Configuration of Postfix on Ubuntu - mail server

Lecture



Postfix has several hundred configuration parameters set in the main.cf file. Fortunately, all parameters have meaningful defaults. In most cases, you only have to set two or three parameters before you can start playing with the mail system. Here is a brief introduction to the syntax:

Postfix configuration files

The following text assumes that you have already installed Postfix, either by compiling it yourself from source (as described in the INSTALL file) or by installing ready-made binaries.

This document describes the basic configuration of Postfix. Information on how to configure Postfix for specific situations, such as on a mail hub, behind a firewall, or on a dial-up client, can be found in the STANDARD_CONFIGURATION_README file. But do not follow that link until you have mastered the material below.

First of all, we are interested in the parameters that determine the identification information and the role of the machine in the network.

What domain name to use in outgoing mail

For which domains to accept mail

From which clients to relay mail

Where to relay mail

Delivery method: direct or not direct

Many other configuration parameters inherit their values from the above.

The following interesting parameter controls the amount of mail sent to the local postmaster:

What problems should postmaster report

The following parameter must be set correctly if you are behind a proxy server or a NAT (network address translator) and act as a backup MX host for a foreign domain:

Proxy / NAT external network addresses

Postfix processes are daemons running in the background. They log information about problems and normal activity to the syslog system. Here are a few points to consider:

What you should know about Postfix logging

If your machine has special security requirements, you probably want Postfix to run in a chroot environment (from CHange ROOT, an environment with a changed file system root).

Run Postfix daemons in chroot

If you run Postfix on a virtual network interface, or other mail servers (MTAs) are running on your virtual interfaces, you should also pay attention to the following parameters:

My hostname

My domain name

My network addresses
Postfix configuration files

By default, Postfix configuration files are located in /etc/postfix (on FreeBSD, in /usr/local/etc/postfix - translator's note). The two most important files are main.cf and master.cf. These files must be owned by root. Giving any other user write permission to main.cf or master.cf (or to their parent directories) means giving that user superuser privileges.
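The ownership and permission rule above is easy to check from a cron job or a deployment script. The following shell function is an added example, not part of the original text or of Postfix itself; it checks a configuration file and its parent directory for the expected owner (root in production; the owner is a parameter so the function can be exercised on a test file) and for group/other write bits. It assumes Linux with GNU or busybox "stat -c".

```shell
# Added example (not from the Postfix documentation): verify that a Postfix
# configuration file and its parent directory are owned by the expected user
# and are not writable by group or others. Returns 0 when safe, 1 otherwise.
# Assumes Linux "stat -c" output (%U = owner name, %A = symbolic mode).
postfix_config_safe() {
    file=$1
    expected_owner=${2:-root}   # production value; a test may pass the current user
    rc=0
    for path in "$file" "$(dirname "$file")"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            return 1
        fi
        owner=$(stat -c '%U' "$path")
        perms=$(stat -c '%A' "$path")   # e.g. -rw-r--r-- or drwxr-xr-x
        if [ "$owner" != "$expected_owner" ]; then
            echo "BAD  $path is owned by $owner, expected $expected_owner"
            rc=1
        fi
        # in the symbolic mode string, character 6 is the group write bit
        # and character 9 is the other write bit
        case "$perms" in
            ?????w*|????????w*)
                echo "BAD  $path is writable by group or others ($perms)"
                rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "ok   $file (owner $expected_owner, no group/other write)"
    return $rc
}

# Typical use on a real system (as root):
#   postfix_config_safe /etc/postfix/main.cf && postfix_config_safe /etc/postfix/master.cf
```

Note that "postfix check" performs a similar audit over the whole Postfix installation; this function is only a focused check on the two files the paragraph singles out.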

In /etc/postfix/main.cf you set the values of a number of configuration parameters. These parameters resemble shell variables, but there are two important differences. First: Postfix does not treat quotes the way the UNIX shell does.

You assign a value to the configuration parameter as follows:
/etc/postfix/main.cf:
parameter = value

and use the parameter value by adding the "$" symbol in front of its name:
/etc/postfix/main.cf:
other_parameter = $parameter

You can use $parameter before assigning a value to it (this is the second major difference from UNIX shell variables). The Postfix configuration language uses lazy evaluation and does not look at parameter values until they are needed at run time.

Postfix uses databases for access control, address rewriting and other purposes. The DATABASE_README file gives introductory information on how Postfix works with Berkeley DB, LDAP, SQL and other types of databases. This is a general example of how Postfix accesses a database:
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

If you have changed main.cf or master.cf, run the following command as root so that the running Postfix picks up the configuration changes:
# postfix reload
What domain name to use in outgoing mail

The myorigin parameter specifies the domain name that appears in mail sent from this machine. The default is the local machine name, $myhostname, which in turn defaults to the host name. Unless Postfix runs on a very small site, you probably want to set myorigin to $mydomain, which by default is the domain part of the fully-qualified machine name.

For consistency between sender and recipient addresses, myorigin also specifies the domain name that is appended to an unqualified recipient address.

Examples (specify only one of the following):
/etc/postfix/main.cf:
myorigin = $myhostname (default: send mail as "user@$myhostname")
myorigin = $mydomain (probably preferable: "user@$mydomain")
For which domains to accept mail

The mydestination parameter specifies which domains this machine delivers locally instead of forwarding to another host. By default, Postfix accepts mail for the local machine only. See the VIRTUAL_README file for configuring Postfix for virtual domain hosting (hosted domains).

You can specify one or more domains, "/file/name" patterns and/or lookup tables "type:table" (such as hash:, btree:, nis:, ldap:, or mysql:), separated by spaces and/or commas. A "/file/name" is replaced by the contents of the file; a "type:table" lookup table is queried only to check whether the domain exists, and the lookup result itself is ignored.

IMPORTANT: If your host is the mail server for the entire domain, you must also include $mydomain in mydestination.

Example 1: The default value.
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain localhost

Example 2: mail server for the entire domain.
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain localhost $mydomain

Example 3: host with multiple DNS A records.
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain localhost
    www.$mydomain ftp.$mydomain

Example 4: a host whose DNS MX records point to a different domain (for example, mail for the domain is handled by mail.ru, yandex.ru or gmail.com).
/etc/postfix/main.cf:
mydestination = localhost

Warning: to avoid mail delivery loops, you must list all names of the machine, including $myhostname and localhost.$mydomain. (The continuation line in example 3 must start with whitespace; that is how Postfix knows it belongs to the previous line.)
From which clients to relay mail

By default, Postfix relays mail from clients in authorized networks to any destination. Authorized networks are defined by the mynetworks configuration parameter. The default is to authorize all clients in the IP subnets that the local machine is attached to.

IMPORTANT: if your machine is connected to a wide area network, the default mynetworks setting may be unsafe.

Examples (specify only one of the following options):
/etc/postfix/main.cf:
mynetworks_style = subnet (default: authorize subnets)
mynetworks_style = host (safe: authorize only the local machine)
mynetworks = 127.0.0.0/8 (safe: authorize only the local machine)
mynetworks = 127.0.0.0/8 168.100.189.2/32 (authorize only the local machine)

You can list the trusted networks in main.cf yourself, or let Postfix do the work for you. By default, Postfix does the work. The result depends on the value of the mynetworks_style parameter.

Specify "mynetworks_style = host" if Postfix should only forward mail from the local host.

Specify "mynetworks_style = subnet" (the default) if Postfix should relay mail from SMTP clients in the IP subnets that the local machine belongs to. On Linux, this works correctly only for interfaces configured with the "ifconfig" command.

Specify "mynetworks_style = class" if Postfix should relay mail from SMTP clients in the same class A/B/C IP network as the local machine. Do not configure Postfix this way on a machine with a dial-up connection, since Postfix would then "trust" your provider's entire network. Instead, list mynetworks explicitly as described below.

Alternatively, you can specify the mynetworks list manually, in which case Postfix ignores the mynetworks_style parameter. To specify a list of trusted networks, give network blocks in CIDR notation (network/mask), for example:
/etc/postfix/main.cf:
mynetworks = 168.100.189.0/28, 127.0.0.0/8

You can also specify the absolute path of a file containing the list of trusted networks instead of listing them directly in main.cf.
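Because every network in mynetworks may relay to any destination, it is worth auditing the value before a reload. The following shell function is an added example, not part of the original text or of Postfix: it splits a mynetworks value on spaces and/or commas (the separators the text names), treats 127.0.0.0/8 as the expected loopback entry, and reports any IPv4 CIDR block whose prefix is shorter than a chosen limit (default /16) as too broad. Entries without a numeric prefix are reported as not checked. The limit and the sample values are this example's own assumptions; 168.100.189.0/28 is the block used in the text.

```shell
# Added example (not from the Postfix documentation): audit a mynetworks value
# for entries that trust far more than the local machine. Prints one line per
# entry and returns 1 if any IPv4 block is broader than the limit.
#   mynetworks_audit "168.100.189.0/28, 127.0.0.0/8"        # returns 0
#   mynetworks_audit "10.0.0.0/8 127.0.0.0/8"               # returns 1
mynetworks_audit() {
    value=$1
    limit=${2:-16}      # flag IPv4 prefixes shorter than this (assumed threshold)
    status=0
    # Postfix accepts spaces and/or commas as separators
    for entry in $(printf '%s' "$value" | tr ',' ' '); do
        case "$entry" in
            127.0.0.0/8)
                echo "ok     $entry (loopback)" ;;
            */*)
                prefix=${entry##*/}
                case "$prefix" in
                    ''|*[!0-9]*)
                        echo "?      $entry (prefix is not numeric, not checked)" ;;
                    *)
                        if [ "$prefix" -lt "$limit" ]; then
                            echo "BROAD  $entry (/$prefix trusts a very large network to relay)"
                            status=1
                        else
                            echo "ok     $entry"
                        fi ;;
                esac ;;
            *)
                echo "ok     $entry (single host)" ;;
        esac
    done
    return $status
}

# On a live system the value comes from postconf, e.g.:
#   mynetworks_audit "$(postconf -h mynetworks)"
```

The audit is deliberately conservative: it does not resolve file or table references ("/file/name", "type:table"), so a mynetworks that delegates to a file still needs the file's contents checked the same way.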
Where to relay mail

By default, Postfix relays mail from strangers (that is, clients outside the trusted networks) only to authorized domains. The domains to which third-party clients may relay are defined by the relay_domains parameter. By default, Postfix authorizes all domains (and subdomains) listed in the mydestination parameter.

Examples (specify only one of the following):
/etc/postfix/main.cf:
relay_domains = $mydestination (default)
relay_domains = (safe option: never relay mail from strangers)
relay_domains = $mydomain (relay mail addressed to your domain and its subdomains)
Delivery method: direct or not direct

By default, Postfix tries to deliver mail to the Internet directly. Depending on the environment your mail server operates in, this may be impossible or undesirable. For example, your machine may be disconnected from the Internet outside office hours, it may be behind a firewall, or your provider may forbid sending mail to the Internet directly. In such cases you need to configure Postfix to forward mail through another mail server (relay host).

Examples (specify only one of the following):
/etc/postfix/main.cf:
relayhost = (default: deliver directly to the Internet)
relayhost = $mydomain (deliver via the local mail server)
relayhost = [mail.$mydomain] (deliver via the local mail server)
relayhost = [mail.isp.tld] (deliver via the provider's mail server)

The form enclosed in square brackets [] tells Postfix not to look up MX records. Do not worry if you do not understand what this means (either read up on DNS, or leave MTA configuration alone; your life will be calmer - translator's note). Just make sure that you put the relay host name you got from your provider in square brackets [].

The STANDARD_CONFIGURATION_README file has more examples and tips for configuring Postfix "behind a firewall" and/or on a dial-up network.
What problems should postmaster report

You must specify a postmaster alias in the aliases(5) alias table that redirects mail to a real person. The postmaster address must exist so that users can report mail delivery problems. While editing the aliases(5) table, do not forget to also redirect the superuser's (root's) mail to a real person.
/etc/aliases:
postmaster: you
root: you

Run the "newaliases" command after changing the alias file. Your alias file may be located somewhere other than /etc/aliases. Use the "postconf alias_maps" command to find out where.

Postfix reports problems to the postmaster alias. You may want to limit the kinds of trouble you are told about. The postmaster notification mechanism is configurable. By default, you are informed only about serious (resource, software) problems:

Default settings:
/etc/postfix/main.cf:
notify_classes = resource, software

The notification classes have the following meanings:
bounce
Inform the postmaster about undeliverable mail. Either send the postmaster a copy of the undeliverable mail that is returned to the sender, or a transcript of the SMTP session in which Postfix decided that delivery was impossible. For privacy reasons, the copy of the undeliverable mail sent to the postmaster is truncated right after the headers. See also the luser_relay parameter. Problems of the bounce class are reported to the recipient specified in the bounce_notice_recipient parameter (default: postmaster).
2bounce
When Postfix cannot return undeliverable mail to the sender, send it to the postmaster instead (without truncating the message after the main headers). Problems of the 2bounce class are reported to the recipient specified in the 2bounce_notice_recipient parameter (default: postmaster).
delay
Inform the postmaster about delayed mail. In this case, the postmaster receives only the message headers. Problems of the "delay" class are reported to the recipient specified in the delay_notice_recipient parameter (default: postmaster).
policy
Inform the postmaster about client requests that were rejected because of anti-spam policy (spam - UCE, Unsolicited Commercial E-mail). The postmaster receives a transcript of the SMTP session. Problems of the "policy" class are reported to the recipient specified in the error_notice_recipient parameter (default: postmaster).
protocol
Inform the postmaster about protocol errors (on the client or server side) or about client attempts to execute unimplemented commands. The postmaster receives a transcript of the SMTP session. Problems of the "protocol" class are reported to the recipient specified in the error_notice_recipient parameter (default: postmaster).
resource
Inform the postmaster about mail that could not be delivered because of system resource problems (for example, a queue file could not be written). Problems of the "resource" class are reported to the recipient specified in the error_notice_recipient parameter (default: postmaster).
software
Inform the postmaster about mail that could not be delivered because of software problems. Problems of the "software" class are reported to the recipient specified in the error_notice_recipient parameter (default: postmaster).
Proxy / NAT external network addresses

Some mail servers are connected to the Internet via a NAT (Network Address Translator) or a proxy server. This means that systems on the Internet connect to the proxy or NAT rather than directly to the mail server. The proxy or NAT in turn connects to the target mail server, but Postfix does not know about it.

If Postfix runs behind a proxy server or NAT, you must list in the proxy_interfaces parameter all external proxy or NAT addresses on which Postfix receives mail. You can specify symbolic host names instead of network addresses.

IMPORTANT: You must specify your external proxy/NAT addresses when your system acts as a backup MX host for other domains, otherwise mail delivery loops will occur when the primary MX host is down.

Example: system behind NAT, acting as a backup MX host.
/etc/postfix/main.cf:
proxy_interfaces = 1.2.3.4 (external proxy/NAT network address)
What you should know about Postfix logging

Postfix processes are daemons running in the background. They log information about problems and normal activity to the syslog system. The syslogd process sorts messages by type and importance and appends them to log files. The types of logged events, the severity levels and the log file names are usually specified in the /etc/syslog.conf file. At a minimum, you need something like this:
/etc/syslog.conf:
mail.err /dev/console
mail.debug /var/log/maillog

After modifying syslog.conf, send a "HUP" signal to the syslogd process.

IMPORTANT: Many syslogd implementations do not create log files themselves; you must create the necessary files manually before (re)starting syslogd.

IMPORTANT: on Linux you should put a "-" in front of the file name, i.e. -/var/log/maillog, otherwise the syslogd process will use more system resources than Postfix.

Hopefully there will be few problems, but it is good practice to run the following every night (before the log files are rotated):
# postfix check
# egrep '(reject|warning|error|fatal|panic):' /some/log/file

The first line (postfix check) makes Postfix report files with wrong owners or permissions.

The second line searches for problem reports from the mail system and also shows you how effectively mail relaying and junk mail blocking work. This can produce a lot of output, so further processing may be needed to filter out the noise.
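One way to do that further processing is to collapse the egrep output into counts. The following shell functions are an added example, not part of the original text or of Postfix: mail_log_summary applies the same pattern as the egrep above to log text on stdin and prints a count per class (reject, warning, error, fatal, panic), and mail_log_rejects_by_client counts rejections per client IP address so that a repeat offender or a misconfigured legitimate client stands out. The log lines in SAMPLE_MAILLOG are constructed for the example, with documentation addresses and made-up queue ids.

```shell
# Added example (not from the Postfix documentation). SAMPLE_MAILLOG is a
# constructed syslog excerpt in Postfix's usual format; nothing in it is real.
SAMPLE_MAILLOG='Mar  1 02:10:11 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <spam@example.net>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<example.net>
Mar  1 02:10:12 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Mar  1 02:11:03 mx postfix/smtp[1240]: warning: host mail.example.net[198.51.100.5] greeted me with my own hostname mx.example.org
Mar  1 02:12:44 mx postfix/qmgr[1100]: 3F2A1C0B12: from=<alice@example.org>, size=1024, nrcpt=1 (queue active)
Mar  1 02:13:05 mx postfix/smtpd[1202]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.1.8 <bogus@invalid.test>: Sender address rejected: Domain not found; from=<bogus@invalid.test> to=<bob@example.org> proto=ESMTP helo=<x>
Mar  1 02:14:00 mx postfix/master[1000]: fatal: /etc/postfix/master.cf: line 12: bad field count
Mar  1 02:14:30 mx postfix/local[1300]: 3F2A1C0B12: to=<bob@example.org>, relay=local, delay=0.5, status=sent (delivered to mailbox)'

# Read log text on stdin; print "class count" for every line the nightly
# egrep pattern would select, sorted by class name.
mail_log_summary() {
    awk '
        match($0, /(reject|warning|error|fatal|panic):/) {
            cls = substr($0, RSTART, RLENGTH - 1)   # drop the trailing colon
            n[cls]++
        }
        END { for (c in n) print c, n[c] }
    ' | sort
}

# Read log text on stdin; for reject lines, print "client-ip count" so that
# one client producing many rejections is visible at a glance.
mail_log_rejects_by_client() {
    awk '
        / reject: / && match($0, /from [^ ]*\[[0-9.]+\]/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*\[/, "", s); sub(/\]$/, "", s)   # keep only the address
            n[s]++
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort
}

# Nightly use on a real system would be, for example:
#   mail_log_summary < /var/log/maillog
#   mail_log_rejects_by_client < /var/log/maillog
```

The class counts give a quick trend line (a sudden jump in "reject" or any "fatal" deserves a look), while the per-client view separates a noisy spammer from a single internal host that keeps being rejected because of a configuration mistake.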

The DEBUG_README file describes the meaning of "warning", etc. in the Postfix logs.
Run Postfix daemons in chroot

Postfix daemons can be configured (in master.cf) to run in a chroot environment. The processes run with fixed low privileges, and their file system access is limited to the Postfix queue directory (/var/spool/postfix). This creates a serious barrier against intrusions. The barrier is not "absolute" (the chroot environment restricts only file system access), but every bit of security helps.

With the exception of Postfix daemons that deliver mail locally, each Postfix process can operate in a chroot environment.

Machines with high security requirements should consider running all daemons that talk to the network in the chroot environment: the smtp(8) and smtpd(8) processes, and possibly the lmtp(8) client. On the author's "home" mail server (porcupine.org), all daemons run in a chroot environment.

By default, /etc/postfix/master.cf instructs Postfix not to run processes in a chroot environment. To run the Postfix daemons in a chroot environment, edit /etc/postfix/master.cf following the instructions in the file. When done, execute "postfix reload" for the changes to take effect.

Remember that daemons in the chroot environment resolve all paths relative to the Postfix queue directory (/var/spool/postfix). On most UNIX systems you need to copy some files or devices into the chroot for it to work. The examples/chroot-setup directory of the source distribution contains scripts that can help you set up the Postfix chroot environment on various operating systems.

In addition, in almost all cases you will need to configure syslogd to listen on a socket inside the Postfix queue directory. Examples of syslogd command-line options that do this on some systems:

FreeBSD: syslogd -l /var/spool/postfix/var/run/log

Linux, OpenBSD: syslogd -a /var/spool/postfix/dev/log
My hostname

The myhostname parameter specifies the fully-qualified domain name (FQDN) of the machine running Postfix. $myhostname appears as the default value in many other Postfix configuration parameters.

By default, myhostname is set to the local machine name. If your machine name is not a fully-qualified domain name (FQDN), or you run Postfix on a virtual interface, you must specify the FQDN that the mail system should use.

Alternatively, if you specify a mydomain value in main.cf, Postfix uses that value to generate the fully-qualified machine name (FQDN) for the myhostname parameter.

Examples (specify only one of the following):
/etc/postfix/main.cf:
myhostname = host.local.domain (machine name is not an FQDN)
myhostname = host.virtual.domain (virtual interface)
myhostname = virtual.domain (virtual interface)
My domain name

The mydomain parameter specifies the parent domain of $myhostname. By default, it is derived by stripping the first component from $myhostname (unless the result would be a top-level domain).

Conversely, if you specify a mydomain value in main.cf, Postfix uses it to generate the fully-qualified machine name (FQDN) for the myhostname parameter.

Examples (specify only one of the following):
/etc/postfix/main.cf:
mydomain = local.domain
mydomain = virtual.domain (virtual interface)
My network addresses

The inet_interfaces parameter specifies all network interface addresses on which Postfix should listen for connections. Mail addressed to "user@[network address]" is delivered locally, as if it were addressed to a domain listed in $mydestination.

You can override the inet_interfaces value in the master.cf configuration file by prepending an IP address to the server name.

By default, Postfix listens on all active interfaces. If you run mail servers on virtual interfaces, you must specify which interfaces to listen on.

IMPORTANT: If you run a mail server on virtual interfaces, you must specify exact inet_interfaces values for the MTA (Mail Transfer Agent) that receives mail for the local machine: that MTA must never listen on the virtual interfaces, otherwise mail will loop when it goes down.

Example: default setting.
/etc/postfix/main.cf:
inet_interfaces = all

Example: host with one or more mail servers. For each Postfix instance, specify only one of the following:
/etc/postfix/main.cf:
inet_interfaces = virtual.host.tld (virtual Postfix)
inet_interfaces = $myhostname localhost... (non-virtual Postfix)

Note: you must stop and start Postfix after changing this parameter.

Possible errors

postfix/sendmail[37795]: fatal: /etc/mailname mydestination =....... , localhost: cannot open file:
No such file or directory

in the config

mydestination = $myhostname, ....., localhost......com , localhost

there is an extra space in front of mydestination
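The error above can be caught before "postfix reload". The following shell function is an added example, not part of the original text or of Postfix: it reads main.cf text on stdin and flags an indented line that looks like a new "name = value" assignment, because Postfix treats a line that starts with whitespace as a continuation of the previous logical line (which is how the mydestination line in the message above ended up glued onto the preceding parameter's value /etc/mailname). It also flags a parameter that is set twice, since Postfix silently keeps the last value. The configuration in SAMPLE_MAINCF is constructed for the example.

```shell
# Added example (not from the Postfix documentation): a small lint for main.cf.
# The sample below is constructed; line 2 reproduces the leading-space mistake
# and line 4 sets mynetworks a second time.
SAMPLE_MAINCF='myorigin = /etc/mailname
 mydestination = $myhostname, localhost.example.org, localhost
mynetworks = 127.0.0.0/8
mynetworks = 0.0.0.0/0
smtpd_banner = $myhostname ESMTP'

# Read main.cf text on stdin, print one finding per line, return 1 if any.
maincf_lint() {
    awk '
        BEGIN { bad = 0 }
        # skip blank lines and comments
        /^[[:space:]]*$/ || /^#/ { next }
        # indented line: a legitimate continuation, unless it looks like a
        # fresh "name = value" assignment, which Postfix would still append
        # to the previous parameter
        /^[[:space:]]/ {
            if ($0 ~ /^[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/) {
                line = $0
                sub(/^[[:space:]]+/, "", line)
                split(line, f, "[[:space:]]*=")
                printf "line %d: \"%s\" is indented, so Postfix appends it to the value of \"%s\"\n", NR, f[1], last
                bad = 1
            }
            next
        }
        # a new logical line: remember the parameter name and where it was set
        /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            split($0, f, "[[:space:]]*=")
            name = f[1]
            if (name in seen) {
                printf "line %d: \"%s\" is set again (first set on line %d); Postfix keeps the last value\n", NR, name, seen[name]
                bad = 1
            }
            seen[name] = NR
            last = name
            next
        }
        { printf "line %d: cannot parse: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    '
}

# Typical use on a real system:
#   maincf_lint < /etc/postfix/main.cf && postfix reload
```

A genuinely multi-line value (for example the mydestination list in example 3 above, whose second line starts with whitespace but contains no "=") passes the lint untouched; only an indented line that itself looks like an assignment is reported.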
