@@ Line 1: / Line 1: @@
-Postfix är en mail transfer agent(MTA) som kan skicka och ta emot email. Postfix används ofta tillsammans med [[Dovecot]]. Postfix kom redan 1986 men skrevs om 1997, ca 32% av dagens publika mailservrar kör Postfix.
+#REDIRECT [[Mailserver]]
+[[Category:Guider]]
-==Förberedelse==
-Öppna port i brandväggen.
-*25 (SMTP)
-Och skapa ett A och MX record i DNSen som spekar mot mailservern.
-==Installation==
- apt-get install postfix postfix-pcre
-Om man vill kunna skicka testmails(swaks) och enkelt styra mailboxen(mutt).
- apt-get install mutt swaks
-==Konfiguration==
-Konfigurations filerna finns under <code>/etc/postfix</code>
-===LDAP===
-Man kan enkelt koppla Postfix mot en LDAP server för autentisering, vilken mail och mailalias en användare ska ha och hur mycket lagring användare får.
-'''Förberedelse'''
-En uppsatt [[OpenLDAP]] server med ett [[OpenLDAP#Postfix_Schema|postfix schema]] inlagt. Och en [[Dovecot]] server som också är LDAP ansluten.
-'''Installation'''
- apt-get install postfix-ldap
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>main.cf</code> Detta är main konfigurations filen.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-###################################################################################################
-### Base Settings ###
-#####################
-# Listen on all interfaces
-inet_interfaces = all
-# Use TCP IPv4
-inet_protocols = ipv4
-# Greet connecting clients with this banner
-smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
-# Fully-qualified hostname
-myhostname = mail.example.com
-# Do not append domain part to incomplete addresses (this is the MUA's job)
-append_dot_mydomain = no
-# Trusted networks/hosts (these are allowed to relay without authentication)
-mynetworks =
-    # Local
-.0.0.0/8
-    # External
-.2.3.4/32
-###################################################################################################
-### Local Transport ###
-#######################
-# Disable local transport (so that system accounts can't receive mail)
-local_transport = error:Local Transport Disabled
-# Don't use local alias maps
-alias_maps =
-# Local domain (could be omitted, since it is automatically derived from $myhostname)
-mydomain = example.com
-# Mails for these domains will be transported locally
-mydestination =
-    $myhostname
-    localhost.$mydomain
-    localhost
-###################################################################################################
-### Virtual Transport ###
-#########################
-# Deliver mail for virtual recipients to Dovecot
-virtual_transport = dovecot
-# Process one mail at one time
-dovecot_destination_recipient_limit = 1
-# Valid virtual domains
-virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
-# Valid virtual recipients
-virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
-# Virtual aliases
-virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
-###################################################################################################
-### ESMTP Settings ###
-######################
-### SASL ###
-# Enable SASL (required for SMTP authentication)
-smtpd_sasl_auth_enable = yes
-# Enable SASL for Outlook-Clients as well
-broken_sasl_auth_clients = yes
-### TLS ###
-# Enable TLS (required to encrypt the plaintext SASL authentication)
-smtpd_tls_security_level = may
-# Only offer SASL in a TLS session
-smtpd_tls_auth_only = yes
-# Certification Authority
-smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-# Public Certificate
-smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-# Private Key (without passphrase)
-smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-# Randomizer for key creation
-tls_random_source = dev:/dev/urandom
-# TLS related logging (set to 2 for debugging)
-smtpd_tls_loglevel = 0
-# Avoid Denial-Of-Service-Attacks
-smtpd_client_new_tls_session_rate_limit = 10
-# Activate TLS Session Cache
-smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
-# Deny some TLS-Ciphers
-smtpd_tls_exclude_ciphers =
-        EXP
-        EDH-RSA-DES-CBC-SHA
-        ADH-DES-CBC-SHA
-        DES-CBC-SHA
-        SEED-SHA
-# Diffie-Hellman Parameters for Perfect Forward Secrecy
-# Can be created with:
-# openssl dhparam -2 -out dh_512.pem 512
-# openssl dhparam -2 -out dh_1024.pem 1024
-smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
-smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
-###################################################################################################
-### Connection Policies ###
-###########################
-# Reject Early Talkers
-postscreen_greet_action = enforce
-###################################################################################################
-### Session Policies ###
-########################
-# Recipient Restrictions (RCPT TO related)
-smtpd_recipient_restrictions =
-        # Allow relaying for SASL authenticated clients and trusted hosts/networks
-        # This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
-        permit_sasl_authenticated
-        permit_mynetworks
-        reject_non_fqdn_recipient
-        reject_unknown_recipient_domain
-        reject_unauth_destination
-        # Reject the following hosts
-        check_sender_ns_access cidr:/etc/postfix/drop.cidr
-        check_sender_mx_access cidr:/etc/postfix/drop.cidr
-        # Additional blacklist
-        reject_rbl_client ix.dnsbl.manitu.net
-        # Finally permit (relaying still requires SASL auth)
-        permit
-# Reject the request if the sender is the null address and there are multiple recipients
-smtpd_data_restrictions = reject_multi_recipient_bounce
-# Sender Restrictions
-smtpd_sender_restrictions =
-        reject_non_fqdn_sender
-        reject_unknown_sender_domain
-# HELO/EHLO Restrictions
-smtpd_helo_restrictions =
-		permit_mynetworks
-        check_helo_access pcre:/etc/postfix/identitycheck.pcre
-        #reject_non_fqdn_helo_hostname
-        reject_invalid_hostname
-# Deny VRFY recipient checks
-disable_vrfy_command = yes
-# Require HELO
-smtpd_helo_required = yes
-# Reject instantly if a restriction applies (do not wait until RCPT TO)
-smtpd_delay_reject = no
-# Client Restrictions (IP Blacklist)
-smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>virtual_domains</code> Innehåller vilka domäner server tar emot mail för.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Domain		Anything
-example.com		OK
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_recipients.cf</code> LDAP fråga för att validera mottagaren.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mail=%s)(mailEnabled=TRUE))
-result_attribute = mail
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_aliases.cf</code> LDAP fråga för att få fram aliases och forwarding adress.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
-result_attribute = mail, email
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>identitycheck.pcre</code> Regexp för att blocka klienter som använder ditt hostnamn.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Identity (RegEx)		Action
-/^(mail\.example\.com)$/	REJECT Hostname Abuse: $1
-/^(1\.2\.3\.4)$/		REJECT Hostname Abuse: $1
-/^(\[1\.2\.3\.4\])$/		REJECT Hostname Abuse: $1
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>drop.cidr</code> Innehåller svartlistade IP-adresser.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# IP/CIDR			Action
-.2.3.0/24			REJECT Blacklisted
-</syntaxhighlight>
-</div>
-</div>
-Temporärt kommentera ut följande rader eftersom att [[Dovecot]] och TLS inte är konfigurerat i main.cf:
-*dovecot_destination_recipient_limit = 1
-*smtpd_tls_security_level = may
-*smtpd_tls_auth_only = yes
-*smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-*smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-*smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-Skapa en postmap db fil för din domän.
- postmap hash:/etc/postfix/virtual_domains
-Starta postfix och anslut mot servern med telnet mot port 25. Prova att skicka <code>EHLO client</code>, då ska du få följande svar:
-<syntaxhighlight lang=text>
-Trying 127.0.0.1...
-Connected to 127.0.0.1.
-Escape character is '^]'.
-mail.example.com ESMTP Postfix (Ubuntu)
-EHLO client
--mail.example.com
--PIPELINING
--SIZE 10240000
--ETRN
--AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
--AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
--ENHANCEDSTATUSCODES
--8BITMIME
-DSN
-QUIT
-2.0.0 Bye
-</syntaxhighlight>
-Testa att ställa en LDAP fråga.
- postmap -q user@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
- postmap -q postmaster@example.com ldap:/etc/postfix/ldap_virtual_aliases.cf
-Båda frågorna bör ge user@example.com som svar.

Difference between revisions of "Postfix"

Latest revision as of 00:43, 23 October 2015