1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
|
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Postfix Small/Home Office Hints and Tips</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1>
<hr>
<h2>Overview</h2>
<p> This document combines hints and tips for "small office/home
office" applications into one document so that they are easier to
find. The text describes the mail sending side only. If your machine
does not receive mail directly (i.e. it does not have its own
Internet domain name and its own fixed IP address), then you will
need a solution such as "fetchmail", which is outside the scope of
the Postfix documentation. </p>
<ul>
<li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p>
<ul>
<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a>
<li><a href="#fantasy">Postfix on hosts without a real
Internet hostname</a>
</ul>
<p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p>
<ul>
<li><a href="#client_sasl_enable">Enabling SASL authentication in the
Postfix SMTP client</a></li>
<li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL
authentication </a></li>
</ul>
</ul>
<p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for
further information on these topics. </p>
<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2>
<p> Postfix should work out of the box without change on a stand-alone
machine that has direct Internet access. At least, that is how
Postfix installs when you download the Postfix source code via
<a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p>
<p> You can use the command "<b>postconf -n</b>" to find out what
settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname
settings, few parameters should be set on a stand-alone box, beyond
what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Optional: send mail as user@domainname instead of user@hostname.
#<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
# Optional: specify NAT/proxy external address.
#<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4
# Alternative 1: don't relay mail from other hosts.
<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host
<a href="postconf.5.html#relay_domains">relay_domains</a> =
# Alternative 2: relay mail from local clients only.
# <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28
# <a href="postconf.5.html#relay_domains">relay_domains</a> =
</pre>
</blockquote>
<p> See also the section "<a href="#fantasy">Postfix on hosts without
a real Internet hostname</a>" if this is applicable to your configuration.
</p>
<h2><a name="fantasy">Postfix on hosts without a real Internet
hostname</a></h2>
<p> This section is for hosts that don't have their own Internet
hostname. Typically these are systems that get a dynamic IP address
via DHCP or via dialup. Postfix will let you send and receive mail
just fine between accounts on a machine with a fantasy name. However,
you cannot use a fantasy hostname in your email address when sending
mail into the Internet, because no-one would be able to reply to
your mail. In fact, more and more sites refuse mail addresses with
non-existent domain names. </p>
<p> Note: the following information is Postfix version dependent.
To find out what Postfix version you have, execute the command
"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p>
<h3>Solution 1: Postfix version 2.2 and later </h3>
<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace
local fantasy email addresses by valid Internet addresses. This
mapping happens ONLY when mail leaves the machine; not when you
send mail between users on the same machine. </p>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed the first half of this document. </p>
<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2 <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/generic
3
4 /etc/postfix/generic:
5 his@localdomain.local hisaccount@hisisp.example
6 her@localdomain.local heraccount@herisp.example
7 @localdomain.local hisaccount+local@hisisp.example
</pre>
</blockquote>
<p> When mail is sent to a remote host via SMTP: </p>
<ul>
<li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP
mail address, </p>
<li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP
mail address, and </p>
<li> <p> Line 7 replaces other local addresses by his ISP account,
with an address extension of +<i>local</i> (this example assumes
that the ISP supports "+" style address extensions). </p>
</ul>
<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
tables Postfix supports, use the command "<b>postconf -m</b>". </p>
<p> Execute the command "<b>postmap /etc/postfix/generic</b>"
whenever you change the generic table. </p>
<h3>Solution 2: Postfix version 2.1 and earlier </h3>
<p> The solution with older Postfix systems is to use valid
Internet addresses where possible, and to let Postfix map valid
Internet addresses to local fantasy addresses. With this, you can
send mail to the Internet and to local fantasy addresses, including
mail to local fantasy addresses that don't have a valid Internet
address of their own.</p>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed the first half of this document. </p>
<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2 <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain
3 <a href="postconf.5.html#mydomain">mydomain</a> = localdomain
4
5 <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical
6
7 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual
8
9 /etc/postfix/canonical:
10 your-login-name your-account@your-isp.com
11
12 /etc/postfix/virtual:
13 your-account@your-isp.com your-login-name
</pre>
</blockquote>
<p> Translation: </p>
<ul>
<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
names that are guaranteed not to be owned by anyone. </p>
<li> <p> Lines 5, 9, 10: This provides the mapping from
"your-login-name@hostname.localdomain" to "your-account@your-isp.com".
This part is required. </p>
<li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com"
locally, instead of sending it to the ISP. This part is not required
but is convenient.
</ul>
<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
tables Postfix supports, use the command "<b>postconf -m</b>". </p>
<p> Execute the command "<b>postmap /etc/postfix/canonical</b>"
whenever you change the canonical table. </p>
<p> Execute the command "<b>postmap /etc/postfix/virtual</b>"
whenever you change the virtual table. </p>
<h2><a name="client_sasl_enable">Enabling SASL authentication in the
Postfix SMTP/LMTP client</a></h2>
<p> This section shows a typical scenario where the Postfix SMTP
client sends all messages via a mail gateway server that requires
SASL authentication. </p>
<blockquote>
<strong> Trouble solving tips: </strong>
<ul>
<li> <p> If your SASL logins fail with "SASL authentication failure:
No worthy mechs found" in the mail logfile, then see the section
"<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP
client policy - SASL mechanism <em>properties</em></a>".
<li> <p> For a solution to a more obscure class of SASL authentication
failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix
SMTP/LMTP client policy - SASL mechanism <em>names</em></a>".
</ul>
</blockquote>
<p> To make the example more readable we introduce it in two parts.
The first part takes care of the basic configuration, while the
second part sets up the username/password information. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
# Alternative form:
# <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
<a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd
</pre>
</blockquote>
<ul>
<li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables
client-side authentication. We will configure the client's username
and password information in the second part of the example. </p>
</li>
<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures
that the connection to the remote smtp server will be encrypted, and
<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on
plaintext passwords. </p>
<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP
to send all remote messages to the specified mail server instead
of trying to deliver them directly to their destination. </p> </li>
<li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>"
and "<code>]</code>" prevent the Postfix SMTP client from looking
up MX (mail exchanger) records for the enclosed name. </p> </li>
<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a
non-default TCP port. For example, the alternative form
<code>[mail.isp.example]:submission</code> tells Postfix to connect
to TCP network port 587, which is reserved for email client
applications. </p> </li>
<li> <p> The Postfix SMTP client is compatible with SMTP servers
that use the non-standard "<code>AUTH=<em>method.</em>...</code>"
syntax in response to the EHLO command; this requires no additional
Postfix client configuration. </p> </li>
<li> <p> The Postfix SMTP client does not support the obsolete
"wrappermode" protocol, which uses TCP port <code>465</code> on the
SMTP server. See <a href="TLS_README.html">TLS_README</a> for a solution that uses the
<code>stunnel</code> command. </p> </li>
<li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter,
we configure the Postfix SMTP client to send username and password
information to the mail gateway server. As discussed in the next
section, the Postfix SMTP client supports multiple ISP accounts.
For this reason the username and password are stored in a table
that contains one username/password combination for each mail gateway
server. </p>
</ul>
<blockquote>
<pre>
/etc/postfix/sasl_passwd:
# destination credentials
[mail.isp.example] username:password
# Alternative form:
# [mail.isp.example]:submission username:password
</pre>
</blockquote>
<blockquote>
<strong>Important</strong>
<p> Keep the SASL client password file in <code>/etc/postfix</code>,
and make the file read+write only for <code>root</code> to protect
the username/password combinations against other users. The Postfix
SMTP client will still be able to read the SASL client passwords.
It opens the file as user <code>root</code> before it drops privileges,
and before entering an optional chroot jail. </p>
</blockquote>
<ul>
<li> <p> Use the <code>postmap</code> command whenever you
change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li>
<li> <p> If you specify the "<code>[</code>" and "<code>]</code>"
in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the
same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p>
</li>
<li> <p> If you specify a non-default TCP Port (such as
"<code>:submission</code>" or "<code>:587</code>") in the
<code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form
in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li>
</ul>
<h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL
authentication</a></h2>
<p> Postfix supports different ISP accounts for different sender
addresses (version 2.3 and later). This can be useful when one
person uses the same machine for work and for personal use, or when
people with different ISP accounts share the same Postfix server.
</p>
<p> To make this possible, Postfix supports per-sender SASL passwords
and per-sender relay hosts. In the example below, the Postfix SMTP
client will search the SASL password file by sender address before
it searches that same file by destination. Likewise, the Postfix
<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file,
and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final
resort. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes
<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_relay
<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
<a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
# Alternative form:
# <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/sasl_passwd:
# Per-sender authentication; see also /etc/postfix/sender_relay.
user1@example.com username1:password1
user2@example.net username2:password2
# Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>.
[mail.isp.example] username:password
# Alternative form:
# [mail.isp.example]:submission username:password
</pre>
</blockquote>
<blockquote>
<pre>
/etc/postfix/sender_relay:
# Per-sender provider; see also /etc/postfix/sasl_passwd.
user1@example.com [mail.example.com]:submission
user2@example.net [mail.example.net]
</pre>
</blockquote>
<ul>
<li> <p> If you are creative, then you can try to combine the two
tables into one single MySQL database, and configure different
Postfix queries to extract the appropriate information. </p>
<li> <p> Specify dbm instead of hash if your system uses dbm files
instead of db files. To find out what lookup tables Postfix supports,
use the command "postconf -m". </p>
<li> <p> Execute the command "postmap /etc/postfix/sasl_passwd"
whenever you change the sasl_passwd table. </p>
<li> <p> Execute the command "postmap /etc/postfix/sender_relay"
whenever you change the sender_relay table. </p>
</ul>
</body>
</html>
|