
MTA (mail transfer agent)

Below is a configuration for an MTA whose configuration and user information are kept in files on the system itself.

For a configuration with the user-info stored in LDAP see:

This system is only the MTA itself: it routes e-mail to one or more mailstores on separate machines. Cyrus, Dovecot, Zarafa — take your pick.

To run an RBL yourself, see: https://hannibal.solstice.nl/hannibalwiki/picoenterprise:email-rbl

Service description

This configuration has a submission listener on port 587/tcp that only accepts TLS-encrypted connections from authenticated users (credentials in a SASL password database).

Inbound mail is delivered to this MTA on port 25/tcp.

Installation

apt-get install  postfix postfix-doc sasl2-bin libsasl2-modules

Optional extras (greylisting and SPF checking):

apt-get install  postgrey
apt-get install  postfix-policyd-spf-python

Configuration

Add the postfix user to the group sasl:

usermod -a -G sasl postfix

Configure SASL: /etc/default/saslauthd

# /etc/default/saslauthd — sourced by the saslauthd init script.
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
# sasldb: passwords are looked up in the local sasldb2 database (no PAM/LDAP).
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
# -c enables caching of verified credentials; -m sets the directory of the
# mux socket. Postfix talks to this socket, which is why the postfix user is
# added to the 'sasl' group earlier on this page.
OPTIONS="-c -m /var/run/saslauthd"

/etc/postfix/sasl/smtpd.conf

# /etc/postfix/sasl/smtpd.conf — Cyrus SASL settings for the Postfix smtpd service.
# Hand password checks to the saslauthd daemon configured in /etc/default/saslauthd.
pwcheck_method: saslauthd
# PLAIN and LOGIN send the password in the clear; this is acceptable only because
# main.cf below offers AUTH exclusively after STARTTLS (smtpd_tls_auth_only = yes)
# and forbids plaintext mechanisms on unencrypted sessions.
mech_list: plain login

/etc/postfix/main.cf

# /etc/postfix/main.cf
# Keep undeliverable mail and bounces queued for 12 weeks before giving up;
# the Postfix default is 5d, so this is a deliberately long retention.
maximal_queue_lifetime = 12w
bounce_queue_lifetime =  12w
# Greeting banner; unlike the default it does not disclose the MTA software.
# NOTE(review): the banner name differs from myhostname (smtp.example.com);
# make sure it resolves to this host, as some receivers compare the two.
smtpd_banner = postoffice.example.com ESMTP
# Refuse VRFY so remote clients cannot probe for valid addresses.
disable_vrfy_command = yes
biff = no
append_dot_mydomain = no
# NOTE(review): these are the Debian self-signed placeholder ("snakeoil") files.
# Replace them with a certificate issued for smtp.example.com; until then every
# submission client that verifies the server will see an untrusted certificate.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# Offer STARTTLS on port 25 (opportunistic). Encryption is only enforced on the
# submission service in master.cf. smtpd_use_tls is the legacy spelling of
# smtpd_tls_security_level = may.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = smtp.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = intra.example.com
mydestination = smtp.intra.example.com, localhost
# Only loopback is trusted: permit_mynetworks below therefore never opens
# relaying to a LAN range.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
# Domains rewritten through /etc/postfix/virtual (listed further down).
virtual_alias_domains = example2.com example3.com example4.com
virtual_alias_maps = hash:/etc/postfix/virtual
# Per-recipient routing to the mailstores; see /etc/postfix/transport below.
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_type = cyrus
# Name of the SASL config file: /etc/postfix/sasl/smtpd.conf.
smtpd_sasl_path = smtpd
# AUTH stays off on the port 25 MX service; master.cf enables it for the
# submission service (port 587) only.
smtpd_sasl_auth_enable = no
#broken_sasl_auth_clients = yes
# Without TLS: no anonymous and no plaintext mechanisms. With TLS the plaintext
# mechanisms (PLAIN/LOGIN) are allowed because the channel is encrypted.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Do not even advertise AUTH until STARTTLS has completed.
smtpd_tls_auth_only = yes
# Adds "(Authenticated sender: <login>)" to the Received: header — useful for
# abuse tracing, but note it reveals the login name to recipients.
smtpd_sasl_authenticated_header = yes
# Time limit for the SPF policy daemon spawned from master.cf.
policy-spf_time_limit=3600s
# Rules are evaluated top to bottom; the first rule that matches decides.
# NOTE(review): check_helo_access runs BEFORE reject_unauth_destination. The
# HELO name is chosen by the client, so any entry in /etc/postfix/whitelist that
# returns OK lets anyone presenting that HELO name relay to arbitrary
# destinations. Safer: keep only REJECT/DUNNO actions in that table, or move
# the lookup after reject_unauth_destination.
# The SPF, DNSBL and greylist checks sit after reject_unauth_destination, so they
# only see mail for domains this host actually accepts.
# NOTE(review): the CBL data is also carried in zen.spamhaus.org, so the
# cbl.abuseat.org lookup is likely redundant; Spamhaus also expects queries
# from a local (non-public) resolver.
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/whitelist,
   reject_unauth_destination,
   check_policy_service unix:private/policy-spf,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   check_policy_service inet:127.0.0.1:10023

/etc/postfix/virtual

# /etc/postfix/virtual — virtual alias table (rebuild with postmap after editing).
# Public addresses on the left are rewritten to the internal mailbox on the
# right; the internal address is then routed via /etc/postfix/transport.
# NOTE(review): example.com itself appears neither in mydestination nor in
# virtual_alias_domains in the main.cf above. Unless it is listed elsewhere
# (e.g. relay_domains), reject_unauth_destination will refuse these addresses
# for mail coming from outside; confirm the domain list is complete.
info1@example.com              me@intra.example.com
info2@example.com              me@intra.example.com
info3@example.com              me@intra.example.com
info4@example.com              you@intra.example.com
info5@example.com              you@intra.example.com
info6@example.com              we@intra.example.com
info7@example.com              we@intra.example.com
# One address can fan out to several mailboxes (comma-separated).
info8@example.com              me@intra.example.com,we@intra.example.com

/etc/postfix/transport

# /etc/postfix/transport — per-recipient routing (rebuild with postmap after editing).
# Each mailbox is handed to its own mailstore: SMTP on port 25 for cyrus1,
# LMTP on port 24 for cyrus2 and dovecot1.
# NOTE(review): the main.cf above sets no smtp_tls_security_level, so unless it
# is configured elsewhere these hops to the mailstores travel unencrypted over
# the internal network.
me@intra.example.com           smtp:cyrus1.intra.example.com:25
you@intra.example.com          lmtp:cyrus2.intra.example.com:24
we@intra.example.com           lmtp:dovecot1.intra.example.com:24
# Everything else (including all remote domains) goes to the smarthost at
# 172.16.50.2; the brackets suppress the MX lookup for that address.
*                              smtp:[172.16.50.2] 

/etc/default/postgrey

# /etc/default/postgrey — sourced by the postgrey init script.
# Greylisting policy daemon on TCP port 10023, queried as the last rule of
# smtpd_recipient_restrictions. An unseen sender/recipient/client triple is told
# to retry after --delay seconds; --max-age is how long (days) seen triples are kept.
# NOTE(review): confirm the listener is bound to 127.0.0.1 only; nothing but the
# local Postfix should be able to reach the policy port.
POSTGREY_OPTS="--inet=10023 --delay=250 --max-age=400"
# Text returned to the client with the temporary rejection.
POSTGREY_TEXT="Lots of work now but welcome in five minutes"

/etc/postfix-policyd-spf-python/policyd-spf.conf

# /etc/postfix-policyd-spf-python/policyd-spf.conf
# Logging verbosity of the policy daemon (results are logged via syslog).
debugLevel = 1 
defaultSeedOnly = 1
# Reject at HELO/EHLO time whenever the HELO identity does not produce an SPF
# pass; this is stricter than rejecting only on an explicit Fail.
HELO_reject = SPF_Not_Pass
# Reject the MAIL FROM only on an explicit SPF Fail (-all).
Mail_From_reject = Fail
# Broken (PermError) or unresolvable (TempError) SPF records are let through
# rather than rejected/deferred — lenient, but avoids losing legitimate mail.
PermError_reject = False
TempError_Defer = False
# Skip SPF checks for these client addresses; mirrors mynetworks in main.cf.
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128

/etc/postfix/master.cf

...
# smtp-submission:
# Columns: service type private unpriv chroot wakeup maxproc command.
# Listener on port 587 for authenticated users. Both smtpd_enforce_tls (legacy)
# and smtpd_tls_security_level=encrypt are set; the latter is the current form
# and makes STARTTLS mandatory before anything else. smtpd_sasl_auth_enable
# overrides the global "no" in main.cf for this service only, and the client
# restriction drops every client that has not authenticated.
587       inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
# SPF:
# Policy daemon run on demand by spawn(8) as the unprivileged user 'nobody';
# reached from main.cf via check_policy_service unix:private/policy-spf.
policy-spf  unix  -       n       n       -       -       spawn 
     user=nobody argv=/usr/bin/policyd-spf
...