(3 intermediate revisions by 2 users not shown) |
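--- a/PAGE_TITLE_PLACEHOLDER
+++ b/PAGE_TITLE_PLACEHOLDER
@@ -1,313 +1,2 @@
-Postfix är en mail transfer agent(MTA) som kan skicka och ta emot email. Postfix används ofta tillsammans med [[Dovecot]]. Postfix kom redan 1986 men skrevs om 1997, ca 32% av dagens publika mailservrar kör Postfix.
-
-==Förberedelse==
-Öppna port i brandväggen.
-*25 (SMTP)
-
-Och skapa ett A och MX record i DNSen som spekar mot mailservern.
-
-==Installation==
-apt-get install postfix postfix-pcre
-
-Om man vill kunna skicka testmails(swaks) och enkelt styra mailboxen(mutt).
-apt-get install mutt swaks
-
-==Konfiguration==
-Konfigurations filerna finns under <code>/etc/postfix</code>
-
-===LDAP===
-Man kan enkelt koppla Postfix mot en LDAP server för autentisering, vilken mail och mailalias en användare ska ha och hur mycket lagring användare får.
-
-'''Förberedelse'''
-
-En uppsatt [[OpenLDAP]] server med ett [[OpenLDAP#Postfix_Schema|postfix schema]] inlagt. Och en [[Dovecot]] server som också är LDAP ansluten.
-
-'''Installation'''
-apt-get install postfix-ldap
-
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>main.cf</code> Detta är main konfigurations filen.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-###################################################################################################
-### Base Settings ###
-#####################
-
-# Listen on all interfaces
-inet_interfaces = all
-
-# Use TCP IPv4
-inet_protocols = ipv4
-
-# Greet connecting clients with this banner
-smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
-
-# Fully-qualified hostname
-myhostname = mail.example.com
-
-# Do not append domain part to incomplete addresses (this is the MUA's job)
-append_dot_mydomain = no
-
-# Trusted networks/hosts (these are allowed to relay without authentication)
-mynetworks =
-# Local
-127.0.0.0/8
-# External
-1.2.3.4/32
-
-
-###################################################################################################
-### Local Transport ###
-#######################
-
-# Disable local transport (so that system accounts can't receive mail)
-local_transport = error:Local Transport Disabled
-
-# Don't use local alias maps
-alias_maps =
-
-# Local domain (could be omitted, since it is automatically derived from $myhostname)
-mydomain = example.com
-
-# Mails for these domains will be transported locally
-mydestination =
-$myhostname
-localhost.$mydomain
-localhost
-
-
-###################################################################################################
-### Virtual Transport ###
-#########################
-
-# Deliver mail for virtual recipients to Dovecot
-virtual_transport = dovecot
-
-# Process one mail at one time
-dovecot_destination_recipient_limit = 1
-
-# Valid virtual domains
-virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
-
-# Valid virtual recipients
-virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
-
-# Virtual aliases
-virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
-
-
-###################################################################################################
-### ESMTP Settings ###
-######################
-
-### SASL ###
-
-# Enable SASL (required for SMTP authentication)
-smtpd_sasl_auth_enable = yes
-
-# Enable SASL for Outlook-Clients as well
-broken_sasl_auth_clients = yes
-
-### TLS ###
-
-# Enable TLS (required to encrypt the plaintext SASL authentication)
-smtpd_tls_security_level = may
-
-# Only offer SASL in a TLS session
-smtpd_tls_auth_only = yes
-
-# Certification Authority
-smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-
-# Public Certificate
-smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-
-# Private Key (without passphrase)
-smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-
-# Randomizer for key creation
-tls_random_source = dev:/dev/urandom
-
-# TLS related logging (set to 2 for debugging)
-smtpd_tls_loglevel = 0
-
-# Avoid Denial-Of-Service-Attacks
-smtpd_client_new_tls_session_rate_limit = 10
-
-# Activate TLS Session Cache
-smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
-
-# Deny some TLS-Ciphers
-smtpd_tls_exclude_ciphers =
-EXP
-EDH-RSA-DES-CBC-SHA
-ADH-DES-CBC-SHA
-DES-CBC-SHA
-SEED-SHA
-
-# Diffie-Hellman Parameters for Perfect Forward Secrecy
-# Can be created with:
-# openssl dhparam -2 -out dh_512.pem 512
-# openssl dhparam -2 -out dh_1024.pem 1024
-smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
-smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
-
-
-###################################################################################################
-### Connection Policies ###
-###########################
-
-# Reject Early Talkers
-postscreen_greet_action = enforce
-
-
-###################################################################################################
-### Session Policies ###
-########################
-
-# Recipient Restrictions (RCPT TO related)
-smtpd_recipient_restrictions =
-# Allow relaying for SASL authenticated clients and trusted hosts/networks
-# This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
-permit_sasl_authenticated
-permit_mynetworks
-reject_non_fqdn_recipient
-reject_unknown_recipient_domain
-reject_unauth_destination
-# Reject the following hosts
-check_sender_ns_access cidr:/etc/postfix/drop.cidr
-check_sender_mx_access cidr:/etc/postfix/drop.cidr
-# Additional blacklist
-reject_rbl_client ix.dnsbl.manitu.net
-# Finally permit (relaying still requires SASL auth)
-permit
-
-# Reject the request if the sender is the null address and there are multiple recipients
-smtpd_data_restrictions = reject_multi_recipient_bounce
-
-# Sender Restrictions
-smtpd_sender_restrictions =
-reject_non_fqdn_sender
-reject_unknown_sender_domain
-
-# HELO/EHLO Restrictions
-smtpd_helo_restrictions =
-permit_mynetworks
-check_helo_access pcre:/etc/postfix/identitycheck.pcre
-#reject_non_fqdn_helo_hostname
-reject_invalid_hostname
-
-# Deny VRFY recipient checks
-disable_vrfy_command = yes
-
-# Require HELO
-smtpd_helo_required = yes
-
-# Reject instantly if a restriction applies (do not wait until RCPT TO)
-smtpd_delay_reject = no
-
-# Client Restrictions (IP Blacklist)
-smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
-</syntaxhighlight>
-</div>
-</div>
-
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>virtual_domains</code> Innehåller vilka domäner server tar emot mail för.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Domain Anything
-example.com OK
-</syntaxhighlight>
-</div>
-</div>
-
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_recipients.cf</code> LDAP fråga för att validera mottagaren.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mail=%s)(mailEnabled=TRUE))
-result_attribute = mail
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_aliases.cf</code> LDAP fråga för att få fram aliases och forwarding adress.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
-result_attribute = mail, email
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>identitycheck.pcre</code> Regexp för att blocka klienter som använder ditt hostnamn.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Identity (RegEx) Action
-
-/^(mail\.example\.com)$/ REJECT Hostname Abuse: $1
-/^(1\.2\.3\.4)$/ REJECT Hostname Abuse: $1
-/^(\[1\.2\.3\.4\])$/ REJECT Hostname Abuse: $1
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>drop.cidr</code> Innehåller svartlistade IP-adresser.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# IP/CIDR Action
-
-1.2.3.0/24 REJECT Blacklisted
-</syntaxhighlight>
-</div>
-</div>
-
-Temporärt kommentera ut följande rader eftersom att [[Dovecot]] och TLS inte är konfigurerat i main.cf:
-*dovecot_destination_recipient_limit = 1
-*smtpd_tls_security_level = may
-*smtpd_tls_auth_only = yes
-*smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-*smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-*smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-
-Skapa en postmap db fil för din domän.
-postmap hash:/etc/postfix/virtual_domains
-
-Starta postfix och anslut mot servern med telnet mot port 25. Prova att skicka <code>EHLO client</code>, då ska du få följande svar:
-<syntaxhighlight lang=text>
-Trying 127.0.0.1...
-Connected to 127.0.0.1.
-Escape character is '^]'.
-220 mail.example.com ESMTP Postfix (Ubuntu)
-EHLO client
-250-mail.example.com
-250-PIPELINING
-250-SIZE 10240000
-250-ETRN
-250-AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
-250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
-250-ENHANCEDSTATUSCODES
-250-8BITMIME
-250 DSN
-QUIT
-221 2.0.0 Bye
-</syntaxhighlight>
-
-Testa att ställa en LDAP fråga.
-postmap -q user@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
-postmap -q postmaster@example.com ldap:/etc/postfix/ldap_virtual_aliases.cf
-
-Båda frågorna bör ge user@example.com som svar.
+#REDIRECT [[Mailserver]]
+[[Category:Guider]]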