Postfix and Ubuntu
From Banane Atomic
Revision of 3 September 2023 at 11:19
Links
Description
Postfix is an SMTP (Simple Mail Transfer Protocol) server.
Ports
- incoming 25: receive mail from other SMTP servers
- outgoing 25: send mail to other SMTP servers (or to the relayhost, which usually listens on 587)
- incoming 25: also lets mail clients connect and submit mail
- incoming 587 (submission): the port mail clients should use; it is meant to require STARTTLS and SASL authentication rather than to accept mail from anyone
Commands
    # check the configuration
    sudo postfix check
    # reload the configuration
    sudo postfix reload
    # show all current Postfix parameters (explicit and default values)
    postconf -pf
    # show the default values
    postconf -df
postconf -n lists only the parameters set explicitly in main.cf, which is the most useful view when reviewing a configuration.
Basic Configuration
/etc/postfix/main.cf (commented lines show the default value):
    mydomain = domain.net
    # mydomain = localdomain (localdomain is replaced during installation)
    myhostname = mail.domain.net
    # myhostname = <hostname>.localdomain
    # domain name to use in outbound mail, ex: user@myorigin
    # send mail as user@$mydomain
    myorigin = $mydomain
    # myorigin = $myhostname
    # domains to receive mail for
    # add $mydomain
    mydestination = $myhostname localhost.$mydomain localhost $mydomain
    # mydestination = $myhostname, localhost.$mydomain, localhost
    alias_maps = hash:/etc/aliases
    # alias_maps = hash:/etc/aliases, nis:mail.aliases
    # trust only the local machine: $mynetworks is the local host, so only local clients may relay through permit_mynetworks
    mynetworks_style = host
    # mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
    # compatibility_level = 0
    # relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
    # never relay mail for strangers: no external domain is accepted for relaying
    relay_domains =
    # delivery method: direct, or indirect through another SMTP server
    relayhost = [smtp.internet-provider.fr]
    # relayhost = (direct delivery to the Internet)
hostname
Postfix derives the default myhostname from the system's fully-qualified hostname, so this step only matters when myhostname is not set explicitly in main.cf.
    # current hostname
    hostnamectl status
    sudo hostnamectl set-hostname mail.domain.fr
/etc/hosts:
    127.0.0.1 localhost mail.domain.fr
    ::1 localhost ip6-localhost ip6-loopback mail.domain.fr
    # log in again to see the change, then run
    hostname -f
TLS encryption for outgoing mail
/etc/postfix/main.cf:
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
encrypt refuses to deliver unless the remote server offers STARTTLS. That is the right choice when everything goes through a relayhost; for direct delivery to arbitrary MX hosts use may, since many of them still do not offer TLS and mail would otherwise stay in the queue. Note that encrypt does not verify the relay's certificate: to make sure the SASL password of the next section is not handed to a man-in-the-middle, use secure together with smtp_tls_CAfile pointing at the system CA bundle.
Orange
Orange's box blocks outgoing port 25 over IPv4 to limit spam, so mail has to be sent through Orange's SMTP server.
/etc/postfix/main.cf:
    relayhost = [smtp.orange.fr]:587
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    # smtp_sasl_security_options = noplaintext, noanonymous
    #broken_sasl_auth_clients = yes
    #smtpd_sasl_local_domain = $myhostname
noplaintext would forbid PLAIN and LOGIN, which is what most providers offer, so it is only workable if the password never leaves the machine in clear: with smtp_tls_security_level = encrypt the mechanism is negotiated inside TLS, and smtp_sasl_tls_security_options (which defaults to smtp_sasl_security_options) is the setting that applies to TLS sessions.
/etc/postfix/sasl/orange.conf (the key must be exactly the relayhost value, brackets and port included):
    [smtp.orange.fr]:587 compte@orange.fr:password
    # build the db
    sudo postmap hash:/etc/postfix/sasl/orange.conf
    sudo chmod 600 /etc/postfix/sasl/orange.conf      # root:root 600
    sudo chmod 600 /etc/postfix/sasl/orange.conf.db   # root:root 600
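The three things that go wrong with a relay password map are a key that does not match relayhost character for character, a .db that was not rebuilt after the text file was edited, and a clear-text password readable by other users. The script below is an added example (not from this page or from Postfix) that checks all three; the relayhost value and file paths are the ones used above and are assumptions.

```shell
#!/bin/sh
# Consistency checks on the credentials Postfix looks up when it connects to $relayhost.
# Added example; the relayhost value and map path passed in are assumptions.

# 0 if the password map has a key that exactly matches relayhost (brackets and
# port included), its .db is not older than the text file, and both are mode 600.
check_relay_credentials() {
    relayhost=$1      # value of relayhost in main.cf, e.g. '[smtp.orange.fr]:587'
    map=$2            # plain-text file behind smtp_sasl_password_maps
    status=0

    # Postfix looks up the next-hop string verbatim: '[smtp.orange.fr]:587'
    # does not match a line keyed 'smtp.orange.fr' or '[smtp.orange.fr]'.
    if ! awk -v key="$relayhost" '$1 == key { found = 1 } END { exit found ? 0 : 1 }' "$map"; then
        echo "no entry for $relayhost in $map (key must match relayhost exactly)"
        status=1
    fi

    # The .db is what Postfix reads; editing the text file without postmap changes nothing.
    if [ ! -f "$map.db" ]; then
        echo "$map.db missing: run postmap hash:$map"
        status=1
    elif [ "$map" -nt "$map.db" ]; then
        echo "$map.db is older than $map: run postmap hash:$map again"
        status=1
    fi

    # Both files hold the clear-text password.
    for f in "$map" "$map.db"; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "$f is mode $mode, expected 600"
            status=1
        fi
    done
    return $status
}

# Usage on the configuration above:
#   check_relay_credentials "$(postconf -h relayhost)" /etc/postfix/sasl/orange.conf
```

postconf -h prints only the value of the parameter, which is convenient for feeding the exact relayhost string into the check.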
TLS encryption for incoming mail
/etc/postfix/main.cf:
    smtpd_tls_security_level = may
    #smtpd_tls_auth_only = no
    smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
    smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    # log level (default 0)
    smtpd_tls_loglevel = 1
    # 0 → no log
    # 1 → log on TLS handshake completion
    # 2 → also log levels during TLS negotiation
    # 3 and 4: use log level 3 only in case of problems; use of log level 4 is strongly discouraged
may is correct on port 25, where other mail servers must still be able to deliver without TLS. Once SASL authentication is enabled (next section), set smtpd_tls_auth_only = yes so that AUTH is only advertised after STARTTLS and no client can send its password in clear text.
SMTP Authentication using SASL client with Dovecot
Postfix supports the Dovecot SASL (Simple Authentication and Security Layer) implementation.
Dovecot is a POP/IMAP (Post Office Protocol / Internet Message Access Protocol) server; it has its own configuration for authenticating POP/IMAP clients, and Postfix reuses that authentication backend.
Communication between the Postfix SMTP server and Dovecot SASL happens over a UNIX-domain socket.
/etc/postfix/main.cf:
    smtpd_sasl_type = dovecot
    smtpd_sasl_auth_enable = yes
    # order matters: authenticated clients and local clients may relay, everyone else only to $mydestination
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    # relative to $queue_directory, so it works with a chrooted smtpd
    smtpd_sasl_path = private/auth
On the Dovecot side the socket is declared as a unix_listener named /var/spool/postfix/private/auth in the auth service (conf.d/10-master.conf), owned by the postfix user with mode 0660, so that only Postfix can talk to the authentication service.
DKIM
apt install opendkim opendkim-tools |
/etc/opendkim.conf:
    Domain domain.fr
    KeyFile /etc/dkimkeys/dkim.key
    # selectors are used to permit multiple keys under the same organization's domain name
    Selector mail
    # prevent trivial reformatting in header and body from destroying trust
    Canonicalization relaxed/simple
    # if postfix is running in a chroot
    Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
/etc/default/opendkim:
    # to use a Unix socket with postfix in a chroot:
    RUNDIR=/var/spool/postfix/var/run/opendkim
    # generate the key
    opendkim-genkey -r -s mail -b 2048 -d domain.fr
    # DNS record containing the public key: mail.txt
    # private key: mail.private
    # move the key into place
    sudo mv mail.private /etc/dkimkeys/dkim.key
    # the key is read by the user opendkim runs as, and by nobody else (opendkim:opendkim 600)
    sudo chown opendkim:opendkim /etc/dkimkeys/dkim.key
    sudo chmod 600 /etc/dkimkeys/dkim.key
    # access rights: add postfix to the opendkim group so it can reach the socket
    sudo adduser postfix opendkim
    # if postfix is running in a chroot
    sudo mkdir -p /var/spool/postfix/var/run/opendkim
    sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
DNS record to publish (content of mail.txt):
    mail._domainkey.domain.fr. IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=xxx"
    # mail: selector
    # domain.fr: domain
    # v: version
    # h: hash algorithm
    # k: key type
    # s: service type
    # p: base64 public key
A 2048-bit key makes the record longer than 255 characters, so it is published and returned as several quoted strings that the verifier concatenates.
/etc/postfix/main.cf:
    # if postfix is running in a chroot, there is no / before var
    non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
    smtpd_milters = unix:var/run/opendkim/opendkim.sock
milter_default_action defaults to tempfail, so mail is deferred (not lost) while opendkim is down; check the mail log if messages suddenly stay in the queue.
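The check a practitioner wants after the DKIM steps above is that the key DNS serves is the one opendkim signs with, including the multi-string TXT case. The script below is an added example (not from this page, OpenDKIM or Postfix): it rebuilds the p= value from a public key and compares it with a dig answer. The key and the dig output embedded in it are constructed samples, not a real key; the file paths and the domain follow the configuration above and are assumptions.

```shell
#!/bin/sh
# Compare the DKIM public key we hold with the one published in DNS.
# Added example; key material and dig output below are constructed samples.

# Public key in PEM form. opendkim-genkey writes it into mail.txt; it can also be
# recomputed from the private key:  openssl rsa -in /etc/dkimkeys/dkim.key -pubout
# Constructed sample (not a valid key), shortened to keep the example readable.
SAMPLE_PUBKEY_PEM='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
c29tZSBmYWtlIGtleSBtYXRlcmlhbA==
-----END PUBLIC KEY-----'

# What `dig +short TXT mail._domainkey.domain.fr` returns: a record longer than
# 255 characters comes back as several quoted strings separated by spaces.
# Constructed sample matching the key above.
SAMPLE_DIG_ANSWER='"v=DKIM1; h=sha256; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAc29tZSBmYWtlIGtleSBtYXRlcmlhbA=="'

# p= value: the PEM body with header, footer and line breaks removed (reads stdin).
pem_to_p() {
    sed '/^-----/d' | tr -d '\n'
}

# Full TXT value as it should be published for an RSA key (reads the PEM on stdin).
dkim_txt_value() {
    printf 'v=DKIM1; h=sha256; k=rsa; s=email; p=%s\n' "$(pem_to_p)"
}

# Join the quoted strings of a dig answer and extract the p= tag (reads stdin).
dkim_p_from_dns() {
    tr -d '"\n' | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# 0 if DNS serves the key we hold, 1 otherwise. Args: PEM text, dig answer text.
dkim_dns_matches() {
    expected=$(printf '%s\n' "$1" | pem_to_p)
    published=$(printf '%s\n' "$2" | dkim_p_from_dns)
    [ -n "$expected" ] && [ "$expected" = "$published" ]
}

# Live usage on the configuration above (needs openssl and dig):
#   dkim_dns_matches "$(openssl rsa -in /etc/dkimkeys/dkim.key -pubout 2>/dev/null)" \
#                    "$(dig +short TXT mail._domainkey.domain.fr)" && echo "DNS key matches"
```

opendkim-testkey -d domain.fr -s mail -vvv performs the same comparison from the daemon's point of view and additionally reports key-file permission problems, so run both when a receiver reports a DKIM failure.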
Aliases
/etc/aliases:
    postmaster: <user>
    root: <user>
    # run after modifying /etc/aliases
    sudo newaliases
Transport Map & Relayhost Map
/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport
- mail sent to your own domain is delivered locally
- mail sent to gmail.com is delivered directly, after an MX lookup
- all other mail is delivered via the relay host
/etc/postfix/transport:
    your-domain.com local
    gmail.com smtp
    * relay:[smtp-relay.sendinblue.com]:587
    # build the index file
    sudo postmap /etc/postfix/transport
A bare domain entry does not match its subdomains; add a .your-domain.com line if those must be routed the same way. The relay transport reuses the smtp_sasl_* settings, so the relay's credentials go into smtp_sasl_password_maps under the key [smtp-relay.sendinblue.com]:587, exactly as written in the transport file.
Test
    telnet localhost 25
    ehlo localhost
    # check that the following lines are shown
    # 250-STARTTLS
    # 250-AUTH
    mail from: root@domain.fr
    rcpt to: user@gmail.com
    data
    subject: test
    test
    .
    quit
With smtpd_tls_auth_only = yes, 250-AUTH is only advertised after STARTTLS, and telnet cannot negotiate TLS; use openssl s_client -connect localhost:25 -starttls smtp for that check. The unauthenticated mail from: above is accepted only because a connection from localhost falls under permit_mynetworks; the same session from another host must be rejected by reject_unauth_destination.
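The manual telnet test above checks by eye that STARTTLS and AUTH are present. Just as important is what is absent: if 250-AUTH appears in the plain-text EHLO response, a misconfigured client can send its password before encryption. The script below is an added example (not from the page or from Postfix) that evaluates a captured EHLO response; the responses it contains are constructed samples.

```shell
#!/bin/sh
# Evaluate a pre-TLS EHLO response from the Postfix SMTP server.
# Added example; the responses below are constructed samples.

# What a server with smtpd_tls_auth_only = no answers on port 25 (constructed).
EHLO_PLAINTEXT_AUTH='250-mail.domain.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 CHUNKING'

# Same server with smtpd_tls_auth_only = yes, before STARTTLS (constructed).
EHLO_TLS_ONLY='250-mail.domain.net
250-PIPELINING
250-STARTTLS
250 CHUNKING'

# Server without a usable certificate: no STARTTLS at all (constructed).
EHLO_NO_TLS='250-mail.domain.net
250-PIPELINING
250 CHUNKING'

# 0 if the EHLO response on stdin advertises the keyword (STARTTLS, AUTH, ...).
# Compares the first word of each 250 line; "AUTH=PLAIN" (broken_sasl_auth_clients) counts as AUTH.
ehlo_offers() {
    keyword=$1
    tr -d '\r' | awk -v kw="$keyword" '
        /^250[- ]/ { sub(/^250[- ]/, ""); split($0, f, "[ =]"); if (toupper(f[1]) == kw) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verdict for a pre-TLS EHLO response passed as argument:
#   0: STARTTLS offered and AUTH withheld until TLS (smtpd_tls_auth_only = yes)
#   1: STARTTLS missing
#   2: AUTH offered in clear text
ehlo_verdict() {
    response=$1
    if ! printf '%s\n' "$response" | ehlo_offers STARTTLS; then
        echo "no STARTTLS: check smtpd_tls_security_level and the certificate paths"
        return 1
    fi
    if printf '%s\n' "$response" | ehlo_offers AUTH; then
        echo "AUTH offered before STARTTLS: set smtpd_tls_auth_only = yes"
        return 2
    fi
    echo "ok: STARTTLS offered, AUTH only after TLS"
    return 0
}

# Live usage: capture the banner and EHLO response from the running server, then judge it.
#   ehlo_verdict "$( (sleep 1; printf 'EHLO localhost\r\n'; sleep 1; printf 'QUIT\r\n') | nc localhost 25 )"
```

The verdict only covers the clear-text half of the conversation; to confirm that AUTH is offered once TLS is up, repeat the EHLO inside openssl s_client -starttls smtp.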
Log
- journalctl
- /var/log/mail.log
- /var/log/mail.err
Mailboxes
By default Postfix uses the mbox format for mailboxes.
/etc/postfix/main.cf:
    # use maildir and store mail in the /home/<user>/maildir directory (trailing / selects maildir)
    home_mailbox = maildir/
    mailbox_command = # default value: empty, local(8) delivers directly instead of piping to a command
UFW
    # allow incoming SMTP (25) to receive mail; the "Postfix Submission" profile opens 587 for clients
    sudo ufw allow Postfix
Installation
    apt install postfix
    # General type of mail configuration: Internet site
    # System mail name: domain.fr
Errors
Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines
Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information 550 5.7.1 .
/etc/postfix/main.cf:
    inet_protocols = ipv4
Google rejects mail from IPv6 addresses that have no matching PTR record and pass neither SPF nor DKIM. Restricting Postfix to IPv4 sidesteps the check (for receiving as well as sending, since inet_protocols governs both); the proper fix is a PTR record for the server's IPv6 address together with the DKIM setup above.