User Tools

Site Tools


Mail transfer agent

Wietse Venema's Postfix hasn't caused us a single bug or security issue in several years of usage, pretty impressive right!?

In order to fight spam the deployment of greylisting software (we chose postgrey) appeared very adequate. Tnx. to Arjen Baart for mentioning this!


Configure your SMTP-server as a LDAP-client. The required configuration is described here.


apt-get install postfix postfix-ldap postfix-doc sasl2-bin libsasl2-modules


Your current configuration can be viewed by issuing

postconf -n

Postfix configuration files:


smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# ## optional:
#smtpd_tls_CAfile = /etc/ssl/private/CA_public-key.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =,, localhost
relayhost = 
mynetworks =
mailbox_size_limit = 0
mail_name = Postfix
recipient_delimiter = +
inet_interfaces = all
mailbox_transport = lmtp:
content_filter = amavis:[]:10024
disable_vrfy_command = yes
local_recipient_maps =
smtpd_recipient_restrictions =
   check_helo_access hash:/etc/postfix/whitelist,
#   reject_rbl_client
#   reject_rbl_client
virtual_alias_maps = proxy:ldap:PostfixUser
PostfixUser_server_host =
PostfixUser_server_port = 389
PostfixUser_search_base = dc=intra,dc=example,dc=com
PostfixUser_scope = sub
PostfixUser_version = 3 
PostfixUser_query_filter = (mailacceptinggeneralid=%s)
PostfixUser_result_attribute = maildrop
best_mx_transport = local
ignore_mx_lookup_error = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes

Create your ow whitelist file /etc/postfix/whitelist with an editor. I can contain rules like: ok ok

Make a hashed db file from the ascii file:

postmap /etc/postfix/whitelist


smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/
  ${nexthop} ${user}
amavis    unix  -       -       n       -       5       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20    inet    n    -    n    -    -    smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

The older SSL wrapper-mode, which operated on port 465, is deprecated. If you really need it, add these lines to /etc/postfix/

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Postfix uses SASL for authenticated SMTP. Modify /etc/postfix/sasl/smtpd.conf like so:

pwcheck_method: saslauthd
mech_list: plain login

Set proper permissions on the postfix/saslauthd environment:

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add the Postfix user to the sasl group. This is required for authenticated SMTP.

adduser postfix sasl

Restart Postfix:

/etc/init.d/postfix restart

(and _please_ don't do that all the time as for most changes to /etc/postfix/ and the postfix lookup tables /etc/init.d/postfix reload will do!)

You can direct SASL to make use of pam. Another option is to direct SASL itself to connect to LDAP.

SASL to pam


  • ldap-authentication

Advantage (over sasl to ldap):

  • auth-smtp (with group membership)


OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"


auth required        /lib/security/
account required     /lib/security/
password required    /lib/security/ use_authtok
session required     /lib/security/

Restart the saslauthd:

/etc/init.d/saslauthd restart

If you want to limit authenticated smtp usage to members of a certain group you might use the pam-module 'pam_succeed_if'. Insert a line in the file /etc/pam.d/smtp just above the existing line that starts with 'account':

account     required user ingroup asmtp



OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Create the configuration file /etc/saslauthd.conf

ldap_servers: ldap:// ldap://
ldap_search_base: dc=intra,dc=example,dc=com
ldap_start_tls: yes

Restart the saslauthd:

/etc/init.d/saslauthd restart

Spam control

Postgrey configuration

Install the software with

apt-get install postgrey

Configure it in the file: /etc/defaults/postgrey. The defaults are normally OK, but have to match with for example the host/port combination in the postfix/ file.

Site specific whitelisting can be placed in two files. Place for example trusted neighbours in the file /etc/postgrey/whitelist_clients.local like this:

Or extra e-mail adresses in the file /etc/postgrey/whitelist_recipients.local like this:

Edit /etc/postfix/ and add in the smtpd_recipient_restrictions paragraph an extra 'check_policy_service' line to let postfix connect to the postgrey daemon. Like this:

smtpd_recipient_restrictions =
   check_policy_service inet:

Virus control

Spamassassin configuration

Apart from the Postgrey greylisting filter we use Spamassassin to fight spam. Clamav is open source anti-virus software.

The mailrouting to both filters is streamlined by Amavisd-new.

Install the software

apt-get install amavisd-new spamassassin clamav clamav-freshclam clamav-docs clamav-testfiles clamav-daemon


Make sure that spamd is allowed to start.

edit /etc/default/spamassassin

# Change to one to enable spamd

Customize the files in /etc/amavis/conf.d By default virus and spam checks are disabled in Amavisd-new 2.4.2. Re-enable them in the file /etc/amavis/conf.d/15-content_filter_mode

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

# Default antivirus checking mode
# Uncomment the two lines below to enable it back

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

# Default SPAM checking mode
# Uncomment the two lines below to enable it back

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

Reload amavisd

/etc/init.d/amavis reload


LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ArchiveLimitMemoryUsage false
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 10M
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/
DatabaseDirectory /var/lib/clamav
TemporaryDirectory /tmp
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
MailFollowURLs false
ArchiveBlockMax false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
NodalCoreAcceleration false
IdleTimeout 30
MailMaxRecursion 64
PhishingSignatures true
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0

Also have a look at freshclam.conf:

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav/
AllowSupplementaryGroups false
PidFile /var/run/clamav/
ConnectTimeout 30
ReceiveTimeout 30
ScriptedUpdates yes
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24

If necessary, restart clamav

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Statistics and reporting

Business intelligence of the e-mail usage.

A daily summary of usage statistics in an e-mail report:

apt-get install  pflogsumm

RRDTool graphs of all sent and received messages by the MTA. This requires a webserver:

apt-get install  mailgraph
hannibal/postfix.txt · Last modified: 2013/11/04 21:22 by Luc Nieland