Basic settings in the Postfix main.cf file

Last updated on: 2015-12-29
Authored by: Rackspace Support

After you have installed Postfix, you can work with settings in the main.cf file to further configure Postfix.

Note: This article assumes that you are using a single domain for your email needs.

Modular nature of Postfix

One of the key aspects of Postfix is that it is designed to be a modular package. The base installation itself is fairly small, and the vast majority of the “usual” mail administration, such as anti-spam and anti-virus, is actually conducted by third-party packages like SpamAssassin. You can begin to see the modular nature of Postfix when you look at the main.cf file. Many settings refer to other files on the server.
PostfixAdmin is free software. The last change that required a Postfix configuration change was the introduction of alias domains in PostfixAdmin 2.3. Basic Postfix configuration and preparation for SMTP AUTH. Postfix main configuration is done in /etc/postfix/main.cf. Use your favorite editor to edit the file.
This setup can seem slightly confusing at first, and your initial reaction might be to hard code the data rather than reference another file with a single word in it. However, we recommend retaining the modularity of Postfix and editing multiple files for what might seem like simple settings. Such modularity will be useful when you start adding multiple domains, users, and aliases to your setup.
The main.cf file

To see the main.cf file, issue the following command:

    sudo nano /etc/postfix/main.cf

The file consists of basically three sections. The first section includes several settings such as the smtpd_banner and biff parameters. The second section has settings for TLS parameters. This article focuses on the last section, which looks as follows on the democloud server:

    myhostname = mail.democloud.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.democloud.com, localhost.democloud.com,, localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

Note: Some of the settings already have the host name from the base Postfix installation.
Although some of the settings might be self-explanatory, the following sections describe them so that you can get a better understanding of Postfix and what you can do with it.

Myhostname

The myhostname value was set during the Postfix installation when you entered the domain name that you want to use. This name also matches the cloud server host name.

Aliases

Aliases provide a method for delivering mail to different users without having to set up dozens of different accounts. The default settings in the main.cf reference another file:

    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases

Open that file, as follows:

    sudo nano /etc/aliases

The file shows a list of names followed by root. Mail delivered to the first name is actually delivered to the second name. You do not need to set up the postmaster, news, webmaster, abuse, and other users for Postfix because mail delivered to those names is sent to root.
Using the same syntax, you can have all mail for root delivered to the admin user by adding the following line (demo is the main admin user for the democloud server):

    root: demo

As a result, the delivery destination would change as follows:

• Mail sent to mailer-daemon is sent to postmaster.
• Mail to postmaster is sent to root.
• Mail sent to root is sent to the main admin user demo.

You can adjust the aliases as you see fit, but instead of changing all the root users in the file, it is easier to add the one line as shown. Adding that line also makes future migration and administration easier. After you change the aliases file, you must refresh the aliases database for any changes to occur. Use the following command:

    sudo newaliases

myorigin

Internal emails from packages such as cron jobs do not supply full mail credentials; they use the myorigin setting instead.
As such, you need to set this parameter to the main host name of the server. By default, the setting refers to the /etc/mailname file. To look at the contents, run the following command:

    cat /etc/mailname

Example output for the democloud server is as follows:

    mail.democloud.com

However, you can also set myorigin by using $mydomain in the main.cf file, as follows:

    myorigin = $mydomain

Although you haven’t specifically set the $mydomain variable, Postfix gets the information from the myhostname setting, parsing the host name to gain the main domain name. Setting the myorigin parameter this way allows for easier administration at a later date because only one setting (myhostname) needs to change.
All the other parameters take the change from that.

Mydestination

Although you have not yet set the server to receive mail, the mydestination parameter defines the domains for which the server will accept mail. The default looks as follows:

    mydestination = mail.democloud.com, localhost.democloud.com,, localhost

The default is adequate when you are setting up mail for a single domain. However, as with the myorigin setting, you can reduce future administration by using the $mydomain variable as follows:

    mydestination = $mydomain, localhost.$mydomain, localhost

relayhost

For the setup in this series of articles, you do not need this setting. You can leave it blank.

Mynetworks

The mynetworks parameter defines the network to use.
The default value includes IPv6 settings, which you can remove. The remaining value looks as follows:

    mynetworks = 127.0.0.0/8

The rest

You can use the default values for the remaining settings. They are relevant for more complex configurations.
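The following added example (not part of the original article or of Postfix) parses a main.cf fragment, derives $mydomain from myhostname the way the myorigin section describes, and lists any mynetworks entries that extend trust beyond the local host. The sample file is constructed, the function names are hypothetical, and mynetworks is assumed to contain only CIDR entries (no file or table lookups).

```python
import ipaddress
import re

# Constructed sample: the page's main.cf section in its $mydomain form, with
# one extra, deliberately broad mynetworks entry (10.0.0.0/8) to be flagged.
SAMPLE_MAIN_CF = """\
myhostname = mail.democloud.com
myorigin = $mydomain
mydestination = $mydomain, localhost.$mydomain,
    localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def expand(params, name):
    """Expand $var and ${var}; mydomain defaults to myhostname minus its first label."""
    values = dict(params)
    if "mydomain" not in values and "." in values.get("myhostname", ""):
        values["mydomain"] = values["myhostname"].split(".", 1)[1]
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))",
                  lambda m: expand(values, m.group(1) or m.group(2)),
                  values.get(name, ""))

def split_list(value):
    """Split a list-valued parameter on commas and whitespace, dropping empty items."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def is_loopback_only(entry):
    """True if a CIDR entry from mynetworks covers loopback addresses only."""
    net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    mapped = getattr(net.network_address, "ipv4_mapped", None)
    if mapped is not None:  # IPv4-mapped form such as [::ffff:127.0.0.0]/104
        return mapped.is_loopback and net.prefixlen >= 104
    return net.is_loopback

def non_loopback_networks(params):
    """Return the mynetworks entries that trust clients beyond the local host."""
    return [e for e in split_list(expand(params, "mynetworks")) if not is_loopback_only(e)]
```

Clients inside mynetworks are treated as trusted by Postfix, so every entry this check reports deserves a deliberate decision.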
If you built the RPMs, you may wonder why we check for TLS support. This section also applies to non-RPM configurations and to people who might just jump in on this HOWTO. Anyway, it's a good exercise. You'll find out how to query binaries for the libraries they support. In our HOWTO the smtpd daemon is in /usr/libexec/postfix/.

When a TLS connection is being established, the host establishing the connection has to validate itself.
This is because someone else could hijack the connection and establish an encrypted connection. The remote host probably wouldn't notice and would pass sensitive information. Therefore certificates are used to provide unique information that proves that the host encrypting the communication really is the host your client wants to talk to. You are right when you argue that anyone, even a hostile server, could issue a certificate, if it wasn't for that little detail we left out: each certificate that is issued provides information about an authority that will validate the cert when a TLS connection is established. Now that you understand the concept, you'll understand what we need.

Note: The following information was written for RedHat 7.x users. If you run a different version or distribution, your mileage may vary.
On RedHat machines OpenSSL has its configuration file for creating certs in /usr/share/ssl. So we go there and edit that file first, as it carries the default values that will be offered to us later. You can skip this section, but don't complain when you mistype your values and must start the whole script again. ;-)

    [root@example.com]# cd /usr/share/ssl/
    [root@example.com]# vi openssl.cnf

Edit countryName_default and 0.organizationName_default and provide values that make sense for your setting. This HOWTO will use Germany (DE) and HOWTO as values.

    countryName_default = DE
    0.organizationName_default = HOWTO

Then uncomment organizationalUnitName_default and add a value. We will use Mail server in this HOWTO.
    organizationalUnitName_default = Mailserver

Add the lines commonName_default (must be the name of your mail server!) and emailAddress_default and provide values specific to your setting. Our mail server's hostname is mail.example.com and postmaster@example.com is in charge.

    commonName_default = mail.example.com
    emailAddress_default = postmaster@example.com

That's it, and it will save us a lot of typing as we will build more than one cert. Save the file and read on, as we will have to edit yet another file.

Consider this: Usually certs are encrypted.
That's a good idea when you carry them with you and the disc you have them on gets lost. It won't be of any use to the finder unless that person also knows your secret passphrase. But if you don't take it with you and leave it on a server instead, this feature can become a real problem for the availability of your service. Any time you restart the server and the server wants to get its hands on the cert, the cert wants to be given the secret passphrase, and the server hangs there waiting to pass that task on its start list. And it waits and waits and waits. Until you enter the secret passphrase at the command prompt. The bottom line is: No passphrase, no service.
So we will not create certs with secret passphrases, as we will not always be available when the server needs to be restarted or starts itself, say after a power failure. In order to have certs that aren't encrypted, we will have to add a parameter to the script that we run when we create a cert. So let's cd to the directory that holds the script and create a backup first before we edit it.

    [root@example.com]# cd misc/
    [root@example.com]# cp CA CA_nodes
    [root@example.com]# edit CA_nodes

Note: The script is named either CA or CA.pl. This depends on your RedHat distribution. Both scripts will help you generate certs.
Search for "# create a certificate" and add -nodes to the line below it that begins with $REQ. When you're done with this, search for "# create a certificate request" and do the same again. When you're done, it should look like this:

    -newcert)
        # create a certificate
        $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
        RET=$?
        echo 'Certificate (and private key) is in newreq.pem'
        ;;
    -newreq)
        # create a certificate request
        $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
        RET=$?
        echo 'Request (and private key) is in newreq.pem'
        ;;

That's it for preparations. Let's create the certs.
The first cert we will create is the Authority cert. We do this by calling the CA script and telling it that we want it to create a new CA:

    [root@example.com]# ./CA_nodes -newca
    CA certificate filename (or enter to create)

    MAKING CA CERTIFICATE.
    Using configuration from /usr/share/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ..++++++
    ...++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Germany]:
    Locality Name (eg, city) []:Munich
    Organization Name (eg, company) [ExampleOrganisation]:
    Organizational Unit Name (eg, section) [Mailserver]:
    Common Name (eg, your name or your server's hostname) [mail.example.com]:
    Email Address [postmaster@example.com]:

Then we will create the server cert request that will be signed by the CA Authority:

    [root@example.com]# ./CA_nodes -newreq
    Using configuration from /usr/share/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ...++++++
    ..++++++
    writing new private key to 'newreq.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Germany]:
    Locality Name (eg, city) []:Munich
    Organization Name (eg, company) [ExampleOrganisation]:
    Organizational Unit Name (eg, section) [Mailserver]:
    Common Name (eg, your name or your server's hostname) [mail.example.com]:
    Email Address [postmaster@example.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:certpass
    An optional company name []:
    Request (and private key) is in newreq.pem

Next we will check if we can initiate a TLS session. We telnet to the server and check if the string STARTTLS shows up when Postfix advertises its capabilities.
Then we simply type in STARTTLS and wait for Postfix to respond that it is ready to start TLS. This is what a successful telnet session should look like:

    C: [root@example.com]# telnet mail.example.com 25
    S: 220 mail.example.com ESMTP Postfix (1.1.5)
    C: EHLO example.com
    S: 250-mail.example.com
    S: 250-PIPELINING
    S: 250-SIZE 10240000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
    S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
    S: 250-XVERP
    S: 250 8BITMIME
    C: STARTTLS
    S: 220 Ready to start TLS

So Postfix advertises TLS and it can start a session. Time to go for the full experience and configure a mail client.

We edited main.cf, so we must tell Postfix.
So we reload it.

    [root@example.com]# postfix reload

Now when we send messages to the server, SMTP AUTH will only be offered after the TLS layer has been established.
You can see that when you telnet to the server. The AUTH announcement is gone, and yet a mail client can still relay using SMTP AUTH.

    C: [root@example.com]# telnet mail.example.com 25
    S: 220 mail.example.com ESMTP Postfix (1.1.5)
    C: EHLO example.com
    S: 250-mail.example.com
    S: 250-PIPELINING
    S: 250-SIZE 10240000
    S: 250-VRFY
    S: 250-ETRN
    S: 250-STARTTLS
    S: 250-XVERP
    S: 250 8BITMIME
    C: STARTTLS
    S: 220 Ready to start TLS

That's it.
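The manual telnet check above can be automated. This added example (not part of the original HOWTO) parses the server's reply to EHLO and reports whether AUTH is still advertised before STARTTLS; the input is constructed from the two sessions shown on this page, and the function names are hypothetical.

```python
# Constructed input: the server's reply to EHLO from the first telnet session.
BEFORE = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-XVERP
250 8BITMIME
"""
# The second session is identical except that both AUTH lines are gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "AUTH" not in l)

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself, base64-encoded

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply to EHLO."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    caps = {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep != ("-" if i < len(lines) - 1 else " "):
            raise ValueError("not a well-formed 250 EHLO reply: %r" % line)
        if i == 0 or not rest.strip():
            continue  # the first line carries the server's domain, not a capability
        words = rest.split()
        keyword, _, first = words[0].partition("=")  # legacy "AUTH=PLAIN ..." form
        params = caps.setdefault(keyword.upper(), [])
        for param in ([first] if first else []) + words[1:]:
            if param.upper() not in params:
                params.append(param.upper())
    return caps

def cleartext_findings(reply):
    """Audit the capabilities a server advertises before STARTTLS."""
    caps = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    if "AUTH" in caps:
        findings.append("AUTH advertised before STARTTLS: " + " ".join(caps["AUTH"]))
        exposed = [m for m in caps["AUTH"] if m in PLAINTEXT_MECHS]
        if exposed:
            findings.append("plaintext mechanisms usable without TLS: " + " ".join(exposed))
    return findings
```

An empty result for the pre-TLS reply is the state the reload above is meant to produce.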