Postfix
postfix(1) is an SMTP mail transfer agent.
Installation
Most Linux and BSD distributions offer a postfix package.
For systemd-capable systems, start and enable postfix.service.
For BSD distributions, try:
postfix start
Containers
postfix(1) is a control command that starts the mail system in the background, rather than a binary that runs in the foreground the way a container's main process is expected to. However, a start-fg subcommand was added in version 3.3.
Consider the following Dockerfile as a template.
FROM alpine:latest
RUN apk add --no-cache postfix
EXPOSE 25
CMD ["postfix", "start-fg"]
To publish this service on an interface like 10.0.0.1, try:
sudo docker build --tag postfix .
sudo docker run --detach --name my-postfix \
    --restart=always \
    --publish 10.0.0.1:25:25 \
    postfix
Usage
Use a connection string like smtp+insecure+none://example.com:25.
Configuration
Before trying to configure Postfix, ensure that you understand the design of Postfix.
See also encryption and authentication.
Receiving Mail
Set myhostname and mydomain to the machine's fully-qualified host name and its domain. Set mynetworks to the set of all 'trusted' client networks. Set mydestination to the set of all domains that should be considered 'local'.
myhostname = www1.example.com
mydomain = example.com
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
mydestination = $myhostname $mydomain www.$mydomain localhost localhost.localdomain
By default, mail is only accepted:
- from clients in trusted networks ($mynetworks)
- from clients that authenticated with SASL
- for remote addresses matching $relay_domains
- for local addresses found in $mydestination (defaulting to $myhostname, localhost.$mydomain, and localhost)
To adjust restrictions, try configuring smtpd_relay_restrictions or (the older and less-preferred method) smtpd_recipient_restrictions.
Local Delivery
For local addresses, the local part is extracted and casefolded to lowercase. This will be used to attempt delivery.
Mail is delivered to a user-specific mailbox file under mail_spool_directory, e.g. /var/spool/mail/root. (Alternatively, mail can be delivered into users' home directories via home_mailbox.) The following manipulations are made to locally-delivered mail:
- prepend a "From SENDER DATETIME" envelope header
- prepend an X-Original-To: header
- prepend a Delivered-To: header
- prepend a Return-Path: header
- prepend a > character to lines beginning with "From " (so a body line cannot be mistaken for the start of the next message)
- append an empty line
Also, the mailbox is locked while delivery is in progress; if an error occurs, the mailbox is truncated to its original length. Delivery is executed with the permissions of the recipient.
Custom Delivery
A custom delivery command can be provided with mailbox_command_maps or mailbox_command.
In most cases, the command is executed with the recipient's permissions. If the recipient is root, a custom delivery command is executed with default_privs.
Qmail
For qmail-style mailboxes, the value of mail_spool_directory or home_mailbox must end in a forward slash (/).
home_mailbox = Maildir/
The following manipulations are made to locally-delivered qmail-style mail:
- prepend a Delivered-To: header
- prepend an X-Original-To: header
- prepend a Return-Path: header
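The two delivery styles described above (mbox spool file, then qmail-style Maildir), emulated in Python as an added example; this is not code from the page or from the Postfix local(8) delivery agent. The sample message and delivery parameters are constructed, and the trace headers are written in the order Postfix emits them (Return-Path, X-Original-To, Delivered-To). The body deliberately contains a line starting with "From " to show what the > escaping protects against.

```python
# Added example (not from the page or from the Postfix project): emulate
# the manipulations the page lists for local(8) delivery, once for an
# mbox spool file and once for a qmail-style Maildir message.
from datetime import datetime

# Constructed sample message as it would leave the queue; the body
# deliberately contains a line that begins with "From ".
SAMPLE_MESSAGE = (
    "Subject: status report\n"
    "To: alice@example.com\n"
    "\n"
    "From the ops team:\n"
    "all systems nominal\n"
)
# Constructed delivery parameters: envelope sender, recipient as given
# to Postfix, final recipient, and delivery time.
SAMPLE_SENDER = "bob@example.net"
SAMPLE_ORIGINAL_RCPT = "alice"
SAMPLE_FINAL_RCPT = "alice@www1.example.com"
SAMPLE_WHEN = datetime(2024, 3, 5, 10, 0, 0)


def trace_headers(sender, original_rcpt, final_rcpt):
    """Trace headers common to both delivery styles, in the order Postfix
    writes them: Return-Path, X-Original-To, Delivered-To."""
    return (
        f"Return-Path: <{sender}>\n"
        f"X-Original-To: {original_rcpt}\n"
        f"Delivered-To: {final_rcpt}\n"
    )


def format_mbox_record(message, sender, original_rcpt, final_rcpt, when):
    """Build one mbox record: 'From SENDER DATETIME' envelope line, trace
    headers, '>'-escaped 'From ' lines, and a trailing empty line."""
    envelope = f"From {sender} {when.ctime()}\n"
    content = trace_headers(sender, original_rcpt, final_rcpt) + message
    # Escape lines that would otherwise look like the next envelope line.
    escaped = "\n".join(
        ">" + line if line.startswith("From ") else line
        for line in content.split("\n")
    )
    if not escaped.endswith("\n"):
        escaped += "\n"
    return envelope + escaped + "\n"


def format_maildir_message(message, sender, original_rcpt, final_rcpt):
    """Maildir delivery: only the trace headers are prepended; there is no
    envelope line, no escaping and no trailing empty line."""
    return trace_headers(sender, original_rcpt, final_rcpt) + message


def count_mbox_messages(spool):
    """Count messages in an mbox file by its 'From ' separator lines. An
    unescaped body line starting with 'From ' would split one message
    into two, which is the forgery the escaping prevents."""
    return sum(1 for line in spool.split("\n") if line.startswith("From "))


if __name__ == "__main__":
    record = format_mbox_record(SAMPLE_MESSAGE, SAMPLE_SENDER,
                                SAMPLE_ORIGINAL_RCPT, SAMPLE_FINAL_RCPT,
                                SAMPLE_WHEN)
    print(record)
    print("messages in spool:", count_mbox_messages(record))
```

count_mbox_messages is the check worth keeping in mind when reading mbox files with other tools: anything that parses the spool by "From " lines depends on every writer having escaped body lines the same way.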
Forwarding
When attempting delivery, forward_path is scanned for a forward(5) file (e.g. ~/.forward). Such a file looks like:
[email protected]          # anything after # is ignored
"|/path/to/examplemda"
Forwarded mail is sent as a new message with the Delivered-To: header, to prevent loops.
Note that the second line is only allowable if allow_mail_to_commands is set to:
allow_mail_to_commands = alias,forward,include
The default alias,forward disallows custom commands.
Routing
To route mail based on the recipient domain, try:
transport_maps = lmdb:/etc/postfix/transport
A transport(5) file (e.g. /etc/postfix/transport) looks like:
admin@localhost         relay:[smtp.gmail.com]:587
service1.example.com    lmtp:unix:/path/to/service.sock
example.com             lmtp:0.0.0.0:24
.example.com            lmtp:0.0.0.0:24
localhost               local
.localdomain            local
*                       relay:[smtp.gmail.com]:587
The first part of each line is a pattern. The second part is an instruction:
- a local instruction expands to the local_transport setting, which itself defaults to local:$myhostname
- an lmtp instruction forwards mail to an LMTP server
- an smtp instruction forwards mail to an SMTP server
- a relay instruction causes mail to be relayed
Bracketing an address prevents an MX record lookup; only the A record is looked up and used as-is. If even the A record lookup should be skipped (e.g. for a name defined in the hosts file), additionally specify smtp_dns_support_level = disabled.
Domains prefixed with a dot (.) are a pattern for all subdomains. The example above captures localhost and *.localdomain for local delivery.
The asterisk (*) domain is a fallback route, used only if nothing else matches.
The matching happens in the hierarchical order shown above: by full address, then by full domain part, then by subdomain part, and finally the fallback.
Run postmap /etc/postfix/transport and a hashed file will be produced. If your postmap(1) does not use LMDB, replace lmdb: with whatever map type was actually produced.
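The lookup order described above, carried out against the page's transport table, as an added example; this is not Postfix's own lookup code (transport(5) also tries a user+extension@domain key first, which the page does not mention and this example leaves out). The table text is constructed from the page's sample, and parent domains are tried with a leading dot, one label shorter at a time, which is how the .example.com entry comes to match mail.service1.example.com.

```python
# Added example (not from the page or from Postfix): resolve a recipient
# against a transport(5) table in the order the page describes: full
# address, then the domain, then parent domains with a leading dot, and
# finally the "*" fallback.

# Constructed table, matching the page's /etc/postfix/transport sample.
TRANSPORT_TABLE = """
admin@localhost         relay:[smtp.gmail.com]:587
service1.example.com    lmtp:unix:/path/to/service.sock
example.com             lmtp:0.0.0.0:24
.example.com            lmtp:0.0.0.0:24
localhost               local
.localdomain            local
*                       relay:[smtp.gmail.com]:587
"""

# The page gives this as the default value of local_transport.
LOCAL_TRANSPORT = "local:$myhostname"


def parse_transport(text):
    """Parse 'pattern instruction' lines into a dict; '#' starts a comment.
    Patterns are lower-cased because the lookup keys are too."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pattern = parts[0].lower()
        instruction = parts[1].strip() if len(parts) > 1 else ""
        table[pattern] = instruction
    return table


def lookup_keys(recipient):
    """Keys tried, in order, for one recipient address."""
    local_part, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    keys = []
    if local_part:
        keys.append(f"{local_part.lower()}@{domain}")   # full address
    keys.append(domain)                                 # full domain part
    labels = domain.split(".")
    for i in range(1, len(labels)):                     # .parent, .grandparent, ...
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")                                    # fallback
    return keys


def route(recipient, table, local_transport=LOCAL_TRANSPORT):
    """Return (matched_pattern, resolved_instruction); (None, None) if the
    table has no fallback and nothing matches. A bare 'local' instruction
    expands to the local_transport setting, as the page describes."""
    for key in lookup_keys(recipient):
        if key in table:
            instruction = table[key]
            if instruction == "local":
                instruction = local_transport
            return key, instruction
    return None, None


if __name__ == "__main__":
    table = parse_transport(TRANSPORT_TABLE)
    for rcpt in ["admin@localhost", "root@localhost", "bob@host.localdomain",
                 "x@mail.service1.example.com", "nobody@other.org"]:
        print(f"{rcpt:32} -> {route(rcpt, table)}")
```

Because the "*" entry catches every recipient that nothing else matched, it is worth tracing a few addresses through the table like this before loading it: a fallback that resolves to an authenticated relay means any typo in a domain pattern silently sends that domain's mail out through the relay instead of to the intended service.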
Address Rewriting
See the Postfix/Rewriting page.
Posting Mail
master(8) expects mail posted locally to use $myhostname as the sender's domain. To override this, set myorigin.
myorigin = $mydomain
Administration
Testing the service
Install mailx and send an empty email.
To test mail relay to external hosts, try:
mail -s 'Test Email' '[email protected]' </dev/null
Alternatively, try using telnet.
Reviewing the queue
Two useful administrative utilities exist for reviewing the mail queue: postqueue(1) and postcat(1).
To view the mail queue, try:
postqueue -p
This will display the queued messages, the senders and recipients, and a mail ID.
To force all queued mail to be sent now, run:
postqueue -f
To instead force a single message to be sent now, run:
postqueue -i MAILID
To instead inspect a message in the queue, try:
postcat -vq MAILID