Postfix
Postfix is a replacement for the well-known Sendmail. I preferred Postfix over Sendmail
because of the numerous security holes that were found in the Sendmail daemon.
Postfix is robust and easy to set up. It acts as an MTA (mail transfer agent) that can
receive your mail and drop it into a local mailbox.
First of all, what is Postfix?
I quote
http://www.redhat.com/support/docs/faqs/RH-postfix-FAQ/c14.html
It is Wietse Venema's attempt to provide an alternative to the widely-used sendmail program.
Sendmail is responsible for most of the e-mail delivered on the Internet.
With an estimated 100 million users, that's billions of messages daily. A stunning number.
Postfix attempts to be fast, easy to administer, and secure, while at the same time being
sendmail compatible enough to not upset existing users.
The homepage of Postfix
http://www.postfix.org/
Red Hat Postfix HowTo
http://www.redhat.com/support/resources/faqs/RH-postfix-FAQ/book1.html
Postfix stuff http://www.kagekaze.org/postfix/
Protect against SPAM on http://www.ordb.org/faq/#usage_postfix
or http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt.
As I'm using a Red Hat system to install Postfix, the easiest way to install it is by downloading
the latest RPM.
One word of advice: don't install the package yet, just download it. Installation techniques follow
in the next section.
Before you can install the Postfix packages, you need to remove the existing sendmail packages.
If you haven't installed them, you can skip to the part where we start installing Postfix.
To check whether Sendmail is installed, use this :
rpm -qa | grep "sendmail"
Before erasing all of Sendmail, it would be wise to back up the existing files you may
need for Postfix, such as your aliases file (/etc/aliases by default).
Just copy these to a safe location.
First thing to do would be to stop the existing Sendmail daemon.
/etc/init.d/sendmail stop
Note that even after you remove the sendmail packages, the daemon keeps running because
it is already loaded in memory, which is why you stop it first.
You can't just remove the Sendmail packages one by one: when you try, you will get
a dependency error. The trick is to remove them all in one step with :
rpm -e sendmail sendmail-doc sendmail-cf --nodeps
Now the installation of Postfix is quite straightforward :
rpm -Uvh postfix.rpm
Postfix installs its config files in /etc/postfix/
In fact, there are only two files you really need to consider when configuring Postfix.
The first is install.cf.
This file contains the data that Postfix needs to start up with. Take a look at the contents of
my file.
# This file was generated by INSTALL.sh
config_directory=/etc/postfix
daemon_directory=/usr/libexec/postfix
command_directory=/usr/sbin
queue_directory=/var/spool/postfix
sendmail_path=/usr/sbin/sendmail
newaliases_path=/usr/bin/newaliases
mailq_path=/usr/bin/mailq
mail_owner=postfix
setgid=no
manpages=/usr/man
The other file is main.cf. With this config file you adjust how Postfix actually behaves.
I'll cover the settings that need adjustment for your own personal domain.
First, you need to specify where Postfix stores its queues.
Normally, this will be the same directory where the previous Sendmail stored its queues.
queue_directory = /var/spool/postfix
Next, specify the command-directory and daemon-directory.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
Now, you have to specify the user that will own most Postfix processes.
This has to be an existing user. I think it is wise to dedicate one user to this purpose
and make sure that this user doesn't own any other files or directories.
mail_owner = mail
You have to specify an internet hostname and domain name. This value is used as a parameter for
many other configuration parameters. Under normal circumstances the domain name is the
hostname minus the host part.
myhostname = mail.mydomain.com
mydomain = mydomain.com
In order to send mail correctly, you need to specify an origin.
myorigin = $myhostname
And of course, when you send mail you also want to receive mail, don't you?
Specify the network interfaces on which Postfix should listen and the domains
for which Postfix should accept mail.
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
In order to do some address rewriting, add the following in the section covering
"address rewriting" :
masquerade_domains = mydomain.com
With aliases you can bind several mail-addresses to an account. This is handled by :
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
The mail_spool_directory parameter specifies the directory where UNIX-style mailboxes are kept.
mail_spool_directory = /var/mail
The mailbox_command parameter specifies the optional external command to use instead of
mailbox delivery.
mailbox_command = /usr/bin/procmail
You need to specify a list of networks that are local to this machine (for relay-considerations).
mynetworks = 192.168.0.0/24, 127.0.0.0/8
When you want to specify a specific banner when someone logs into the mail-server you can do
this with :
smtpd_banner = $myhostname ESMTP Welcome to my mailserver
To limit the message size, the mailbox size and the number of recipients accepted per message,
you can use these settings :
message_size_limit = 5240000
mailbox_size_limit = 12240000
smtpd_recipient_limit = 150
That's about all for a standard configuration. It is always possible to review all the settings
of Postfix with a single command-line tool
postconf
This will result in a long list that contains all the settings.
I would like to add some special notes.
When you're sending mail from a machine on your LAN, the local IP address will be visible in the message header.
To avoid this, add this rule to the main.cf file.
header_checks = regexp:/etc/postfix/header_filter.regexp
This rule strips the matching Received: lines from the header and depends on the file /etc/postfix/header_filter.regexp.
This file contains the following :
content of /etc/postfix/header_filter.regexp
/^Received:.*192\.168\.0.*/ IGNORE
/^Received:.*127\.0\.0\.1.*/ IGNORE
Make sure that after each line, there are no trailing spaces.
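To see what the two rules above do before putting them in production, here is an added example (not from the original page) that models the behaviour of a Postfix regexp table in Python: it lints the file for the trailing whitespace the text warns about and dry-runs the rules against constructed Received: headers. It assumes the Postfix default of case-insensitive matching for regexp tables; the sample headers and the table copy are constructed here.

```python
import re

# Constructed copy of the page's /etc/postfix/header_filter.regexp
HEADER_FILTER = """\
/^Received:.*192\\.168\\.0.*/ IGNORE
/^Received:.*127\\.0\\.0\\.1.*/ IGNORE
"""

# Constructed message headers: one internal LAN hop, one external hop, one non-Received line
SAMPLE_HEADERS = [
    "Received: from pc17.lan (192.168.0.17) by mail.mydomain.com",
    "Received: from mx.example.net (203.0.113.9) by mail.mydomain.com",
    "From: johndoe@mydomain.com",
]

# A regexp table line looks like:  /pattern/flags  ACTION
RULE_RE = re.compile(r"^/(.*)/(\w*)\s+(\S+)$")


def table_problems(text):
    """Lint the table: report trailing whitespace (the page's warning) and
    lines that are not of the form '/pattern/ ACTION'."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            problems.append(f"line {lineno}: trailing whitespace")
        line = raw.strip()
        if line and not line.startswith("#") and not RULE_RE.match(line):
            problems.append(f"line {lineno}: not '/pattern/ ACTION'")
    return problems


def parse_table(text):
    """Compile the table into (regex, ACTION) pairs, in file order."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank, comment or malformed line (see table_problems)
        pattern, flags, action = m.groups()
        # Postfix regexp tables match case-insensitively unless the 'i' flag toggles it off
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper()))
    return rules


def apply_header_checks(headers, rules):
    """Return the headers that survive: first matching rule wins, IGNORE drops the line."""
    kept = []
    for header in headers:
        action = next((a for rx, a in rules if rx.search(header)), None)
        if action != "IGNORE":
            kept.append(header)
    return kept
```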
Also, if your provider insists that you use its SMTP server (you are prevented from contacting
any other mail server), you should use the relay setting. This is done with :
relayhost = smtp.myisp.com
One of the first things you should do is set an alias for root's mail. Once you have
installed Postfix, it will be impossible to receive mail as root, so you need to set up an
alias for this account.
These settings are handled by the file /etc/postfix/aliases. When you edit
this there will be a line saying :
root: johndoe
With this setting, all mail for root will be delivered to the local mailbox of johndoe.
You can specify as many aliases as you want with the syntax
<original-name>: <new-name>
After you have specified the new aliases, save your file. To activate the changes,
issue the command :
newaliases
With the RPM installation of Postfix, it's extremely easy to start and stop the service.
/etc/init.d/postfix start | stop
When you have changed some settings you don't need to restart everything, you only need
to reload the settings with
postfix reload
That's all there is to say about my configuration. Don't forget that there are lots of other
options you can change when using Postfix. Please read carefully through the documentation.
Have fun!
There are still some security-related issues I'd like to mention here. Some of them
are already noted above (like the default message size and mailbox size).
By default the installation of Postfix is already security-minded. An out-of-the-box install
could be enough for most users, but still, some tweaking cannot hurt. All of the
following settings are in the main.cf file (except where otherwise stated).
mailbanner
Replace your mailbanner (the text one sees when telnetting to your port 25) with something
meaningless.
smtpd_banner = $myhostname ESMTP Mailshredder has some goodies for you
The $myhostname is RFC-required.
resource restrictions
When your mailhost isn't a super-beast in terms of performance, it would be wise to restrict
the number of Postfix processes. This can be done with
default_process_limit = 50
You can also control the number of processes on a service-by-service basis in master.cf.
concurrent connections
There's a way in which you can restrict the number of parallel deliveries made by your server.
number of messages to the same local recipient delivered at the same time
local_destination_concurrency_limit = 2
default number of parallel deliveries to the same destination (any other transport)
default_destination_concurrency_limit = 10
When you want to use Postfix as a backup mailserver change these settings in main.cf
relay_domains = $mydestination the.backed-up.domain.tld
smtpd_recipient_restrictions = permit_mynetworks check_relay_domains
Create a map-file with the hosts to reject :
badguy.fbi.com REJECT
goodguy.fbi.com OK
10.0.0.20 OK
bill@mydomain.com REJECT
When you have saved this file you need to create a postmap-file from this plain-text file with :
postmap mymapfile
Now open up main.cf in your favorite editor and add this line
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/mymapfile
or
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/mymapfile
I'm not sure if it's _client_ or _sender_; I had some trouble getting it to work with _client_
(in fact, it never did); _sender_ gave no problem at all. If some Postfix guru can point this out for me, I'd be very happy.
For the changes to take effect, you will need to restart the Postfix-daemon.
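The two restrictions look up different keys: check_sender_access looks up the envelope sender (MAIL FROM) address and its domain, while check_client_access looks up the connecting host's name and IP address. The following added example (not from the original page and not Postfix code) models the lookup order documented in access(5) in Python and runs the page's own map through it; it assumes the default parent_domain_matches_subdomains setting, and all inputs are constructed.

```python
# Constructed copy of the page's map file (the plain-text input to postmap)
ACCESS_MAP = """\
badguy.fbi.com REJECT
goodguy.fbi.com OK
10.0.0.20 OK
bill@mydomain.com REJECT
"""


def load_access_map(text):
    """Index 'key action' lines the way postmap would: keys are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.split()[0].upper()
    return table


def sender_lookup_keys(address):
    """Key order for check_sender_access (access(5) EMAIL ADDRESS PATTERNS):
    user@domain, then the domain and each parent domain, then user@."""
    user, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    keys = [address.lower()]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(user + "@")
    return keys


def client_lookup_keys(hostname, ip):
    """Key order for check_client_access (access(5) HOST NAME/ADDRESS PATTERNS):
    host name and its parent domains, then the IPv4 address and shorter prefixes."""
    labels = hostname.lower().split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def lookup(table, keys):
    """First key found wins; no match means DUNNO (the next restriction decides)."""
    return next((table[k] for k in keys if k in table), "DUNNO")
```

So with the page's map, a sender in badguy.fbi.com is rejected via the domain key, while the 10.0.0.20 entry can only ever match a client lookup, never a sender lookup.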
A good guide on stopping spam and other things can be found at
SecurityFocus
If you want to forward e-mail addressed to a non-existent account, there is a solution with the luser_relay parameter.
luser_relay = postmaster@mydomain.com
This will redirect all mail for unknown local users to postmaster@mydomain.com.
If you receive an error during compilation like
missing ldb
this could indicate that you are either missing Berkeley DB support or that it resides in a non-default location
on your system. Perhaps you have installed Berkeley DB from source and not through any package system. In that case, to compile Postfix,
you have to use these commands :
make tidy
make makefiles CCARGS="-DHAS_DB -I/usr/local/BerkeleyDB.4.1/include" \
AUXLIBS="-L/usr/local/BerkeleyDB.4.1/lib -ldb"
make