Table of Contents for
Postfix: The Definitive Guide

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Postfix: The Definitive Guide by Kyle D. Dent Published by O'Reilly Media, Inc., 2003
  1. Postfix: The Definitive Guide
  2. Cover
  3. Postfix: The Definitive Guide
  4. Foreword
  5. Preface
  6. Audience
  7. Organization
  8. Conventions Used in This Book
  9. Comments and Questions
  10. Acknowledgments
  11. 1. Introduction
  12. 1.1. Postfix Origins and Philosophy
  13. 1.2. Email and the Internet
  14. 1.3. The Role of Postfix
  15. 1.4. Postfix Security
  16. 1.5. Additional Information and How to Obtain Postfix
  17. 2. Prerequisites
  18. 2.1. Unix Topics
  19. 2.2. Email Topics
  20. 3. Postfix Architecture
  21. 3.1. Postfix Components
  22. 3.2. How Messages Enter the Postfix System
  23. 3.3. The Postfix Queue
  24. 3.4. Mail Delivery
  25. 3.5. Tracing a Message Through Postfix
  26. 4. General Configuration and Administration
  27. 4.1. Starting Postfix the First Time
  28. 4.2. Configuration Files
  29. 4.3. Important Configuration Considerations
  30. 4.4. Administration
  31. 4.5. master.cf
  32. 4.6. Receiving Limits
  33. 4.7. Rewriting Addresses
  34. 4.8. chroot
  35. 4.9. Documentation
  36. 5. Queue Management
  37. 5.1. How qmgr Works
  38. 5.2. Queue Tools
  39. 6. Email and DNS
  40. 6.1. DNS Overview
  41. 6.2. Email Routing
  42. 6.3. Postfix and DNS
  43. 6.4. Common Problems
  44. 7. Local Delivery and POP/IMAP
  45. 7.1. Postfix Delivery Transports
  46. 7.2. Message Store Formats
  47. 7.3. Local Delivery
  48. 7.4. POP and IMAP
  49. 7.5. Local Mail Transfer Protocol
  50. 8. Hosting Multiple Domains
  51. 8.1. Shared Domains with System Accounts
  52. 8.2. Separate Domains with System Accounts
  53. 8.3. Separate Domains with Virtual Accounts
  54. 8.4. Separate Message Store
  55. 8.5. Delivery to Commands
  56. 9. Mail Relaying
  57. 9.1. Backup MX
  58. 9.2. Transport Maps
  59. 9.3. Inbound Mail Gateway
  60. 9.4. Outbound Mail Relay
  61. 9.5. UUCP, Fax, and Other Deliveries
  62. 10. Mailing Lists
  63. 10.1. Simple Mailing Lists
  64. 10.2. Mailing-List Managers
  65. 11. Blocking Unsolicited Bulk Email
  66. 11.1. The Nature of Spam
  67. 11.2. The Problem of Spam
  68. 11.3. Open Relays
  69. 11.4. Spam Detection
  70. 11.5. Anti-Spam Actions
  71. 11.6. Postfix Configuration
  72. 11.7. Client-Detection Rules
  73. 11.8. Strict Syntax Parameters
  74. 11.9. Content-Checking
  75. 11.10. Customized Restriction Classes
  76. 11.11. Postfix Anti-Spam Example
  77. 12. SASL Authentication
  78. 12.1. SASL Overview
  79. 12.2. Postfix and SASL
  80. 12.3. Configuring Postfix for SASL
  81. 12.4. Testing Your Authentication Configuration
  82. 12.5. SMTP Client Authentication
  83. 13. Transport Layer Security
  84. 13.1. Postfix and TLS
  85. 13.2. TLS Certificates
  86. 14. Content Filtering
  87. 14.1. Command-Based Filtering
  88. 14.2. Daemon-Based Filtering
  89. 14.3. Other Considerations
  90. 15. External Databases
  91. 15.1. MySQL
  92. 15.2. LDAP
  93. A. Configuration Parameters
  94. A.1. Postfix Parameter Reference
  95. 2bounce_notice_recipient
  96. access_map_reject_code
  97. alias_maps
  98. allow_mail_to_files
  99. allow_percent_hack
  100. alternate_config_directories
  101. append_at_myorigin
  102. authorized_verp_clients
  103. berkeley_db_read_buffer_size
  104. biff
  105. body_checks_size_limit
  106. bounce_service_name
  107. canonical_maps
  108. command_directory
  109. command_time_limit
  110. content_filter
  111. daemon_timeout
  112. debug_peer_list
  113. default_destination_concurrency_limit
  114. default_extra_recipient_limit
  115. default_process_limit
  116. default_recipient_limit
  117. default_verp_delimiters
  118. defer_service_name
  119. delay_notice_recipient
  120. deliver_lock_attempts
  121. disable_dns_lookups
  122. disable_mime_output_conversion
  123. disable_vrfy_command
  124. double_bounce_sender
  125. empty_address_recipient
  126. error_service_name
  127. export_environment
  128. fallback_relay
  129. fast_flush_domains
  130. fast_flush_refresh_time
  131. fork_attempts
  132. forward_expansion_filter
  133. hash_queue_depth
  134. header_address_token_limit
  135. header_size_limit
  136. home_mailbox
  137. ignore_mx_lookup_error
  138. in_flow_delay
  139. initial_destination_concurrency
  140. ipc_idle
  141. line_length_limit
  142. lmtp_connect_timeout
  143. lmtp_data_init_timeout
  144. lmtp_lhlo_timeout
  145. lmtp_quit_timeout
  146. lmtp_rset_timeout
  147. lmtp_tcp_port
  148. local_destination_concurrency_limit
  149. local_recipient_maps
  150. luser_relay
  151. mail_owner
  152. mail_spool_directory
  153. mailbox_command
  154. mailbox_delivery_lock
  155. mailbox_transport
  156. manpage_directory
  157. masquerade_domains
  158. max_idle
  159. maximal_backoff_time
  160. message_size_limit
  161. mime_header_checks
  162. minimal_backoff_time
  163. mydomain
  164. mynetworks
  165. myorigin
  166. newaliases_path
  167. notify_classes
  168. parent_domain_matches_subdomains
  169. pickup_service_name
  170. process_id_directory
  171. proxy_interfaces
  172. qmgr_clog_warn_time
  173. qmgr_message_active_limit
  174. qmgr_message_recipient_minimum
  175. qmqpd_error_delay
  176. queue_directory
  177. queue_run_delay
  178. rbl_reply_maps
  179. recipient_canonical_maps
  180. reject_code
  181. relay_domains_reject_code
  182. relay_transport
  183. relocated_maps
  184. resolve_dequoted_address
  185. sample_directory
  186. sendmail_path
  187. setgid_group
  188. showq_service_name
  189. smtp_bind_address
  190. smtp_data_done_timeout
  191. smtp_data_xfer_timeout
  192. smtp_destination_recipient_limit
  193. smtp_helo_timeout
  194. smtp_mail_timeout
  195. smtp_pix_workaround_delay_time
  196. smtp_quit_timeout
  197. smtp_rcpt_timeout
  198. smtp_skip_5xx_greeting
  199. smtpd_banner
  200. smtpd_data_restrictions
  201. smtpd_error_sleep_time
  202. smtpd_expansion_filter
  203. smtpd_helo_required
  204. smtpd_history_flush_threshold
  205. smtpd_noop_commands
  206. smtpd_recipient_limit
  207. smtpd_restriction_classes
  208. smtpd_soft_error_limit
  209. soft_bounce
  210. strict_7bit_headers
  211. strict_8bitmime_body
  212. strict_rfc821_envelopes
  213. swap_bangpath
  214. syslog_name
  215. transport_retry_time
  216. undisclosed_recipients_header
  217. unknown_client_reject_code
  218. unknown_local_recipient_reject_code
  219. unknown_virtual_alias_reject_code
  220. verp_delimiter_filter
  221. virtual_alias_maps
  222. virtual_mailbox_base
  223. virtual_mailbox_limit
  224. virtual_mailbox_maps
  225. virtual_transport
  226. B. Postfix Commands
  227. C. Compiling and Installing Postfix
  228. C.1. Obtaining Postfix
  229. C.2. Postfix Compiling Primer
  230. C.3. Building Postfix
  231. C.4. Installation
  232. C.5. Compiling Add-on Packages
  233. C.6. Common Problems
  234. C.7. Wrapping Things Up
  235. D. Frequently Asked Questions
  236. Index
  237. About the Author
  238. Colophon
  239. Copyright

Configuring Postfix for SASL

Before you get started, decide on the authentication mechanisms you plan to support and the authentication framework you want SASL to use with Postfix.

Specifying a Framework

The SASL library uses a separate configuration file for each application it works with. Postfix uses a file named smtpd.conf for SASL purposes. This file is usually located at /usr/local/lib/sasl2/smtpd.conf. At a minimum, smtpd.conf contains a line indicating the framework to use. We are going to look at specifying either Unix passwords or separate SASL passwords for Postfix authentication. See the Cyrus documentation to see other options you might include in smtpd.conf.

Unix passwords

Often, it’s most convenient for SASL to use the existing system database to authenticate users. Historically, this meant using the /etc/passwd file. Today, it’s more likely that you use /etc/shadow, PAM, or some related authentication database. Since these passwords are not available to unprivileged processes, and Postfix purposely runs with limited privileges, it cannot normally authenticate users.

The Cyrus libraries deal with the problem by providing a special authentication server called saslauthd . It handles requests on behalf of Postfix. The saslauthd daemon requires superuser privileges; however, since it runs as a process distinct from Postfix and does not have to communicate outside of your network, the security impact is minimized. If you are going to use Unix passwords with SASL, you must run the saslauthd daemon that ships with the Cyrus distribution. Note that using Unix passwords with saslauthd limits you to plaintext passwords because the daemon needs the actual passwords to verify them. See Chapter 13 for using encryption between Postfix and email clients.

To specify that you want Postfix to use the saslauthd daemon for authentication, create the smtpd.conf with a line like the following:

pwcheck_method: saslauthd

saslauthd comes with the Cyrus SASL distribution and should be installed in a convenient location. The daemon must be running in the background for Postfix to use it to authenticate clients. When you start saslauthd , you tell it what type of password system you are using with the -a option. The most common options are pam, shadow, or getpwent (for the conventional /etc/passwd). For example, to start the daemon on a system that uses PAM for authentication, type the command:

# saslauthd -a pam

Consult the Cyrus documentation for other options when using saslauthd . Also, you probably want this daemon to start automatically at system initialization so that it is always available for your Postfix server. You can add saslauthd to your system’s startup processes in the same way you add other daemons such as Postfix.

SASL passwords

If you don’t want your mail server to use existing system accounts, you can create a separate database of users and passwords that is independent of the system password mechanism. You can create accounts for email users who have mail access only and will not be able to log into the host itself. Include the following line in your smtpd.conf file:

pwcheck_method: auxprop

The term auxprop comes from the Cyrus notion of auxiliary property plug-ins. Plug-ins allow you to insert external programs for authentication. The Cyrus SASL distribution ships with sasldb as the default auxiliary property plug-in and that should be all you need to work with Postfix. The keyword auxprop simply says to use an external SASL password file.

You do not have to run the saslauthd daemon when using SASL passwords, but you must create the external password file containing credentials for all of your email accounts. By default, the SASL username/password file is kept at /etc/sasldb2. The Postfix SMTP server needs at least read access to the file, and if you use the auto_transition feature of Cyrus SASL (see the Cyrus documentation), Postfix will also require write access to the file. If you don’t need the auto_transition feature, it’s best not to give Postfix write access to the password file.

If you have other processes that also need access to the file (such as a POP/IMAP server), you may have to adjust the ownership and permissions so all the processes that need it can access it. For example, you might want to create an sasl group on your system. Make sure that the postfix user and other accounts that need access to the file are all in that group. If any of the other processes need to update the file, then read-only is too restrictive and you’ll have to provide write access for the processes that need it. To set the permissions to 440, so that it is read-only and not generally readable by users on the system, type the following commands:

# chown postfix:sasl /etc/sasldb2
# chmod 440 /etc/sasldb2

To create accounts for your SMTP server, use the saslpasswd2 command included with the Cyrus SASL distribution. It stores accounts in /etc/sasldb2. You must specify both a username and an SASL domain. For Postfix the domain should be the value specified in the myhostname parameter. If you use the command postconf -h myhostname to determine your hostname, you can be sure you have the correct one. The following command creates an account for the user kdent:

# saslpasswd2 -c -u `postconf -h myhostname` kdent
Password: 
Again (for verification):

Enter the password twice, as prompted. The -c option tells saslpasswd2 to create the user account, and -u is used to specify the domain for this account, which you take directly from the Postfix configuration.

Configuring Postfix

All of the relevant Postfix parameters for SASL password authentication start with smtpd_sasl* for the SMTP server or smtp_sasl* for the SMTP client. For server configuration you need at a minimum the smtpd_sasl_auth_enable parameter and the permit_sasl_authenticated restriction, which must be assigned to one of the smtpd restriction parameters. See Chapter 11 for more information on UBE restrictions.

Enabling SASL

In order to turn on authentication in the Postfix SMTP server, add the enable parameter to your main.cf file:

smtpd_sasl_auth_enable = yes

In addition, some older email clients[2] don’t follow the SMTP authentication protocol correctly. The specification calls for the server to list its supported mechanisms after the keyword AUTH followed by a space. These clients expect to receive AUTH followed by an equals sign. Postfix allows you to accommodate them by setting the following parameter:

broken_sasl_auth_clients = yes

By setting this parameter, you tell Postfix to advertise its SMTP authentication support in the nonstandard way as well as the standard way. This option is perfectly safe to use since it doesn’t interfere with other mail clients, and the nonstandard ones will now work as well.

Preventing sender spoofing

To make sure that clients use correct sender addresses when relaying, Postfix allows you to map sender addresses to SASL logins. For example, if you have an address kdent@example.com that should be used only by the SASL user kdent, you can create a file requiring the correct user for that address:

kdent@example.com        kdent

The file is a normal Postfix lookup table and allows regular expressions as well as local parts and domains (see Chapter 4 for information on Postfix lookup tables). Use the parameter smtpd_sender_login_maps in main.cf to indicate the table you create:

smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders

You can list as many addresses as you need in the table. To reject messages from users attempting to use incorrect sender addresses or users who are not authenticated at all who attempt to use a specified address, include the restriction reject_sender_login_mismatch with your restriction parameters (see Chapter 11 for information on UBE restrictions).

Permitting authenticated users

If you are already using the smtpd_recipient_restrictions parameter as part of your UBE blocking, you have to tell Postfix to allow authenticated users to relay by adding permit_sasl_authenticated to the list of restrictions. If you were previously using the default and didn’t need a smtpd_recipient_restrictions parameter, just add the following line:

smtpd_recipient_restrictions = permit_mynetworks, 
        permit_sasl_authenticated, reject_unauth_destination

If you are already using the smtpd_recipient_restrictions parameter, just add permit_sasl_authenticated to the list of restrictions. Be sure to include some kind of rejection restriction in your list (see Chapter 11).

Specifying mechanisms

The smtpd_sasl_security_options parameter lets you control which password mechanisms are listed when clients connect to your SMTP server. The complete list of available mechanisms depends on your system and the mechanisms that were available when your SASL libraries were built. If you don’t specify any options, the default is to accept all available mechanisms including plaintext passwords, but not anonymous logins. If you are using the saslauthd daemon, you must accept plaintext passwords, so the default configuration probably makes the most sense. If you specify any of the options, you override the default, so make sure that you include noanonymous among your options. If you set this parameter, you can specify any combination of the following values. For example:

smtpd_sasl_security_options = noanonymous, noplaintext

Common mechanisms include:

noplaintext

If your security policy does not permit passwords to be sent as plaintext, specify noplaintext . This causes SASL to use one of the challenge/response techniques that authenticate without transmitting actual passwords.

noactive

In active attacks, attackers manage to insert themselves between the client and server. Some types of active attacks are commonly referred to as man-in-the-middle attacks. Attackers may be able to read or alter data as it is transmitted or pretend to be the client or server. Specify noactive to limit supported password mechanisms to those that are not known to be vulnerable to active attacks.

nodictionary

In dictionary attacks, attackers run through a preassembled database of possible passwords trying each one in turn to see if it allows access. Databases are typically made up of lists of cities, teams, proper names, and all dictionary words plus obvious variations on the words. Specify nodictionary to limit supported password mechanisms to those that are not known to be vulnerable to dictionary attacks.

noanonymous

Anonymous logins have no useful purpose for SMTP servers. By default Postfix does not allow anonymous logins. If you specify any other options, be sure to also specify noanonymous since you will be overriding the default.

mutual_auth

You can require mechanisms that provide mutual authentication where both the client and server provide credentials proving their identities. Specify mutual_auth to limit advertised mechanisms to those that provide for mutual authentication.

Configuration Summary

Following are step-by-step instructions summarizing the configuration described in this chapter. This is a broad overview of what’s required to set up your Postfix system with SASL:

  1. Determine the authentication mechanisms and framework you plan to support.

  2. Install the SASL libraries and recompile Postfix with SASL support. Or obtain a Postfix distribution with SASL, including support for the authentication mechanisms and SASL options you need.

  3. Reinstall Postfix.

  4. Create the file /usr/local/lib/sasl2/smtpd.conf. Enter either saslauthd or auxprop for pwcheck_method.

  5. If you are using Unix passwords for authentication, start the saslauthd daemon, specifying the type of authentication in use on your system. Otherwise, use the saslpasswd2 command to create email accounts on your system.

  6. Edit main.cf to turn on authentication. This requires that you enable SASL and that you specify that authenticated clients should be allowed to relay mail. A basic setup requires at least the following parameters:

    smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination

  7. Reload Postfix so that it recognizes the changes in its main.cf configuration file:

    # postfix reload

[2] Reportedly, Microsoft Outlook and Outlook Express before Version 5, but you may have to experiment to determine if your clients are culprits.