Mainos / Advertisement:

Ero sivun ”Postfix/en” versioiden välillä

Kohteesta Taisto
Siirry navigaatioon Siirry hakuun
(Ak: Uusi sivu: Remove the number sign (#) from the lines with submission and smtps. If you also want authentication, add the following line below those.)
(Ak: Uusi sivu: ==   ==)
 
(41 välissä olevaa versiota samalta käyttäjältä ei näytetä)
Rivi 254: Rivi 254:
 
=== TLS (STARTSSL) ===
 
=== TLS (STARTSSL) ===
  
Esimerkki konfiguraatio tiedostosta /etc/postfix/main.cf
+
Example of the configuration file /etc/postfix/main.cf
  
 
  smtpd_tls_cert_file = /etc/postfix/cert.pem
 
  smtpd_tls_cert_file = /etc/postfix/cert.pem
Rivi 267: Rivi 267:
 
  smtpd_use_tls=yes
 
  smtpd_use_tls=yes
  
Ota käyttöön Submission kohdasta risuaidat pois.
+
Enable Submission by removing the number signs (#).
  
Testaa STARTSSL: https://starttls.info/
+
Test STARTSSL: https://starttls.info/
  
ja
+
and
  
 
http://checktls.com/
 
http://checktls.com/
Rivi 277: Rivi 277:
 
=== SMTPS ===
 
=== SMTPS ===
  
Postfixissä on tuki SSL yhteydelle TLS:n kanssa mutta ei pelkästään SSL kanssa. Tämä seuraava ohje siis on pelkälle SSL, mutta jos on tuki TLS salaukselle, on suositeltavaa käyttää sitä.
+
Postfix has support for SSL connections with TLS but not with only SSL. Thus, the following instruction is only for SSL, but if you have support for TLS encryption, it is recommended to use it.
  
Ohjeen lähde: http://www5.sonera.fi/keskustele/viewtopic.php?f=59&t=9210
+
Instruction source: http://www5.sonera.fi/keskustele/viewtopic.php?f=59&t=9210 (Finnish)
  
SMTPS on salattu SMTP yhteys ja nykyisin suositus olisi käyttää tätä ominaisuutta.  
+
SMPTS is a secure SMTP connection and the current standard recommendation is to use it.  
  
Esimerkkinä on Soneran verkko:
+
In this example we are on the Sonera (ISP) network:
  
Olet siis konfiguroinnut /etc/postfix/main.cf tiedostoon. Tämä siis toimii salaamattassa portissa 25.
+
==   ==
  
 
   relayhost = [mail.inet.fi]
 
   relayhost = [mail.inet.fi]
  
Nyt olisi aika siirtyä salattuun postiin ja tämä on hieman hankalempi, kun Soneran omat postipalvelimet eivät tue TLS salausta. Postfix ei tue SSL salausta, mutta asennetaan pieni kiertotie niin se onnistuu.
+
It is now time to move to secure e-mail, which is a bit more difficult as Sonera's own post servers do not support TLS encryption. Postfix does not support SSL encryption, but we install a tiny workaround and it will work.
  
Asennetaan ensin Stunnel
+
First we install Stunnel
  
 
   [[aptitude]] install stunnel
 
   [[aptitude]] install stunnel
  
Luodaan tiedosto /etc/stunnel/postfix.conf ja kopioi alla oleva koodi:
+
We create the file /etc/stunnel/postfix.conf and copy the lines below into it:
  
 
   [ssmtp_c2s]
 
   [ssmtp_c2s]
Rivi 303: Rivi 303:
 
     delay = yes   
 
     delay = yes   
  
ja tämän jälkeen avaa tiedosto: /etc/default/stunnel ja muuta se seuraavanlaiseksi:
+
and after this you open the file /etc/default/stunnel and switch it to the following:
  
 
   # Change to one to enable stunnel automatic startup
 
   # Change to one to enable stunnel automatic startup
   # MUUTOS
+
   # CHANGE
 
   #ENABLED=0
 
   #ENABLED=0
 
   ENABLED=1
 
   ENABLED=1
Rivi 315: Rivi 315:
 
   PPP_RESTART=0
 
   PPP_RESTART=0
  
Tämän jälkeen muokkaa /etc/postfix/main.cf seuraavanlaiseksi:
+
After this, modify /etc/postfix/main.cf to the following:
  
 
   relayhost = 127.0.0.1:10111
 
   relayhost = 127.0.0.1:10111
Rivi 335: Rivi 335:
 
   smtpd_tls_security_level = may
 
   smtpd_tls_security_level = may
 
    
 
    
Luo tiedosto /etc/postfix/passwd ja kirjoita siihen Soneran sähköpostisi käyttäjätunnus ja salasana
+
Create file /etc/postfix/passwd and type your Sonera e-mail's username and password into it.
  
   mail.inet.fi:465 KÄYTTÄJÄTUNNUS:SALASANA
+
   mail.inet.fi:465 USERNAME:PASSWORD
  
Esimerkiksi:
+
For example:
  
   mail.inet.fi:465 etunimi.sukunimi@pp1.inet.fi:taisto
+
   mail.inet.fi:465 firstname.lastname@pp1.inet.fi:taisto
  
Tämän jälkeen anna tämä komento:
+
And after that give the command.
  
 
   postmap hash:/etc/postfix/passwd
 
   postmap hash:/etc/postfix/passwd
  
Kokeile toimiiko antamalla seuraava komento:
+
Test functionality by giving the following command:
  
 
   postmap -q mail.inet.fi:465 /etc/postfix/passwd
 
   postmap -q mail.inet.fi:465 /etc/postfix/passwd
  
Jos komento tulostaa käyttäjätunnuksesi ja salasanasi, kaikki toimii tähän asti
+
If the command prints your username and password, everything is working fine so far.
  
  
Estä muiden käyttäjien näkemästä salasanaasi:
+
Prevent other users form seeing your password:
  
 
   chmod go-rwx /etc/postfix/passwd*
 
   chmod go-rwx /etc/postfix/passwd*
  
Käynnistä lopuksi palvelut uudelleen
+
And in the end restart the services so the changes will apply.
  
 
   service stunnel4  restart
 
   service stunnel4  restart
Rivi 365: Rivi 365:
  
  
== Postfix toiminta PHP5 kanssa ==
+
== Postfix functionality with PHP5 ==
  
PHP5 sisältää mail funktion. Sinun tulee konfiguroida php.ini tiedostoa
+
PHP5 includes a mail function. You must configure the php.ini file.
  
 
   nano /etc/php5/apache2/php.ini
 
   nano /etc/php5/apache2/php.ini
  
ja muuttaa se tälläiseksi:
+
and change it to the following:
  
 
   ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
 
   ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
Rivi 377: Rivi 377:
 
   sendmail_path = "/usr/sbin/sendmail -t -i"
 
   sendmail_path = "/usr/sbin/sendmail -t -i"
  
ja käynnistä apache uudelleen
+
And then restart apache
  
 
   service apache2 restart
 
   service apache2 restart
  
== Virheilmoituksia ==
+
== Error messages ==
  
  
Tässä lista yleisistä virheilmoituksista mitä ilmenee usein postfixin konfiguroinnista:
+
Here is a list of the common error messages which you might encounter while configuring postfix:
  
=== Sender address rejected: Domain not found (in reply to RCPT TO command ===
+
=== Sender address rejected: Domain not found (in reply to RCPT TO command) ===
  
myorigin on määritetty väärin /etc/mailname tiedostosta. Tämän tulee olemaan domainin nimi.
+
myorigin is defined incorrectly in the /etc/mailname file. It should be the domain name.
  
 
   myorigin /etc/mailname
 
   myorigin /etc/mailname
Rivi 396: Rivi 396:
 
=== Client host rejected: Access denied===
 
=== Client host rejected: Access denied===
  
Relayhost on estänyt sinut, ehkä roskapostien takia.
+
Relayhost has blocked you, maybe for sending spam.
  
 
=== connect to mx3.hotmail.com[65.55.37.104]:25: No route to host ===
 
=== connect to mx3.hotmail.com[65.55.37.104]:25: No route to host ===
  
Tarkista Relayhost main.cf tiedostossa. Mahdollisesti sinulla on suljettu suoraan portti 25.
+
Check Relayhost in the main.cf file. You might have closed port 25.
  
 
=== Host or domain name not found. Name service error for name=gmail.con type=A: Host not found ===
 
=== Host or domain name not found. Name service error for name=gmail.con type=A: Host not found ===
  
DNS Virhe. Tarkista resolv.conf tiedostossa määriteytyt DNS asetukset. Kokeile nslookup komentoa.
+
DNS error. Check the DNS settings defined in resolv.conf . Test the nslookup command.
  
=== Invalid mail address, must be fully qualified domain (in reply to RCPT TO command)) ===
+
=== Invalid mail address, must be fully qualified domain (in reply to RCPT TO command) ===
  
Isäntänimessä ongelma. Varmista että DNS on oikein määritetty ja isäntänimi main.cf tiedostossa.
+
Problem with the hostname. Verify, that DNS is properly configured and the hostname is in the main.cf file.
  
=== unable to verify address (in reply to MAIL FROM command)) ===
+
=== unable to verify address (in reply to MAIL FROM command) ===
  
DNS ongelma. Varmista että sinulla on määritetty oikein A-records DNS palvelimelle ja MX-records. Tarkista /etc/hosts tiedosto. Korjaus:
+
DNS error. Verify, that you have correctly defined A-records and MX-records for the DNS server. Check the /etc/hosts file. Fix:
  
 
  nano /etc/hosts
 
  nano /etc/hosts
Rivi 419: Rivi 419:
 
  127.0.1.1      example.com mail.example.com server
 
  127.0.1.1      example.com mail.example.com server
  
== Lähteet ==
+
== Sources ==
  
 
http://www.postfix.org/
 
http://www.postfix.org/

Nykyinen versio 21. heinäkuuta 2015 kello 06.49

Muut kielet:
English • ‎suomi

Postfix is a free and open source mail transfer agent (MTA). Postfix is secure, performs well and has good spam filtering options.

We also recommend you to use Spamassassin and Amavis to protect mail servers from spammers.

Installation

 aptitude install postfix

Follow the installation programs instructions.

Postfix1.png


After this you need to give the servers host name.

For example:

 mail.example.com

Configuration

Open the configuration file:

 nano /etc/postfix/main.cf

Check that the postfix configuration file has defined the computers' host name and server address.

 myhostname = server.example.com
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = example.com
 mydestination = example.com, server.example.com, localhost, localhost.example.com$
 #relayhost =
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

Save the file and then open the next file

 nano /etc/postfix/master.cf

By default, normal SMTP connections are allowed in port 25 by the master.cf file.

 smtp      inet  n       -       -       -       -       smtpd


By default the next lines will be marked by a number sign (#).

Enable SMTP transfer in port 587 by erasing the number sign. It can also transfer encrypted traffic with the STARTTLS command.

 submission inet n       -       -       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

Enable SMTPS traffic in port 465 by removing the number sign. SSL encryption is enabled by default in this connection. SASL certification is recommended to be used.

 smtps     inet  n       -       -       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

Explanations:

Your servers' name (make sure it is the same as hostname (command: hostname)):

 myhostname = server.example.com

Log in credentials = Same as Debian. Let's not change.

 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases

Domain (define your server into a mail address [email protected]). By default there is defined /etc/mailname:

 myorigin = example.com

Computer host names:

 mydestination = example.com, server.example.com, localhost, localhost.example.com$
 #relayhost = 127.0.0.1:10111

This is required if you don't have direct connection to the network.

As example, a mail server from Sonera:

 relayhost = [mail.inet.fi]:25

DNA post server:

 relayhost = [smtp.dnainternet.net]:25


Your local network:

 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +

Network connections:

 inet_interfaces = all

Close the file and restart postfix.

 service postfix restart

Additional settings

Virtual e-mail addresses

You can direct your virtual mail addresses e.g. [email protected] and [email protected] to your own user.

Open the file:

 /etc/aliases
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root = [username]

By changing [username] into your own account, you can get all the mail from these user accounts in the same inbox. You can add other addresses to the end of the file:

[alias_postname] = [touser]

Confirm changes

 newaliases

Virtual domains

Virtualdomains are meant for mail servers that send and receive for multiple different domains.


Open the postfix configuration file main.cf

 /etc/postfix/main.cf

Add the following lines:

 virtual_alias_domains = example.com
 virtual_alias_maps = hash:/etc/postfix/virtual

Create a new file

 [email protected] postmaster
 [email protected]       matti
 [email protected]      kalle
 # Uncomment entry below to implement a catch-all address
 # @example.com         aleksi

Don't add virtual_alias_domain as a mydestination domain!

Mail redirection

For example, how to redirect mail from [email protected] to matti.example2.com

Open the postfix configuration file main.cf

 /etc/postfix/main.cf:

Add the following lines into the file:

   virtual_alias_domains = example.com
   virtual_alias_maps = hash:/etc/postfix/virtual

Create a new file

 /etc/postfix/virtual:

Add the following lines into the file

  [email protected] postmaster
  [email protected]        [email protected]
  [email protected]       [email protected]
  # Uncomment entry below to implement a catch-all address
  # @example.com         jim@yet-another-site

The domain of mail to be redirected must also be mydestination marked. You can't, for instance, redirect aliases /etc/alias

Check configuration

  postmap /etc/postfix/virtual

Test Postfix functionality

We send a test mail:

Install this e-mail tool if you haven't done so yet:

 apt-get install mailutils

and after that we send some mail:

 mail [email protected]

The command will print:

Subject: your mail's topic or headline

After this write your message and hit enter, and it will print:

 CC: 

Which you can leave blank. Send the mail by the keyboard combination CTRL+D.

Protecting your mail server

When you create your own mail server, you must immediately set up basic protection to cover yourself from spammers. We also recommend that you enable SASL proofing.

Filtering spam

By adding a few lines to the configuration we can verify if the sender's host name / domain actually exists, and block it if it doesn't.

 nano /etc/postfix/main.cf


 smtpd_recipient_restrictions = reject_invalid_hostname,
       reject_unknown_recipient_domain,
       reject_unauth_destination,
       reject_rbl_client sbl.spamhaus.org, # If your provider is Sonera, do not add this line
       permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
       reject_non_fqdn_helo_hostname,
       reject_unknown_helo_hostname

And this checks the list of known spam senders for cross-reference:

 nano /etc/postfix/main.cf
 smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net

SMTPS SASL proofing

By adding the following line you prevent e-mail transfer from other networks than your own. Using SASL proofing you can also send from other networks.

 nano /etc/postfix/main.cf
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
 nano /etc/postfix/master.cf

Remove the number sign (#) from the lines with submission and smtps. If you also want authentication, add the following line below those.

 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject

TLS (STARTSSL)

Example of the configuration file /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ask_ccert = yes
smtp_tls_fingerprint_digest = sha1
smtpd_use_tls=yes

Enable Submission by removing the number signs (#).

Test STARTSSL: https://starttls.info/

and

http://checktls.com/

SMTPS

Postfix has support for SSL connections with TLS but not with only SSL. Thus, the following instruction is only for SSL, but if you have support for TLS encryption, it is recommended to use it.

Instruction source: http://www5.sonera.fi/keskustele/viewtopic.php?f=59&t=9210 (Finnish)

SMPTS is a secure SMTP connection and the current standard recommendation is to use it.

In this example we are on the Sonera (ISP) network:

 

 relayhost = [mail.inet.fi]

It is now time to move to secure e-mail, which is a bit more difficult as Sonera's own post servers do not support TLS encryption. Postfix does not support SSL encryption, but we install a tiny workaround and it will work.

First we install Stunnel

 aptitude install stunnel

We create the file /etc/stunnel/postfix.conf and copy the lines below into it:

 [ssmtp_c2s]
   accept = 127.0.0.1:10111
   client = yes
   connect = mail.inet.fi:465
   delay = yes  

and after this you open the file /etc/default/stunnel and switch it to the following:

 # Change to one to enable stunnel automatic startup
 # CHANGE
 #ENABLED=0
 ENABLED=1
 FILES="/etc/stunnel/*.conf"
 OPTIONS=""
 
 # Change to one to enable ppp restart scripts
 PPP_RESTART=0

After this, modify /etc/postfix/main.cf to the following:

 relayhost = 127.0.0.1:10111
   
 # SASL authentication
 smtp_sasl_auth_enable=yes
 smtp_sasl_password_maps = hash:/etc/postfix/passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
    
 # TLS
 smtp_tls_eccert_file =
 smtp_tls_eckey_file =
 # http://www.postfix.org/TLS_README.html#client_tls_may
 smtp_tls_security_level = may
 smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
 # http://www.postfix.org/TLS_README.html#client_tls_may
 smtpd_tls_security_level = may
 

Create file /etc/postfix/passwd and type your Sonera e-mail's username and password into it.

 mail.inet.fi:465 USERNAME:PASSWORD

For example:

 mail.inet.fi:465 [email protected]:taisto

And after that give the command.

 postmap hash:/etc/postfix/passwd

Test functionality by giving the following command:

 postmap -q mail.inet.fi:465 /etc/postfix/passwd

If the command prints your username and password, everything is working fine so far.


Prevent other users form seeing your password:

 chmod go-rwx /etc/postfix/passwd*

And in the end restart the services so the changes will apply.

 service stunnel4  restart
 service postfix restart


Postfix functionality with PHP5

PHP5 includes a mail function. You must configure the php.ini file.

 nano /etc/php5/apache2/php.ini

and change it to the following:

 ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
 ; http://php.net/sendmail-path
 sendmail_path = "/usr/sbin/sendmail -t -i"

And then restart apache

 service apache2 restart

Error messages

Here is a list of the common error messages which you might encounter while configuring postfix:

Sender address rejected: Domain not found (in reply to RCPT TO command)

myorigin is defined incorrectly in the /etc/mailname file. It should be the domain name.

 myorigin /etc/mailname
 example.com  

Client host rejected: Access denied

Relayhost has blocked you, maybe for sending spam.

connect to mx3.hotmail.com[65.55.37.104]:25: No route to host

Check Relayhost in the main.cf file. You might have closed port 25.

Host or domain name not found. Name service error for name=gmail.con type=A: Host not found

DNS error. Check the DNS settings defined in resolv.conf . Test the nslookup command.

Invalid mail address, must be fully qualified domain (in reply to RCPT TO command)

Problem with the hostname. Verify, that DNS is properly configured and the hostname is in the main.cf file.

unable to verify address (in reply to MAIL FROM command)

DNS error. Verify, that you have correctly defined A-records and MX-records for the DNS server. Check the /etc/hosts file. Fix:

nano /etc/hosts
127.0.0.1       localhost mail.example.com server
127.0.1.1       example.com mail.example.com server

Sources

http://www.postfix.org/

https://wiki.debian.org/Postfix

http://www.sami-lehtinen.net/blog/securing-email-transport-starttls-postfix-ca-certificates-fingerprint-authority

Mainos / Advertisement: