From b5896ba9f6047e7031e2bdee0622d543e11a6734 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 03:46:30 +0200 Subject: Adding upstream version 3.4.23. Signed-off-by: Daniel Baumann --- html/SOHO_README.html | 418 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 418 insertions(+) create mode 100644 html/SOHO_README.html (limited to 'html/SOHO_README.html') diff --git a/html/SOHO_README.html b/html/SOHO_README.html new file mode 100644 index 0000000..ce2ff14 --- /dev/null +++ b/html/SOHO_README.html @@ -0,0 +1,418 @@ + + + + + + +Postfix Small/Home Office Hints and Tips + + + + + + + +

Postfix Small/Home Office Hints and Tips

+ +

Overview

+ +

This document combines hints and tips for "small office/home +office" applications into one document so that they are easier to +find. The text describes the mail sending side only. If your machine +does not receive mail directly (i.e. it does not have its own +Internet domain name and its own fixed IP address), then you will +need a solution such as "fetchmail", which is outside the scope of +the Postfix documentation.

+ +

Selected topics from the STANDARD_CONFIGURATION_README document:
+ +
- Postfix on a stand-alone Internet host + +
- Postfix on hosts without a real +Internet hostname + +
+ +
Selected topics from the SASL_README document:
+ +
- Enabling SASL authentication in the +Postfix SMTP client
- Configuring Sender-Dependent SASL +authentication
+ +

+ +

See the SASL_README and STANDARD_CONFIGURATION_README documents for +further information on these topics.

+ +

Postfix on a stand-alone Internet host

+ +

Postfix should work out of the box without change on a stand-alone +machine that has direct Internet access. At least, that is how +Postfix installs when you download the Postfix source code via +http://www.postfix.org/.

+ +

You can use the command "postconf -n" to find out what +settings are overruled by your main.cf. Besides a few pathname +settings, few parameters should be set on a stand-alone box, beyond +what is covered in the BASIC_CONFIGURATION_README document:

+ +

+/etc/postfix/main.cf:
+    # Optional: send mail as user@domainname instead of user@hostname.
+    #myorigin = $mydomain
+
+    # Optional: specify NAT/proxy external address.
+    #proxy_interfaces = 1.2.3.4
+
+    # Alternative 1: don't relay mail from other hosts.
+    mynetworks_style = host
+    relay_domains =
+
+    # Alternative 2: relay mail from local clients only.
+    # mynetworks = 192.168.1.0/28
+    # relay_domains =
+

+ +

See also the section "Postfix on hosts without +a real Internet hostname" if this is applicable to your configuration. +

+ +

Postfix on hosts without a real Internet +hostname

+ +

This section is for hosts that don't have their own Internet +hostname. Typically these are systems that get a dynamic IP address +via DHCP or via dialup. Postfix will let you send and receive mail +just fine between accounts on a machine with a fantasy name. However, +you cannot use a fantasy hostname in your email address when sending +mail into the Internet, because no-one would be able to reply to +your mail. In fact, more and more sites refuse mail addresses with +non-existent domain names.

+ +

Note: the following information is Postfix version dependent. +To find out what Postfix version you have, execute the command +"postconf mail_version".

+ +

Solution 1: Postfix version 2.2 and later

+ +

Postfix 2.2 uses the generic(5) address mapping to replace +local fantasy email addresses by valid Internet addresses. This +mapping happens ONLY when mail leaves the machine; not when you +send mail between users on the same machine.

+ +

The following example presents additional configuration. You +need to combine this with basic configuration information as +discussed the first half of this document.

+ +

+1 /etc/postfix/main.cf:
+2     smtp_generic_maps = hash:/etc/postfix/generic
+3 
+4 /etc/postfix/generic:
+5     his@localdomain.local             hisaccount@hisisp.example
+6     her@localdomain.local             heraccount@herisp.example
+7     @localdomain.local                hisaccount+local@hisisp.example
+

+ +

When mail is sent to a remote host via SMTP:

+ +

Line 5 replaces his@localdomain.local by his ISP +mail address,
+ +
Line 6 replaces her@localdomain.local by her ISP +mail address, and
+ +
Line 7 replaces other local addresses by his ISP account, +with an address extension of +local (this example assumes +that the ISP supports "+" style address extensions).
+ +

+ +

Specify dbm instead of hash if your system uses +dbm files instead of db files. To find out what lookup +tables Postfix supports, use the command "postconf -m".

+ +

Execute the command "postmap /etc/postfix/generic" +whenever you change the generic table.

+ +

Solution 2: Postfix version 2.1 and earlier

+ +

The solution with older Postfix systems is to use valid +Internet addresses where possible, and to let Postfix map valid +Internet addresses to local fantasy addresses. With this, you can +send mail to the Internet and to local fantasy addresses, including +mail to local fantasy addresses that don't have a valid Internet +address of their own.

+ +

The following example presents additional configuration. You +need to combine this with basic configuration information as +discussed the first half of this document.

+ +

+ 1 /etc/postfix/main.cf:
+ 2     myhostname = hostname.localdomain
+ 3     mydomain = localdomain
+ 4 
+ 5     canonical_maps = hash:/etc/postfix/canonical
+ 6 
+ 7     virtual_alias_maps = hash:/etc/postfix/virtual
+ 8 
+ 9 /etc/postfix/canonical:
+10     your-login-name    your-account@your-isp.com
+11 
+12 /etc/postfix/virtual:
+13     your-account@your-isp.com       your-login-name
+

+ +

Translation:

+ +

Lines 2-3: Substitute your fantasy hostname here. Do not +use a domain name that is already in use by real organizations +on the Internet. See RFC 2606 for examples of domain +names that are guaranteed not to be owned by anyone.
+ +
Lines 5, 9, 10: This provides the mapping from +"your-login-name@hostname.localdomain" to "your-account@your-isp.com". +This part is required.
+ +
Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" +locally, instead of sending it to the ISP. This part is not required +but is convenient. + +

+ +

Specify dbm instead of hash if your system uses +dbm files instead of db files. To find out what lookup +tables Postfix supports, use the command "postconf -m".

+ +

Execute the command "postmap /etc/postfix/canonical" +whenever you change the canonical table.

+ +

Execute the command "postmap /etc/postfix/virtual" +whenever you change the virtual table.

+ +

Enabling SASL authentication in the +Postfix SMTP/LMTP client

+ +

This section shows a typical scenario where the Postfix SMTP +client sends all messages via a mail gateway server that requires +SASL authentication.

+ +

+ + Trouble solving tips: + +
+ +

If your SASL logins fail with "SASL authentication failure: +No worthy mechs found" in the mail logfile, then see the section +"Postfix SMTP/LMTP +client policy - SASL mechanism properties". + +

For a solution to a more obscure class of SASL authentication +failures, see "Postfix +SMTP/LMTP client policy - SASL mechanism names". + +
+ +

+ +

To make the example more readable we introduce it in two parts. +The first part takes care of the basic configuration, while the +second part sets up the username/password information.

+ +

+/etc/postfix/main.cf:
+    smtp_sasl_auth_enable = yes
+    smtp_tls_security_level = encrypt
+    smtp_sasl_tls_security_options = noanonymous
+    relayhost = [mail.isp.example]
+    # Alternative form:
+    # relayhost = [mail.isp.example]:submission
+    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+

+ +

The smtp_sasl_auth_enable setting enables +client-side authentication. We will configure the client's username +and password information in the second part of the example.
+
The smtp_tls_security_level setting ensures +that the connection to the remote smtp server will be encrypted, and +smtp_sasl_tls_security_options removes the prohibition on +plaintext passwords.
+ +
The relayhost setting forces the Postfix SMTP +to send all remote messages to the specified mail server instead +of trying to deliver them directly to their destination.
In the relayhost setting, the "[" +and "]" prevent the Postfix SMTP client from looking +up MX (mail exchanger) records for the enclosed name.
The relayhost destination may also specify a +non-default TCP port. For example, the alternative form +[mail.isp.example]:submission tells Postfix to connect +to TCP network port 587, which is reserved for email client +applications.
The Postfix SMTP client is compatible with SMTP servers +that use the non-standard "AUTH=method...." +syntax in response to the EHLO command; this requires no additional +Postfix client configuration.
The Postfix SMTP client does not support the obsolete +"wrappermode" protocol, which uses TCP port 465 on the +SMTP server. See TLS_README for a solution that uses the +stunnel command.
With the smtp_sasl_password_maps parameter, +we configure the Postfix SMTP client to send username and password +information to the mail gateway server. As discussed in the next +section, the Postfix SMTP client supports multiple ISP accounts. +For this reason the username and password are stored in a table +that contains one username/password combination for each mail gateway +server.
+ +

+ +

+/etc/postfix/sasl_passwd:
+    # destination                   credentials
+    [mail.isp.example]              username:password
+    # Alternative form:
+    # [mail.isp.example]:submission username:password
+

+ +

+ +Important + +
Keep the SASL client password file in /etc/postfix, +and make the file read+write only for root to protect +the username/password combinations against other users. The Postfix +SMTP client will still be able to read the SASL client passwords. +It opens the file as user root before it drops privileges, +and before entering an optional chroot jail.
+ +

+ +

Use the postmap command whenever you +change the /etc/postfix/sasl_passwd file.
If you specify the "[" and "]" +in the relayhost destination, then you must use the +same form in the smtp_sasl_password_maps file.
+
If you specify a non-default TCP Port (such as +":submission" or ":587") in the +relayhost destination, then you must use the same form +in the smtp_sasl_password_maps file.

+ +

Configuring Sender-Dependent SASL +authentication

+ +

Postfix supports different ISP accounts for different sender +addresses (version 2.3 and later). This can be useful when one +person uses the same machine for work and for personal use, or when +people with different ISP accounts share the same Postfix server. +

+ +

To make this possible, Postfix supports per-sender SASL passwords +and per-sender relay hosts. In the example below, the Postfix SMTP +client will search the SASL password file by sender address before +it searches that same file by destination. Likewise, the Postfix +trivial-rewrite(8) daemon will search the per-sender relayhost file, +and use the default relayhost setting only as a final +resort.

+ +

+/etc/postfix/main.cf:
+    smtp_sender_dependent_authentication = yes
+    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+    smtp_sasl_auth_enable = yes
+    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+    relayhost = [mail.isp.example]
+    # Alternative form:
+    # relayhost = [mail.isp.example]:submission
+

+ +

+/etc/postfix/sasl_passwd:
+    # Per-sender authentication; see also /etc/postfix/sender_relay.
+    user1@example.com               username1:password1
+    user2@example.net               username2:password2
+    # Login information for the default relayhost.
+    [mail.isp.example]              username:password
+    # Alternative form:
+    # [mail.isp.example]:submission username:password
+

+ +

+/etc/postfix/sender_relay:
+    # Per-sender provider; see also /etc/postfix/sasl_passwd.
+    user1@example.com               [mail.example.com]:submission
+    user2@example.net               [mail.example.net]
+

+ +

If you are creative, then you can try to combine the two +tables into one single MySQL database, and configure different +Postfix queries to extract the appropriate information.
+ +
Specify dbm instead of hash if your system uses dbm files +instead of db files. To find out what lookup tables Postfix supports, +use the command "postconf -m".
+ +
Execute the command "postmap /etc/postfix/sasl_passwd" +whenever you change the sasl_passwd table.
+ +
Execute the command "postmap /etc/postfix/sender_relay" +whenever you change the sender_relay table.
+ +

+ + + + -- cgit v1.2.3