Postfix Basic Configuration
The basic settings for Postfix are extremely important as they will impact the rest of the program functions. Complete these settings in the main.cf file before you make any changes with Webmin to insure you have the basics covered.
Configure the Hostname in the smtpd Banner
When your mail server connects to another mail server to transfer messages it performs a HELO which sends it’s hostname to the other server. This is one of the reasons your hostname is so important. In fact, many servers in order to verify the integrity of mail exchanges will do a DNS lookup to verify the FQDN (Fully Qualified Domain Name) matches what if provided in the HELO. If they do not match some servers will not allow the transfer of mail. Therefore, make sure your FQDN is what is present in the HELO.
Edit /etc/postfix/main.cf
First, make a backup of your files located in the /etc/postfix directory. This will provide a reference of changes you have made as well as give you a rescue file so you can start over after a mistake. Now edit the myhostname parameter to provide the FQDN.
myhostname = mail.example.com
Postfix is smart enough to understand that the domain listed in myhostname is the domain for the server. You can also set the mydomain parameter.
mydomain = example.com
Set your inet_interfaces to all.
inet_interfaces = all
Configure Relays
Postfix will not allow any relaying of mail for any domains by default. It will relay mail for the localhost but all other relays must be explicitly set. In the initial configuration for a one domain server, this setting for allowing your domain to relay mail is found in the mydestination parameter.
mydestination = $mydomain
If you would like to also accept mail for your hostname you may also add this information to the configuration.
mydestination = $mydomain, $myhostname
If you have created CNAMEs in your DNS settings for your domain that would also need to be added here. A CNAME (Canonical Name) is like an alias, www for example. If you want to accept mail for these they must be entered as well. If they do not fit on one line you can enter a new one on each line with a space in front of them as Postfix will not recognize them without a space.
mydestination =
$mydomain,
$myhostname,
www.$mydomain,
tech.$mydomain
Each line ends with a comma and starts with a space.
Configure Outgoing Domain
The outgoing domain parameter provides a way to verify where mail came from. This parameter setting will be used by Postfix whenever mail is sent for an address that is not fully qualified. Again,this setting is located in the main.cf file.
myorigin = $mydomain
root Mail Configuration
Postfix has a focus on security, especially when it comes to running programs as root. As a result, Postfix will deliver mail to root locally but it will not allow other programs to run as root. This means that programs like procmail cannot be used to deliver mail to the root user. Therefore you will need to create an alias for the root user so that mail that is intended for root will be delivered to a non-privileged user.
Edit /etc/aliases and create a line like this:
root: mike
Whatever user you choose make sure that it is an account that is on the system. Do not use the admin account as it is tied to other things on the system.
Once you have added the username run the command:
newaliases
Verify that Postfix is running:
/etc/init.d/postfix start
/etc/init.d/postfix stop
/etc/init.d/postfix reload
Webmin Configuration of Postfix
Now you are ready to start with additional configuration options from the Webmin interface.
General Options
This Webmin image in “General Options” shows these “Most Useful General options”.
“What domain to use in outbound mail”
If you have your settings set in the basics you can set this to “Use domainname”.
“What domains to receive mail for”
The two settings that you see, $myhostname and $mydomain are the options you should use if you have one domain.
“What trouble to report to postmaster”
This option notify_classes, allows you to send mail reports to the postmaster. This is additional information that is not usually reported because only the worst situations are typically reported. Here is a list of the notify_classes that you can use. The default for Postfix is to use resource and software.
bounce – This option will send copies of the headers that are bounced. It will also send the information about the SMTP session that led to the bounce.
2bounce – Any undeliverable mail will be sent to the postmaster by default.
delay – When mail is delayed it will send copies of the headers to the postmaster.
policy – If a client is rejected based on UCE policy (Unsolicitated Commercial Email) the transcript of the SMTP session is sent to postmaster.
protocol – If there are client server protocol errors the transcript of the SMTP session will be sent to postmaster.
resource – If Postfix cannot deliver mail because of resource problems send a message to the postmaster.
software – This option will notify postmaster if there are software problems that are associated with why mail cannot be delivered.
If you would like to get this information delivered to an email, you may want to add your email to the postmaster aliases so it comes to your email account and you do not have to dig for it.
postmaster: root,your_email
This will allow you to receive that information to your email account. This is something that you can do on a temporary situation as you will surely get tired of receiving all this stuff….
Here is an example you can place in your main.cf.
notify_classes = bounce, delay, resource, software
Each of the options you see here are default options that you can leave in place. In a typical Postfix installation these are going to work fine.
However, these options that you see in this screen will need to be changed.
“Internet hostname of this mail system”
This is the FQDN (Fully Qualified Domain Name) of the mail server. It should have two parts, the hostname (mail) and the domain name (example.com). Mail servers when they talk to each other will require this setting. So if you have having difficulties this is one of the places to look.
“Local Internet domain name”
Set his the same as the option above, your FQDN.
“Local Networks”
These are all of the networks that are connected to the mail server. The setting will help the mail server determine who is a local client from a Spammer on the Internet. You have two options, click the “Default” which automatically detects the networks attached to the mail server. This is an easy option but if you have other networks that use this mail server you must select option two and list the networks that will use the mail server as you see in the example.
“Automatic local networks”
This setting has four options. The options are “Default, Same IP Subnet, Same Network Class and Local Machine Only”. These setting will help simply the setting above. If you local network in on a subnet and all of your users are one the same subnet choose “Same IP Subnet”. You can expand that to many more computers if you have a large network by choosing “Same Network Class”.
“Email Content Filter”
In this example you can see an email content filter is enabled. Do Not enable this feature using Webmin as it requires multiple edits and so it will not work unless you complete all edits at once.
The other settings here are fine as the default.
SMTP Server Options
This screen SMTP server options. You can leave all at the default except the “Restrictions on recipient addresses”. In the example you can see that there are entries that are placed in this and it is not the default. This entries must be placed in a specific order…be sure you check the order before you enable this and if you have problems examine the order carefully.
reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_rbl_client zen.spamhaus.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client dnsbl-1.uceprotect.net
permit
Explanation of Each Setting
reject_non_fqdn_recipient
It is important that you require the FQDN for recipients. In order to make this happen use the reject_non_fqdn_recipients option.
reject_unknown_recipient_domain
Another restriction to consider for the envelope sender is the requirement of an existing domain. Spammers will use this as a way to conceal their true domain. So you will want to reject all domains that are not real. You do have to consider the fact that users may create a typo that would put them in this category and receive a bounced mail from Postfix. However, in order to control spam this may be a requirement.
permit_mynetworks
The order of processing restrictions is important. As you view the list in the example, note that the permit_mynetworks is a watershed in that it differentiates between clients on the outside and clients on the inside. The options that appear up to the permit_mynetworks apply to both internal and external clients. The options which appear after permit_mynetworks apply only to external clients. This is why the order is so important.
permit_sasl_authenticated
Allow sasl authentication if you use secure connections.
reject_unauth_destination
Prevents your server from becoming an open relay.
reject_non_fqdn_hostname
Use the reject_non_fqdn_sender option to make sure users have a FQDN.
reject_invalid_hostname
You may also choose to reject based on a valid hostname. The rules are that each valid hostname should contain a top level domain (com,net,org, etc), a domain, like example in example.com and it should contain a “.” separating the two.
check_helo_access pcre:/etc/postfix/helo_checks
Create a file called helo_checks in the /etc/postfix directory. This file should contain a number of variations on your address on one line at a time.
/^ns\.example\.com$/ 550 Bad helo check
/^216\.114\.226\.157$/ 550 Bad helo check
/^\[216\.114\.226\.157\]$/ 550 Bad helo check
In these examples, you will see a start of string (^)and end of string anchor ($). The ^ matches matches the position before the first character in the string. So ^ns will match the n and org$ will match the g. This is a useful tool to have for Postfix to read one line at a time and not combine text strings.
check_sender_mx_access cidr:/etc/postfix/bogus_mx
Spammers will also use networks which are not routeable, thus not traceable. You can stop this technique with Postfix, however, your network firewall should not allow these kinds of networks to enter your network at all.
Create a map that will list these unrouteable networks. Place one network on each line.
0.0.0.0/8 550 Bad Network
10.0.0.0/8 550 Bad Network
127.0.0.0/8 550 Bad Network
224.0.0.0/4 550 Bad Network
192.168.0.0/16 550 Bad Network
reject_rbl_client zen.spamhaus.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client dnsbl-1.uceprotect.net
The one thing that is important to understand when using blackholes is that these DNS blacklists require Postfix to do a DNS lookup which will take resources from your server and create latency. However, this can be a significant reduction in SPAM. In the example below two kinds of lists are used to block spam, these are only illustrations you should research your list carefully. Each list will have an address that you can enter to access the list. These two are combined in one address. That address is then entered into your smtpd restrictions.
Having tried a number of RBLs you will see that some are going out of existence, some are either too aggressive or just do not cover all of the areas that give you the protection you need. Here is a list that makes a good combination of protection without getting too crazy. Be sure to try one at a time so you can determine if one is not right for you. Use at your own risk…you could lose email.
http://postfixmail.com/blog/index.php/using-webmin-to-set-up-postfix/
http://rimuhosting.com/support/settingupemail.jsp?mta=postfix
http://neranjara.org/article/title/How_to_configure_PostFix_and_Dovecot_for_Virtual_Users_with_out_a_Database_
No comments:
Post a Comment