This article concentrates on the installation and configuration of Postfix. The emphasis is on the
FreeBSD environment although the basics should apply to most operating systems. Virtual domains
are touched upon briefly, but Postfix - virtual domains
contains more information about the three different types of virtual domains and is recommended
reading for anyone contemplating implementation.
Postfix is an MTA designed to be
a replacement for sendmail as well as being fast, secure, and easy to configure.
Why was it designed to replace sendmail? Easy. sendmail is a very widely used MTA with a quite complex configuration.
It also handles most of the mail on the Internet not to mention the many private networks around the world.
I have been running Postfix on some of my mail servers since August 2001. At least, that's when I think I first installed
Postfix on this web server, which also doubles as a mail server. I've been happy with it mostly because I've been able
to easily configure my virtual domains (i.e. handle mail for multiple domains) and block mail from certain sources.
Postfix is now my MTA of choice.
In this article, I will outline how to install Postfix and how to configure it to accept mail from more than one
domain. I'm using virtual_mapping for my virtual domains. There are other ways to do virtual domains which are far
more suitable for large scale operations. Search the newsgroup mailing.postfix.users for the phrase
"Some notes on relay, local and virtual domains".
It will be useful to read and understand the Postfix Anatomy.
That will help you to understand how virtual address mapping, aliases, etc relate to the various Postfix components.
Postfix has many different parts, each with a very distinct function. By keeping the programs smaller
and with very distinct separation of tasks, it is both easier to code and to secure the system.
I install just about everything using the ports tree.
Right away you will be presented with the following choices. I wanted only
PCRE because of my header checks. If you don't
understand or need any of the optional components shown below, you can safely
omit it without worry.
On my P233 box, it took about 10 or 15 minutes to compile the code.
During the install, you will see a couple of messages which you need to pay attention to (NOTE:
the following is from Postfix 2.2.4,1 under FreeBSD 4.*):
If you have postfix configured in your /etc/mail/mailer.conf (answered yes to
the previous question) and would like to enable postfix to start at boot time,
please set these variables in your /etc/rc.conf file:
I made those changes to my system as indicated above. I had to create /etc/periodic.conf.
The first set of changes ensures your system operates Postfix and not sendmail. The second set of changes avoids this
error in your daily run output message (these are emailed to you automatically by the system).
Mail in submit queue:
mailq: illegal option -- A
mailq: fatal: usage: mailq [options]
Postfix has a very well laid out configuration page. I urge you to read http://www.postfix.org/basic.html
before proceeding. Understanding the rest of this article involves reading that URL first.
The primary configuration file for Postfix is /usr/local/etc/postfix/main.cf. Unless otherwise
mentioned, all settings are made in that file. There are many examples in that directory. My count was 36 sample-* files.
The comments in main.cf make frequent reference to the example files.
Names used in this article
For the purposes of this article, we'll assume the hostname of the computer is gus.example.org
(named after my cat). For those of you writing documentation for others,
you should know that example.org is reserved for use in documentation.
How to not mess up when making changes
When making configuration changes, I suggest using the SOFT BOUNCE feature of Postfix. Please refer
to main.cf for more information. It's the first setting in there. This will
allow you to make mistakes without rejecting all incoming mail....
What domain to use in outbound mail
I didn't make any changes here. I left things as the default. You may wish to experiment with that.
Virtual address mapping will allow you to map an address in a virtual domain to a real address.
For example, let's assume there are two people named Dan on this box. One has a login of
dan and the other has a login dtm. What we want is for the address translations to occur:
To implement this in Postfix, we would add the following entry to the configuration file:
Then add this to the file /usr/local/etc/postfix/virtual_maps:
It is very important to know that these destination addresses are
actually @$mydomain, which in
this case is example.org. If you actually wish to deliver to local users and not
users in the given domain, then append @localhost to the names. For example:
Anything can be used in place of DOMAIN; it is
ignored. But using DOMAIN will emphasize to
the reader that the line signifies the start of the domain. It
is also required for a Postfix-style virtual domain, which is what we
are using here. See man 5 virtual
for more information.
In this case, Postfix will accept the incoming mail and relay it to the mail servers for example.info and example.biz.
After creating your mapping file, you need to create the database file from which Postfix will look up the mappings:
In the above example, we put all of our virtual mappings into one file. If you have several domains,
or many different virtual hosts, it might be useful to use multiple files. That's entirely optional.
For what it's worth, I actually put my mappings and aliases into another directory: /usr/local/etc/postfix-config/.
For example, freebsddiary.org.aliases contains aliases, and freebsddiary.org.virtusertable contains virtual address mappings.
By default, Postfix will relay mail for clients in authorized networks and in authorized domains.
The authorized networks setting is controlled by the mynetworks directive.
The default is to authorize all clients in the IP subnetworks that the local machine is attached to. I just
found this out the hard way. I just checked the mail server I run at home. It handles most of my outgoing
mail and some incoming mail. I discovered it was an open relay for its /24 on the public side. Don't worry,
I just changed that.
WARNING! If your mail server is directly connected to a public network
(e.g. the Internet), make sure you set mynetworks appropriately. If you do not,
then by default, it will relay for all of that subnet. That means anyone, and I mean anyone, will be able
to abuse your mail server.
Here is my setting for mynetworks:
mynetworks = 10.0.0.0/24 127.0.0.0/8
This means that anyone on my local subnet (10.0.0.0/24) and on the machine itself (127.0.0.0/8) can send outgoing
mail through this host.
I discovered this problem with the following command:
/usr/local/sbin/postconf | grep mynetworks
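The check above can be automated. The following is an added example, not code from the original article: it parses postconf output and flags any mynetworks entry outside loopback and RFC 1918 space. The sample outputs are constructed (203.0.113.0/24 is a documentation range standing in for a public subnet), and the INTERNAL list and function names are assumptions to adjust for your site.

```python
import ipaddress
import re

# Assumption: only loopback and RFC 1918 / unique-local space count as "internal".
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

def effective_mynetworks(postconf_output):
    """Return the entries on the 'mynetworks =' line of postconf output."""
    for line in postconf_output.splitlines():
        name, sep, value = line.partition("=")
        # Exact match, so 'mynetworks_style' is not mistaken for 'mynetworks'.
        if sep and name.strip() == "mynetworks":
            return [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return []

def audit(postconf_output):
    """Return (entry, reason) pairs for entries that deserve a second look."""
    findings = []
    for entry in effective_mynetworks(postconf_output):
        if entry.startswith("!"):
            continue  # an exclusion narrows the list, it cannot widen relaying
        # Postfix writes IPv6 networks as [addr]/len; strip the brackets.
        candidate = entry.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            findings.append((entry, "not a literal network; review by hand"))
            continue
        inside = any(net.version == ok.version and net.subnet_of(ok)
                     for ok in INTERNAL)
        if not inside:
            findings.append((entry, "relay allowed for a non-internal network"))
    return findings

# Constructed sample: what a host with a public interface might report.
SAMPLE_BEFORE = """\
mynetworks = 127.0.0.0/8 10.0.0.0/24 203.0.113.0/24
mynetworks_style = subnet
"""
# The setting shown in the article.
SAMPLE_AFTER = "mynetworks = 10.0.0.0/24 127.0.0.0/8\n"

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_BEFORE):
        print(f"{entry}: {reason}")
```

To run it against a live system, pass the text produced by /usr/local/sbin/postconf to audit() in place of the sample strings.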
The authorized domains setting is controlled by the relay_domains directive. The default
setting automatically trusts hosts within the domains listed in the
Notice when running mergemaster during system upgrade
14 November 2002
If you are upgrading your system using make world, then remember to be careful
when it comes to upgrading /etc/mail/mailer.conf. If you aren't, then chances are when
your system reboots into the upgraded OS, you'll be running Sendmail, not
Postfix. Yes, I fell victim to this, just yesterday when I was upgrading from 4.6-STABLE
to 4.7-STABLE. Luckily, if it can be called lucky, it was only my mail server here at home...
In case it is useful, here is my existing /etc/mail/mailer.conf:
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
Are you using logcheck/security?
If you are, you might want to add these entries to /usr/local/etc/logcheck.ignore: