Postfix is a free, simple, and secure MTA (e-mail server). It has been ported to most Unixes and it's configuration files are the same across all platforms. It is Sendmail compatible also. The install below will be for OpenBSD 3.8 using Postfix version 2.3. Any of the config files below could be used on any other type of Unix that Postfix has been ported to. Paths, mailowner, setgid, etc will have to be changed to the local systems settings.
I'll leave it up to you to put in the mx records in DNS for this mail servers hostname. If this will be your only mail server then you don't need an MX record. If a mail server recieves an e-mail and there is no corresponding MX record for mail delivery it will default to using the A record for that host. A mx record is best practice though.
A quick description on what Postfix does when it recieves mail. Postfix will be started and listen on port 25 by default. If you have a firewall open port 25. Postfix will eventaully recieve a connection from another mail server on port 25. It will process the e-mail (header and body checks, real time blacklist, RFC compliance, etc) and if all of our checks pass it is handed off to procmail for delivery. Procmail is an mail delivery agent (MDA). Procmail will take the e-mail do any processing it has been told to do (.procmailrc scripts) and place the e-mail into the users mailbox.
Install the latest Postfix and Procmail. For this install example it will be for OpenBSD 3.8.
pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/postfix-2.3.20050716.tgz
pkg_add -v http://openbsd.secsup.org/3.8/packages/i386/procmail-3.22p0.tgz
Now that the software is installed we need to setup the config files. The config files will be listed below. Edit to your configuration needs.
First file is OpenBSD's startup file. It's in /etc/rc.conf. Edit this file and change the lines in it already to look like the lines below. First line will start Postfix when the system boots. The second line will open a socket for Postfix logging.
sendmail_flags="-bd -q30m" syslogd_flags="-a /var/spool/postfix/dev/log"
The postfix setup will be used on a server that will not deliver mail itself but will forward it's mail to another mail server to deliver it. On this host the mail is being sent to what is called a relay host (smarthost). I beleive if you leave this blank postfix will deliver the mail itself. Check your /etc/aliases file and be sure to set up aliases that send mail for root and postmaster to a real person, then run /usr/local/sbin/newaliases. To setup postfix as the primary mailer on the system run: /usr/local/sbin/postfix-enable. To put it back to sendmail run: /usr/local/sbin/postfix-disable. Make sure to change the myorigin/mydestination/mynetworks sections below to your configuration needs.
For procmail to deliver the mail it will need access to the /var/mail directory. Procmail will run as the user to deliver the mail. It will try to place the mail in a file with the users account name on the system. You might have to create this file and give it the correct permissions before procmail will deliver the mail to it. If mail is not being delivered right check the mail logfile or the system log file. If it mentions procmail and permissions blah blah blah then try these commands as root: "touch /var/mail/username" then "chown username.wheel /var/mail/username" then "chmod 600 /var/log/username".
Put the settings below in the file /etc/postfix/main.cf. Remember the config below is for OpenBSD so the directories settings are set for OpenBSD. So are the mail_owner and setgid_group settings. You will need to change these to what your install is using. If your using OpenBSD then you will be ok unless something has changed in later versions. Also be aware of the smtp restricitons area at the bottom. I use these settings to cut down on my spam considerably. They are not conserative by any means but you will have to try them yourself.
### see /usr/share/postfix/main.cf.dist for a commented, fuller
### version of this file.
### Do not change these directory settings - they are critical to Postfix
### operation.
biff = no
recipient_delimiter = +
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
program_directory = /usr/local/libexec/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
### No one needs to know what we run. So I'll give them this.
mail_name = mail.yourdomain.org
smtpd_banner = ESMTP $mail_name
### Who delivers the mail (never root for security).
mail_owner = _postfix
setgid_group = _postdrop
### appending .domain should be the MUA's job.
append_dot_mydomain = no
append_at_myorigin = yes
### Relay Host this mail server should send its mail to if need be.
relayhost = smtp.yourisp.net
### Valid hostname of this system known as the mail server (must be a fqdn !)
### What other mailservers see us as.
myhostname = mail.yourdomain.org
### The mydestination parameter specifies what domains this machine will deliver locally, instead
### of forwarding to another machine. The default is to receive mail for the machine itself.
mydestination = yourdomain.org,blah.yourdomain.com,$myhostname,localhost.localdomain, ,localhost
### maps for virtual domains
virtual_alias_maps = hash:/etc/postfix/virtual
### External Networks to accept RELAYED mail from.
mynetworks = 192.168.0.0/24, 127.0.0.0/8
### Where to send mail that is delivered locally.
mailbox_command = procmail -a "$EXTENSION"
### How much of the message in bytes will be bounced back to the sender.
bounce_size_limit = 2000
### No limit on mailbox size.
mailbox_size_limit = 0
### Limit sent/recieved emails to 100 Megs "(header+body+attachment)x(mime-encoding) <= 100 meg"
message_size_limit = 102400000
### How long do messages stay in the queue before being sent back to the sender. (in days)
### By default, postfix attempts to resend the message every (1000 secs)x(# attempts)x(days).
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
### Parrallel delivery force (local=2 and dest=20 are default)
local_destination_concurrency_limit = 2
initial_destination_concurrency = 10
default_destination_concurrency_limit = 50
### Limits the mail inflow to 100 messages per second above the number of messages delivered per second.
in_flow_delay = 1s
###Clients must send a HELO (or EHLO) command at the beginning of an SMTP session.
smtpd_helo_required = yes
### No one needs to ask our server who is on it. If you do, you get smacked with the tarpit and then an error.
disable_vrfy_command = yes
### Reject immediately. Do not delay until RCPT TO: to reject the email
smtpd_delay_reject = yes
### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 2
smtpd_hard_error_limit = 5
smtpd_junk_command_limit = 3
### Require strict RFC 821-style envelope addresses
strict_rfc821_envelopes = yes
### Limit the info given to outside servers
show_user_unknown_table_name = no
### Message Limitations. Uncomment and use if needed.
#header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks
### Reject codes
access_map_reject_code = 554
defer_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
non_fqdn_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
### SMTP Restrictions
smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client,
check_client_access regexp:/etc/postfix/client_restrictions
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
check_helo_access hash:/etc/postfix/access,
warn_if_reject reject_invalid_hostname
smtpd_etrn_restrictions = permit_mynetworks,
reject
smtpd_sender_restrictions = permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_address
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
reject_multi_recipient_bounce,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unknown_client,
warn_if_reject reject_unknown_hostname,
reject_unauth_pipelining,
reject_rhsbl_sender dsn.rfc-ignorant.org
reject_rhsbl_sender bogusmx.rfc-ignorant.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
# reject_unverified_sender
permit
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit
########################## END #########################################
Client restrictions for postfix. Put these settings in the file /etc/postfix/client_restrictions. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.
# List taken from http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
# To test regular expressions below use "grep -e" from the command line. If you see the hostname echo'ed the regex worked.
# For example: echo 'blah.hotmail.com' | grep -e '\.hotmail\.com$'
### WHITE LIST ###
/\.amazon\.com$/ OK
/\.dell\.com$/ OK
/\.ibm\.com$/ OK
/\.yahoo\.com$/ OK
/\.hotmail\.com$/ OK
/\.paypal\.com$/ OK
# mc1-s3.bay6.hotmail.com, etc.
/\.bay[0-9]+\.hotmail\.com$/ OK
# Whitelist Examples
#
# h04-a1.data-hotel.net, etc.
# /\.data-hotel\.net$/ OK
#
# web10902.mail.bbt.yahoo.co.jp
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/ OK
#
# web35509.mail.mud.yahoo.com
# /^web[0-9]+\.mail\.(.+\.)?yahoo\.com$/ OK
#
# c151240.vh.plala.or.jp
# /\.vh\.plala\.or\.jp$/ OK
#
# n2.59-106-41-68.mixi.jp, etc.
# /\.mixi\.jp$/ OK
#
# mta12.m2.home.ne.jp, etc.
# /\.m2\.home\.ne\.jp$/ OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
# /\.softbank\.ne\.jp$/ OK
#
# imt1omta04-s0.ezweb.ne.jp, etc.
# /\.ezweb\.ne\.jp$/ OK
#
# bay-w1-inf5.verisign.net
# benicia-w2-inf30.verisign.net
# /\.verisign\.net$/ OK
#
# web10902.mail.bbt.yahoo.co.jp
#/^web[0-9]+\.mail\.(.+\.)?yahoo\.co\.jp$/ OK
#
# ip address
# /^202\.222\.18\.17$/ OK
### BLACK LIST ###
/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/ 450 domain check tpnet
/^user.+\.mindspring\.com$/ 450 domain check mind
/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/ 450 domain check pppool
/\.dip\.t-dialin\.net$/ 450 domain check t-dialin
/\.(adsl|cable)\.wanadoo\.nl$/ 450 domain check wanadoo
/\.ipt\.aol\.com$/ 450 domain check aol
# 85.155.10.73.dyn.user.ono.com
/\.user\.ono\.com$/ 450 domain check ono
# Blacklist Examples
#
# pr86.internetdsl.tpnet.pl
# fq217.neoplus.adsl.tpnet.pl
# pa148.braniewo.sdi.tpnet.pl
#/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/ 450 domain check
#
# user-0cetcbr.cable.mindspring.com
# user-vc8fldi.biz.mindspring.com
#/^user.+\.mindspring\.com$/ 450 domain check
#
# c9531ecc.virtua.com.br (hexadecimal used)
#/^[0-9a-f]{8}\.virtua\.com\.br$/ 450 domain check
#
# catv-5984bdee.catv.broadband.hu (hexadecimal used)
#/\.catv\.broadband\.hu$/ 450 domain check
#
# Edc3e.e.pppool.de
# BAA1408.baa.pppool.de
#/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/ 450 domain check
#
# xdsl-5790.lubin.dialog.net.pl
#/^xdsl.+\.dialog\.net\.pl$/ 450 domain check
#
# pD9EB80CB.dip0.t-ipconnect.de (hexadecimal used)
#/\.dip[0-9]+\.t-ipconnect\.de$/ 450 domain check
#
# pD9E799A1.dip.t-dialin.net (hexadecimal used)
#/\.dip\.t-dialin\.net$/ 450 domain check
#
# ool-43511bdc.dyn.optonline.net (hexadecimal used)
#/\.dyn\.optonline\.net$/ 450 domain check
#
# rt-dkz-1699.adsl.wanadoo.nl
# c3eea5738.cable.wanadoo.nl (hexadecimal used)
#/\.(adsl|cable)\.wanadoo\.nl$/ 450 domain check
#
# ACBBD419.ipt.aol.com (hexadecimal used)
#/\.ipt\.aol\.com$/
### Generic Block ###
/^(pool|cable|dhcp|dialup|ppp|adsl)[^.]*[0-9]/ 450 checking dynamic isp
#Generic Examples
#
# ex: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9]/ 450 S25R check1
#
# ex: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/ 450 S25R check2
#
# ex: 398pkj.cm.chello.no
# ex: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/ 450 S25R check3
#
# ex: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/ 450 S25R check4
#
# ex: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./ 450 S25R check5
#
# ex: dhcp0339.vpm.resnet.group.upenn.edu
# ex: dialupM107.ptld.uswest.net
# ex: PPPbf708.tokyo-ip.dti.ne.jp
# ex: adsl-1415.camtel.net
# /^(dhcp|dialup|ppp|adsl)[^.]*[0-9]/ 450 S25R check
Header checks for postfix. Put these settings in the file /etc/postfix/header_checks. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.
#### Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks
#### non-RFC Compliance
/[^[:print:]]{7}/ REJECT RFC2047
/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT RFC822
/(.*)?\{6,\}/ REJECT RFC822
/(.*)[X|x]\{3,\}/ REJECT RFC822
#### Unreadable NON-acsii un-printable text
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable
#### Subject checks
/^Subject:.* / REJECT Space
/^Subject:.*r[ _\.\*\-]+o[ _\.\*\-]+l[ _\.\*\-]+e[ _\.\*\-]+x/ REJECT Hidden Words
/^Subject:.*p[ _\.\*\-]+o[ _\.\*\-]+r[ _\.\*\-]+n/ REJECT Hidden Words
#### Character Set Checks
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)\?/ REJECT Bad Content Type
#### Attachments
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/
REJECT Bad Attachment .${3}
#### Backscatter mail from virus scanners
/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification
#### Known Spammers or Unsolicited Commercial Email
/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*constantcontact.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
#/^From:.*163.com/ REJECT Blacklisted
Body checks for Postfix. Put these settings in the file /etc/postfix/body_checks. Edit to your needs or just don't use. Comment the line in main.cf if you don't use these.
# Postfix body_checks # /etc/postfix/body_checks #### General body checks. Uncomment and change examples if needed. #/http:\/\/.*\.info/ REJECT dotinfo #/lottery/ REJECT lottery #/Viagra/ REJECT viagra #/Cialis/ REJECT cialis #/Valium/ REJECT valium #/Xanax/ REJECT xanax #/Tramadol/ REJECT tramadol
Helo checks for Postfix. Put the names and ip's of your domains in the file /etc/postfix/helo_access. No sender should ever give a helo statement with the name of the server or the ip address of the mail server (example uses 1.1.1.1). Uncomment in config if you need to use it. Not a must but the more filters the better. Comment the line in main.cf if you don't use these.
localhost REJECT 554 misconfigured sender mail.yourservername.org REJECT 554 misconfigured sender 1.1.1.1 REJECT 554 misconfigured sender
Alias file for Postfix. Put these settings in the file /etc/aliases. Edit to your needs. It system-wide mechanism to redirect mail for local recipients. You will need to use this.
# Don't forget to run the command "newaliases" after editing this file! postmaster: root abuse: root root: username1 #bob: username2 #everyone: username1,username2 #roger: [email protected]
This is virtual delivery file for Postfix. Put these settings in the file /etc/postfix/virtual. Edit to your needs. The virtual delivery file is designed for virtual mail hosting services. If you have virtual domains put them here. Mail is delivered by the virtual delivery agent in postfix. Virtual alias lookups are useful to redirect mail for virtual alias domains to real user mailboxes, and to redirect mail for domains that no longer exist. Virtual alias lookups can also be used to transform Firstname.Lastname back into UNIX login names, although local aliases may be better for that. Don't forget to run the command: "postmap /etc/postfix/virtual" after editing this file.
#The left hand side are virtual e-mail aliases. The right hand side #are local system login names or names that reference the alias file. #After editing this file run the command: postmap /etc/postfix/virtual # example1.org username [email protected] bob [email protected] roger [email protected] bob # example2.org username [email protected] bob [email protected] roger [email protected] roger [email protected] bob
You can start Postfix with the "postfix start" command. It should start if you setup all your paths and configs correctly. If not check the mail log file. OpenBSD's is /var/log/mail. Other systems use this also so look in it for any errors. Thats it. You should be close to rolling. There are some hints and tips below to check out.
Check out a perl script called pflogsumm. It will e-mail you very helpful Postfix stats everyday. Fantastic program.
Here is a list some helpful postfix commands that I don't want to forget. They are below with comments.
postfix start # start postfix postfix stop # stop postfix postfix reload # reload postfix like after changing the main.conf file mailq # see what mail is in the mail queue. same as command: postqueue -p postqueue -f # do a mail queue run and try to deliver the mail in the queue postqueue -s site # do a queue run for a certain "site" (domain) postsuper -d queue_id # delete a specific message from the mail queue by it's id. postsuper -d ALL # delete all mail from the mail queue postsuper -h queue_id # put a message in the mail queue on hold postsuper -H queue_id # take a message off hold postconf # shows you all the parameters (settings) of the running postfix
