Postfix
Initial installation
see also: Sending mail via your provider
- VM installation
- Follow-up work (in the new environment):
locale-gen
time (aptitude clean ; dpkg --configure -a ; aptitude update && aptitude -y safe-upgrade && aptitude clean) && echo OK
aptitude install language-pack-en language-pack-de
aptitude remove nullmailer
aptitude install mc postfix
- → Internet with smarthost → SMTP relay host: "tcpandora.tcoqrm.victorvox.net"
echo "root: mxuser@dialing.de" >> /etc/aliases
newaliases
Reconfiguration:
> dpkg-reconfigure postfix
Postfix basics
Postfix will not relay messages for which it considers itself the final destination; it always tries to deliver them locally (the list of hostnames and domains is separated by spaces):
mydestination
If local mail is sent with only a user name (e.g. "root" or "CRON"), Postfix appends "@$myhostname" to the name; with "myorigin" you can decide yourself what the user name is expanded with to form a complete e-mail address (e.g. "root@$myorigin"):
myorigin
List of domains to which mail may be relayed:
relay_domains
Here you specify where the corresponding domains, subdomains or e-mail addresses are forwarded to:
relay_transport
Here you specify where the corresponding e-mails are forwarded to:
virtual_alias_maps
This is where the domain rewrites are specified; it has the same effect as "virtual", except that here the destination address inside the mail is replaced as well:
smtp_generic_maps
This rewrites sender and recipient addresses and is often used to correct address information:
canonical_maps
Useful to know
View the mail queue:
> mailq
Flush the entire mail queue:
> postsuper -d ALL
vi /etc/postfix/main.cf
...
### Specifies whether or not mail that would normally be bounced
### should be queued for redelivery attempts. Also converts any
### permanent rejection codes to temporary error codes. This parameter
### is useful for testing out configuration changes
### to make sure that no mail is permanently rejected.
soft_bounce = yes
...
### put all undeliverable mail into Fritz's local mailbox
luser_relay = fritz
...
If no transport table has been set up (transport_maps = hash:/etc/postfix/transport), the default transport destination is used: smtp:$myhostname
When a connection is established, Postfix identifies itself in the HELO with $myhostname, so this must match the CN in the SSL certificate exactly!!!
Sender address
The sender address is composed of the user name and the mail name (user@maildomain.de).
The mail name (maildomain.de) can be changed in two ways on Ubuntu:
# sudo dpkg-reconfigure postfix
or like this:
# echo "maildomain.de" > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf
If you use an SSL certificate, the FQDN must go here (identical to the "CN" in the SSL certificate):
# hostname -f > /etc/mailname
# sed -i -e 's/^[^#.]*myorigin/#&/g' /etc/postfix/main.cf
# echo "myorigin = /etc/mailname" >> /etc/postfix/main.cf
Then don't forget to restart the service:
# /etc/init.d/postfix restart
Exit codes
When Postfix wants to hand a mail to an external script via a pipe but something goes wrong, bounce messages are generated that may contain the following exit codes:
| Status | $? | Description |
|---|---|---|
| EX_OK | 0 | successful termination |
| EX_USAGE | 64 | command line usage error |
| EX_DATAERR | 65 | data format error |
| EX_NOINPUT | 66 | cannot open input |
| EX_NOUSER | 67 | addressee unknown |
| EX_NOHOST | 68 | host name unknown |
| EX_UNAVAILABLE | 69 | service unavailable |
| EX_SOFTWARE | 70 | internal software error |
| EX_OSERR | 71 | system error (e.g., can't fork) |
| EX_OSFILE | 72 | critical OS file missing |
| EX_CANTCREAT | 73 | can't create (user) output file |
| EX_IOERR | 74 | input/output error |
| EX_TEMPFAIL | 75 | temp failure; user is invited to retry |
| EX_PROTOCOL | 76 | remote error in protocol |
| EX_NOPERM | 77 | permission denied |
| EX_CONFIG | 78 | configuration error |
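A worked example of such a pipe script, added here and not taken from the original page or from Postfix itself: it reads the message on stdin and the recipient from its first argument, and reports the outcome with the sysexits codes from the table, so that Postfix bounces on permanent errors (65, 67) and queues the mail for another attempt on a transient one (75). The mailhook transport in the comment, the KNOWN_USERS list and the spool directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: a pipe(8) delivery script that
# reports its outcome with sysexits codes, so Postfix bounces on permanent
# errors and retries on transient ones.
# Hypothetical master.cf transport that would call it (assumption, not from the page):
#   mailhook unix - n n - - pipe
#     flags=DRhu user=vmail:vmail argv=/usr/local/bin/mailhook.sh ${recipient}
EX_OK=0
EX_DATAERR=65
EX_NOUSER=67
EX_TEMPFAIL=75

# Constructed settings: the users we deliver for, and where copies are spooled.
KNOWN_USERS="${KNOWN_USERS:-fritz fratz}"
SPOOL_DIR="${SPOOL_DIR:-/var/spool/mailhook}"

# Deliver the message stored in file $1 for recipient $2; return a sysexits code.
deliver_message() {
    msgfile=$1
    localpart=${2%%@*}
    case " $KNOWN_USERS " in
        *" $localpart "*) ;;
        *) return $EX_NOUSER ;;          # permanent: Postfix bounces with "user unknown"
    esac
    # A message without a From: header is treated as malformed (permanent error).
    grep -qi '^From:' "$msgfile" || return $EX_DATAERR
    # A missing or unwritable spool is transient: 75 makes Postfix retry later
    # instead of bouncing the mail back to the sender.
    [ -d "$SPOOL_DIR" ] && [ -w "$SPOOL_DIR" ] || return $EX_TEMPFAIL
    cp "$msgfile" "$SPOOL_DIR/$localpart.$$.$(date +%s)" || return $EX_TEMPFAIL
    return $EX_OK
}

# When Postfix runs the script: message on stdin, recipient as the only argument.
if [ $# -eq 1 ]; then
    tmp=$(mktemp) || exit $EX_TEMPFAIL
    cat > "$tmp"
    deliver_message "$tmp" "$1"; rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

Postfix defers a message when the pipe command exits with 75 (EX_TEMPFAIL) and bounces it for the other non-zero codes, so the distinction between "this user does not exist" and "the disk is full right now" is made by the script, not by Postfix.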
Installation
Without virtual mailboxes
The easiest way to install the mail server is from binary packages:
# pkg install postfix-tls-2.11.1_2,1 dovecot-1.2.17_4
For managing mail for system users, that is sufficient.
Reading mail over an encrypted connection is possible (e.g. IMAP → port 143 with STARTTLS or port 993 with SSL), but e-mail can only be sent unencrypted (port 25):
postfix/smtp[38595]: warning: TLS has been selected, but TLS support is not compiled in
With virtual mailboxes
For managing virtual mailboxes we need SASL support; unfortunately the binary packages were compiled without SASL support, so we have to install the programs by hand:
# pkg search portupgrade
portupgrade-2.4.12_2,2
# pkg install portupgrade-2.4.12_2,2
# portupgrade -NRO mail/postfix
Since I need Sieve support in Dovecot and at the moment only Dovecot version 1 supports Sieve, "DOVECOT" has to be selected here. And of course I need SSL support as well:
[*] PCRE     Perl Compatible Regular Expressions
[*] SASL2    Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[*] DOVECOT  Dovecot 1.x SASL authentication method
...
[*] TLS      Enable SSL and TLS support
...
SASL2 is only needed if you want to use virtual mail users.
Warning: you still need to edit myorigin/mydestination/mynetworks
parameter settings in /usr/local/etc/postfix/main.cf.
See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html
for information about dialup sites or about sites inside a
firewalled network.
BTW: Check your /etc/aliases file and be sure to set up aliases
that send mail for root and postmaster to a real person, then
run /usr/local/bin/newaliases.
install -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/rmail/rmail /usr/local/bin/rmail
install -o root -g wheel -m 555 /usr/ports/mail/postfix/work/postfix-2.8.4/auxiliary/qshape/qshape.pl /usr/local/bin/qshape
install -o root -g wheel -m 444 /usr/ports/mail/postfix/work/postfix-2.8.4/man/man1/qshape.1 /usr/local/man/man1
===> Installing rc.d startup script(s)
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y
To enable postfix startup script please add postfix_enable="YES" in your rc.conf

If you not need sendmail anymore, please add in your rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

And you can disable some sendmail specific daily maintenance routines in your
/etc/periodic.conf file:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

If /etc/periodic.conf does not exist please create it and add those values.

If you are using SASL, you need to make sure that postfix has access to read
the sasldb file. This is accomplished by adding postfix to group mail and
making the /usr/local/etc/sasldb* file(s) readable by group mail (this should
be the default for new installs).

If you are upgrading from Postfix 2.6 or earlier, review the RELEASE_NOTES to
familiarize yourself with new features and incompatabilities.
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/postfix
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.postfix.org/
===> Cleaning for postfix-2.8.4,1
# ldd /usr/local/libexec/postfix/smtp
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x4002d000)
...
# postconf -A cyrus
# postconf -a dovecot
LDA Postfix
In the current FreeBSD version this information can be found under /usr/local/share/doc/dovecot/wiki
System users
You can use deliver with a few selected system users (ie. user is found from '/etc/passwd' / NSS) by calling deliver in the user's '~/.forward' file:
| "/usr/local/libexec/dovecot/deliver"
This should work with any MTA which supports per-user '.forward' files. (For qmail's per-user setup, see LDA.Qmail.txt.)
This method doesn't require the authentication socket explained below since it's executed as the user itself.
If you wish to use 'deliver' for all system users on a single domain mail host you can do it by editing the 'mailbox_command' parameter in
"/etc/postfix/main.cf" (postconf(5) http://www.postfix.org/postconf.5.html):
mailbox_command = /usr/local/libexec/dovecot/deliver
Then run 'postfix reload' and that is it.
Virtual users
Dovecot LDA is very easy to use on large scale installations with Postfix virtual domains support, just add a 'dovecot' service in "/etc/postfix/master.cf" (master(5) http://www.postfix.org/master.5.html):
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
An example using address extensions (i.e. user+extension@domain.com) to deliver to the folder 'extension' in your maildir (if you wish to preserve the case of ${extension}, remove the 'hu' flags [http://www.postfix.org/pipe.8.html], and be sure to use <Modifiers> [Variables.txt] in your dovecot.conf for mail locations and other configuration parameters that expect lower case):
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}
# or with v1.1.2+ if you have a INBOX/ namespace prefix:
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m INBOX/${extension}
This example ignores address extensions (ie user+extension@domain.com delivers just like user@domain.com):
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${user}
Replace 'vmail' above with your virtual mail user account.
Then set 'virtual_transport' to 'dovecot' in '/etc/postfix/main.cf':
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = your.domain.here
virtual_transport = dovecot
And remember to run
postfix reload
authentication socket
> vi /usr/local/etc/dovecot.conf
...
protocol lda {
...
# UNIX socket path to master authentication server to find users.
#auth_socket_path = /var/run/dovecot/auth-master
}
auth default {
...
socket listen {
master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
path = /var/run/dovecot/auth-master
mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
group = mail
}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/run/dovecot/auth-client
mode = 0660
user = postfix
group = mail
}
}
}
Further links
Example from Ubuntu 09.10
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = hostname, localhost.localdomain, localhost
myhostname = hostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.crt
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
Example from Ubuntu 12.04 LTS
In most cases, "Internet with smarthost" is the right setting.
Enabling SMTP STARTTLS encryption
Generate the SSL key:
#!/bin/bash
RECHNERNAME="$(hostname -f)"
EMAIL="email@adresse.de"
STAAT="DE"
LAND="Hessen"
STADT="Frankfurt"
ORGANISATION="Firma"
ABTEILUNG="Abteilung"
ZEITRAUM="12000" # validity period in days
BITLANG="16384" # key length in bits
openssl req -rand /dev/urandom -sha1 -new -x509 -newkey rsa:${BITLANG} -nodes -keyout /etc/ssl/private/postfix.key -keyform PEM -out /etc/ssl/certs/postfix.crt -outform PEM -subj "/emailAddress=${EMAIL}/C=${STAAT}/ST=${LAND}/L=${STADT}/O=${ORGANISATION}/OU=${ABTEILUNG}/CN=${RECHNERNAME}" -days ${ZEITRAUM}
if [ -r "/etc/ssl/private/postfix.key" ] ; then
echo "/etc/ssl/private/postfix.key $(openssl rsa -noout -modulus -in /etc/ssl/private/postfix.key | openssl md5)"
fi
if [ -r "/etc/ssl/certs/postfix.crt" ] ; then
echo "/etc/ssl/certs/postfix.crt $(openssl x509 -noout -modulus -in /etc/ssl/certs/postfix.crt | openssl md5)"
openssl x509 -noout -subject -issuer -dates -in /etc/ssl/certs/postfix.crt
fi
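The script above prints the subject of the new certificate; the page also requires that its CN equals the name Postfix announces in the HELO. The following check is an added example, not part of the original page: it extracts the CN from the output of openssl x509 -subject and compares it with the host name (normally hostname -f, or postconf -h myhostname). The function names are my own; the key/certificate comparison reuses the modulus hashes the script already prints.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that the certificate's
# CN is the name Postfix announces in HELO, and that key and certificate belong
# together. Usage examples (paths as generated by the script above):
#   openssl x509 -noout -subject -in /etc/ssl/certs/postfix.crt | cn_matches_host "$(hostname -f)"
#   key_matches_cert /etc/ssl/private/postfix.key /etc/ssl/certs/postfix.crt

# Print the CN from an "openssl x509 -subject" line on stdin. Handles both the
# old "subject= /C=DE/.../CN=host" and the newer "subject=C = DE, ..., CN = host" form.
subject_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Compare the CN read from stdin with the host name in $1. DNS names are
# case-insensitive, so both sides are lower-cased. Returns 0 on match, 1 otherwise.
cn_matches_host() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(subject_cn | tr 'A-Z' 'a-z')
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: certificate CN '$got' matches '$1'"
        return 0
    fi
    echo "MISMATCH: certificate CN '$got', but Postfix will announce '$1'" >&2
    return 1
}

# Same modulus hash on both sides (as the script above prints) means the
# private key $1 really belongs to certificate $2. Needs openssl installed.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run both checks when called as: ./check.sh /path/to/postfix.crt /path/to/postfix.key
if [ $# -eq 2 ]; then
    openssl x509 -noout -subject -in "$1" | cn_matches_host "$(hostname -f)" || exit 1
    key_matches_cert "$2" "$1" && echo "OK: key and certificate match" || { echo "MISMATCH: key and certificate differ" >&2; exit 1; }
fi
```

A mismatch here is the cause of the "TLS hostname verification" failures seen on the client side later, since the client compares the HELO name (and the name it connected to) with the certificate's CN.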
/etc/postfix/main.cf
The following variables need to be adjusted here:
- home_mailbox
- mydestination
- mynetworks
- smtpd_tls_cert_file
- smtpd_tls_key_file
as well as the two variables for buffering undeliverable mail while the relay host is temporarily unreachable:
- smtp_connection_cache_on_demand
- smtp_connection_cache_destinations
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
#smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
#smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = postbote.domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = postbote.domain.de, localhost.domain.de, localhost
relayhost = smtp.domain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8 192.168.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = TLSv1.1, TLSv1.2, TLSv1, !SSLv3, !SSLv2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_connection_cache_on_demand = yes
smtp_connection_cache_destinations = $relayhost
Configuring Postfix for more than one domain
Postfix only accepts mail that matches this pattern, i.e. belongs to one of these domains. That means that if you want to send an e-mail, the domain after the "@" has to appear on this line:
relay_domains = $mydestination domain.de domain.net domain.org
…or be listed in this file:
vi /etc/postfix/relay_domains
gmx.net RELAY
gmx.de  RELAY
web.de  RELAY
postmap /etc/postfix/relay_domains
vi /etc/postfix/main.cf
...
relay_domains = $mydestination, hash:/home/etc/postfix/relay_domains
...
This is where the forwarding targets (source@domain.de → target@my.mailbox) are specified:
virtual_alias_maps = hash:/etc/postfix/virtual
#
# postmap /etc/postfix/virtual
#
@domain.de            fritz@localhost
@domain.net           fritz
@domain.org           fritz
rechnungen@domain.de  fratz
news@domain.de        fratz
freunde@domain.de     fratz
This is where the domain rewrites are specified; it has the same effect as "virtual", except that here the destination address inside the mail is replaced as well:
smtp_generic_maps = hash:/etc/postfix/generic
#
# postmap /etc/postfix/generic
#
@internetshop.de  rechnungen@domain.de
@forum.net        news@domain.de
@facebook.org     freunde@domain.de
This rewrites sender and recipient addresses and is often used to correct address information:
canonical_maps = hash:/etc/postfix/canonical
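To see what the relay_domains table and the virtual map above actually decide for a given address, here is a small emulation of the two lookups, added as an example that is not part of the original page or of Postfix. It reads map files in the text format that postmap takes, and is deliberately simplified: virtual(5) is modelled as "exact user@domain entry first, then the @domain catch-all", and relay acceptance as "domain is in $mydestination or has an entry in the relay map"; the real Postfix lookup order has further steps (parent domains, bare user lookups), so this only illustrates the configuration. The function names and sample map files are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: emulate the relay_domains and
# virtual_alias_maps lookups against plain-text map files (postmap input format).
# Simplified on purpose; see the lead-in.

# Print the value for key $2 in map file $1 (comments and blank lines ignored).
map_lookup() {
    awk -v k="$2" '!/^[ \t]*#/ && NF >= 2 && $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Would Postfix accept mail for address $1?
#   $2 = the $mydestination list (space separated), $3 = relay_domains map file.
# Returns 0 if the domain is local or listed for relaying, 1 otherwise.
domain_accepted() {
    domain=${1##*@}
    case " $2 " in *" $domain "*) return 0 ;; esac
    [ -n "$(map_lookup "$3" "$domain")" ]
}

# Rewrite address $1 through the virtual alias map $2: an exact entry for the
# full address wins over the "@domain" catch-all; unknown addresses pass through.
virtual_resolve() {
    target=$(map_lookup "$2" "$1")
    [ -n "$target" ] || target=$(map_lookup "$2" "@${1##*@}")
    echo "${target:-$1}"
}

# Demo with constructed map files:
#   ./maps.sh  -> prints which sample addresses are accepted and where they end up
if [ $# -eq 0 ] && [ -z "$MAPS_DEMO_DONE" ]; then
    MAPS_DEMO_DONE=1
    d=$(mktemp -d)
    printf '%s\n' '# relay domains' 'gmx.net RELAY' 'gmx.de  RELAY' 'web.de  RELAY' > "$d/relay_domains"
    printf '%s\n' '@domain.de fritz@localhost' '@domain.net fritz' 'rechnungen@domain.de fratz' > "$d/virtual"
    for a in user@gmx.de user@example.org rechnungen@domain.de info@domain.de; do
        if domain_accepted "$a" "postbote.domain.de localhost domain.de" "$d/relay_domains"; then
            echo "$a: accepted, delivered to $(virtual_resolve "$a" "$d/virtual")"
        else
            echo "$a: rejected (relay access denied)"
        fi
    done
    rm -rf "$d"
fi
```

The point of the exact-before-catch-all order is visible in the sample map: rechnungen@domain.de goes to fratz although @domain.de sends everything else to fritz@localhost.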
/etc/postfix/master.cf
To open port 465 as well, the line beginning with smtps and the associated lines below it have to be enabled here.
...
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
...
Testing SMTP STARTTLS encryption
> telnet mail.domain.de 25
Trying 192.186.1.142...
Connected to mail.domain.de.
Escape character is '^]'.
220 mail.domain.de ESMTP Postfix (Ubuntu)
EHLO mail.domain.de
250-mail.domain.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
> openssl s_client -starttls smtp -connect mail.domain.de:smtp
...
---
SSL handshake has read 2738 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 49862F23385CD9AC3D85F09AE17F25209B358E2A11DE580C3EF2761BE656D75B
Session-ID-ctx:
Master-Key: A6E58F2E1E3D0D365AB1E2E9AE3E9B4B8F46095FA1583242FCD7FD115B11F4DD6FB720E986A8DEC9208CA335B432C0C3
Key-Arg : None
Start Time: 1381866777
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
DONE
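The s_client output above carries the three facts worth checking after enabling STARTTLS: the negotiated protocol, whether the certificate verified, and whether TLS compression is on. The following checker is an added example, not part of the original page or of OpenSSL: it reads that output on stdin, prints a summary plus one WARN line per weak finding, and returns 0 only when the certificate verified, the protocol is TLSv1.2 or newer and compression is off. Run against the session shown on the page it flags both the self-signed certificate (verify code 18) and the TLSv1 protocol.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise the security-relevant
# lines of "openssl s_client -starttls smtp" output read from stdin.
# Usage:  openssl s_client -starttls smtp -connect mail.domain.de:smtp </dev/null 2>/dev/null | tls_report
tls_report() {
    protocol="" cipher="" compression="" verify="" warnings=0
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}          # strip leading spaces
        case "$line" in
            Protocol*:*)            protocol=${line##*: } ;;
            Cipher*:*)              cipher=${line##*: } ;;
            Compression:*)          compression=${line##*: } ;;
            "Verify return code:"*) verify=${line#Verify return code: } ;;
        esac
    done
    echo "protocol=$protocol cipher=$cipher compression=$compression verify=$verify"
    # SSLv2/SSLv3/TLSv1/TLSv1.1 are deprecated; an empty value means no TLS session was seen.
    case "$protocol" in
        SSLv2|SSLv3|TLSv1|TLSv1.1|"")
            echo "WARN: protocol '$protocol' is deprecated or missing; require TLSv1.2 or newer"
            warnings=$((warnings + 1)) ;;
    esac
    # Anything but verify code 0 means the client could not validate the certificate
    # chain (18 = self signed certificate, as in the session above).
    case "${verify%% *}" in
        0) ;;
        *)  echo "WARN: certificate did not verify: $verify"
            warnings=$((warnings + 1)) ;;
    esac
    if [ "$compression" != "NONE" ]; then
        echo "WARN: TLS compression is enabled ($compression)"
        warnings=$((warnings + 1))
    fi
    [ "$warnings" -eq 0 ]
}

# Run directly as: ./tlscheck.sh mail.domain.de:smtp
if [ $# -eq 1 ]; then
    openssl s_client -starttls smtp -connect "$1" </dev/null 2>/dev/null | tls_report
fi
```

Verify code 18 is expected with the self-signed certificate generated earlier on this page; it only becomes a real finding once a CA-signed certificate is in use, because then clients that verify will refuse to send.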
