Postfix
The below instructions were initially tested on Debian Jessie and updated to Debian Stretch.
Overview
Postfix is a mail transfer agent / SMTP server. As such, you use it both to send mail to other mail servers and, unlike what you might think, also to accept mail that other people are sending you. Both these actions happen via SMTP. Since the requirements are different for these two tasks, it makes sense to run them on different ports. In the setup presented below mail is accepted from anywhere (if we put things like spam protection aside for the time being) and without authentication on port 25. However, connecting clients on port 25 are not allowed to send mail. Port 587 is used to send mail, but will only accept encrypted connections with proper authentication.
Authentication and mail delivery will be delegated to dovecot, see the Dovecot article for further information.
Installation
aptitude install postfix
Hostname configuration
Put the name of your smtp server domain into /etc/mailname. This should be the exact same name that a reverse DNS lookup returns for your server ip. In other words,
nslookup <server ip>
MUST return the same name, otherwise, many mailservers will reject mail you are trying to send to them.
General
The general configuration happens in /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = /etc/mailname
myhostname = smtp.example.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
queue_directory = /var/spool/postfix
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
# the below file must be generated by yourself! Adjust name and path as needed
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
# limit dos attacks (http://security-24-7.com/hardening-guide-for-postfix-2-x/)
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
# https://wiki.debian.org/Postfix
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
# Haven't tested the below line yet
# reject_rbl_client sbl.spamhaus.org,
permit
# https://wiki.debian.org/Postfix
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
# https://wiki.debian.org/Postfix
# does this not belong into master.cf?
# I personally found the below line to be too restrictive
#smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
# virtual mailbox config according to http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox
virtual_mailbox_domains = example.com
virtual_mailbox_base = /var/vmail
# the below file must be generated by yourself! Adjust name and path as needed
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
# The below user id was chosen by yourself when creating the postfix user. Adjust as needed
virtual_uid_maps = static:150
# The below group id was chosen by yourself when creating the postfix user. Adjust as needed
virtual_gid_maps = static:8
virtual_alias_maps = hash:/etc/postfix/virtual
#local_recipient_maps =
mydestination = localhost, localhost.example.com, smtp.example.com
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# activate maildir format
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains =
# activate maildir format
#dovecot
spamass-dovecot_destination_recipient_limit = 1
#virtual_transport = dovecot
virtual_transport = spamass-dovecot
compatibility_level=2
Service / Port specific configuration
This happens in /etc/postfix/master.cf. Parts of interest (i.e. that needed
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Disallow sending authenticating (i.e. sending mail) via smtp port 25
smtp inet n - y - - smtpd
-o smtpd_sasl_auth_enable=no
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Send mail via submission port 587
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
## Postfix -> Dovecot
#dovecot unix - n n - - pipe
# flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
## Postfix -> Spamassassin -> Dovecot
spamass-dovecot unix - n n - - pipe
flags=DRhu user=vmail:mail argv=/usr/bin/spamc -s 1500000 -u ${recipient} -e /usr/lib/dovecot/deliver -d ${recipient}
Creating mail accounts
Each system user can represent a mail account, but for the sake of flexibility, this is not what you want. It is much more convenient to let postfix do all its work as the same user, and use virtual users to represent mail accounts. To prepare such a setup, run the following commands
useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual mailbox" vmail
mkdir /var/vmail
chmod 770 /var/vmail/
chown vmail:mail /var/vmail/
Next, you need to add the user to the virtual mailbox table. Create a file named e.g. vmailbox. You can name it anything you want, but we referred to it in the postfix configuration file, so adjust this accordingly. The format is very simple. Each line represents one user. The first word is the username, the second word is the path of the home directory relative to /var/vmail (which is the home directory we created for the postfix mail user.)
If you use dovecot as the local delivery agent, you do not need to supply a valid mailbox in the second column. Any random word (e.g. "OK") is sufficient for postfix to accept the mail and hand it over to dovecot for delivery. In case you have at least one catchall account for a domain, you do not need to specify any other mail addresses for that domain here, as, again, the routing to individual mailboxes will be handled by dovecot (also see virtual alias maps file below).
The directory layout convention of domain/user/mail is also freely chosen. Whatever you do here must be in line with what you are specifying in the Dovecot configuration under Authentication / Virtual_Users.
Note however that if you change it, you'll also have to adjust the above script and following configuration file content accordingly. As above, if you use a different name for the maildirectory (assumed to be "mail" in this guide, others also use "Maildir"), you'll also need to adjust the value of the mail_location variable in the Dovecot configuration, See section Mail User and Location.
# /etc/postfix/vmailbox
# Use hashes for comments like in bash
user42@foobar.com OK
# Use example below to implement a catch-all.
@example.com OK
When you're done, run the following command to activate the settings. (The second command is only needed if you already have a running postfix)
postmap /etc/postfix/vmailbox
postfix reload
For the above-mentioned routing to work correctly with catchall accounts, a virtual alias map needs to be created. The main.cf shown above reads it from /etc/postfix/virtual. This file could look like the below example (which would lead to mails sent to foo@example.com being delivered to that user and all other mails being delivered to yrt127):
@example.com yrt127@example.com
foo@example.com foo@example.com
Build the db and reload postfix:
postmap /etc/postfix/virtual
postfix reload
Note that these alias maps can also be used to setup mail forwarding. E.g. if you wanted to forward mails to bar@example.com to bar@externaladdress.com you'd just add another line to the file /etc/postfix/virtual:
bar@example.com bar@externaladdress.com
Lastly, tell postfix which sender addresses this user is allowed to use. Create a file named e.g. /etc/postfix/controlled_envelope_senders (again this can be freely chosen)
# envelope sender owners (SASL login names)
@example.com yrt127@example.com
foo@example.com foo@example.com
In the above example, yrt127 can use any sender address ending with @example.com while foo MUST use the identity foo@example.com. Again, do
postmap /etc/postfix/controlled_envelope_senders
postfix reload
Optionally add Sieve rules to this virtual user account.
Blacklisting Recipient Addresses for incoming Mail
Create a file /etc/postfix/recipient_blacklist:
recipient@example.com REJECT
Run postmap on it:
postmap /etc/postfix/recipient_blacklist
And add the following line to your smtp_recipient_restrictions in main.cf
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
check_recipient_access hash:/etc/postfix/recipient_blacklist,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
permit