Step 1: Install and Configure Postfix

Peter Boy (pboy@fedoraproject.org), Version F38, Last review: 2023-03-xx
Perform a basic Postfix installation and improve it

You are in the Fedora Server documentation staging area!

These documents are not approved yet and may be incomplete and/or incorrect. Take everything here with a grain of salt! You would probably prefer to study the published documentation.

Status of this document: Work in progress, version 0.2 (early state).

You may help us and comment using the ticket system - see button above

Basic installation

  1. Install and start Postfix

    Additionally install swaks, a tool useful to test mail connections and configuration.

    […]$ sudo -i
    […]# dnf install postfix swaks
    […]# systemctl start postfix
  2. Check if Postfix basically works

    […]# echo "This is a testmail" | sendmail root
    […]# tail -f /var/mail/root
    […]# tail -f /var/log/maillog
    […]# swaks  --to root -s localhost
    […]# swaks  --to root@mymailer.example.com -s localhost

    On an external computer, install swaks and try delivery to the new server (the -s option names the server to connect to, so here it must be the mailer, not localhost):

    […]# swaks --to root@mymailer.example.com -s mymailer.example.com

Basic configuration

  1. Make a backup copy of the central configuration file and then open it in the editor.

    […]# cp /etc/postfix/main.cf{,.f38}
    […]# vim /etc/postfix/main.cf
  2. Adjust hostname

    By default Postfix uses gethostname(). If the host configuration is correct, it works. However, since a lot of other configuration parameters are derived from this one, you should set it explicitly to be on the safe side.

    :97                                  # skip to line 97
    #myhostname = host.domain.tld
    #myhostname = virtual.domain.tld
    myhostname = mymailer.example.com    # <== insert new line
  3. Adjust Internet interfaces to listen on

    By default it is set to localhost and must be changed to either 'all' or a specific set of interfaces, separated by commas (e.g. <IP-localhost>, <IPv4 Server>, <IPv6 Server>).

    :137                                    # skip to line 137
    #inet_interfaces = all
    #inet_interfaces = $myhostname
    #inet_interfaces = $myhostname, localhost
    #inet_interfaces = localhost            # <== modify, comment out
    inet_interfaces = all                   # <== insert new line
  4. Adjust which nodes postfix should trust and relay mail for

    For trusted network nodes, Postfix in particular accepts and relays mail without any special additional checking. By default Postfix trusts all nodes on the host's subnet. That's fine if the host is part of a subnet that is protected by a router and firewall appliance.

    Otherwise you will probably want to trust just the host itself:

    mynetworks_style = host

    If the host has a (virtual) internal network that should also be trusted, then the mynetworks_style parameter must be left unchanged and instead the networks must be explicitly listed with the mynetworks parameter.

    mynetworks = 127.0.0.0/8
                 [::1]/128
                 192.168.100.0/24
  5. Adjust basic default TLS configuration

    We use Let's Encrypt certificates as explained at the beginning.

    Skip to the default TLS configuration part (e.g. search with "/TLS")

    # TLS CONFIGURATION
    #
    # Basic Postfix TLS configuration by default with self-signed certificate
    # for inbound SMTP and also opportunistic TLS for outbound SMTP.
    ## and added custom certificates.
    
    # The full pathname of a file with the Postfix SMTP server RSA certificate
    # in PEM format. Intermediate certificates should be included in general,
    # the server certificate first, then the issuing CA(s) (bottom-up order).
    #
    ## For Postfix > 3.4 deprecated, use smtpd_tls_chain_files instead
    ##smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
    
    # The full pathname of a file with the Postfix SMTP server RSA private key
    # in PEM format. The private key must be accessible without a pass-phrase,
    # i.e. it must not be encrypted.
    #
    ## For Postfix > 3.4 deprecated, use smtpd_tls_chain_files instead
    ##smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
    
    ## smtpd_tls_chain_files: multiple files are concatenated and treated as one
    ## file. The server KEY file must be FIRST!
    ## see https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
    smtpd_tls_chain_files = /etc/letsencrypt/live/cheiron.libreccm.org/privkey.pem
                            /etc/letsencrypt/live/cheiron.libreccm.org/fullchain.pem
    
    # Announce STARTTLS support to remote SMTP clients, but do not require that
    # clients use TLS encryption (opportunistic TLS inbound).
    #
    smtpd_tls_security_level = may
    
    # Directory with PEM format Certification Authority certificates that the
    # Postfix SMTP client uses to verify a remote SMTP server certificate.
    #
    smtp_tls_CApath = /etc/pki/tls/certs
    
    # The full pathname of a file containing CA certificates of root CAs
    # trusted to sign either remote SMTP server certificates or intermediate CA
    # certificates.
    #
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    
    # Outbound TLS security (SMTP client)
    
    ## Recommended configuration Postfix >= 3.4 (empty or commented out)
    smtp_tls_chain_files = ${smtpd_tls_chain_files}
    
    # Use TLS if this is supported by the remote SMTP server, otherwise use
    # plaintext (opportunistic TLS outbound).
    smtp_tls_security_level = may
    
    # TLS, DNSSEC and DANE for SMTP client
    #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    #smtp_tls_security_level = dane
    smtp_dns_support_level = dnssec
    
    
    ## Accept auth over encrypted channel only
    smtpd_tls_auth_only = yes
    
    # END Customized default TLS communication
  6. Add various customizations

    Skip to the end of file (type G)

    # #########################################################################
    #
    # CUSTOM CONFIGURATION
    #
    # #########################################################################
    
    ## Reject unknown recipients permanently
    unverified_recipient_reject_code = 577
    
    ## Unknown target, don't show exact table name
    show_user_unknown_table_name = no
    
    ## Adjust message & mailbox size
    message_size_limit = 104857600
    mailbox_size_limit = 0
    
    ## Mail-Queue properties
    maximal_queue_lifetime = 1h
    bounce_queue_lifetime = 1h
    maximal_backoff_time = 15m
    minimal_backoff_time = 5m
    queue_run_delay = 5m
    
    ### No system-messages to users about new e-mail
    biff = no
    
    ### Users have to specify a complete (FQDN) e-mail address
    append_dot_mydomain = no
    
    # The VRFY command allows asking whether an address exists without a MAIL FROM.
    # Disable it so that valid email addresses cannot be enumerated that way
    disable_vrfy_command = yes
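    The six configuration steps above are done by hand in the editor. As an added example, not part of the Fedora documentation or of Postfix itself, the following POSIX shell script collects the settings from steps 2 to 6 in one place, reports where an existing main.cf deviates from them (honouring comment lines, indented continuation lines and "last assignment wins", as Postfix does), and can apply them with Postfix's own postconf -e instead of editing the file. It assumes the page's example hostname mymailer.example.com and the CA bundle path from the TLS section; the function names (expected_settings, effective_settings, check_main_cf, apply_settings, tls_probe) are mine, mynetworks_style = host is taken as the default choice, and the site-specific smtpd_tls_chain_files paths are deliberately left out of the checked set.

```shell
#!/bin/sh
# Added example (not from the Fedora docs or Postfix): check or apply the
# main.cf settings from steps 2 to 6. Hostname is the page's example value.

# Settings from the steps above, one "key = value" per line. If you list
# networks in mynetworks instead of trusting only the host, drop the
# mynetworks_style line. smtpd_tls_chain_files is site-specific, not checked.
expected_settings() {
    cat <<'EOF'
myhostname = mymailer.example.com
inet_interfaces = all
mynetworks_style = host
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_dns_support_level = dnssec
smtpd_tls_auth_only = yes
show_user_unknown_table_name = no
disable_vrfy_command = yes
EOF
}

# Print the effective "key = value" for every parameter in FILE using main.cf
# rules: '#' and blank lines are ignored, a line starting with whitespace
# continues the previous parameter, a later assignment overrides an earlier one.
effective_settings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            if (key != "") { sub(/^[ \t]+/, ""); val[key] = val[key] " " $0 }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[key] = v
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END { for (i = 1; i <= n; i++) printf "%s = %s\n", order[i], val[order[i]] }
    ' "$1"
}

# Compare FILE with expected_settings. Prints one line per deviation
# (MISSING or MISMATCH); returns 1 if there is any, 0 if everything matches.
check_main_cf() {
    want_file=$(mktemp) || return 2
    have_file=$(mktemp) || return 2
    expected_settings > "$want_file"
    effective_settings "$1" > "$have_file"
    rc=0
    while IFS= read -r want; do
        key=${want%% =*}
        value=${want#* = }
        have=$(grep "^$key = " "$have_file" | sed "s/^$key = //")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want: %s)\n' "$key" "$value"; rc=1
        elif [ "$have" != "$value" ]; then
            printf 'MISMATCH %s = %s (want: %s)\n' "$key" "$have" "$value"; rc=1
        fi
    done < "$want_file"
    rm -f "$want_file" "$have_file"
    return $rc
}

# Apply expected_settings with postconf -e (edits main.cf in place, keeping
# comments), then syntax-check and reload. Run as root on the mail host.
apply_settings() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found" >&2; return 1; }
    [ -e /etc/postfix/main.cf.f38 ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.f38
    expected_settings | while IFS= read -r setting; do postconf -e "$setting"; done
    postfix check && systemctl reload postfix
}

# Check inbound STARTTLS and certificate verification from another machine.
# Needs network access, so the offline checks do not call it.
tls_probe() {
    host=${1:-mymailer.example.com}
    openssl s_client -starttls smtp -connect "$host:25" -servername "$host" \
        -CAfile /etc/pki/tls/certs/ca-bundle.crt </dev/null 2>&1 |
        grep -E 'Verify return code|Protocol|Cipher'
}

# Usage: sh postfix-settings.sh /etc/postfix/main.cf   (report deviations)
#        sh postfix-settings.sh --apply                 (apply as root)
#        sh postfix-settings.sh --tls mymailer.example.com
case "${1:-}" in
    "")      ;;                        # no argument: only define the functions
    --apply) apply_settings ;;
    --tls)   tls_probe "$2" ;;
    *)       check_main_cf "$1" ;;
esac
```

    Running the script against the untouched Fedora main.cf lists every parameter the steps change (inet_interfaces = localhost shows up as a MISMATCH, the others as MISSING); once the file is edited, or after --apply, it is silent and exits 0, which makes it usable as a quick drift check after later updates.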

Basic junk and relay control

First defense wall: Postscreen

TBD

Second defense wall: Restrictions

TBD

Testing the configuration

TBD