1
PPoossttffiixx SSmmaallll//HHoommee OOffffiiccee HHiinnttss aanndd TTiippss
3
-------------------------------------------------------------------------------
7
This document combines hints and tips for "small office/home office"
8
applications into one document so that they are easier to find. The text
9
describes the mail sending side only. If your machine does not receive mail
10
directly (i.e. it does not have its own Internet domain name and its own fixed
11
IP address), then you will need a solution such as "fetchmail", which is
12
outside the scope of the Postfix documentation.
14
* Selected topics from the STANDARD_CONFIGURATION_README document:
16
o Postfix on a stand-alone Internet host
17
o Postfix on hosts without a real Internet hostname
19
Selected topics from the SASL_README document:
21
o Enabling SASL authentication in the Postfix SMTP client
22
o Supporting multiple ISP accounts in the Postfix SMTP client
24
See the SASL_README and STANDARD_CONFIGURATION_README documents for further
25
information on these topics.
27
PPoossttffiixx oonn aa ssttaanndd--aalloonnee IInntteerrnneett hhoosstt
29
Postfix should work out of the box without change on a stand-alone machine that
30
has direct Internet access. At least, that is how Postfix installs when you
31
download the Postfix source code via http://www.postfix.org/.
33
You can use the command "ppoossttccoonnff --nn" to find out what settings are overruled
34
by your main.cf. Besides a few pathname settings, few parameters should be set
35
on a stand-alone box, beyond what is covered in the BASIC_CONFIGURATION_README
39
# Optional: send mail as user@domainname instead of user@hostname.
42
# Optional: specify NAT/proxy external address.
43
#proxy_interfaces = 1.2.3.4
45
# Alternative 1: don't relay mail from other hosts.
46
mynetworks_style = host
49
# Alternative 2: relay mail from local clients only.
50
# mynetworks = 192.168.1.0/28
53
See also the section "Postfix on hosts without a real Internet hostname" if
54
this is applicable to your configuration.
56
PPoossttffiixx oonn hhoossttss wwiitthhoouutt aa rreeaall IInntteerrnneett hhoossttnnaammee
58
This section is for hosts that don't have their own Internet hostname.
59
Typically these are systems that get a dynamic IP address via DHCP or via
60
dialup. Postfix will let you send and receive mail just fine between accounts
61
on a machine with a fantasy name. However, you cannot use a fantasy hostname in
62
your email address when sending mail into the Internet, because no-one would be
63
able to reply to your mail. In fact, more and more sites refuse mail addresses
64
with non-existent domain names.
66
Note: the following information is Postfix version dependent. To find out what
67
Postfix version you have, execute the command "ppoossttccoonnff mmaaiill__vveerrssiioonn".
69
SSoolluuttiioonn 11:: PPoossttffiixx vveerrssiioonn 22..22 aanndd llaatteerr
71
Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email
72
addresses by valid Internet addresses. This mapping happens ONLY when mail
73
leaves the machine; not when you send mail between users on the same machine.
75
The following example presents additional configuration. You need to combine
76
this with basic configuration information as discussed the first half of this
79
1 /etc/postfix/main.cf:
80
2 smtp_generic_maps = hash:/etc/postfix/generic
82
4 /etc/postfix/generic:
83
5 his@localdomain.local hisaccount@hisisp.example
84
6 her@localdomain.local heraccount@herisp.example
85
7 @localdomain.local hisaccount+local@hisisp.example
87
When mail is sent to a remote host via SMTP:
89
* Line 5 replaces his@localdomain.local by his ISP mail address,
91
* Line 6 replaces her@localdomain.local by her ISP mail address, and
93
* Line 7 replaces other local addresses by his ISP account, with an address
94
extension of +local (this example assumes that the ISP supports "+" style
97
Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
98
To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".
100
Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ggeenneerriicc" whenever you change the
103
SSoolluuttiioonn 22:: PPoossttffiixx vveerrssiioonn 22..11 aanndd eeaarrlliieerr
105
The solution with older Postfix systems is to use valid Internet addresses
106
where possible, and to let Postfix map valid Internet addresses to local
107
fantasy addresses. With this, you can send mail to the Internet and to local
108
fantasy addresses, including mail to local fantasy addresses that don't have a
109
valid Internet address of their own.
111
The following example presents additional configuration. You need to combine
112
this with basic configuration information as discussed the first half of this
115
1 /etc/postfix/main.cf:
116
2 myhostname = hostname.localdomain
117
3 mydomain = localdomain
119
5 canonical_maps = hash:/etc/postfix/canonical
121
7 virtual_alias_maps = hash:/etc/postfix/virtual
123
9 /etc/postfix/canonical:
124
10 your-login-name your-account@your-isp.com
126
12 /etc/postfix/virtual:
127
13 your-account@your-isp.com your-login-name
131
* Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name
132
that is already in use by real organizations on the Internet. See RFC 2606
133
for examples of domain names that are guaranteed not to be owned by anyone.
135
* Lines 5, 9, 10: This provides the mapping from "your-login-
136
name@hostname.localdomain" to "your-account@your-isp.com". This part is
139
* Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally,
140
instead of sending it to the ISP. This part is not required but is
143
Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files.
144
To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm".
146
Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccaannoonniiccaall" whenever you change the
149
Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the
152
EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
154
Turn on client-side SASL authentication, and specify a table with per-host or
155
per-destination username and password information. The Postfix SMTP client
156
first searches the table for an entry with the remote SMTP server hostname; if
157
no entry is found, then the Postfix SMTP client searches the table for an entry
158
with the next-hop destination. Usually, that is the right-hand part of an email
159
address, but it can also be the information that is specified with the
160
relayhost parameter or with a transport(5) table.
162
/etc/postfix/main.cf:
163
smtp_sasl_auth_enable = yes
164
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
165
smtp_sasl_type = cyrus
166
relayhost = [mail.myisp.net]
168
# relayhost = [mail.myisp.net]:submission
170
/etc/postfix/sasl_passwd:
171
[mail.myisp.net] username:password
172
[mail.myisp.net]:submission username:password
176
* The "submission" destination port tells Postfix to send mail via TCP
177
network port 587, which is normally reserved for email clients. The default
178
is to send mail to the "smtp" destination port (TCP port 25), which is used
179
for receiving mail across the internet. If you use an explicit destination
180
port in main.cf, then you must use the same form also in the
181
smtp_sasl_password_maps file.
183
* Postfix does not deliver mail via TCP port 465 (the obsolete "wrappermode"
184
protocol). See TLS_README for a solution that uses the "stunnel" command.
186
* The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
187
records for the enclosed name. If you use this form in main.cf, then you
188
must use the same form also in the smtp_sasl_password_maps file.
190
* The Postfix SMTP client opens the SASL client password file before entering
191
the optional chroot jail, so you can keep the file in /etc/postfix and set
192
permissions read / write only for root to keep the username:password
193
combinations away from other system users.
195
* Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
196
files. To find out what lookup tables Postfix supports, use the command
197
"ppoossttccoonnff --mm".
199
* Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
200
the sasl_passwd table.
204
* Some remote SMTP servers support PLAIN or LOGIN authentication only. By
205
default, the Postfix SMTP client does not use authentication methods that
206
send plaintext passwords, and defers delivery with the following error
207
message: "Authentication failed: cannot SASL authenticate to server". To
208
enable plaintext authentication specify, for example:
210
/etc/postfix/main.cf:
211
smtp_sasl_security_options = noanonymous
213
* Some remote SMTP servers announce authentication mechanisms that don't
214
actually work. It is possible via the smtp_sasl_mechanism_filter parameter
215
to restrict the list of server mechanisms that the Postfix SMTP client will
216
take into consideration:
218
/etc/postfix/main.cf:
219
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
221
In the above example, the Postfix SMTP client will decline to use
222
mechanisms that require special infrastructure such as Kerberos or TLS.
224
* The Postfix SMTP client is backwards compatible with SMTP servers that use
225
the non-standard "AUTH=method..." syntax in response to the EHLO command;
226
there is no Postfix client configuration needed to work around it.
228
SSuuppppoorrttiinngg mmuullttiippllee IISSPP aaccccoouunnttss iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
230
Postfix version 2.3 supports multiple ISP accounts. This can be useful when one
231
person uses the same machine for work and for personal use, or when people with
232
different ISP accounts share the same Postfix server. To make this possible,
233
Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In
234
the example below, Postfix will search the SASL password file by sender before
235
it searches that same file by destination. Likewise, Postfix will search the
236
per-sender relayhost file, and use the default relayhost only as a final
239
/etc/postfix/main.cf:
240
smtp_sender_dependent_authentication = yes
241
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
242
smtp_sasl_auth_enable = yes
243
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
244
relayhost = [mail.myisp.net]
246
# relayhost = [mail.myisp.net]:submission
248
/etc/postfix/sasl_passwd:
249
# Per-sender authentication; see also /etc/postfix/sender_relay.
250
user1@example.com username2:password2
251
user2@example.net username2:password2
252
# Login information for the default relayhost.
253
[mail.myisp.net] username:password
254
[mail.myisp.net]:submission username:password
256
/etc/postfix/sender_relay:
257
# Per-sender provider; see also /etc/postfix/sasl_passwd.
258
user1@example.com [mail.example.com]:submission
259
user2@example.net [mail.example.net]
263
* If you are creative, then you can try to combine the two tables into one
264
single MySQL database, and configure different Postfix queries to extract
265
the appropriate information.
267
* Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
268
files. To find out what lookup tables Postfix supports, use the command
269
"ppoossttccoonnff --mm".
271
* Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
272
the sasl_passwd table.
274
* Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change
275
the sender_relay table.