Postfix
Installer Postfix
# cd /usr/ports/mail/postfix # make config
Verifier que les options suivantes soient sélectionnées : MYSQL, TLS, PCRE, DOVECOT2, SASL2, SPF # make install clean && rehash # echo 'postfix_enable="YES"' >> /etc/rc.conf
Editer ou completer les 2 fichiers suivants :
/etc/rc.conf- - - - - - - - - - - - - - - - - - sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" sendmail_msp_queue_enable="NO" - - - - - - - - - - - - - - - - - -
/etc/periodic.confdaily_clean_hoststat_enable="NO" daily_status_mail_rejects_enable="NO" daily_status_include_submit_mailq="NO" daily_submit_queuerun="NO"
Fichiers de configuration
/usr/local/etc/main.cfcompatibility_level = 2 myhostname = mail.domain.tld mydomain = domain.tld myorigin = $mydomain mynetworks_style = host relayhost = # ========================================================================== # LMTP virtual_transport = dovecot dovecot_destination_recipient_limit=1 relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains.cf virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_domains.cf virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf virtual_mailbox_base = /mail virtual_minimum_uid = 5000 virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 # ========================================================================== ### Enable SASL Authentication, tell postfix where is the socket for authentication requests smtpd_sasl_auth_enable = yes #reporter les noms de login SASL dans les en-têtes de message Received smtpd_sasl_authenticated_header = yes # on utilise le SASL de Dovecot smtpd_sasl_type = dovecot # Chemin vers le socket Unix smtpd_sasl_path = /var/spool/postfix/private/auth # Ceci assure une compatibilite avec d'anciens clinet (Outlook par ex.) broken_sasl_auth_clients = yes smtpd_sasl_local_domain = $mydomain # Activer l'authentification en clair (authentification PLAIN ou LOGIN) smtpd_sasl_security_options = noanonymous # ========================================================================== # Règles sur les adresses de destination # permit_sasl_authenticated : Accepter la connexion lorsque le client est authentifié # reject_non_fqdn_recipient : Refuser les adresses de destinations invalides (non FQDN) smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, #reject_spf_invalid_sender, reject_rbl_client zen.spamhaus.org # Règles sur l'échange HELO qui survient avant la connexion # reject_invalid_helo_hostname : Refuser les échanges HELO invalides # reject_non_fqdn_helo_hostname : Refuser les noms d'hôte invalides (non FQDN) # reject_unknown_helo_hostname : Refuser les noms d'hôte qui n'ont pas de champ DNS A ou MX dans leurs DNS. smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname # reject_unknown_helo_hostname # Règles de connexion des clients # permit_sasl_authenticated : Accepter la connexion lorsque le client est authentifié # reject_plaintext_session : Refuser les connexions non sécurisées # reject_unauth_pipelining : Refuser les défauts lors de la connexion smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated # reject_plaintext_session, # reject_unauth_pipelining # Règles sur les expéditeurs # reject_non_fqdn_sender : Refuser les expéditeurs invalides (non FQDN) # reject_unknown_sender_domain : Refuser les expéditeurs qui n'ont pas de champ DNS A ou MX dans leurs DNS. smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain # ========================================================================== # Adjust time-related queue parameters maximal_queue_lifetime = 4h bounce_queue_lifetime = 4h # Instruct postfix to add SPF received header, this will be used by SpamAssassin for SPAM scoring # spf_received_header = yes mynetworks = $config_directory/mynetworks # ========================================================================== # TLS CONFIG # Smtp ( OUTGOING / Client ) smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes # Smtpd ( INCOMING / Server ) # Enable (optional) TLS encryption smtpd_use_tls = yes smtpd_tls_loglevel = 1 smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_received_header = yes # Caching for Server-Side Certificate Setups (smtpd) 3600=1H smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache smtpd_tls_session_cache_timeout = 3600s # Caching for Client-Side Certificate Setups (smtp) smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache smtp_tls_session_cache_timeout = 3600s lmtp_tls_session_cache_database = btree:${data_directory}/lmtp_tls_session_cache # TLS certificates # smtpd_tls_cert_file = /etc/ssl/postfix/cert.pem # smtpd_tls_key_file = /etc/ssl/postfix/key.pem # smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem # Certificats StartSSL valides smtpd_tls_cert_file = /usr/local/etc/postfix/certificats/1_mail.domain.tld_bundle.crt smtpd_tls_key_file = /usr/local/etc/postfix/certificats/mail.domain.tld.key smtpd_tls_CAfile = /usr/local/etc/postfix/certificats/root.crt # External entropy source for the pseudo random number generator pool. # Specify /dev/arandom when /dev/urandom gives timeout errors. tls_random_source = dev:/dev/urandom # ========================================================================== # setup opendkim & opendmarc smtpd_milters = inet:127.0.0.1:8891, inet:localhost:8893 non_smtpd_milters = $smtpd_milters milter_default_action = accept # ========================================================================== # Vacation auto responder transport_maps = hash:/usr/local/etc/postfix/transport vacation_destination_recipient_limit = 1 # ========================================================================== # Augmenter la taille des messages a 50M (1024*1024*50) message_size_limit=52428800 # Taille maxi des Boites , environ 10G mailbox_size_limit = 10240000000 # ========================================================================== # RESTRICTIONS # Vérification des Headers, du Body et du Type Mime par Postfix header_checks = regexp:/usr/local/etc/postfix/checks/header_checks.cf body_checks = regexp:/usr/local/etc/postfix/checks/body_checks.cf mime_header_checks = regexp:/usr/local/etc/postfix/checks/mime_headers_checks.cf # ========================================================================== # Amavisd content_filter = amavisfeed:[127.0.0.1]:10024
/usr/local/etc/master.cf# ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - n - - smtpd #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog #tlsproxy unix - - n - 0 tlsproxy submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd # -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ========================================================================== # DOVECOT2 dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient} # ========================================================================== # VACATION (postfixadmin plugin) vacation unix - n n - - pipe flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient} # ========================================================================== # AMAVISD-NEW amavisfeed unix - - n - 2 lmtp -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps= -o relay_recipient_maps= # ==========================================================================
Requettes SQL
/usr/local/etc/postfix/mysql_relay_domains.cfuser = utilisateur password = mot de passe hosts = 127.0.0.1 dbname = postfix query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = 1 AND active = 1
/usr/local/etc/postfix/mysql_virtual_mailbox_domains.cfuser = utilisateur password = mot de passe hosts = 127.0.0.1 dbname = postfix query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = 0 AND active = 1
/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cfuser = utilisateur password = mot de passe hosts = 127.0.0.1 dbname = postfix query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
/usr/local/etc/postfix/mysql_virtual_alias_maps.cfuser = utilisateur password = mot de passe hosts = 127.0.0.1 dbname = postfix query = SELECT goto FROM alias WHERE address='%s' AND active = true
On ajoute ces 2 tables au fichier de config de postfix
# echo '127.0.0.1' >> /usr/local/etc/postfix/mynetworks # echo 'autoreply.example.com vacation:' >> /usr/local/etc/postfix/transport # postmap /usr/local/etc/postfix/mynetworks # postmap /usr/local/etc/postfix/transport
