December 2025
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Archive for the ‘postfix’ Category

Postfix TLS Support

Posted by jpluimers on 2021/02/25

For my link archive:

[WayBack] Postfix TLS Support
Topics covered in this section:
[WayBack] Adding TLS support to Postfix
[WayBack] How to secure Postfix using Let’s Encrypt – UpCloud
[WayBack] How to configure TLS encryption in Postfix – Zurgl (adding it to an existing Postfix configuration)
[WayBack] enforce TLS on incoming mail in postfix – Server Fault
[WayBack] Postfix and TLS encryption

In this post I will show how I setup a smtp server running Postfix with TLS encryption and with the correct cyphers. So that email between smtp servers where possible is using strong email encryption.

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, SMTP | Leave a Comment »

Postfix for relaying SMTP, some info about my own configuration

Posted by jpluimers on 2020/03/20

I’ve a bunch of secondary MX servers using postfix (which I like a lot over sendmail). Basically all their configurations are very similar:

To the file /etc/postfix/relay, add a list of domains to relay for, each ending with a space followed by OK as per
[WayBack] Configure Postfix to relay mail to multiple internal mail servers w/different domains
Run postmap /etc/postfix/relay to update the relay database file.
Ensure that /etc/postfix/main.cf has these settings (note that the FQDN – in the example smtp3.example.org – isn’t always returned by hostname --fqdn, see below):
1. inet_interfaces = all
2. myhostname = smtp3.example.org
3. smtpd_helo_required = yes
4. smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
rcpostfix restart && rcpostfix status

Check the functionality with journalctl -u postfix.

FQDN – how to get `myhostname`

This usually gives a good indication of your external FQDN, but depending on your network circumstances it might not at all be the FQDN of your machine:

dig +noall +answer +short -x `curl -s ipv4.whatismyip.akamai.com` | sed 's/\.$//'

I got there through these StackExchange answers:

[WayBack] linux – How do I get cURL to not show the progress bar? – Stack Overflow
Reverse DNS lookup through dig: [WayBack] 10 Linux DIG Command Examples for DNS Lookup and [WayBack] linux – Bash: Reverse DNS Lookup of Active IP Addresses – Super User
remove the final . from the dig answer: [WayBack] text processing – Remove last character from line – Unix & Linux Stack Exchange

Testing with `sendEmail`

Then test with sendEmail from [WayBack] GitHub – mogaal/sendemail: lightweight, command line SMTP email client, with statements like these

The most recent version is now at [Wayback/Archive.is] GitHub – zehm/sendEmail: SendEmail is a lightweight, command line SMTP email client.

sendEmail -o fqdn=sending.example.org -f sender@example.org -t recipient@example.com -u message-subjetc -s smtp3.example.org -m message-text
sendEmail -o fqdn=sending.example.org -f sender@example.org -t recipient@example.com -u message-subjetc -s smtp3.example.org -m message-text -v -v -v -v

If you get an error containing 450 4.7.1 … Helo command rejected: Host not found, then reject_unknown_helo_hostname works, but your -o fqdn= parameter contains an invalid hostname.

More sending examples are in the sendEmail documentation.

If you want to know more about fighting SPAM, then continue at [WayBack] Fighting Spam – What can I do as an: Email Administrator, Domain Owner, or User? – Server Fault

–jeroen

Posted in *nix, *nix-tools, postfix, Power User, sendmail | Leave a Comment »

Postfix and blacklists

Posted by jpluimers on 2019/04/19

Still learning postfix configuration , below are some links on how to enable various blacklists that use the RBL DNS (aka [WayBack] DNSBL) way of operations.

They are centered around using the of the [WayBack] Postfix Documentation entry reject_rbl_client listings:

Basically reject_rbl_client is part of smtpd_client_restrictions.

TODO:

I need to dig further into some other blacklist options than reject_rbl_client: reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction.

Then I need to go through these links:

[WayBack] Jim Seymour’s suggestions/examples for Postfix anti-UCE configuration. (Aka: Postfix Anti-UCE Cheat Sheet)

via [WayBack] SpamCop.net – SpamCop FAQ: Postfix

[WayBack] Blocking SPAM (UCE) using Postfix

[WayBack] Enable DNSBL service in Postfix to reduce spam

[WayBack] spam – Blacklisted client: why did Postfix not reject this email? – Server Fault

[WayBack] spam – Postfix reject_rbl_client Blacklists Not Working – Server Fault

[WayBack] How To Block Spam Before It Enters A Postfix Server

[WayBack] Postfix configure anti spam with blacklist – nixCraft

[WayBack] HOWTO Stop spam using Postfix – LinuxReviews

[WayBack] email server – How to enable RBL checking in postfix? – Server Fault

[WayBack] More robust Postfix anti-spam configuration | Le Blog

[WayBack] dnswl.org – E-Mail Reputation – Protect against false positives

[WayBack] dnswl.org Self Service

Dnswl.org maintains a database of IP addresses (netranges) which are grouped into “DNSWL Records” (identified by a DNSWL Id, which is just an arbitrary number). This data is maintained through a combination of manual and automated actions – and by yourself.

Using the Self Service portal you can “claim” DNSWL Ids as being yours After verification you can then request changes to IPs already stored, or add new IPs. For most parts, there will still be an editor approval before changes take effect.

The Self Service portal is also used to manage the subscriptions which are required for certain types of users (eg for > 100’000 queries per day).

Some blacklist checking links:

[WayBack] DNSBL Information – Spam Database and Blacklist Check
[WayBack] IP Address Blacklist Check
[WayBack] The Spamhaus Project – ZENzen.spamhaus.org should be the only spamhaus.org DNSBL in your IP blocklist configuration. You should not use ZEN together with other Spamhaus IP blocklists, or with blocklists already included in our zones (such as the CBL) or you will simply be wasting DNS queries and slowing your mail queue.
Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers.
- [WayBack] DNSBL Usage Terms – The Spamhaus Project
- [WayBack] Blocklist Removal Center – The Spamhaus Project

–jeroen

Posted in *nix, *nix-tools, postfix, Power User | Leave a Comment »

mail-filters/Makefile at master · fumiyas/mail-filters

Posted by jpluimers on 2019/04/15

Cool tool if you use Postfix: mail-filters/Makefile at master · fumiyas/mail-filters.

You set it up like this:

cd /etc/postfix wget https://raw.githubusercontent.com/fumiyas/mail-filters/master/postfix/Makefile

Then each time you change your postfix configuration:

cd /etc/postfix make

In that directory, it will (re)generate a Makefile.postmapbased on the lines with hash in main.cf, then make each .db file from the source hash file.

After that you have to manually restart postfix, which depends on your Linux flavour.

Default OpenSuSE Postfix main.cf forgets to configure SASL for cyrus…

Posted by jpluimers on 2019/04/15

If you see the below in your Postfix log when trying to test your config, then the SASL configuration is empty. Oddly that seems the default on OpenSuSE for a while now, despite it providing cyrus SASL out of the box.

Sep 15 14:30:07 katrien postfix/smtpd[12719]: fatal: bad string length 0 < 1: smtpd_sasl_path = Sep 15 14:30:08 katrien postfix/master[12400]: warning: process /usr/lib/postfix/smtpd pid 12719 exit status 1 Sep 15 14:30:08 katrien postfix/master[12400]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

Prior OpenSuSE versions had this in /etc/postfix/main.cf:

# SASL stuff ############################################################ smtp_sasl_auth_enable = no smtp_sasl_security_options = smtp_sasl_password_maps = smtpd_sasl_auth_enable = no #smtpd_sasl_path = private/auth #smtpd_sasl_type = dovecot

Newer OpenSuSE versions have this:

# SASL stuff ############################################################ smtp_sasl_auth_enable = no smtp_sasl_security_options = smtp_sasl_password_maps = smtpd_sasl_auth_enable = no # cyrus : smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd # dovecot : smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth smtpd_sasl_path = smtpd_sasl_type =

Despite the newer having these installed:

# rpm -qa | grep cyrus cyrus-sasl-crammd5-2.1.26-14.2.aarch64 cyrus-sasl-2.1.26-14.2.aarch64 cyrus-sasl-plain-2.1.26-14.2.aarch64 cyrus-sasl-digestmd5-2.1.26-14.2.aarch64 cyrus-sasl-gssapi-2.1.26-14.2.aarch64

Solution:

smtpd_sasl_path = smtpd smtpd_sasl_type = cyrus

Since the values for both lines are default, you could even comment them out; see the documentation:

–jeroen

Via: [WayBack] postfix IRC logs [July 26 – 2007]

Posted in *nix, *nix-tools, Linux, openSuSE, postfix, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Some Postfix configuration guidelines

Posted by jpluimers on 2019/02/08

Not just for Postfix are the first two guidelines:

Change one thing at a time
Save known working configurations

For the latter, I’m using etckeeper pushing to an external git repository hoster.

For Postfix are the others from [WayBack] Postfix Configuration Guidelines.

One tip that’s missing, but saved my life numerous of times:

In /etc/postfix/main.cfg do not use this line ever:

inet_interfaces = $myhostname

If the resolving (through DNS or hosts file) of $myhostname fails for any reason in the future, then Postfix will not start at all, but in stead emit a fatal error like this:

/usr/sbin/postconf: fatal: parameter inet_interfaces: no local interface found for 127.0.0.2

Specify exact interfaces in stead, like any of these:

inet_interfaces = all

inet_interfaces = localhost

inet_interfaces = 192.168.24.68

–jeroen

Posted in *nix, *nix-tools, etckeeper, Linux, postfix, Power User | Leave a Comment »

‪Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

Posted by jpluimers on 2019/02/01

Summary from [WayBack]‪ Dear #lazyweb, can anyone point me to a modern email server setup (just email) with letsencrypt, some spam filter, multi domain preferably on RHEL/Cent… – Jan Wildeboer – Google+

many SMTP servers on the interwebs do not have proper TLS setups, so do not require remote SMTP servers to deliver email with a proper certificate
delivering mail via SMTP using STARTTLS with a proper certificate yourself is a good step forward
postfix
dovecot
greylisting (although in practice it does not make much of a difference any more)
fail2ban
dnsbl (often called rbl)
spamassasin
rspamd (supports SPF, DKIM and many others)
- [WayBack] Rspamd spam filtering system
- [WayBack] GitHub – vstakhov/rspamd: Rapid spam filtering system.
letsencrypt automation can be tough, so here is a small wrapper: [WayBack] GitHub – DrGlitchMX/update-letsencrypt: Tiny script for updating “Let’s Encrypt!” certificates from cron
it helps having letsencrypt and the mail server to be on one machine:
- multidomain let’s encrypt cert that has my webserver name and the mailserver in the Subject Alternative Names field. As both are on the same machine certbot can automatically update it and I just point Postfix and Dovecot to the LE files.
Hans-Martin Mosner SMTP as-is is just not suitable for the kind of decentralized mail that you would prefer. You need some mechanism to determine which mail senders to trust and which not. Cryptography is suitable at the MUA level and should be used much more, but at the MTA level, TLS for privacy and SPF(bleh) or DKIM(meh) for sender domain authentication are basically your only weapons -much too weak. The PGP web of trust must be considered a failed experiment – who of your mail contacts uses PGP properly or at all? Ironically the only secure messaging solutions for the masses are centralized.

A bit large but, might be an option: Zimbra. Multidomain and spam out of the box. Certs are well documented. Just disable logging which consumes way too much resources.
Guides
- [WayBack] Mailserver mit Dovecot, Postfix, MySQL und Rspamd unter Debian 9 Stretch
- [WayBack] ISPmail tutorials – workaround.org (Postfix, Dovecot IMAP/POP3 and MySQL backend on a Debian server just)
  - [WayBack] ISPmail guide for Debian Stretch – workaround.org
  - [WayBack] ISPmail guide for Debian Jessie – workaround.org
  - The above cover (though I wish it did without MariaDB / MySQL):
    - Receive emails on your domain(s).
    - Filter out spam and malware.
    - Send emails out to any other servers/domains on the internet. Connections will be encrypted when possible.
    - Add cryptographic signatures (DKIM) to outgoing emails.
    - Store as many emails for as many email addresses as you have disk space. Set limits (“quotas”) per user.
    - Let your users fetch email using IMAP or POP3 and send email through your servers using SMTP.
    - Allow users to manage server-based filter rules. Distribute incoming emails to different folders. Forward copies. Or send out-of-office notifications.
    - Provide a webmail interface so users can access their emails securely from any location.
    - Mitigate brute force attacks.

Things to do:

find a proper multi-MX fallback setup guide for postfix

–jeroen

Read the rest of this entry »

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, SMTP | Leave a Comment »

For my postfix studies…

Posted by jpluimers on 2018/03/02

Some links that I will extend in the future:

[WayBack] Postfix Queue Management – EasyEngine
[WayBack] Inspecting Postfix’s email queue – Tech-G
The Book of Postfix explains in detail how to configure Postfix, the famous message transfer agent by Wietse Venema, for various uses. It has been written by Ralf Hildebrandt and Patrick Koetter, both active members of the Postfix community.
[WayBack] The Book of Postfix

–jeroen

Posted in *nix, *nix-tools, postfix, Power User | Leave a Comment »

Fixing Invalid HELO’s – major.io

Posted by jpluimers on 2017/12/08

for postfix and sendmail: [WayBack] Fixing Invalid HELO’s – major.io

Posted in *nix, *nix-tools, postfix, Power User, sendmail | Leave a Comment »

TLS tests for your mail server

Posted by jpluimers on 2017/11/09

Need to do some more research on this to ensure I didn’t goof up:

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, Security, sendmail, SMTP | Leave a Comment »

Next Entries »

	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…
	Thaddy de Koning on Formulier voor bewindvoerders…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘postfix’ Category

Postfix TLS Support

Postfix for relaying SMTP, some info about my own configuration

FQDN – how to get `myhostname`

Testing with `sendEmail`

Postfix and blacklists

mail-filters/Makefile at master · fumiyas/mail-filters

Default OpenSuSE Postfix main.cf forgets to configure SASL for cyrus…

Some Postfix configuration guidelines

‪Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

For my postfix studies…

Fixing Invalid HELO’s – major.io

TLS tests for your mail server

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘postfix’ Category

Rate this:

Share this:

FQDN – how to get myhostname

Testing with sendEmail

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

FQDN – how to get `myhostname`

Testing with `sendEmail`