Postfix


From Docunext Technology Wiki



Postfix Summary

Postfix is my mail transfer agent of choice. Its configuration is relatively sane, and it performs well in my experience. One of my favorite features is SMTP authentication. :-)

Database Configuration

What I especially like about Postfix is that its configuration is simple and easy to understand, and that it can support virtual domains via a MySQL back-end.

There are really two parts to configuring a database back-end for Postfix:

  • Who is authorized to receive mail on the server, and where should their mail be delivered to? This is done by files like "mysql-recipient.cf".
  • Who is authorized to send mail to other domains via the server? This is done by SASL.

Mail Storage

I have used the Maildir format without serious problems for several years. It works well with Courier, Dovecot and even Mutt. I don't use quotas though.

Postfix also supports Mbox.

Spam Prevention

It is possible to configure Postfix to defend against unsolicited email. Most people think about how they need to prevent spam from getting to their inbox, but administrators also need to make sure that their servers aren't being used to send spam. One way to do that is to require outgoing SMTP users to authenticate. With Postfix, this can be done using SASL.

I usually use maildrop to activate spamassassin filtering, though I may try this technique.

I also use Postfix-gld, and am planning on setting up different settings for each of my clients using Postfix restriction classes.

Postfix and SASL

AUTH failed '535 5.7.8 Error: authentication failed: generic failure'.
Jan  3 21:06:36 sleepy1 postfix/smtpd[23918]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan  3 21:06:36 sleepy1 postfix/smtpd[23918]: warning: dev-48[192.168.8.48]: SASL LOGIN authentication failed: generic failure

Setting up saslauthd with Postfix on Debian can be a little tricky.

libsasl2-2 Cyrus SASL - authentication abstraction library
libsasl2-dev Cyrus SASL - development files for authentication abstraction li
libsasl2-modules Cyrus SASL - pluggable authentication modules
sasl2-bin Cyrus SASL - administration programs for SASL users database

The major hurdle for me is always getting the permissions on the saslauthd Unix socket right. Postfix is chrooted and needs to have access to the folder, so I do this:

sudo mkdir -p /var/spool/postfix/var/run/saslauthd
sudo chown -R postfix /var/spool/postfix/var/run
sudo rm -rf /var/run/saslauthd

And from the README (/usr/share/doc/sasl2-bin/README.Debian):

Using a single saslauthd instance with Postfix or another chrooted server:

   NOTE: this applies only if you run Postfix or another server in
   a chroot, which is the Debian default. If you run a mixed environment
   (some instances of Postfix's smtpd in a chroot, some outside chroot,
   for example) then see the section on multiple instances of saslauthd
   below.

 If you run a chrooted server such as Postfix and wish to use saslauthd, you
 must place the saslauthd socket ("mux") inside the Postfix chroot. You must
 also set correct overrides for the run directory inside the chroot, using
 dpkg-statoverride. Finally, you must add the postfix user to the sasl group.
 These steps ensure that the Debian subsystems know how you want things to be
 laid out.

 To place the saslauthd socket inside the Postfix chroot, edit
 /etc/default/saslauthd and set OPTIONS like this (you may omit -c):
  OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

 To set the run directory using dpkg-statoverride, run this command as root:
  dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

 Finally, to add the postfix user to the sasl group:
  adduser postfix sasl

 The init script will automatically create the run directory with the
 permissions you have set using dpkg-statoverride. Please note that you must
 also configure Postfix correctly. There are many options related to SASL. See
 the Postfix documentation for how to do this.


Here's one of the /etc/default/saslauthd files I've used:

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

I often put "-r" on the end so that the username and realm are concatenated, as I store the entire email address in the database. FWIW, I've also used rimap successfully. For this to work, two more files are needed:

  • /etc/pam.d/smtp
  • /etc/postfix/sasl/smtpd.conf

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
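The whole procedure above (socket directory inside the chroot, dpkg-statoverride, postfix in the sasl group, OPTIONS in /etc/default/saslauthd, smtpd.conf) as one script, with a check at the end. This is an added example, not code from the wiki page or from Debian's sasl2-bin package. It assumes the Debian layout named on this page (chroot at /var/spool/postfix, user postfix, group sasl); the Postfix parameters set with postconf are the standard ones that make relaying require authentication, which is the point of the Spam Prevention section above.

```shell
#!/bin/sh
# Added example (not from the wiki page or sasl2-bin). Run as root with the
# argument "setup" on a Debian host; "verify" only runs the checks. Without an
# argument it just defines the functions.

CHROOT=/var/spool/postfix                      # Debian's Postfix chroot (assumption)
SOCKDIR="$CHROOT/var/run/saslauthd"            # where the saslauthd mux must live
DEFAULTS=/etc/default/saslauthd
SMTPD_CONF=/etc/postfix/sasl/smtpd.conf

# Rewrite (or append) the OPTIONS= line of a saslauthd defaults file so the
# mux socket lands inside the chroot. Works on a copy, then replaces the file.
set_saslauthd_options() {
    file=$1
    if grep -q '^OPTIONS=' "$file"; then
        sed "s|^OPTIONS=.*|OPTIONS=\"-c -m $SOCKDIR\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'OPTIONS="-c -m %s"\n' "$SOCKDIR" >> "$file"
    fi
}

# Print the directory given to -m in the OPTIONS= line (empty if none).
saslauthd_mux_dir() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | sed -n 's/.*-m \([^ ]*\).*/\1/p'
}

# Succeed only when the mux directory is under the Postfix chroot. A chrooted
# smtpd cannot reach /var/run/saslauthd, which is what produces the
# "cannot connect to saslauthd server" warning quoted on this page.
mux_inside_chroot() {
    case "$(saslauthd_mux_dir "$1")" in
        "$CHROOT"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

setup() {
    mkdir -p "$SOCKDIR"
    # Mode 710: the sasl group may traverse the socket directory but not list it.
    dpkg-statoverride --update --add root sasl 710 "$SOCKDIR"
    adduser postfix sasl
    set_saslauthd_options "$DEFAULTS"
    # Postfix side: saslauthd as password checker, and only local or
    # authenticated clients may relay to other domains.
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n' > "$SMTPD_CONF"
    postconf -e 'smtpd_sasl_auth_enable = yes' \
               'smtpd_sasl_security_options = noanonymous' \
               'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
    service saslauthd restart
    service postfix restart
}

# Post-setup check: prints what is wrong and returns non-zero if anything is.
verify() {
    rc=0
    mux_inside_chroot "$DEFAULTS" || { echo "OPTIONS in $DEFAULTS does not point inside $CHROOT"; rc=1; }
    [ -S "$SOCKDIR/mux" ] || { echo "no socket at $SOCKDIR/mux (is saslauthd running?)"; rc=1; }
    id -nG postfix | grep -qw sasl || { echo "user postfix is not in group sasl"; rc=1; }
    return $rc
}

case "${1:-}" in
    setup)  setup && verify ;;
    verify) verify ;;
esac
```

If you add "-r" to OPTIONS as described below, the check still passes: it only looks at the argument after -m.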

UPDATE: I'm now using the rimap feature - it's simpler for my needs.

Handy for use with smtpd_client_event_limit_exceptions:

tail -n 1000000 /var/log/mail.log | grep sasl | awk '{ print $7 }' | sed -e 's/client=.*\[//' -e 's/\],//' | sort -u
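The pipeline above picks the IP out of the "client=host[ip], sasl_method=..." lines that smtpd logs for successful SASL logins. As an added example (not from the wiki page), the same extraction as a function, plus a per-IP count of SASL failures taken from the "warning: host[ip]: SASL ... authentication failed" lines, so that a client with many failures can be spotted before it is added to smtpd_client_event_limit_exceptions. The sample log is constructed, modelled on the lines quoted on this page; hostnames, IPs and queue IDs are made up.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Reads Postfix smtpd log lines on
# stdin (or the constructed sample below) and reports SASL clients.

# Constructed sample log excerpt (not real traffic).
SAMPLE_LOG='Jan  3 21:05:10 sleepy1 postfix/smtpd[23910]: 7A1B2C3D4E: client=dev-48[192.168.8.48], sasl_method=LOGIN, sasl_username=alice@example.com
Jan  3 21:05:42 sleepy1 postfix/smtpd[23911]: 8B2C3D4E5F: client=laptop[192.168.8.77], sasl_method=PLAIN, sasl_username=bob@example.com
Jan  3 21:06:36 sleepy1 postfix/smtpd[23918]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan  3 21:06:36 sleepy1 postfix/smtpd[23918]: warning: dev-48[192.168.8.48]: SASL LOGIN authentication failed: generic failure
Jan  3 21:07:01 sleepy1 postfix/smtpd[23919]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jan  3 21:07:05 sleepy1 postfix/smtpd[23919]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Jan  3 21:08:00 sleepy1 postfix/smtpd[23920]: 9C3D4E5F60: client=dev-48[192.168.8.48], sasl_method=LOGIN, sasl_username=alice@example.com'

# IPs that completed SASL authentication, one per line, de-duplicated.
# Candidates for smtpd_client_event_limit_exceptions after a manual review.
authenticated_clients() {
    grep 'sasl_method=' | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p' | sort -u
}

# SASL failures per client IP as "count ip", most frequent first. The
# "cannot connect to saslauthd server" line carries no client and is skipped.
sasl_failures_by_ip() {
    grep 'SASL .* authentication failed' \
        | sed -n 's/.*warning: [^[]*\[\([^]]*\)\]: SASL.*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

if [ "${1:-}" = "live" ]; then
    # Real use: read the mail log instead of the sample.
    authenticated_clients < /var/log/mail.log
    sasl_failures_by_ip < /var/log/mail.log
else
    printf '%s\n' "$SAMPLE_LOG" | authenticated_clients
    printf '%s\n' "$SAMPLE_LOG" | sasl_failures_by_ip
fi
```

On the sample, 192.168.8.48 appears in both lists: one failed attempt followed by successful logins is normal for a user mistyping a password, while 203.0.113.9 fails repeatedly and never succeeds, which is the pattern worth rate-limiting rather than exempting.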

I plan on connecting it with NGINX Mail at some point as well.

Problems

postfix/smtpd[25373]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

For this error I removed the libsasl2-modules-sql package, and commented out:

#auxprop_plugin: saslauthd

in /etc/postfix/sasl/smtpd.conf.


Sasldb?

Hmmm. Why is postfix trying sasldb?

warning: SASL authentication failure: error fetching from sasldb: Invalid argument

Sasl

Postfix and Dovecot

This is totally awesome - Postfix can authenticate directly to Dovecot's SASL service! It's even pretty easy to set up on Debian.

Postfix Logging

Email logging can be a bit of a pain due to the volume. This is what I use in my syslog.conf:

mail.debug    -/var/log/mail.log
mail.warn     -/var/log/mail.warn
mail.err      -/var/log/mail.err

Actually I'm commenting out mail.debug and mail.warn a lot these days due to the volume of SPAM.

Very useful: pflogsumm

Postfix Restriction Classes

These are very cool; they allow you to set up different rules for different recipient classes.

smtpd_restriction_classes

More information here: Postfix restriction classes
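An added example of what a restriction-class setup looks like (not from the wiki page or the Postfix documentation): two classes, a per-recipient access map that assigns them, and a small lookup function that mirrors, in simplified form, how Postfix picks the class for a recipient. The class names, the map path and example.com are assumptions; the restriction names are standard Postfix ones.

```shell
#!/bin/sh
# Added example, not code from the wiki page. "apply" writes the map and
# main.cf settings on a real Postfix host (run as root); the lookup function
# below works offline on the constructed map.

MAP=/etc/postfix/recipient_classes      # assumed path for the access map

# Constructed access map: lookup key on the left, class name on the right.
# finance@ may only be mailed from local or authenticated clients; the rest of
# example.com gets stricter sender checks.
RECIPIENT_CLASSES='finance@example.com    internal_only
example.com            strict'

apply() {
    printf '%s\n' "$RECIPIENT_CLASSES" > "$MAP"
    postmap "hash:$MAP"
    # Classes must be declared in smtpd_restriction_classes before use, and
    # check_recipient_access is placed after reject_unauth_destination so a
    # permissive class can never turn the server into an open relay.
    postconf -e 'smtpd_restriction_classes = internal_only, strict' \
        'internal_only = permit_mynetworks, permit_sasl_authenticated, reject' \
        'strict = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname' \
        "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:$MAP"
    postfix reload
}

# Which class applies to a recipient? Postfix tries the full address first,
# then the domain (it also tries parent domains and user@, omitted here).
# Prints "default" when no entry matches, meaning only the generic
# smtpd_recipient_restrictions apply.
class_for_recipient() {
    addr=$1
    domain=${addr#*@}
    for key in "$addr" "$domain"; do
        cls=$(printf '%s\n' "$RECIPIENT_CLASSES" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$cls" ]; then
            printf '%s\n' "$cls"
            return 0
        fi
    done
    printf 'default\n'
}

case "${1:-}" in
    apply) apply ;;
    '')    for r in finance@example.com alice@example.com bob@other.example; do
               printf '%s -> %s\n' "$r" "$(class_for_recipient "$r")"
           done ;;
esac
```

Per-client settings of the kind mentioned under Spam Prevention are done the same way: one class per client, keyed on the client's domain in the map.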

Postfix Add-Ons

Postfix can work with lots of other programs and packages, for example:

See Also

Links
