Postfix

 < Day Day Up > 



Postfix is a fast, secure, and flexible MTA designed to replace Sendmail while maintaining as much compatibility as possible. Written by Wietse Venema and originally released as the IBM Secure Mailer, it is now available under the GNU license (www.postfix.org). Postfix was created with security in mind, treating all incoming mail as potential security risks. Postfix uses many of the same Sendmail directories and files and makes use of Sendmail wrappers, letting Sendmail clients interact seamlessly with Postfix servers. Postfix is also easier to configure, using its own configuration file. Red Hat now provides Postfix along with Sendmail.

Instead of one large program, Postfix is implemented as a collection of smaller programs, each designed to perform a specific mail-related task. A Postfix master daemon runs continuously and manages the use of the other Postfix daemons, running them only as needed. A bounce daemon handles undeliverable mail, a trivial-rewrite daemon redirects messages, and the showq daemon provides information on the print queues.

Postfix Commands

Several Postfix commands allow you to manage your server tasks. The sendmail command sends messages. You use mailq to display the status of your mail queues. The newaliases command takes mail aliases listed in the aliases files and stores them in a database file that can be used by Postfix. The postmap command is used to maintain various database files used by Postfix, such as the alias file for mail aliases and the access file that restricts messages received by the server. In addition, Postfix provides lower-level tools all beginning with the term post, such as the postalias command, which maintains the alias database, and postcat, which displays print queue files.

Postfix Configuration: main.cf

Postfix configuration is handled by setting parameters in its configuration file, main.cf. Red Hat installs a default /etc/postfis/main.cf file with Postfix, with most of the essential configuration values already set. Parameter names tend to be user friendly. For example, directory locations are specified by parameters ending in the term directory, such as queue_directory for the location of Postfix queues and daemon_directory for the location of the Postfix daemons. Defaults are already implemented for most parameters. For example, defaults are set for particular resource controls, such as message size, time limits, and the number of allowed messages per queue. You can edit the main.cf file to change the parameter values to meet your own needs. After making any changes, you only need to reload the configuration using the postfix reload command:

postfix reload

Network Parameters

You will most likely need to set several network parameters. To ease this process, Postfix defines parameters that hold key network information, such as myhostname, which holds the hostname of your system, and mydomain, which holds the domain name of your network. For example, myhostname would be set to the host turtle.mytrek.com, whereas mydomain would be just mytrek.com. Parameters like myhostname and mydomain are themselves used as values assigned to other parameters. In the next example, myhostname and mydomain are set to the host the mail server is running on and its network domain:

myhostname=turtle.mytrek.com mydomain=mytrek.com

The myorigin parameter specifies the origin address for e-mail sent by the server. By default, this is set to the value of the parameter myhostname, as shown here. Note that a $ precedes the myhostname variable to evaluate it.

myorigin=$myhostname

If you are using a single system directly attached to the Internet, you may want to keep this configuration, labeling mail as being sent by your host. However, if your system is operating as a gateway for a network, your mail server is sending out mail from different hosts on that network. You may wish to change the origin address to the domain name, so that mail is perceived as sent from the domain.

myorigin=$mydomain

Local Networks

The mydestination parameter holds the list of domains that your mail server will receive mail for. By default, these include localhost and your system's hostname.

mydestination = $myhostname localhost.$mydomain

If you want the mail server to receive mail for an entire local network, you need to also specify its domain name. That way, the server can receive mail addressed just to the domain, instead of your specific host.

mydestination = $myhostname localhost.$mydomain $mydomain

Also, if your host goes by other hostnames and there are DNS records identifying your host by those names, you need to specify those names also. For example, your host could also be a Web server to which mail could be directed. A host turtle.mytrek.com may also be identified as the Web site www.mytrek.com. Both names would have to be listed in the mydestination parameter.

mydestination = $myhostname localhost.$mydomain $mydomain www.$mydomain

If your system is a gateway for one or more local networks, you can specify them with the mynetworks parameter. This allows your mail server to relay mail addressed to those networks. Networks are specified using their IP addresses. The relay_domains parameter lets you specify domain addresses of networks for which you can relay messages. By default, this is set to mydestination:

mynetworks=192.168.0.0 relay_domains=$mydestination

Hosts within the local network connected to the Internet by a gateway need to know the identity of the relay host, the mail server. You set this with the relayhost parameter. Also, myorigin should be set to just mydomain. If there is a DNS server identifying the gateway as the mail server, you can just set relayhost to the value of mydomain. If not, then relayhost should be set to the specific hostname of the gateway/mail server. If your local network is not running a DNS server, be sure to set disable_dns_lookups to yes.

relay_host=$mydomain

Direct Connections

If your system is directly connected to the Internet and you use an ISP for receiving mail, you can configure Postfix as a null client to just send mail. Set the relay_host parameter to just your own domain name. Also, in the master.cf file, comment out the SMTP server and local delivery agent entries.

relayhost = $mydomain

Masquerading

If your mail server is operating on a gateway for a local network and you want to hide the hosts in that network, you can opt to masquerade the local hosts, letting it appear that all mail is coming from the domain in general, instead of a particular host. To set this option, you use the masquerade_domains parameter. In the following example, all mail sent by a local host such as rabbit.mytrek.com will be addressed as just coming from mytrek.com. Thus a message sent by the user chris@rabbit.mytrek.com is sent out as coming from chris@mytrek.com.

masquerade_domains = $mydomain

Received mail is not masqueraded by default. This allows Postfix to still deliver received mail to particular hosts. If you want received mail to also be masqueraded, you have to add the envelope_recipients parameter to the list of values assigned to the masquerade_class parameter. In that case, Postfix will no longer be able to deliver received mail.

Virtual Domains

If your network has implemented virtual domains, you will need to set up a virtual domain table and then specify that table with the virtual_maps option. Setting up a table is a simple matter of listing virtual names and their real addresses in a text file such as /etc/postfix/virtual. Then use the postmap command to create a Postfix table:

postmap /etc/postfix/virtual

In the main.cf file, specify the table with the virtual_maps parameter. Postfix will then use this table to look up virtual domains.

virtual_maps = hash:/etc/postfix/virtual
Note 

See the Postfix FAQ at www.postfix.org for detailed information on how to set up Postfix for a gateway, a local workstation, or a host directly connected to the Internet (null server).

Security: UCM

Postfix parameters let you configure methods for controlling what it politely refers to as unsolicited commercial mail (UCM).

Controlling User and Host Access

With an access file, you can control access by certain users, hosts, and domains. The access file works much like the one used for Sendmail. Entries are made in a text file beginning with the user, host, or domain name or address, followed by an action to be take. A user, host, or domain can be accepted, rejected, or rejected with a message. Once entries are made, they can be installed in a Postfix database file with the postmap command:

postmap /etc/postfix/access

You can then use the access file in various Postfix operations to control clients, recipients, and senders.

Blocking Access

Access can also be controlled by use of the Mail Abuse Prevention System (MAPS), which provides the RBL+ service, a collection of mail address DNS-based databases (mail-abuse.org). These databases, like the Realtime Blackhole List (RBL), list mail addresses that are known to be used by mail abusers. A domain or host is matched against a list maintained by the service. The service can be accessed on a local server or or directly from an online site. Various Postfix operations let you use MAPS databases to control access by clients, recipients, senders.

Header and Body Checks

With the header_checks parameter, you can specify a Postfix table where you can list criteria for rejecting messages. The criteria are patterns that can match message headers. You can have matching messages rejected, rejected with a reply, simply deleted, or a warning logged. You have the option of taking several actions including REJECT, DISCARD, WARN, HOLD, and IGNORE.

header_checks = regexp:/etc/postfix/header_checks

The database, in this case /etc/postfix/header_checks, will have lines, each with a regular expression and a corresponding action. The regular expression can be either a standard regular expression as denoted by regexp in the header_checks parameter (see Chapter 8), or it can conform to a Perl Compatible Regular Expression, prece.

The body_checks parameters lets you check the body of text messages, line by line, using regular expressions and actions like those used for header_checks.

Controlling Client, Senders, and Recipients

With the smtpd_client_restrictions parameter, you can restrict access to the mail server by certain clients. Restrictions you can apply include reject_unknown_client, which will reject any clients with unresolved addresses; permit_mynetworks, which allows access by any clients defined by mynetworks; and check_client_access, which will check an access database to see if a client should be accepted or rejected. The reject_ rbl_client and reject_rhsbl_client will reject clients from specified domains.

smtpd_client_restrictions = permit_mynetworks, \              reject_unknown_client, check_client_access, reject_maps_rbl

The reject_rbl_client restriction rejects domain addresses based on a specified MAPS service. The site can be an online site or a local one set up to provide it. The reject_rhsbl_client restriction rejects host addresses.

smtpd_client_restrictions = reject_rbl_client relays.mail-abuse.org

To implement restrictions from a access file, you can use the hash directive and the name of file.

smtpd_client_restrictions = hash:/etc/postfix/access

The corresponding smtpd_sender_restrictions parameter works much the same way as its client counterpart but controls access from specific senders. It has many of the same restrictions and adds reject_non_fqdn_sender, which will reject any mail header without a fully qualified domain name, and reject_sender_login_mismatch, which will require sender verification. The reject_rhsbl_sender restriction rejects domain addresses based on a specified MAPS service.

The smtpd_recipient_restrictions parameter will restrict the recipients the server will accept mail for. Restrictions include permit_auth_destination, which allows authorized messages, and reject_auth_destination, which rejects unauthorized messages. The check_recipient_address restriction will check local networks for recipient address, and check_recipient_maps will reject an address not verified in recipient tables listing local, relay, and virtual recipients along with aliases. The reject_unknown recipient_domain restriction rejects recipient addresses with no DNS entry. The reject_rhsbl_recipient restriction rejects domain addresses based on a specified MAPS service.

You can further refine restrictions with the parameters like smtpd_helo_restrictions, which requires a HELO command from a client. Restriction parameters include reject_ invalid_hostname, which checks for faulty syntax, reject_unknown_hostname for hosts with no DNS entry, and reject_non_fqdn_hostname for hosts whose names are not fully qualified. The strict_rfc821_envelopes parameter will implement strict envelope protocol compliance.



 < Day Day Up > 



Red Hat(c) The Complete Reference
Red Hat Enterprise Linux & Fedora Edition (DVD): The Complete Reference
ISBN: 0072230754
EAN: 2147483647
Year: 2004
Pages: 328

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net