« Postfix et ubuntu » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
 
(85 versions intermédiaires par le même utilisateur non affichées)
Ligne 4 : Ligne 4 :
* [https://help.ubuntu.com/lts/serverguide/postfix.html Email server guide]
* [https://help.ubuntu.com/lts/serverguide/postfix.html Email server guide]
* [https://wiki.archlinux.org/index.php/Postfix Postfix on Archlinux]
* [https://wiki.archlinux.org/index.php/Postfix Postfix on Archlinux]
* [https://www.mail-tester.com Mail tester]
= Description =
Postfix is a SMTP (Simple Mail Transfer Protocol) server.
== Ports ==
{| class="wikitable wtp"
! port
! description
|-
| 587 incoming || standard port for email submission by mail clients. StartTLS protocol.
|-
| 465 incoming || SMTP with TLS encryption (deprecated)
|-
| 25 incoming || mandatory port to receive emails from other SMTP servers
|-
| 25 outgoing || mandatory port to send emails to other SMTP servers
|}


= Commands =
= Commands =
Ligne 22 : Ligne 40 :
= [http://www.postfix.org/BASIC_CONFIGURATION_README.html Basic Configuration] =
= [http://www.postfix.org/BASIC_CONFIGURATION_README.html Basic Configuration] =
<filebox fn='/etc/postfix/main.cf' lang='bash'>
<filebox fn='/etc/postfix/main.cf' lang='bash'>
mydomain = domain.net
# mydomain = localdomain (localdomain is replaced during installation)
# mydomain = localdomain (localdomain is replaced during installation)
# defined during installation but not found in the main.cf file
mydomain = domain.fr


myhostname = mail.domain.net
# myhostname = <hostname>.localdomain
# myhostname = <hostname>.localdomain
# redefine if the hostname is not mail
myhostname = mail.domain.fr


# domain name to use in outbound mail, ex: user@myorigin
# domain name to use in outbound mail, ex: user@myorigin
Ligne 40 : Ligne 56 :
# mydestination = $myhostname, localhost.$mydomain, localhost
# mydestination = $myhostname, localhost.$mydomain, localhost


alias_maps = hash:/etc/aliases
# alias_maps = hash:/etc/aliases, nis:mail.aliases
# forward mail from the local machine only
mynetworks_style = host
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# compatibility_level = 0
# compatibility_level = 0
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# forward mail from only the local machine
mynetworks_style = host


# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
Ligne 49 : Ligne 68 :
relay_domains =  
relay_domains =  


# delivery method: direct or indirect (another smtp server)
relayhost = [smtp.internet-provider.fr]
# relayhost =  (direct delivery to Internet)
# relayhost =  (direct delivery to Internet)
relayhost = [smtp.internet-provider.fr]
</filebox>
</filebox>


== hostname ==
== hostname ==
{{warn | Not sure that it is needed if localhost is used.}}
<kode lang='bash'>
<kode lang='bash'>
# current hostname
# current hostname
Ligne 71 : Ligne 92 :
</kode>
</kode>


= SMTP AUTH using SASL =
= [https://help.ubuntu.com/community/Postfix#Configuration TLS encryption for outgoing mail] =
<filebox fn='/etc/postfix/main.cf' lang='bash'>
<filebox fn='/etc/postfix/main.cf' lang='bash'>
smtpd_sasl_local_domain =  # default value
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtpd_sasl_security_options = noanonymous  # default value
smtp_tls_note_starttls_offer = yes
broken_sasl_auth_clients = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
inet_interfaces = all
</filebox>
</filebox>


<filebox fn='/etc/postfix/sasl/smtpd.conf'>
== [https://www.smtp2go.com SMTP2GO] ==
pwcheck_method: saslauthd
{{warn | La box d’Orange bloque le port 25 en sortie ipv4 pour limiter l’envoi de spam.<br>
mech_list: plain login
L'envoie d'email doit donc se faire via un relais smtp.}}
 
# create an account on SMTP2GO
# go to your domain registrar (OVH) to add DNS entry
# create an SMTP account on SMTP2GO and use it in the following config files
 
<filebox fn='/etc/postfix/main.cf' lang='bash'>
# TLS encryption outgoing mail
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/smtp2go.conf
smtp_sasl_security_options = noanonymous
header_size_limit = 4096000
relayhost = [mail.smtp2go.com]:2525
relay_destination_concurrency_limit = 20
</filebox>
</filebox>


= [https://help.ubuntu.com/community/PostfixDovecotSASL#Postfix Use dovecot] =
<filebox fn='/etc/postfix/sasl/smtp2go.conf'>
<filebox fn='/etc/postfix/main.cf'>
[mail.smtp2go.com]:2525 USER:PASSWORD
smtpd_sasl_type = dovecot
#smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_path = private/auth
</filebox>
</filebox>


= TLS encryption =
<kode lang='bash'>
# create the db
sudo postmap hash:/etc/postfix/sasl/smtp2go.conf
sudo chmod 600 /etc/postfix/sasl/smtp2go.conf    # root:root 600
sudo chmod 600 /etc/postfix/sasl/smtp2go.conf.db  # root:root 600
</kode>
 
* [https://communaute.orange.fr/t5/mon-mail-Orange/Relais-SMTP-quot-%C3%A9metteur-invalide-quot/td-p/3154356/page/4 CONTOURNEMENT SMTP ORANGE]
* [https://www.smtp2go.com/setupguide/postfix Setting up Postfix Smarthost with SMTP2GO]
 
== [http://arobaseinformatique.eklablog.com/configurer-postfix-pour-le-smtp-authentifie-orange-a128181854 Orange] ==
{{warn | Orange n’autorise plus l'envoie d'email provenant d'un autre domaine via son relais smtp.}}
{{warn | La box d’Orange bloque le port 25 en sortie ipv4 pour limiter l’envoi de spam.<br>
L'envoie d'email doit donc se faire via le smtp d'orange.}}
 
<filebox fn='/etc/postfix/main.cf' lang='bash'>
<filebox fn='/etc/postfix/main.cf' lang='bash'>
smtpd_use_tls=yes
relayhost = [smtp.orange.fr]:587
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# smtp_sasl_security_options = noplaintext, noanonymous
 
#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain = $myhostname
</filebox>
 
<filebox fn='/etc/postfix/sasl/orange.conf'>
[smtp.orange.fr]:587 compte@orange.fr:password
</filebox>
 
<kode lang='bash'>
# générer la db
sudo postmap hash:/etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf    # root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf.db  # root:root 600
</kode>


smtp_tls_security_level = may
= [https://help.ubuntu.com/community/Postfix#Configuration TLS encryption for incoming mail] =
<filebox fn='/etc/postfix/main.cf' lang='bash'>
smtpd_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no  # default value
smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
smtp_tls_note_starttls_offer = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem


smtpd_tls_key_file = /etc/letsencrypt/live/domain.fr/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.fr/fullchain.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache


# log level (default 0)
# log level (default 0)
Ligne 114 : Ligne 174 :
# 2 → Also log levels during TLS negotiation
# 2 → Also log levels during TLS negotiation
# 3 and 4. Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.
# 3 and 4. Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.
</filebox>
== Improve security ==
<filebox fn='/etc/postfix/main.cf' lang='bash'>
# restriction for the others SMTP servers who deliver emails to postfix
smtpd_client_restrictions = reject_unknown_client_hostname reject_unauth_pipelining
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender
# servers that are not using helo are not properly configured or sending spam
smtpd_helo_required = yes
# allow to log recipient address information when the connected client breaks any of the reject rules
smtpd_delay_reject = yes


smtpd_tls_received_header = yes
# disable VRFY (verify), allows brute force attack on user accounts
smtpd_tls_session_cache_timeout = 3600s  # default value
disable_vrfy_command = yes
tls_random_source = dev:/dev/urandom  # default value
</filebox>
 
= [https://help.ubuntu.com/community/PostfixDovecotSASL#Postfix SMTP Authentication using SASL client with Dovecot] =
Postfix supports the Dovecot SASL (Simple Authentication and Security Layer) [https://www.postfix.org/SASL_README.html implementation].<br>
Dovecot is a POP/IMAP (Post Office Protocol / Interactive Message Access Protocol) server, it has its own configuration to authenticate POP/IMAP clients.<br>
Communication between the Postfix SMTP server and Dovecot SASL happens over a [[Dovecot#SASL_client_authentication|UNIX-domain socket]].
 
<filebox fn='/etc/postfix/main.cf' lang='ini'>
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_path = private/auth
</filebox>
</filebox>


= Allow incoming port 587 (submission) =
By default Postfix listen incoming STMP client connections from port 25.<br>
In addition you may allow the port 587 to receive incoming connections from SMTP client to send emails.<br>
StartTLS protocol is used: communications start in plain text and if possible, upgrades to TLS.
<filebox fn='/etc/postfix/master.cf' lang='bash'>
<filebox fn='/etc/postfix/master.cf' lang='bash'>
submission inet n      -      y      -      -      smtpd
submission inet n      -      y      -      -      smtpd
Ligne 127 : Ligne 215 :
   -o smtpd_tls_auth_only=yes
   -o smtpd_tls_auth_only=yes
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
</filebox>
 
<filebox fn='/etc/postfix/main.cf' lang='bash'>
mua_client_restrictions = permit_sasl_authenticated reject
# on BlueMail Android app, Helo command rejected, need fully-qualified hostname
# mua_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname
mua_helo_restrictions = reject_invalid_helo_hostname
mua_sender_restrictions = reject_non_fqdn_sender
</filebox>
 
= Allow incoming port 465 (SMTPS) =
By default Postfix listen incoming STMP client connections from port 25.<br>
In addition you may allow the port 465 to receive incoming connections from SMTP client to send emails.<br>
Implicit TLS protocol is used: communications start encrypted with TLS.
<filebox fn='/etc/postfix/master.cf' lang='bash'>
smtps    inet n      -      y      -      -      smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
Ligne 136 : Ligne 250 :


= [https://help.ubuntu.com/community/Postfix/DKIM DKIM] =
= [https://help.ubuntu.com/community/Postfix/DKIM DKIM] =
{{info | Useless if a SMTP relay is used because it will be the DKIM of the SMTP relay which will be used at the end.}}
<kode lang='bash'>
<kode lang='bash'>
apt install opendkim opendkim-tools
apt install opendkim opendkim-tools
Ligne 193 : Ligne 308 :
* [https://wiki.archlinux.org/index.php/OpenDKIM OpenDKIM on Archlinux]
* [https://wiki.archlinux.org/index.php/OpenDKIM OpenDKIM on Archlinux]
* [https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki Error: connect to Milter service No such file or directory]
* [https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki Error: connect to Milter service No such file or directory]
= [http://arobaseinformatique.eklablog.com/configurer-postfix-pour-le-smtp-authentifie-orange-a128181854 Orange] =
{{warn | La box d’Orange bloque le port 25 pour limiter l’envoi de spam.<br>
L'envoie d'email doit donc se faire via le smtp d'orange.}}
<filebox fn='/etc/postfix/main.cf' lang='bash'>
relayhost = [smtp.orange.fr]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
</filebox>
<filebox fn='/etc/postfix/sasl/orange.conf'>
[smtp.orange.fr]:587 compte@orange.fr:password
</filebox>
<kode lang='bash'>
# générer la db
sudo postmap hash:/etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf    # root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf.db  # root:root 600
</kode>


= Aliases =
= Aliases =
Ligne 227 : Ligne 318 :
# run after modification of the file /etc/aliases
# run after modification of the file /etc/aliases
sudo newaliases
sudo newaliases
</kode>
= [https://www.linuxbabe.com/mail-server/postfix-transport-map-relay-map-flexible-email-delivery Transport Map & Relayhost Map] =
{{info | By default the local emails don't go through the SMTP relay.}}
<filebox fn='/etc/postfix/main.cf'>
transport_maps = hash:/etc/postfix/transport
</filebox>
* emails sent to your own domain are delivered locally
* email sent to gmail.com are delivered normally by performing MX lookup
* all other emails are delivered via the relay host
<filebox fn='/etc/postfix/transport'>
your-domain.com      local
gmail.com            smtp
*                    relay:[smtp-relay.sendinblue.com]:587
</filebox>
<kode lang='bash'>
# build the index file
sudo postmap /etc/postfix/transport
</kode>
</kode>


Ligne 243 : Ligne 354 :
.
.
quit
quit
</kode>
<kode lang='bash'>
openssl s_client -connect localhost:25 -starttls smtp
openssl s_client -connect localhost:587 -starttls smtp
openssl s_client -connect localhost:465 -starttls smtp
</kode>
</kode>


Ligne 249 : Ligne 366 :
* {{boxx|/var/log/mail.log}}
* {{boxx|/var/log/mail.log}}
* {{boxx|/var/log/mail.err}}
* {{boxx|/var/log/mail.err}}
<filebox fn='/etc/postfix/main.cf' lang='bash'>
# TLS logging outgoing
smtp_tls_loglevel = 1
# TLS logging incoming
smtpd_tls_loglevel = 1
</filebox>
= [https://postfix.traduc.org/index.php/DEBUG_README.html Debug] =


= Mailboxes =
= Mailboxes =
{{info | Use [[Dovecot#Postfix_and_Dovecot_LMTP|Dovecot LMTP instead.]]}}
By default Postifx will use {{boxx|mbox}} for the mailbox format.
By default Postifx will use {{boxx|mbox}} for the mailbox format.
<filebox fn='/etc/postfix/main.cf'>
<filebox fn='/etc/postfix/main.cf' lang='bash'>
# use maildir and store emails in the /home/<user>/maildir directory
# use maildir and store emails in the /home/<user>/maildir directory
home_mailbox = maildir/
home_mailbox = maildir/
mailbox_command =  # default value
</filebox>
</filebox>


= UFW =
= UFW =
<kode lang='bash'>
<kode lang='bash'>
# allow incoming SMTP (25) to receive emails
# allow incoming SMTP (25) to receive emails from other SMTP servers
sudo ufw allow Postfix
sudo ufw allow Postfix
# allow incoming SMTP (587) to receive emails from SMTP client over StartTLS
sudo ufw allow "Postfix Submission"
# allow incoming SMTPs (465) to receive emails from SMTP client over TLS
sudo ufw allow "Postfix SMTPS"
</kode>
</kode>
= [[Fail2ban]] =
<filebox fn='/etc/fail2ban/jail.d/enabled.local' lang='ini'>
[postfix]
enabled = true
[postfix-rbl]
enabled = true
</filebox>


= Installation =
= Installation =

Dernière version du 2 novembre 2024 à 23:19

Liens

Description

Postfix is a SMTP (Simple Mail Transfer Protocol) server.

Ports

port description
587 incoming standard port for email submission by mail clients. StartTLS protocol.
465 incoming SMTP with TLS encryption (deprecated)
25 incoming mandatory port to receive emails from other SMTP servers
25 outgoing mandatory port to send emails to other SMTP servers

Commands

Bash.svg
# vérifier la configuration
sudo postfix check

# recharger la configuration
sudo postfix reload

# affiche les paramètres actuels de Postfix
postconf -pf

# affiche les paramètres par défaut
postconf -df

Basic Configuration

/etc/postfix/main.cf
mydomain = domain.net
# mydomain = localdomain (localdomain is replaced during installation)

myhostname = mail.domain.net
# myhostname = <hostname>.localdomain

# domain name to use in outbound mail, ex: user@myorigin
# send mail as user@$mydomain
myorigin = $mydomain
# myorigin = $myhostname

# domains to receive mail for
# add $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
# mydestination = $myhostname, localhost.$mydomain, localhost

alias_maps = hash:/etc/aliases
# alias_maps = hash:/etc/aliases, nis:mail.aliases

# forward mail from the local machine only
mynetworks_style = host
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# compatibility_level = 0

# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
# never forward mail from strangers
relay_domains = 

# delivery method: direct or indirect (another smtp server)
relayhost = [smtp.internet-provider.fr]
# relayhost =   (direct delivery to Internet)

hostname

Not sure that it is needed if localhost is used.
Bash.svg
# current hostname
hostnamectl status

sudo hostnamectl set-hostname mail.domain.fr
/etc/hosts
127.0.0.1    localhost mail.domain.fr
::1          localhost ip6-localhost ip6-loopback mail.domain.fr
Bash.svg
# re-login to see the changes then run
hostname -f

TLS encryption for outgoing mail

/etc/postfix/main.cf
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

SMTP2GO

La box d’Orange bloque le port 25 en sortie ipv4 pour limiter l’envoi de spam.
L'envoie d'email doit donc se faire via un relais smtp.
  1. create an account on SMTP2GO
  2. go to your domain registrar (OVH) to add DNS entry
  3. create an SMTP account on SMTP2GO and use it in the following config files
/etc/postfix/main.cf
# TLS encryption outgoing mail
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/smtp2go.conf
smtp_sasl_security_options = noanonymous
header_size_limit = 4096000
relayhost = [mail.smtp2go.com]:2525
relay_destination_concurrency_limit = 20
/etc/postfix/sasl/smtp2go.conf
[mail.smtp2go.com]:2525 USER:PASSWORD
Bash.svg
# create the db
sudo postmap hash:/etc/postfix/sasl/smtp2go.conf
sudo chmod 600 /etc/postfix/sasl/smtp2go.conf     # root:root 600
sudo chmod 600 /etc/postfix/sasl/smtp2go.conf.db  # root:root 600

Orange

Orange n’autorise plus l'envoie d'email provenant d'un autre domaine via son relais smtp.
La box d’Orange bloque le port 25 en sortie ipv4 pour limiter l’envoi de spam.
L'envoie d'email doit donc se faire via le smtp d'orange.
/etc/postfix/main.cf
relayhost = [smtp.orange.fr]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# smtp_sasl_security_options = noplaintext, noanonymous

#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain = $myhostname
/etc/postfix/sasl/orange.conf
[smtp.orange.fr]:587 compte@orange.fr:password
Bash.svg
# générer la db
sudo postmap hash:/etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf     # root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf.db  # root:root 600

TLS encryption for incoming mail

/etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem

smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# log level (default 0)
smtpd_tls_loglevel = 1
# 0 → no log
# 1 → Log on TLS handshake completion
# 2 → Also log levels during TLS negotiation
# 3 and 4. Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.

Improve security

/etc/postfix/main.cf
# restriction for the others SMTP servers who deliver emails to postfix
smtpd_client_restrictions = reject_unknown_client_hostname reject_unauth_pipelining
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender

# servers that are not using helo are not properly configured or sending spam
smtpd_helo_required = yes
# allow to log recipient address information when the connected client breaks any of the reject rules
smtpd_delay_reject = yes

# disable VRFY (verify), allows brute force attack on user accounts
disable_vrfy_command = yes

SMTP Authentication using SASL client with Dovecot

Postfix supports the Dovecot SASL (Simple Authentication and Security Layer) implementation.
Dovecot is a POP/IMAP (Post Office Protocol / Interactive Message Access Protocol) server, it has its own configuration to authenticate POP/IMAP clients.
Communication between the Postfix SMTP server and Dovecot SASL happens over a UNIX-domain socket.

/etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_path = private/auth

Allow incoming port 587 (submission)

By default Postfix listen incoming STMP client connections from port 25.
In addition you may allow the port 587 to receive incoming connections from SMTP client to send emails.
StartTLS protocol is used: communications start in plain text and if possible, upgrades to TLS.

/etc/postfix/master.cf
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
/etc/postfix/main.cf
mua_client_restrictions = permit_sasl_authenticated reject
# on BlueMail Android app, Helo command rejected, need fully-qualified hostname
# mua_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname
mua_helo_restrictions = reject_invalid_helo_hostname
mua_sender_restrictions = reject_non_fqdn_sender

Allow incoming port 465 (SMTPS)

By default Postfix listen incoming STMP client connections from port 25.
In addition you may allow the port 465 to receive incoming connections from SMTP client to send emails.
Implicit TLS protocol is used: communications start encrypted with TLS.

/etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

DKIM

Useless if a SMTP relay is used because it will be the DKIM of the SMTP relay which will be used at the end.
Bash.svg
apt install opendkim opendkim-tools
/etc/opendkim.conf
Domain        domain.fr
KeyFile       /etc/dkimkeys/dkim.key
# selectors are used to permit multiple keys under the same organization's domain name
Selector      mail
# prevent trivial reformatting in header and body destroying trust
Canonicalization    relaxed/simple
# if postfix is running in chroot
Socket    local:/var/spool/postfix/var/run/opendkim/opendkim.sock
/etc/default/opendkim
# to use a Unix socket with postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendkim
Bash.svg
# generate the key
opendkim-genkey -r -s mail -b 2048 -d domain.fr
# DNS record containing the public key: mail.txt
# private key: mail.private

# copy the key
sudo mv mail.private /etc/dkimkeys/dkim.key
# check the owner of the file (root:root 600)

# configuration des droits d'accès
# add postfix in the opendkim group
sudo adduser postfix opendkim
# if postfix is running in chroot
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
Dns.svg
mail._domainkey.domain.fr. IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=xxx";
# mail: selector
# domain.fr: domain
# v: version
# h: hash / algorithme
# k: type de clé
# s: type de service
# p: clé publique base64
/etc/postfix/main.cf
# if postfix is running in chroot, there is no / before var
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
smtpd_milters = unix:var/run/opendkim/opendkim.sock

Aliases

/etc/aliases
postmaster: <user>
root:       <user>
Bash.svg
# run after modification of the file /etc/aliases
sudo newaliases

Transport Map & Relayhost Map

By default the local emails don't go through the SMTP relay.
/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
  • emails sent to your own domain are delivered locally
  • email sent to gmail.com are delivered normally by performing MX lookup
  • all other emails are delivered via the relay host
/etc/postfix/transport
your-domain.com       local 
gmail.com             smtp
*                     relay:[smtp-relay.sendinblue.com]:587
Bash.svg
# build the index file
sudo postmap /etc/postfix/transport

Test

Bash.svg
telnet localhost 25
ehlo localhost
# vérifier que les lignes suivantes sont bien affichées
# 250-STARTTLS
# 250-AUTH
mail from: root@domain.fr
rcpt to: user@gmail.com
data
subject: test
test
.
quit
Bash.svg
openssl s_client -connect localhost:25 -starttls smtp
openssl s_client -connect localhost:587 -starttls smtp
openssl s_client -connect localhost:465 -starttls smtp

Log

  • journalctl
  • /var/log/mail.log
  • /var/log/mail.err
/etc/postfix/main.cf
# TLS logging outgoing
smtp_tls_loglevel = 1
# TLS logging incoming
smtpd_tls_loglevel = 1

Debug

Mailboxes

Use Dovecot LMTP instead.

By default Postifx will use mbox for the mailbox format.

/etc/postfix/main.cf
# use maildir and store emails in the /home/<user>/maildir directory
home_mailbox = maildir/

UFW

Bash.svg
# allow incoming SMTP (25) to receive emails from other SMTP servers
sudo ufw allow Postfix

# allow incoming SMTP (587) to receive emails from SMTP client over StartTLS
sudo ufw allow "Postfix Submission"

# allow incoming SMTPs (465) to receive emails from SMTP client over TLS
sudo ufw allow "Postfix SMTPS"

Fail2ban

/etc/fail2ban/jail.d/enabled.local
[postfix]
enabled = true

[postfix-rbl]
enabled = true

Installation

Bash.svg
apt install postfix
# General type or mail configuration: Internet site
# System mail name: domain.fr

Erreurs

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information 550 5.7.1 .
/etc/postfix/main.cf
inet_protocols = ipv4