PostFix Overview
For some administrators, PostFix is an excellent alternative to Sendmail. PostFix is installed by default on Fedora Core and Red Hat Linux systems, but is not enabled by the alternatives system. It was developed as a more secure and modern alternative to Sendmail, and though it is compatible with Sendmail in almost all areas, note that PostFix's emulation of Sendmail command-line syntax is not 100% accurate. PostFix features include:
Multiple functional daemons that operate independently and without root-level permission, enhancing MTA security
Use of /etc/aliases as well as procmail-style ~/.forward files
Ability to deliver mail to mbox-style mailboxes in /var/spool/mail/
Though Sendmail is older and, in many cases, crankier than PostFix, it is still the default alternatives-enabled MTA on Red Hat Linux and Fedora Core based systems. Those who want to use PostFix must deliberately enable it. This section offers some basic configuration and feature information; for more detailed assistance, check the resources at the end of the chapter or visit www.postfix.org.
PostFix versus Sendmail
If you're new to PostFix but experienced with Sendmail, you probably want to know what differs between the two MTAs. One of the major differences is how each is configured straight out of the box on a stock system. If you telnet to the SMTP port on each MTA, you'll see this for Sendmail 8.12.10:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 es.playground.crudnet.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 30 Oct 2003 22:42:38 -0500
ehlo t.net
250-playground.mydomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
The output for PostFix 2.0.11 is a bit different.
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 es.playground.crudnet.org ESMTP Postfix
ehlo t.net
250-es.playground.crudnet.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
As you can see, SMTP-Auth is not configured by default under PostFix. It can be turned on easily in the /etc/postfix/master.cf file, however. Neither Sendmail nor PostFix binds to anything other than localhost, by default, for incoming SMTP.
Tip: For more information on SMTP-Auth, see the local sample file /usr/share/doc/postfix-2.0.11/samples/sample-auth.cf, or just look for the line that contains the option smtpd_sasl_auth_enable=yes in your /etc/postfix/master.cf file.
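As an added illustration (not code from the original text), the following Python parser reads EHLO replies like the two sessions above and reports which extensions each MTA advertises, so an administrator can confirm from the client side whether AUTH is exposed before or after enabling it. The two reply texts are constructed from the sessions shown.

```python
# Added example, not from the original text: parse EHLO replies like the two
# sessions above and report which SMTP extensions each MTA advertises.
import re

# Constructed from the telnet sessions in the text; banner and echoed command
# are kept so the parser must skip them, as a real client would.
SENDMAIL_REPLY = """220 es.playground.crudnet.org ESMTP Sendmail 8.12.10/8.12.10
ehlo t.net
250-playground.mydomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
"""
POSTFIX_REPLY = """220 es.playground.crudnet.org ESMTP Postfix
ehlo t.net
250-es.playground.crudnet.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
"""
EHLO_LINE = re.compile(r"^250([- ])(\S+)(?:\s+(.*))?$")

def parse_ehlo_reply(text):
    """Map EXTENSION -> parameter string from a multi-line 250 EHLO reply.
    The first 250 line is the greeting, not an extension; '250 ' ends the reply."""
    caps, seen_greeting = {}, False
    for line in text.splitlines():
        m = EHLO_LINE.match(line.strip())
        if not m:
            continue  # 220 banner, the echoed EHLO command, blank lines
        sep, keyword, params = m.groups()
        if seen_greeting:
            caps[keyword.upper()] = params or ""
        seen_greeting = True
        if sep == " ":
            break  # final line of the reply
    return caps

def auth_mechanisms(caps):
    """SASL mechanisms offered via AUTH; empty when SMTP-Auth is not advertised."""
    return caps.get("AUTH", "").split()
```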
Configuring PostFix
The true differences between PostFix and Sendmail begin to appear in configuration. While PostFix is "Sendmail-compatible," its design is quite unlike Sendmail's. PostFix splits up the various MTA functions and assigns each to a different program. These programs are configured and run as related services, but are independent of each other. This is a more secure design than Sendmail's single large program.

Because each function is a separate program, you must configure each independently. This is more work at the start of a PostFix installation, but allows you a greater level of fine-grained configuration for your particular needs. PostFix configuration files are stored in /etc/postfix, and include:
access
aliases
aliases.db
canonical
main.cf
main.cf.default
master.cf
pcre_table
postfix-files
postfix-script
post-install
regexp_table
relocated
transport
virtual
Most of these files are relatively self-explanatory. Brief descriptions of the most important PostFix configuration files follow.
/etc/postfix/main.cf
The /etc/postfix/main.cf file is PostFix's primary configuration file. It is equivalent to /etc/sendmail.cf, but is editable like /etc/sendmail.mc. A sample main.cf file might look like this:
#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
#default_privs = nobody
#myhostname = host.domain.tld
[...]
inet_interfaces = localhost
#inet_interfaces = all
[...]
mydestination = $myhostname, localhost.$mydomain
[...]
#local_recipient_maps = unix:passwd.byname $alias_maps
[...]
unknown_local_recipient_reject_code = 450
[...]
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
[...]
#relay_domains = $mydestination
#relayhost = $mydomain
[...]
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s
alias_maps = hash:/etc/postfix/aliases
[...]
#alias_database = dbm:/etc/aliases
[...]
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.11/samples
readme_directory = /usr/share/doc/postfix-2.0.11/README_files
alias_database = hash:/etc/postfix/aliases
When you first configure PostFix, you will need to change the inet_interfaces setting from localhost to the server's primary IP address, a secondary IP address, or all for an Internet mail server. The default localhost setting will not allow PostFix to listen for incoming mail from the network.

Many administrators will also want to add a setting for the virtual_maps directive, the PostFix equivalent of the virtusertable file in Sendmail configuration. To do so, add this line:
virtual_maps = hash:/etc/postfix/virtual
After any configuration file change, you should reload or restart PostFix with its init script, for example:
# /etc/init.d/postfix start
Starting postfix: [ OK ]
Tip: To learn more about the /etc/postfix/main.cf file, see www.redhat.com/support/resources/howto/RH-postfix-HOWTO/x118l.
/etc/postfix/master.cf
PostFix's master process configuration file is located at /etc/postfix/master.cf. The master PostFix daemon is a supervisory application, run as root, which manages and monitors all other PostFix processes. The master.cf file contains various settings that affect all PostFix processes, such as message throttling, feature settings, and subdaemon configurations.

Each line in the master.cf file describes how a particular component or subdaemon is to run. Where the main.cf file controls MTA configuration for paths, aliases, options, and hostname or domain settings, master.cf manages the individual programs run by the master binary. These programs generally provide individual services, such as SMTP, bounce management, mail queues, alternate mail engines, protocols, spam and virus filters, and so on.

The stock /etc/postfix/master.cf file looks much like this:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
#qmgr     fifo  n       -       n       300     1       qmgr
qmgr      fifo  n       -       n       300     1       nqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
You will probably want to turn on SMTP-Auth rather than use the stock SMTP setting. To do so, comment out the smtp line in master.cf and replace it with this line:
smtp      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
The master.cf file is extremely flexible, and offers a great deal of power in configuring a responsive and secure MTA. For example, here's a real-world master.cf modification written by Kevin Taylor, a Linux sysadmin and RHCE at Rackspace Managed Hosting. Kevin wanted to set up a procmail antivirus quarantine system, which used master.cf. The system needed to hand incoming mail from the SMTP subdaemon to procmail, with a maximum of 5 filter processes (the maxproc column). This is how he did it:
smtp      inet  n       -       y       -       -       smtpd -o content_filter=filter:
filter    unix  -       n       n       -       5       pipe user=filter
  argv=/usr/bin/procmail -m /etc/procmailrc ${sender} ${recipient}
This set up a filter entry in his master.cf file: a dedicated service running as the user filter, through which Kevin piped all incoming e-mail using a procmail antivirus recipe. You'll find other procmail antivirus recipes at http://agriroot.aua.gr/~nikant/nkvir/.
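To make the service table above easier to review, here is an added Python example (not code from the original text or from Postfix itself) that parses master.cf entries, including indented continuation lines and "-o" overrides like the SMTP-Auth and content_filter settings just shown, and lists the services that start with root privilege or face the network without a chroot. The sample file is constructed for the example.

```python
# Added example, not from the original text or from Postfix itself: parse a
# master.cf in the layout shown above and report which services start with
# root privilege (unpriv = n), are network-facing but not chrooted, or carry
# "-o" overrides such as the SMTP-Auth and content_filter settings.
COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")
DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y", "wakeup": "never", "maxproc": "100"}
# Constructed excerpt: stock-style entries plus the submission (SMTP-Auth) and
# procmail filter services discussed in the text.
SAMPLE_MASTER_CF = """
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd -o content_filter=filter:
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       n       60      1       pickup
local     unix  -       n       n       -       -       local
filter    unix  -       n       n       -       5       pipe user=filter
  argv=/usr/bin/procmail -m /etc/procmailrc ${sender} ${recipient}
"""

def parse_master_cf(text):
    """Return a list of service dicts; indented lines continue the previous entry."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank or comment line
        if raw[0].isspace():                  # continuation of the previous entry
            services[-1]["args"] += raw.split()
            continue
        fields = raw.split()
        # "-" in a column means "use the default" shown in the file header
        entry = {c: DEFAULTS.get(c, v) if v == "-" else v for c, v in zip(COLUMNS, fields)}
        entry["command"], entry["args"] = fields[7], fields[8:]
        services.append(entry)
    return services

def overrides(entry):
    # "-o name=value" pairs that override main.cf for this service only
    args = entry["args"]
    return dict(v.split("=", 1) for f, v in zip(args, args[1:]) if f == "-o" and "=" in v)

def audit(services):
    # Findings a reviewer would raise from the privilege and chroot columns
    findings = []
    for s in services:
        if s["unpriv"] == "n":
            findings.append(f"{s['service']}/{s['type']}: starts with root privilege")
        if s["chroot"] == "n" and s["type"] == "inet":
            findings.append(f"{s['service']}/{s['type']}: network-facing and not chrooted")
    return findings
```

Note that pipe-based services such as the filter entry legitimately need unpriv = n so that pipe can switch to the user= account; the audit output is a review list, not a list of errors.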
/etc/postfix/virtual
The /etc/postfix/virtual file is the PostFix equivalent of Sendmail's virtusertable file.
Note: If you want to enable this feature, it must be added and turned on in the main.cf file before you begin to use it.
The main difference between the PostFix virtual file and Sendmail's virtusertable file is that virtual must have its virtual domains declared in the file before they can be used by the MTA. Entries in a PostFix virtual file might look like this:
mydomain.com Bob's virtual domain
bob@mydomain.com bob
bob-home@mydomain.com bsmith@yahoo.com
@mydomain.com bob
On the first line of the virtual file, the text after the virtual domain's name declaration is ignored by PostFix. Most administrators simply insert the word VIRTUAL for the sake of clarity.

One advantage that PostFix holds over Sendmail is that you no longer need to maintain a separate local-domains file to hold all of your local domain names, since you declare all virtual domains in /etc/postfix/virtual. In addition, you no longer need to add wildcard or catch-all accounts at the bottom of your virtual mapping file. For sysadmins who like to automate as many processes as possible, this is great because you can simply write a script that uses cat to append new users to the end of the virtual file without worrying about their location within the file.
Note: Every time you modify /etc/postfix/virtual, whether to add a new domain or a new address, you must rebuild the virtual.db hash file with the postmap command. Changes will be applied instantly, so you don't have to restart or reload the main PostFix daemon.
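Because the file format is simple, a small check before running postmap can catch the one mistake the text warns about: an address whose domain was never declared. The following is an added Python example (not from the original text or from Postfix) that parses a virtual map in the format shown above, lists undeclared domains, and resolves recipients in the order the table is consulted: exact user@domain entry first, then the @domain catch-all. The sample map is constructed from the example above plus one deliberately bad entry.

```python
# Added example, not from the original text or from Postfix: parse a virtual
# map in the format shown above, check that every address's domain is declared
# in the file, and resolve a recipient the way the table is consulted (exact
# user@domain entry first, then the @domain catch-all).
VIRTUAL_SAMPLE = """\
# constructed from the example in the text, plus one deliberately bad entry
mydomain.com            VIRTUAL
bob@mydomain.com        bob
bob-home@mydomain.com   bsmith@yahoo.com
@mydomain.com           bob
sales@otherdomain.org   bob
"""

def parse_virtual(text):
    """Return (declared_domains, {address_or_catchall: [targets]})."""
    domains, table = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, *rest = line.split(None, 1)
        if "@" not in key:                     # domain declaration; RHS is ignored
            domains.add(key.lower())
        else:                                  # address or @domain catch-all
            targets = rest[0] if rest else ""
            table[key.lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return domains, table

def undeclared(domains, table):
    """Mapped addresses whose domain was never declared in the file."""
    return sorted(k for k in table if k.split("@", 1)[1] not in domains)

def resolve(table, address):
    """Targets for an address: exact entry first, then @domain catch-all, else None."""
    addr = address.lower()
    if addr in table:
        return table[addr]
    return table.get("@" + addr.split("@", 1)[1])
```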
/etc/postfix/aliases
The /etc/postfix/aliases file is equivalent to Sendmail's /etc/aliases file. In fact, you should be able to use your /etc/aliases file as a direct replacement. However, because of the file's location under Sendmail, and because PostFix checks this file for system aliases, you will need to rebuild its hash file each time you add a new alias. In PostFix, you rebuild the hash file from the command line with the postalias command, as in
# postalias hash:/etc/postfix/aliases
The hash file is also rebuilt automatically whenever the PostFix daemon is restarted, just as in Sendmail.