Difference between revisions of "Linux: Postfix with a remote SMTP relay host"
Lukas Dzunko (talk | contribs) (→regular expression rewrite rule) |
Lukas Dzunko (talk | contribs) (→regular expression rewrite rule) |
||
Line 69: | Line 69: | ||
==== regular expression rewrite rule ==== | ==== regular expression rewrite rule ==== | ||
− | Sender and also recipient can be rewritten using regular expression or by simple combination of key:value. During mail delivery postfix examine file line by line and if match is found then address from this line is used. Configuration type <code>regexp</code> is read by postfix directly so it is not necessary to create binary representation via command postmap. | + | Sender and also recipient can be rewritten using regular expression or by simple combination of key:value. During mail delivery postfix examine file line by line and if match is found then address from this line is used. Configuration type <code>regexp</code> is read by postfix directly so it is not necessary to create binary representation via command <code>postmap</code>. |
+ | <pre> | ||
+ | sender_canonical_maps = regexp:/etc/postfix/sender_map | ||
+ | </pre> | ||
+ | Content of the file is in format: | ||
+ | <pre> | ||
+ | /regular_expression/ rewrite_target | ||
+ | </pre> | ||
+ | '''Note:''' I don't recommend following configuration. | ||
+ | <pre> | ||
+ | /.*/ user@example.com | ||
− | + | or | |
− | |||
− | |||
− | |||
− | |||
/.+/ user@example.com | /.+/ user@example.com | ||
− | + | </pre> | |
− | /. | + | Both of them rewrite also <code>postmaster</code> and "empty" source used for bounce message. If you would like to use such a configuration then make sure that system accounts (postmaster, double-bounce, root, etc.) are in configuration so you will not end up with bounce loop. |
=== Secure postfix === | === Secure postfix === |
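Review bot: the added note after the `/.*/` and `/.+/` sample says system accounts (postmaster, double-bounce, root, etc.) must be "in configuration" but never shows what such an entry looks like or where it goes. Since the paragraph above says the file is examined line by line and the address from the matching line is used, say explicitly that these entries must come before the catch-all line, and add one sample line in the `/regular_expression/ rewrite_target` format.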
Latest revision as of 16:30, 14 November 2013
This is a short guide on how to set up postfix to use another server as an email relay. Most of the dynamic IP addresses assigned to broadband (home) networks are blacklisted. This is desired behavior, as users should use an email service instead of direct email delivery. If you are using a server or Linux box to send notifications from local services, you may have problems delivering such notifications. Postfix configuration is flexible, and it is possible to configure it to act as a "user" that authenticates with a user name and password. Once postfix is authenticated on the relay host, it is possible to send emails through it. Here is an example of how to configure postfix in this way:
You should have postfix running. It should be installed with the options sasl and ssl enabled. I don't cover the installation itself here.
To configure postfix, set the following options in /etc/postfix/main.cf, either by editing the configuration file or with postconf:
- by editing:
relayhost = mail.example.com:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
- via command:
postconf -e 'relayhost = mail.example.com:587'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
Description of configuration:
- relayhost - DNS name (or IP) used for client connection on remote server
- smtp_use_tls - enable TLS/SSL connection to remote servers
- smtp_sasl_auth_enable - SASL authentication to remote SMTP server (e.g. client login)
- smtp_sasl_password_maps - map file with password
- smtp_tls_CAfile - list of CAs to trust
Syntax for the password file (/etc/postfix/sasl_passwd) is:
mail.example.com:587 user:password
Once this file is in place, access to it should be secured. I recommend root:root owner and 600 permissions.
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
Postfix accesses its files in binary form, so before restart it is necessary to convert the password file:
postmap /etc/postfix/sasl_passwd
The last step is to restart or reload postfix:
/etc/init.d/postfix restart
Sender email rewrite
If the relay host is configured properly and you are using client connection credentials, there is one problem. The email service provider should refuse to resend emails with different user details and envelope information. For example, if your email account is name.surname@example.com then email from root@home.net should be rejected. The reason is simple: clients should use their own email address, not the address of someone else.
Rewriting the sender/recipient address is really simple with postfix, but there is one catch. If you rewrite all source addresses, then the postmaster address is rewritten as well. In case of a delivery error, postfix tries to return the email to the source, which is the rewritten address. As the error message is handled in a similar way, its origin is also rewritten and the email is stuck in a bounce loop. To prevent this there are two possibilities.
static rewrite of sender and recipient
sender_canonical_maps = static:sender@example.com
recipient_canonical_maps = static:recipient@example.com
Each message will be rewritten to match one "source" address and delivered to one specific recipient. This is a good option if there is one recipient for all emails generated on the system. For example, I am using this configuration on my media PC. If there is some kind of problem then I would like to see it in my mailbox. This will also disable local delivery. If you would like to deliver notifications to several recipients depending on some condition, then check the second option.
regular expression rewrite rule
Sender and recipient can both be rewritten using a regular expression or a simple key:value combination. During mail delivery postfix examines the file line by line, and if a match is found then the address from that line is used. The configuration type regexp is read by postfix directly, so it is not necessary to create a binary representation with the postmap command.
sender_canonical_maps = regexp:/etc/postfix/sender_map
Content of the file is in format:
/regular_expression/ rewrite_target
Note: I don't recommend the following configuration.
/.*/ user@example.com
or
/.+/ user@example.com
Both of them also rewrite postmaster and the "empty" source used for bounce messages. If you would like to use such a configuration, make sure that system accounts (postmaster, double-bounce, root, etc.) are in the configuration so that you do not end up with a bounce loop.
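The catch-all problem described above can be checked before a map is deployed. The following is an added example, not part of the original page or of Postfix: it evaluates a regexp map in file order and reports which system accounts it would rewrite. The function names and the GUARDED sample map (which uses a negated pattern as one possible way to spare system accounts) are assumptions, and Python's `re` only approximates Postfix's regular expressions for simple patterns like these.

```python
import re

# Constructed sample maps in the /regular_expression/ rewrite_target format.
CATCH_ALL = "/.+/ user@example.com\n"   # the form the note above advises against
GUARDED = """\
# negated rule: rewrite everything EXCEPT the listed system accounts
!/^(postmaster|double-bounce|root)@/ user@example.com
"""
SYSTEM_ACCOUNTS = ("postmaster", "double-bounce", "root")

def parse_map(text):
    """Parse lines of the form  [!]/pattern/[flags] result  into rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(!?)/(.*)/([a-z]*)\s+(\S+)$", line)
        if not m:
            raise ValueError(f"unsupported map line: {line!r}")
        negate, pattern, flags, result = m.groups()
        # regexp tables match case-insensitively unless the "i" flag toggles it
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((bool(negate), re.compile(pattern, re_flags), result))
    return rules

def lookup(rules, address):
    """First rule that applies wins; None means the address is left alone."""
    for negate, regex, result in rules:
        if (regex.search(address) is None) == negate:
            return result  # $1-style substitution is not modelled here
    return None

def rewritten_system_accounts(map_text, domain="home.net"):
    """Return (address, rewritten) pairs for system accounts the map captures."""
    rules = parse_map(map_text)
    hits = []
    for local in SYSTEM_ACCOUNTS:
        address = f"{local}@{domain}"
        target = lookup(rules, address)
        if target is not None and target.lower() != address.lower():
            hits.append((address, target))
    return hits

if __name__ == "__main__":
    for name, text in (("catch-all", CATCH_ALL), ("guarded", GUARDED)):
        print(name, rewritten_system_accounts(text))
```

An empty result for a map means none of the listed system accounts would be rewritten by it; the live table can then be confirmed on the host with postmap -q.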
Secure postfix
To ensure that the postfix server is not misused, it is necessary to restrict access. A simple way to restrict access to the local host only is to set the following options:
inet_interfaces = localhost
mynetworks_style = host
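The relay settings at the top of the page and the restrictions in this section can be audited together. The following is an added example, not part of the original page: it flags a main.cf that sends SASL logins without mandatory TLS (smtp_use_tls = yes is opportunistic and falls back to an unencrypted session when STARTTLS is not offered), one that listens beyond localhost, and a password file readable by group or others. The function names, finding labels and the HARDENED sample are assumptions; continuation lines in main.cf are not handled.

```python
import os
import stat

# smtp_tls_security_level values that refuse to deliver without TLS
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

PAGE_CONFIG = """\
relayhost = mail.example.com:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""
# Constructed variant: "encrypt" requires TLS without checking the certificate;
# "verify" or "secure" would also validate it against smtp_tls_CAfile.
HARDENED = PAGE_CONFIG.replace(
    "smtp_use_tls = yes", "smtp_tls_security_level = encrypt"
) + "inet_interfaces = localhost\nmynetworks_style = host\n"

def parse_main_cf(text):
    """Return {parameter: value} from simple 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return finding labels for a relay-client configuration."""
    p, findings = parse_main_cf(text), []
    level = p.get("smtp_tls_security_level", "")
    # a non-empty security level overrides the older smtp_*_tls switches
    enforced = level in MANDATORY_TLS or (
        not level and p.get("smtp_enforce_tls") == "yes")
    if p.get("smtp_sasl_auth_enable") == "yes" and not enforced:
        findings.append("tls-not-mandatory")
    if p.get("inet_interfaces") not in ("localhost", "loopback-only"):
        findings.append("listens-beyond-localhost")  # unset means "all"
    return findings

def passwd_file_private(path):
    """True if the file grants no permissions to group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
```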