« Postfix et ubuntu »: difference between versions

From Banane Atomic
Version of 31 August 2023 at 20:45

Links

Commands

Bash
# check the configuration
sudo postfix check

# reload the configuration
sudo postfix reload

# show the current Postfix parameter settings (-f folds long lines)
postconf -pf

# show the default parameter values
postconf -df

Basic Configuration

/etc/postfix/main.cf
mydomain = domain.net
# mydomain = localdomain (localdomain is replaced during installation)

myhostname = mail.domain.net
# myhostname = <hostname>.localdomain

# domain name to use in outbound mail, ex: user@myorigin
# send mail as user@$mydomain
myorigin = $mydomain
# myorigin = $myhostname

# domains to receive mail for
# add $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
# mydestination = $myhostname, localhost.$mydomain, localhost

alias_maps = hash:/etc/aliases
# alias_maps = hash:/etc/aliases, nis:mail.aliases

# forward mail from the local machine only
mynetworks_style = host
# mynetworks_style = ${{$compatibility_level} < {2} ? {subnet} : {host}}
# compatibility_level = 0

# relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
# never forward mail from strangers
relay_domains = 

# delivery method: direct or indirect (another smtp server)
relayhost = [smtp.internet-provider.fr]
# relayhost =   (direct delivery to Internet)

hostname

Bash
# current hostname
hostnamectl status

sudo hostnamectl set-hostname mail.domain.fr
/etc/hosts
127.0.0.1    localhost mail.domain.fr
::1          localhost ip6-localhost ip6-loopback mail.domain.fr
Bash
# re-login to see the changes then run
hostname -f

TLS encryption for outgoing mail

/etc/postfix/main.cf
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Orange

The Orange box blocks port 25 to limit spam sending.
Email must therefore be sent through Orange's SMTP server.
/etc/postfix/main.cf
relayhost = [smtp.orange.fr]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/orange.conf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# smtp_sasl_security_options = noplaintext, noanonymous

#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain = $myhostname
/etc/postfix/sasl/orange.conf
[smtp.orange.fr]:587 compte@orange.fr:password
Bash
# generate the db
sudo postmap hash:/etc/postfix/sasl/orange.conf
sudo chmod 600 /etc/postfix/sasl/orange.conf     # root:root 600
sudo chmod 600 /etc/postfix/sasl/orange.conf.db  # root:root 600

TLS encryption for incoming mail

/etc/postfix/main.cf
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/letsencrypt/live/domain.net/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.net/fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# log level (default 0)
smtpd_tls_loglevel = 1
# 0 → no log
# 1 → Log on TLS handshake completion
# 2 → Also log levels during TLS negotiation
# 3 and 4. Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.
/etc/postfix/master.cf
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

SMTP Authentication using SASL client with Dovecot

/etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_path = private/auth
Don't forget to install and configure Dovecot (see Dovecot#SASL_client_authentication).

DKIM

Bash
apt install opendkim opendkim-tools
/etc/opendkim.conf
Domain        domain.fr
KeyFile       /etc/dkimkeys/dkim.key
# selectors are used to permit multiple keys under the same organization's domain name
Selector      mail
# prevent trivial reformatting in header and body destroying trust
Canonicalization    relaxed/simple
# if postfix is running in chroot
Socket    local:/var/spool/postfix/var/run/opendkim/opendkim.sock
/etc/default/opendkim
# to use a Unix socket with postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendkim
Bash
# generate the key
opendkim-genkey -r -s mail -b 2048 -d domain.fr
# DNS record containing the public key: mail.txt
# private key: mail.private

# copy the key
sudo mv mail.private /etc/dkimkeys/dkim.key
# check the owner of the file (root:root 600)

# access rights configuration
# add postfix in the opendkim group
sudo adduser postfix opendkim
# if postfix is running in chroot
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
DNS
mail._domainkey.domain.fr. IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=xxx";
# mail: selector
# domain.fr: domain
# v: version
# h: hash algorithm
# k: key type
# s: service type
# p: base64 public key
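Added example (not from the original page): a small POSIX shell script that turns the mail.txt written by opendkim-genkey, where the TXT value is split over several quoted strings, into the single-string form shown above and checks the tags listed there. The mail.txt content is constructed and its p= value is a placeholder, not a real key; BIND zone files keep the split form because one string cannot exceed 255 bytes, while DNS web interfaces usually want the joined value and re-split it themselves.

```shell
#!/bin/sh
# Constructed sample of mail.txt as written by opendkim-genkey (placeholder key).
SAMPLE_MAIL_TXT='mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; s=email; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsample"
	  "keydataPLACEHOLDER" )  ; ----- DKIM key mail for domain.fr'

# join_dkim_txt MAIL_TXT: concatenate the quoted strings into one TXT value.
join_dkim_txt() {
    # keep only what is between double quotes, then drop the quotes and newlines
    printf '%s\n' "$1" | grep -o '"[^"]*"' | tr -d '"\n'
}

# dkim_tag TXT NAME: print the value of one tag (v, h, k, s, p) of a joined TXT value.
dkim_tag() {
    printf '%s' "$1" | tr -d ' ' | tr ';' '\n' | sed -n "s/^$2=//p"
}

# check_dkim_txt MAIL_TXT: print the joined value if it carries the tags
# described above (v=DKIM1, k=rsa) and a non-empty public key, else return 1.
check_dkim_txt() {
    txt=$(join_dkim_txt "$1")
    [ "$(dkim_tag "$txt" v)" = "DKIM1" ] || { echo "bad v tag" >&2; return 1; }
    [ "$(dkim_tag "$txt" k)" = "rsa" ]   || { echo "bad k tag" >&2; return 1; }
    [ -n "$(dkim_tag "$txt" p)" ]        || { echo "missing public key (p=)" >&2; return 1; }
    printf '%s\n' "$txt"
}

# dns_record SELECTOR DOMAIN MAIL_TXT: print the single-string zone line used above.
dns_record() {
    printf '%s._domainkey.%s. IN TXT "%s"\n' "$1" "$2" "$(join_dkim_txt "$3")"
}

# usage: check the constructed sample and print the record for domain.fr
check_dkim_txt "$SAMPLE_MAIL_TXT" >/dev/null && dns_record mail domain.fr "$SAMPLE_MAIL_TXT"
```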
/etc/postfix/main.cf
# if postfix is running in chroot, there is no / before var
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
smtpd_milters = unix:var/run/opendkim/opendkim.sock

Aliases

/etc/aliases
postmaster: <user>
root:       <user>
Bash
# run after modification of the file /etc/aliases
sudo newaliases

Test

Bash
telnet localhost 25
ehlo localhost
# check that the following lines are displayed
# 250-STARTTLS
# 250-AUTH
mail from: root@domain.fr
rcpt to: user@gmail.com
data
subject: test
test
.
quit
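Added example (not part of the original page): a shell function that applies this page's expectations to an EHLO reply. On port 25 the reply must advertise both STARTTLS and AUTH, as the session above checks; on the submission port, where master.cf above sets smtpd_tls_auth_only=yes, a clear-text EHLO must advertise STARTTLS but must not advertise AUTH, so an absent AUTH line there is expected rather than a bug. The replies below are constructed, not captured from a server.

```shell
#!/bin/sh
# Constructed EHLO replies (no server is contacted). The first is what the
# port-25 session above should show; the second is a clear-text EHLO on port
# 587, where smtpd_tls_auth_only=yes hides AUTH until STARTTLS has been done.
EHLO_PORT25='250-mail.domain.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 CHUNKING'
EHLO_587_CLEARTEXT='250-mail.domain.net
250-PIPELINING
250-STARTTLS
250 CHUNKING'

# has_ext REPLY NAME: true if the reply advertises the extension (250-NAME or 250 NAME).
has_ext() {
    printf '%s\n' "$1" | grep -Eq "^250[- ]$2( |\$)"
}

# check_ehlo PORT REPLY: port 25 must offer STARTTLS and AUTH; a clear-text
# EHLO on 587 must offer STARTTLS and must NOT offer AUTH (no plain-text logins).
check_ehlo() {
    if ! has_ext "$2" STARTTLS; then echo "port $1: STARTTLS missing" >&2; return 1; fi
    case $1 in
        25)  if ! has_ext "$2" AUTH; then echo "port 25: AUTH missing" >&2; return 1; fi ;;
        587) if has_ext "$2" AUTH; then echo "port 587: AUTH offered before STARTTLS" >&2; return 1; fi ;;
    esac
}

# usage: both constructed replies match the expectations
check_ehlo 25 "$EHLO_PORT25" && check_ehlo 587 "$EHLO_587_CLEARTEXT" && echo "EHLO checks passed"
```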

Log

  • journalctl
  • /var/log/mail.log
  • /var/log/mail.err

Mailboxes

By default Postfix will use mbox for the mailbox format.

/etc/postfix/main.cf
# use maildir and store emails in the /home/<user>/maildir directory
home_mailbox = maildir/
# leave mailbox_command empty (the default value) so that home_mailbox is used
mailbox_command =

UFW

Bash
# allow incoming SMTP (25) to receive emails
sudo ufw allow Postfix

Installation

Bash
apt install postfix
# General type or mail configuration: Internet site
# System mail name: domain.fr

Errors

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines

Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information 550 5.7.1 .
/etc/postfix/main.cf
inet_protocols = ipv4