|
Size: 9929
Comment: merge from Manual-Howto
|
Size: 10774
Comment: arrange in prpoer order.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 9: | Line 9: |
| = Installing and Configuring Postfix on Debian = | = Postfix = == Installing and Configuring Postfix on Debian == |
| Line 82: | Line 83: |
| * You should be set. If your isp is blocking the traffic then you might need to do the following: = Anti-Spam = == Debian Anti-Spam Anti-Virus Gateway Email Server == [:Manual-Howto#head-8d657a43856c958db557ec5aaf4a9526e62a8600:Debian Anti-Spam Anti-Virus Gateway Email Server] == smtp restrictions == Insert this in your /etc/postfix/main.cf: |
* You should be set. If your isp is blocking the traffic then you might need to login to their smtp services. See the Postfix and sbcglobal/yahoo/att below. == anti-spam: smtp restrictions == *The first fight starts at your server so this should be added to any email server that you setup. This makes sure that any computer that trys to send an email to you has a valid domain name. (spammers use ex. myhomepc as a domain name. This will stop them from spamming you.) *Insert this in your /etc/postfix/main.cf: |
| Line 102: | Line 102: |
| == Using RBL Lists == | == anti-spam: Using RBL Lists == *RBL list is a lists domains and whether they are spammers or not. |
| Line 107: | Line 109: |
| ''See more: http://www.us.sorbs.net/mailsystems/postfix2.shtml'' ...or maybe [[http://paulgraham.com/spamhausblacklist.html avoid such blacklists]] = Other Services = == SPF and multiple external ip addresses == If you are trying to implement SPF records while binding to one external ip address and still working with dual-homed multiple ip aliased systems, or have any other reason to support multi-homed systems with multiple ip addresses but want to limit postfix to use only two of them try this. * {{{/etc/postfix/master.cf}}} * clone the smtp (not smtpd) service. Set the first one to use <spf published ip address> Rename the second to smtpinternal and use <internal ip address> {{{ smtp unix - - - - - smtp -o smtp_bind_address=<spf published ip address> smtpinternal unix - - - - - smtp -o smtp_bind_address=<internal ip address> }}} * {{{/etc/postfix/main.cf}}} * Use {{{transport_maps}}} for routing {{{ transport_maps = hash:/etc/postfix/transport }}} * {{{/etc/postfix/transport}}} * Map a transport for your internal domain. {{{ .internal smtpinternal: }}} Just {{{postmap /etc/postfix/transport}}}, {{{invoke-rc.d postfix stop}}} and {{{invoke-rc.d postfix start}}} and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/ip address all other email will be delivered via default methods which means internet mail will go out the the spf published ip address. Optional: * {{{/etc/postfix/main.cf}}} * Use the {{{inet_interfaces}}} setting to only listen on the ip addresses you want to.{{{ inet_interfaces = 127.0.0.1, <internal ip>, <spf published external ip> }}} === Explanation === I have some systems that are networked on an internal private ip address subnet ({{{192.168.0.0/16}}}). For a few reasons I email reports and such to {{{<user>@mail.internal}}} where {{{user}}} is an address that is not valid for receiving mail via the external interfaces. These systems also share a public ip address subnet so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers so if others care to check they can ignore email claiming to be from us but being delivered from other servers as per our SPF record. Recently I have expanded the ip addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn't impress the customers.) I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records but I wanted to stick with less ip addresses. So to recap my system has: * eth1 <public ip with spf published> * eth1:1 <public ip for extra port-based services> * eth0 <private ip on> By using the settings in {{{/etc/postfix/master.cf}}}, {{{/etc/postfix/main.cf}}} and {{{/etc/postfix/transport}}} as outlined above I was able to get my outgoing smtp traffic to use my SPF published ip address once again. |
''See what rbl is about: http://www.us.sorbs.net/mailsystems/postfix2.shtml'' '' and [[http://paulgraham.com/spamhausblacklist.html avoid such blacklists]]'' == Debian Anti-Spam Anti-Virus Gateway Email Server == *If you are building anti spam system that will act as a gateway. Read below. If you want to add more anti-spam restrictions this is worth reading. [:Manual-Howto#head-8d657a43856c958db557ec5aaf4a9526e62a8600:Debian Anti-Spam Anti-Virus Gateway Email Server] |
| Line 192: | Line 152: |
| = Postfix and mailing lists = | |
| Line 266: | Line 227: |
= Advanced options = == SPF and multiple external ip addresses == === Explanation === I have some systems that are networked on an internal private ip address subnet ({{{192.168.0.0/16}}}). For a few reasons I email reports and such to {{{<user>@mail.internal}}} where {{{user}}} is an address that is not valid for receiving mail via the external interfaces. These systems also share a public ip address subnet so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers so if others care to check they can ignore email claiming to be from us but being delivered from other servers as per our SPF record. Recently I have expanded the ip addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn't impress the customers.) I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records but I wanted to stick with less ip addresses. So to recap my system has: * eth1 <public ip with spf published> * eth1:1 <public ip for extra port-based services> * eth0 <private ip on> By using the settings in {{{/etc/postfix/master.cf}}}, {{{/etc/postfix/main.cf}}} and {{{/etc/postfix/transport}}} as outlined above I was able to get my outgoing smtp traffic to use my SPF published ip address once again. === Make SPF and multiple external ip addresses === If you are trying to implement SPF records while binding to one external ip address and still working with dual-homed multiple ip aliased systems, or have any other reason to support multi-homed systems with multiple ip addresses but want to limit postfix to use only two of them try this. * {{{/etc/postfix/master.cf}}} * clone the smtp (not smtpd) service. Set the first one to use <spf published ip address> Rename the second to smtpinternal and use <internal ip address> {{{ smtp unix - - - - - smtp -o smtp_bind_address=<spf published ip address> smtpinternal unix - - - - - smtp -o smtp_bind_address=<internal ip address> }}} * {{{/etc/postfix/main.cf}}} * Use {{{transport_maps}}} for routing {{{ transport_maps = hash:/etc/postfix/transport }}} * {{{/etc/postfix/transport}}} * Map a transport for your internal domain. {{{ .internal smtpinternal: }}} Just {{{postmap /etc/postfix/transport}}}, {{{invoke-rc.d postfix stop}}} and {{{invoke-rc.d postfix start}}} and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/ip address all other email will be delivered via default methods which means internet mail will go out the the spf published ip address. Optional: * {{{/etc/postfix/main.cf}}} * Use the {{{inet_interfaces}}} setting to only listen on the ip addresses you want to.{{{ inet_interfaces = 127.0.0.1, <internal ip>, <spf published external ip> }}} == Postfix and Sasl == *This page should be merged here. *["PostfixAndSASL"] |
|
| Line 267: | Line 281: |
| * [http://fr.wikipedia.org/wiki/Anti_spam Global concept] ''(in french)'' * [http://pwet.fr/blog/anti_spam_avec_postfix antispam with postfix] ''(in french)'' |
*There is a ton of articles out there. They range from anti-spam to postfix administration, to multi mail servers. There would be too many articles to link here. Google search for what you need.(anti-spam, rbl, postfix, isp style mail servers setup, etc) |
| Line 270: | Line 285: |
| See also: ["PostfixAndSASL"] |
[:/Discussion:Discussion]Postfix is a secure Mail Transfer Agent
?TableOfContents(2)
Postfix
Installing and Configuring Postfix on Debian
- Install postfix (this will remove exim since there can't be two mail systems)(If you have a website, choose internet site if configurations will ask):
apt-get install postfix
- Check the log mail.log, mail.err, mail.info, mail.warn to see if postfix runs.
cat /var/log/mail.log
- Configure: Now add your domain to config files, so others can't abuse your mailsystem. We do it with postconf
postconf -e "myorgin = example.com"
- Now add your hostname (computer name). Use command "hostname" if not sure. It will show your hostname.
postconf -e "myhostname=server1.example.com"
- Now add domain name that your system will handle.
postconf -e "relay_domains = example.com, example2.com, example3.com"
- Reload Postfix Server:
postfix reload
- Let's test our mailserver. Type
telnet localhost 25
- You should see:
Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. 220 server1.example.com ESMTP Postfix (Debian/GNU)
- Now sent an email to yourself:
mail from:<you@youremail.com> rcpt to:<user@example.com> data To: user@example.com From: you@youremail.com Subject: Hey my first email This is my first email on debian postfix after installing configuring it. It was easy. See you
- Now to end data hit enter, type in a dot, and hit enter again:
.
- Then
quit
- Your are done. you can type "mail" and see if you have some.
- Now let's get to next step:
- If you have a router with firewall you will need to enable port 25 and forward that port to your computer.
- You will need to enter your MX records in your domain provider. (ex. godaddy.com, or dnspark.com)
Check your mx records: go to http://www.iptools.com/ locate "DNS lookup". From pulldown menu select "MX". Type in your domain name (ex. example.com). You should see some records there. If you don't see any MX records go back to previus step. You have to have MX record otherwise other computers won't be able to see you when sending emails.
- Usefull commands:
qshape mailq qshape deferred postsuper postsuper -r ALL (requeue all emails)
- You should be set. If your isp is blocking the traffic then you might need to login to their smtp services. See the Postfix and sbcglobal/yahoo/att below.
anti-spam: smtp restrictions
- The first fight starts at your server so this should be added to any email server that you setup. This makes sure that any computer that trys to send an email to you has a valid domain name. (spammers use ex. myhomepc as a domain name. This will stop them from spamming you.)
- Insert this in your /etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
anti-spam: Using RBL Lists
- RBL list is a lists domains and whether they are spammers or not.
Insert this in your /etc/postfix/main.cf:
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
See what rbl is about: http://www.us.sorbs.net/mailsystems/postfix2.shtml
and http://paulgraham.com/spamhausblacklist.html avoid such blacklists
Debian Anti-Spam Anti-Virus Gateway Email Server
- If you are building anti spam system that will act as a gateway. Read below. If you want to add more anti-spam restrictions this is worth reading. [:Manual-Howto#head-8d657a43856c958db557ec5aaf4a9526e62a8600:Debian Anti-Spam Anti-Virus Gateway Email Server]
Postfix and sbcglobal/yahoo/att
- SBC global block port 25 on its DSL users:client tools on your box. Now you can checkout the repository:
- We will use sbc smtp server via authentication to sent emails. Do this:
- Install these two modules (They tell postfix how to authenticate):
apt-get postfix-tls libsasl2-modules
- ADD to main.cf by using postconf. Just type:
postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]" postconf -e "smtp_sasl_auth_enable = yes" postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" postconf -e "smtp_sasl_security_options = noanonymous"
- Create a file called sasl_passwd in /etc/postfix/sasl_passwd. Inside type in
[smtp.sbcglobal.yahoo.com] username@sbcglobal.net:mypassword
- Now change permisions so others can't read it:
chmod 600 /etc/postfix/sasl_passwd
- Now postmap it. (creates database-like file so postfix can read it)
postmap /etc/postfix/sasl_passwd
- Restart postfix
postfix reload
- Done. You can use "mutt" to sent emails outside. Check /var/log/mail.log to see if everything is working.
Postfix and mailing lists
Mailman with Postfix
- Install mailman:
apt-get install mailman
- When done type:
newlist mailman
- Start mailman
/etc/init.d/mailman start
- You should be able to see mailman running now. Visit:
- Because postfix is a secondary choice for Debian we need to add:
- Edit /etc/postfix/main.cf; where you see "relay_domains" add lists.yourdomain.com. You would get something like this:
relay_domains = example.com, lists.example.com
- In same file add ,hash:/var/lib/mailman/data/aliases after alias_maps
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
- Now type:
postconf -e "transport_maps = hash:/etc/postfix/transport" postconf -e "mailman_destination_recipient_limit = 1"
- In /etc/postfix/master.cf add:
mailman unix - n n - - pipe
flags=FR user=list
argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}- Edit or create /etc/postfix/transport. Add this line:
lists.example.com mailman:
- Then postmap it:
postmap /etc/postfix/transport
- Now edit /etc/mailman/mm_cfg.py and add:
MTA = 'Postfix' DEB_LISTMASTER = 'postmaster@example.com' POSTFIX_STYLE_VIRTUAL_DOMAIN = ['lists.example.com']
- Done. Now restart postfix, mailman
/etc/init.d/postfix reload /etc/init.d/mailman restart
- Create a mailing list:
newlist list_name
- If you want archives add this to /etc/apache2/apache2.conf
Alias /pipermail/ /var/lib/mailman/archives/public/ Alias /images/mailman/ /usr/share/images/mailman/
- Done. Go to
http://lists.yourwebsite.com/cgi-bin/mailman/listinfo/list_name/
Advanced options
SPF and multiple external ip addresses
Explanation
I have some systems that are networked on an internal private ip address subnet (192.168.0.0/16). For a few reasons I email reports and such to <user>@mail.internal where user is an address that is not valid for receiving mail via the external interfaces. These systems also share a public ip address subnet so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers so if others care to check they can ignore email claiming to be from us but being delivered from other servers as per our SPF record.
Recently I have expanded the ip addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn't impress the customers.) I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records but I wanted to stick with less ip addresses.
So to recap my system has:
eth1 <public ip with spf published>
eth1:1 <public ip for extra port-based services>
eth0 <private ip on>
By using the settings in /etc/postfix/master.cf, /etc/postfix/main.cf and /etc/postfix/transport as outlined above I was able to get my outgoing smtp traffic to use my SPF published ip address once again.
Make SPF and multiple external ip addresses
If you are trying to implement SPF records while binding to one external ip address and still working with dual-homed multiple ip aliased systems, or have any other reason to support multi-homed systems with multiple ip addresses but want to limit postfix to use only two of them try this.
/etc/postfix/master.cf
clone the smtp (not smtpd) service. Set the first one to use <spf published ip address> Rename the second to smtpinternal and use <internal ip address>
smtp unix - - - - - smtp
-o smtp_bind_address=<spf published ip address>
smtpinternal unix - - - - - smtp
-o smtp_bind_address=<internal ip address>/etc/postfix/main.cf
Use transport_maps for routing
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport
- Map a transport for your internal domain.
.internal smtpinternal:
Just postmap /etc/postfix/transport, invoke-rc.d postfix stop and invoke-rc.d postfix start and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/ip address all other email will be delivered via default methods which means internet mail will go out the the spf published ip address.
Optional:
/etc/postfix/main.cf
Use the inet_interfaces setting to only listen on the ip addresses you want to.
inet_interfaces = 127.0.0.1, <internal ip>, <spf published external ip>
Postfix and Sasl
- This page should be merged here.
- ["PostfixAndSASL"]
External links
- There is a ton of articles out there. They range from anti-spam to postfix administration, to multi mail servers. There would be too many articles to link here. Google search for what you need.(anti-spam, rbl, postfix, isp style mail servers setup, etc)