Postfix SMTP server

23 January,2022

Setting up Postfix

• Installing postfix

  apt install postfix

• The config files are present in /etc/postfix. There are mainly 2 files to edit main.cf and master.cf.
• main.cf is used for the general behaviour of the server such as authentication, userlookup etc.
• master.cf is used to configure the behaviour of individual ports and other restrictions.
• We will be using 2 ports - port 25 for receiving mails hence no authentication - port 587(submission port) for sending mail after authenticating over tls

Setting up TLS

• Certificates can be install from command line using certbot package.

  apt install certbot

• Run command certbot

  certbot

Configuring main.cf

• Attribute info can be found in postconf manpage

  man 5 postconf

TLS

• You can either enforce or use oppurtunistic tls.
  • encrypt - force the SMTP server to use tls
  • may - oppurtunistic, checks if other server can use TLS if not it wouldnt use TLS.

    smtpd_tls_security_level = encrypt smtpd_tls_manditory_ciphers = high smtpd_tls_loglevel = 1

• Authentication over tls only

  smtpd_tls_auth_only = yes

• Log hostname of remote server that offers starttls

  smtp_tls_note_starttls_offer = yes

• Can define which protocols, ciphers to use and not use.

  smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL

• Specify the location of TLS certificate(letsencypt in this example)

  smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem

Authentication

• Will be using Dovecot for authentication

  smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes

• Adds authenticated user in received message header

  smtpd_sasl_authenticated_header = yes

• Authentication over tls only

  smtpd_tls_auth_only = yes

SMTP Restrictions

• Restrictions while sending mail
  • The username and mail id must belong to the same user
  • Only allow authenticated senders

    smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated

• Relay restrictions

  smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

• Recipient restricitons

  smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, warn_if_reject reject_unknown_helo_hostname, warn_if_reject reject_unknown_reverse_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain

• Postfix Lookup Tables
  • These tables are used for user,mailbox lookup, vertification etc
  • Checks whether given userid exists in postfix local db and passes that info to dovecot

    virtual_alias_maps = ldap:/etc/postfixi/ldap/ldap_aliases.cf

  • Checks whether the uid and mail are of the same user

    smtpd_sender_login_maps = ldap:/etc/postfix/ldap/ldap_sender.cf

• Mail Delivery
  • Mail is delivered using dovecot LMTP

    mailbox_transport = lmtp:unix:private/dovecot-lmtp

• Additional configs
  • Disable VRFY command

    disable_vrfy_command = yes

  • Enforce server to send HELO command before MAIL command

    smtpd_helo_required = yes

  • DKIM keys, Rspamd and mail filters

    smtpd_milters = inet:localhost:8892 inet:localhost:11332 milter_default_action = accept non_smtpd_milters = $smtpd_milters milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

  • OpenDKIM
    • Installisation

      apt install opendkim opendkim-tools

    • Setting up keys

      opendkim-genkey -s "youselector" -d "yourdomain" --directory /etc/dkimkeys

    • Configure /etc/opendkim.conf after the key has been created.
  • Rspamd

end of main.cf

Configuring master.cf

• For port 25/smtp change the configuration to

  smtp inet n - y - - smtpd -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=no

• Port 587/submission must be uncommented and will look like this.

  submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_client_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

• Commented out arguments need not be deleted

end of master.cf

Lookup tables

• ldap_aliases.cf

  server_host = localhost:389 bind = yes bind_dn = cn=admin,dc=example,dc=in bind_pw = password

  search_base = ou=mail,dc=example,dc=in

  query_filter = (&(objectClass=inetOrgPerson)(mail=%s)) result_attribute = uid

• ldap_sender.cf

  server_host = localhost:389 bind = no search_base = ou=mail,dc=mrtsukimoto,dc=in query_filter = (&(oddbjectClass=qmailUser)(mail=%s)) result_attribute = uid

• After these files have been created we can create the local db using postmap command. These must be repeated after each update of the above files or any lookup table file or the changes wont take effect

  postmap /etc/postfix/ldap/ldap_aliases.cf postmap /etc/postfix/ldap/ldap_sender.cf

• You can check if these files give the desired output by using postmap command.

  postmap -q user@example.in ldap:/etc/postfix/ldap/ldap_aliases.cf

• the result will be the uid of user with the given email. similarly ldap_sender.cf can be checked too.