$myorigin"):

myorigin

List of domains (besides its own) for which Postfix accepts and relays mail from untrusted clients:

relay_domains

the transport (and optional next hop) used for mail to the relay_domains; per-domain, per-subdomain or per-address destinations go into transport_maps instead:

relay_transport

redirects mail for individual addresses or whole domains to other local or remote addresses (applied by cleanup(8) before routing):

virtual_alias_maps

address replacement for mail that leaves via the SMTP client; unlike "virtual" it rewrites the addresses inside the message too (envelope and headers), typically to turn internal addresses into valid internet addresses:

smtp_generic_maps

rewrites sender and recipient addresses in envelope and headers of mail entering the queue; often used to correct address information:

canonical_maps

Useful to know

View the mail queue:

> mailq

Delete every message in the mail queue (postsuper -d ALL discards them, it does not attempt delivery):

> postsuper -d ALL

vi /etc/postfix/main.cf

...
### Specifies whether or not mail that would normally be bounced
### should be queued for redelivery attempts. Also converts any
### permanent rejection codes to temporary error codes. This parameter
### is useful for testing out configuration changes
### to make sure that no mail is permanently rejected.
soft_bounce = yes
...
### deliver mail for unknown local recipients to Fritz's local mailbox instead of bouncing it
luser_relay = fritz
...

If no transport table is configured (transport_maps = hash:/etc/postfix/transport), mail is routed with the default transport: the smtp client delivers directly to the MX of the recipient domain, or to $relayhost if one is set.
When connecting, Postfix announces itself with $myhostname in HELO/EHLO (smtp_helo_name defaults to it), so it should match the CN (or a SAN) of the TLS certificate exactly.

Sender address

The sender address is composed of the user name and the mail name (user@maildomain.de).

On Ubuntu the mail name (maildomain.de) can be changed in two ways:

# sudo dpkg-reconfigure postfix

or like this:

# echo "maildomain.de" > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf

If you use a TLS certificate, the FQDN must go here (identical to the "CN" in the certificate):

# hostname -f > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf

Then don't forget to restart the service:

# /etc/init.d/postfix restart

Exit codes

If Postfix hands a message to an external script via the pipe transport and the script fails, the resulting bounce mail quotes one of the following exit codes (the conventions of sysexits.h). Only EX_TEMPFAIL (75) and EX_OSERR (71) count as temporary failures that make Postfix defer the message and retry; every other non-zero status becomes a permanent bounce, so a delivery script must return 75 for anything that might succeed later (full disk, locked mailbox, database unreachable).

Status          $?  Description
EX_OK            0  successful termination
EX_USAGE        64  command line usage error
EX_DATAERR      65  data format error
EX_NOINPUT      66  cannot open input
EX_NOUSER       67  addressee unknown
EX_NOHOST       68  host name unknown
EX_UNAVAILABLE  69  service unavailable
EX_SOFTWARE     70  internal software error
EX_OSERR        71  system error (e.g., can't fork)
EX_OSFILE       72  critical OS file missing
EX_CANTCREAT    73  can't create (user) output file
EX_IOERR        74  input/output error
EX_TEMPFAIL     75  temp failure; user is invited to retry
EX_PROTOCOL     76  remote error in protocol
EX_NOPERM       77  permission denied
EX_CONFIG       78  configuration error
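As an added example (not from this page and not Postfix's own code), here is a minimal pipe(8) delivery script that maps the outcomes above to the right sysexits values: an unknown user and malformed input are permanent errors, a full disk is a temporary one that Postfix must retry. The user list, the spool path and the master.cf snippet in the trailing comment are constructed stand-ins.

```python
#!/usr/bin/env python3
"""Minimal pipe(8) delivery script that reports its outcome to Postfix with
sysexits.h codes. Added example, not Postfix code; the user list, spool path
and master.cf snippet are constructed stand-ins."""
import errno
import os
import sys
import tempfile
import time
from pathlib import Path

EX_OK, EX_DATAERR, EX_NOUSER, EX_OSERR, EX_TEMPFAIL = 0, 65, 67, 71, 75


def deliver(recipient, message, known_users, spool):
    """Store message in a maildir below spool; return the exit status for Postfix.
    Only EX_TEMPFAIL and EX_OSERR make Postfix defer and retry; every other
    non-zero value becomes a permanent bounce quoting the sysexits text."""
    local = recipient.partition("@")[0].lower()
    if local not in known_users:
        return EX_NOUSER                      # 5.1.1 "user unknown": bounce, never retried
    if b"\n\n" not in message and b"\r\n\r\n" not in message:
        return EX_DATAERR                     # no header/body separator: 5.6.0 bounce
    maildir = Path(spool) / local
    name = f"{time.time_ns()}.P{os.getpid()}.{os.uname().nodename}"
    try:
        for sub in ("tmp", "new", "cur"):
            (maildir / sub).mkdir(parents=True, exist_ok=True)
        (maildir / "tmp" / name).write_bytes(message)
        # rename is atomic: a reader never sees a half-written file in new/
        os.replace(maildir / "tmp" / name, maildir / "new" / name)
    except OSError as exc:
        if exc.errno in (errno.ENOSPC, errno.EDQUOT, errno.EAGAIN):
            return EX_TEMPFAIL                # 4.3.0: Postfix keeps the mail queued and retries
        return EX_OSERR                       # also deferred, e.g. permissions broken after an update
    return EX_OK


def demo():
    """Three constructed deliveries into a temporary spool; returns their exit codes."""
    msg = b"From: alice@example.org\nTo: fritz@postbote.domain.de\nSubject: test\n\nhello\n"
    users = {"fritz", "fratz"}
    with tempfile.TemporaryDirectory() as spool:
        result = {
            "ok": deliver("fritz@postbote.domain.de", msg, users, spool),
            "nouser": deliver("nobody@postbote.domain.de", msg, users, spool),
            "dataerr": deliver("fratz", b"not a mail", users, spool),
        }
        result["stored"] = len(list((Path(spool) / "fritz" / "new").iterdir()))
    return result


if __name__ == "__main__":
    # Assumed master.cf entry (recipient limit 1, so ${recipient} is one address):
    #   myscript  unix  -  n  n  -  -  pipe
    #     flags=Rq user=vmail argv=/usr/local/bin/deliver.py ${recipient}
    sys.exit(deliver(sys.argv[1], sys.stdin.buffer.read(), {"fritz", "fratz"}, "/var/spool/vmail"))
```

demo() runs the three scenarios in a temporary directory and returns the codes Postfix would see (0, 67 and 65); the EX_TEMPFAIL branch is only reachable with a full or quota-limited file system, which is exactly the case where you want Postfix to queue rather than bounce.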

Installation

Without virtual mailboxes

The easiest way to install the mail server is from binary packages:

# pkg install postfix-tls-2.11.1_2,1 dovecot-1.2.17_4

For handling the mail of system users this is sufficient.

Reading mail over an encrypted connection works (e.g. IMAP on port 143 with STARTTLS or port 993 with SSL), but with this build mail can only be sent unencrypted (port 25); the smtp client logs:

postfix/smtp[38595]: warning: TLS has been selected, but TLS support is not compiled in

With virtual mailboxes

Managing virtual mailboxes needs SASL support, but unfortunately the binary packages were compiled without it, so we have to build the programs by hand:

# pkg search portupgrade
  portupgrade-2.4.12_2,2
# pkg install portupgrade-2.4.12_2,2
# portupgrade -NRO mail/postfix

Since I need Sieve support in Dovecot and at the moment only Dovecot version 1 supports Sieve, "DOVECOT" must be ticked here. And of course I need SSL support too:

[*] PCRE       Perl Compatible Regular Expressions
[*] SASL2      Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[*] DOVECOT    Dovecot 1.x SASL authentication method
...
[*] TLS        Enable SSL and TLS support
...

SASL support (Cyrus SASL2 or the Dovecot method) is only needed if clients are to authenticate with SMTP AUTH, which is usually the case when you use virtual mail users.

    Warning: you still need to edit myorigin/mydestination/mynetworks
    parameter settings in /usr/local/etc/postfix/main.cf.

    See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html
    for information about dialup sites or about sites inside a
    firewalled network.

    BTW: Check your /etc/aliases file and be sure to set up aliases
    that send mail for root and postmaster to a real person, then
    run /usr/local/bin/newaliases.

install  -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/rmail/rmail /usr/local/bin/rmail
install  -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/qshape/qshape.pl /usr/local/bin/qshape
install  -o root -g wheel -m 444 /usr/ports/mail/postfix/work/postfix-2.8.4/man/man1/qshape.1 /usr/local/man/man1
===> Installing rc.d startup script(s)
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y
To enable postfix startup script please add postfix_enable="YES" in
your rc.conf

If you not need sendmail anymore, please add in your rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

And you can disable some sendmail specific daily maintenance routines in your
/etc/periodic.conf file:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

If /etc/periodic.conf does not exist please create it and add those values.

If you are using SASL, you need to make sure that postfix has access to read
the sasldb file.  This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).

If you are upgrading from Postfix 2.6 or earlier, review the RELEASE_NOTES to
familiarize yourself with new features and incompatabilities. 
      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/postfix

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
http://www.postfix.org/
===>  Cleaning for postfix-2.8.4,1
# ldd /usr/local/libexec/postfix/smtp
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x4002d000)
        ...
# postconf -A
cyrus
# postconf -a
dovecot

LDA Postfix

In the current FreeBSD version this information can be found under /usr/local/share/doc/dovecot/wiki

System users

You can use deliver with a few selected system users (ie. user is found from '/etc/passwd' / NSS) by calling deliver in the user's '~/.forward' file:

| "/usr/local/libexec/dovecot/deliver"

This should work with any MTA which supports per-user '.forward' files. (For qmail's per-user setup, see LDA.Qmail.txt.)

This method doesn't require the authentication socket explained below since it's executed as the user itself.


If you wish to use 'deliver' for all system users on a single domain mail host you can do it by editing the 'mailbox_command' parameter in "/etc/postfix/main.cf" (postconf(5) http://www.postfix.org/postconf.5.html):

mailbox_command = /usr/local/libexec/dovecot/deliver

Then run 'postfix reload' and that is it.

Virtual users

Dovecot LDA is very easy to use on large scale installations with Postfix virtual domains support, just add a 'dovecot' service in "/etc/postfix/master.cf" (master(5) http://www.postfix.org/master.5.html):

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

An example using address extensions (i.e. user+extension@domain.com) to deliver to the folder 'extension' in your maildir (if you wish to preserve the case of ${extension}, remove the 'hu' flags [http://www.postfix.org/pipe.8.html], and be sure to utilize <Modifiers> [Variables.txt] in your dovecot.conf for mail locations and other configuration parameters that are expecting lower case):

dovecot unix    -       n       n       -       -      pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}
# or with v1.1.2+ if you have a INBOX/ namespace prefix:
dovecot unix    -       n       n       -       -      pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m INBOX/${extension}

This example ignores address extensions (ie user+extension@domain.com delivers just like user@domain.com):

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${user}

Replace 'vmail' above with your virtual mail user account.
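To see what the flags=DRhu line and the ${user}, ${extension} and ${nexthop} attributes in the entries above actually produce, here is an added Python model of pipe(8)'s command-line expansion. It is not Postfix or Dovecot code, the addresses in the usage are constructed, and it assumes recipient_delimiter = + and a transport with dovecot_destination_recipient_limit = 1 (required for ${recipient} and the D flag to refer to a single recipient).

```python
"""Model of how pipe(8) fills in ${...} attributes and what D, R, h and u do.
Added example, not Postfix or Dovecot code; addresses are constructed and
recipient_delimiter is assumed to be '+'."""
import re


def split_recipient(recipient, delimiter="+"):
    """Return (user, extension, domain) for user+extension@domain."""
    if "@" in recipient:
        localpart, _, domain = recipient.rpartition("@")
    else:
        localpart, domain = recipient, ""
    user, _, extension = localpart.partition(delimiter)
    return user, extension, domain


def pipe_argv(template, sender, recipient, nexthop, flags="DRhu", delimiter="+"):
    """argv that pipe(8) would execute for one recipient.
    h: fold $nexthop/$domain and the domain part of $recipient to lower case
    u: fold $user, $extension and the local part of $recipient to lower case
    $sender is never folded."""
    user, extension, domain = split_recipient(recipient, delimiter)
    if "h" in flags:
        domain, nexthop = domain.lower(), nexthop.lower()
    if "u" in flags:
        user, extension = user.lower(), extension.lower()
    localpart = user + (delimiter + extension if extension else "")
    attrs = {
        "sender": sender,
        "recipient": f"{localpart}@{domain}" if domain else localpart,
        "user": user,
        "extension": extension,
        "domain": domain,
        "nexthop": nexthop,
    }
    return [re.sub(r"\$\{(\w+)\}", lambda m: attrs[m.group(1)], arg) for arg in template.split()]


def prepend_headers(message, sender, recipient, flags="DRhu"):
    """R prepends Return-Path:, D prepends Delivered-To: (Postfix writes
    Return-Path: first); both carry envelope addresses, not header addresses."""
    prefix = b""
    if "R" in flags:
        prefix += b"Return-Path: <" + sender.encode() + b">\n"
    if "D" in flags:
        prefix += b"Delivered-To: " + recipient.encode() + b"\n"
    return prefix + message


if __name__ == "__main__":
    tpl = "/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m INBOX/${extension}"
    for flags in ("DRhu", "DR"):
        print(flags, pipe_argv(tpl, "Alice@Example.ORG", "Fritz+Newsletter@Domain.DE", "Domain.DE", flags))
```

With flags=DRhu the folder argument becomes INBOX/newsletter and the mailbox fritz@domain.de; with only DR the extension keeps its case (INBOX/Newsletter), which is the situation the Dovecot wiki text warns about: every Dovecot setting that builds paths from the user name then has to apply its own lower-casing modifier.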

Then set 'virtual_transport' to 'dovecot' in '/etc/postfix/main.cf':

dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = your.domain.here
virtual_transport = dovecot

And remember to run

postfix reload

authentication socket

> vi /usr/local/etc/dovecot.conf
...
protocol lda {
...
  # UNIX socket path to master authentication server to find users.
  #auth_socket_path = /var/run/dovecot/auth-master
}
auth default {
...
  socket listen {
    master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      path = /var/run/dovecot/auth-master
      mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      #user =
      #group =
      group = mail
    }
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = mail
    }
  }
}

http://bsdinn.com/postfix/index.php

Example from Ubuntu 09.10

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = hostname, localhost.localdomain, localhost
myhostname = hostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.crt
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

Example from Ubuntu 12.04 LTS

"Internet with smarthost" is usually the right choice.

Enabling SMTP STARTTLS encryption

Generate the private key and a self-signed certificate:

#!/bin/bash
# Generate a private key and a self-signed certificate for Postfix.
set -e
umask 077                                       # the key file must never be world-readable

RECHNERNAME="$(hostname -f)"                    # CN must be the FQDN Postfix announces in HELO

EMAIL="email@adresse.de"
STAAT="DE"
LAND="Hessen"
STADT="Frankfurt"
ORGANISATION="Firma"
ABTEILUNG="Abteilung"
ZEITRAUM="12000"                                # validity in days
BITLANG="4096"                                  # RSA key length; 16384 only makes every handshake slow

# -sha256: certificates signed with SHA-1 are rejected by current TLS clients
openssl req -rand /dev/urandom -sha256 -new -x509 -newkey rsa:${BITLANG} -nodes \
    -keyout /etc/ssl/private/postfix.key -keyform PEM \
    -out /etc/ssl/certs/postfix.crt -outform PEM \
    -subj "/emailAddress=${EMAIL}/C=${STAAT}/ST=${LAND}/L=${STADT}/O=${ORGANISATION}/OU=${ABTEILUNG}/CN=${RECHNERNAME}" \
    -days ${ZEITRAUM}
chmod 644 /etc/ssl/certs/postfix.crt            # the certificate is public, the key stays 0600

# the two modulus hashes must be identical, otherwise key and certificate do not belong together
if [ -r "/etc/ssl/private/postfix.key" ] ; then
        echo "/etc/ssl/private/postfix.key $(openssl rsa -noout -modulus -in /etc/ssl/private/postfix.key | openssl md5)"
fi

if [ -r "/etc/ssl/certs/postfix.crt" ] ; then
        echo "/etc/ssl/certs/postfix.crt $(openssl x509 -noout -modulus -in /etc/ssl/certs/postfix.crt | openssl md5)"
        openssl x509 -noout -subject -issuer -dates -in /etc/ssl/certs/postfix.crt
fi

/etc/postfix/main.cf

The following variables must be adjusted here:

  1. home_mailbox
  2. mydestination
  3. mynetworks
  4. smtpd_tls_cert_file
  5. smtpd_tls_key_file

optionally also the two connection-cache parameters, which keep the SMTP connection to the relay host open for reuse (mail for an unreachable relay host is queued and retried regardless of these settings):

  1. smtp_connection_cache_on_demand
  2. smtp_connection_cache_destinations

Note that the protocol list below still allows TLSv1 and TLSv1.1, which was reasonable in 2012; on a current Postfix use smtpd_tls_mandatory_protocols = >=TLSv1.2 (Postfix 3.6 and newer) or "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" on older releases.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
#smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = postbote.domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = postbote.domain.de, localhost.domain.de, localhost
relayhost = smtp.domain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 192.168.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_connection_cache_on_demand = yes
smtp_connection_cache_destinations = $relayhost

Configuring Postfix for more than one domain

Postfix accepts mail from arbitrary (unauthenticated) clients only for recipient domains it is responsible for: its own ($mydestination, virtual domains) and the domains in relay_domains; anything else is rejected by reject_unauth_destination as an open-relay attempt. So incoming mail for user@domain.de is only accepted if the domain after the "@" appears in this line:

relay_domains = $mydestination domain.de domain.net domain.org

…or is listed in this file:

vi /etc/postfix/relay_domains
gmx.net                         RELAY
gmx.de                          RELAY
web.de                          RELAY

postmap /etc/postfix/relay_domains

vi /etc/postfix/main.cf
...
relay_domains = $mydestination, hash:/etc/postfix/relay_domains
...

here you tell it the forwarding targets (source@domain.de → target@my.mailbox); an entry for a specific address takes precedence over the @domain catch-all. Domains that exist only as aliases are better listed in virtual_alias_domains than in relay_domains, so that Postfix accepts their mail without treating it as relay traffic:

virtual_alias_maps = hash:/etc/postfix/virtual
#
# postmap /etc/postfix/virtual
#
@domain.de                      fritz@localhost
@domain.net                     fritz
@domain.org                     fritz
rechnungen@domain.de            fratz
news@domain.de                  fratz
freunde@domain.de               fratz

here you tell it the address replacements for mail leaving via the SMTP client; unlike "virtual" this rewrites the addresses inside the message too (envelope and headers):

smtp_generic_maps = hash:/etc/postfix/generic
#
# postmap /etc/postfix/generic
#
@internetshop.de                rechnungen@domain.de
@forum.net                      news@domain.de
@facebook.org                   freunde@domain.de

this rewrites sender and recipient addresses in envelope and headers of incoming mail; it is often used to correct address information:

canonical_maps = hash:/etc/postfix/canonical
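The parameters described in the basics section (mydestination, myorigin, relay_domains, virtual_alias_maps), the myorigin = /etc/mailname indirection from the sender address section and the multi-domain tables above interact in ways that are easy to get wrong. The following added Python model (not Postfix code, and not from the original page) replays a simplified version of the decision: it reads a constructed main.cf fragment, expands $variable references and the /etc/mailname file reference, applies the virtual table repeatedly as cleanup(8) does, and reports whether an envelope recipient is delivered locally, relayed or rejected. All file contents are constructed stand-ins modelled on the examples on this page, and the lookup order is simplified (virtual(5) also tries the bare user name as a key).

```python
"""Simplified model of how Postfix decides what to do with a recipient address.
Added example, not Postfix's own code: main.cf, /etc/mailname and the lookup
tables below are constructed stand-ins modelled on the settings on this page."""
import re

MAIN_CF = """
myhostname     = postbote.domain.de
myorigin       = /etc/mailname
mydestination  = $myhostname, localhost.domain.de, localhost
relay_domains  = $mydestination, domain.de, domain.net, domain.org, hash:/etc/postfix/relay_domains
virtual_alias_maps = hash:/etc/postfix/virtual
"""
FILES = {  # constructed file contents; "hash:" maps are resolved here by path
    "/etc/mailname": "postbote.domain.de\n",
    "/etc/postfix/relay_domains": "gmx.net  RELAY\ngmx.de   RELAY\nweb.de   RELAY\n",
    "/etc/postfix/virtual": (
        "@domain.de            fritz@localhost\n"
        "@domain.net           fritz\n"
        "rechnungen@domain.de  fratz\n"
    ),
}


def parse_kv(text, sep="="):
    """'key = value' lines (main.cf, sep='=') or 'key value' lines (lookup tables, sep=None)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(sep, 1)
            table[parts[0].strip().lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


CF = parse_kv(MAIN_CF)


def expand(value, cf=CF, depth=0):
    """Expand $name / ${name} references recursively, like postconf -x does."""
    if depth > 20:
        raise ValueError("parameter reference loop")
    return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(cf.get(m.group(1), ""), cf, depth + 1), value)


def param_list(name, cf=CF):
    """List parameters are separated by whitespace and/or commas; a hash: entry
    contributes the keys of that table."""
    items = []
    for item in re.split(r"[\s,]+", expand(cf.get(name, ""), cf)):
        if item.startswith("hash:"):
            items += parse_kv(FILES[item[5:]], None).keys()
        elif item:
            items.append(item.lower())
    return items


def myorigin(cf=CF):
    """Debian convention: a value starting with '/' means 'first line of that file'."""
    value = cf.get("myorigin", "$myhostname")
    if value.startswith("/"):
        return FILES[value].splitlines()[0].strip().lower()
    return expand(value, cf).lower()


def qualify(addr, cf=CF):
    """cleanup(8) appends @$myorigin to an address that has no domain part."""
    addr = addr.lower()
    return addr if "@" in addr else f"{addr}@{myorigin(cf)}"


def virtual_lookup(addr, table):
    """virtual(5) search order, simplified: user@domain first, then the @domain catch-all."""
    domain = addr.partition("@")[2]
    for key in (addr, "@" + domain):
        if key in table:
            return table[key]
    return None


def route(recipient, cf=CF):
    """Return (action, final address) for an envelope recipient."""
    virtual = parse_kv(FILES[cf["virtual_alias_maps"][5:]], None)
    addr = qualify(recipient, cf)
    # virtual aliasing runs before routing and is repeated on each result
    # (Postfix stops at virtual_alias_recursion_limit; this model stops at the first loop)
    seen = set()
    while addr not in seen and (target := virtual_lookup(addr, virtual)) is not None:
        seen.add(addr)
        addr = qualify(target, cf)
    domain = addr.partition("@")[2]
    if domain in param_list("mydestination", cf):
        return ("local", addr)          # final destination: delivered on this host
    if domain in param_list("relay_domains", cf):
        return ("relay", addr)          # accepted and forwarded via relay_transport
    return ("reject", addr)             # reject_unauth_destination: not our domain


if __name__ == "__main__":
    for rcpt in ("root", "rechnungen@domain.de", "anyone@domain.de", "bob@domain.org", "x@example.org"):
        print(f"{rcpt:22} -> {route(rcpt)}")
```

Watch what happens to the bare alias targets "fritz" and "fratz": they are qualified with $myorigin and looked up again. With /etc/mailname set to the host's FQDN they end up as local users, but if myorigin were domain.de the @domain.de catch-all would capture them too and every message would land with fritz. That is the practical reason for putting the FQDN, not the mail domain, into /etc/mailname on a box that uses catch-all aliases.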

/etc/postfix/master.cf

To open port 465 as well, uncomment the line starting with smtps and the option lines beneath it (smtpd_tls_wrappermode=yes means TLS from the first byte, without STARTTLS negotiation):

...
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
...

Testing SMTP STARTTLS encryption

> telnet mail.domain.de 25
Trying 192.186.1.142...
Connected to mail.domain.de.
Escape character is '^]'.
220 mail.domain.de ESMTP Postfix (Ubuntu)
EHLO mail.domain.de
250-mail.domain.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
> openssl s_client -starttls smtp -connect mail.domain.de:smtp
...
---
SSL handshake has read 2738 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 49862F23385CD9AC3D85F09AE17F25209B358E2A11DE580C3EF2761BE656D75B
    Session-ID-ctx: 
    Master-Key: A6E58F2E1E3D0D365AB1E2E9AE3E9B4B8F46095FA1583242FCD7FD115B11F4DD6FB720E986A8DEC9208CA335B432C0C3
    Key-Arg   : None
    Start Time: 1381866777
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
DONE
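The same check, scripted, as an added example (not from this page): it connects, parses the EHLO capabilities, upgrades the connection with STARTTLS and reports the findings a security engineer would raise about the session above (TLSv1 with DHE-RSA-AES256-SHA and a self-signed certificate). demo() replays the recorded session with an EHLO reply constructed from the capability list above; check() needs network access to a real server and is not exercised offline.

```python
"""Scripted STARTTLS check: EHLO capabilities, TLS upgrade, negotiated parameters.
Added example, not from the page; demo() uses a constructed EHLO reply."""
import smtplib
import ssl

PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_ehlo(reply):
    """Turn a raw multi-line '250-...' EHLO reply into {KEYWORD: parameters}."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines():
        if line.startswith("250-") or line.startswith("250 "):
            if not caps:
                caps["_host"] = line[4:].strip()          # first line names the server
            else:
                keyword, _, params = line[4:].strip().partition(" ")
                caps[keyword.upper()] = params
    return caps


def assess(caps, protocol=None, cipher=None, cert_verified=None):
    """Return {finding: explanation} for an observed (or recorded) session."""
    findings = {}
    if "STARTTLS" not in caps:
        findings["NO_STARTTLS"] = "server does not offer STARTTLS, mail would go in the clear"
    if "AUTH" in caps:
        findings["AUTH_WITHOUT_TLS"] = "AUTH offered on the plaintext connection; set smtpd_tls_auth_only = yes"
    if protocol is not None and PROTOCOL_RANK.get(protocol, 0) < PROTOCOL_RANK["TLSv1.2"]:
        findings["OLD_PROTOCOL"] = f"{protocol} negotiated; restrict smtpd_tls_mandatory_protocols to TLSv1.2 and newer"
    if cipher and (cipher.endswith("-SHA") or "RC4" in cipher or "DES" in cipher):
        findings["WEAK_CIPHER"] = f"{cipher}: CBC with SHA-1 MAC or legacy cipher; raise smtpd_tls_mandatory_ciphers"
    if cert_verified is False:
        findings["CERT_NOT_VERIFIED"] = ("certificate not trusted (e.g. self-signed): fine for opportunistic TLS, "
                                         "but peers using smtp_tls_security_level = verify/secure will refuse it")
    return findings


def check(host, port=25, timeout=10):
    """Live check; returns (caps, protocol, cipher, cert_verified)."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    verified = True
    while True:
        s = smtplib.SMTP(host, port, timeout=timeout)
        try:
            s.ehlo()
            caps = {k.upper(): v for k, v in s.esmtp_features.items()}
            if "STARTTLS" not in caps:
                return caps, None, None, None
            try:
                s.starttls(context=ctx)
            except ssl.SSLCertVerificationError:
                if not verified:
                    raise
                verified = False                  # retry once without verification, only to
                ctx.check_hostname = False        # learn which protocol and cipher are negotiated
                ctx.verify_mode = ssl.CERT_NONE
                continue
            return caps, s.sock.version(), s.sock.cipher()[0], verified
        finally:
            s.close()


def demo():
    """Replay of the session recorded above (constructed EHLO reply)."""
    reply = (b"250-mail.domain.de\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-VRFY\r\n"
             b"250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n")
    caps = parse_ehlo(reply)
    return caps, assess(caps, protocol="TLSv1", cipher="DHE-RSA-AES256-SHA", cert_verified=False)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        caps, protocol, cipher, verified = check(sys.argv[1])
        findings = assess(caps, protocol, cipher, verified)
    else:
        caps, findings = demo()
    for code, text in findings.items():
        print(f"{code}: {text}")
```

Against the recorded session the script reports OLD_PROTOCOL, WEAK_CIPHER and CERT_NOT_VERIFIED; the absence of an AUTH line in the plaintext EHLO reply is the visible effect of smtpd_tls_auth_only = yes from the main.cf above, and a server that lists AUTH there would be offering passwords to anyone on the path.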