Postfix Configuration

[Mischback]

This issue just documents the configuration of Postfix with some additional notes.

Please note that Postfix and Dovecot work closely together and can not be handled independently!

Postfix Configuration

• [x] mydestination for Postfix's canonical domains, that is domains that are directly related to the server. Might just be localhost and the actual mail setup relies on virtual domains
• [x] mynetworks: Should most likely be empty or just containing my very own subnet
• [x] Use Dovecot for SASL authentication: smtpd_sasl_type=dovecot
• [x] Use the existing authentication socket: smtpd_sasl_path=private/auth
• [x] smtpd_sasl_auth_enable=yes Verify this setting
• [x] smtpd_tls_security_level=may Verfiy this setting (document what it is doing!)
• [x] smtpd_tls_auth_only=yes Verfiy this setting (document what it is doing!)
• [x] smtpd_tls_cert_file=/etc/letsencrypt/live/webmail.example.org/fullchain.pem
  • provide the actual path to the certificate file
• [x] smtpd_tls_key_file=/etc/letsencrypt/live/webmail.example.org/privkey.pem (see above)
• [x] smtp_tls_security_level=may Verify this setting (document what it is doing!)
• [x] virtual mailboxes: virtual_mailbox_maps
• [x] virtual domains: virtual_mailbox_domains
• [x] (virtual) aliases: virtual_alias_maps
• [x] Verify: smtpd_recipient_restrictions=reject_sender_login_mismatch
• [x] use Dovecot's lmtp service: virtual_transport=lmtp:unix:private/dovecot-lmtp
• [x] use Dovecot's quota service: smtpd_recipient_restrictions=reject_unauth_destination,"check_policy_service unix:private/quota-status"
• [x] smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination Verify this setting (document what it is doing!)
• [x] enable submission service in /etc/postfix/master.cf

  submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

• [x] review smtpd_sender_login_maps and make that work
  • The tutorial allow (by default) only sending from your own account. The setup should support sending from alias addresses aswell
  • Has to be included in the submission service like -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  • needs mirror rule: michael@mischback.de michael@mischback.de
• inet_interfaces=all Verify this setting! Details in #19

[Mischback]

Postfix might be tied to a dedicated IPv4/IPv6 address.

This will make SPF/DMARC/... possible without too much interdependent settings with other services.

Highly relevant for an IPv6 setup, that maintains scalability.

See https://serverfault.com/questions/92181/how-to-make-postfix-use-another-ip-address#92207

Moved to #19

[Mischback]

Basic setup completed with f749eb01c201f1f5d85f6997177c45bd0d1cd80b

• Postfix is accepting mails for mailboxes and aliases
• Postfix's sending capabilities are not yet tested