Difference between revisions of "Postfix"

From HackerNet
 
(3 intermediate revisions by 2 users not shown)
The latest revision replaces the whole page with a redirect:

#REDIRECT [[Mailserver]]

[[Category:Guider]]

The previous revision, shown below, read as follows.

Postfix is a mail transfer agent (MTA) that can send and receive email. Postfix is often used together with [[Dovecot]]. Postfix first appeared in 1986 but was rewritten in 1997; about 32% of today's public mail servers run Postfix.
==Preparation==

Open the port in the firewall:

*25 (SMTP)

Then create an A record and an MX record in DNS that point to the mail server.
 
 
 
==Installation==
 
apt-get install postfix postfix-pcre
 
 
 
If you also want to send test mails (swaks) and manage the mailbox easily (mutt):
 
apt-get install mutt swaks
 
 
 
==Configuration==

The configuration files are located under <code>/etc/postfix</code>.
 
 
 
===LDAP===
 
Postfix can easily be connected to an LDAP server for authentication, for deciding which mail address and mail aliases a user has, and for how much storage a user is allowed.
 
 
 
'''Preparation'''

A working [[OpenLDAP]] server with a [[OpenLDAP#Postfix_Schema|postfix schema]] loaded, and a [[Dovecot]] server that is also connected to LDAP.
 
 
 
'''Installation'''
 
apt-get install postfix-ldap
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>main.cf</code> This is the main configuration file.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
###################################################################################################
### Base Settings ###
#####################

# Listen on all interfaces
inet_interfaces = all

# Use TCP IPv4
inet_protocols = ipv4

# Greet connecting clients with this banner
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

# Fully-qualified hostname
myhostname = mail.example.com

# Do not append domain part to incomplete addresses (this is the MUA's job)
append_dot_mydomain = no

# Trusted networks/hosts (these are allowed to relay without authentication)
mynetworks =
    # Local
    127.0.0.0/8
    # External
    1.2.3.4/32


###################################################################################################
### Local Transport ###
#######################

# Disable local transport (so that system accounts can't receive mail)
local_transport = error:Local Transport Disabled

# Don't use local alias maps
alias_maps =

# Local domain (could be omitted, since it is automatically derived from $myhostname)
mydomain = example.com

# Mails for these domains will be transported locally
mydestination =
    $myhostname
    localhost.$mydomain
    localhost


###################################################################################################
### Virtual Transport ###
#########################

# Deliver mail for virtual recipients to Dovecot
virtual_transport = dovecot

# Process one mail at one time
dovecot_destination_recipient_limit = 1

# Valid virtual domains
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains

# Valid virtual recipients
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf

# Virtual aliases
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf


###################################################################################################
### ESMTP Settings ###
######################

### SASL ###

# Enable SASL (required for SMTP authentication)
smtpd_sasl_auth_enable = yes

# Enable SASL for Outlook-Clients as well
broken_sasl_auth_clients = yes

### TLS ###

# Enable TLS (required to encrypt the plaintext SASL authentication)
smtpd_tls_security_level = may

# Only offer SASL in a TLS session
smtpd_tls_auth_only = yes

# Certification Authority
smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem

# Public Certificate
smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem

# Private Key (without passphrase)
smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem

# Randomizer for key creation
tls_random_source = dev:/dev/urandom

# TLS related logging (set to 2 for debugging)
smtpd_tls_loglevel = 0

# Avoid Denial-Of-Service-Attacks
smtpd_client_new_tls_session_rate_limit = 10

# Activate TLS Session Cache
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache

# Deny some TLS-Ciphers
smtpd_tls_exclude_ciphers =
        EXP
        EDH-RSA-DES-CBC-SHA
        ADH-DES-CBC-SHA
        DES-CBC-SHA
        SEED-SHA

# Diffie-Hellman Parameters for Perfect Forward Secrecy
# Can be created with:
# openssl dhparam -2 -out dh_512.pem 512
# openssl dhparam -2 -out dh_1024.pem 1024
# (the 512-bit file is only used with export-grade ciphers, which are excluded above)
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem


###################################################################################################
### Connection Policies ###
###########################

# Reject Early Talkers
postscreen_greet_action = enforce


###################################################################################################
### Session Policies ###
########################

# Recipient Restrictions (RCPT TO related)
smtpd_recipient_restrictions =
        # Allow relaying for SASL authenticated clients and trusted hosts/networks
        # This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
        permit_sasl_authenticated
        permit_mynetworks
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unauth_destination
        # Reject the following hosts
        check_sender_ns_access cidr:/etc/postfix/drop.cidr
        check_sender_mx_access cidr:/etc/postfix/drop.cidr
        # Additional blacklist
        reject_rbl_client ix.dnsbl.manitu.net
        # Finally permit (relaying still requires SASL auth)
        permit

# Reject the request if the sender is the null address and there are multiple recipients
smtpd_data_restrictions = reject_multi_recipient_bounce

# Sender Restrictions
smtpd_sender_restrictions =
        reject_non_fqdn_sender
        reject_unknown_sender_domain

# HELO/EHLO Restrictions
# (every value line must be indented; a line at column 0 starts a new parameter
# and Postfix refuses to start with "missing '=' after attribute name")
smtpd_helo_restrictions =
        permit_mynetworks
        check_helo_access pcre:/etc/postfix/identitycheck.pcre
        #reject_non_fqdn_helo_hostname
        reject_invalid_hostname

# Deny VRFY recipient checks
disable_vrfy_command = yes

# Require HELO
smtpd_helo_required = yes

# Reject instantly if a restriction applies (do not wait until RCPT TO)
smtpd_delay_reject = no

# Client Restrictions (IP Blacklist)
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
</syntaxhighlight>

</div>

</div>
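Postfix reads <code>main.cf</code> as logical lines: a line starting at column 0 begins a parameter, an indented line continues the previous one, and blank or <code>#</code> lines are skipped. The following parser reproduces that rule and lints the two mistakes that are easiest to make with the file above: a value line that lost its indentation (which becomes a bogus parameter name), and SASL enabled while TLS is off. This is an added example written for this guide, not code from the HackerNet page or from Postfix; the sample configs are constructed to mirror the page's settings, and the function names are my own.

```python
"""Parse main.cf the way postconf(5) describes it (a line starting at column 0
begins a parameter, an indented line continues the previous one, blank and '#'
lines are skipped) and lint a few of the settings from the guide.

Added example written for this guide; it is not code from the HackerNet page
or from Postfix, and the sample configs below are constructed to mirror the
page's settings.
"""

from typing import Dict, List

Params = Dict[str, List[str]]


def parse_main_cf(text: str) -> Params:
    """Return {parameter: value tokens}.

    Raises ValueError for a logical line without '=', which Postfix reports as
    "missing '=' after attribute name" and refuses to start on.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank and comment lines neither start nor end a logical line
        if raw[0] in " \t":
            if not logical:
                raise ValueError("continuation line before any parameter")
            logical[-1] += " " + stripped  # indented: continues the previous line
        else:
            logical.append(stripped)  # column 0: starts a new logical line
    params: Params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"missing '=' after attribute name: {name.split()[0]!r}")
        params[name.strip()] = value.split()
    return params


def check_main_cf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the checks passed."""
    try:
        params = parse_main_cf(text)
    except ValueError as exc:
        return [f"syntax: {exc}"]

    problems: List[str] = []
    sasl_on = params.get("smtpd_sasl_auth_enable", ["no"]) == ["yes"]
    auth_only = params.get("smtpd_tls_auth_only", ["no"]) == ["yes"]
    # An empty/missing level means TLS is off (smtpd_use_tls defaults to no)
    tls_level = " ".join(params.get("smtpd_tls_security_level", [])) or "none"

    if sasl_on and tls_level == "none" and auth_only:
        problems.append("smtpd_tls_auth_only=yes but TLS is off: AUTH is never offered, so nobody can log in")
    elif sasl_on and tls_level == "none":
        problems.append("SASL enabled without TLS: AUTH (and passwords) would be sent in the clear")
    return problems


# Constructed: the guide's HELO restrictions with the first value line at column 0
BROKEN_HELO = """\
smtpd_helo_restrictions =
permit_mynetworks
        check_helo_access pcre:/etc/postfix/identitycheck.pcre
        reject_invalid_hostname
"""

# Same setting with every value line indented
FIXED_HELO = BROKEN_HELO.replace("\npermit_mynetworks", "\n        permit_mynetworks")

# Constructed: the state the guide asks for while Dovecot/TLS are not set up yet
NO_TLS_YET = """\
smtpd_sasl_auth_enable = yes
#smtpd_tls_security_level = may
#smtpd_tls_auth_only = yes
mynetworks =
    # Local
    127.0.0.0/8
    # External
    1.2.3.4/32
"""

if __name__ == "__main__":
    for label, cfg in ("broken helo", BROKEN_HELO), ("fixed helo", FIXED_HELO), ("no tls yet", NO_TLS_YET):
        print(label, "->", check_main_cf(cfg) or "ok")
```

On a real host the authoritative check is still <code>postfix check</code> and <code>postconf -n</code>; the script is useful for reviewing a <code>main.cf</code> before it is copied to the server.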
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>virtual_domains</code> Contains the domains the server accepts mail for.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
# Domain Anything
example.com OK
</syntaxhighlight>

</div>

</div>
 
 
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>ldap_virtual_recipients.cf</code> LDAP query to validate the recipient.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
bind = yes
bind_dn = uid=postfix,ou=services,dc=example,dc=com
bind_pw = secret
server_host = ldap://127.0.0.1:389
search_base = ou=people,dc=example,dc=com
# Only keys in this domain are sent to LDAP; other domains are "not found" without a query
domain = example.com
query_filter = (&(mail=%s)(mailEnabled=TRUE))
result_attribute = mail
</syntaxhighlight>

</div>

</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>ldap_virtual_aliases.cf</code> LDAP query to look up aliases and the forwarding address.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
bind = yes
bind_dn = uid=postfix,ou=services,dc=example,dc=com
bind_pw = secret
server_host = ldap://127.0.0.1:389
search_base = ou=people,dc=example,dc=com
domain = example.com
query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
result_attribute = mail, email
</syntaxhighlight>

</div>

</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>identitycheck.pcre</code> Regular expressions that block clients which introduce themselves with your own hostname or IP address.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
# Identity (RegEx) Action
/^(mail\.example\.com)$/ REJECT Hostname Abuse: $1
/^(1\.2\.3\.4)$/ REJECT Hostname Abuse: $1
/^(\[1\.2\.3\.4\])$/ REJECT Hostname Abuse: $1
</syntaxhighlight>

</div>

</div>
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">

<code>drop.cidr</code> Contains blacklisted IP addresses.

<div class="mw-collapsible-content">

<syntaxhighlight lang=text>
# IP/CIDR Action
1.2.3.0/24 REJECT Blacklisted
</syntaxhighlight>

</div>

</div>
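Both tables above are consulted top to bottom and the first matching entry decides: <code>check_helo_access</code> runs the HELO name through <code>identitycheck.pcre</code> (case-insensitively, and with <code>$1</code> replaced by the captured text), and <code>check_client_access</code> looks the client address up in <code>drop.cidr</code>. The script below emulates those two lookups so the rules can be tried against sample names and addresses before they go live. It is an added example written for this guide, not code from the HackerNet page or from Postfix; the table contents are constructed copies of the two files above, and the HELO names and client addresses are constructed as well.

```python
"""Emulate how Postfix consults the two access tables above: check_helo_access
walks identitycheck.pcre top to bottom and takes the first matching regexp,
check_client_access does the same with the networks in drop.cidr.

Added example written for this guide; it is not code from the HackerNet page
or from Postfix. The table contents are constructed copies of the two files
above, and the HELO names and client addresses are constructed too.
"""

import ipaddress
import re
from typing import List, Optional, Tuple

IDENTITYCHECK_PCRE = r"""
# Identity (RegEx) Action
/^(mail\.example\.com)$/ REJECT Hostname Abuse: $1
/^(1\.2\.3\.4)$/ REJECT Hostname Abuse: $1
/^(\[1\.2\.3\.4\])$/ REJECT Hostname Abuse: $1
"""

DROP_CIDR = """
# IP/CIDR Action
1.2.3.0/24 REJECT Blacklisted
"""


def load_pcre_table(text: str) -> List[Tuple["re.Pattern[str]", str]]:
    """Parse '/regexp/ action' lines. Matching is case-insensitive, as in
    pcre_table(5); optional flags after the closing slash are not handled here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(.*)$", line)
        if not m:
            raise ValueError(f"bad pcre table line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def load_cidr_table(text: str) -> List[Tuple[object, str]]:
    """Parse 'network/prefix action' lines into (ip_network, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, _, action = line.partition(" ")
        rules.append((ipaddress.ip_network(net, strict=False), action.strip()))
    return rules


def helo_action(rules, helo_name: str) -> Optional[str]:
    """Action of the first matching rule with $1..$9 expanded, or None when no
    rule matches (Postfix then continues with the next restriction)."""
    for pattern, action in rules:
        m = pattern.search(helo_name)
        if m:
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", action)
    return None


def client_action(rules, client_ip: str) -> Optional[str]:
    """Action of the first network containing the client address, else None."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:
            return action
    return None


if __name__ == "__main__":
    pcre_rules = load_pcre_table(IDENTITYCHECK_PCRE)
    cidr_rules = load_cidr_table(DROP_CIDR)
    for name in ("mail.example.com", "[1.2.3.4]", "client.example.org"):
        print("HELO", name, "->", helo_action(pcre_rules, name) or "DUNNO")
    for ip in ("1.2.3.77", "1.2.4.1"):
        print("client", ip, "->", client_action(cidr_rules, ip) or "DUNNO")
```

The real tables are tried the same way with <code>postmap -q mail.example.com pcre:/etc/postfix/identitycheck.pcre</code> and <code>postmap -q 1.2.3.77 cidr:/etc/postfix/drop.cidr</code> once the files are in place.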
 
 
 
Temporarily comment out the following lines, since [[Dovecot]] and TLS are not yet configured in main.cf:

*dovecot_destination_recipient_limit = 1
*smtpd_tls_security_level = may
*smtpd_tls_auth_only = yes
*smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
*smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
*smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
 
 
 
Create a postmap db file for your domain.
 
postmap hash:/etc/postfix/virtual_domains
 
 
 
Start Postfix and connect to the server with telnet on port 25. Try sending <code>EHLO client</code>; you should get the following reply:

<syntaxhighlight lang=text>
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
EHLO client
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
</syntaxhighlight>
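The reply above is what you see while the TLS lines are commented out: <code>AUTH</code> is advertised on a plaintext session and there is no <code>STARTTLS</code>. Once <code>smtpd_tls_security_level</code> and <code>smtpd_tls_auth_only</code> are back in, <code>AUTH</code> must disappear from this list until the client has issued <code>STARTTLS</code>. The script below parses an EHLO reply into its extensions and reports exactly that. It is an added example written for this guide, not code from the HackerNet page; the first transcript is the one shown above, embedded as constructed sample input, the second is a constructed reply for the finished setup, and <code>live_ehlo</code> is my own helper around <code>smtplib</code> for checking a running server.

```python
"""Parse an SMTP EHLO reply and report what the server advertises before
STARTTLS. Added example written for this guide, not code from the HackerNet
page; the transcripts are constructed sample input (the first is the guide's).
"""

import smtplib
from typing import Dict, List

# Constructed copy of the transcript from the guide (TLS still commented out)
EHLO_TRANSCRIPT = """\
220 mail.example.com ESMTP Postfix (Ubuntu)
EHLO client
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: what the same server should answer with TLS and smtpd_tls_auth_only=yes active
EHLO_WITH_TLS = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(transcript: str) -> Dict[str, str]:
    """Return {EXTENSION: parameters} from the 250-/250 lines of an EHLO reply."""
    features: Dict[str, str] = {}
    reply_lines = 0
    for line in transcript.splitlines():
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue  # banner, our own commands, other replies
        reply_lines += 1
        if reply_lines == 1:
            continue  # the first 250 line carries the server's hostname, not an extension
        body = line[4:].strip()
        # "AUTH=..." is the old spelling that broken_sasl_auth_clients=yes adds; fold it into AUTH
        name, _, params = body.replace("=", " ", 1).partition(" ")
        features[name.upper()] = params.strip()
    return features


def check_ehlo(features: Dict[str, str]) -> List[str]:
    """Findings for a plaintext (pre-STARTTLS) EHLO reply; empty list means fine."""
    findings: List[str] = []
    if "AUTH" in features and "STARTTLS" not in features:
        findings.append("AUTH offered without STARTTLS: passwords would cross the wire in clear text "
                        "(re-enable smtpd_tls_security_level and smtpd_tls_auth_only)")
    if "STARTTLS" not in features:
        findings.append("no STARTTLS: mail can only be received unencrypted")
    return findings


def live_ehlo(host: str, port: int = 25, name: str = "client") -> Dict[str, str]:
    """Same view of a running server via smtplib (needs network; not run in the test)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(name)
        return {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}


if __name__ == "__main__":
    for label, text in ("guide transcript", EHLO_TRANSCRIPT), ("with TLS", EHLO_WITH_TLS):
        print(label, "->", check_ehlo(parse_ehlo(text)) or "ok")
```

For a running server, <code>check_ehlo(live_ehlo("mail.example.com"))</code> gives the same verdict as reading the telnet session by hand.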
 
 
 
Test an LDAP query.
 
postmap -q user@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
 
postmap -q postmaster@example.com ldap:/etc/postfix/ldap_virtual_aliases.cf
 
 
 
Both queries should return user@example.com.
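What <code>postmap -q</code> actually sends to the LDAP server is the <code>query_filter</code> with <code>%s</code> replaced by the lookup key. Two details matter for a mail server: Postfix escapes the key with RFC 4515 quoting before substituting it, so address characters such as <code>*</code> or <code>)</code> cannot change the filter, and a key whose domain is not in the table's <code>domain</code> list is answered "not found" without contacting LDAP at all. The script below reproduces both steps for the two table files above. It is an added example written for this guide, not code from the HackerNet page or from Postfix; the table files are embedded as constructed copies, and the escaping routine and function names are my own.

```python
"""Build the LDAP filter Postfix would send for a lookup key, using the two
table files above: %s is replaced by the RFC 4515-escaped key, and keys whose
domain is not in the 'domain' list are never sent to the server.

Added example written for this guide; not code from the HackerNet page or
from Postfix. The table files are constructed copies of the guide's.
"""

from typing import Dict, Optional

RECIPIENTS_CF = """\
bind = yes
bind_dn = uid=postfix,ou=services,dc=example,dc=com
bind_pw = secret
server_host = ldap://127.0.0.1:389
search_base = ou=people,dc=example,dc=com
domain = example.com
query_filter = (&(mail=%s)(mailEnabled=TRUE))
result_attribute = mail
"""

# The aliases table differs only in the filter attribute and the result attributes
ALIASES_CF = RECIPIENTS_CF.replace("(mail=%s)", "(mailAlias=%s)").replace(
    "result_attribute = mail", "result_attribute = mail, email")


def parse_table_cf(text: str) -> Dict[str, str]:
    """Read the 'name = value' lines of a Postfix ldap table file."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")  # split at the first '=' only
            cfg[name.strip()] = value.strip()
    return cfg


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def filter_for_key(cfg: Dict[str, str], key: str) -> Optional[str]:
    """The filter Postfix would send for 'key', or None when the key is not eligible."""
    local, at, domain = key.rpartition("@")
    allowed = {d.lower() for d in cfg.get("domain", "").replace(",", " ").split()}
    if allowed and (not at or not local or domain.lower() not in allowed):
        return None  # ldap_table(5): not a fully qualified key in a listed domain
    return cfg["query_filter"].replace("%s", ldap_filter_escape(key))


if __name__ == "__main__":
    recipients = parse_table_cf(RECIPIENTS_CF)
    aliases = parse_table_cf(ALIASES_CF)
    for key in ("user@example.com", "postmaster@example.com", "user@other.org", "*)(mail=*@example.com"):
        print(key, "->", filter_for_key(recipients, key))
    print("alias lookup ->", filter_for_key(aliases, "postmaster@example.com"))
```

The last sample key shows why the escaping matters: the metacharacters arrive at the server as <code>\2a</code>, <code>\29</code> and <code>\28</code>, so the filter still compares the whole string against the <code>mail</code> attribute instead of being rewritten.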
 

Latest revision as of 23:43, 22 October 2015
