Postfix Small/Home Office Hints and Tips (2024)

Overview

This document combines hints and tips for "small office/home office" applications into one document so that they are easier to find. The text describes the mail sending side only. If your machine does not receive mail directly (i.e. it does not have its own Internet domain name and its own fixed IP address), then you will need a solution such as "fetchmail", which is outside the scope of the Postfix documentation.

  • Selected topics from the STANDARD_CONFIGURATION_README document:

    • Postfix on a stand-alone Internet host
    • Postfix on hosts without a real Internet hostname

  • Selected topics from the SASL_README document:

    • Enabling SASL authentication in the Postfix SMTP client
    • Configuring Sender-Dependent SASL authentication

See the SASL_README and STANDARD_CONFIGURATION_README documents for further information on these topics.

Postfix on a stand-alone Internet host

Postfix should work out of the box without change on a stand-alone machine that has direct Internet access. At least, that is how Postfix installs when you download the Postfix source code via http://www.postfix.org/.

You can use the command "postconf -n" to find out what settings are overruled by your main.cf. Besides a few pathname settings, few parameters should be set on a stand-alone box, beyond what is covered in the BASIC_CONFIGURATION_README document:

/etc/postfix/main.cf:
    # Optional: send mail as user@domainname instead of user@hostname.
    #myorigin = $mydomain

    # Optional: specify NAT/proxy external address.
    #proxy_interfaces = 1.2.3.4

    # Alternative 1: don't relay mail from other hosts.
    mynetworks_style = host
    relay_domains =

    # Alternative 2: relay mail from local clients only.
    # mynetworks = 192.168.1.0/28
    # relay_domains =

See also the section "Postfix on hosts without a real Internet hostname" if this is applicable to your configuration.

Postfix on hosts without a real Internet hostname

This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.

Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf mail_version".

Solution 1: Postfix version 2.2 and later

Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

1 /etc/postfix/main.cf:
2     smtp_generic_maps = hash:/etc/postfix/generic
3 
4 /etc/postfix/generic:
5     his@localdomain.local             hisaccount@hisisp.example
6     her@localdomain.local             heraccount@herisp.example
7     @localdomain.local                hisaccount+local@hisisp.example

When mail is sent to a remote host via SMTP:

  • Line 5 replaces his@localdomain.local by his ISP mail address,

  • Line 6 replaces her@localdomain.local by her ISP mail address, and

  • Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions).

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.

Solution 2: Postfix version 2.1 and earlier

The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

 1 /etc/postfix/main.cf:
 2     myhostname = hostname.localdomain
 3     mydomain = localdomain
 4 
 5     canonical_maps = hash:/etc/postfix/canonical
 6 
 7     virtual_alias_maps = hash:/etc/postfix/virtual
 8 
 9 /etc/postfix/canonical:
10     your-login-name                 your-account@your-isp.com
11 
12 /etc/postfix/virtual:
13     your-account@your-isp.com       your-login-name

Translation:

  • Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone.

  • Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required.

  • Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.

Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.

Enabling SASL authentication in the Postfix SMTP/LMTP client

This section shows a typical scenario where the Postfix SMTP client sends all messages via a mail gateway server that requires SASL authentication.

Troubleshooting tips:

  • If your SASL logins fail with "SASL authentication failure: No worthy mechs found" in the mail logfile, then see the section "Postfix SMTP/LMTP client policy - SASL mechanism properties".

  • For a solution to a more obscure class of SASL authentication failures, see "Postfix SMTP/LMTP client policy - SASL mechanism names".

To make the example more readable we introduce it in two parts. The first part takes care of the basic configuration, while the second part sets up the username/password information.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

  • The smtp_sasl_auth_enable setting enables client-side authentication. We will configure the client's username and password information in the second part of the example.

  • The smtp_tls_security_level setting ensures that the connection to the remote smtp server will be encrypted, and smtp_sasl_tls_security_options removes the prohibition on plaintext passwords.

  • The relayhost setting forces the Postfix SMTP client to send all remote messages to the specified mail server instead of trying to deliver them directly to their destination.

  • In the relayhost setting, the "[" and "]" prevent the Postfix SMTP client from looking up MX (mail exchanger) records for the enclosed name.

  • The relayhost destination may also specify a non-default TCP port. For example, the alternative form [mail.isp.example]:submission tells Postfix to connect to TCP network port 587, which is reserved for email client applications.

  • The Postfix SMTP client is compatible with SMTP servers that use the non-standard "AUTH=method...." syntax in response to the EHLO command; this requires no additional Postfix client configuration.

  • With the setting "smtp_tls_wrappermode = yes", the Postfix SMTP client supports the "wrappermode" protocol, which uses TCP port 465 on the SMTP server (Postfix 3.0 and later).

  • With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP client to send username and password information to the mail gateway server. As discussed in the next section, the Postfix SMTP client supports multiple ISP accounts. For this reason the username and password are stored in a table that contains one username/password combination for each mail gateway server.

/etc/postfix/sasl_passwd:
    # destination                   credentials
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

Important

Keep the SASL client password file in /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail.

  • Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.

  • If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.

  • If you specify a non-default TCP port (such as ":submission" or ":587") in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.

Configuring Sender-Dependent SASL authentication

Postfix supports different ISP accounts for different sender addresses (version 2.3 and later). This can be useful when one person uses the same machine for work and for personal use, or when people with different ISP accounts share the same Postfix server.

To make this possible, Postfix supports per-sender SASL passwords and per-sender relay hosts. In the example below, the Postfix SMTP client will search the SASL password file by sender address before it searches that same file by destination. Likewise, the Postfix trivial-rewrite(8) daemon will search the per-sender relayhost file, and use the default relayhost setting only as a final resort.

/etc/postfix/main.cf:
    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission

/etc/postfix/sasl_passwd:
    # Per-sender authentication; see also /etc/postfix/sender_relay.
    user1@example.com               username1:password1
    user2@example.net               username2:password2
    # Login information for the default relayhost.
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

/etc/postfix/sender_relay:
    # Per-sender provider; see also /etc/postfix/sasl_passwd.
    user1@example.com               [mail.example.com]:submission
    user2@example.net               [mail.example.net]

  • If you are creative, then you can try to combine the two tables into one single MySQL database, and configure different Postfix queries to extract the appropriate information.

  • Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

  • Execute the command "postmap /etc/postfix/sasl_passwd" whenever you change the sasl_passwd table.

  • Execute the command "postmap /etc/postfix/sender_relay" whenever you change the sender_relay table.
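The password-file rules from the "Important" note and the sender-then-destination lookup order described in this section can be checked before reloading Postfix. The following is an added example, not code from the Postfix project: the function names are hypothetical, the table parser is simplified, and the sample tables are constructed from the examples above (user2@example.net is deliberately left without a password entry).

```python
import os
import stat

def parse_table(text):
    """Parse 'key value' table lines (simplified: no continuation lines)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1].strip()
    return table

def mode_problems(path, owner_uid=0):
    """The password file must be read+write for root only."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{path}: accessible to group/other")
    if st.st_uid != owner_uid:
        problems.append(f"{path}: not owned by uid {owner_uid}")
    return problems

def resolve(sender, relayhost, sasl_passwd, sender_relay):
    """Return (next hop, sasl_passwd key that supplies the login)."""
    hop = sender_relay.get(sender, relayhost)
    # Searched by sender address first, then by destination exactly as written.
    key = sender if sender in sasl_passwd else hop if hop in sasl_passwd else None
    return hop, key

def lint(relayhost, sasl_passwd, sender_relay):
    """List senders (None = default relayhost) left without a login."""
    problems = []
    for sender in [None, *sender_relay]:
        hop, key = resolve(sender, relayhost, sasl_passwd, sender_relay)
        if key is None:
            problems.append(f"{sender or 'default'}: no login for {hop}")
    return problems

# Constructed sample tables, modelled on the examples above.
SASL_PASSWD = parse_table("""
user1@example.com       username1:password1
[mail.isp.example]      username:password
""")
SENDER_RELAY = parse_table("""
user1@example.com       [mail.example.com]:submission
user2@example.net       [mail.example.net]
""")

if __name__ == "__main__":
    # relayhost written with :submission no longer matches the table key.
    print(lint("[mail.isp.example]:submission", SASL_PASSWD, SENDER_RELAY))
```

On a real system, feed parse_table() the contents of /etc/postfix/sasl_passwd and /etc/postfix/sender_relay, and run mode_problems() on the password file and on the file that postmap generates from it.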

Article information

Author: Ouida Strosin DO
