Chapter 10. Postfix

Postfix is an efficient and featureful mail server that was designed by Wietse Venema at the IBM T.J. Watson Research Center. It was intended to be a replacement for the popular Sendmail. While it still represents only a small percentage of mail server installations worldwide, its popularity is growing rapidly, due to its simple configuration, secure implementation, and high performance architecture. Also, because Postfix is designed to behave outwardly like Sendmail, it is a mostly drop-in replacement for the older, larger, and slower mail server. It does lack some of the obscure features of Sendmail, but the features it lacks are rarely used by the vast majority of users, so they are not often missed.

The Postfix project, originally named VMailer (fortunately for everyone, the name was changed before release due to legal entanglements of the VMailer name), is designed as a group of related but separate executable components, providing security through segmentation. Smaller parts are easier to debug, as well. The internet home of Postfix is www.postfix.org. Postfix is an ideal mail server choice for new mail administrators, and even experienced Sendmail administrators might find its simplicity appealing. Because it provides a quite compatible Sendmail-ish exterior, provides programs of the same names (such as sendmail for sending mail, mailq for managing the queue, etc.), and can utilize the same type of aliases and forwarding files that Sendmail uses, it is possible to replace Sendmail without reconfiguring existing mail-related tools or rewriting local scripts. After such a switch, local users may not even notice the difference.

 

Note

The previous statements should not be viewed as an endorsement of Postfix as being a better mail transport agent than Sendmail. The two projects have different emphases, and have had very different development models. Sendmail has been in use all over the world for over 20 years in one form or another, and thus has an extremely large head start on Postfix with regard to maturity, available documentation, number of experienced administrators, and support tools. Postfix is only a few years old and has much more limited supporting documentation and tools to enhance it. The decision as to which mail transfer agent is appropriate for your network will be dictated by the requirements and the availability of local expertise.

General Options

The General Options page configures a number of options regarding the general behavior of Postfix. Specifically, most of the configuration options that impact all users and all messages are configured here. Postfix, keeping with its philosophy of simplicity, usually requires only a few configuration file changes to get a mail server running efficiently and securely.

The General Options page is divided into two parts. The upper section is labelled Most Useful General Options and the lower section Other General Options. In many standard installations, it may be possible to start up a Postfix installation with just configuration of one or more of the three directives in the upper section. Unless otherwise stated, all of the options on this page correspond to directives in the main.cf file in the Postfix configuration directory.

Most Useful General Options

 

What domain to use in outbound mail

Here you may specify the domain or hostname to use to identify the source on outgoing mail. Postfix defaults to using the hostname of the server, but you most likely will want it to identify mail as coming from your domain name instead. If your mail server will be accepting mail for a large number of users under a single domain name, you will most likely configure the domain name here, and create a domain-wide alias database to map usernames to their respective local mail servers. This option correlates to the myorigin Postfix directive.

What domain to receive mail for

This option accepts a list of domains and addresses to receive mail as its final destination. In other words, when mail reaches the server destined for addresses in this field, it will deliver the mail to a local user, rather than forward it to another mail server. By default, this is all configured addresses on the machine as well as localhost within the local domain. You may specify any number of domains or hostnames separated by commas, or you may provide a full path to a file containing similar entries. The variables $myhostname and $mydomain may be used to represent those concepts to Postfix automatically. The ability of Postfix to use such variables throughout its configuration files makes it easier to maintain a number of Postfix servers with very similar configurations. This option correlates to the mydestination directive.

What trouble to report to the postmaster

Postfix provides the ability to select what types of error messages will be mailed to the designated postmaster of the mail server. Assuming you have set up a postmaster alias that directs mail to a real person, Postfix will send reports of all of the types of trouble designated here. The available classes are:

 

bounce

When this option is selected, whenever a message is undeliverable, a bounce message (called a single bounce message) will be sent to the sender of the message and the local postmaster. For the sake of privacy, only the headers will be sent in the message to the postmaster. If the first bounce to the sender is returned as undeliverable, a double bounce message will be sent to the postmaster with the entire contents of the first single bounce message.

2bounce

Causes double bounce messages to be sent to the postmaster.

delay

If the delivery of a message is delayed, the postmaster will receive a notice, along with the headers of the delayed message.

policy

Notifies the postmaster of messages that were rejected due to an unsolicited commercial email policy restriction. The complete transcript of the SMTP session is sent.

protocol

Notifies the postmaster of protocol errors, or client requests that contained unimplemented commands. The complete transcript of the SMTP session is included in the message.

resource

Informs the postmaster of undelivered mail due to resource problems, such as a queue file write error.

software

Notifies the postmaster of mail not delivered due to software failures.

This option correlates to the notify_classes directive, and defaults to reporting only problems that usually indicate a misconfiguration or serious problem (specifically resource and software). In some high load environments, altering this to include bounce notifications could lead to a large number of notices.

Other Global Options

The lower section of this page is devoted to global options which are less likely to need to be altered. In many installations these options will remain at their defaults.

 

Send outgoing mail via

This option configures whether outgoing mail should be delivered directly to the recipient's mail server, or if a parent mail gateway should be used as an intermediary. If the server is behind a firewall, behind a network address translating router/gateway, or similar, it may be necessary to use an intermediary server to achieve reliable service. Many mail servers on the internet will not accept mail from a server that does not have a working DNS entry and a routable IP address, in order to help prevent spam from forged addresses. Also, local network use policy may require the use of an intermediary for logging, virus scanning, or other purposes that require aggregation of outgoing mail traffic onto a central server. This option corresponds to the relayhost directive and defaults to sending mail directly.

Address that receives bcc of each message

With this option, an optional email address may be specified that will receive a copy of every message that enters the Postfix system, excluding locally generated bounce messages. This can represent a breach of privacy in many circumstances, and may be illegal in some countries. It is advisable to be especially cautious about utilizing this option. It can be useful in some environments, however, where central archival of email is valuable for legal or technical reasons. This option correlates to the always_bcc directive and defaults to none.

Timeout on handling requests

This option determines how long a Postfix daemon will wait on a request to complete before it assumes the daemon has locked up, at which time the daemon will be killed. This option corresponds to the daemon_timeout directive and defaults to 18000 seconds.

Default database type

This option determines the type of database to use in the postalias and postmap commands. This option corresponds to the default_database_type directive and the default depends on the OS and installed system libraries at the time of building Postfix. Ordinarily on Unix systems this will be hash or dbm.

Default message delivery transport

The term delivery transport refers to the protocol, or language, used to deliver the message from one mail server to another. The transport on modern systems is nearly always smtp, and this is the default in Postfix, but there are still a few legacy uucp systems in use. This option is merely the default choice, used when no transport is explicitly selected for the destination in the optional transport table. This option corresponds to the default_transport directive.

Sender address for bounce mail

In the event a message double-bounces, or first bounces from the recipient and then bounces from the sender when the first bounce notice is sent, the message will be sent to this address. All messages to this address will be silently discarded. In this way bounce-loops can be avoided. This option correlates to the double_bounce_sender directive and defaults to double-bounce. The name may be any arbitrary name, but must be unique.

Number of subdir levels below the queue dir

This option configures the number of subdirectory levels below the configured queue directories that will be used by Postfix for mail storage. Because of the design of the traditional Unix file system, which includes UFS used by all modern BSD systems and the Linux ext2 and ext3 filesystems, performance becomes measurably slower when an extremely large number of files is stored in a single directory. Thus, programs that generate a large number of files often provide the ability to split files out to a number of subdirectories to keep lookups fast. This option correlates to the hash_queue_depth directive and defaults to 2, which is suitable for most moderate and even relatively large installations. Because the number of directories in use increases the search time for object seeks, using too high a value here can be harmful to performance.

Name of queue dirs split across subdirs

Postfix uses a number of queues to organize messages with varying states and destinations. Each of these queues can be configured to use hashed subdirectories or not. If a queue is selected here, it will be stored in a hashed subdirectory. In some cases, a queue must not be listed here as performance will be severely impacted, specifically the world-writable mail drop directory. The defer logfile directory, on the other hand, must be stored in hashed directories or performance will suffer. This option corresponds to the hash_queue_names directive and defaults to incoming,active,deferred,bounce,defer,flush. It is rarely necessary or beneficial to alter this configuration.

Max number of Received: headers

A message that contains more Received: headers than this will bounce. An extremely large number of this header may indicate a mail loop or a misconfigured mail server somewhere in the path of this message. This option correlates to the hopcount_limit directive and defaults to 50. This value rarely needs to be altered from its default.

Time in hours before sending a warning for no delivery

If a message cannot be delivered immediately, it will be queued for later delivery. If after this number of hours, the message still cannot be delivered, a warning will be sent to the sender notifying them that the server has been unable to send the message for a specified time. This correlates to the delay_warning_time directive and defaults to not sending a warning.

Network interfaces for receiving mail

This option configures the network addresses on which Postfix will accept mail deliveries. By default Postfix will accept mail on every active interface. Here, Postfix will accept the variables discussed earlier. This option configures the inet_interfaces directive.

Idle time after internal IPC client disconnects

This option sets the time in seconds after which an internal IPC client disconnects. This allows servers to terminate voluntarily. This feature is used by the address resolution and rewriting clients. This option correlates to the idle_time directive and defaults to 100s. This option should probably never need to be altered under normal circumstances.

Timeout for I/O on internal comm channels

This option determines the amount of time in seconds the server will wait for I/O on internal communication channels before breaking. If the timeout is exceeded, the server aborts with a fatal error. This option corresponds to the ipc_timeout directive and defaults to 3600 seconds, or 60 minutes.

Mail system name

This option identifies the mail server system in use to connecting users. It will be used in the smtpd_banner, which is sent in Received: headers, the SMTP greeting banner, and in bounced mail. Some security experts, who promote security through obscurity, suggest anonymizing all server software to prevent potential crackers from being able to identify the software in use on the server. It is probably not the best use of an administrator's time or effort in most environments, however, and many other security tactics are more effective, without negatively impacting the ability to track software problems. This option correlates to the mail_name directive and defaults to Postfix.

Mail owner

This option specifies the owner of the Postfix mail queue, and most of the Postfix daemon processes. This user should be unique on the system, and share no groups with other accounts or own any other files or processes on the system. After binding to the SMTP port (25), Postfix can then drop root privileges and become the user specified here for all new daemon processes. Because of this, if the Postfix daemon is ever compromised the exploiter will only have access to mail and a few other files. Obviously it is good to avoid this as well, but it is certainly better than a root exploit which would allow the exploiter to access and alter anything on the system. This option correlates to the mail_owner directive and defaults to postfix.

Official mail system version

This parameter configures the version number that will be reported by Postfix in the SMTP greeting banner, among other things. This correlates to the mail_version directive and defaults to the version of Postfix that is installed. Once again, security by obscurity promoters may encourage obfuscation of this value.

Time to wait for next service request

A Postfix daemon process will exit after the time specified here, if it does not receive a new request for service during that time. This option corresponds to the max_idle directive and defaults to 100s. This directive does not impact the queue manager daemon process.

Max service requests handled before exiting

This option configures the maximum number of requests that a single Postfix daemon process will answer before exiting. This option configures the max_use directive and defaults to 100.

Internet hostname of this mail system

This option specifies the internet hostname of the mail server. By default this value will be set to the fully qualified hostname of the server, as determined by a call to gethostname(). This option sets the $myhostname variable which is used in the defaults to many other options. This option correlates to the myhostname directive.

Local internet domain name

This option corresponds to the mydomain directive and defaults to the contents of the $myhostname variable minus the first component. This option defines the $mydomain variable and is used in a number of other configuration option defaults.

Local networks

Postfix provides a flexible set of options to help prevent UCE, or other unauthorized uses of the mail server. This option defines what networks will be considered to be local by Postfix. The value is used to determine whether a client is a local client or a remote client. Policies can be more relaxed for local clients. This option configures the mynetworks directive and defaults to a list of all networks attached to the server. For example, if the server has an IP of 192.168.1.48, and a netmask of 255.255.255.0, all of the 192.168.1.0 network will be considered local. If you would like stricter control, or the ability to treat other network blocks as local clients, you can specify them here in the form of network/netmask pairs (e.g. 172.16.0.0/16). Network/netmask pairs may be inserted from a separate file, if preferred, by specifying the absolute path to the file here.
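An added example, not part of the original chapter and not code from Postfix or Webmin: a small Python audit of a main.cf for the directives this chapter treats as sensitive (mynetworks, mail_owner, always_bcc), including the $myhostname and $mydomain defaults described above. The sample file, the function names, and the policy that only RFC 1918 and loopback ranges count as local are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample main.cf for this example (not from a real server).
SAMPLE_MAIN_CF = """\
# general options
myhostname = mail.example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain,
    $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 0.0.0.0/0
mail_owner = root
always_bcc = archive@example.com
"""

# Assumed policy: only RFC 1918 and loopback ranges count as "local".
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def parse_main_cf(text):
    """Skip blank and '#' lines; leading whitespace continues the previous directive."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    # As the chapter states: mydomain defaults to $myhostname minus its first component.
    if "mydomain" not in params and "." in params.get("myhostname", ""):
        params["mydomain"] = params["myhostname"].split(".", 1)[1]
    return params

def resolve(params, name, depth=0):
    """Return a directive's value as a list, with $name references expanded."""
    def sub(match):  # the depth cap stops self-referencing definitions
        return " ".join(resolve(params, match.group(1), depth + 1)) if depth < 10 else ""
    expanded = re.sub(r"\$\{?(\w+)\}?", sub, params.get(name, ""))
    return [item for item in re.split(r"[,\s]+", expanded) if item]

def audit(params):
    """Return findings for directives the chapter marks as security-sensitive."""
    findings = []
    for item in resolve(params, "mynetworks"):
        if item.startswith("/"):  # absolute path to a file of networks: not read here
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot parse {item!r}")
            continue
        if not any(net.version == r.version and net.subnet_of(r) for r in TRUSTED):
            findings.append(f"mynetworks: {net} reaches beyond private/loopback ranges")
    if params.get("mail_owner") == "root":
        findings.append("mail_owner: set to root instead of a dedicated account")
    if params.get("always_bcc"):
        findings.append(f"always_bcc: all mail is copied to {params['always_bcc']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_main_cf(SAMPLE_MAIN_CF))))
```

Because clients inside mynetworks get the more relaxed policies, a range wider than the networks you actually operate is the finding to act on first.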

Send postmaster notice on bounce to…

This option configures the username or email address to whom bounce notices will be sent. This option correlates to the bounce_notice_recipient directive and is set to postmaster by default.

Send postmaster notice on 2bounce to…

This option configures the username or email address to whom second bounce messages will be sent. This allows an administrator to watch for second bounce warnings more closely than first bounce messages, because first bounces are far more common and less likely to indicate serious problems. The option configures the 2bounce_notice_recipient directive and defaults to postmaster.

Send postmaster notice on delay to…

This option configures where delay warnings will be sent. This option correlates to the delay_notice_recipient directive and defaults to postmaster.

Send postmaster notice on error to…

Specifies where error warnings will be sent. This option correlates to the error_notice_recipient directive and defaults to postmaster.

Mail queue directory

This specifies the directory where Postfix will store queued mail. This will also be the root directory for Postfix daemons that run in a chroot environment. The queue is where messages that are awaiting delivery are stored, thus enough space to accommodate your user mail load should be provided in this directory. This option correlates to the queue_directory directive and usually defaults to a sensible location for your OS. Many Linux systems will have the mail queue in /var/spool/mail or /var/spool/postfix.

Lock file dir, relative to queue dir

This option configures the location of the Postfix lock directory. It should be specified relative to the queue directory, and generally will simply be a subdirectory of the queue directory. This option configures the process_id_directory directive and defaults to pid.

Separator between user names and address extensions

This option specifies the separator character between usernames and address extensions. This option correlates to the recipient_delimiter directive and defaults to using no delimiter. This option impacts Canonical Mapping, Relocated Mapping, and Virtual Domains.

Postfix support programs and daemons dir

This option specifies the directory where Postfix will look for its various support programs and daemons. The directory should be owned by root. This option correlates to the program_directory directive and defaults vary depending on installation method and OS variant. On many Linux systems this will be /usr/libexec/postfix.

Relocated mapping lookup tables

Postfix can provide a relocation notice in response to messages sent to users who no longer receive mail from this server. If enabled, this option specifies the location of the file containing a table of contact information for users who no longer exist on this system. By default this feature is disabled. This option correlates to the relocated_maps directive. If enabled a reasonable choice for this option might be /etc/postfix/relocated.

Disable kernel file lock on mailboxes

On Sun workstations, kernel file locks can cause problems, because the mailtool program holds an exclusive lock whenever its window is open. Users of other OS variants, or Sun systems where no Sun mail software is in use, may ignore this option. This option correlates to the sun_mailtool_compatibility directive and defaults to No.

Max time to send a trigger to a daemon

This option specifies the maximum amount of time allowed to send a trigger to a Postfix daemon. This limit helps prevent programs from getting hung when the mail system is under extremely heavy load. This option correlates to the opts_trigger_timeout directive and defaults to 10s.