
Minimal mail server based on Postfix and Dovecot. Part 2: Postfix

The goal remains the same: a minimally working mail server built only from Postfix and Dovecot, with as few changes to the default settings as possible.
Part 1: introduction and configuration of Dovecot.

Postfix's responsibilities are:
  1. Receive mail from other servers for the users we serve and hand it to Dovecot for delivery to the mailboxes.
  2. Receive mail from authenticated users and deliver it to its destination.
  3. Receive mail from local services running on our server and deliver it to its destination. As a rule it is addressed to root, but other recipients are possible, including external ones.

For definiteness, we denote:

Changes to the main.cf file (a postconf -n style listing; + marks a setting that was added or changed, - the default it replaces):
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
   +append_dot_mydomain = no
   +biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
   +disable_vrfy_command = yes
    html_directory = no
   -inet_interfaces = localhost
   +inet_interfaces = all
    inet_protocols = all
   +local_recipient_maps = $alias_maps
    mail_owner = postfix
   +mailbox_size_limit = 409600000
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
   +message_size_limit = 8192000
    mydestination = $myhostname, localhost.$mydomain, localhost
   +myhostname = mail.example1.com
   +mynetworks = 127.0.0.1/32 [::1]/128
   +mynetworks_style = host
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
   +smtp_tls_security_level = may
   +smtpd_banner = $myhostname ESMTP
   +smtpd_helo_required = yes
   +smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, reject_unverified_recipient, permit
   +smtpd_sasl_path = private/auth
   +smtpd_sasl_type = dovecot
   +smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
   +smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
   +smtpd_tls_security_level = may
   +smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
   +strict_rfc821_envelopes = yes
    unknown_local_recipient_reject_code = 550
   +virtual_alias_domains = example2.com ...
   +virtual_alias_maps = hash:/etc/postfix/virtual
   +virtual_mailbox_domains = example1.com, example3.com ...
   +virtual_transport = lmtp:unix:private/dovecot-lmtp

  1. The main parameter is, of course:
     myhostname = mail.example1.com
    This gives the following values for the other important settings:
     mydomain = example1.com
     mydestination = mail.example1.com, localhost.example1.com, localhost
     myorigin = mail.example1.com
    This suits us, so we leave them at their defaults.
    It is desirable that the PTR record for our server's address points to mail.example1.com.

    Update. The manual carries a warning about the possibility of mail delivery loops:
    "Caution: in order to avoid mail delivery loops, you must list all the hostnames of the machine, including $myhostname, and localhost.$mydomain."
    In my opinion it is not entirely clear why ALL host names have to be listed, so let me explain what is at stake with an example.
    Suppose /etc/hosts contains the entry "127.0.0.1 localhost4" and someone or something on our server, intentionally or by accident, sends a message to root@localhost4.
    1. Postfix accepts the message, because it comes from a trusted source (the local machine).
    2. Our server is not the final destination, because the localhost4 domain is not listed in mydestination.
    3. Postfix forwards the message for the localhost4 domain to 127.0.0.1, and we are back at step 1.
    In practice the loop is cut short: Postfix's SMTP client refuses to deliver to a destination that resolves to one of the server's own addresses (the familiar "loops back to myself" error) and bounces the message instead. The message is lost to its recipient either way, so every name the machine answers to belongs in mydestination.

  2. By default Postfix looks up local recipients in /etc/passwd, or redirects their mail using the alias file /etc/aliases. We will not use the list of local system users, but /etc/aliases is still useful to us:
     local_recipient_maps = $alias_maps
    Add to /etc/aliases:
     root: user1@example1.com
    This way mail whose recipient is an alias from /etc/aliases is redirected to the main administrator. After every change /etc/aliases must be reindexed with the newaliases command.
    Unfortunately, I did not find an easy way to refuse mail from the Internet for the recipients listed in /etc/aliases. In the system described here the following addresses are reachable from the Internet: alias@mail.example1.com, alias@localhost.example1.com and alias@[ip.address], where alias is any name from /etc/aliases. All mail sent to these addresses, not only from the local machine but also from the Internet, ends up at user1@example1.com. Let me remind you that the postmaster alias is mandatory.
  3. Allow mail to be sent without authentication only from the machine itself.
     mynetworks_style = host
     mynetworks = 127.0.0.1/32 [::1]/128
    Note that mynetworks_style is only consulted when mynetworks is not set explicitly; with both present, the explicit mynetworks list is what counts.

  4. Set up receiving mail for our domains.
     virtual_mailbox_domains = example1.com, example3.com …
     virtual_alias_domains = example2.com …
    For alias domains Postfix looks for the recipient only in /etc/postfix/virtual and rejects the mail if it is not found there. For domains from virtual_mailbox_domains the existence of the user is checked with Dovecot: the address is verified by a probe delivery over LMTP (see reject_unverified_recipient in item 5).
     virtual_transport = lmtp:unix:private/dovecot-lmtp
     virtual_alias_maps = hash:/etc/postfix/virtual
    After every change /etc/postfix/virtual must be reindexed with the postmap command. At a minimum it is advisable to create a postmaster entry in it for each accepted domain, unless you have a user with that name.

  5. The main directive limiting which mail from the Internet we accept into our mailboxes. The order of the restrictions matters: Postfix walks the list from left to right and the first restriction that makes a decision wins. From the Internet we accept mail only for users served by our server; from the local machine we accept mail for anyone.
     smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, reject_unverified_recipient, permit
    reject_unauth_destination is the restriction that keeps the server from being an open relay; because permit_mynetworks comes before it, only the trusted networks from item 3 are allowed to relay.

  6. Configure authentication.
    Postfix reads its general settings from main.cf, but the services started from master.cf may override some of them or add missing ones. By default we do not allow authentication at all, but we set the parameters here to reduce the number of options in master.cf:
     smtpd_sasl_type = dovecot
     smtpd_sasl_path = private/auth
    The path is relative to queue_directory, so Dovecot must create its authentication socket at /var/spool/postfix/private/auth.

  7. Set up TLS in a simplified way, using the temporary Dovecot certificate.
     smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
     smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
     smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
     smtpd_tls_security_level = may
     smtp_tls_security_level = may
    "may" is opportunistic TLS in both directions: encryption is offered and used when the other side supports it, but nothing is verified and plaintext is still accepted on port 25. The temporary Dovecot certificate is self-signed, so clients will show certificate warnings until it is replaced by one issued for mail.example1.com.

  8. Finally, a few optional touches.
     smtpd_banner = $myhostname ESMTP
     biff = no
     strict_rfc821_envelopes = yes
     disable_vrfy_command = yes
     smtpd_helo_required = yes
    The banner no longer advertises the Postfix name and version, VRFY is disabled so the user list cannot be enumerated, and a HELO/EHLO is required before any mail is accepted.

  9. To start an SMTP server on port 587 with authentication enabled, add the following lines to master.cf:
     submission inet n       -       n       -       -       smtpd
       -o smtpd_tls_security_level=encrypt
       -o smtpd_sasl_auth_enable=yes
       -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    Here TLS is mandatory (encrypt), so passwords never cross the wire in the clear, and the restriction list ends with reject: on this port only authenticated users may send, and they may send to any destination.
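The two restriction lists (port 25 in item 5, the submission service in item 9) together with the table lookups from items 2 and 4 decide which RCPT TO commands the server accepts. The following is an added example, not code from the article or from Postfix: a small Python model of that decision logic over constructed data (the article's placeholder domains, an invented user and alias list, DNS replaced by a fixed set of resolvable domains, and the default reply codes the article's main.cf leaves unchanged), so the effect of the restriction order can be checked offline before the server is exposed. Names such as check_rcpt, probe_ok and scenarios are the example's own.

```python
# Offline model of the recipient policy built up in this article: added example, not
# code from the article or from Postfix. Domains are the article's placeholders; the
# user, alias and "resolvable domain" sets below are invented; reply codes are the
# Postfix defaults that the article's main.cf leaves unchanged.
import ipaddress

MYHOSTNAME = "mail.example1.com"
MYDOMAIN = "example1.com"
MYDESTINATION = {MYHOSTNAME, "localhost." + MYDOMAIN, "localhost"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]
VIRTUAL_MAILBOX_DOMAINS = {"example1.com", "example3.com"}
VIRTUAL_ALIAS_DOMAINS = {"example2.com"}
OUR_DOMAINS = MYDESTINATION | VIRTUAL_MAILBOX_DOMAINS | VIRTUAL_ALIAS_DOMAINS

ALIASES = {"root": "user1@example1.com", "postmaster": "root"}     # /etc/aliases (invented)
VIRTUAL = {"postmaster@example2.com": "user1@example1.com",        # /etc/postfix/virtual (invented)
           "sales@example2.com": "user2@example3.com"}
DOVECOT_USERS = {"user1@example1.com", "user2@example3.com"}       # /etc/dovecot/users (invented)
RESOLVABLE = OUR_DOMAINS | {"gmail.com"}    # stands in for DNS MX/A lookups (assumption)

PORT25 = ["reject_unknown_recipient_domain", "permit_mynetworks",
          "reject_non_fqdn_recipient", "reject_unauth_destination",
          "reject_unverified_recipient", "permit"]                 # main.cf, item 5
SUBMISSION = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
              "permit_sasl_authenticated", "reject"]               # master.cf, item 9


def domain_of(addr):
    return addr.rpartition("@")[2]


def in_mynetworks(ip):
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)


def probe_ok(rcpt):
    """What reject_unverified_recipient learns from a probe delivered to Dovecot over LMTP.
    Only mailbox domains need it; cleanup(8) applies virtual_alias_maps first."""
    if domain_of(rcpt) in VIRTUAL_MAILBOX_DOMAINS:
        return VIRTUAL.get(rcpt, rcpt) in DOVECOT_USERS
    return True


def unlisted(rcpt):
    """smtpd_reject_unlisted_recipient (default yes): table checks that apply even after
    PERMIT. virtual_mailbox_maps is empty here, so mailbox domains rely on the probe."""
    local, _, dom = rcpt.rpartition("@")
    if dom in MYDESTINATION and local not in ALIASES:      # local_recipient_maps = $alias_maps
        return "550 5.1.1 User unknown in local recipient table"
    if dom in VIRTUAL_ALIAS_DOMAINS and rcpt not in VIRTUAL:
        return "550 5.1.1 User unknown in virtual alias table"
    return None


def check_rcpt(client_ip, recipient, restrictions, sasl=False):
    """Evaluate one RCPT TO as smtpd(8) walks a restriction list: the first restriction
    that makes a decision wins. Returns (action, reason)."""
    rcpt = recipient.lower()
    dom = domain_of(rcpt)
    action, reason = "PERMIT", "end of list"
    for r in restrictions:
        if r == "reject_unknown_recipient_domain" and dom not in RESOLVABLE:
            action, reason = "REJECT", "450 4.1.2 Domain not found"
        elif r == "permit_mynetworks" and in_mynetworks(client_ip):
            reason = r                    # decided: a trusted client may relay anywhere
        elif r == "permit_sasl_authenticated" and sasl:
            reason = r
        elif r == "reject_non_fqdn_recipient" and "." not in dom:
            action, reason = "REJECT", "504 5.5.2 need fully-qualified address"
        elif r == "reject_unauth_destination" and dom not in OUR_DOMAINS:
            action, reason = "REJECT", "554 5.7.1 Relay access denied"
        elif r == "reject_unverified_recipient" and not probe_ok(rcpt):
            action, reason = "REJECT", "450 4.1.1 unverified address"
        elif r == "permit":
            reason = r
        elif r == "reject":
            action, reason = "REJECT", "554 5.7.1 Access denied"
        else:
            continue                      # did not fire; try the next restriction
        break
    unl = unlisted(rcpt) if action == "PERMIT" else None
    return ("REJECT", unl) if unl else (action, reason)


def scenarios():
    """Constructed sessions from an Internet client (203.0.113.5, TEST-NET-3) and localhost."""
    inet, local = "203.0.113.5", "127.0.0.1"
    return {
        "inet_mailbox_user":     check_rcpt(inet, "user1@example1.com", PORT25),
        "inet_mailbox_unknown":  check_rcpt(inet, "nobody@example1.com", PORT25),
        "inet_alias_unknown":    check_rcpt(inet, "nobody@example2.com", PORT25),
        "inet_root_via_aliases": check_rcpt(inet, "root@mail.example1.com", PORT25),
        "inet_relay_attempt":    check_rcpt(inet, "someone@gmail.com", PORT25),
        "inet_non_fqdn":         check_rcpt(inet, "root@localhost", PORT25),
        "local_relay":           check_rcpt(local, "someone@gmail.com", PORT25),
        "local_non_fqdn":        check_rcpt(local, "root@localhost", PORT25),
        "local_alias_unknown":   check_rcpt(local, "nobody@example2.com", PORT25),
        "submission_no_auth":    check_rcpt(inet, "user1@example1.com", SUBMISSION),
        "submission_auth":       check_rcpt(inet, "someone@gmail.com", SUBMISSION, sasl=True),
    }


if __name__ == "__main__":
    for name, (action, reason) in scenarios().items():
        print(f"{name:24} {action:7} {reason}")
```

The scenarios are the checks worth repeating by hand against the real server with a manual RCPT TO session: a relay attempt from the Internet must get "Relay access denied", root@localhost from the Internet must fail as non-FQDN while the same address from 127.0.0.1 is accepted, and port 587 must refuse everything until AUTH succeeds. The model deliberately ignores DNS, the address verification cache and the pickup(8) path for mail submitted with sendmail(1), which bypasses smtpd restrictions entirely.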

A complete list of main.cf parameters is given in the postconf(5) manual page.

The following files are used to manage our system:
/etc/dovecot/users - the list of users and passwords;
/etc/aliases - aliases used to redirect e-mail notifications from local services running on our machine to the system administrator;
/etc/postfix/virtual - aliases used to redirect messages addressed to our domains;
/etc/postfix/main.cf - the parameters virtual_mailbox_domains and virtual_alias_domains list the domains served by our system.

Setting up a mail system is, in my opinion, the hardest task in system administration; whole books have been written about it. I wanted to describe each parameter in more detail, but that turned out to be merely a poor retelling of the manual. So I have kept comments only for the most important points, and even more has been left outside the scope of this article. In any case, reading and understanding the documentation is necessary to configure the system. This article, like many similar ones, was written to help take the first small step in mastering a complex system.

Allow me to bow out.

Source: https://habr.com/ru/post/258407/
