<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Postfix Small/Home Office Hints and Tips</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> </head> <body> <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Small/Home Office Hints and Tips</h1> <hr> <h2>Overview</h2> <p> This document combines hints and tips for "small office/home office" applications into one document so that they are easier to find. The text describes the mail sending side only. If your machine does not receive mail directly (i.e. it does not have its own Internet domain name and its own fixed IP address), then you will need a solution such as "fetchmail", which is outside the scope of the Postfix documentation. </p> <ul> <li> <p> Selected topics from the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> document: </p> <ul> <li><a href="#stand_alone">Postfix on a stand-alone Internet host</a> <li><a href="#fantasy">Postfix on hosts without a real Internet hostname</a> </ul> <p> Selected topics from the <a href="SASL_README.html">SASL_README</a> document: </p> <ul> <li><a href="#client_sasl_enable">Enabling SASL authentication in the Postfix SMTP client</a></li> <li><a href="#client_sasl_sender">Configuring Sender-Dependent SASL authentication </a></li> </ul> </ul> <p> See the <a href="SASL_README.html">SASL_README</a> and <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents for further information on these topics. </p> <h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2> <p> Postfix should work out of the box without change on a stand-alone machine that has direct Internet access. At least, that is how Postfix installs when you download the Postfix source code via <a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p> <p> You can use the command "<b>postconf -n</b>" to find out what settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname settings, few parameters should be set on a stand-alone box, beyond what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: # Optional: send mail as user@domainname instead of user@hostname. #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> # Optional: specify NAT/proxy external address. #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 # Alternative 1: don't relay mail from other hosts. <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host <a href="postconf.5.html#relay_domains">relay_domains</a> = # Alternative 2: relay mail from local clients only. # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28 # <a href="postconf.5.html#relay_domains">relay_domains</a> = </pre> </blockquote> <p> See also the section "<a href="#fantasy">Postfix on hosts without a real Internet hostname</a>" if this is applicable to your configuration. </p> <h2><a name="fantasy">Postfix on hosts without a real Internet hostname</a></h2> <p> This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names. </p> <p> Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p> <h3>Solution 1: Postfix version 2.2 and later </h3> <p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine. </p> <p> The following example presents additional configuration. You need to combine this with basic configuration information as discussed the first half of this document. </p> <blockquote> <pre> 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 2 <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = hash:/etc/postfix/generic 3 4 /etc/postfix/generic: 5 his@localdomain.local hisaccount@hisisp.example 6 her@localdomain.local heraccount@herisp.example 7 @localdomain.local hisaccount+local@hisisp.example </pre> </blockquote> <p> When mail is sent to a remote host via SMTP: </p> <ul> <li> <p> Line 5 replaces <i>his@localdomain.local</i> by his ISP mail address, </p> <li> <p> Line 6 replaces <i>her@localdomain.local</i> by her ISP mail address, and </p> <li> <p> Line 7 replaces other local addresses by his ISP account, with an address extension of +<i>local</i> (this example assumes that the ISP supports "+" style address extensions). </p> </ul> <p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses <b>dbm</b> files instead of <b>db</b> files. To find out what lookup tables Postfix supports, use the command "<b>postconf -m</b>". </p> <p> Execute the command "<b>postmap /etc/postfix/generic</b>" whenever you change the generic table. </p> <h3>Solution 2: Postfix version 2.1 and earlier </h3> <p> The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.</p> <p> The following example presents additional configuration. You need to combine this with basic configuration information as discussed the first half of this document. </p> <blockquote> <pre> 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 2 <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain 3 <a href="postconf.5.html#mydomain">mydomain</a> = localdomain 4 5 <a href="postconf.5.html#canonical_maps">canonical_maps</a> = hash:/etc/postfix/canonical 6 7 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual 8 9 /etc/postfix/canonical: 10 your-login-name your-account@your-isp.com 11 12 /etc/postfix/virtual: 13 your-account@your-isp.com your-login-name </pre> </blockquote> <p> Translation: </p> <ul> <li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain names that are guaranteed not to be owned by anyone. </p> <li> <p> Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required. </p> <li> <p> Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient. </ul> <p>Specify <b>dbm</b> instead of <b>hash</b> if your system uses <b>dbm</b> files instead of <b>db</b> files. To find out what lookup tables Postfix supports, use the command "<b>postconf -m</b>". </p> <p> Execute the command "<b>postmap /etc/postfix/canonical</b>" whenever you change the canonical table. </p> <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" whenever you change the virtual table. </p> <h2><a name="client_sasl_enable">Enabling SASL authentication in the Postfix SMTP/LMTP client</a></h2> <p> This section shows a typical scenario where the Postfix SMTP client sends all messages via a mail gateway server that requires SASL authentication. </p> <blockquote> <strong> Trouble solving tips: </strong> <ul> <li> <p> If your SASL logins fail with "SASL authentication failure: No worthy mechs found" in the mail logfile, then see the section "<a href="SASL_README.html#client_sasl_policy">Postfix SMTP/LMTP client policy - SASL mechanism <em>properties</em></a>". <li> <p> For a solution to a more obscure class of SASL authentication failures, see "<a href="SASL_README.html#client_sasl_filter">Postfix SMTP/LMTP client policy - SASL mechanism <em>names</em></a>". </ul> </blockquote> <p> To make the example more readable we introduce it in two parts. The first part takes care of the basic configuration, while the second part sets up the username/password information. </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] # Alternative form: # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = hash:/etc/postfix/sasl_passwd </pre> </blockquote> <ul> <li> <p> The <code><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a></code> setting enables client-side authentication. We will configure the client's username and password information in the second part of the example. </p> </li> <li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting forces the Postfix SMTP to send all remote messages to the specified mail server instead of trying to deliver them directly to their destination. </p> </li> <li> <p> In the <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting, the "<code>[</code>" and "<code>]</code>" prevent the Postfix SMTP client from looking up MX (mail exchanger) records for the enclosed name. </p> </li> <li> <p> The <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination may also specify a non-default TCP port. For example, the alternative form <code>[mail.isp.example]:submission</code> tells Postfix to connect to TCP network port 587, which is reserved for email client applications. </p> </li> <li> <p> The Postfix SMTP client is compatible with SMTP servers that use the non-standard "<code>AUTH=<em>method.</em>...</code>" syntax in response to the EHLO command; this requires no additional Postfix client configuration. </p> </li> <li> <p> The Postfix SMTP client does not support the obsolete "wrappermode" protocol, which uses TCP port <code>465</code> on the SMTP server. See <a href="TLS_README.html">TLS_README</a> for a solution that uses the <code>stunnel</code> command. </p> </li> <li> <p> With the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> parameter, we configure the Postfix SMTP client to send username and password information to the mail gateway server. As discussed in the next section, the Postfix SMTP client supports multiple ISP accounts. For this reason the username and password are stored in a table that contains one username/password combination for each mail gateway server. </p> </ul> <blockquote> <pre> /etc/postfix/sasl_passwd: # destination credentials [mail.isp.example] username:password # Alternative form: # [mail.isp.example]:submission username:password </pre> </blockquote> <blockquote> <strong>Important</strong> <p> Keep the SASL client password file in <code>/etc/postfix</code>, and make the file read+write only for <code>root</code> to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords. It opens the file as user <code>root</code> before it drops privileges, and before entering an optional chroot jail. </p> </blockquote> <ul> <li> <p> Use the <code>postmap</code> command whenever you change the <code>/etc/postfix/sasl_passwd</code> file. </p> </li> <li> <p> If you specify the "<code>[</code>" and "<code>]</code>" in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li> <li> <p> If you specify a non-default TCP Port (such as "<code>:submission</code>" or "<code>:587</code>") in the <code><a href="postconf.5.html#relayhost">relayhost</a></code> destination, then you must use the same form in the <code><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a></code> file. </p> </li> </ul> <h2><a name="client_sasl_sender">Configuring Sender-Dependent SASL authentication</a></h2> <p> Postfix supports different ISP accounts for different sender addresses (version 2.3 and later). This can be useful when one person uses the same machine for work and for personal use, or when people with different ISP accounts share the same Postfix server. </p> <p> To make this possible, Postfix supports per-sender SASL passwords and per-sender relay hosts. In the example below, the Postfix SMTP client will search the SASL password file by sender address before it searches that same file by destination. Likewise, the Postfix <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon will search the per-sender <a href="postconf.5.html#relayhost">relayhost</a> file, and use the default <code><a href="postconf.5.html#relayhost">relayhost</a></code> setting only as a final resort. </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> = yes <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> = hash:/etc/postfix/sender_relay <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = hash:/etc/postfix/sasl_passwd <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example] # Alternative form: # <a href="postconf.5.html#relayhost">relayhost</a> = [mail.isp.example]:submission </pre> </blockquote> <blockquote> <pre> /etc/postfix/sasl_passwd: # Per-sender authentication; see also /etc/postfix/sender_relay. user1@example.com username2:password2 user2@example.net username2:password2 # Login information for the default <a href="postconf.5.html#relayhost">relayhost</a>. [mail.isp.example] username:password # Alternative form: # [mail.isp.example]:submission username:password </pre> </blockquote> <blockquote> <pre> /etc/postfix/sender_relay: # Per-sender provider; see also /etc/postfix/sasl_passwd. user1@example.com [mail.example.com]:submission user2@example.net [mail.example.net] </pre> </blockquote> <ul> <li> <p> If you are creative, then you can try to combine the two tables into one single MySQL database, and configure different Postfix queries to extract the appropriate information. </p> <li> <p> Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". </p> <li> <p> Execute the command "postmap /etc/postfix/sasl_passwd" whenever you change the sasl_passwd table. </p> <li> <p> Execute the command "postmap /etc/postfix/sender_relay" whenever you change the sender_relay table. </p> </ul> </body> </html>