Configuring Postfix

= Standard Postfix Config Files =

master.cf
Edit /etc/postfix/master.cf


FIXME not changing

 * Change

     smtp     inet  n       -       -       -       -       smtpd

   to

     smtp     inet  n       -       n       -       -       smtpd

   This is necessary because the Debian default uses a chroot jail, which breaks too much stuff. The fifth column is the chroot flag; n runs smtpd outside the jail.

 * Change

     pickup   fifo  n       -       -       60      1       pickup

   to

     pickup   fifo  n       -       -       60      1       pickup
       -o content_filter=
       -o receive_override_options=no_header_body_checks

 * Add at the end of the file

     cyrus    unix  -       n       n       -       -       pipe
       flags= user=cyrus argv=/usr/sbin/cyrdeliver -e -r ${sender} -m ${recipient} ${user}
     smtp-amavis unix -     -       n       -       2       smtp
       -o smtp_data_done_timeout=1200
       -o smtp_send_xforward_command=yes
       -o disable_dns_lookups=yes
       -o max_use=20
     127.0.0.1:10025 inet n -       n       -       -       smtpd
       -o content_filter=
       -o local_recipient_maps=
       -o relay_recipient_maps=
       -o smtpd_restriction_classes=
       -o smtpd_client_restrictions=
       -o smtpd_helo_restrictions=
       -o smtpd_sender_restrictions=
       -o smtpd_recipient_restrictions=permit_mynetworks,reject
       -o mynetworks=127.0.0.0/8
       -o strict_rfc821_envelopes=yes
       -o smtpd_error_sleep_time=0
       -o smtpd_soft_error_limit=1001
       -o smtpd_hard_error_limit=1000
       -o smtpd_client_connection_count_limit=0
       -o smtpd_client_connection_rate_limit=0
       -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
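
As an added example (not part of the original page), this Python script parses master.cf entries like the ones above and reports which services run chrooted and which switch off the content filter. SAMPLE is constructed from this page's entries with the option lists shortened, and the function names are hypothetical.

```python
# Added example, not from the original page. SAMPLE is constructed from the
# master.cf entries shown above (options shortened).
SAMPLE = """\
smtp      inet  n  -  n  -   -  smtpd
pickup    fifo  n  -  -  60  1  pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cyrus     unix  -  n  n  -   -  pipe
    flags= user=cyrus argv=/usr/sbin/cyrdeliver -e -r ${sender} -m ${recipient} ${user}
smtp-amavis unix -  -  n  -  2  smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return one dict per service, joining whitespace-led continuation lines."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # continues the previous entry
        else:
            logical.append(raw.strip())
    services = []
    for fields in (line.split() for line in logical):
        if len(fields) < 8:
            continue  # not a complete service entry
        args = fields[8:]
        # "-o name=value" pairs override main.cf for this service only
        opts = dict(a.split("=", 1) for prev, a in zip(args, args[1:])
                    if prev == "-o" and "=" in a)
        services.append({"name": fields[0], "chroot": fields[4],
                         "command": fields[7], "overrides": opts})
    return services

def chrooted(text, default="y"):
    """Services that run chrooted. `default` is what "-" means in column 5:
    "y" before Postfix 3.0, "n" from 3.0 onwards."""
    return [s["name"] for s in parse_master_cf(text)
            if (default if s["chroot"] == "-" else s["chroot"]) == "y"]

def unfiltered(text):
    """Services whose empty content_filter= override skips the content filter."""
    return [s["name"] for s in parse_master_cf(text)
            if s["overrides"].get("content_filter") == ""]
```

With the sample, only pickup still runs chrooted under the pre-3.0 default, and pickup plus the 127.0.0.1:10025 re-injection listener are the two services that skip the content filter.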

main.cf
Change

    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

to

    smtpd_tls_cert_file=/etc/ssl/certs/cyrus-imapd.pem
    smtpd_tls_key_file=/etc/ssl/certs/cyrus-imapd.pem

(Note: we're using the same file for both Cyrus-imapd and Postfix SMTP. Change this if necessary.) Because this one file also carries the private key, it should not be world-readable.

Change

    mydestination = machine.domain.com, localhost.domain.com,, localhost
    relayhost =

to

    mydestination = machine.domain.com, localhost.domain.com,, localhost mysql:/etc/postfix/mysql-mydestination.cf
    relayhost =

(Where machine.domain.com is your full hostname.)

Edit /etc/postfix/main.cf

Add at end

    default_privs = nobody
    local_recipient_maps = mysql:/etc/postfix/mysql-local.cf
      mysql:/etc/postfix/mysql-local-noalias.cf
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mailbox_transport = cyrus
    debug_peer_level = 2
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop
    html_directory = no
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks,
      check_helo_access hash:/etc/postfix/helo_access,
      reject_invalid_hostname,
      permit
    smtpd_sender_restrictions = permit_sasl_authenticated,
      permit_mynetworks,
      reject_non_fqdn_sender,
      reject_unknown_sender_domain,
      permit
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_recipient_restrictions = reject_unauth_pipelining,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      check_policy_service inet:127.0.0.1:60000,
      permit
    content_filter = smtp-amavis:127.0.0.1:10024
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = webl.com
    broken_sasl_auth_clients = yes
    sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
    proxy_read_maps= proxy:unix:passwd.byname
      proxy:mysql:/etc/postfix/mysql-canonical.cf
      proxy:mysql:/etc/postfix/mysql-virtual.cf
      proxy:mysql:/etc/postfix/mysql-mydestination.cf
    virtual_maps = proxy:mysql:/etc/postfix/mysql-virtual.cf
      hash:/etc/postfix/virtual
    canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical.cf
    mydestination_maps = proxy:mysql:/etc/postfix/mysql-mydestination.cf
    receive_override_options = no_address_mappings

smtpd.conf
Create /etc/postfix/sasl/smtpd.conf

Contents:

    pwcheck_method: saslauthd
    mech_list: plain

virtual
Virtual aliases can be managed by Web-Cyradmin, but they may also be set in the file /etc/postfix/virtual.

    cp /usr/share/doc/postfix-doc/examples/virtual.gz \
       /etc/postfix
    gzip -d /etc/postfix/virtual.gz
    postmap /etc/postfix/virtual

helo_access
    touch /etc/postfix/helo_access
    postmap /etc/postfix/helo_access

= MySQL-specific Config Files =

Add new files for MySQL database access.

mysql-canonical.cf
Create /etc/postfix/mysql-canonical.cf, contents

    # mysql config file for canonical lookups on postfix
    # comments are ok.
    #
    hosts = localhost
    # the user name and password to log into the mysql server
    user = mail
    password = shaky+robot:plumy
    # the database name on the servers
    dbname = mail
    # the table name
    table = virtual
    #
    select_field = alias
    where_field = username
    # Return the first match only
    additional_conditions = and status = '1' limit 1

mysql-local-noalias.cf
Create /etc/postfix/mysql-local-noalias.cf

    #
    # mysql config file for non-aliased lookups on postfix
    # comments are ok.
    #
    hosts = localhost
    # the user name and password to log into the mysql server
    user = mail
    password = shaky+robot:plumy
    # the database name on the servers
    dbname = mail
    # the table name
    table = accountuser
    #
    select_field = username
    where_field = username

mysql-virtual.cf
Create /etc/postfix/mysql-virtual.cf

    #
    # mysql config file for alias lookups on postfix
    # comments are ok.
    #
    hosts = localhost
    # the user name and password to log into the mysql server
    user = mail
    password = shaky+robot:plumy
    # the database name on the servers
    dbname = mail
    # the table name
    table = virtual
    #
    select_field = dest
    where_field = alias
    additional_conditions = and status = '1'

mysql-local.cf
Create /etc/postfix/mysql-local.cf

    #
    # mysql config file for local lookups on postfix
    # comments are ok.
    #
    hosts = localhost
    # the user name and password to log into the mysql server
    user = mail
    password = shaky+robot:plumy
    # the database name on the servers
    dbname = mail
    # the table name
    table = virtual
    #
    select_field = alias
    where_field = alias

mysql-mydestination.cf
Create /etc/postfix/mysql-mydestination.cf

    # mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
    # comments are ok.
    #
    hosts = localhost
    # the user name and password to log into the mysql server
    user = mail
    password = shaky+robot:plumy
    # the database name on the servers
    dbname = mail
    # the table name
    table = domain
    #
    select_field = domain_name
    where_field = domain_name

= Permissions =

Ensure all MySQL config files are readable only by the postfix user and the mail group.

    chown postfix:mail /etc/postfix/mysql*.cf
    chmod 640 /etc/postfix/mysql*.cf

These files contain the mail database password unencrypted, so they should not be readable by normal users.
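
To check the result of the chown/chmod step, the following Python script is an added example (not part of the original page) that flags map files holding a password whose mode, owner or group is looser than what this section sets. The function names are hypothetical; the path pattern, owner, group and mode are the ones used on this page.

```python
# Added example, not from the original page: flag Postfix map files that hold
# a password but grant more access than the chown/chmod step allows.
import glob
import grp
import os
import pwd
import stat


def holds_password(path):
    """True if the file has a non-comment `password = ...` line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                if line.split("=", 1)[0].strip() == "password":
                    return True
    return False


def audit(paths, max_mode=0o640, owner=None, group=None):
    """Return (path, problem) tuples; owner/group checks run only when given."""
    problems = []
    for path in paths:
        if not holds_password(path):
            continue  # nothing secret in this map file
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:  # any permission bit beyond rw-r-----
            problems.append((path, "mode %04o exceeds %04o" % (mode, max_mode)))
        if owner and pwd.getpwuid(st.st_uid).pw_name != owner:
            problems.append((path, "owner is not %s" % owner))
        if group and grp.getgrgid(st.st_gid).gr_name != group:
            problems.append((path, "group is not %s" % group))
    return problems


if __name__ == "__main__":
    # Path pattern, owner and group are the ones used on this page.
    maps = sorted(glob.glob("/etc/postfix/mysql*.cf"))
    for path, problem in audit(maps, owner="postfix", group="mail"):
        print("%s: %s" % (path, problem))
```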

= Chroot support =

To support the MySQL and clam daemons from within the Postfix chroot jail, it's necessary to map the socket directories into the chroot space. First

    mkdir -p /var/spool/postfix/var/run

Then edit /etc/fstab. Add at end

    /var/run /var/spool/postfix/var/run auto bind 0 0