Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

PPoossttffiixx SSmmaallll//HHoommee OOffffiiccee HHiinnttss aanndd TTiippss

-------------------------------------------------------------------------------

OOvveerrvviieeww

This document combines hints and tips for "small office/home office"
applications into one document so that they are easier to find. The text
describes the mail sending side only. If your machine does not receive mail
directly (i.e. it does not have its own Internet domain name and its own fixed
IP address), then you will need a solution such as "fetchmail", which is
outside the scope of the Postfix documentation.

  * Selected topics from the STANDARD_CONFIGURATION_README document:

      o Postfix on a stand-alone Internet host
      o Postfix on hosts without a real Internet hostname

    Selected topics from the SASL_README document:

      o Enabling SASL authentication in the Postfix SMTP client
      o Configuring Sender-Dependent SASL authentication

See the SASL_README and STANDARD_CONFIGURATION_README documents for further
information on these topics.

PPoossttffiixx oonn aa ssttaanndd--aalloonnee IInntteerrnneett hhoosstt

Postfix should work out of the box without change on a stand-alone machine that
has direct Internet access. At least, that is how Postfix installs when you
download the Postfix source code via http://www.postfix.org/.

You can use the command "ppoossttccoonnff --nn" to find out what settings are overruled
by your main.cf. Besides a few pathname settings, few parameters should be set
on a stand-alone box, beyond what is covered in the BASIC_CONFIGURATION_README
document:

    /etc/postfix/main.cf:
        # Optional: send mail as user@domainname instead of user@hostname.
        #myorigin = $mydomain

        # Optional: specify NAT/proxy external address.
        #proxy_interfaces = 1.2.3.4

        # Alternative 1: don't relay mail from other hosts.
        mynetworks_style = host
        relay_domains =

        # Alternative 2: relay mail from local clients only.
        # mynetworks = 192.168.1.0/28
        # relay_domains =

See also the section "Postfix on hosts without a real Internet hostname" if
this is applicable to your configuration.

PPoossttffiixx oonn hhoossttss wwiitthhoouutt aa rreeaall IInntteerrnneett hhoossttnnaammee

This section is for hosts that don't have their own Internet hostname.
Typically these are systems that get a dynamic IP address via DHCP or via
dialup. Postfix will let you send and receive mail just fine between accounts
on a machine with a fantasy name. However, you cannot use a fantasy hostname in
your email address when sending mail into the Internet, because no-one would be
able to reply to your mail. In fact, more and more sites refuse mail addresses
with non-existent domain names.

Note: the following information is Postfix version dependent. To find out what
Postfix version you have, execute the command "ppoossttccoonnff mmaaiill__vveerrssiioonn".

SSoolluuttiioonn 11:: PPoossttffiixx vveerrssiioonn 22..22 aanndd llaatteerr

Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email
addresses by valid Internet addresses. This mapping happens ONLY when mail
leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration. You need to combine
this with basic configuration information as discussed the first half of this
document.

    1 /etc/postfix/main.cf:
    2     smtp_generic_maps = hash:/etc/postfix/generic
    3
    4 /etc/postfix/generic:
    5     his@localdomain.local             hisaccount@hisisp.example
    6     her@localdomain.local             heraccount@herisp.example
    7     @localdomain.local                hisaccount+local@hisisp.example

When mail is sent to a remote host via SMTP:

  * Line 5 replaces his@localdomain.local by his ISP mail address,

  * Line 6 replaces her@localdomain.local by her ISP mail address, and

  * Line 7 replaces other local addresses by his ISP account, with an address
    extension of +local (this example assumes that the ISP supports "+" style
    address extensions).

Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".

Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ggeenneerriicc" whenever you change the
generic table.

SSoolluuttiioonn 22:: PPoossttffiixx vveerrssiioonn 22..11 aanndd eeaarrlliieerr

The solution with older Postfix systems is to use valid Internet addresses
where possible, and to let Postfix map valid Internet addresses to local
fantasy addresses. With this, you can send mail to the Internet and to local
fantasy addresses, including mail to local fantasy addresses that don't have a
valid Internet address of their own.

The following example presents additional configuration. You need to combine
this with basic configuration information as discussed the first half of this
document.

     1 /etc/postfix/main.cf:
     2     myhostname = hostname.localdomain
     3     mydomain = localdomain
     4
     5     canonical_maps = hash:/etc/postfix/canonical
     6
     7     virtual_alias_maps = hash:/etc/postfix/virtual
     8
     9 /etc/postfix/canonical:
    10     your-login-name    your-account@your-isp.com
    11
    12 /etc/postfix/virtual:
    13     your-account@your-isp.com       your-login-name

Translation:

  * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name
    that is already in use by real organizations on the Internet. See RFC 2606
    for examples of domain names that are guaranteed not to be owned by anyone.

  * Lines 5, 9, 10: This provides the mapping from "your-login-
    name@hostname.localdomain" to "your-account@your-isp.com". This part is
    required.

  * Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally,
    instead of sending it to the ISP. This part is not required but is
    convenient.

Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".

Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccaannoonniiccaall" whenever you change the
canonical table.

Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the
virtual table.

EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt

This section shows a typical scenario where the Postfix SMTP client sends all
messages via a mail gateway server that requires SASL authentication.

    TTrroouubbllee ssoollvviinngg ttiippss::

      * If your SASL logins fail with "SASL authentication failure: No worthy
        mechs found" in the mail logfile, then see the section "Postfix SMTP/
        LMTP client policy - SASL mechanism pprrooppeerrttiieess".

      * For a solution to a more obscure class of SASL authentication failures,
        see "Postfix SMTP/LMTP client policy - SASL mechanism nnaammeess".

To make the example more readable we introduce it in two parts. The first part
takes care of the basic configuration, while the second part sets up the
username/password information.

    /etc/postfix/main.cf:
        smtp_sasl_auth_enable = yes
        smtp_tls_security_level = encrypt
        smtp_sasl_tls_security_options = noanonymous
        relayhost = [mail.isp.example]
        # Alternative form:
        # relayhost = [mail.isp.example]:submission
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

  * The smtp_sasl_auth_enable setting enables client-side authentication. We
    will configure the client's username and password information in the second
    part of the example.

  * The smtp_tls_security_level setting ensures that the connection to the
    remote smtp server will be encrypted, and smtp_sasl_tls_security_options
    removes the prohibition on plaintext passwords.

  * The relayhost setting forces the Postfix SMTP to send all remote messages
    to the specified mail server instead of trying to deliver them directly to
    their destination.

  * In the relayhost setting, the "[" and "]" prevent the Postfix SMTP client
    from looking up MX (mail exchanger) records for the enclosed name.

  * The relayhost destination may also specify a non-default TCP port. For
    example, the alternative form [mail.isp.example]:submission tells Postfix
    to connect to TCP network port 587, which is reserved for email client
    applications.

  * The Postfix SMTP client is compatible with SMTP servers that use the non-
    standard "AUTH=mmeetthhoodd....." syntax in response to the EHLO command; this
    requires no additional Postfix client configuration.

  * The Postfix SMTP client does not support the obsolete "wrappermode"
    protocol, which uses TCP port 465 on the SMTP server. See TLS_README for a
    solution that uses the stunnel command.

  * With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP
    client to send username and password information to the mail gateway
    server. As discussed in the next section, the Postfix SMTP client supports
    multiple ISP accounts. For this reason the username and password are stored
    in a table that contains one username/password combination for each mail
    gateway server.

    /etc/postfix/sasl_passwd:
        # destination                   credentials
        [mail.isp.example]              username:password
        # Alternative form:
        # [mail.isp.example]:submission username:password

    IImmppoorrttaanntt

    Keep the SASL client password file in /etc/postfix, and make the file
    read+write only for root to protect the username/password combinations
    against other users. The Postfix SMTP client will still be able to read the
    SASL client passwords. It opens the file as user root before it drops
    privileges, and before entering an optional chroot jail.

  * Use the postmap command whenever you change the /etc/postfix/sasl_passwd
    file.

  * If you specify the "[" and "]" in the relayhost destination, then you must
    use the same form in the smtp_sasl_password_maps file.

  * If you specify a non-default TCP Port (such as ":submission" or ":587") in
    the relayhost destination, then you must use the same form in the
    smtp_sasl_password_maps file.

CCoonnffiigguurriinngg SSeennddeerr--DDeeppeennddeenntt SSAASSLL aauutthheennttiiccaattiioonn

Postfix supports different ISP accounts for different sender addresses (version
2.3 and later). This can be useful when one person uses the same machine for
work and for personal use, or when people with different ISP accounts share the
same Postfix server.

To make this possible, Postfix supports per-sender SASL passwords and per-
sender relay hosts. In the example below, the Postfix SMTP client will search
the SASL password file by sender address before it searches that same file by
destination. Likewise, the Postfix trivial-rewrite(8) daemon will search the
per-sender relayhost file, and use the default relayhost setting only as a
final resort.

    /etc/postfix/main.cf:
        smtp_sender_dependent_authentication = yes
        sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
        relayhost = [mail.isp.example]
        # Alternative form:
        # relayhost = [mail.isp.example]:submission

    /etc/postfix/sasl_passwd:
        # Per-sender authentication; see also /etc/postfix/sender_relay.
        user1@example.com               username1:password1
        user2@example.net               username2:password2
        # Login information for the default relayhost.
        [mail.isp.example]              username:password
        # Alternative form:
        # [mail.isp.example]:submission username:password

    /etc/postfix/sender_relay:
        # Per-sender provider; see also /etc/postfix/sasl_passwd.
        user1@example.com               [mail.example.com]:submission
        user2@example.net               [mail.example.net]

  * If you are creative, then you can try to combine the two tables into one
    single MySQL database, and configure different Postfix queries to extract
    the appropriate information.

  * Specify dbm instead of hash if your system uses dbm files instead of db
    files. To find out what lookup tables Postfix supports, use the command
    "postconf -m".

  * Execute the command "postmap /etc/postfix/sasl_passwd" whenever you change
    the sasl_passwd table.

  * Execute the command "postmap /etc/postfix/sender_relay" whenever you change
    the sender_relay table.