Postfix TLS SASL SPF
From: https://wiki.debian.org/Postfix
Postfix
Postfix is a secure Mail Transfer Agent (MTA).
Installing and Configuring Postfix on Debian
- Install postfix (this removes exim, since two mail systems cannot run side by side). If the configuration prompts ask for a mail configuration type and you have a website, choose "Internet Site":
apt install postfix
- Check the logs (/var/log/mail.log, mail.err, mail.info, mail.warn) to see whether postfix is running:
cat /var/log/mail.log
- You may call the dpkg reconfiguration assistant if you missed some
configuration steps during package installation:
dpkg-reconfigure postfix
- Review /etc/postfix/main.cf together with the Postfix "Basic configuration" README to make sure the main variables are set according to your needs.
- Reload Postfix Server:
postfix reload
Test the mailserver
- Type:
telnet localhost 25
- You should see:
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
- Send an email to yourself:
mail from:
rcpt to:
data
To: user@example.com
From: you@youremail.com
Subject: Hey my first email
This is my first email on debian postfix after installing configuring it.
It was easy.
- To end data hit enter, type in a dot, and hit enter again:
.
- Then:
quit
- You're done. Type "mail" in a terminal to see whether the message arrived.
Some useful commands
mailq # list the mail queue
qshape # show the domain and age distribution of queued mail
qshape deferred # the same for the deferred queue only
postsuper # queue maintenance (hold, release, delete, requeue)
postsuper -r ALL # requeue all emails
Router, firewall and domain configuration
- If you have a router with a firewall, open port 25 and forward it to your computer.
- Some ISPs block port 25 and may require specific steps before you can send or receive mail. See Postfix and sbcglobal/yahoo/att below.
- Enter your MX records at your domain provider. Without an MX record, other mail servers cannot find your server when sending you email.
- Check your MX records:
host -t MX yourdomain.tld
- And their A records:
host -t A mx1.yourdomain.tld
anti-spam: smtp restrictions
- The first fight starts at your own server, so this should be added to any email server you set up. It makes sure that any computer that tries to send you email presents a valid domain name (spammers use e.g. "myhomepc" as a domain name; this stops them from spamming you).
- Insert this in your /etc/postfix/main.cf (the continuation lines must start with whitespace, otherwise postfix reads each of them as a new parameter and fails):
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
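To make the evaluation order of the two restriction lists above concrete, here is a small emulation (an added example, not code from the Debian wiki or from Postfix): each restriction returns a verdict or falls through to the next one, which is how Postfix walks a restriction list. The DNS and RBL answers are replaced by constructed sets, and the hostname check is a simplified approximation of Postfix's own.

```python
import re

# Constructed stand-in data (assumption): these sets replace the DNS and RBL
# lookups the real restrictions perform, so the emulation runs offline.
MYDESTINATION = {"example.com", "localhost"}
RELAY_DOMAINS = {"lists.example.com"}
RESOLVABLE = MYDESTINATION | RELAY_DOMAINS | {"gmail.com"}
RBL_LISTED = {"198.51.100.7"}   # pretend sbl.spamhaus.org lists this client address

LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def valid_hostname(name):
    """Simplified syntax check: non-empty, dot-separated RFC-style labels."""
    labels = name.split(".")
    return 0 < len(name) <= 255 and all(len(l) <= 63 and LABEL.match(l) for l in labels)

# Each restriction returns "reject" or "permit", or None for "dunno"
# (no opinion, so evaluation continues with the next restriction in the list).
def reject_invalid_hostname(s):
    return None if valid_hostname(s["helo"]) else "reject"
def reject_non_fqdn_helo_hostname(s):
    return None if "." in s["helo"] and valid_hostname(s["helo"]) else "reject"
def reject_unknown_recipient_domain(s):
    return None if s["rcpt"].rpartition("@")[2] in RESOLVABLE else "reject"
def reject_unauth_destination(s):            # the check that stops open relaying
    domain = s["rcpt"].rpartition("@")[2]
    return None if domain in MYDESTINATION or domain in RELAY_DOMAINS else "reject"
def reject_rbl_client(s):
    return "reject" if s["client_ip"] in RBL_LISTED else None
def permit(s):
    return "permit"

HELO_RESTRICTIONS = [reject_invalid_hostname, reject_non_fqdn_helo_hostname]
RECIPIENT_RESTRICTIONS = [reject_invalid_hostname, reject_unknown_recipient_domain,
                          reject_unauth_destination, reject_rbl_client, permit]

def evaluate(session, restrictions):
    """First-match evaluation as in Postfix: the first restriction that returns a
    verdict wins; a list that ends without a verdict defaults to permit."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict, restriction.__name__
    return "permit", "end-of-list"

if __name__ == "__main__":
    relay_attempt = {"client_ip": "203.0.113.9", "helo": "mail.sender.example",
                     "rcpt": "victim@gmail.com"}
    print(evaluate(relay_attempt, RECIPIENT_RESTRICTIONS))  # rejected: not our destination
```

Note that the list above has no permit_mynetworks or permit_sasl_authenticated ahead of reject_unauth_destination, so trusted clients relaying outbound mail through this server would be refused as well; add those entries before it if such relaying is needed.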
anti-spam: Using RBL Lists
- An RBL (real-time blackhole list) is a DNS-based list that says whether a sending host is a known spam source. Insert this in your /etc/postfix/main.cf:
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
See what RBLs are about and how to avoid such blacklists: http://www.us.sorbs.net/mailsystems/postfix.shtml for Postfix before 2.3 and http://www.sorbs.net/mailsystems/postfix-2.3.shtml for 2.3 and later.
authenticated mail delivery
This subsection describes how to configure postfix to send authenticated email using the DKIM standard.
- See opendkim to configure DKIM.
ToDo: document SPF and DMARC.
Forward Emails
- Forwarding email is done through the alias file /etc/aliases.
- Run this command to add alias maps:
postconf -e "alias_maps = hash:/etc/aliases"
- You can now add your user to /etc/aliases like this:
root: lucas
- You can forward your emails to a different email address
lucas: myemail@example.com
- Or you could forward your email while still getting a copy in your local mailbox
lucas: lucas myemail@example.com
- When you are done adding aliases, run this command, which builds the lookup database (/etc/aliases.db) from the file:
newaliases
- Reload postfix
service postfix reload
Virtual Emails
- If you want virtual addresses such as abuse or postmaster, do the following.
- Run this command to add virtual alias maps:
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"
- Create a /etc/postfix/virtual file
vi /etc/postfix/virtual
- And add your virtual emails
postmaster info@example.com
abuse info@example.com
someemail lucas
- Create a database like file out of it
postmap /etc/postfix/virtual
- Reload postfix
service postfix reload
Maildir
- Maildir format stores each email in a separate file. It has a few advantages over the mbox format (one file per message, several applications can read the mailbox at the same time, etc.).
- To switch your mailbox to Maildir format, issue these commands:
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="
- You are done. Now your mail goes to Maildir format.
Mutt
- To read your new Maildir mailbox with mutt, you have to tell mutt to use that format as well. Edit this file:
vi /etc/Muttrc
- Add these lines to the bottom of the file:
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"
- Now start mutt and send an email to yourself to see if it all works.
Postfix and mailing lists
Mailman with Postfix
(!) The instructions below are WRONG! You should not use postfix-to-mailman.py and aliases at the same time. Please read /etc/mailman/postfix-to-mailman.py instead.
- Install mailman:
apt install mailman
- When done type:
newlist mailman
- Start mailman
/etc/init.d/mailman start
- You should be able to see mailman running now. Visit:
http://www.yourwebsite.com/cgi-bin/mailman/admin or
http://localhost/cgi-bin/mailman/admin
- Because postfix is not Debian's default MTA, some additional settings are needed:
- Edit /etc/postfix/main.cf; where you see "relay_domains", add lists.yourdomain.com. You get something like this:
relay_domains = example.com, lists.example.com
- In the same file, add hash:/var/lib/mailman/data/aliases after alias_maps:
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
- Now type:
postconf -e "transport_maps = hash:/etc/postfix/transport"
postconf -e "mailman_destination_recipient_limit = 1"
- In /etc/postfix/master.cf add (the two continuation lines must be indented):
mailman unix - n n - - pipe
  flags=FR user=list
  argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
- Edit or create /etc/postfix/transport. Add this line:
lists.example.com mailman:
- Then postmap it:
postmap /etc/postfix/transport
- Now edit /etc/mailman/mm_cfg.py and add:
MTA = 'Postfix'
DEB_LISTMASTER = 'postmaster@example.com'
POSTFIX_STYLE_VIRTUAL_DOMAIN = ['lists.example.com']
- Done. Now reload postfix and restart mailman:
/etc/init.d/postfix reload
/etc/init.d/mailman restart
- Create a mailing list:
newlist list_name
- If you want archives add this to /etc/apache2/apache2.conf
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
Then you need to reload apache:
/etc/init.d/apache2 reload
- Done. Go to
http://lists.yourwebsite.com/cgi-bin/mailman/listinfo/list_name/
Mailman Troubleshooting
Connection refused
If your postfix is running and listening on localhost, another possible cause is that postfix is not configured for IPv6, while your /etc/hosts file maps localhost to ::1. Mailman then tries to send mail to ::1, where no postfix is listening, which results in a (111, 'connection refused') error.
Postfix and TLS/SSL
Adding TLS/SSL
There are three options for transferring data to Postfix (smtpd):
- Do not use TLS/SSL at all (only unencrypted connections are available).
- Use TLS/SSL if possible, and fall back to unencrypted connections otherwise.
- Only allow TLS/SSL (unencrypted connections are not available).
The second option (opportunistic STARTTLS) is recommended for general-purpose mail servers. It provides a sort of "compatibility mode": encrypted transfer is enabled but not enforced.
STARTTLS connections start unencrypted on the regular smtp port 25. If both sides agree, the rest of the data transfer is encrypted, still on port 25.
Pure TLS/SSL uses its own port, usually smtps (465). See below.
Postfix version 2.3 and later use the parameter smtpd_tls_security_level to control TLS encryption (valid values are none, may or encrypt).
Previously two parameters (smtpd_use_tls and smtpd_enforce_tls) were used.
They can be unset. See also the Debian bug report 520936.
With the following commands TLS is enforced (mandatory TLS instead of the opportunistic mode above) and the old configuration parameters are removed from main.cf so that their defaults apply again (postconf -X exists from Postfix 2.10 on; on older versions delete the two lines from main.cf by hand, since postconf -e needs a name=value pair):
~# postconf -e smtpd_tls_security_level=encrypt
~# postconf -X smtpd_use_tls
~# postconf -X smtpd_enforce_tls
Be aware that enforcing TLS on port 25 of a public MX refuses mail from senders that do not support STARTTLS; for that port the "may" level is the usual choice, and "encrypt" belongs on the submission ports described below.
Alternate TLS/SSL Ports
You may want to support the smtps and/or submission ports (see /etc/services) so that mobile/remote users on networks that block, filter or poorly proxy SMTP (port 25) traffic can still send mail through your server. Since these ports are not used for MTA-to-MTA traffic, you can enforce extra restrictions on them, such as requiring SSL/TLS.
We do this by modifying the file /etc/postfix/master.cf to run additional
smtpd services with special parameters on dedicated ports.
Submission
The submission port (587), covered in RFC 2476, is reserved for mail user agents (MUAs) and mail submission agents (MSAs) to send email to a mail transfer agent (MTA).
To enable an additional service, edit the file /etc/postfix/master.cf. In this example we disallow ETRN, require TLS and enable SASL authentication on the submission port (on Postfix 2.3 and later, -o smtpd_tls_security_level=encrypt is the current equivalent of smtpd_enforce_tls=yes). The -o lines must be indented so that they continue the service entry:
submission inet n - - - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
SMTPS
The smtps (or ssmtp) port (465) is the equivalent of https. The secure layer
is expected from the get-go and not an optional negotiated parameter after
connecting.
Whether the port is named smtps or ssmtp depends on the contents of your
/etc/services file. On Debian both names seem to be defined. The output of
netstat -tl shows ssmtp.
To enable an additional service, edit the file /etc/postfix/master.cf. On Debian there is already a prepared entry for smtps, but it is commented out. Remove the "#" characters to enable it:
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Connections from Fetchmail to Postfix
Fetchmail does not seem to be able to set up a TLS connection to Postfix. (Not to be confused with fetchmail's ability to fetch mail over TLS connections.)
If Postfix is configured to only accept TLS connections
(smtpd_tls_security_level=encrypt) fetchmail will fail with an error like
"Must issue a STARTTLS command first".
One way out is to provide an unencrypted smtp service. Of course, this service should be reachable only by a local fetchmail process.
Edit /etc/postfix/master.cf and add (the -o line must be indented):
127.0.0.1:40025 inet n - - - - smtpd
  -o smtpd_tls_security_level=none
This adds an additional smtp service listening on port 40025 with TLS disabled, but accepting local connections only.
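A quick audit of the master.cf entries discussed in this section (the submission and smtps services and the loopback-only plaintext listener for fetchmail), as an added example that is not the wiki's or Postfix's own code: it parses service entries with their -o overrides and flags smtpd listeners that accept SASL logins without enforced TLS or run plaintext-only on a non-loopback address. It consults only the per-service overrides, not main.cf defaults, and the sample file is constructed.

```python
import re

# Constructed sample master.cf (assumption); the last entry is deliberately weak.
SAMPLE_MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:40025 inet n  -       -       -       -       smtpd
  -o smtpd_tls_security_level=none
0.0.0.0:2525 inet n     -       -       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Return {service: {"type", "command", "opts"}}; indented lines continue an entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                       # new service entry
            f = line.split()
            current, services[f[0]] = f[0], {"type": f[1], "command": f[7], "opts": {}}
        elif (m := re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)) and current:
            services[current]["opts"][m.group(1)] = m.group(2)   # per-service override
    return services

def tls_enforced(opts):
    return (opts.get("smtpd_tls_security_level") == "encrypt"
            or opts.get("smtpd_enforce_tls") == "yes"
            or opts.get("smtpd_tls_wrappermode") == "yes")

def audit(services):
    """Flag smtpd listeners whose -o overrides weaken transport security (main.cf not consulted)."""
    findings = []
    for name, svc in services.items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        o, loopback = svc["opts"], name.startswith(("127.0.0.1:", "[::1]:", "localhost:"))
        if name in ("submission", "smtps") and not tls_enforced(o):
            findings.append(f"{name}: TLS not enforced on a mail submission port")
        if o.get("smtpd_sasl_auth_enable") == "yes" and not tls_enforced(o):
            findings.append(f"{name}: SASL login allowed without enforced TLS")
        if o.get("smtpd_tls_security_level") == "none" and not loopback:
            findings.append(f"{name}: plaintext-only smtpd on a non-loopback address")
    return findings
```

Run it against your own file with audit(parse_master_cf(open("/etc/postfix/master.cf").read())); an empty list means none of the three rules fired.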
Fetchmail has to be configured accordingly via the option smtphost. Edit /etc/fetchmailrc:
# Server options
poll ...
# User options
user a ...
smtphost 127.0.0.1/40025
user b ...
smtphost 127.0.0.1/40025
The smtphost option is a so-called "user option". It must be added to every user section.
Alternatively, fetchmail can be instructed to use an external TLS-capable program to forward mail. This is not covered here, and if fetchmail and Postfix run on the same machine it does not make much sense anyway.
Sending With SSL
With the following commands Postfix is configured to use TLS (opportunistically) when sending mail. The parameter and value must be quoted, otherwise the shell passes them to postconf as three separate arguments and the command fails:
~# postconf -e "smtp_tls_security_level = may"
~# postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
Advanced options
SPF and multiple external ip addresses
Explanation
I have some systems that are networked on an internal private ip address
subnet (192.168.0.0/16). For a few reasons I email reports and such to
@mail.internal where user is an address that is not valid for receiving
mail via the external interfaces. These systems also share a public ip
address subnet so they could email each other that way, but I'd prefer they
didn't for local addresses. I have published SPF records for the public mail
servers because all of our mail routes through those servers so if others
care to check they can ignore email claiming to be from us but being
delivered from other servers as per our SPF record.
Recently I have expanded the ip addresses these systems are using externally
to support multiple instances of port-based services like https (adding
:oddport doesn't impress the customers.) I could have expanded or added more
liberal SPF record values, or added more forward and reverse DNS records but
I wanted to stick with fewer ip addresses.
So to recap my system has:
By using the settings in /etc/postfix/master.cf, /etc/postfix/main.cf and
/etc/postfix/transport as outlined above I was able to get my outgoing smtp
traffic to use my SPF published ip address once again.
Make SPF and multiple external ip addresses
If you are trying to implement SPF records while binding to one external ip address and still working with dual-homed, multiply ip-aliased systems, or have any other reason to support multi-homed systems with multiple ip addresses but want to limit postfix to using only two of them, try this.
- Clone the smtp (not smtpd) service. Set the first one to bind to the external (SPF-published) address; rename the second to smtpinternal and bind it to the internal address (the -o lines must be indented):
smtp unix - - - - - smtp
  -o smtp_bind_address=
smtpinternal unix - - - - - smtp
  -o smtp_bind_address=
/etc/postfix/main.cf
- Use transport_maps for routing
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport
- Map a transport for your internal domain.
.internal smtpinternal:
Just postmap /etc/postfix/transport, then invoke-rc.d postfix stop and invoke-rc.d postfix start, and you should be in business. Email to @.internal will be delivered via the internal interface/ip address; all other email will be delivered via the default methods, which means internet mail will go out via the SPF-published ip address.
Optional:
- /etc/postfix/main.cf
inet_interfaces = 127.0.0.1, ,
Postfix and Sasl
- SMTP server : SASL authentication in the Postfix SMTP server
- SMTP client : SASL authentication in the Postfix SMTP client
See also
Please see Postfix/Tutorials