Sometimes, you want a backup mail server. Something that will accept mail and hold it for delivery until your primary mail server is available again. This is the purpose of a backup MX (the MX refers to the type of DNS record that mail exchangers use).
Basic Postfix Config
Bits I added:
- IPv6
- max queue lifetime (you can adjust this to your own needs. If your mailserver may be off for a week or more, make sure you give yourself plenty of time in the queue or messages will be bounced).
- Make sure mydestination does not include an entry for $domain
1alias_maps = hash:/usr/local/etc/postfix/aliases
2command_directory = /usr/local/sbin
3compatibility_level = 3.6
4daemon_directory = /usr/local/libexec/postfix
5data_directory = /var/db/postfix
6debug_peer_level = 2
7debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
8html_directory = /usr/local/share/doc/postfix
9inet_protocols = ipv4, ipv6
10mail_owner = postfix
11mailq_path = /usr/local/bin/mailq
12manpage_directory = /usr/local/man
13maximal_queue_lifetime = 20d
14meta_directory = /usr/local/libexec/postfix
15mydestination = $myhostname, localhost.$mydomain, localhost
16myhostname = backup-mx.domain.tld
17mynetworks = 127.0.0.0/24
18mynetworks_style = host
19newaliases_path = /usr/local/bin/newaliases
20queue_directory = /var/spool/postfix
21readme_directory = /usr/local/share/doc/postfix
22sample_directory = /usr/local/etc/postfix
23sendmail_path = /usr/local/sbin/sendmail
24setgid_group = maildrop
25shlib_directory = /usr/local/lib/postfix
26unknown_local_recipient_reject_code = 550
TLS/SSL
I’m not covering the generation of keys, see a previous post in this series about generating all the SSL bits.
Enabling SSL/TLS for the main.cf
1smtp_tls_loglevel = 1
2smtp_tls_mandatory_protocols =
3 !SSLv2,
4 !SSLv3
5smtp_tls_note_starttls_offer = yes
6smtp_tls_protocols =
7 !SSLv2,
8 !SSLv3
9smtp_tls_security_level = may
10smtp_use_tls = yes
11smtpd_tls_CAfile = $config_directory/tls/cacert.pem
12smtpd_tls_auth_only = yes
13smtpd_tls_cert_file = $config_directory/tls/server.crt
14smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
15smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
16smtpd_tls_eecdh_grade = strong
17smtpd_tls_key_file = $config_directory/tls/server.key
18smtpd_tls_loglevel = 1
19smtpd_tls_mandatory_protocols =
20 !SSLv2,
21 !SSLv3
22smtpd_tls_protocols =
23 !SSLv2,
24 !SSLv3
25smtpd_tls_received_header = yes
26smtpd_tls_security_level = may
27smtpd_tls_session_cache_timeout = 3600s
28smtpd_use_tls = yes
29tls_eecdh_strong_curve = prime256v1
30tls_eecdh_ultra_curve = secp384r1
31tls_random_source = dev:/dev/random
Not quite done here, we also need to adjust the master.cf
These bits need to be uncommented, and depending on the ordering in main.cf, you may need to move things around to keep the uncommented bits together.
1smtps inet n - n - - smtpd
2 -o syslog_name=postfix/smtps
3 -o smtpd_tls_wrappermode=yes
4 -o milter_macro_daemon_name=ORIGINATING
1service postfix restart
You should now be able to do a sockstat -4l
and see
1[louisk@backup-mx postfix 89 ]$ sockstat -4l
2USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
3root master 9549 13 tcp4 *:25 *:*
4root master 9549 27 tcp4 *:465 *:*
5root sshd 1014 4 tcp4 *:22 *:*
6root syslogd 513 7 udp4 *:514 *:*
7[louisk@backup-mx postfix 90 ]$
The 465 entry tells you that postifx is listening on the SMTPS port (TCP/465)
Relay
There are a couple files here you will need to create after you define these bits in main.cf
1relay_domains = hash:$config_directory/relaydomains
2relay_recipient_maps =
3transport_maps = hash:$config_directory/transport
The transport file will have the format of
1domain.tld smtp:[final.destination.domain.tld]
The relaydomains file will have the format of
1domain.tld OK
1service postfix restart
At this point, you should be able to send a message and see it get delivered to the correct destination in /var/log/maillog. Something like
1echo "test" | mail -s "test" user@relay-domain.tld
Postscreen
We should have a functional mail relay now, but we want to add some basic checks on incoming mail to reduce the junk. Postscreen is a nice built-in tool for this. Familiarize yourself with it here .
main.cf additions
1postscreen_access_list =
2 permit_mynetworks,
3 cidr:$config_directory/postscreen_access.cidr,
4 cidr:$config_directory/postscreen_spf_whitelist.cidr
5postscreen_bare_newline_action = ignore
6postscreen_bare_newline_enable = yes
7postscreen_bare_newline_ttl = 1d
8postscreen_blacklist_action = drop
9postscreen_cache_cleanup_interval = 12h
10postscreen_cache_map = btree:$data_directory/postscreen_cache
11postscreen_cache_retention_time = 7d
12postscreen_disable_vrfy_command = $disable_vrfy_command
13postscreen_dnsbl_action = enforce
14postscreen_dnsbl_sites =
15 zen.spamhaus.org*3,
16 b.barracudacentral.org=127.0.0.[2..11]*2,
17 bl.spameatingmonkey.net*2,
18 bl.mailspike.net*2,
19 bl.spamcop.net,
20 dnsbl.sorbs.net,
21 swl.spamhaus.org*-4,
22 wl.mailspike.net=127.0.0.[17;18]*-1,
23 wl.mailspike.net=127.0.0.[19;20]*-2,
24 list.dnswl.orq=127.[0..255].[0..255].0*-2,
25 list.dnswl.org=127.[0..255].[0..255].1*-4,
26 list.dnswl.orq=127.[0..255].[0..255].[2..255]*-6
27postscreen_dnsbl_threshold = 3
28postscreen_dnsbl_ttl = 1h
29postscreen_dnsbl_whitelist_threshold = -2
30postscreen_greet_action = enforce
31postscreen_greet_banner = $smtpd_banner
32postscreen_greet_ttl = 1d
33postscreen_greet_wait = ${stress?2}${stress:6}s
34postscreen_helo_required = $smtpd_helo_required
35postscreen_non_smtp_command_action = enforce
36postscreen_non_smtp_command_enable = yes
37postscreen_non_smtp_command_ttl = 30d
38postscreen_pipelining_action = enforce
39postscreen_pipelining_enable = yes
40postscreen_whitelist_interfaces = static:all
You may want to change weights of the DNSBL based on your own mail traffic.
You should also remove any white/blacklist DNS checks in your smtpd_recipient_restrictions because they should all be done by postscreen and you don’t want to do them more than once.
master.cf
The first line gets commented out, and the rest of them get uncommented. It should look like this.
1#smtp inet n - n - - smtpd
2smtp inet n - n - 1 postscreen
3smtpd pass - - n - - smtpd
4dnsblog unix - - n - 0 dnsblog
5tlsproxy unix - - n - 0 tlsproxy
Whole main.cf
Obtained with postconf -n
1address_verify_map = btree:$data_directory/verify_cache
2alias_maps = hash:/usr/local/etc/postfix/aliases
3command_directory = /usr/local/sbin
4compatibility_level = 3.6
5daemon_directory = /usr/local/libexec/postfix
6data_directory = /var/db/postfix
7debug_peer_level = 2
8debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
9html_directory = /usr/local/share/doc/postfix
10inet_protocols = ipv4, ipv6
11mail_owner = postfix
12mailq_path = /usr/local/bin/mailq
13manpage_directory = /usr/local/man
14maximal_queue_lifetime = 20d
15meta_directory = /usr/local/libexec/postfix
16mydestination = $myhostname, localhost.$mydomain, localhost
17myhostname = www.cryptomonkeys.com
18mynetworks = 127.0.0.0/24
19mynetworks_style = host
20newaliases_path = /usr/local/bin/newaliases
21postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr, cidr:$config_directory/postscreen_spf_whitelist.cidr
22postscreen_bare_newline_action = ignore
23postscreen_bare_newline_enable = yes
24postscreen_bare_newline_ttl = 1d
25postscreen_blacklist_action = drop
26postscreen_cache_cleanup_interval = 12h
27postscreen_cache_map = btree:$data_directory/postscreen_cache
28postscreen_cache_retention_time = 7d
29postscreen_disable_vrfy_command = $disable_vrfy_command
30postscreen_dnsbl_action = enforce
31postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org=127.0.0.[2..11]*2 bl.spameatingmonkey.net*2 bl.mailspike.net*2 bl.spamcop.net dnsbl.sorbs.net swl.spamhaus.org*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2 list.dnswl.orq=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.orq=127.[0..255].[0..255].[2..255]*-6
32postscreen_dnsbl_threshold = 3
33postscreen_dnsbl_ttl = 1h
34postscreen_dnsbl_whitelist_threshold = -2
35postscreen_greet_action = enforce
36postscreen_greet_banner = $smtpd_banner
37postscreen_greet_ttl = 1d
38postscreen_greet_wait = ${stress?2}${stress:6}s
39postscreen_helo_required = $smtpd_helo_required
40postscreen_non_smtp_command_action = enforce
41postscreen_non_smtp_command_enable = yes
42postscreen_non_smtp_command_ttl = 30d
43postscreen_pipelining_action = enforce
44postscreen_pipelining_enable = yes
45postscreen_whitelist_interfaces = static:all
46queue_directory = /var/spool/postfix
47readme_directory = /usr/local/share/doc/postfix
48relay_domains = hash:$config_directory/relaydomains
49relay_recipient_maps =
50sample_directory = /usr/local/etc/postfix
51sendmail_path = /usr/local/sbin/sendmail
52setgid_group = maildrop
53shlib_directory = /usr/local/lib/postfix
54smtp_tls_loglevel = 1
55smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
56smtp_tls_note_starttls_offer = yes
57smtp_tls_protocols = !SSLv2, !SSLv3
58smtp_tls_security_level = may
59smtp_use_tls = yes
60smtpd_banner = $myhostname ESMTP Sendmail 8.10 (Solaris 2.6)
61smtpd_client_connection_count_limit = 5
62smtpd_client_connection_rate_limit = 10
63smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
64smtpd_error_sleep_time = 0
65smtpd_hard_error_limit = 10
66smtpd_helo_required = yes
67smtpd_recipient_limit = 50
68smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_client, warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_hostname, reject_unverified_recipient, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_unknown_hostname, warn_if_reject reject_unauth_destination, permit
69smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
70smtpd_sender_restrictions = warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_unknown_client, warn_if_reject reject_unknown_sender_domain, permit
71smtpd_soft_error_limit = 5
72smtpd_timeout = 30s
73smtpd_tls_CAfile = $config_directory/tls/cacert.pem
74smtpd_tls_auth_only = yes
75smtpd_tls_cert_file = $config_directory/tls/server.crt
76smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
77smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
78smtpd_tls_eecdh_grade = strong
79smtpd_tls_key_file = $config_directory/tls/server.key
80smtpd_tls_loglevel = 1
81smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
82smtpd_tls_protocols = !SSLv2, !SSLv3
83smtpd_tls_received_header = yes
84smtpd_tls_security_level = may
85smtpd_tls_session_cache_timeout = 3600s
86smtpd_use_tls = yes
87tls_eecdh_strong_curve = prime256v1
88tls_eecdh_ultra_curve = secp384r1
89tls_random_source = dev:/dev/random
90transport_maps = hash:$config_directory/transport
91unknown_local_recipient_reject_code = 550
Whole master.cf
I’ve removed any lines that are comments
1smtp inet n - n - 1 postscreen
2smtpd pass - - n - - smtpd
3dnsblog unix - - n - 0 dnsblog
4tlsproxy unix - - n - 0 tlsproxy
5smtps inet n - n - - smtpd
6 -o syslog_name=postfix/smtps
7 -o smtpd_tls_wrappermode=yes
8 -o milter_macro_daemon_name=ORIGINATING
9pickup unix n - n 60 1 pickup
10cleanup unix n - n - 0 cleanup
11qmgr unix n - n 300 1 qmgr
12tlsmgr unix - - n 1000? 1 tlsmgr
13rewrite unix - - n - - trivial-rewrite
14bounce unix - - n - 0 bounce
15defer unix - - n - 0 bounce
16trace unix - - n - 0 bounce
17verify unix - - n - 1 verify
18flush unix n - n 1000? 0 flush
19proxymap unix - - n - - proxymap
20proxywrite unix - - n - 1 proxymap
21smtp unix - - n - - smtp
22relay unix - - n - - smtp
23 -o syslog_name=postfix/$service_name
24showq unix n - n - - showq
25error unix - - n - - error
26retry unix - - n - - error
27discard unix - - n - - discard
28local unix - n n - - local
29virtual unix - n n - - virtual
30lmtp unix - - n - - lmtp
31anvil unix - - n - 1 anvil
32scache unix - - n - 1 scache
33postlog unix-dgram n - n - 1 postlogd
Comments