1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4<html> 5 6<head> 7 8<title>Postfix Small/Home Office Hints and Tips</title> 9 10<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 11 12</head> 13 14<body> 15 16<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1> 17 18<hr> 19 20<h2>Overview</h2> 21 22<p> This document combines hints and tips for "small office/home 23office" applications into one document so that they are easier to 24find. The text describes the mail sending side only. If your machine 25does not receive mail directly (i.e. it does not have its own 26Internet domain name and its own fixed IP address), then you will 27need a solution such as "fetchmail", which is outside the scope of 28the Postfix documentation. </p> 29 30<ul> 31 32<li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p> 33 34<ul> 35 36<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a> 37 38<li><a href="#fantasy">Postfix on hosts without a real 39Internet hostname</a> 40 41</ul> 42 43<p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p> 44 45<ul> 46 47<li><a href="#client_sasl_enable">Enabling SASL authentication in the 48Postfix SMTP client</a></li> 49 50<li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL 51authentication </a></li> 52 53</ul> 54 55</ul> 56 57<p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for 58further information on these topics. </p> 59 60<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2> 61 62<p> Postfix should work out of the box without change on a stand-alone 63machine that has direct Internet access. At least, that is how 64Postfix installs when you download the Postfix source code via 65<a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p> 66 67<p> You can use the command "<b>postconf -n</b>" to find out what 68settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname 69settings, few parameters should be set on a stand-alone box, beyond 70what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p> 71 72<blockquote> 73<pre> 74/etc/postfix/<a href="postconf.5.html">main.cf</a>: 75 # Optional: send mail as user@domainname instead of user@hostname. 76 #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> 77 78 # Optional: specify NAT/proxy external address. 79 #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 80 81 # Alternative 1: don't relay mail from other hosts. 82 <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host 83 <a href="postconf.5.html#relay_domains">relay_domains</a> = 84 85 # Alternative 2: relay mail from local clients only. 86 # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28 87 # <a href="postconf.5.html#relay_domains">relay_domains</a> = 88</pre> 89</blockquote> 90 91<p> See also the section "<a href="#fantasy">Postfix on hosts without 92a real Internet hostname</a>" if this is applicable to your configuration. 93</p> 94 95<h2><a name="fantasy">Postfix on hosts without a real Internet 96hostname</a></h2> 97 98<p> This section is for hosts that don't have their own Internet 99hostname. Typically these are systems that get a dynamic IP address 100via DHCP or via dialup. Postfix will let you send and receive mail 101just fine between accounts on a machine with a fantasy name. However, 102you cannot use a fantasy hostname in your email address when sending 103mail into the Internet, because no-one would be able to reply to 104your mail. In fact, more and more sites refuse mail addresses with 105non-existent domain names. </p> 106 107<p> Note: the following information is Postfix version dependent. 108To find out what Postfix version you have, execute the command 109"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p> 110 111<h3>Solution 1: Postfix version 2.2 and later </h3> 112 113<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace 114local fantasy email addresses by valid Internet addresses. This 115mapping happens ONLY when mail leaves the machine; not when you 116send mail between users on the same machine. </p> 117 118<p> The following example presents additional configuration. You 119need to combine this with basic configuration information as 120discussed the first half of this document. </p> 121 122<blockquote> 123<pre> 1241 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 1252 <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/generic 1263 1274 /etc/postfix/generic: 1285 his@localdomain.local hisaccount@hisisp.example 1296 her@localdomain.local heraccount@herisp.example 1307 @localdomain.local hisaccount+local@hisisp.example 131</pre> 132</blockquote> 133 134<p> When mail is sent to a remote host via SMTP: </p> 135 136<ul> 137 138<li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP 139mail address, </p> 140 141<li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP 142mail address, and </p> 143 144<li> <p> Line 7 replaces other local addresses by his ISP account, 145with an address extension of +<i>local</i> (this example assumes 146that the ISP supports "+" style address extensions). </p> 147 148</ul> 149 150<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses 151<b>dbm</b> files instead of <b>db</b> files. To find out what lookup 152tables Postfix supports, use the command "<b>postconf -m</b>". </p> 153 154<p> Execute the command "<b>postmap /etc/postfix/generic</b>" 155whenever you change the generic table. </p> 156 157<h3>Solution 2: Postfix version 2.1 and earlier </h3> 158 159<p> The solution with older Postfix systems is to use valid 160Internet addresses where possible, and to let Postfix map valid 161Internet addresses to local fantasy addresses. With this, you can 162send mail to the Internet and to local fantasy addresses, including 163mail to local fantasy addresses that don't have a valid Internet 164address of their own.</p> 165 166<p> The following example presents additional configuration. You 167need to combine this with basic configuration information as 168discussed the first half of this document. </p> 169 170<blockquote> 171<pre> 172 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 173 2 <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain 174 3 <a href="postconf.5.html#mydomain">mydomain</a> = localdomain 175 4 176 5 <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical 177 6 178 7 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual 179 8 180 9 /etc/postfix/canonical: 18110 your-login-name your-account@your-isp.com 18211 18312 /etc/postfix/virtual: 18413 your-account@your-isp.com your-login-name 185</pre> 186</blockquote> 187 188<p> Translation: </p> 189 190<ul> 191 192<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not 193use a domain name that is already in use by real organizations 194on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain 195names that are guaranteed not to be owned by anyone. </p> 196 197<li> <p> Lines 5, 9, 10: This provides the mapping from 198"your-login-name@hostname.localdomain" to "your-account@your-isp.com". 199This part is required. </p> 200 201<li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" 202locally, instead of sending it to the ISP. This part is not required 203but is convenient. 204 205</ul> 206 207<p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses 208<b>dbm</b> files instead of <b>db</b> files. To find out what lookup 209tables Postfix supports, use the command "<b>postconf -m</b>". </p> 210 211<p> Execute the command "<b>postmap /etc/postfix/canonical</b>" 212whenever you change the canonical table. </p> 213 214<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" 215whenever you change the virtual table. </p> 216 217<h2><a name="client_sasl_enable">Enabling SASL authentication in the 218Postfix SMTP/LMTP client</a></h2> 219 220<p> This section shows a typical scenario where the Postfix SMTP 221client sends all messages via a mail gateway server that requires 222SASL authentication. </p> 223 224<blockquote> 225 226<strong> Trouble solving tips: </strong> 227 228<ul> 229 230<li> <p> If your SASL logins fail with "SASL authentication failure: 231No worthy mechs found" in the mail logfile, then see the section 232"<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP 233client policy - SASL mechanism <em>properties</em></a>". 234 235<li> <p> For a solution to a more obscure class of SASL authentication 236failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix 237SMTP/LMTP client policy - SASL mechanism <em>names</em></a>". 238 239</ul> 240 241</blockquote> 242 243<p> To make the example more readable we introduce it in two parts. 244The first part takes care of the basic configuration, while the 245second part sets up the username/password information. </p> 246 247<blockquote> 248<pre> 249/etc/postfix/<a href="postconf.5.html">main.cf</a>: 250 <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes 251 <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt 252 <a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> = noanonymous 253 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] 254 # Alternative form: 255 # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission 256 <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd 257</pre> 258</blockquote> 259 260<ul> 261 262<li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables 263client-side authentication. We will configure the client's username 264and password information in the second part of the example. </p> 265</li> 266 267<li> <p> The <code><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></code> setting ensures 268that the connection to the remote smtp server will be encrypted, and 269<code><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a></code> removes the prohibition on 270plaintext passwords. </p> 271 272<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP 273to send all remote messages to the specified mail server instead 274of trying to deliver them directly to their destination. </p> </li> 275 276<li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>" 277and "<code>]</code>" prevent the Postfix SMTP client from looking 278up MX (mail exchanger) records for the enclosed name. </p> </li> 279 280<li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a 281non-default TCP port. For example, the alternative form 282<code>[mail.isp.example]:submission</code> tells Postfix to connect 283to TCP network port 587, which is reserved for email client 284applications. </p> </li> 285 286<li> <p> The Postfix SMTP client is compatible with SMTP servers 287that use the non-standard "<code>AUTH=<em>method.</em>...</code>" 288syntax in response to the EHLO command; this requires no additional 289Postfix client configuration. </p> </li> 290 291<li> <p> The Postfix SMTP client does not support the obsolete 292"wrappermode" protocol, which uses TCP port <code>465</code> on the 293SMTP server. See <a href="TLS_README.html">TLS_README</a> for a solution that uses the 294<code>stunnel</code> command. </p> </li> 295 296<li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter, 297we configure the Postfix SMTP client to send username and password 298information to the mail gateway server. As discussed in the next 299section, the Postfix SMTP client supports multiple ISP accounts. 300For this reason the username and password are stored in a table 301that contains one username/password combination for each mail gateway 302server. </p> 303 304</ul> 305 306<blockquote> 307<pre> 308/etc/postfix/sasl_passwd: 309 # destination credentials 310 [mail.isp.example] username:password 311 # Alternative form: 312 # [mail.isp.example]:submission username:password 313</pre> 314</blockquote> 315 316<blockquote> 317 318<strong>Important</strong> 319 320<p> Keep the SASL client password file in <code>/etc/postfix</code>, 321and make the file read+write only for <code>root</code> to protect 322the username/password combinations against other users. The Postfix 323SMTP client will still be able to read the SASL client passwords. 324It opens the file as user <code>root</code> before it drops privileges, 325and before entering an optional chroot jail. </p> 326 327</blockquote> 328 329<ul> 330 331<li> <p> Use the <code>postmap</code> command whenever you 332change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li> 333 334<li> <p> If you specify the "<code>[</code>" and "<code>]</code>" 335in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the 336same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> 337</li> 338 339<li> <p> If you specify a non-default TCP Port (such as 340"<code>:submission</code>" or "<code>:587</code>") in the 341<code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form 342in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li> 343 344</ul> 345 346<h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL 347authentication</a></h2> 348 349<p> Postfix supports different ISP accounts for different sender 350addresses (version 2.3 and later). This can be useful when one 351person uses the same machine for work and for personal use, or when 352people with different ISP accounts share the same Postfix server. 353</p> 354 355<p> To make this possible, Postfix supports per-sender SASL passwords 356and per-sender relay hosts. In the example below, the Postfix SMTP 357client will search the SASL password file by sender address before 358it searches that same file by destination. Likewise, the Postfix 359<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file, 360and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final 361resort. </p> 362 363<blockquote> 364<pre> 365/etc/postfix/<a href="postconf.5.html">main.cf</a>: 366 <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes 367 <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_relay 368 <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes 369 <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sasl_passwd 370 <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] 371 # Alternative form: 372 # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission 373</pre> 374</blockquote> 375 376<blockquote> 377<pre> 378/etc/postfix/sasl_passwd: 379 # Per-sender authentication; see also /etc/postfix/sender_relay. 380 user1@example.com username1:password1 381 user2@example.net username2:password2 382 # Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>. 383 [mail.isp.example] username:password 384 # Alternative form: 385 # [mail.isp.example]:submission username:password 386</pre> 387</blockquote> 388 389<blockquote> 390<pre> 391/etc/postfix/sender_relay: 392 # Per-sender provider; see also /etc/postfix/sasl_passwd. 393 user1@example.com [mail.example.com]:submission 394 user2@example.net [mail.example.net] 395</pre> 396</blockquote> 397 398<ul> 399 400<li> <p> If you are creative, then you can try to combine the two 401tables into one single MySQL database, and configure different 402Postfix queries to extract the appropriate information. </p> 403 404<li> <p> Specify dbm instead of hash if your system uses dbm files 405instead of db files. To find out what lookup tables Postfix supports, 406use the command "postconf -m". </p> 407 408<li> <p> Execute the command "postmap /etc/postfix/sasl_passwd" 409whenever you change the sasl_passwd table. </p> 410 411<li> <p> Execute the command "postmap /etc/postfix/sender_relay" 412whenever you change the sender_relay table. </p> 413 414</ul> 415 416</body> 417 418</html> 419
