Step 1: Install and Configure Postfix
Perform a basic Postfix installation and improve it
Note: this document is in the Fedora Server documentation staging area. It is not approved yet and may be incomplete or incorrect; you would probably prefer to study the published documentation. Status of this document: work in progress, version 0.2 (early state).
Basic installation
- Install and start Postfix
Additionally install swaks, a tool useful for testing mail connections and configuration.
[…]$ sudo -i
[…]# dnf install postfix swaks
[…]# systemctl start postfix
- Check if Postfix basically works
[…]# echo "This is a testmail" | sendmail root
[…]# tail -f /var/mail/root
[…]# tail -f /var/log/maillog
[…]# swaks --to root -s localhost
[…]# swaks --to root@mymailer.example.com -s localhost
On an external computer, install swaks and try to deliver to the server by name. Here -s must point at the mail server, not at the external computer's own localhost:
[…]# swaks --to root@mymailer.example.com -s mymailer.example.com
Basic configuration
- Make a backup copy of the central configuration file and then open it in the editor.
[…]# cp /etc/postfix/main.cf{,.f38}
[…]# vim /etc/postfix/main.cf
- Adjust hostname
By default Postfix uses gethostname(). If the host configuration is correct, it works. However, since a lot of other configuration parameters are derived from this one, you should set it permanently to be on the safe side. Postfix does not allow a comment at the end of a parameter line, so the "# <==" annotations below are editing hints, not text to type into the file.
:97                                  # skip to line 97
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = mymailer.example.com    # <== insert new line
- Adjust Internet interfaces to listen on
This is set to localhost by default and must be changed to either 'all' or a specific set of interfaces, separated by commas (e.g. <IP-localhost>, <IPv4 Server>, <IPv6 Server>).
:137                                        # skip to line 137
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost                # <== modify: comment out
inet_interfaces = all                       # <== insert new line
- Adjust which nodes Postfix should trust and relay mail for
For trusted network nodes, Postfix sends and forwards (relays) mail without any further checking. By default Postfix trusts all nodes on the host's subnet. That's fine if the host is part of a subnet that is protected by a router and firewall appliance.
Otherwise you will probably want to trust only the host itself:
mynetworks_style = host
If the host has a (virtual) internal network that should also be trusted, then the mynetworks_style parameter must be left unchanged and instead the networks must be explicitly listed with the mynetworks parameter.
mynetworks = 127.0.0.0/8 [::1]/128 192.168.100.0/24
- Adjust basic default TLS configuration
We use Let's Encrypt certificates as explained at the beginning.
Skip to the default TLS configuration part (e.g. "/TLS")
# TLS CONFIGURATION
#
# Basic Postfix TLS configuration by default with self-signed certificate
# for inbound SMTP and also opportunistic TLS for outbound SMTP.
## and added custom certificates.

# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
## For Postfix > 3.4 deprecated, use smtpd_tls_chain_files instead
##smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem

# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
## For Postfix > 3.4 deprecated, use smtpd_tls_chain_files instead
##smtpd_tls_key_file = /etc/pki/tls/private/postfix.key

## smtpd_tls_chain_files: multiple files are concatenated and treated as one
## file. The server KEY file must be FIRST!
## see https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
smtpd_tls_chain_files = /etc/letsencrypt/live/cheiron.libreccm.org/privkey.pem /etc/letsencrypt/live/cheiron.libreccm.org/fullchain.pem

# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
#
smtpd_tls_security_level = may

# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = /etc/pki/tls/certs

# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# Outbound TLS security (SMTP client)
## Recommended configuration Postfix >= 3.4 (empty or commented out)
smtp_tls_chain_files = ${smtpd_tls_chain_files}

# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
smtp_tls_security_level = may

# TLS, DNSSEC and DANE for SMTP client
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

## Accept auth over encrypted channel only
smtpd_tls_auth_only = yes
# END Customized default TLS communication
- Add various custom settings
Skip to the end of the file (type G)
# #########################################################################
#
# CUSTOM CONFIGURATION
#
# #########################################################################

## Reject unknown recipients permanently
unverified_recipient_reject_code = 577

## Unknown target: don't show the exact table name
show_user_unknown_table_name = no

## Adjust message & mailbox size
message_size_limit = 104857600
mailbox_size_limit = 0

## Mail queue properties
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

### No system messages to users about new e-mail
biff = no

### Users have to specify a complete (FQDN) e-mail address
append_dot_mydomain = no

# The VRFY command allows querying a mail address without MAIL FROM.
# Prevent bad guys from querying for valid email addresses
disable_vrfy_command = yes
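To confirm that the settings from the sections above really took effect (Postfix uses the last assignment of a parameter, ignores commented-out lines and joins continuation lines), here is an added audit script that is not part of the Fedora documentation. It reads a constructed sample main.cf embedded in the script; on the server itself run pf_audit against /etc/postfix/main.cf, or compare with the output of postconf -n.

```shell
# Audit the main.cf parameters this page sets. pf_get reads main.cf the way
# Postfix does: '#' lines are comments, whitespace-led lines continue the
# previous value, and the LAST assignment of a parameter wins.
pf_get() {  # pf_get <main.cf> <parameter>  -> prints the effective value
    awk -v key="$2" '
        /^[ \t]/ { if (inkey) val = val " " $0; next }  # continuation line
        { inkey = 0 }
        /^#/ { next }                                   # comment line
        $0 ~ ("^" key "[ \t]*=") { sub("^" key "[ \t]*=[ \t]*", ""); val = $0; inkey = found = 1 }
        END { if (found) { gsub(/[ \t]+/, " ", val); sub(/ $/, "", val); print val } }
    ' "$1"
}
pf_chk() {  # pf_chk <main.cf> <parameter> <expected> <why>; returns 1 on a finding
    got=$(pf_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2 = '${got:-<unset>}' (want '$3'): $4"; return 1
}
pf_audit() {  # pf_audit <main.cf>; prints findings, returns their number
    n=0
    pf_chk "$1" smtpd_tls_security_level may "STARTTLS not offered to inbound clients" || n=$((n+1))
    pf_chk "$1" smtpd_tls_auth_only yes "SASL AUTH accepted over plaintext" || n=$((n+1))
    pf_chk "$1" smtp_tls_security_level may "no opportunistic TLS for outbound mail" || n=$((n+1))
    pf_chk "$1" disable_vrfy_command yes "VRFY lets anyone enumerate valid addresses" || n=$((n+1))
    pf_chk "$1" show_user_unknown_table_name no "rejections reveal internal table names" || n=$((n+1))
    [ "$(pf_get "$1" inet_interfaces)" != localhost ] ||
        { echo "FAIL inet_interfaces = localhost: unreachable from other hosts"; n=$((n+1)); }
    [ "$(pf_get "$1" mynetworks_style)" = host ] || [ -n "$(pf_get "$1" mynetworks)" ] ||
        { echo "WARN mynetworks left at default: the whole subnet may relay"; n=$((n+1)); }
    return $n
}
# Constructed sample standing in for /etc/postfix/main.cf (not a real host's file):
# inet_interfaces overridden further down, smtpd_tls_auth_only still commented
# out, and a two-line smtpd_tls_chain_files value.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
inet_interfaces = localhost
inet_interfaces = all
mynetworks_style = host
smtpd_tls_chain_files = /etc/letsencrypt/live/mymailer.example.com/privkey.pem
    /etc/letsencrypt/live/mymailer.example.com/fullchain.pem
smtpd_tls_security_level = may
#smtpd_tls_auth_only = yes
smtp_tls_security_level = may
disable_vrfy_command = yes
show_user_unknown_table_name = no
EOF
pf_audit "$SAMPLE" || echo "$? finding(s)"   # on the server: pf_audit /etc/postfix/main.cf
```

The sample reports exactly one finding, the still-commented smtpd_tls_auth_only, which is the mistake that lets SASL credentials cross the wire unencrypted.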