Aller au contenu

Postfix et ubuntu

De Banane Atomic

Liens

Description

Postfix is a SMTP (Simple Mail Transfer Protocol) server.

Ports

  • incoming 25 to receive emails from other SMTP servers
  • outgoing 25 to send emails to other SMTP servers
  • incoming 25 to allow SMTP client to connect and send emails
  • incoming 587 to allow SMTP client to connect and send emails

Commands

# vérifier la configuration
sudo postfix check

# recharger la configuration
sudo postfix reload

# affiche les paramètres actuels de Postfix
postconf -pf

# affiche les paramètres par défaut
postconf -df

Basic Configuration

/etc/postfix/main.cf 
mydomain = domain.net
# mydomain = localdomain (localdomain is replaced during installation)

myhostname = mail.domain.net
# myhostname = <hostname>.localdomain

# domain name to use in outbound mail, ex: user@myorigin
# send mail as user@$mydomain
myorigin = $mydomain
# myorigin = $myhostname

# domains to receive mail for
# add $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
# mydestination = $myhostname, localhost.$mydomain, localhost

alias_maps = hash:/etc/aliases
# alias_maps = hash:/etc/aliases, nis:mail.aliases

# forward mail from the local machine only
mynetworks_style = host
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# compatibility_level = 0

# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
# never forward mail from strangers
relay_domains = 

# delivery method: direct or indirect (another smtp server)
relayhost = [smtp.internet-provider.fr]
# relayhost =   (direct delivery to Internet)

hostname

Not sure that it is needed if localhost is used. 
# current hostname
hostnamectl status

sudo hostnamectl set-hostname mail.domain.fr
/etc/hosts 
127.0.0.1    localhost mail.domain.fr
::1          localhost ip6-localhost ip6-loopback mail.domain.fr
# re-login to see the changes then run
hostname -f

TLS encryption for outgoing mail

/etc/postfix/main.cf 
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Orange

La box d’Orange bloque le port 25 en sortie ipv4 pour limiter l’envoi de spam.
L'envoie d'email doit donc se faire via le smtp d'orange.
/etc/postfix/main.cf 
relayhost = [smtp.orange.fr]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# smtp_sasl_security_options = noplaintext, noanonymous

#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain = $myhostname
/etc/postfix/sasl/orange.conf 
[smtp.orange.fr]:587 compte@orange.fr:password
# générer la db
sudo postmap hash:/etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf     # root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf.db  # root:root 600

TLS encryption for incoming mail

/etc/postfix/main.cf 
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# log level (default 0)
smtpd_tls_loglevel = 1
# 0 → no log
# 1 → Log on TLS handshake completion
# 2 → Also log levels during TLS negotiation
# 3 and 4. Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.

SMTP Authentication using SASL client with Dovecot

Postfix supports the Dovecot SASL (Simple Authentication and Security Layer) implementation.
Dovecot is a POP/IMAP (Post Office Protocol / Interactive Message Access Protocol) server, it has its own configuration to authenticate POP/IMAP clients.
Communication between the Postfix SMTP server and Dovecot SASL happens over a UNIX-domain socket.

/etc/postfix/main.cf 
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_path = private/auth

Allow incoming port 587 (submission)

By default Postfix listen incoming STMP client connections from port 25.
In addition you may allow the port 587 to receive incoming connections from SMTP client to send emails.

/etc/postfix/master.cf 
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
/etc/postfix/main.cf 
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
# mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
# on BlueMail Android app, Helo command rejected, need fully-qualified hostname
smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions

DKIM

apt install opendkim opendkim-tools
/etc/opendkim.conf 
Domain        domain.fr
KeyFile       /etc/dkimkeys/dkim.key
# selectors are used to permit multiple keys under the same organization's domain name
Selector      mail
# prevent trivial reformatting in header and body destroying trust
Canonicalization    relaxed/simple
# if postfix is running in chroot
Socket    local:/var/spool/postfix/var/run/opendkim/opendkim.sock
/etc/default/opendkim 
# to use a Unix socket with postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendkim
# generate the key
opendkim-genkey -r -s mail -b 2048 -d domain.fr
# DNS record containing the public key: mail.txt
# private key: mail.private

# copy the key
sudo mv mail.private /etc/dkimkeys/dkim.key
# check the owner of the file (root:root 600)

# configuration des droits d'accès
# add postfix in the opendkim group
sudo adduser postfix opendkim
# if postfix is running in chroot
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
mail._domainkey.domain.fr. IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=xxx";
# mail: selector
# domain.fr: domain
# v: version
# h: hash / algorithme
# k: type de clé
# s: type de service
# p: clé publique base64
/etc/postfix/main.cf 
# if postfix is running in chroot, there is no / before var
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
smtpd_milters = unix:var/run/opendkim/opendkim.sock

Aliases

/etc/aliases 
postmaster: <user>
root:       <user>
# run after modification of the file /etc/aliases
sudo newaliases

Transport Map & Relayhost Map

/etc/postfix/main.cf 
transport_maps = hash:/etc/postfix/transport
  • emails sent to your own domain are delivered locally
  • email sent to gmail.com are delivered normally by performing MX lookup
  • all other emails are delivered via the relay host
/etc/postfix/transport 
your-domain.com       local 
gmail.com             smtp
*                     relay:[smtp-relay.sendinblue.com]:587
# build the index file
sudo postmap /etc/postfix/transport

Test

telnet localhost 25
ehlo localhost
# vérifier que les lignes suivantes sont bien affichées
# 250-STARTTLS
# 250-AUTH
mail from: root@domain.fr
rcpt to: user@gmail.com
data
subject: test
test
.
quit

Log

  • journalctl
  • /var/log/mail.log
  • /var/log/mail.err

Mailboxes

By default Postifx will use mbox for the mailbox format.

/etc/postfix/main.cf 
# use maildir and store emails in the /home/<user>/maildir directory
home_mailbox = maildir/
mailbox_command =   # default value

UFW

# allow incoming SMTP (25) to receive emails
sudo ufw allow Postfix

Installation

apt install postfix
# General type or mail configuration: Internet site
# System mail name: domain.fr

Erreurs

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information 550 5.7.1 .
/etc/postfix/main.cf 
inet_protocols = ipv4
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=Postfix_et_ubuntu&oldid=29362 »