Difference between revisions of "Postfix"

From HackerNet
Jump to: navigation, search
(Created page with "Postfix är en mail transfer agent(MTA) som kan skicka och ta emot email. Postfix används ofta tillsammans med Dovecot. Postfix kom redan 1986 men skrevs om 1997, ca 32%...")
 
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Postfix är en mail transfer agent(MTA) som kan skicka och ta emot email. Postfix används ofta tillsammans med [[Dovecot]]. Postfix kom redan 1986 men skrevs om 1997, ca 32% av dagens publika mailservrar kör Postfix.
+
#REDIRECT [[Mailserver]]
 
+
[[Category:Guider]]
==Förberedelse==
 
Öppna port i brandväggen.
 
*25 (SMTP)
 
 
 
Och skapa ett A och MX record i DNSen som spekar mot mailservern.
 
 
 
==Installation==
 
apt-get install postfix postfix-pcre
 
 
 
Om man vill kunna skicka testmails(swaks) och enkelt styra mailboxen(mutt).
 
apt-get install mutt swaks
 
 
 
==Konfiguration==
 
Konfigurations filerna finns under <code>/etc/postfix</code>
 
 
 
===LDAP===
 
Man kan enkelt koppla Postfix mot en LDAP server för autentisering, vilken mail och mailalias en användare ska ha och hur mycket lagring användare får.
 
 
 
'''Förberedelse'''
 
 
 
En uppsatt [[OpenLDAP]] server med ett postfix schema inlagt. Och en [[Dovecot]] server som också ska LDAP anslutas.
 
 
 
'''Installation'''
 
apt-get install postfix-ldap
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>main.cf</code> Detta är main konfigurations filen.
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
###################################################################################################
 
### Base Settings ###
 
#####################
 
 
 
# Listen on all interfaces
 
inet_interfaces = all
 
 
 
# Use TCP IPv4
 
inet_protocols = ipv4
 
 
 
# Greet connecting clients with this banner
 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 
 
 
# Fully-qualified hostname
 
myhostname = mail.example.com
 
 
 
# Do not append domain part to incomplete addresses (this is the MUA's job)
 
append_dot_mydomain = no
 
 
 
# Trusted networks/hosts (these are allowed to relay without authentication)
 
mynetworks =
 
    # Local
 
    127.0.0.0/8
 
    # External
 
    1.2.3.4/32
 
 
 
 
 
###################################################################################################
 
### Local Transport ###
 
#######################
 
 
 
# Disable local transport (so that system accounts can't receive mail)
 
local_transport = error:Local Transport Disabled
 
 
 
# Don't use local alias maps
 
alias_maps =
 
 
 
# Local domain (could be omitted, since it is automatically derived from $myhostname)
 
mydomain = example.com
 
 
 
# Mails for these domains will be transported locally
 
mydestination =
 
    $myhostname
 
    localhost.$mydomain
 
    localhost
 
 
 
 
 
###################################################################################################
 
### Virtual Transport ###
 
#########################
 
 
 
# Deliver mail for virtual recipients to Dovecot
 
virtual_transport = dovecot
 
 
 
# Process one mail at one time
 
dovecot_destination_recipient_limit = 1
 
 
 
# Valid virtual domains
 
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
 
 
 
# Valid virtual recipients
 
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
 
 
 
# Virtual aliases
 
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
 
 
 
 
 
###################################################################################################
 
### ESMTP Settings ###
 
######################
 
 
 
### SASL ###
 
 
 
# Enable SASL (required for SMTP authentication)
 
smtpd_sasl_auth_enable = yes
 
 
 
# Enable SASL for Outlook-Clients as well
 
broken_sasl_auth_clients = yes
 
 
 
### TLS ###
 
 
 
# Enable TLS (required to encrypt the plaintext SASL authentication)
 
smtpd_tls_security_level = may
 
 
 
# Only offer SASL in a TLS session
 
smtpd_tls_auth_only = yes
 
 
 
# Certification Authority
 
smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
 
 
 
# Public Certificate
 
smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
 
 
 
# Private Key (without passphrase)
 
smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
 
 
 
# Randomizer for key creation
 
tls_random_source = dev:/dev/urandom
 
 
 
# TLS related logging (set to 2 for debugging)
 
smtpd_tls_loglevel = 0
 
 
 
# Avoid Denial-Of-Service-Attacks
 
smtpd_client_new_tls_session_rate_limit = 10
 
 
 
# Activate TLS Session Cache
 
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
 
 
 
# Deny some TLS-Ciphers
 
smtpd_tls_exclude_ciphers =
 
        EXP
 
        EDH-RSA-DES-CBC-SHA
 
        ADH-DES-CBC-SHA
 
        DES-CBC-SHA
 
        SEED-SHA
 
 
 
# Diffie-Hellman Parameters for Perfect Forward Secrecy
 
# Can be created with:
 
# openssl dhparam -2 -out dh_512.pem 512
 
# openssl dhparam -2 -out dh_1024.pem 1024
 
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
 
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
 
 
 
 
 
###################################################################################################
 
### Connection Policies ###
 
###########################
 
 
 
# Reject Early Talkers
 
postscreen_greet_action = enforce
 
 
 
 
 
###################################################################################################
 
### Session Policies ###
 
########################
 
 
 
# Recipient Restrictions (RCPT TO related)
 
smtpd_recipient_restrictions =
 
        # Allow relaying for SASL authenticated clients and trusted hosts/networks
 
        # This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
 
        permit_sasl_authenticated
 
        permit_mynetworks
 
        reject_non_fqdn_recipient
 
        reject_unknown_recipient_domain
 
        reject_unauth_destination
 
        # Reject the following hosts
 
        check_sender_ns_access cidr:/etc/postfix/drop.cidr
 
        check_sender_mx_access cidr:/etc/postfix/drop.cidr
 
        # Additional blacklist
 
        reject_rbl_client ix.dnsbl.manitu.net
 
        # Finally permit (relaying still requires SASL auth)
 
        permit
 
 
 
# Reject the request if the sender is the null address and there are multiple recipients
 
smtpd_data_restrictions = reject_multi_recipient_bounce
 
 
 
# Sender Restrictions
 
smtpd_sender_restrictions =
 
        reject_non_fqdn_sender
 
        reject_unknown_sender_domain
 
 
 
# HELO/EHLO Restrictions
 
smtpd_helo_restrictions =
 
permit_mynetworks
 
        check_helo_access pcre:/etc/postfix/identitycheck.pcre
 
        #reject_non_fqdn_helo_hostname
 
        reject_invalid_hostname
 
 
 
# Deny VRFY recipient checks
 
disable_vrfy_command = yes
 
 
 
# Require HELO
 
smtpd_helo_required = yes
 
 
 
# Reject instantly if a restriction applies (do not wait until RCPT TO)
 
smtpd_delay_reject = no
 
 
 
# Client Restrictions (IP Blacklist)
 
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
 
</syntaxhighlight>
 
</div>
 
</div>
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>virtual_domains</code> Innehåller vilka domäner server tar emot mail för.
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
# Domain Anything
 
example.com OK
 
</syntaxhighlight>
 
</div>
 
</div>
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>ldap_virtual_recipients.cf</code> LDAP fråga för att validera mottagaren.
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
bind = yes
 
bind_dn = uid=postfix,ou=services,dc=example,dc=com
 
bind_pw = secret
 
server_host = ldap://127.0.0.1:389
 
search_base = ou=people,dc=example,dc=com
 
domain = example.com
 
query_filter = (&(mail=%s)(mailEnabled=TRUE))
 
result_attribute = mail
 
</syntaxhighlight>
 
</div>
 
</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>ldap_virtual_aliases.cf</code> LDAP fråga för att få fram aliases och forwarding adress. 
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
bind = yes
 
bind_dn = uid=postfix,ou=services,dc=example,dc=com
 
bind_pw = secret
 
server_host = ldap://127.0.0.1:389
 
search_base = ou=people,dc=example,dc=com
 
domain = example.com
 
query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
 
result_attribute = mail, email
 
</syntaxhighlight>
 
</div>
 
</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>identitycheck.pcre</code> Regexp för att blocka klienter som använder ditt hostnamn.
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
# Identity (RegEx) Action
 
 
 
/^(mail\.example\.com)$/ REJECT Hostname Abuse: $1
 
/^(1\.2\.3\.4)$/ REJECT Hostname Abuse: $1
 
/^(\[1\.2\.3\.4\])$/ REJECT Hostname Abuse: $1
 
</syntaxhighlight>
 
</div>
 
</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
 
<code>drop.cidr</code> Innehåller svartlistade IP-adresser.
 
<div class="mw-collapsible-content">
 
<syntaxhighlight lang=bash>#!/bin/bash
 
# IP/CIDR Action
 
 
 
1.2.3.0/24 REJECT Blacklisted
 
</syntaxhighlight>
 
</div>
 
</div>
 
 
 
Temporärt kommentera ut följande rader eftersom att [[Dovecot]] och TLS inte är konfigurerat i main.cf:
 
*dovecot_destination_recipient_limit = 1
 
*smtpd_tls_security_level = may
 
*smtpd_tls_auth_only = yes
 
*smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
 
*smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
 
*smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
 
 
 
Skapa en postmap db fil för din domän.
 
postmap hash:/etc/postfix/virtual_domains
 
 
 
Starta postfix och anslut mot servern med telnet mot port 25. Prova att skicka <code>EHLO client</code>, då ska du få följande svar:
 
<syntaxhighlight lang=text>
 
Trying 127.0.0.1...
 
Connected to 127.0.0.1.
 
Escape character is '^]'.
 
220 mail.example.com ESMTP Postfix (Ubuntu)
 
EHLO client
 
250-mail.example.com
 
250-PIPELINING
 
250-SIZE 10240000
 
250-ETRN
 
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
 
250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
 
250-ENHANCEDSTATUSCODES
 
250-8BITMIME
 
250 DSN
 
QUIT
 
221 2.0.0 Bye
 
</syntaxhighlight>
 
 
 
Testa att ställa en LDAP fråga.
 
postmap -q user@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
 
postmap -q postmaster@example.com ldap:/etc/postfix/ldap_virtual_aliases.cf
 
 
 
Båda frågorna bör ge user@example.com som svar.
 

Latest revision as of 23:43, 22 October 2015

Redirect to: