{"id":133,"date":"2019-06-02T18:00:25","date_gmt":"2019-06-02T17:00:25","guid":{"rendered":"https:\/\/blog.inplico.uk\/?p=133"},"modified":"2023-06-15T21:44:12","modified_gmt":"2023-06-15T20:44:12","slug":"postfix","status":"publish","type":"post","link":"https:\/\/blog.inplico.uk\/?p=133","title":{"rendered":"Postfix"},"content":{"rendered":"

Installation<\/strong><\/p>\n

Now that we have postfixadmin and the database set up we can install postfix.<\/p>\n

#apt-get install postfix-pgsql<\/pre>\n
NOTE: At this point there is a chance that Debian has pre-empted you and automatically installed a number of packages that you do not want and that conflict with the packages that you intend to use (I love Debian but its \u201cnanny knows best\u201d approach really pisses me off sometimes). If it does then you will need to run<\/p>\n
#apt-get install postfix postfix-pgsql<\/pre>\n
This will probably bring up a window for configuration of exim4 even though it is going to remove it rather than install it; just humour it by excepting the defaults and let it do its thang!<\/p>\n
After this you can run autoremove if you want to get rid of the mysql stuff that debian thinks that you are going to need<\/p>\n
#apt-get autoremove<\/pre>\n
We are going to store the mail in a custom location or \/home\/mailstore so we need to create that directory and set the permissions on it.<\/p>\n
First though we are going to add a user and a group called mailer<\/p>\n
#groupadd mailer\r\n#useradd mailer \u2013g mailer<\/pre>\n
now we can create the directory and set the permissions<\/p>\n
#mkdir \/home\/mailstore\r\n#chown mailer:mailer \/home\/mailstore<\/pre>\n
The other thing that we need to do is obtain the userid and groupid for the mailer user and group so that we can use them in the configuration file<\/p>\n
#id mailer<\/pre>\n
should return something like<\/p>\n
uid=1001(mailer) gid=1001(mailer) groups=1001(mailer)<\/pre>\n
so we now know that the user and group id\u2019s are 1001<\/p>\n
Postfix Configuration<\/strong><\/p>\n
master.cf<\/strong><\/p>\n
Postfix has two main config files: main.cf<\/strong>, which specifies what you would think of as config options, and master.cf<\/strong>, which specifies the services postfix should run.<\/p>\n
First, configure the master.cf<\/strong> file (in \/etc\/postfix\/). Add an extra “smtpd” instance called “submission” that will take mail from trusted clients for delivery to the world at large, which we don’t allow for anyone else.\u00a0 To do that, open master.cf (take a look at man 5 master<\/a> if you want to understand what’s going on) and uncomment the submission config and add options to enable SASL:<\/p>\n
submission inet n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 smtpd\r\n-o syslog_name=postfix\/submission\r\n-o smtpd_tls_wrappermode=no\r\n-o smtpd_tls_security_level=encrypt\r\n-o smtpd_sasl_auth_enable=yes\r\n-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination\r\n-o milter_macro_daemon_name=ORIGINATING\u00a0\u00a0\r\n-o smtpd_sasl_type=dovecot\u00a0\u00a0\r\n-o smtpd_sasl_path=private\/auth<\/pre>\n
Note <\/strong>there are 2 spaces prepending the \u201c-o\u201d, these are necessary for the configuration to load<\/p>\n
taken from https:\/\/kuther.net\/howtos\/soho-mailserver-postfix-postgresql-dovecot-spamassassin-roundcube<\/p>\n
This warrants a bit of explanation. The -o … options override the settings that are taken from defaults or define in the config, which we’ll set later.
\nIn a nutshell what happens here is that this enables the “submission” daemon with TLS to secure the outer connection, and dovecot-mediated SASL to check the username and password of connecting clients. (We will set that up in dovecot later).<\/p>\n
The important detail is smtpd_recipient_restrictions which is missing reject_unauth_destination<\/a>, this is what restricts relaying.<\/p>\n
 <\/p>\n
main.cf<\/strong><\/p>\n
That is it for master.cf, now we want to configure main.cf. Let’s first set the network information: (information about the domains postfix is handling mail for, and a bit of extra info)<\/p>\n
myhostname = fqdn.suffix\r\nmyorigin = \/etc\/mailname\r\nmydestination = fqdn.suffix, domain.com, localhost,\r\nlocalhost.localdomain\r\nrelayhost =\r\nmynetworks = 127.0.0.0\/8\r\n[::ffff:127.0.0.0]\/104 [::1]\/128\r\nmailbox_size_limit = 0\r\nrecipient_delimiter = +\r\ninet_interfaces = all<\/pre>\n
We set the hostname and the default origin, which is sourced from \/etc\/mailname<\/strong> by debian convention. You can set it explicitly if you don’t have \/etc\/mailname<\/strong>. The default origin is used to construct the ‘From’ address for local users. mydestination<\/strong> sets the domains that postfix accepts emails for as final destination, and we set “relayhost” empty to disable relaying mail (relaying means accepting mail and then forwarding to a mail server that is not the final destination for the mail and we have no need for that; that is useful e.g. in a corporate intranet where a central mail server should check mail before it leaves the network.)<\/p>\n
Now we need to set up the virtual mail for postgresql and dovecot transport. Depending on how your server is setup you might want to keep mail in a non default location. If possible I like to make a separate partition to store mail on, but if that is not possible then I will use the \/home directory. Whatever directory is used, it needs to be set in the virtual_mailbox_base directive<\/p>\n
virtual_mailbox_base = \/home\/mailstore<\/pre>\n
virtual_mailbox_limit sets the maximum size of the mailbox, here we have it set to 5gig because space is not really a concern<\/p>\n
virtual_mailbox_limit = 512000000<\/pre>\n
In a moment we are going to create some files that we will use to drag information from the postfix database. The following directives tell postfix what type of database we are connecting to, what the files are called, and their locations.<\/p>\n
virtual_mailbox_domains = proxy:pgsql:\/etc\/postfix\/pgsql\/virtual_domains_maps.cf\r\nvirtual_mailbox_maps = proxy:pgsql:\/etc\/postfix\/pgsql\/virtual_mailbox_maps.cf\r\nvirtual_alias_maps = proxy:pgsql:\/etc\/postfix\/pgsql\/virtual_alias_maps.cf<\/pre>\n
virtual_uid_maps and virtual_gid_maps are what we use to set the user and group ids of the user that has read write access to the mailstore. Earlier we used \u201cid mailer\u201d to obtain the gid and uid and discovered that in this particular instance they were both 1001 so we can set them her<\/p>\n
virtual_uid_maps = static:1001\r\nvirtual_gid_maps = static:1001<\/pre>\n
The only other settings are<\/p>\n
virtual_minimum_uid = 8\r\ninet_protocols = ipv4<\/pre>\n
 <\/p>\n
pgsql config files<\/strong><\/p>\n
As mentioned earlier in the postfixadmin configuration section, postfix uses the postgresql database tables that are managed with postfixadmin to gather the information it needs to operate correctly. The way that it does this is by running a series of SELECT statements depending on its needs. Unfortunately these statements need to be configured manually.<\/p>\n
The first thing we need to do is create a folder to store these files in called pgsql<\/p>\n
#mkdir \/etc\/postfix\/pgsql<\/pre>\n
Once we have done that, we can create each of these files in the directory.<\/p>\n
Create \/etc\/postfix\/pgsql\/relay_domains.cf and add the following to it<\/p>\n
user = postfixro\r\npassword = changeme\r\nhosts = localhost\r\ndbname = postfix\r\nquery = SELECT domain FROM domain WHERE domain='%s' and backupmx = true<\/pre>\n
Note that this is where we use the postfixro user as we only need read only access, if we are connecting to a remote host then its fqdn will need to be put in the hosts directive. The rest of these files should not require any further explanation as it is only the SQL statement that differs.<\/p>\n
Create \/etc\/postfix\/pgsql\/virtual_alias_maps.cf<\/p>\n
user = postfixro\r\npassword = secret\r\nhosts = localhost\r\ndbname = postfix\r\nquery = SELECT goto FROM alias WHERE address='%s' AND active = true<\/pre>\n
Create \/etc\/postfix\/pgsql\/virtual_domains_maps.cf<\/p>\n
user = postfixro\r\npassword = secret\r\nhosts = localhost\r\ndbname = postfix\r\nquery = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true<\/pre>\n
Create \/etc\/postfix\/pgsql\/virtual_mailbox_limits.cf<\/p>\n
user = postfixro\r\npassword = secret\r\nhosts = localhost\r\ndbname = postfix\r\nquery = SELECT quota FROM mailbox WHERE username='%s'<\/pre>\n
Create \/etc\/postfix\/pgsql\/virtual_mailbox_maps.cf<\/p>\n
user = postfixro\r\npassword = secret\r\nhosts = localhost\r\ndbname = postfix\r\nquery = SELECT maildir FROM mailbox WHERE username='%s' AND active = true<\/pre>\n
There is no need to alter the permissions on any of the files. Once this is done you should have fully configured postfix.<\/p>\n
 <\/p>\n
Troubleshooting<\/strong><\/p>\n
#service postfix status<\/pre>\n
Use this to check the status of postfix<\/p>\n
#postconf<\/pre>\n
This checks that the configuration is valid, note that it does not check that the configuration is correct, only that it could be valid, but it is still useful to check for syntax errors. Note that postconf can be used to alter settings, but this is beyond the scope of this manual.<\/p>\n
From the man page<\/strong>: By default, the postconf(1) command displays the values of main.cf configuration parameters, and warns about possible mis-typed parameter names (Postfix 2.9 and later). It can also change main.cf configuration parameter values, or display other configuration information about the Postfix mail system.<\/p>\n
#tail \u2013f \/var\/log\/mail.log<\/pre>\n
Use this command to monitor the log file to check for errors<\/p>\n
#psql -U postfixro -d postfix\r\n\r\npostfix# SELECT * FROM mailbox<\/pre>\n
This can be used to check that your user can query the database. I had to edit pg_hba.conf to allow local access and when I tested it I could not select so had to run the following command on the database:<\/p>\n
GRANT SELECT ON ALL TABLES IN SCHEMA public TO postfixro<\/pre>\n
Reverse PTR record<\/strong><\/p>\n
If your ISP is useless then getting them to assign a reverse PTR record for your given domain is slim to 0.\u00a0 The only way around this is to find the hostname that they have assigned to your ip and use that in your postfix configuration.\u00a0 First thing to do is<\/p>\n
dig -x XXX.XXX.XXX.XXX<\/pre>\n
where xxx.xxx.xxx.xxx is your service provider’s assigned static ip address<\/p>\n
The reverse lookup should return a domain name in the answer section<\/p>\n
static-xxx-xxx-xxx-xxx.vodafonexdsl.co.uk<\/pre>\n
You will need to then edit your \/etc\/postfix\/main.cf file so that it uses this domain name for both the banner and the HELO name. To do that go ahead and open main.cf with your favourite editor and add the line:<\/p>\n
smtp_helo_name = static-xxx-xxx-xxx-xxx.vodafonexdsl.co.uk<\/pre>\n
You will also need to change the banner to match:<\/p>\n
#smtpd_banner = $myhostname ESMTP $mail_name (Debian\/GNU)\r\nsmtpd_banner = static-xxx-xxx-xxx-xxx.vodafonexdsl.co.uk<\/pre>\n
Comment out the existing line and add a new one for your isp assigned hostname.\u00a0 This does not affect how you connect to your mail server, you can carry on using whatever you used previously, it is simply a workaround for poor service from your internet service provider.<\/p>\n","protected":false},"excerpt":{"rendered":"
Installation Now that we have postfixadmin and the database set up we can install postfix. #apt-get install postfix-pgsql NOTE: At this point there is a chance that Debian has pre-empted you and automatically installed a number of packages that you do not want and that conflict with the packages that you intend to use (I […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-133","post","type-post","status-publish","format-standard","hentry","category-debian-server"],"_links":{"self":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=133"}],"version-history":[{"count":3,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/133\/revisions"}],"predecessor-version":[{"id":400,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/133\/revisions\/400"}],"wp:attachment":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}