1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4<html> 5 6<head> 7 8<title>Postfix Small/Home Office Hints and Tips</title> 9 10<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 11<link rel='stylesheet' type='text/css' href='postfix-doc.css'> 12 13</head> 14 15<body> 16 17<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1> 18 19<hr> 20 21<h2>Overview</h2> 22 23<p> This document combines hints and tips for "small office/home 24office" applications into one document so that they are easier to 25find. The text describes the mail sending side only. If your machine 26does not receive mail directly (i.e. it does not have its own 27Internet domain name and its own fixed IP address), then you will 28need a solution such as "fetchmail", which is outside the scope of 29the Postfix documentation. </p> 30 31<ul> 32 33<li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p> 34 35<ul> 36 37<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a> 38 39<li><a href="#fantasy">Postfix on hosts without a real 40Internet hostname</a> 41 42</ul> 43 44<p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p> 45 46<ul> 47 48<li><a href="#client_sasl_enable">Enabling SASL authentication in the 49Postfix SMTP client</a></li> 50 51<li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL 52authentication </a></li> 53 54</ul> 55 56</ul> 57 58<p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for 59further information on these topics. </p> 60 61<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2> 62 63<p> Postfix should work out of the box without change on a stand-alone 64machine that has direct Internet access. At least, that is how 65Postfix installs when you download the Postfix source code via 66<a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p> 67 68<p> You can use the command "<b>postconf -n</b>" to find out what 69settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname 70settings, few parameters should be set on a stand-alone box, beyond 71what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p> 72 73<blockquote> 74<pre> 75/etc/postfix/<a href="postconf.5.html">main.cf</a>: 76 # Optional: send mail as user@domainname instead of user@hostname. 77 #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> 78 79 # Optional: specify NAT/proxy external address. 80 #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 81 82 # Alternative 1: don't relay mail from other hosts. 83 <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host 84 <a href="postconf.5.html#relay_domains">relay_domains</a> = 85 86 # Alternative 2: relay mail from local clients only. 87 # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28 88 # <a href="postconf.5.html#relay_domains">relay_domains</a> = 89</pre> 90</blockquote> 91 92<p> See also the section "<a href="#fantasy">Postfix on hosts without 93a real Internet hostname</a>" if this is applicable to your configuration. 94</p> 95 96<h2><a name="fantasy">Postfix on hosts without a real Internet 97hostname</a></h2> 98 99<p> This section is for hosts that don't have their own Internet 100hostname. Typically these are systems that get a dynamic IP address 101via DHCP or via dialup. Postfix will let you send and receive mail 102just fine between accounts on a machine with a fantasy name. However, 103you cannot use a fantasy hostname in your email address when sending 104mail into the Internet, because no-one would be able to reply to 105your mail. In fact, more and more sites refuse mail addresses with 106non-existent domain names. </p> 107 108<p> Note: the following information is Postfix version dependent. 109To find out what Postfix version you have, execute the command 110"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p> 111 112<h3>Solution 1: Postfix version 2.2 and later </h3> 113 114<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace 115local fantasy email addresses by valid Internet addresses. This 116mapping happens ONLY when mail leaves the machine; not when you 117send mail between users on the same machine. </p> 118 119<p> The following example presents additional configuration. You 120need to combine this with basic configuration information as 121discussed in the first half of this document. </p> 122 123<blockquote> 124<pre> 1251 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 1262 <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/generic 1273 1284 /etc/postfix/generic: 1295 his@localdomain.local hisaccount@hisisp.example 1306 her@localdomain.local heraccount@herisp.example 1317 @localdomain.local hisaccount+local@hisisp.example 132</pre> 133</blockquote> 134 135<p> When mail is sent to a remote host via SMTP: </p> 136 137<ul> 138 139<li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP 140mail address, </p> 141 142<li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP 143mail address, and </p> 144 145<li> <p> Line 7 replaces other local addresses by his ISP account, 146with an address extension of +<i>local</i> (this example assumes 147that the ISP supports "+" style address extensions). </p> 148 149</ul> 150 151<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses 152<b>dbm</b> files instead of <b>db</b> files. To find out what lookup 153tables Postfix supports, use the command "<b>postconf -m</b>". </p> 154 155<p> Execute the command "<b>postmap /etc/postfix/generic</b>" 156whenever you change the generic table. </p> 157 158<h3>Solution 2: Postfix version 2.1 and earlier </h3> 159 160<p> The solution with older Postfix systems is to use valid 161Internet addresses where possible, and to let Postfix map valid 162Internet addresses to local fantasy addresses. With this, you can 163send mail to the Internet and to local fantasy addresses, including 164mail to local fantasy addresses that don't have a valid Internet 165address of their own.</p> 166 167<p> The following example presents additional configuration. You 168need to combine this with basic configuration information as 169discussed in the first half of this document. </p> 170 171<blockquote> 172<pre> 173 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 174 2 <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain 175 3 <a href="postconf.5.html#mydomain">mydomain</a> = localdomain 176 4 177 5 <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical 178 6 179 7 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual 180 8 181 9 /etc/postfix/canonical: 18210 your-login-name your-account@your-isp.com 18311 18412 /etc/postfix/virtual: 18513 your-account@your-isp.com your-login-name 186</pre> 187</blockquote> 188 189<p> Translation: </p> 190 191<ul> 192 193<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not 194use a domain name that is already in use by real organizations 195on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain 196names that are guaranteed not to be owned by anyone. </p> 197 198<li> <p> Lines 5, 9, 10: This provides the mapping from 199"your-login-name@hostname.localdomain" to "your-account@your-isp.com". 200This part is required. </p> 201 202<li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" 203locally, instead of sending it to the ISP. This part is not required 204but is convenient. 205 206</ul> 207 208<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses 209<b>dbm</b> files instead of <b>db</b> files. To find out what lookup 210tables Postfix supports, use the command "<b>postconf -m</b>". </p> 211 212<p> Execute the command "<b>postmap /etc/postfix/canonical</b>" 213whenever you change the canonical table. </p> 214 215<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" 216whenever you change the virtual table. </p> 217 218<h2><a name="client_sasl_enable">Enabling SASL authentication in the 219Postfix SMTP/LMTP client</a></h2> 220 221<p> This section shows a typical scenario where the Postfix SMTP 222client sends all messages via a mail gateway server that requires 223SASL authentication. </p> 224 225<blockquote> 226 227<strong> Trouble solving tips: </strong> 228 229<ul> 230 231<li> <p> If your SASL logins fail with "SASL authentication failure: 232No worthy mechs found" in the mail logfile, then see the section 233"<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP 234client policy - SASL mechanism <em>properties</em></a>". 235 236<li> <p> For a solution to a more obscure class of SASL authentication 237failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix 238SMTP/LMTP client policy - SASL mechanism <em>names</em></a>". 239 240</ul> 241 242</blockquote> 243 244<p> To make the example more readable we introduce it in two parts. 245The first part takes care of the basic configuration, while the 246second part sets up the username/password information. </p> 247 248<blockquote> 249<pre> 250/etc/postfix/<a href="postconf.5.html">main.cf</a>: 251 <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes 252 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt 253 <a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous 254 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] 255 # Alternative form: 256 # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission 257 <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd 258</pre> 259</blockquote> 260 261<ul> 262 263<li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables 264client-side authentication. We will configure the client's username 265and password information in the second part of the example. </p> 266</li> 267 268<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures 269that the connection to the remote smtp server will be encrypted, and 270<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on 271plaintext passwords. </p> 272 273<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP 274to send all remote messages to the specified mail server instead 275of trying to deliver them directly to their destination. </p> </li> 276 277<li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>" 278and "<code>]</code>" prevent the Postfix SMTP client from looking 279up MX (mail exchanger) records for the enclosed name. </p> </li> 280 281<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a 282non-default TCP port. For example, the alternative form 283<code>[mail.isp.example]:submission</code> tells Postfix to connect 284to TCP network port 587, which is reserved for email client 285applications. </p> </li> 286 287<li> <p> The Postfix SMTP client is compatible with SMTP servers 288that use the non-standard "<code>AUTH=<em>method.</em>...</code>" 289syntax in response to the EHLO command; this requires no additional 290Postfix client configuration. </p> </li> 291 292<li> <p> With the setting "<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes", the Postfix 293SMTP client supports the "wrappermode" protocol, which uses TCP 294port 465 on the SMTP server (Postfix 3.0 and later). </p> </li> 295 296<li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter, 297we configure the Postfix SMTP client to send username and password 298information to the mail gateway server. As discussed in the next 299section, the Postfix SMTP client supports multiple ISP accounts. 300For this reason the username and password are stored in a table 301that contains one username/password combination for each mail gateway 302server. </p> 303 304</ul> 305 306<blockquote> 307<pre> 308/etc/postfix/sasl_passwd: 309 # destination credentials 310 [mail.isp.example] username:password 311 # Alternative form: 312 # [mail.isp.example]:submission username:password 313</pre> 314</blockquote> 315 316<blockquote> 317 318<strong>Important</strong> 319 320<p> Keep the SASL client password file in <code>/etc/postfix</code>, 321and make the file read+write only for <code>root</code> to protect 322the username/password combinations against other users. The Postfix 323SMTP client will still be able to read the SASL client passwords. 324It opens the file as user <code>root</code> before it drops privileges, 325and before entering an optional chroot jail. </p> 326 327</blockquote> 328 329<ul> 330 331<li> <p> Use the <code>postmap</code> command whenever you 332change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li> 333 334<li> <p> If you specify the "<code>[</code>" and "<code>]</code>" 335in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the 336same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> 337</li> 338 339<li> <p> If you specify a non-default TCP Port (such as 340"<code>:submission</code>" or "<code>:587</code>") in the 341<code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form 342in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li> 343 344</ul> 345 346<h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL 347authentication</a></h2> 348 349<p> Postfix supports different ISP accounts for different sender 350addresses (version 2.3 and later). This can be useful when one 351person uses the same machine for work and for personal use, or when 352people with different ISP accounts share the same Postfix server. 353</p> 354 355<p> To make this possible, Postfix supports per-sender SASL passwords 356and per-sender relay hosts. In the example below, the Postfix SMTP 357client will search the SASL password file by sender address before 358it searches that same file by destination. Likewise, the Postfix 359<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file, 360and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final 361resort. </p> 362 363<blockquote> 364<pre> 365/etc/postfix/<a href="postconf.5.html">main.cf</a>: 366 <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes 367 <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_relay 368 <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes 369 <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd 370 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] 371 # Alternative form: 372 # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission 373</pre> 374</blockquote> 375 376<blockquote> 377<pre> 378/etc/postfix/sasl_passwd: 379 # Per-sender authentication; see also /etc/postfix/sender_relay. 380 user1@example.com username1:password1 381 user2@example.net username2:password2 382 # Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>. 383 [mail.isp.example] username:password 384 # Alternative form: 385 # [mail.isp.example]:submission username:password 386</pre> 387</blockquote> 388 389<blockquote> 390<pre> 391/etc/postfix/sender_relay: 392 # Per-sender provider; see also /etc/postfix/sasl_passwd. 393 user1@example.com [mail.example.com]:submission 394 user2@example.net [mail.example.net] 395</pre> 396</blockquote> 397 398<ul> 399 400<li> <p> If you are creative, then you can try to combine the two 401tables into one single MySQL database, and configure different 402Postfix queries to extract the appropriate information. </p> 403 404<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses 405<b>dbm</b> files instead of <b>db</b> files. To find out what lookup 406tables Postfix supports, use the command "<b>postconf -m</b>". </p> 407 408<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>" 409whenever you change the sasl_passwd table. </p> 410 411<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>" 412whenever you change the sender_relay table. </p> 413 414</ul> 415 416</body> 417 418</html> 419
