old-www/HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO/postfix-config.html

<HTML
><HEAD
><TITLE
>Configuring Postfix</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Postfix-Cyrus-Web-cyradm-HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Configuring PAM"
HREF="pam-config.html"><LINK
REL="NEXT"
TITLE="Configuring Cyrus IMAP"
HREF="cyrus-config.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Postfix-Cyrus-Web-cyradm-HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="pam-config.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="cyrus-config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="POSTFIX-CONFIG"
></A
>6. Configuring Postfix</H1
><P
>Postfix needs two major config files: <TT
CLASS="FILENAME"
>main.cf</TT
> and <TT
CLASS="FILENAME"
>master.cf</TT
>. 
	Both need your attention.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="POSTFIX-MASTER"
></A
>6.1. master.cf</H2
><P
>You need to change just one line:</P
><P
>old: </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}</PRE
></FONT
></TD
></TR
></TABLE
><P
>new: </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}</PRE
></FONT
></TD
></TR
></TABLE
><P
>	What does that change affect?
	</P
><P
>	A look to the cyrus man-pages <B
CLASS="COMMAND"
>man deliver </B
>clears up that issue:
	</P
><P
>	The Postfix default setup uses a wrong path to cyrus deliver, this is the first change.
	The parameter <20>-r<> inserts a proper return path. Without that, mail rejected/retured by sieve will 
	be sent to the cyrus user at yourdomain.
	</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="POSTFIX-MAIN"
></A
>6.2. main.cf</H2
><P
>Here you need to change some more things like hostname, relaying, alias-lookups etc.</P
><P
>First change the hostname:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>myhostname = foo.bar.org</PRE
></FONT
></TD
></TR
></TABLE
><P
>mydestination</P
><P
>Here you have to put all domainnames that are local (corresponding to sendmail's 
<TT
CLASS="FILENAME"
>/etc/mail/sendmail.cw)</TT
>. If you have multiple domains, separate them with comma.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>mydestination = foo.bar.org, example.com, furchbar-grausam.ch, 
 whatever.domain.tld, mysql:/etc/postfix/mysql-mydestination.cf</PRE
></FONT
></TD
></TR
></TABLE
><P
>Relayhost</P
><P
>Here you define where to deliver outgoing mails. If you do not provide any host, mail is delivered directly 
to the destination smtp host. Usually your relayhosts are your internet service provider's smtp server.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net</PRE
></FONT
></TD
></TR
></TABLE
><P
>Mailtransport</P
><P
>Here you define how the mails accepted for local delivery should be handled. In your situation, mail should be 
delivered by the cyrus delivery program.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>mailbox_transport = cyrus</PRE
></FONT
></TD
></TR
></TABLE
><P
>At the end of file you need to add:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf</PRE
></FONT
></TD
></TR
></TABLE
><P
>If you don't want to have a overriding /etc/postfix/virtual, skip the hash entry</P
><P
>Outgoing addresses should be rewritten from test0002 at domain 
to user.name at virtualhost.com. This is important if you want to use a webmail interface.</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf </PRE
></FONT
></TD
></TR
></TABLE
><P
>Now you need to create the file <TT
CLASS="FILENAME"
>/etc/postfix/mysql-virtual.cf</TT
>: </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>#
# mysql config file for alias lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual

#
select_field = dest
where_field = alias
additional_conditions = and status = '1'</PRE
></FONT
></TD
></TR
></TABLE
><P
>The file <TT
CLASS="FILENAME"
>/etc/postfix/mysql-canonical.cf</TT
>:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
># mysql config file for canonical lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1</PRE
></FONT
></TD
></TR
></TABLE
><P
>Finally the file <TT
CLASS="FILENAME"
>/etc/postfix/mysql-mydestination.cf</TT
>:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
># mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = domain
#
select_field = domain_name
where_field = domain_name</PRE
></FONT
></TD
></TR
></TABLE
><P
>SMTP Authentication with SASL and PAM</P
><P
>Put the following in your <TT
CLASS="FILENAME"
>/etc/postfix/main.cf</TT
></P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes</PRE
></FONT
></TD
></TR
></TABLE
><P
>You also need to create the file <TT
CLASS="FILENAME"
>/usr/local/lib/sasl2/smtpd.conf</TT
> with
the following contents:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>pwcheck_method: saslauthd</PRE
></FONT
></TD
></TR
></TABLE
><P
>The next step is to tell postfix how to find the saslauthd socket:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>mv /var/run/sasl2 /var/run/sasl2-old
ln -s /var/run/saslauthd /var/run/sasl2</PRE
></FONT
></TD
></TR
></TABLE
><P
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="ANTISPAM"
></A
>6.3. Fighting against SPAM</H2
><P
>This section describes how to implement a basic SPAM protection setup with postfix. It does not use any external software like spamassassin, etc.</P
><P
>Postfix has some built-in filters that allow you to stop obvious SPAM attempts. In particular these are:</P
><P
></P
><UL
><LI
><P
>	smtpd_helo_required = yes
	</P
><P
>	This switch in <TT
CLASS="FILENAME"
>main.cf</TT
> means that SMTP clients connecting to your mail server must give 
	a <20>helo<6C> when connecting.
	</P
></LI
><LI
><P
>	smtpd_recipient_restrictions
	</P
><P
>This option in <TT
CLASS="FILENAME"
>main.cf</TT
> lets you define different rules on the handling the acceptance 
	of mail. The following example simply rejects all invalid sender and recipient data. 
	Additionally it defines how to lookup known spammers from online blacklists.
	</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            reject_unauth_destination,
            reject_rbl_client zombie.dnsbl.sorbs.net,
            reject_rbl_client relays.ordb.org,
            reject_rbl_client opm.blitzed.org,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl.spamhaus.org,
            permit</PRE
></FONT
></TD
></TR
></TABLE
><P
></P
></LI
><LI
><P
>mime_header_checks=pcre:/etc/postfix/body_checks</P
><P
>MIME header checks let you reject mail which contains malicious MIME content, i.e dangerous 
	attachments such as Windows executables. Create the file <TT
CLASS="FILENAME"
>/etc/postfix/body_checks</TT
>. 
	The following example rejects all mail that contains potentially dangerous attachments. 
	In my experience, using this example would filter out most of viruses delivered by e-mail. 
	In any event, a virus scanner should always be installed.
	</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>	/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/      REJECT  attachment type not allowed
	</PRE
></FONT
></TD
></TR
></TABLE
></LI
></UL
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="pam-config.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="cyrus-config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configuring PAM</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Configuring Cyrus IMAP</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>