Postfix and Ubuntu
Latest version of 4 September 2023 at 12:57

Links

Description

Postfix is an SMTP (Simple Mail Transfer Protocol) server.
Ports

port          | description
--------------|-------------------------------------------------------------------------------------------
587 incoming  | standard port for message submission by mail clients; STARTTLS (the session starts in plain text and is upgraded to TLS)
465 incoming  | message submission over implicit TLS (SMTPS); once deprecated, standardised again by RFC 8314
25 incoming   | mandatory port to receive mail from other SMTP servers
25 outgoing   | mandatory port to send mail to other SMTP servers
Commands

# check the configuration
sudo postfix check
# reload the configuration
sudo postfix reload
# show the current Postfix settings
postconf -pf
# show the default settings
postconf -df
Basic Configuration

/etc/postfix/main.cf
mydomain = domain.net
# mydomain = localdomain (localdomain is replaced during installation)
myhostname = mail.domain.net
# myhostname = <hostname>.localdomain
# domain name to use in outbound mail, ex: user@myorigin
# send mail as user@$mydomain
myorigin = $mydomain
# myorigin = $myhostname
# domains to receive mail for
# add $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
# mydestination = $myhostname, localhost.$mydomain, localhost
alias_maps = hash:/etc/aliases
# alias_maps = hash:/etc/aliases, nis:mail.aliases
# trust (and relay mail for) the local machine only
mynetworks_style = host
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# compatibility_level = 0
# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
# never relay mail from strangers
relay_domains =
# delivery method: direct, or indirect through another SMTP server
relayhost = [smtp.internet-provider.fr]
# relayhost = (direct delivery to the Internet)
hostname

Not sure that this is needed if localhost is used.

# current hostname
hostnamectl status
sudo hostnamectl set-hostname mail.domain.fr

/etc/hosts
127.0.0.1 localhost mail.domain.fr
::1 localhost ip6-localhost ip6-loopback mail.domain.fr

# log in again to see the change, then run
hostname -f
TLS encryption for outgoing mail

/etc/postfix/main.cf
# smtp_use_tls is obsolete since Postfix 2.3; smtp_tls_security_level below takes precedence
smtp_use_tls = yes
# "encrypt": never deliver without TLS. Right when everything goes through a relayhost that
# supports STARTTLS; for direct delivery to arbitrary MX hosts use "may" (opportunistic TLS),
# otherwise mail to servers without STARTTLS is deferred and bounces.
# Note that "encrypt" does not verify the relay's certificate; "verify" or "secure" do.
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Orange

Orange's box (home router) blocks outbound port 25 over IPv4 to limit spam, so outgoing mail has to be sent through Orange's SMTP relay.

/etc/postfix/main.cf
relayhost = [smtp.orange.fr]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_sasl_auth_enable = yes
# never authenticate anonymously; with smtp_tls_security_level = encrypt the password only travels inside TLS
smtp_sasl_security_options = noanonymous
# smtp_sasl_security_options = noplaintext, noanonymous
#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain = $myhostname

/etc/postfix/sasl/orange.conf
[smtp.orange.fr]:587 compte@orange.fr:password

# build the lookup table
sudo postmap hash:/etc/postfix/sasl/orange.conf
# both files hold the password in clear: root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf.db
TLS encryption for incoming mail

/etc/postfix/main.cf
# "may": opportunistic TLS on port 25; other MTAs are not forced to use STARTTLS
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# log level (default 0)
smtpd_tls_loglevel = 1
# 0 → no log
# 1 → log the TLS handshake completion
# 2 → also log the TLS negotiation
# 3 and 4 → use level 3 only while troubleshooting; level 4 is strongly discouraged
Improve security

These restrictions apply to the port 25 service; the submission and SMTPS services below override them with the mua_* settings.

/etc/postfix/main.cf
# restrictions on the other SMTP servers that deliver mail to Postfix
# reject_unknown_client_hostname rejects any client whose IP has no PTR record pointing back to a
# matching A/AAAA record; this also hits badly configured legitimate senders,
# reject_unknown_reverse_client_hostname is the milder form (PTR must merely exist)
smtpd_client_restrictions = reject_unknown_client_hostname reject_unauth_pipelining
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender
# servers that do not send HELO/EHLO are misconfigured or sending spam
smtpd_helo_required = yes
# wait until RCPT TO before rejecting, so the log shows sender and recipient of every rejected attempt (this is the default)
smtpd_delay_reject = yes
# disable VRFY: it lets an attacker enumerate valid user accounts
disable_vrfy_command = yes
SMTP Authentication using SASL client with Dovecot

Postfix supports the Dovecot SASL (Simple Authentication and Security Layer) implementation.
Dovecot is a POP/IMAP (Post Office Protocol / Internet Message Access Protocol) server; it has its own configuration to authenticate POP/IMAP clients.
Communication between the Postfix SMTP server and Dovecot SASL happens over a UNIX-domain socket.

/etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# relative to $queue_directory, i.e. /var/spool/postfix/private/auth; Dovecot must create its auth socket there
smtpd_sasl_path = private/auth

Enabling smtpd_sasl_auth_enable in main.cf advertises AUTH on port 25 as well, before STARTTLS. Pair it with smtpd_tls_auth_only = yes (the submission service below sets it per service) so that credentials are never accepted over a plaintext session.
Allow incoming port 587 (submission)

By default Postfix listens for incoming SMTP connections on port 25 only.
In addition you can open port 587 so that mail clients can connect to send mail.
STARTTLS is used: the session starts in plain text and is upgraded to TLS; the options below make TLS mandatory and only offer AUTH once the session is encrypted.

/etc/postfix/master.cf
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

/etc/postfix/main.cf
mua_client_restrictions = permit_sasl_authenticated reject
# on the BlueMail Android app the HELO command is rejected because the client does not send a fully-qualified hostname
# mua_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname
mua_helo_restrictions = reject_invalid_helo_hostname
mua_sender_restrictions = reject_non_fqdn_sender
Allow incoming port 465 (SMTPS)

By default Postfix listens for incoming SMTP connections on port 25 only.
In addition you can open port 465 so that mail clients can connect to send mail.
Implicit TLS is used: the session is encrypted from the first byte, which is what smtpd_tls_wrappermode enables.

/etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
DKIM

If outgoing mail goes through an SMTP relay, check what the relay does with it: a relay that rewrites the message or replaces the signature with its own makes the local DKIM signature pointless, while a relay that passes the message through untouched leaves it valid.

apt install opendkim opendkim-tools

/etc/opendkim.conf
Domain domain.fr
KeyFile /etc/dkimkeys/dkim.key
# selectors are used to permit multiple keys under the same organization's domain name
Selector mail
# prevent trivial reformatting of header and body from destroying trust
Canonicalization relaxed/simple
# if Postfix is running in a chroot
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

/etc/default/opendkim
# to use a Unix socket with Postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendkim

# generate the key
opendkim-genkey -r -s mail -b 2048 -d domain.fr
# DNS record containing the public key: mail.txt
# private key: mail.private
# move the key into place
sudo mv mail.private /etc/dkimkeys/dkim.key
# the key must be readable by the opendkim user and by nobody else (opendkim:opendkim, mode 600);
# opendkim signs as that user and rejects a key that is group- or world-readable
# access rights
# add postfix to the opendkim group
sudo adduser postfix opendkim
# if Postfix is running in a chroot
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim

mail._domainkey.domain.fr. IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=xxx"
# mail: selector
# domain.fr: domain
# v: version
# h: hash algorithm
# k: key type
# s: service type
# p: base64-encoded public key

/etc/postfix/main.cf
# if Postfix is running in a chroot, the path is relative to the chroot: no / before var
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
smtpd_milters = unix:var/run/opendkim/opendkim.sock
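Before publishing the record from mail.txt, or when auditing an existing one, it is worth checking the tags and the key size rather than trusting the copy-paste. The script below is an added example written for this page, not code from the page or from OpenDKIM: it parses a `<selector>._domainkey` TXT value (including the split `"..." "..."` form that opendkim-genkey writes), validates the tags, and reads the RSA modulus size out of the base64 `p=` value with a minimal DER walker. The record name and domain are the page's placeholders; the embedded key is a constructed dummy with the right DER shape, not a real key.

```python
"""Check a DKIM TXT record: tags and RSA key size.

Added example (not from the original page or OpenDKIM): parses the record
opendkim-genkey writes to mail.txt, including the split "..." "..." form,
validates the tags and reads the modulus size from the base64 key with a
minimal DER walker.  The embedded key is a constructed dummy, not a real key.
"""
import base64
import re

def _der_encode(tag, value):
    """One DER TLV; only used to build the dummy key."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_read(buf, pos=0):
    """Read one TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus bit length from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, body, _ = _der_read(spki)                      # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_read(body)                         # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_read(body, pos)               # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("no BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr[1:])               # RSAPublicKey (skip unused-bits octet)
    tag, modulus, _ = _der_read(rsa_pub)                # modulus INTEGER
    if tag != 0x02:
        raise ValueError("no INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def fake_spki(bits):
    """Constructed SubjectPublicKeyInfo with a dummy modulus: NOT a usable key."""
    modulus = (1 << (bits - 1)) | 1                     # exactly `bits` bits
    mod = b"\x00" + modulus.to_bytes(bits // 8, "big")  # leading 0 keeps INTEGER positive
    rsa_pub = _der_encode(0x30, _der_encode(0x02, mod) + _der_encode(0x02, b"\x01\x00\x01"))
    rsa_oid = _der_encode(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    alg = _der_encode(0x30, rsa_oid + _der_encode(0x05, b""))
    return _der_encode(0x30, alg + _der_encode(0x03, b"\x00" + rsa_pub))

def parse_dkim_txt(txt):
    """'v=DKIM1; k=rsa; p=...' or the quoted split form -> {tag: value}."""
    if '"' in txt:
        txt = "".join(re.findall(r'"([^"]*)"', txt))    # resolvers concatenate the strings
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            k, _, v = item.partition("=")
            tags[k.strip()] = "".join(v.split())        # whitespace inside p= is allowed
    return tags

def check_dkim_record(name, txt, min_bits=2048):
    """Selector, domain, key size and the list of problems found."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or labels[1] != "_domainkey":
        raise ValueError("not a DKIM record name: " + name)
    tags, problems, bits = parse_dkim_txt(txt), [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type " + tags["k"])
    if not tags.get("p"):
        problems.append("empty p= means the key is revoked")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except Exception as e:                          # bad base64 or DER
            problems.append("unreadable public key: %s" % e)
        else:
            if bits < min_bits:
                problems.append("key is only %d bits (want >= %d)" % (bits, min_bits))
    return {"selector": labels[0], "domain": ".".join(labels[2:]),
            "bits": bits, "problems": problems}

def sample_record(bits=2048):
    """Constructed TXT value in the layout opendkim-genkey writes (dummy key)."""
    p = base64.b64encode(fake_spki(bits)).decode()
    return '( "v=DKIM1; h=sha256; k=rsa; s=email; " "p=%s" "%s" )' % (p[:200], p[200:])

SAMPLE_NAME = "mail._domainkey.domain.fr."

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_NAME, sample_record()))      # 2048 bits, no problems
    print(check_dkim_record(SAMPLE_NAME, sample_record(1024)))  # flags the weak key
```

To check a published record, paste the output of `dig +short TXT mail._domainkey.domain.fr` into check_dkim_record; an empty `p=` is the RFC 6376 way of saying the key is revoked, which is why it is reported as a problem rather than ignored.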
Aliases

/etc/aliases
postmaster: <user>
root: <user>

# run after modifying /etc/aliases
sudo newaliases
Transport Map & Relayhost Map

By default local mail does not go through the SMTP relay.

/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport

- mail sent to your own domain is delivered locally
- mail sent to gmail.com is delivered normally, by MX lookup
- all other mail is delivered via the relay host

/etc/postfix/transport
your-domain.com        local
gmail.com              smtp
*                      relay:[smtp-relay.sendinblue.com]:587

# build the index file
sudo postmap /etc/postfix/transport

The relay on port 587 expects authentication, so the credentials for [smtp-relay.sendinblue.com]:587 must be present in smtp_sasl_password_maps, as shown for Orange above.
Test

telnet localhost 25
ehlo localhost
# check that the following lines are shown
# 250-STARTTLS
# 250-AUTH
# (with smtpd_tls_auth_only = yes, 250-AUTH only appears after STARTTLS: use the openssl commands below)
mail from: root@domain.fr
rcpt to: user@gmail.com
data
subject: test

test
.
quit

openssl s_client -connect localhost:25 -starttls smtp
openssl s_client -connect localhost:587 -starttls smtp
# port 465 is implicit TLS: no -starttls
openssl s_client -connect localhost:465
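The manual telnet check above can be automated, and the interesting verdict is not only "is STARTTLS there" but "is AUTH offered before the session is encrypted", which is exactly what smtpd_tls_auth_only prevents. The script below is an added example written for this page, not code from the page or from Postfix: it performs the EHLO exchange like the telnet session, parses the 250 reply, and reports both points. So that it runs offline, a scripted stand-in server answers on a loopback port with two constructed EHLO replies modelled on Postfix output (one with TLS-only AUTH, one advertising AUTH in clear); the hostname mail.domain.net is the page's placeholder. Against a real server, call probe("localhost", 25).

```python
"""EHLO capability check for an SMTP port.

Added example, not code from the original page.  Automates the manual
"telnet localhost 25 / ehlo localhost" test and flags AUTH advertised on a
plaintext session (smtpd_tls_auth_only not in force).  A scripted stand-in
server on a loopback port makes it runnable offline; its replies are
constructed to look like Postfix output, not captured from a real host.
"""
import socket
import threading

# Constructed EHLO replies (mail.domain.net is the page's placeholder name).
SECURE_EHLO = [
    "250-mail.domain.net",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 CHUNKING",
]
# Same server without smtpd_tls_auth_only: AUTH is offered before STARTTLS.
WEAK_EHLO = SECURE_EHLO[:-1] + ["250-AUTH PLAIN LOGIN", "250 CHUNKING"]

def parse_ehlo(reply):
    """Lines of a 250 EHLO reply -> {KEYWORD: argument}.
    The first line carries the server name, not a capability."""
    caps = {}
    for line in reply[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("unexpected EHLO line: %r" % line)
        keyword, _, arg = rest.partition(" ")
        caps[keyword.upper()] = arg
    return caps

def audit_caps(caps):
    """The verdicts a practitioner wants from the banner."""
    auth = caps.get("AUTH", "").split()
    return {
        "starttls": "STARTTLS" in caps,
        "auth_methods": auth,
        # AUTH on a not-yet-encrypted session: PLAIN/LOGIN credentials would
        # cross the wire as trivially decodable base64.
        "auth_in_clear": bool(auth),
    }

def probe(host, port, helo_name="localhost"):
    """Open host:port, send EHLO like the manual test, return the audit."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        banner = f.readline().decode()
        if not banner.startswith("220"):
            raise RuntimeError("bad banner: " + banner.strip())
        f.write(("EHLO %s\r\n" % helo_name).encode())
        f.flush()
        reply = []
        while True:
            line = f.readline().decode().rstrip("\r\n")
            reply.append(line)
            if line[3:4] == " ":          # "250 X" closes the multi-line reply
                break
        f.write(b"QUIT\r\n")
        f.flush()
        f.readline()                      # 221 Bye
    return audit_caps(parse_ehlo(reply))

def _fake_server(srv, ehlo_lines):
    """Scripted stand-in: banner, one EHLO reply, then QUIT."""
    conn, _ = srv.accept()
    with conn:
        f = conn.makefile("rwb")
        f.write(b"220 mail.domain.net ESMTP Postfix\r\n")
        f.flush()
        f.readline()                      # EHLO localhost
        f.write(("\r\n".join(ehlo_lines) + "\r\n").encode())
        f.flush()
        f.readline()                      # QUIT
        f.write(b"221 2.0.0 Bye\r\n")
        f.flush()

def probe_scripted(ehlo_lines):
    """Run probe() against the loopback stand-in answering with ehlo_lines."""
    srv = socket.socket()
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=_fake_server, args=(srv, ehlo_lines))
    t.start()
    try:
        return probe("127.0.0.1", srv.getsockname()[1])
    finally:
        t.join()
        srv.close()

if __name__ == "__main__":
    print(probe_scripted(SECURE_EHLO))   # auth_in_clear False
    print(probe_scripted(WEAK_EHLO))     # auth_in_clear True: fix the config
```

On port 25 the expected result is starttls True and auth_in_clear False; on 587 the same, since smtpd_tls_auth_only=yes hides AUTH until after STARTTLS; port 465 cannot be probed this way because the session is TLS from the first byte (use the openssl command above).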
Log

- journalctl
- /var/log/mail.log
- /var/log/mail.err

/etc/postfix/main.cf
# TLS logging, outgoing (Postfix as client)
smtp_tls_loglevel = 1
# TLS logging, incoming (Postfix as server)
smtpd_tls_loglevel = 1
Debug: https://postfix.traduc.org/index.php/DEBUG_README.html
Mailboxes

Use Dovecot LMTP instead.

By default Postfix uses the mbox mailbox format.

/etc/postfix/main.cf
# use maildir and store mail in /home/<user>/maildir
home_mailbox = maildir/
UFW

# allow incoming SMTP (25) to receive mail from other SMTP servers
sudo ufw allow Postfix
# allow incoming submission (587) to receive mail from mail clients over STARTTLS
sudo ufw allow "Postfix Submission"
# allow incoming SMTPS (465) to receive mail from mail clients over implicit TLS
sudo ufw allow "Postfix SMTPS"
Fail2ban

/etc/fail2ban/jail.d/enabled.local
[postfix]
enabled = true
[postfix-rbl]
enabled = true

Check the mode of the postfix filter for your fail2ban version (filter.d/postfix.conf): in its default mode it matches rejected deliveries, while SASL authentication failures on the submission ports are matched by the postfix-sasl jail (mode=auth) or by mode=aggressive, so enable one of those too if password brute force against port 587/465 should be banned.
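What these jails actually do is count matching log lines per client IP inside a sliding window. The script below is an added example written for this page, not code from the page or from fail2ban: it replays constructed Postfix log lines (not captured from a real host) through simplified versions of the patterns the postfix and postfix-rbl jails look for, using fail2ban's findtime/maxretry semantics with the jail.conf defaults (findtime 10m, maxretry 5, and maxretry 1 for postfix-rbl). The sample contains a SASL brute force on the submission service, a client with no PTR rejected by the reject_unknown_client_hostname restriction from the "Improve security" section, a DNSBL hit, and slow guesses from a second IP that stay under the threshold; the year is assumed because syslog lines carry none.

```python
"""Fail2ban-style detection replayed over Postfix log lines.

Added example, not taken from the original page or from fail2ban.  The
regexes are simplified versions of what the postfix and postfix-rbl jails
look for; the window logic follows fail2ban's findtime/maxretry semantics
(jail.conf defaults: findtime 10m, maxretry 5; postfix-rbl uses maxretry 1).
The log lines are constructed, not captured; the year is assumed because
syslog timestamps carry none.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FINDTIME = 600   # seconds, fail2ban default findtime = 10m
MAXRETRY = 5     # fail2ban default maxretry
YEAR = 2023      # assumed; syslog lines have no year

# Constructed sample: SASL brute force on submission, a client without PTR
# rejected by reject_unknown_client_hostname (450 = default
# unknown_client_reject_code), a DNSBL hit, and slow guesses from 203.0.113.9.
SAMPLE_LOG = """\
Sep  4 12:57:01 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 12:57:03 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep  4 12:57:05 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 12:57:08 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 12:57:09 mail postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<user@domain.fr> proto=ESMTP helo=<host>
Sep  4 12:57:12 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 13:02:00 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.20]: 554 5.7.1 Service unavailable; Client host [192.0.2.20] blocked using zen.spamhaus.org; from=<x@example.net> to=<user@domain.fr> proto=ESMTP helo=<mx.example.net>
Sep  4 13:05:00 mail postfix/smtps/smtpd[2320]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 13:20:00 mail postfix/smtps/smtpd[2321]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 13:35:00 mail postfix/smtps/smtpd[2322]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 13:50:00 mail postfix/smtps/smtpd[2323]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  4 14:05:00 mail postfix/smtps/smtpd[2324]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

IP = r"(?P<ip>[0-9a-fA-F.:]+)"
PATTERNS = {
    "postfix": [
        # password guessing against the submission / smtps services
        re.compile(r"postfix/\S*smtpd\[\d+\]: warning: \S+\[" + IP + r"\]: SASL \w+ authentication failed"),
        # any 4xx/5xx rejection at RCPT; smtpd_delay_reject = yes is why from=/to= appear
        re.compile(r"postfix/\S*smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + IP + r"\]: [45]\d\d "),
    ],
    "postfix-rbl": [
        # client listed on a DNS blocklist (reject_rbl_client)
        re.compile(r"postfix/\S*smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + IP + r"\]: 554 5\.7\.1 .*blocked using "),
    ],
}

def parse_ts(line):
    """'Sep  4 12:57:01 ...' -> datetime (year assumed)."""
    return datetime.strptime("%d %s" % (YEAR, line[:15]), "%Y %b %d %H:%M:%S")

def match(line, jail):
    """The offending IP if the line matches one of the jail's patterns, else None."""
    for pat in PATTERNS[jail]:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None

def scan(lines, jail, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines through a sliding window per source IP.

    Returns {ip: datetime of the hit that triggered the ban} for every IP
    that reached `maxretry` matches inside `findtime` seconds."""
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        ip = match(line, jail)
        if ip is None or ip in bans:
            continue
        ts = parse_ts(line)
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # expire old hits
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

def run_demo(log=SAMPLE_LOG):
    """Both jails over the sample, with the jail.conf maxretry of each."""
    lines = log.splitlines()
    return {"postfix": scan(lines, "postfix"),
            "postfix-rbl": scan(lines, "postfix-rbl", maxretry=1)}

if __name__ == "__main__":
    for jail, bans in run_demo().items():
        for ip, when in bans.items():
            print("%-12s ban %s at %s" % (jail, ip, when.time()))
```

203.0.113.5 is banned at the fifth failure (12:57:12), 192.0.2.20 at its single DNSBL hit, while 203.0.113.9 never accumulates five hits inside ten minutes and the lone PTR-less client stays under the threshold; a real jail also has bantime and the fail2ban-client unban path, which this replay leaves out.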
Installation

apt install postfix
# General type of mail configuration: Internet site
# System mail name: domain.fr
Errors

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information 550 5.7.1 .

Google rejects mail delivered over IPv6 when the sending address has no PTR record matching its hostname and the message carries no valid SPF/DKIM. The quick workaround below is to deliver over IPv4 only; the proper fix is a reverse DNS entry for the IPv6 address plus SPF and DKIM.

/etc/postfix/main.cf
inet_protocols = ipv4