pete@guardiandigital.com/etc/postfix,
/usr/lib/libexec/postfix contains the postfix daemons, and
/var/spool/postfix contains the mail queues and various mail
staging directories and the default chroot directory "etc" (if chrooting
is configured).
/etc/postfix will be the most important directory as it
controls postfix's behaviour. This directory holds the two configuration
files and the aliases, virtual, transport, access, and other databases in
maps.
There are many maps that can be used with postfix but I will only discuss
the main three here as they are the basis of most typical Postfix
configurations. The others are for more specialized purposes and
are beyond the scope of this document. There are also several different
"maptypes" or formats that can be used such as "hash", "dbm", "nis",
and ASCII "regexp" files. All of the maptype files have an ASCII form
and then are converted to a "maptype" database file with the
postmap utility (except for "regexp" files which just have the
ASCII form). The "maptype" used by default with EnGarde is "hash".
With regards to "aliases" there are two parameters that are involved, the "alias_map" and the "alias_database". The "alias_map" defines which databases Postfix will refer to when looking up an alias. EnGarde comes with just one database defined
alias_maps = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, nis:mail.aliases
/etc/postfix/aliases.db followed by a look up in the NIS
"mail.aliases" database. (NIS stands for Network Information Service and
its operation is beyond the scope of this HOWTO).
The "alias_database" parameter defines what text file will
be converted to a database and what "database type" will be used for the
conversion when running the "newaliases" command. EnGarde's default setting
is "alias_database = hash:/etc/postfix/aliases".
The purpose of these two parameters can be a little confusing. To sum it up, Postfix uses "alias_maps" to find out what database(s) to use when looking up aliases and "alias_database" to find out what text file to use to create an aliases database file (aliases.db).
The format of the "aliases" file is identical to sendmail's is function and format where the entries are of the form:
local-user: alias
user@[some-machine, some-machine@somedomain]
root: pete@guardiandigital.com
postalias hash:/etc/postfix/aliases
simply run "newaliases" with no command line options.
[root@juggernaut-t postfix]# postalias hash:/etc/postfix/aliases
[root@juggernaut-t postfix]# ls -ltr /etc/postfix/aliases*
-rw-r----- 1 root root 3768 May 21 14:03 /etc/postfix/aliases
-rw-r--r-- 1 root root 20480 May 21 14:03 /etc/postfix/aliases.db
[root@juggernaut-t postfix]#
NOTE - ALL OTHER DATABASES ARE CREATED WITH THEHere you can see that the aliases.db database file was created from thepostmapCOMMAND - THE ALIASES MAP IS SPECIAL AND HAS IT'S OWN MAP CREATING COMMANDSpostaliasORnewaliases.
postalias command.
The "virtual" map defines virtual domains and their users. This allows the
mail server to redirect incoming mail addressed to
user1@DOMAINNAME to different destinations such as a
another user of the same domain or a user in a different domain or
even a combination of many users at many destinations. The
"typical" format of this file is made up of one or many sections of
the format:
DOMAINNAME1 XXXXXXX
user1@DOMAINNAME local-user
user2@DOMAINNAME user@someotherdomain
user3@DOMAINNAME user@someotherdomain, user@anotherdomain, ...
.
.
@DOMAINNAME local-user or user@somedomain (OPTIONAL)
The second field of the user definition can be one or more local users
and or one or more users at some other domain. The
"@DOMAINNAME user" defines that "user"
will get
all mail that is NOT defined for this domain. This means that
"user" will get ALL mail sent to non-existent
users of that
domain. When NOT including such an entry, all mail sent to
non-existent users will be bounced back to the sender with an
error message. This would be a lower maintenance option that
also has the benefit of letting a sender know that the addressee
doesn't exist.
A typical example:
linuxseclabs.net VIRTUALDOMAIN
bill@linuxseclabs.net bill
joe@linuxseclabs.net joe@guardiandigital.com
@linuxseclabs.net pete@guardiandigital.com
postmap hash:/etc/postfix/virtual
NOTE: - AFTER MAKING ANY CONFIGURATION CHANGES, WHETHER THEY ARE TO A MAP OR A CONFIGURATION FILE (The quickest and least intrusive form is to runmain.cformaster.cf) YOU MUST EITHER RESTART POSTFIX (/etc/init.d/postfix restart) OR RELOAD THE NEW CONFIGURATION TO THE CURRENTLY RUNNING POSTFIX PROCESS (postfix reload).
postfix reload
as this does not stop and start the current process but just reloads the
configuration. A total restart can take time on a very active server.
The "transport" map defines what server mail for a given domain will be forwarded to and by what transport. The format is a one line entry with the DOMAINNAME followed by the TRANSPORT:SERVERNAME. Transports are listed in the /etc/postfix/master.cf file. The most typical will be "smtp". Using any other transports is beyond the scope of this introductory document.
A typical example:
demo.guardiandigital.com smtp:smtp.demo.guardiandigital.com
postmap hash:/etc/postfix/transport
Postfix processes the virtual map against addresses BEFORE the transport map. This is important to know especially when trouble shooting.
Here are a couple of several more maps worth briefly mentioning:
access" map into "recipient_access"
and "sender_access" maps for a finer tuned
access contol.
The big Kahuna. This is where most of the configuration gets defined. This
file is located at /etc/postfix/main.cf. Previously
defined maps as well as up to 206 configuration parameters
(as of snapshot-20010502)
are combined in main.cf to formulate the Postfix
configuration. But fortunately you don't need to know about most of
the configuration parameters and Postfix was designed to accomodate
many typical mail server scenarios out of the box.
The main.cf file provides a decent amount of documentation and
many times one only needs to read the description to get an
understanding of the configuration parameter. But if more information
is needed there is a full set of HTML docs in
/usr/share/doc/postfix-XXXXXXXX/html that are very
informative. Here is a listing with a description of the default
/etc/postfix/main.cf
file found in EnGarde-1.0:
queue_directory specifies the location of the
Postfix queue. This is also the root directory of Postfix daemons
that run chrooted. See the files in
examples/chroot-setup for setting up Postfix chroot
environments on different UNIX systems.
queue_directory = /var/spool/postfix
command_directory parameter specifies the
location of all postXXX commands. The default value is
$program_directory.
command_directory = /usr/sbin
daemon_directory parameter specifies the
location of all Postfix daemon programs (i.e. programs listed in the
master.cf file). The default value is
$program_directory. This directory must be owned by root.
daemon_directory = /usr/libexec/postfix
mail_owner parameter specifies the owner of the
Postfix queue and of most Postfix daemon processes. Specify the name
of a user account THAT DOES NOT SHARE A GROUP WITH OTHER ACCOUNTS AND
THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In particular,
don't specify nobody or daemon. PLEASE
USE A DEDICATED USER.
mail_owner = postfix
myorigin parameter specifies the domain that
locally-posted mail appears to come from. The default is to append
$myhostname,
which is fine for small sites. If you run a domain with multiple
machines, you should (1) change this to $mydomain and
(2) set up a domain-wide alias database that aliases each user to
user@that.users.mailhost.
myorigin = $myhostname
mydestination parameter specifies the list of
domains that this machine considers itself the final destination for.
That does not include virtual domains that are hosted on this
machine. Those domains are specified elsewhere (see virtual and
transport maps).
mydestination = $myhostname, localhost.$mydomain $mydomain
smtpd_recipient_restrictions parameter, according
to most Postfix documentation, specifies restrictions on recipient
addresses that SMTP
clients can send in RCPT TO commands. But in reality it
can actually control ALL smtpd restrictions and it is highly
recommended to put ALL of the smtpd restrictions in this parameter.
(These are just a few of many restrictions - there is a more
complete list documented in /etc/postfix/main.cf and
sample configurations in /etc/postfix/samples).
$mynetworks (see "mynetworks" below).
$inet_interfaces,
$mydestination, or
$virtual_maps,
$relay_domains or subdomain thereof,
$relay_domains or subdomain thereof
(except addresses with sender-specified routing),
smtpd_recipient_restrictions = reject_unknown_client,
permit_mynetworks, check_relay_domains
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
relay_domains parameter restricts what clients
this mail system will relay mail from, or what destinations this
system will relay
mail to. Any domains listed in the "virtual" and
"transport" maps MUST BE LISTED HERE!
The "out of the box" default is to list
$mydestination which by
default refers to the local server. Here is a typical definition
where the server will relay mail for itself and a couple of additional
domains.
relay_domains = $mydestination, linuxseclabs.com, linuxseclabs.net
relay_domains = $mydestination, $virtual_maps, $transport_maps
$virtual_maps $transport_maps expand to the
domains that are defined in "virtual" and
"transport" maps.
The "mynetworks" parameter specifies the list of networks
that are local to this machine. The list is used by the anti-UCE
software to distinguish local clients from strangers.
By default, for security reasons, lists only hosts on the loopback
network as trusted.
mynetworks = 127.0.0.0/8
SMTP VRFY address verification command that can be
executed by mail clients.
disable_vrfy_command = yes
A typical format would look like this:
relayhost = 222.333.444.555 (IP quad)
Note: This setting is not set by default.
This file is generally very static. It describes how each Postfix mailer component should be run. In most cases you shouldn't have to touch this file. In EnGarde we have modified this file to run all of the postfix daemons in the default chroot environment of /var/spool/postfix. The exceptions to this are the "local" and "pipe" programs which are restricted by Postfix to not run chrooted.
This environment is intended to limit system access to any malicious user who
gains entry via an exploit of the mail system and contains only the very
limited set of files necessary for the chrooted Postfix daemoms to run.
The files that EnGarde includes in the chrooted environment are found in
/var/spool/postfix/etc:
[root@demo postfix]# ls -l /var/spool/postfix/etc
total 24
-rw-r----- 1 root root 604 Mar 5 13:43 hosts
-rw-r--r-- 1 postfix postfix 1250 Feb 7 08:30 localtime
-rw-r--r-- 1 postfix postfix 153 Mar 6 11:45 resolv.conf
-rw-r--r-- 1 postfix postfix 11332 Feb 7 08:30 services
[root@demo postfix]#
[root@demo postfix]# ls -l /var/spool/postfix/lib/
total 72
-rwxr-xr-x 1 postfix postfix 67600 Feb 7 08:30 libnss_dns.so.2
[root@demo postfix]#
/var/spool/postfix/etc files are copies of the ones
found in /etc
as is the /var/spool/postfix/lib/libnss_dns.so.2 a copy
of the libnss_dns library found in /lib.
maps_rbl_domains"
parameter can be set to include several rbl domains. The default is
blackholes.mail-abuse.org. A multiple domain setting
would look something like:
maps_rbl_domains = blackholes.mail-abuse.org,
dialups.mail-abuse.org, relays.mail-abuse.org
Note: - THE ABOVE IS ONLY AN EXAMPLE AND IS OUTDATED DUE TO RECENT CHANGES TO MAPS POLICY. AS OF 07/31/01 MAPS - Mail Abuse Prevention System (mail-abuse.org) SERVICE IS NOW AVAILABLE BY SUBSCRIPTION ONLY. THEREFORE IT IS UP TO THE MAIL ADMININSTRATOR AS TO WHAT TO USE AS A REPLACEMENT, IF ANY.
Note: Any whitespace character can be used as line-continuation.Once the
maps_rbl_domains parameter is set it can now be
referenced by several other mail restriction type parameters by putting
reject_maps_rbl in the options list. Here is an example
of including it in the smtpd_recipient_restrictions
parameter. (You typically want to add RBL checks at the end of the
list as a DNS lookup is performed when doing an RBL check - by
putting them at the end of a list you avoid performing the check as
much as possible as the smtp connection in question may be caught by
a more leftmost restriction. There is an exception to this: at least
in postfix-20010329 postfix's smtpd sends a warning if the options
are listed AFTER check_relay_domains. (The
options list is processed from left to right). This is because
check_relay_domains returns either OK or
REJECT and therefore no further restrictions are
evaluated.
smtpd[25690]: warning: restriction `reject_maps_rbl' after
`check_relay_domains' is ignored
reject_maps_rbl after all of the other
options and BEFORE check_relay_domains works.
smtpd_recipient_restrictions = reject_unknown_client, permit_mynetworks,
reject_maps_rbl, check_relay_domains
acme.com and
wiley-coyote.org. The server
is smtp.acme.com and therefore it is in the
acme.com domain. As a courtesy to one of Acme's biggest
customers, smtp.acme.com will receive and forward mail
for the wiley-coyote.org domain to
mail.wiley-coyote.orig as well as store Acme's mail
locally in the standard /var/spool/mail directory using
the WebTool.
From the main page follow the links "System Management" -> "Mail Server Management" -> "Mail Server Configuration". If this is server is going to have a connection to the Internet (most likely through some sort of protection like a firewall) you would leave the "Deliver directly" button set. This is the setting we are going to use as our example is to configure a top level mail server. (If this were some internal server you would set up a connection to a relay server instead by clicking on the button to the left of the text field and filling in the field with the FQDN of the the mail relay. You may need to check with your network administrator/architect for the appropriate server name).
Finish by clicking on "Save Options".
acme.com. You would also enter an email address for
the person who would be postmaster of this domain into the
"Postmaster" text field.
Finish by clicking on "Add New Domain". You should now see the name
acme.com listed in blue lettering below the "Domain
Management" title bar at the top of the page verifying that the new
domain has been created.
acme.com
text and you will enter a page where you can add users. Here you
define username-recipient pairs. For example to create the local user
joe@acme.com enter "joe" in the E-Mail
Username text field and "joe" in the
"Recipient" text field. Click on "Add New" and you will
see "joe@acme.com" appear in the "E-Mail Address" field
in the lower portion of the page with a cooresponding "joe" in the
"Recipient" field.
Note: Local users such as "joe" above must be actual local users on this server. If they don't currently exist they can be created via "Main Page -> "System Management" under the "Local User Management" section. Refer to the Guardian Digital EnGarde Linux User Manual on how to create new users.We can also create users with remote destinations by entering their remote address in the recipient field. To create "
bob@acme.com" and have his mail sent to
"bob@guardiandigital.com" enter "bob" in the "E-Mail
Username" field and "bob@guardiandigital.com" in the
"Recipient" field.
wiley-coyote.org" back out 2 levels of pages and enter
the "Mail Routing" link. Enter "wiley-coyote.org" in the "Domain"
field and an the mail server "mail.wiley-coyote.org" in
the "Relay mail to" field. Follow this by clicking on "Add New" and
"wiley-coyote.org" will appear as an "Existing Mail
Route" verifying that the new mail relay was created.
smtp.acme.com" will now receive mail for
"joe" and store in /var/spool/mail/joe. It
will also receive mail for "bob@acme.com" and forward it
to "bob@guardiandigital.com" and it will forward all
mail for "wiley-coyote.org" to
mail.wiley-coyote.org.
Note: Obviously to forward mail to "wiley-coyote.org" it would have to receive mail for "wiley-coyote.org". This means thatsmtp.acme.comwould have to defined somewhere as a mail server for "wiley-coyote.org". This would most commonly be done throughsmtp.acme.combeing defined via an MX for the "wiley-coyote.org" domain in DNS.
Almost everything will be done in the /etc/postfix
directory. Let's start setting up the "aliases" file.
The default aliases file has most of your typical administrative users:
postmaster: root
MAILER-DAEMON: postmaster
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
admin: root
manager: root
dumper: root
operator: root
.
.
.
postfix: postmaster
root: SOME REAL PERSON
postfix: root" used to be "root: postfix"
accompanied by a comment to change the "postfix" to some
real person. Now the last two lines above are recommended instead.
The most likely candidate for the "root" alias would be
an administrator type of person. The new line should look like this:
root: joe@acme.com
postalias hash:/etc/postfix/aliases
newaliases with no command line options.
The next step would be to define the two virtual domains. This is done
in the virtual map so we will edit
/etc/postfix/virtual following the format described above:
acme.com ACME.COM VIRTUAL DOMAIN
joe@acme.com joe
bill@acme.com bill
jack@acme.com jack@slacker.com
admins@acme.com joe, jack@slacker.com
wiley-coyote.org WILEY-COYOTE.ORG VIRTUAL DOMAIN
wiley@wiley-coyote.org wiley
roadrunner@wiley-coyote.org roadrunner
ACME.COM VIRTUAL DOMAIN". We have just defined
the users for acme.com. The local users (the ones where
this a just a user name WITHOUT the @domainname suffix)
must be local users on this server such as "joe". Any mail sent to
"joe" will typically end up in /var/spool/mail/joe. Any
mail received by this mail server for user jack@acme.com
will get forwarded to jack@slacker.com.
Once again, once editing the text file "virtual" has been
completed, the database file "virtual.db" must be
created with
postmap hash:/etc/postfix/virtual
You may have noticed that we did not define the virtual domain
"wiley-coyote.org". This is because, as stated above,
all of the mail received for this domain will be forwarded on to a
mail server at wiley-coyote.org. This is defined in the
"transport" map and the
/etc/postfix/transport text file should look something
like this:
wiley-coyote.org smtp:mail.wiley-coyote.org
.wiley-coyote.org smtp:mail.wiley-coyote.org
wiley-coyote.org will be sent to the mail server
mail.wiley-coyote.org via the "smtp"
transport. The smtp specifies the postfix
smtp daemon found in
/usr/libexec/postfix directory which utilizes the
standard SMTP protocol. This will be the most commonly used transport
for most situations. The second line with the "." prepended to it
says to send mail addressed to any subdomains of
wiley-coyote.org to
mail.wiley-coyote.org as well. Since this example is
describing a typical real life scenario it is included as more often
than not you would want subdomain mail to go to the same top level
mail server as the parent domain.
If we had multiple domains to forward to we would just simply
add an extra two lines to the transport file for each domain:
wiley-coyote.org smtp:mail.wiley-coyote.org
.wiley-coyote.org smtp:mail.wiley-coyote.org
jack-jill.com smtp:smtp.jack-jill.com
.jack-jill.com smtp:smtp.jack-jill.com
bugsbunny.net smtp:mail.bugsbunny.net
.bugsbunny.net smtp:mail.bugsbunny.net
transport.db database file with
postmap hash:/etc/postfix/transport
The last thing to do is to edit /etc/postfix/main.cf
file. This is where we tell Postfix about the newly created databases
along with other configuration settings. As previously mentioned,
there are around 200 parameters that can be set in this file to alter
the behaviour of Postfix operation. I will leave most of those to you to
explore. The default main.cf that comes with the EnGarde distribution
will function just as it is as a workstation mail server. This means
that it will handle mail for itself only. This mainly determined by
several parameters with their default values being:
mydestination = $myhostname, localhost.$mydomain"
If Postfix is serving as just a workstation mail service
mydestination will be defined as
"$myhostname, localhost.$mydomain".
"mydestination" defines what addresses will be received
locally. Here only mail addressed to the hosts' FQDN (as stated by
$myhostname) or
"localhost.this-machines-domainname" (as stated by
$mydomain) will be received.
To change the server from a workstation server to a domain server you
would alter mydestination to include an additional
definition of $mydomain to state that it recieves mail
for any machine or subdomain of $mydomain and would
look like this:
mydestination = $myhostname, localhost.$mydomain, $mydomain
relay_domains to include more than just its own domain,
which is discussed shortly.
The myorigin = $myhostname parameter specifies the
address that locally posted mail appears to come from.
The main.cf also refers to the maps that we have just
created with the following lines:
alias_maps = hash:/etc/postfix/aliases
virtual_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
VRFY is disabled for security reasons:
disable_vrfy_command = yes
The relay_domains parameter states what domains this
server will relay mail for. By default this is set to
$mydestination which represents the local machine's
hostname smtp.acme.com and
localhost.acme.com.
YOU WILL NEED TO ADD ANY DOMAINS DEFINED IN THE VIRTUAL AND TRANSPORT MAPS TO THIS PARAMETER OR MAIL WILL NOT BE RELAYED TO THEM!
So for our example the relay_domains parameter in
main.cf will look like this:
relay_domains = $mydestination, acme.com, wiley-coyote.org
relayhost = RELAYSERVERNAME
relayhost = 111.222.333.444
Postfix is now ready to go and can be started by running the
initscript:
/etc/init.d/postfix start
/var/log/mail.log and verify that Postfix has started
without error. You may want to send a couple of test e-mails now and
watch the entries as the mail gets delivered.
"/etc/init.d/postfix start"
"/etc/init.d/postfix stop"
"/etc/init.d/postfix restart"
postfix reload and upon completion the new configuration
will be deployed.
/usr/sbin/postfix flush
postmap hash:/etc/postfix/MAPNAME
postalias hash:/etc/postfix/aliases
simply run newaliases with no command line options.
postfix reload - just reloads new
configuration without halting the daemon.
/etc/init.d/postfix restart - which
halts and restarts the postfix daemon with new
configuration.
postmap -q key map
[root@demo postfix]# postmap -q linuxseclabs.com transport
smtp:orion-t.secure.linuxseclabs.com
[root@demo postfix]#
postalias.
[root@demo postfix]# postalias -q root aliases
pete@guardiandigital.com
[root@demo postfix]#
mailq lists the mail queue. Each entry shows the
queue file ID, message size, arrival time, sender, and the
recipients that still need to be delivered. If mail could not be
delivered upon the last attempt, the reason for failure is shown.
This mode of operation is implemented by connecting to the
showq(8) daemon.
For example:
[root@juggernaut postfix]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
BF09A11D315 1125 Mon May 21 14:30:24
vuln-newsletter-admins@linuxsecurity.com
(Name service error for ec.ucdb.br: Host not found, try again)
SOMEHOST@SOMEDOMAIN.COM
BF09A11D315" is the mail queue identifier
which can be used to access this file in the queue. A reason for
such access could be to delete the file thus removing it from the
queue.
postcat queuefile
prints out in readable form a queue file. First you may want to run a
find command to locate queue files or run
mailq and run find on the returned
queueID's.
Example 1:
[root@demo ]# find /var/spool/postfix/active -type f active/B/8/B8E7611D302
[root@demo ]# postcat active/B/8/B8E7611D302
[root@demo ]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-----
BF09A11D315 1125 Mon May 21 14:30:24
vuln-newsletter-admins@linuxsecurity.com
.
.
[root@demo ]# find . -name A119611D303 ./deferred/A/1/A119611D303
[root@demo ]# postcat deferred/B/F/BF09A11D315
find /var/spool/postfix -name "IDENTIFIER" -exec rm {} \;
mailq" to verify the removal.
Note: To remove queueID from the mail queue
in versions of postfix later than snapshot-20010502
postsuper -d queueID
"(Name service error for SOMEHOST@SOMEDOMAIN.COM
Host not found,try again)".
To check the current configuration:
/usr/sbin/postfix check
/var/log/mail.log to verify that you need more
information first. If more information is needed then restart the
postfix daemon in "verbose" mode with the "-v" option. To do this
you would stop the daemon first:
/etc/init.d/postfix stop
/var/log/mail.log:
/usr/sbin/postfix -v start
debug_peer_level = 2
debug_peer_list = some.domain
debug_peer_level" parameter specifies the increment
in verbose logging level when an SMTP client or server host name or
address matches a pattern in the "debug_peer_list"
parameter.
The "debug_peer_list" parameter specifies an optional
list of domain or network patterns, /file/name patterns or
type:name tables. When an SMTP client or server host name or address
matches a pattern, increase the verbose logging level by the amount
specified in the "debug_peer_level" parameter.