Difference between revisions of "Postfix"

Revision as of 00:40, 23 October 2015

Postfix är en mail transfer agent(MTA) som kan skicka och ta emot email. Postfix används ofta tillsammans med Dovecot. Postfix kom redan 1986 men skrevs om 1997, ca 32% av dagens publika mailservrar kör Postfix.

Förberedelse

Öppna port i brandväggen.

25 (SMTP)

Och skapa ett A och MX record i DNSen som spekar mot mailservern.

Installation

apt-get install postfix postfix-pcre

Om man vill kunna skicka testmails(swaks) och enkelt styra mailboxen(mutt).

apt-get install mutt swaks

REDIRECT Mailserver

@@ Line 13: / Line 13: @@
   apt-get install mutt swaks
-==Konfiguration==
+#REDIRECT [[Mailserver]]
-Konfigurations filerna finns under <code>/etc/postfix</code>
-===LDAP===
-Man kan enkelt koppla Postfix mot en LDAP server för autentisering, vilken mail och mailalias en användare ska ha och hur mycket lagring användare får.
-'''Förberedelse'''
-En uppsatt [[OpenLDAP]] server med ett [[OpenLDAP#Postfix_Schema|postfix schema]] inlagt. Och en [[Dovecot]] server som också är LDAP ansluten.
-'''Installation'''
- apt-get install postfix-ldap
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>main.cf</code> Detta är main konfigurations filen.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-###################################################################################################
-### Base Settings ###
-#####################
-# Listen on all interfaces
-inet_interfaces = all
-# Use TCP IPv4
-inet_protocols = ipv4
-# Greet connecting clients with this banner
-smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
-# Fully-qualified hostname
-myhostname = mail.example.com
-# Do not append domain part to incomplete addresses (this is the MUA's job)
-append_dot_mydomain = no
-# Trusted networks/hosts (these are allowed to relay without authentication)
-mynetworks =
-    # Local
-.0.0.0/8
-    # External
-.2.3.4/32
-###################################################################################################
-### Local Transport ###
-#######################
-# Disable local transport (so that system accounts can't receive mail)
-local_transport = error:Local Transport Disabled
-# Don't use local alias maps
-alias_maps =
-# Local domain (could be omitted, since it is automatically derived from $myhostname)
-mydomain = example.com
-# Mails for these domains will be transported locally
-mydestination =
-    $myhostname
-    localhost.$mydomain
-    localhost
-###################################################################################################
-### Virtual Transport ###
-#########################
-# Deliver mail for virtual recipients to Dovecot
-virtual_transport = dovecot
-# Process one mail at one time
-dovecot_destination_recipient_limit = 1
-# Valid virtual domains
-virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
-# Valid virtual recipients
-virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
-# Virtual aliases
-virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
-###################################################################################################
-### ESMTP Settings ###
-######################
-### SASL ###
-# Enable SASL (required for SMTP authentication)
-smtpd_sasl_auth_enable = yes
-# Enable SASL for Outlook-Clients as well
-broken_sasl_auth_clients = yes
-### TLS ###
-# Enable TLS (required to encrypt the plaintext SASL authentication)
-smtpd_tls_security_level = may
-# Only offer SASL in a TLS session
-smtpd_tls_auth_only = yes
-# Certification Authority
-smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-# Public Certificate
-smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-# Private Key (without passphrase)
-smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-# Randomizer for key creation
-tls_random_source = dev:/dev/urandom
-# TLS related logging (set to 2 for debugging)
-smtpd_tls_loglevel = 0
-# Avoid Denial-Of-Service-Attacks
-smtpd_client_new_tls_session_rate_limit = 10
-# Activate TLS Session Cache
-smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
-# Deny some TLS-Ciphers
-smtpd_tls_exclude_ciphers =
-        EXP
-        EDH-RSA-DES-CBC-SHA
-        ADH-DES-CBC-SHA
-        DES-CBC-SHA
-        SEED-SHA
-# Diffie-Hellman Parameters for Perfect Forward Secrecy
-# Can be created with:
-# openssl dhparam -2 -out dh_512.pem 512
-# openssl dhparam -2 -out dh_1024.pem 1024
-smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
-smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
-###################################################################################################
-### Connection Policies ###
-###########################
-# Reject Early Talkers
-postscreen_greet_action = enforce
-###################################################################################################
-### Session Policies ###
-########################
-# Recipient Restrictions (RCPT TO related)
-smtpd_recipient_restrictions =
-        # Allow relaying for SASL authenticated clients and trusted hosts/networks
-        # This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
-        permit_sasl_authenticated
-        permit_mynetworks
-        reject_non_fqdn_recipient
-        reject_unknown_recipient_domain
-        reject_unauth_destination
-        # Reject the following hosts
-        check_sender_ns_access cidr:/etc/postfix/drop.cidr
-        check_sender_mx_access cidr:/etc/postfix/drop.cidr
-        # Additional blacklist
-        reject_rbl_client ix.dnsbl.manitu.net
-        # Finally permit (relaying still requires SASL auth)
-        permit
-# Reject the request if the sender is the null address and there are multiple recipients
-smtpd_data_restrictions = reject_multi_recipient_bounce
-# Sender Restrictions
-smtpd_sender_restrictions =
-        reject_non_fqdn_sender
-        reject_unknown_sender_domain
-# HELO/EHLO Restrictions
-smtpd_helo_restrictions =
-		permit_mynetworks
-        check_helo_access pcre:/etc/postfix/identitycheck.pcre
-        #reject_non_fqdn_helo_hostname
-        reject_invalid_hostname
-# Deny VRFY recipient checks
-disable_vrfy_command = yes
-# Require HELO
-smtpd_helo_required = yes
-# Reject instantly if a restriction applies (do not wait until RCPT TO)
-smtpd_delay_reject = no
-# Client Restrictions (IP Blacklist)
-smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>virtual_domains</code> Innehåller vilka domäner server tar emot mail för.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Domain		Anything
-example.com		OK
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_recipients.cf</code> LDAP fråga för att validera mottagaren.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mail=%s)(mailEnabled=TRUE))
-result_attribute = mail
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>ldap_virtual_aliases.cf</code> LDAP fråga för att få fram aliases och forwarding adress.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-bind = yes
-bind_dn = uid=postfix,ou=services,dc=example,dc=com
-bind_pw = secret
-server_host = ldap://127.0.0.1:389
-search_base = ou=people,dc=example,dc=com
-domain = example.com
-query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
-result_attribute = mail, email
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>identitycheck.pcre</code> Regexp för att blocka klienter som använder ditt hostnamn.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# Identity (RegEx)		Action
-/^(mail\.example\.com)$/	REJECT Hostname Abuse: $1
-/^(1\.2\.3\.4)$/		REJECT Hostname Abuse: $1
-/^(\[1\.2\.3\.4\])$/		REJECT Hostname Abuse: $1
-</syntaxhighlight>
-</div>
-</div>
-<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
-<code>drop.cidr</code> Innehåller svartlistade IP-adresser.
-<div class="mw-collapsible-content">
-<syntaxhighlight lang=bash>#!/bin/bash
-# IP/CIDR			Action
-.2.3.0/24			REJECT Blacklisted
-</syntaxhighlight>
-</div>
-</div>
-Temporärt kommentera ut följande rader eftersom att [[Dovecot]] och TLS inte är konfigurerat i main.cf:
-*dovecot_destination_recipient_limit = 1
-*smtpd_tls_security_level = may
-*smtpd_tls_auth_only = yes
-*smtpd_tls_CAfile = /etc/postfix/certs/example-cacert.pem
-*smtpd_tls_cert_file = /etc/postfix/certs/mail_public_cert.pem
-*smtpd_tls_key_file = /etc/postfix/certs/mail_private_key.pem
-Skapa en postmap db fil för din domän.
- postmap hash:/etc/postfix/virtual_domains
-Starta postfix och anslut mot servern med telnet mot port 25. Prova att skicka <code>EHLO client</code>, då ska du få följande svar:
-<syntaxhighlight lang=text>
-Trying 127.0.0.1...
-Connected to 127.0.0.1.
-Escape character is '^]'.
-mail.example.com ESMTP Postfix (Ubuntu)
-EHLO client
--mail.example.com
--PIPELINING
--SIZE 10240000
--ETRN
--AUTH DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
--AUTH=DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN
--ENHANCEDSTATUSCODES
--8BITMIME
-DSN
-QUIT
-2.0.0 Bye
-</syntaxhighlight>
-Testa att ställa en LDAP fråga.
- postmap -q user@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
- postmap -q postmaster@example.com ldap:/etc/postfix/ldap_virtual_aliases.cf
-Båda frågorna bör ge user@example.com som svar.
-[[Category:Guider]]