<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix Small/Home Office Hints and Tips</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1>

<hr>

<h2>Overview</h2>

<p> This document combines hints and tips for "small office/home
office" applications into one document so that they are easier to
find. The text describes the mail sending side only. If your machine
does not receive mail directly (i.e. it does not have its own
Internet domain name and its own fixed IP address), then you will
need a solution such as "fetchmail", which is outside the scope of
the Postfix documentation. </p>

<ul>

<li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p>

<ul>

<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a>

<li><a href="#fantasy">Postfix on hosts without a real
Internet hostname</a>

</ul>

<p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p>

<ul>

<li><a href="#client_sasl_enable">Enabling SASL authentication in the
Postfix SMTP client</a></li>

<li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL
authentication </a></li>

</ul>

</ul>

<p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for
further information on these topics. </p>

<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2>

<p> Postfix should work out of the box without change on a stand-alone
machine that has direct Internet access.
At least, that is how
Postfix installs when you download the Postfix source code via
<a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p>

<p> You can use the command "<b>postconf -n</b>" to find out what
settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname
settings, few parameters should be set on a stand-alone box, beyond
what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # Optional: send mail as user@domainname instead of user@hostname.
    #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>

    # Optional: specify NAT/proxy external address.
    #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4

    # Alternative 1: don't relay mail from other hosts.
    <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host
    <a href="postconf.5.html#relay_domains">relay_domains</a> =

    # Alternative 2: relay mail from local clients only.
    # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28
    # <a href="postconf.5.html#relay_domains">relay_domains</a> =
</pre>
</blockquote>

<p> See also the section "<a href="#fantasy">Postfix on hosts without
a real Internet hostname</a>" if this is applicable to your configuration.
</p>

<h2><a name="fantasy">Postfix on hosts without a real Internet
hostname</a></h2>

<p> This section is for hosts that don't have their own Internet
hostname. Typically these are systems that get a dynamic IP address
via DHCP or via dialup. Postfix will let you send and receive mail
just fine between accounts on a machine with a fantasy name. However,
you cannot use a fantasy hostname in your email address when sending
mail into the Internet, because no-one would be able to reply to
your mail.
In fact, more and more sites refuse mail addresses with
non-existent domain names. </p>

<p> Note: the following information is Postfix version dependent.
To find out what Postfix version you have, execute the command
"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p>

<h3>Solution 1: Postfix version 2.2 and later </h3>

<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace
local fantasy email addresses by valid Internet addresses. This
mapping happens ONLY when mail leaves the machine; not when you
send mail between users on the same machine. </p>

<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed in the first half of this document. </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/generic
3
4 /etc/postfix/generic:
5     his@localdomain.local             hisaccount@hisisp.example
6     her@localdomain.local             heraccount@herisp.example
7     @localdomain.local                hisaccount+local@hisisp.example
</pre>
</blockquote>

<p> When mail is sent to a remote host via SMTP: </p>

<ul>

<li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP
mail address, </p>

<li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP
mail address, and </p>

<li> <p> Line 7 replaces other local addresses by his ISP account,
with an address extension of +<i>local</i> (this example assumes
that the ISP supports "+" style address extensions). </p>

</ul>

<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
tables Postfix supports, use the command "<b>postconf -m</b>".
</p>

<p> Execute the command "<b>postmap /etc/postfix/generic</b>"
whenever you change the generic table. </p>

<h3>Solution 2: Postfix version 2.1 and earlier </h3>

<p> The solution with older Postfix systems is to use valid
Internet addresses where possible, and to let Postfix map valid
Internet addresses to local fantasy addresses. With this, you can
send mail to the Internet and to local fantasy addresses, including
mail to local fantasy addresses that don't have a valid Internet
address of their own.</p>

<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed in the first half of this document. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain
 3     <a href="postconf.5.html#mydomain">mydomain</a> = localdomain
 4
 5     <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical
 6
 7     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual
 8
 9 /etc/postfix/canonical:
10     your-login-name                 your-account@your-isp.com
11
12 /etc/postfix/virtual:
13     your-account@your-isp.com       your-login-name
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
names that are guaranteed not to be owned by anyone. </p>

<li> <p> Lines 5, 9, 10: This provides the mapping from
"your-login-name@hostname.localdomain" to "your-account@your-isp.com".
This part is required.
</p>

<li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com"
locally, instead of sending it to the ISP. This part is not required
but is convenient.

</ul>

<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
tables Postfix supports, use the command "<b>postconf -m</b>". </p>

<p> Execute the command "<b>postmap /etc/postfix/canonical</b>"
whenever you change the canonical table. </p>

<p> Execute the command "<b>postmap /etc/postfix/virtual</b>"
whenever you change the virtual table. </p>

<h2><a name="client_sasl_enable">Enabling SASL authentication in the
Postfix SMTP/LMTP client</a></h2>

<p> This section shows a typical scenario where the Postfix SMTP
client sends all messages via a mail gateway server that requires
SASL authentication. </p>

<blockquote>

<strong> Troubleshooting tips: </strong>

<ul>

<li> <p> If your SASL logins fail with "SASL authentication failure:
No worthy mechs found" in the mail logfile, then see the section
"<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP
client policy - SASL mechanism <em>properties</em></a>".

<li> <p> For a solution to a more obscure class of SASL authentication
failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix
SMTP/LMTP client policy - SASL mechanism <em>names</em></a>".

</ul>

</blockquote>

<p> To make the example more readable we introduce it in two parts.
The first part takes care of the basic configuration, while the
second part sets up the username/password information.
</p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
    <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
    <a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous
    <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
    # Alternative form:
    # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
    <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd
</pre>
</blockquote>

<ul>

<li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables
client-side authentication. We will configure the client's username
and password information in the second part of the example. </p>
</li>

<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures
that the connection to the remote SMTP server will be encrypted, and
<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on
plaintext passwords. </p>

<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP
client to send all remote messages to the specified mail server instead
of trying to deliver them directly to their destination. </p> </li>

<li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>"
and "<code>]</code>" prevent the Postfix SMTP client from looking
up MX (mail exchanger) records for the enclosed name.
</p> </li>

<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a
non-default TCP port. For example, the alternative form
<code>[mail.isp.example]:submission</code> tells Postfix to connect
to TCP network port 587, which is reserved for email client
applications. </p> </li>

<li> <p> The Postfix SMTP client is compatible with SMTP servers
that use the non-standard "<code>AUTH=<em>method.</em>...</code>"
syntax in response to the EHLO command; this requires no additional
Postfix client configuration. </p> </li>

<li> <p> With the setting "<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes", the Postfix
SMTP client supports the "wrappermode" protocol, which uses TCP
port 465 on the SMTP server (Postfix 3.0 and later). </p> </li>

<li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter,
we configure the Postfix SMTP client to send username and password
information to the mail gateway server. As discussed in the next
section, the Postfix SMTP client supports multiple ISP accounts.
For this reason the username and password are stored in a table
that contains one username/password combination for each mail gateway
server. </p>

</ul>

<blockquote>
<pre>
/etc/postfix/sasl_passwd:
    # destination                   credentials
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password
</pre>
</blockquote>

<blockquote>

<strong>Important</strong>

<p> Keep the SASL client password file in <code>/etc/postfix</code>,
and make the file read+write only for <code>root</code> to protect
the username/password combinations against other users. The Postfix
SMTP client will still be able to read the SASL client passwords.
It opens the file as user <code>root</code> before it drops privileges,
and before entering an optional chroot jail. </p>

</blockquote>

<ul>

<li> <p> Use the <code>postmap</code> command whenever you
change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li>

<li> <p> If you specify the "<code>[</code>" and "<code>]</code>"
in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the
same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p>
</li>

<li> <p> If you specify a non-default TCP port (such as
"<code>:submission</code>" or "<code>:587</code>") in the
<code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form
in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li>

</ul>

<h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL
authentication</a></h2>

<p> Postfix supports different ISP accounts for different sender
addresses (version 2.3 and later). This can be useful when one
person uses the same machine for work and for personal use, or when
people with different ISP accounts share the same Postfix server.
</p>

<p> To make this possible, Postfix supports per-sender SASL passwords
and per-sender relay hosts. In the example below, the Postfix SMTP
client will search the SASL password file by sender address before
it searches that same file by destination. Likewise, the Postfix
<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file,
and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final
resort.
</p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes
    <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_relay
    <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
    <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd
    <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]
    # Alternative form:
    # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/sasl_passwd:
    # Per-sender authentication; see also /etc/postfix/sender_relay.
    user1@example.com               username1:password1
    user2@example.net               username2:password2
    # Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>.
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/sender_relay:
    # Per-sender provider; see also /etc/postfix/sasl_passwd.
    user1@example.com               [mail.example.com]:submission
    user2@example.net               [mail.example.net]
</pre>
</blockquote>

<ul>

<li> <p> If you are creative, then you can try to combine the two
tables into one single MySQL database, and configure different
Postfix queries to extract the appropriate information. </p>

<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
tables Postfix supports, use the command "<b>postconf -m</b>".
</p>

<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>"
whenever you change the sasl_passwd table. </p>

<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>"
whenever you change the sender_relay table. </p>

</ul>

</body>

</html>
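<p> The table rules from the two SASL sections, as an added example (not
part of the Postfix documentation or source): a small checker that applies
the "same form" rule for <code>relayhost</code> and
<code>smtp_sasl_password_maps</code> keys, the sender-before-destination
search order, and the root-only file permissions. All function names are
hypothetical, the lookup is a simplified model of the rules stated on this
page, and the parser assumes one entry per line. </p>

```python
import os
import stat

def parse_table(text):
    """Parse Postfix table source text into {key: value}; skip blanks and # comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value
    return table

def credential_key(sender, hop, sasl_passwd):
    """Search by sender address first, then by destination in its exact written form."""
    return next((k for k in (sender, hop) if k in sasl_passwd), None)

def bare_host(dest):
    """Drop [] and any :port so differently written forms of one host compare equal."""
    return dest.split("]")[0].lstrip("[").split(":")[0]

def lint(relayhost, sender_relay, sasl_passwd):
    """Report every route whose next hop has no matching sasl_passwd key."""
    findings = []
    for sender, hop in [(None, relayhost)] + sorted(sender_relay.items()):
        if credential_key(sender, hop, sasl_passwd) is None:
            near = [k for k in sasl_passwd if "@" not in k and bare_host(k) == bare_host(hop)]
            hint = f"; {near[0]!r} is present but is not the same form" if near else ""
            findings.append(f"{sender or 'default'} via {hop!r}: no credentials{hint}")
    return findings

def permission_findings(path):
    """The password file should be owned by root and read+write for root only."""
    st, findings = os.stat(path), []
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected 0 (root)")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    return findings

# Constructed sample tables modelled on the page's examples (placeholder credentials).
SASL_PASSWD = parse_table("""
user1@example.com     username1:password1
mail.example.net      username2:password2
[mail.isp.example]    username:password
""")
SENDER_RELAY = parse_table("""
user1@example.com     [mail.example.com]:submission
user2@example.net     [mail.example.net]
""")

if __name__ == "__main__":
    print("\n".join(lint("[mail.isp.example]:submission", SENDER_RELAY, SASL_PASSWD)))
```

<p> The findings name table keys only, never the credential values, so
the output can be pasted into a ticket or log. </p>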