Linux Mail Server Setup and Howto Guide » Postfix

Static DB Virtual Users in Postfix and Dovecot

consultant — Sat, 29 May 2010 05:44:44 +0000

This article describes how to use a text file or static db file as the source for user accounts in Postfix and Dovecot. This is suitable for very simple mail account requirements. For larger implementations, check out the MySQL virtual accounts or Active Directory/LDAP virtual accounts.

Create the Virtual Mail User Account

1. Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Learn how to use the User Manager application here.

2. Take note of the User ID and Home Directory of vmail.

3. Click the Groups tab and now note down the Group ID of vmail. We’ll be needing all of them later.

Configure Postfix for Virtual User Accounts

1. Edit the postfix configuration file /etc/postfix/main.cf and edit the line below

mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:501
virtual_gid_maps = static:501

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

2. Create the file /etc/postfix/vmailbox containing the mapping from an email address to a mailbox path relative to virtual_mailbox_base. See the example below.

johndoe@acme.local johndoe/Maildir/
janedoe@acme.local janedoe/Maildir/

3. Type in the command below to generate the static db that will be used for the lookup.

postmap /etc/postfix/vmailbox

4. Restart the Postfix or MailScanner service if you have installed MailScanner. Learn how to start and stop services here.

5. Try sending an email. See Test Postfix using Telnet. New mails should now be stored under the path specified in virtual_mailbox_base.

Configure Dovecot Virtual User Accounts

1. Edit the file /etc/dovecot.conf and change the value of the following keys below

passdb static {
  args = /etc/dovecot-passdb
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

Make sure comment out all the other passdb and userdb sections to avoid any conflicts.

2. Create the file /etc/dovecot-passdb containing the password of a user name. See the example below.

johndoe:{PLAIN}secret
janedoe:{HMAC-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada803dc7d8bae4ab

You can generate a hash password using the dovecotpw command.

3. Restart the dovecot service. Learn how to start and stop services here.

4. Test Dovecot using Telnet. You should be able to read the recently sent mail which was stored in a new location.

Postfix Restrict Senders or Recipients

consultant — Mon, 17 May 2010 12:52:16 +0000

This article describes how to configure Postfix to restrict mails from a sender, to a recipient, or both.

Restrict Sender

This section describes how to allow/reject a specific sender or a specific domain.

1. Edit the file /etc/postfix/main.cf and add the line below.

smtpd_sender_restrictions = 
  check_sender_access hash:/etc/postfix/sender_access

2. Create the file /etc/postfix/sender_access and review the example below.

janedoe@acme.local  REJECT
bugsbunny@acme.com  OK
acme.com            REJECT

3. Type in the command below in a terminal window to create a hash file.

postmap /etc/postfix/sender_access

4. Restart the Postfix or MailScanner service. Learn how to restart services.

Restrict Recipient

This section describes how to allow/reject a specific recipient or a specific domain.

1. Edit the file /etc/postfix/main.cf and add the line below.

smtpd_recipient_restrictions = 
  check_recipient_access hash:/etc/postfix/recipient_access,
  reject_unauth_destinations

2. Create the file /etc/postfix/recipient_access and review the example below.

janedoe@acme.local  REJECT
bugsbunny@acme.com  OK
acme.com            REJECT

3. Type in the command below in a terminal window to create a hash file.

postmap /etc/postfix/recipient_access

4. Restart the Postfix or MailScanner service. Learn how to restart services.

Restrict Sender and Recipient

This section describes how to restrict both the sender and recipient. Example usage of this is when you have a private domain which should not be allowed to send to the internet.

1. Edit the file /etc/postfix/main.cf and add the lines below.

smtpd_recipient_restrictions = 
  check_sender_access hash:/etc/postfix/sender_access,
  reject_unauth_destinations

smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, 
  reject

2. Create the file /etc/postfix/sender_access and review the example below.

acme.local  local_only

3. Create the file /etc/postfix/local_domains and review the example below.

acme.local  OK

4. Type in the command belows in a terminal window to create the hash files.

postmap /etc/postfix/sender_access
postmap /etc/postfix/local_domains

5. Restart the Postfix or MailScanner service. Learn how to restart services.

Add a Disclaimer to Outgoing Postfix Emails

consultant — Sun, 16 May 2010 10:55:14 +0000

This article describes how to use MailScanner to add a disclaimer message to outgoing mails in Postfix. Make sure MailScanner is integrated into Postfix and tested to be working.

1. Edit the file /etc/MailScanner/reports/en/inline.sig.txt and /etc/MailScanner/reports/en/inline.sig.html and replace it with your own message.

2. Edit the file /etc/MailScanner/MailScanner.conf and update the line below.

Sign Clean Messages = /etc/MailScanner/rules/signing.rules

3. Create the file /etc/MailScanner/rules/signing.rules and add the lines below.

From:      *@acme.local  yes
FromOrTo:  default       no

Replace acme.local with your own domain name.

4. Restart the MailScanner service. Learn how to restart services.

5. You should now see your disclaimer message on outbound emails.

Backup Postfix Mailbox

consultant — Sun, 09 May 2010 12:36:48 +0000

Backing up your mailboxes is a simple as copying your mailbox folder. This article describes how to backup and restore your Postfix mailboxes using the tar command.

To backup the mailbox, type the command below in a terminal window.

tar cvzf mailbox-`date +%F_%H%M`.tar.gz /home/vmail

Replace /home/vmail with the location of your own mailbox.

To restore the mailbox, type the command below in a terminal window.

tar xvzf mailbox.tar.gz -C /

Replace mailbox.tar.gz with the name of your backup file.

Ideally, the Postfix and Dovecot configurations should be documented, or better yet, maintained using a change configuration process. But you can also use the procedure above to backup the /etc directory although it is not recommended since you may restore your configuration on an updated OS.

Postfix SMTP Gateway

consultant — Sun, 02 May 2010 23:12:21 +0000

To improve security or offload services like virus and spam checking, you may want to implement an SMTP gateway. This article describes how to configure Postfix as an SMTP gateway.

DMZ Mail Server

The DMZ mail server forwards the inbound mail to the internal mail server and delivers the outbound mail.

1. Edit /etc/postfix/main.cf and update the lines below.

mydestination = 
local_recipient_maps = 
local_transport = error:local mail delivery is disabled

mynetworks = 127.0.0.0/8 192.168.1.3
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination

The first three lines above disables local delivery. Replace 192.168.1.3 with the IP address of your internal mail server.

2. Edit the file /etc/postfix/transport and add the line below.

example.com :[192.168.1.3]

Replace 192.168.1.3 with the hostname or IP address of your internal mail server.

3. Type the line command below to create a transport database file.

postmap /etc/postfix/transport

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. You should now be able to send mails to your DMZ mail server and those mails will be automatically relayed to your internal mail server. See Test Postfix using Telnet.

Internal Mail Server

The internal mail server holds the mailbox and forward all outbound mail to the DMZ mail server for delivery. Make sure you have working Postfix mail server.

1. Edit /etc/postfix/main.cf and update the lines below.

transport_maps = hash:/etc/postfix/transport

2. Edit the file /etc/postfix/transport and add the lines below.

example.com    :
.example.com   :
*              smtp:[192.168.3.2]

Replace 192.168.3.2 with the hostname or IP address of your DMZ mail server.

3. Type the line command below to create a transport database file.

postmap /etc/postfix/transport

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. Your outbound mail should now be sent the DMZ mail server. See Test Postfix using Telnet.

SMTP Gateway Notes

It is easy to setup an SMTP gateway mail server but you also need to consider the items below.

Add Antivirus and Antispam Filtering. Since the DMZ mail server is exposed on the internet, make sure it has anti-virus and anti-spam filtering.
Verify Recipient. If possible, you also need to apply the same recipient verification method you used in your internal mail server. This will allow your DMZ mail server to reject all invalid recipient address instead of having the internal mail server bounce the relayed emails with invalid recipients. Use the relay_recipient_maps setting in /etc/postfix/main.cf to specify the valid recipients.
Use IP Address. By specifying the hostname or IP address in the transport file, the DNS MX lookup can be eliminated. Specifying the IP address will be even better since this will eliminate the need for any DNS lookup.
Flush Mail Queue. You can force Postfix to immediately send all the mail in its queue by typing in the command below.
```
postfix flush
```

Prevent Sender From Spoofing Email Address

consultant — Fri, 30 Apr 2010 15:22:59 +0000

Postfix can be configured to prevent email senders from using an email address that does not belong to them. This article describes how to configure the sender restriction in Postfix to prevent senders from spoofing email addresses.

1. Make sure SMTP authentication in Postfix is working.

2. Create a Postfix map file which returns a user name given an email address. The line below is a regular expression that returns the user part from an email address. Example, bugsbunny@acme.local returns bugsbunny as the user name. If this works for you, then save it into the file /etc/postfix/sender_login.pcre

/(.*)@.*/ $1

3. Edit the file /etc/postfix/main.cf and add the lines below.

smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

If you have a different map file, specify it in the smtpd_sender_login_maps line.

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. Try sending an email using an address that does not belong to you, Postfix should reject your attempt.

Postfix and Dovecot SSL/TLS

consultant — Sun, 25 Apr 2010 17:01:32 +0000

This article describes how to configure Postfix and Dovecot to use SSL/TLS to encrypt communication. Before you begin, generate an SSL certificate.

Postfix

1. Edit the file /etc/postfix/main.cf and add the lines below.

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.acme.local.cert
smtpd_tls_key_file = /etc/pki/tls/private/mail.acme.local.key
tls_random_source = dev:/dev/urandom

Make sure smtpd_tls_cert_file and smtpd_tls_key_file refers to your own certificate and key file respectively.

2. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

3. Test Postfix using Telnet and check if 250-STARTTLS is present after the ehlo host command.

Dovecot

1. Edit the file /etc/dovecot.conf and add the lines below.

ssl_cert_file = /etc/pki/tls/certs/mail.acme.local.cert
ssl_key_file = /etc/pki/tls/private/mail.acme.local.key

Make sure ssl_cert_file and ssl_key_file refers to your own certificate and key file respectively.

2. Restart the dovecot service. Learn how to start and stop services here.

Configure Postfix to Accept All Mails

consultant — Sat, 13 Feb 2010 23:23:45 +0000

This article describes how to configure Postfix to blindly accept all emails, meaning receive email without checking the recipient. This setup is useful as a backup or archive mail destination.

Create the Virtual Mail User Account

1. Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Learn how to use the User Manager application here.

2. Take note of the User ID and Home Directory of vmail.

3. Click the Groups tab and now note down the Group ID of vmail. We’ll be needing all of them later.

Configuring Postfix and Dovecot

1. Edit the file /etc/postfix/main.cf and add the lines below.

virtual_transport = dovecot
virtual_mailbox_domains = $mydomain

2. Edit the file /etc/dovecot.conf and add the lines below.

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%u allow_all_users=yes
}

socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0600
    user = vmail
    group = vmail
  }
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

Comment out all the other passdb and userdb sections except for those specified above to ensure that nothing will conflict with our virtual accounts setting.

3. Restart the Postfix or MailScanner service if you have installed it. Do the same for Dovecot. Learn how to start and stop services here.

If you encounter any problems, check the log file at /var/log/maillog.

Backup Incoming Mail in Postfix

consultant — Sun, 13 Dec 2009 03:59:27 +0000

This article will show you how to copy incoming mail to another mail server using the blind carbon copy (BCC) feature in Postfix. This capability is useful for backup, archive or disaster recovery purposes.

1. Edit the file /etc/postfix/main.cf and add the lines below.

recipient_bcc_maps = pcre:/etc/postfix/backup_bcc.pcre
transport_maps = hash:/etc/postfix/transport
smtp_generic_maps = pcre:/etc/postfix/generic.pcre

2. Create the file /etc/postfix/backup_bcc.pcre containing

/^(.*)@acme\.local$/ $1@backup.invalid

which tells Postfix to BCC emails to the domain backup.invalid.

Email for	BCC to
johndoe@acme.local	johndoe@backup.invalid
janedoe@acme.local	janedoe@backup.invalid

3. Edit the file /etc/postfix/transport and add the line below.

backup.invalid smtp:[192.168.1.4]

Replace the IP address with the IP address of your backup mail server.

Next, type in the command below to convert it to a database file.

postmap /etc/postfix/transport

This tells Postfix to send all emails for the domain backup.invalid to the specified mail server.

4. Create the file /etc/postfix/generic.pcre containing

/^(.*)@backup\.invalid$/ $1@acme.local

which tells Postfix to change the email address back to the original recipient before sending it out.

BCC to	Email for
johndoe@backup.invalid	johndoe@acme.local
janedoe@backup.invalid	janedoe@acme.local

5. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

The destination Postfix server can be configured to accept emails without validating the recipient.

If you encounter any problems, check the log file at /var/log/maillog.

Postfix Backup MX

consultant — Sat, 14 Nov 2009 15:42:49 +0000

Postfix can be configured to act as a backup mail server. A backup MX server accepts mail if the primary mail server goes down and will forward all mails in its queue if the primary mail server goes back online.

This article describes how to configure Postfix to act as a backup MX server.

Configuring Postfix

1. Edit the file /etc/postfix/main.cf and update the lines below.

mynetworks = 127.0.0.0/8
relay_domains = example.com
smtpd_recipient_restrictions = permit_mynetworks, 
    reject_unauth_destination
transport_maps = hash:/etc/postfix/transport

2. Edit the file /etc/postfix/transport and add the line below.

example.com :[192.168.1.3]

Replace 192.168.1.3 with the hostname or IP address of your primary mail server.

3. Type the line command below to create a transport database file.

postmap /etc/postfix/transport

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. You should now be able to send mails to your backup mail server and those mails will be automatically forwarded to your primary mail server. See Test Postfix using Telnet.

Backup MX Notes

It is easy to setup a backup mail server but you also need to consider the items below.

Add DNS MX Record. In order for your backup mail server to be identified over the internet, you need to add a lower priority DNS MX record. A higher number means lower priority.

Domain TTL Priority Mail Server Name

acme.local 86400 10 mail.acme.local

acme.local 86400 20 mail2.acme.local
Add Antivirus and Antispam Filtering. Make sure to have the same or better virus and spam protection in your backup mail server as you have in your primary mail server. Otherwise, viruses and spams will be entering your inbox through the backdoor.
Verify Recipient. If possible, you also need to apply the same recipient verification method you used in your primary mail server. This will allow your backup mail server to reject all invalid recipient address instead of having the primary mail server bounce the forwarded emails with invalid recipients. Use the relay_recipient_maps setting in /etc/postfix/main.cf to specify the valid recipients.
Relay Only. In your /etc/postfix/main.cf, make sure the relay domain is not found in mydestination, virtual_alias_domains and virtual_mailbox_domains. Otherwise, the backup mail server will not forward emails to the primary mail server and will instead store it into its own mailbox.
Use IP Address. By specifying the hostname or IP address in the transport file, the DNS MX lookup can be eliminated. Specifying the IP address will be even better since this will eliminate the need for any DNS lookup. It will also avoid relay loopback problems if you are using port forwarding in your backup mail server.
Flush Mail Queue. You can force Postfix to immediately send all the mail in its queue by typing in the command below. This useful after bringing the primary mail server back online to eliminate the waiting period for the backup mail server to resend mails in its queue.
```
postfix flush
```

Domain	TTL	Priority	Mail Server Name
acme.local	86400	10	mail.acme.local
acme.local	86400	20	mail2.acme.local