diff options
Diffstat (limited to 'html/SOHO_README.html')
-rw-r--r-- | html/SOHO_README.html | 418 |
1 files changed, 418 insertions, 0 deletions
diff --git a/html/SOHO_README.html b/html/SOHO_README.html new file mode 100644 index 0000000..2c5def7 --- /dev/null +++ b/html/SOHO_README.html @@ -0,0 +1,418 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> + +<html> + +<head> + +<title>Postfix Small/Home Office Hints and Tips</title> + +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +<link rel='stylesheet' type='text/css' href='postfix-doc.css'> + +</head> + +<body> + +<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1> + +<hr> + +<h2>Overview</h2> + +<p> This document combines hints and tips for "small office/home +office" applications into one document so that they are easier to +find. The text describes the mail sending side only. If your machine +does not receive mail directly (i.e. it does not have its own +Internet domain name and its own fixed IP address), then you will +need a solution such as "fetchmail", which is outside the scope of +the Postfix documentation. </p> + +<ul> + +<li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p> + +<ul> + +<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a> + +<li><a href="#fantasy">Postfix on hosts without a real +Internet hostname</a> + +</ul> + +<p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p> + +<ul> + +<li><a href="#client_sasl_enable">Enabling SASL authentication in the +Postfix SMTP client</a></li> + +<li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL +authentication </a></li> + +</ul> + +</ul> + +<p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for +further information on these topics. </p> + +<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2> + +<p> Postfix should work out of the box without change on a stand-alone +machine that has direct Internet access. At least, that is how +Postfix installs when you download the Postfix source code via +<a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p> + +<p> You can use the command "<b>postconf -n</b>" to find out what +settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname +settings, few parameters should be set on a stand-alone box, beyond +what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p> + +<blockquote> +<pre> +/etc/postfix/<a href="postconf.5.html">main.cf</a>: + # Optional: send mail as user@domainname instead of user@hostname. + #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> + + # Optional: specify NAT/proxy external address. + #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 + + # Alternative 1: don't relay mail from other hosts. + <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host + <a href="postconf.5.html#relay_domains">relay_domains</a> = + + # Alternative 2: relay mail from local clients only. + # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28 + # <a href="postconf.5.html#relay_domains">relay_domains</a> = +</pre> +</blockquote> + +<p> See also the section "<a href="#fantasy">Postfix on hosts without +a real Internet hostname</a>" if this is applicable to your configuration. +</p> + +<h2><a name="fantasy">Postfix on hosts without a real Internet +hostname</a></h2> + +<p> This section is for hosts that don't have their own Internet +hostname. Typically these are systems that get a dynamic IP address +via DHCP or via dialup. Postfix will let you send and receive mail +just fine between accounts on a machine with a fantasy name. However, +you cannot use a fantasy hostname in your email address when sending +mail into the Internet, because no-one would be able to reply to +your mail. In fact, more and more sites refuse mail addresses with +non-existent domain names. </p> + +<p> Note: the following information is Postfix version dependent. +To find out what Postfix version you have, execute the command +"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p> + +<h3>Solution 1: Postfix version 2.2 and later </h3> + +<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace +local fantasy email addresses by valid Internet addresses. This +mapping happens ONLY when mail leaves the machine; not when you +send mail between users on the same machine. </p> + +<p> The following example presents additional configuration. You +need to combine this with basic configuration information as +discussed in the first half of this document. </p> + +<blockquote> +<pre> +1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: +2 <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/generic +3 +4 /etc/postfix/generic: +5 his@localdomain.local hisaccount@hisisp.example +6 her@localdomain.local heraccount@herisp.example +7 @localdomain.local hisaccount+local@hisisp.example +</pre> +</blockquote> + +<p> When mail is sent to a remote host via SMTP: </p> + +<ul> + +<li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP +mail address, </p> + +<li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP +mail address, and </p> + +<li> <p> Line 7 replaces other local addresses by his ISP account, +with an address extension of +<i>local</i> (this example assumes +that the ISP supports "+" style address extensions). </p> + +</ul> + +<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses +<b>dbm</b> files instead of <b>db</b> files. To find out what lookup +tables Postfix supports, use the command "<b>postconf -m</b>". </p> + +<p> Execute the command "<b>postmap /etc/postfix/generic</b>" +whenever you change the generic table. </p> + +<h3>Solution 2: Postfix version 2.1 and earlier </h3> + +<p> The solution with older Postfix systems is to use valid +Internet addresses where possible, and to let Postfix map valid +Internet addresses to local fantasy addresses. With this, you can +send mail to the Internet and to local fantasy addresses, including +mail to local fantasy addresses that don't have a valid Internet +address of their own.</p> + +<p> The following example presents additional configuration. You +need to combine this with basic configuration information as +discussed in the first half of this document. </p> + +<blockquote> +<pre> + 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: + 2 <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain + 3 <a href="postconf.5.html#mydomain">mydomain</a> = localdomain + 4 + 5 <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical + 6 + 7 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual + 8 + 9 /etc/postfix/canonical: +10 your-login-name your-account@your-isp.com +11 +12 /etc/postfix/virtual: +13 your-account@your-isp.com your-login-name +</pre> +</blockquote> + +<p> Translation: </p> + +<ul> + +<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not +use a domain name that is already in use by real organizations +on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain +names that are guaranteed not to be owned by anyone. </p> + +<li> <p> Lines 5, 9, 10: This provides the mapping from +"your-login-name@hostname.localdomain" to "your-account@your-isp.com". +This part is required. </p> + +<li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" +locally, instead of sending it to the ISP. This part is not required +but is convenient. + +</ul> + +<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses +<b>dbm</b> files instead of <b>db</b> files. To find out what lookup +tables Postfix supports, use the command "<b>postconf -m</b>". </p> + +<p> Execute the command "<b>postmap /etc/postfix/canonical</b>" +whenever you change the canonical table. </p> + +<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" +whenever you change the virtual table. </p> + +<h2><a name="client_sasl_enable">Enabling SASL authentication in the +Postfix SMTP/LMTP client</a></h2> + +<p> This section shows a typical scenario where the Postfix SMTP +client sends all messages via a mail gateway server that requires +SASL authentication. </p> + +<blockquote> + +<strong> Trouble solving tips: </strong> + +<ul> + +<li> <p> If your SASL logins fail with "SASL authentication failure: +No worthy mechs found" in the mail logfile, then see the section +"<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP +client policy - SASL mechanism <em>properties</em></a>". + +<li> <p> For a solution to a more obscure class of SASL authentication +failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix +SMTP/LMTP client policy - SASL mechanism <em>names</em></a>". + +</ul> + +</blockquote> + +<p> To make the example more readable we introduce it in two parts. +The first part takes care of the basic configuration, while the +second part sets up the username/password information. </p> + +<blockquote> +<pre> +/etc/postfix/<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes + <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt + <a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous + <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] + # Alternative form: + # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission + <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd +</pre> +</blockquote> + +<ul> + +<li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables +client-side authentication. We will configure the client's username +and password information in the second part of the example. </p> +</li> + +<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures +that the connection to the remote smtp server will be encrypted, and +<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on +plaintext passwords. </p> + +<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP +to send all remote messages to the specified mail server instead +of trying to deliver them directly to their destination. </p> </li> + +<li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>" +and "<code>]</code>" prevent the Postfix SMTP client from looking +up MX (mail exchanger) records for the enclosed name. </p> </li> + +<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a +non-default TCP port. For example, the alternative form +<code>[mail.isp.example]:submission</code> tells Postfix to connect +to TCP network port 587, which is reserved for email client +applications. </p> </li> + +<li> <p> The Postfix SMTP client is compatible with SMTP servers +that use the non-standard "<code>AUTH=<em>method.</em>...</code>" +syntax in response to the EHLO command; this requires no additional +Postfix client configuration. </p> </li> + +<li> <p> With the setting "<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes", the Postfix +SMTP client supports the "wrappermode" protocol, which uses TCP +port 465 on the SMTP server (Postfix 3.0 and later). </p> </li> + +<li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter, +we configure the Postfix SMTP client to send username and password +information to the mail gateway server. As discussed in the next +section, the Postfix SMTP client supports multiple ISP accounts. +For this reason the username and password are stored in a table +that contains one username/password combination for each mail gateway +server. </p> + +</ul> + +<blockquote> +<pre> +/etc/postfix/sasl_passwd: + # destination credentials + [mail.isp.example] username:password + # Alternative form: + # [mail.isp.example]:submission username:password +</pre> +</blockquote> + +<blockquote> + +<strong>Important</strong> + +<p> Keep the SASL client password file in <code>/etc/postfix</code>, +and make the file read+write only for <code>root</code> to protect +the username/password combinations against other users. The Postfix +SMTP client will still be able to read the SASL client passwords. +It opens the file as user <code>root</code> before it drops privileges, +and before entering an optional chroot jail. </p> + +</blockquote> + +<ul> + +<li> <p> Use the <code>postmap</code> command whenever you +change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li> + +<li> <p> If you specify the "<code>[</code>" and "<code>]</code>" +in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the +same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> +</li> + +<li> <p> If you specify a non-default TCP Port (such as +"<code>:submission</code>" or "<code>:587</code>") in the +<code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form +in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li> + +</ul> + +<h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL +authentication</a></h2> + +<p> Postfix supports different ISP accounts for different sender +addresses (version 2.3 and later). This can be useful when one +person uses the same machine for work and for personal use, or when +people with different ISP accounts share the same Postfix server. +</p> + +<p> To make this possible, Postfix supports per-sender SASL passwords +and per-sender relay hosts. In the example below, the Postfix SMTP +client will search the SASL password file by sender address before +it searches that same file by destination. Likewise, the Postfix +<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file, +and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final +resort. </p> + +<blockquote> +<pre> +/etc/postfix/<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes + <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_relay + <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes + <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd + <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] + # Alternative form: + # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission +</pre> +</blockquote> + +<blockquote> +<pre> +/etc/postfix/sasl_passwd: + # Per-sender authentication; see also /etc/postfix/sender_relay. + user1@example.com username1:password1 + user2@example.net username2:password2 + # Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>. + [mail.isp.example] username:password + # Alternative form: + # [mail.isp.example]:submission username:password +</pre> +</blockquote> + +<blockquote> +<pre> +/etc/postfix/sender_relay: + # Per-sender provider; see also /etc/postfix/sasl_passwd. + user1@example.com [mail.example.com]:submission + user2@example.net [mail.example.net] +</pre> +</blockquote> + +<ul> + +<li> <p> If you are creative, then you can try to combine the two +tables into one single MySQL database, and configure different +Postfix queries to extract the appropriate information. </p> + +<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses +<b>dbm</b> files instead of <b>db</b> files. To find out what lookup +tables Postfix supports, use the command "<b>postconf -m</b>". </p> + +<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>" +whenever you change the sasl_passwd table. </p> + +<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>" +whenever you change the sender_relay table. </p> + +</ul> + +</body> + +</html> |