Postfix for dummies

Executive Summary

Postfix, written by Wietse Venema, is one of the most serious alternatives to Sendmail, along with Qmail and Exim. Because it is much more recent, it was built from the ground up to be as secure as possible. Postfix supports features such as ESMTP, ETRN (eg. two-way SMTP connections), LMTP (uses the LHLO command and expects to receive an ACK to check that the message is correctly delivered to each recipient), UUCP (to deliver mail between two servers with no access to the Net), AUTH to authenticate MTAs at both ends (Cyrus-SASL supports AUTH), etc.

Postfix uses multiple programs to handle emails; the main process is called master, and uses its own configuration file called master.cf. Unlike Sendmail, and thanks to "postfix reload", there is no need to restart the whole of Postfix after a change is made to its configuration files. Postfix relies on three main configuration files: install.cf (generated when installing Postfix the first time; useful if you want to re-install it later), master.cf (used by the main process master), and main.cf (the meat).

In addition, Postfix relies heavily on hashed lookup tables: access, aliases, canonical, relocated, transport, virtual. Three binary formats are available: btree, hash, and dbm (BSD uses dbm; Linux usually uses hash). In addition, Postfix can use regex files, and information from external sources like NIS, LDAP, or MySQL. Two standards for regular expressions are available: regexp (POSIX), and Perl Compatible Regular Expressions (PCRE). PCRE might not be available on older Unices, so download it.

The core programs are: master, bounce, cleanup, error, local, pickup, pipe, postdrop, qmgr, showq, smtp, smtpd, trivial-rewrite. Utilities are: mailq, postalias, postcat, postconf, postfix, postkick, postlock, postlog, postmap, postsuper, sendmail. Postfix uses "postfix flush" to deliver spooled emails when receiving the ETRN command; other commands used with the postfix program are abort, check, reload, start, and stop. Postfix uses different queues, in /var/spool/postfix, to reflect the different states an email finds itself in until it is finally delivered; a new file is created for each message. Queues are: maildrop, incoming, active, deferred, mail.

Initial setup

  1. If another MTA is already installed, shut it down, and remove it, eg. /etc/rc.d/init.d/sendmail stop ; rpm -e --nodeps sendmail
  2. Install Postfix: rpm -Uvh postfix.rpm
  3. Edit /etc/postfix/main.cf (see below)

    myhostname = linux.acme.com
    mydomain = acme.com
    myorigin = $mydomain
    mynetworks = 192.168.0.0/16, 127.0.0.0/8
    mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain

    Important: As of Sept 2001, Postfix doesn't support domains that don't have a dot in them. For private intranets, use eg. "intranet.acme" instead of just "acme".
     
  4. If available, move the legacy mail aliases file from /etc/aliases into /etc/postfix/aliases, and run either "newaliases" or "postalias /etc/postfix/aliases" (or you'll get a non-fatal "open database /etc/postfix/aliases.db: File or directory not found" warning).
  5. Launch Postfix through /etc/rc.d/init.d/postfix start
  6. Run "telnet localhost smtp" to check that the mail server accepts connections from the local host

Mailbox formats

Postfix supports different ways to deliver emails:

If you wish to use mailboxes different from the default Sendmail scheme, the following directives are used: mail_spool_directory, home_mailbox, mailbox_command.

Security

Maildrop directory

To enhance security, create a postfix.maildrop user under which to run postfix, make this account the owner of the maildrop/ directory to make sure no other user can mess with the files located in its sub-directories, and use the postdrop program to write messages. Messages are delivered by the programs local, smtp, pipe, or bounce.

Chrooting

Take advantage of the fact that Postfix can run chrooted (a script is provided in examples/chroot-setup).

Limiting use of Postfix services

Editing master.cf makes it possible to limit use of a service to a given host, eg. using "localhost:smtp" as the service name, Postfix only accepts connections to the SMTP service from localhost.

Use of ETRN command

By default, any remote MTA can run the ETRN command to download spooled emails for that domain. You can restrict which hosts are granted or refused access with the "smtpd_etrn_restrictions" directive.

Handling abuse and spam (a.k.a. Unsolicited Commercial E-mail/UCE)

smtpd_*_restrictions directives

Postfix offers good granularity on what data is accepted for any SMTP command:

Each of those directives can be defined by one or more values that either permit or deny access.

Reject

Permit

Check (Uses hashed files)

Examples

  1. Edit /etc/postfix/clients:

    ispnet1.net        OK
    spammer.org    REJECT
     
  2. Build the hashed file: postmap hash:/etc/postfix/clients
  3. Edit main.cf:

    relay_domains = $mydestination
    maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com
    smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/clients
    smtpd_sender_restrictions = check_client_access hash:/etc/postfix/clients
    smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, check_relay_domains, reject_maps_rbl, permit_mynetworks, reject_unknown_client
    smtpd_helo_required = yes
     
  4. postfix reload

Header filtering

Postfix can search for any string in an incoming email:

  1. Edit main.cf:

    header_checks = regexp:/etc/postfix/header_checks

  2. Edit /etc/postfix/header_checks:

    /^To: *friend@public\.com$/ REJECT
    /^Subject: Get rich quick!/ REJECT

  3. Refresh Postfix: postfix reload
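As an added illustration (my code, not Postfix's and not part of the original page), the following Python emulates what the header_checks table above does to a message: each "/pattern/ action" line is compiled (case-insensitively, as regexp tables match by default), only the header block is inspected, folded header lines are joined before matching, and the first header that matches a rule decides the action. Python's re stands in for the POSIX regexp engine, which is fine for these patterns; the table text and the message are constructed samples.

```python
"""Emulation of header_checks with a regexp-style table (added example, not Postfix code)."""
import re

# One rule per line: /pattern/flags action.  Constructed sample table based on the
# Header filtering entries above; Postfix matches case-insensitively unless "!i" is given.
HEADER_CHECKS_TEXT = r"""
/^To: *friend@public\.com$/        REJECT
/^Subject: Get rich quick!/        REJECT
/^Subject: Make money fast/        550 Not on this server
"""

RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([A-Za-z!]*)\s+(\S.*)$")


def parse_regexp_table(text):
    """Compile each '/pattern/flags action' line; Python re stands in for POSIX regexp here."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("cannot parse table line: " + line)
        pattern, flags, action = match.groups()
        re_flags = 0 if "!i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def unfold_headers(message):
    """Return the logical header lines of a message: continuation lines (starting with
    whitespace) are joined to the previous header, and the first empty line ends the
    header block so that body text is never inspected."""
    headers = []
    for line in message.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def check_headers(rules, message):
    """Return (header, action) for the first header that matches a rule, else None."""
    for header in unfold_headers(message):
        for regex, action in rules:
            if regex.search(header):
                return header, action
    return None


RULES = parse_regexp_table(HEADER_CHECKS_TEXT)

# Constructed message whose Subject is folded over two lines, as mail clients may do.
FOLDED_MESSAGE = "From: someone@example.net\nSubject: Get rich\n quick!\n\nhello\n"

if __name__ == "__main__":
    print(check_headers(RULES, FOLDED_MESSAGE))
```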

Relaying

Relaying means that a sender whose host lives in domain A connects to your mailer in domain B to send an email to a user in domain C. A great aid to spammers. The easiest way to control relaying is to use the "smtpd_recipient_restrictions" directive; if this directive is left undefined, Postfix uses the information given by the restrictions "permit_mynetworks" and "check_relay_domains":

permit_mynetworks = $mynetworks
check_relay_domains = $relay_domains, $inet_interfaces, virtual table
#smtpd_recipient_restrictions =

Note: permit_mynetworks is enough for most uses.

Accessing your mailer

This restriction comes before relaying: it tells Postfix which hosts are allowed to even connect to the smtpd program. To limit access to your mailer, edit the access table (in main.cf: access???). Here's a sample:

    user@domain        OK
    hostname.domain    OK
    domain             OK
    a.b.c.d            REJECT
    a.b.c              XXX Go away

a.b.c.d is a full IP address; a.b.c is a prefix of an IP network address.

XXX stands for an SMTP error message. Some samples:

Possible restrictions come aplenty in Postfix. See the samples/sample-smtpd.cf for more information.
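As an added illustration (my code, not Postfix's and not part of the original page), the following Python emulates the lookup order that access(5) documents for the keys in the table above, namely full hostname then its parent domains, full IP address then its shorter a.b.c / a.b / a prefixes, and user@domain then domain then user@, and then walks a smtpd_client_restrictions list in order the way the "Examples" section earlier sets one up, so the effect of restriction order can be seen. The table contents, client names and 10.x addresses are constructed sample data, and the depth to which parent domains are tried is an assumption of this emulation.

```python
"""Emulation of Postfix access(5) lookups and smtpd_client_restrictions ordering.
Added example; it is not Postfix code and is meant to be read next to the page."""
import ipaddress

# Constructed sample access table, in the "key  action" layout shown above.
ACCESS_TEXT = """
# client access table (constructed sample)
ispnet1.net     OK
spammer.org     REJECT
10.0.0.5        REJECT
10.1            550 Go away
"""

# The restriction order used in the "Examples" section (the RBL and
# check_relay_domains entries are left out because they need network access).
RESTRICTIONS = ["check_client_access", "permit_mynetworks", "reject_unknown_client"]
MYNETWORKS = ["192.168.0.0/16", "127.0.0.0/8"]


def parse_access_table(text):
    """Parse 'key action' lines into a dict; keys are lowercased as postmap would."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("table line without an action: " + line)
        table[parts[0].lower()] = parts[1].strip()
    return table


def _parent_domains(name):
    """mail.spammer.org -> ['spammer.org', 'org'] (assumption: tried down to the top label)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def _ip_prefixes(addr):
    """10.1.2.3 -> ['10.1.2', '10.1', '10'], the shortened network prefixes the page lists."""
    octets = addr.split(".")
    return [".".join(octets[:i]) for i in range(len(octets) - 1, 0, -1)]


def lookup_access(table, client_name=None, client_addr=None, address=None):
    """Return (key_that_matched, action) for the first key in lookup order, or None."""
    keys = []
    if address:
        local, _, domain = address.rpartition("@")
        keys += [address, domain] + _parent_domains(domain) + [local + "@"]
    if client_name and client_name != "unknown":      # no reverse name: skip hostname keys
        keys += [client_name] + _parent_domains(client_name)
    if client_addr:
        keys += [client_addr] + _ip_prefixes(client_addr)
    for key in keys:
        action = table.get(key.lower())
        if action is not None:
            return key, action
    return None


def evaluate_client_restrictions(restrictions, table, mynetworks, client_name, client_addr):
    """Walk the list in order: the first restriction that permits or rejects decides,
    one that does not apply falls through, and the end of the list means permit."""
    addr = ipaddress.ip_address(client_addr)
    for restriction in restrictions:
        if restriction == "check_client_access":
            hit = lookup_access(table, client_name=client_name, client_addr=client_addr)
            if hit:
                key, action = hit
                if action.upper() == "OK":
                    return "permit", "check_client_access " + key
                return "reject", "check_client_access %s: %s" % (key, action)
        elif restriction == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(net) for net in mynetworks):
                return "permit", "permit_mynetworks"
        elif restriction == "reject_unknown_client":
            if client_name == "unknown":
                return "reject", "reject_unknown_client"
        else:
            raise ValueError("restriction not emulated: " + restriction)
    return "permit", "end of restriction list"


TABLE = parse_access_table(ACCESS_TEXT)

if __name__ == "__main__":
    for name, ip in [("mail.spammer.org", "203.0.113.9"), ("unknown", "192.168.1.5"),
                     ("unknown", "203.0.113.9"), ("relay.ispnet1.net", "10.1.2.3")]:
        print(name, ip, evaluate_client_restrictions(RESTRICTIONS, TABLE, MYNETWORKS, name, ip))
```

Swapping permit_mynetworks and reject_unknown_client changes the verdict for an intranet client without a reverse DNS name, which is why the order of a restriction list matters.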

Outsourcing data in MySQL

Edit main.cf, and set "alias_maps = mysql:/etc/postfix/mysql_alias.cf".

Edit /etc/postfix/mysql_alias.cf:

user = postfix
password = itsasecret
dbname = postfix
table = postfix
select_field =
where_field =
additional_conditions =
hosts =

Outsourcing data in OpenLDAP

Tips & tricks

Listening on a virtual interface

  1. Run the following commands: ifconfig eth0:1 10.0.0.1 ; route add 10.0.0.1 dev eth0:1
  2. Edit main.cf: inet_interfaces = 10.0.0.1

Displaying the current Postfix configuration

postconf (or postconf -n, to display only the parameters explicitly set in main.cf)

Limiting the size of messages

To force users to use either FTP or WebDAV to send big files, limit the size of allowed messages: message_size_limit (unit is 1K).

Hiding the login banner

It's a good idea to hide the name of the MTA you are running and its version. To do this, edit main.cf, and set "smtpd_banner = $myhostname ESMTP". Also check if the name of the MTA is revealed by typing HELP.

Important: To avoid message loops, the FQDN hostname must be included in the login banner.

Handling unknown users

Either bounce the message, or forward it to another user or domain by editing main.cf, and setting "luser_relay = $user@other.host".

Allowing users to create mailing lists

This lets users receive email in the form jdoe+mysoftware@acme.com without admins having to do anything. Edit main.cf, and set "recipient_delimiter = +". Next, have user jdoe create a file named .forward+mysoftware in his home directory, which contains a list of e-mail addresses that will receive a copy of any email addressed to that user-defined mailing list.

Using aliases

Two directives are supported in main.cf: alias_maps (both independent and Postfix-controlled files), and alias_database (Postfix-controlled files only).

alias_maps = hash:/etc/postfix/aliases, nis:mail.aliases
alias_database = hash:/etc/postfix/aliases, hash:/etc/majordomo/aliases

Rewriting sender name, recipient name, or both

The aliases file is used to forward incoming messages from a fake, public address (John.Doe) to a real, internal user account (jdoe). The canonical file is used to rewrite addresses in outgoing messages, either the From field, the To field, or both. This is useful to make sure that the names used match corporate rules, eg. rewrite jdoe as John.Doe. Edit main.cf, and change the following directives: canonical_maps, recipient_canonical_maps, and sender_canonical_maps.

Rewriting incoming messages

  1. Edit /etc/postfix/aliases:

    John.Doe:    joe
     
  2. Build the hashed file: postalias hash:/etc/postfix/aliases
  3. Edit main.cf: alias_maps = hash:/etc/postfix/aliases
  4. Refresh Postfix: postfix reload 

Rewriting outgoing messages

  1. Edit /etc/postfix/canonical:

    joe    John.Doe
     
  2. Build the hashed file: postmap hash:/etc/postfix/canonical
  3. Edit main.cf: canonical_maps = hash:/etc/postfix/canonical
  4. Refresh Postfix: postfix reload 

Masquerading

Edit main.cf:

masquerade_domains = $mydomain
masquerade_exceptions = root

/etc/postfix/aliases

This file can be edited either directly (vi /etc/postfix/aliases ; newaliases (or postalias /etc/postfix/aliases) ; postfix reload), or through the postalias program: To check whether a key exists, use "postalias -q jdoe /etc/postfix/aliases". To insert a new key, run "echo jdoe | postalias -i /etc/postfix/aliases". To remove a key, run "postalias -d jdoe /etc/postfix/aliases".

Warning: When running the postalias commands above, the text-based file /etc/postfix/aliases is not updated, so I recommend doing it the manual way instead.

/etc/postfix/main.cf

Just like the above, you can modify the content of main.cf either manually (vi /etc/postfix/main.cf ; postfix reload), or through a dedicated program: "postconf -e mykey=myvalue", or "postconf -n".

/etc/postfix/virtual

Besides manually editing the file, you can manipulate its content with: postmap -q katie virtual (to query), postmap -d katie virtual (to delete), echo katie katie@otherhost.net | postmap -i virtual (to include).

After a crash...

In case the server or Postfix crashed, it's a good idea to run postsuper -v before proceeding, so as to recover messages that were not properly handled because of the crash.

Reducing time spent checking for valid user accounts

It is faster to look up keys and values in an indexed file than in /etc/passwd. To force Postfix to first use a binary file, edit main.cf: local_recipient_maps = $alias_maps unix:passwd.byname

Forwarding emails to former users

Create a hash file, eg. /etc/postfix/relocated, and edit main.cf:

relocated_maps = hash:/etc/postfix/relocated
local_recipient_maps = hash:/etc/postfix/relocated

Postfix as smart mailer

Edit main.cf, and set relayhost to the IP address of the mail server over at your ISP that will forward your outgoing emails to the Internet. By not requiring DNS lookups, using IP addresses offers better performance, and protects your mailer from a DNS failure.

Virtual domains

This allows your Postfix mailer to accept mails for domains other than its own. By default, you must create a user account in /etc/passwd, and add a mapping in eg. /etc/postfix/virtual between the public email address and the actual account that lives in /etc/passwd.

If no mapping is required (ie. the user account used in the virtual address matches a unique account in /etc/passwd), you can simplify things by editing /etc/postfix/transport, and tell it to just deliver any email meant for virtual accounts locally. The latter is dangerous, however, because eg. any email for mike@abc.com and mike@xyz.com will be delivered to the same mailbox.

The standard way

In the following example, we'll create a Unix user account, tell Postfix to accept mail for the virtual domain "testcompany.com", and have it forward any email meant for jdoe@testcompany.com to the real Unix account janed.

  1. useradd -c "Postfix user account" -s /bin/false janed ; passwd janed
  2. Edit /etc/postfix/main.cf: virtual_maps = hash:/etc/postfix/virtual
  3. Build the hashed file: postmap /etc/postfix/virtual
  4. Edit /etc/postfix/virtual:

    testcompany.com    virtual

    jdoe@testcompany.com    janed

    Note: In the hashed virtual table, Postfix can discriminate between the list of virtual domains and the list of email redirectors by checking for the presence of the @ sign.
     
  5. postfix reload

The funny way

Here, we don't want to bother keeping an up-to-date mapping between virtual email addresses and Unix user accounts. This is OK only if every user account is unique, regardless of the domain to which it belongs:

  1. useradd -c "Postfix user account" -s /bin/false janed ; passwd janed
  2. Edit /etc/postfix/main.cf: transport_maps = hash:/etc/postfix/transport
  3. Edit /etc/postfix/transport:
    othercompany.com    local:
  4. postmap hash:/etc/postfix/transport
  5. postfix reload

Important: Again, this shortcut only works if Unix user accounts are unique!

For instance, suppose that...

  1. The Postfix mailer lives in the domain @acme.com, ie. in main.cf, mydomain = acme.com
  2. An entry in /etc/passwd is called "janed"
  3. You are asked to support messages for the virtual domain @testcompany.com
  4. Another Jane Doe exists in that other company whose virtual domain you handle, and thus, needs an email called janed@testcompany.com

Now, any email meant for janed@acme.com or janed@testcompany.com is delivered into a single /var/spool/mail/janed (or whatever mailbox scheme you are using).  For this reason, it is recommended to use The Standard Way.
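As an added worked example (my code, not Postfix's), the following Python models how the two setups above route a recipient: the virtual table's address lines redirect first, a domain in mydestination or a bare account name means local delivery to a Unix account, a virtual domain without a redirect bounces as unknown, and a transport entry of local: (the funny way) or smtp:host (as in the Smart host section further down) decides for everything else. The account names janed.tc and nosuchuser and the acme.com hostnames are constructed; the colliding_mailboxes check makes the janed@acme.com / janed@testcompany.com collision visible.

```python
"""Emulation of how the two virtual-domain setups above route a recipient address
(added example, not Postfix code).  The dicts stand in for mydestination, the set of
Unix accounts, the virtual table and the transport table."""

_COMMON = {
    "mydestination": {"acme.com", "mylinux.acme.com", "localhost.acme.com"},
    "accounts": {"janed", "janed.tc", "root"},          # constructed /etc/passwd entries
}

STANDARD_WAY = dict(_COMMON,
    # "domain  virtual" lines list the domain; "address  account" lines redirect mail
    virtual={"testcompany.com": "virtual",
             "jdoe@testcompany.com": "janed",
             "janed@testcompany.com": "janed.tc"},     # the other Jane Doe gets her own account
    transport={})

FUNNY_WAY = dict(_COMMON,
    virtual={},
    transport={"testcompany.com": "local:"})            # deliver the whole domain locally


def resolve(address, cfg, depth=0):
    """Return where mail for `address` ends up: ('local', mailbox), ('smtp', host),
    ('relay', domain) for mail that is not ours, or ('bounce', reason)."""
    if depth > 5:
        return "bounce", "mail forwarding loop for " + address
    address = address.lower()
    local, _, domain = address.partition("@")
    if address in cfg["virtual"]:                       # address-level redirect first
        return resolve(cfg["virtual"][address], cfg, depth + 1)
    transport = cfg["transport"].get(domain)
    if domain == "" or domain in cfg["mydestination"] or transport == "local:":
        # local delivery: the funny way drops the domain and keeps only the account name
        if local not in cfg["accounts"]:
            return "bounce", "unknown local user " + local
        return "local", local
    if domain in cfg["virtual"]:                        # virtual domain, but no redirect
        return "bounce", "unknown user %s in virtual domain %s" % (local, domain)
    if transport and transport.startswith("smtp:"):     # e.g. smtp:internal.othercompany.com
        return "smtp", transport[len("smtp:"):]
    return "relay", domain


def colliding_mailboxes(addresses, cfg):
    """Map each local mailbox to the distinct addresses that land in it, keeping only
    mailboxes shared by more than one address: the risk the page warns about."""
    by_mailbox = {}
    for address in addresses:
        where, target = resolve(address, cfg)
        if where == "local":
            by_mailbox.setdefault(target, set()).add(address.lower())
    return {box: sorted(addrs) for box, addrs in by_mailbox.items() if len(addrs) > 1}


if __name__ == "__main__":
    for addr in ["jdoe@testcompany.com", "janed@testcompany.com", "nosuchuser@testcompany.com"]:
        print(addr, resolve(addr, STANDARD_WAY), resolve(addr, FUNNY_WAY))
    print(colliding_mailboxes(["janed@acme.com", "janed@testcompany.com"], FUNNY_WAY))
```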

Postfix on a dial-up network

If your network has no permanent connection to the Net, your ISP provides a relay mailer where emails for your team are spooled until you connect and download them. Likewise, any email sent through your Postfix intranet mailer to email addresses on the Internet must be spooled locally, and sent when Postfix is connected to the Net.

  1. Edit main.cf:

    mydestination = $mydomain, localhost.$mydomain, $myhostname
    myorigin = $mydomain
    # IP address of your ISP's mailer (main.cf does not allow comments at the end of a line)
    relayhost = 10.0.0.1
    disable_dns_lookups = yes
    defer_transports = smtp
     
  2. postfix reload
  3. Edit /etc/crontab, so that a PPP dial-up connection is made regularly, and Postfix's mail queue is emptied using /usr/bin/sendmail -q

Smart host

A Postfix server is running in your public network, in front of a firewall, and forwards any emails from the Internet to a server in the private network, without storing emails locally.

  1. Edit main.cf:

    # Important: leave relay_domains empty, to tell Postfix not to store emails locally
    relay_domains =
    transport_maps = hash:/etc/postfix/transport
     
  2. Edit /etc/postfix/transport:

    # internal.othercompany.com is the mailer sitting in the private network
    othercompany.com    smtp:internal.othercompany.com
     
  3. Build the hashed transport file: postmap hash:/etc/postfix/transport
  4. Refresh Postfix: postfix reload

Hub & spokes

Here, we have one Postfix mailer through which all incoming and outgoing emails are sent.

Hub

Emails meant for user joe are sent to host spoke1.small.org, where his mailbox lives:

  1. Edit main.cf:

    virtual_maps = hash:/etc/postfix/virtual
     
  2. Edit /etc/postfix/virtual:

    joe@small.org    joe@spoke1.small.org
     
  3. Build the hashed file: postmap hash:/etc/postfix/virtual
  4. Refresh Postfix: postfix reload

Spokes

All spokes must forward non-local emails to the hub, and masquerade addresses so that email addresses use the @small.org domain instead of the spoke's hostname.

  1. Edit main.cf:

    relayhost = hub.small.org
    myorigin = small.org
     
  2. On spoke1, create a Unix user account for joe: useradd -c "Postfix account" -s /bin/false joe
  3. Refresh Postfix: postfix reload

Q&A

How to use the ETRN command?

I don't have a permanent connection to the Net, and my ISP acts as smart host, ie. all incoming emails for my domain are temporarily spooled on the ISP's mail server. How do I tell Postfix to connect to it, and run the ETRN command to download spooled emails instead of using Fetchmail, which requires that users tell me their password?

Why multiple programs to edit configuration files (postalias, postconf, postmap)?

Because each file has a different structure: For backward compatibility with Sendmail, /etc/postfix/aliases requires a ": " separator between two tokens; main.cf uses a "=" sign to separate a key and its value; Files like virtual use a space or tab character to separate a key and its value.

Rewriting headers: What's the difference between mydomain and masquerade_domains in main.cf?

mydomain only rewrites headers, while the masquerade_domains directive can rewrite headers and envelopes.

mail for mylinux.acme loops back to myself

In main.cf, the mydestination parameter does not include all the possible tokens right of the @ sign. This should include $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, and possibly others. Any email with a different token on the right side of the @ sign is considered to be meant for another mailer, and will be routed, ie. not delivered locally.

myhostname, mydomain, myorigin, mydestination: Confused!

Postfix rewrites the domain part incorrectly if my domain has no dot in it!

If you set up your intranet to use a fake domain name with no dot in it, eg. acme, Postfix gets confused:

# hostname
mylinux.acme
 
# less /etc/postfix/main.cf
myhostname = mylinux.acme
mydomain = acme
mydestination = $myhostname, localhost.$mydomain, $mydomain
 
Let's leave #myorigin = $mydomain, ie. $myorigin defaults to $myhostname
 
mail ffaure OK (-> ffaure@mylinux.acme)
mail ffaure@mylinux.acme OK (-> ffaure@mylinux.acme)
mail ffaure@acme NOK (-> ffaure@acme.acme)
 
Let's set myorigin = $mydomain
 
mail ffaure NOK (-> ffaure@acme.acme)
mail ffaure@mylinux.acme OK (-> ffaure@mylinux.acme)
mail ffaure@acme NOK (-> ffaure@acme.acme)
 

The solution is to use a domain name with a dot in it, eg. intranet.acme .

I try to send mail to root@acme.com, but it doesn't get there!

As explained in /etc/postfix/aliases:

# For various security reasons, postfix WILL NOT deliver mail as root, so ensure
# that the root alias is aliased to a HUMAN user, as otherwise mail may get
# delivered to the $default_privs user (nobody).
(snip)
root: amy

/var/spool/postfix/etc/resolv.conf and /etc/resolv.conf differ

You seem to have updated /etc/resolv.conf between the time you installed Postfix and the time you launched it, so /var/spool/postfix/etc/resolv.conf doesn't match. Make sure all changes made to the former are copied into the latter.

Biff?

Aug 23 14:33:04 miami postfix/local[3299]: warning: biff_notify: Connection refused

Add the following to main.cf: biff = no

Domain in locally-posted mail ends up wrong

With hostname as mylinux.acme, and the following:

myhostname = mylinux.acme
mydomain = doe
myorigin = jane

Logged locally on mailer, and sending email to ffaure:

Sep 18 01:09:37 mylinux postfix/qmgr[2457]: 7921643788: from=<root@jane.doe>, size=282, nrcpt=1 (queue active)

In other words, in incoming emails that have no domain specified, Postfix makes up a domain by concatenating $myorigin and $mydomain.
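As an added worked example (my code, not Postfix's), the following Python parses a main.cf fragment, expands $variables with the defaults the Q&A entries above rely on (myorigin defaults to $myhostname; mydomain defaulting to myhostname minus its first label is an assumption of this emulation), and applies the two rewriting steps behind the tables above: an address without a domain gets @$myorigin appended, then a domain without a dot gets .$mydomain appended (append_dot_mydomain). It reproduces the mylinux.acme and jane.doe results, shows why the rewritten address is no longer in mydestination, and shows that a dotted domain such as intranet.acme fixes it.

```python
"""Emulation of Postfix's unqualified-address rewriting (added example, not Postfix code)."""
import re

# The configurations discussed in the Q&A entries above, as main.cf fragments.
CF_NO_DOT = """
myhostname = mylinux.acme
mydomain = acme
mydestination = $myhostname, localhost.$mydomain, $mydomain
"""
CF_NO_DOT_ORIGIN = CF_NO_DOT + "myorigin = $mydomain\n"
CF_JANE = "myhostname = mylinux.acme\nmydomain = doe\nmyorigin = jane\n"
CF_FIXED = """
myhostname = mylinux.intranet.acme
mydomain = intranet.acme
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
"""

VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def parse_main_cf(text):
    """Read 'key = value' lines; comments and blank lines are skipped, values are kept raw."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: " + line)
        params[key.strip()] = value.strip()
    return params


def expand(params, name, seen=()):
    """Value of parameter `name` with $references resolved.  Defaults: myorigin is
    $myhostname, append_dot_mydomain is yes, and mydomain is myhostname without its
    first label (an assumption of this emulation)."""
    if name in seen:
        raise ValueError("parameter refers to itself: " + name)
    if name in params:
        raw = params[name]
    elif name == "myorigin":
        raw = "$myhostname"
    elif name == "append_dot_mydomain":
        raw = "yes"
    elif name == "mydomain":
        raw = expand(params, "myhostname", seen + (name,)).split(".", 1)[-1]
    else:
        raise KeyError(name)
    return VAR_RE.sub(lambda m: expand(params, m.group(1), seen + (name,)), raw)


def rewrite_address(address, params):
    """Qualify an address the way the page observes: add @$myorigin when there is no
    domain, then add .$mydomain when the domain contains no dot."""
    if "@" not in address:
        address = address + "@" + expand(params, "myorigin")
    local, domain = address.rsplit("@", 1)
    if "." not in domain and expand(params, "append_dot_mydomain") == "yes":
        domain = domain + "." + expand(params, "mydomain")
    return local + "@" + domain


def is_local(address, params):
    """True when the rewritten domain is listed in mydestination; otherwise Postfix
    routes the mail elsewhere, which is the 'loops back to myself' symptom above."""
    domain = rewrite_address(address, params).rsplit("@", 1)[1].lower()
    destinations = [d.lower() for d in re.split(r"[,\s]+", expand(params, "mydestination")) if d]
    return domain in destinations


if __name__ == "__main__":
    for label, text in [("no dot", CF_NO_DOT), ("no dot, myorigin set", CF_NO_DOT_ORIGIN),
                        ("jane", CF_JANE), ("fixed", CF_FIXED)]:
        params = parse_main_cf(text)
        print(label, [rewrite_address(a, params) for a in ("ffaure", "ffaure@acme", "root")])
```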

How to have Postfix run ETRN to download spooled emails on my ISP's relay host?

... as an alternative to using FetchMail (requires asking users for their POP password)

Outsourcing files to MySQL

Using MySQL to store user-related information. In main.cf:

    alias_maps = mysql:/etc/postfix/mysql-aliases.cf

In /etc/postfix/mysql-aliases.cf:

    user = someone
    password = some_password
    dbname = customer_database
    table = mxaliases
    select_field = forw_addr
    where_field = alias
    additional_conditions = and status = 'paid'
    hosts = maildb1.example.org maildbt2.example.org

TLS

Use the TLS (Transport Layer Security = SSL for e-mail) add-on to Postfix (http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/). TLS allows you to encrypt email transfers from server to server, but more importantly, it allows you to add authentication to the mail server. Instead of having to allow access based on IP and hostname, you can use usernames and passwords.

Regular expressions

There's support for basic regex (regexp), and support for perl-compatible regular expressions (PCRE). See man regexp_table(5) and man pcre_table(5) for more information. The last pattern below uses a negative lookahead, which only PCRE supports, so the table is declared with the pcre: type. In main.cf:

    header_checks = pcre:/etc/postfix/header-checks

In /etc/postfix/header-checks:

    /^Subject: Make money fast/ REJECT
    /^X-Mailer: Microsoft Outlook Express/ REJECT
    /^friend@(?!my.domain).*$/ 550 Stick this in your pipe $0

Man pages

/usr/man/man1/mailq.1.gz
/usr/man/man1/newaliases.1.gz
/usr/man/man1/postalias.1.gz
/usr/man/man1/postcat.1.gz
/usr/man/man1/postconf.1.gz
/usr/man/man1/postdrop.1.gz
/usr/man/man1/postfix.1.gz
/usr/man/man1/postkick.1.gz
/usr/man/man1/postlock.1.gz
/usr/man/man1/postlog.1.gz
/usr/man/man1/postmap.1.gz
/usr/man/man1/postsuper.1.gz
/usr/man/man1/sendmail.1.gz
/usr/man/man5/access.5.gz
/usr/man/man5/aliases.5.gz
/usr/man/man5/canonical.5.gz
/usr/man/man5/pcre_table.5.gz
/usr/man/man5/regexp_table.5.gz
/usr/man/man5/relocated.5.gz
/usr/man/man5/transport.5.gz
/usr/man/man5/virtual.5.gz
/usr/man/man8/bounce.8.gz
/usr/man/man8/cleanup.8.gz
/usr/man/man8/defer.8.gz
/usr/man/man8/error.8.gz
/usr/man/man8/flush.8.gz
/usr/man/man8/lmtp.8.gz
/usr/man/man8/local.8.gz
/usr/man/man8/master.8.gz
/usr/man/man8/nqmgr.8.gz
/usr/man/man8/pickup.8.gz
/usr/man/man8/pipe.8.gz
/usr/man/man8/qmgr.8.gz
/usr/man/man8/showq.8.gz
/usr/man/man8/smtp.8.gz
/usr/man/man8/smtpd.8.gz
/usr/man/man8/spawn.8.gz
/usr/man/man8/trivial-rewrite.8.gz

Adding an anti-virus to Postfix

Amavis (http://www.amavis.org/) in conjunction with Antivir/x (http://www.antivir.de/) and McAfee's viruscan (http://www.nai.com/registration/survey_submit.asp); see also http://www.linux-france.org/article/sys/antivirus/index.html

According to the AMaViS web page, several antivirus products exist for Linux/Unix: McAfee uvscan, an evaluation version limited to 30 days of use. The binary keeps working after the thirty days, but it is a moral question: you have to buy a licence. The .DAT files, which contain the signatures of known viruses and the way to get rid of them, are exactly the same as for DOS/Windows, so it is easy to update the antivirus regularly, the engine staying the same. Dr Solomon Antivirus Toolkit, an SCO Unix binary, to be used with the iBCS module, not tested; AntiVir/X, free for non-commercial use, promising because it integrates well with AMaViS, but I did not manage to get it working (shared library problems with the glibc version; maybe it works fine with glibc 2.1); Sophos Antivirus, commercial, not tested. ftp://ftp.mcafee.com/pub/antivirus/unix/

If we are talking about the same Sanitize (namely the one at http://mailtools.anomy.net/sanitizer.html), it is a Perl script called by procmail (its invocation is handled through the procmailrc file). The process is: MTA --- MDA (aka procmail) --- Sanitize --- mailbox. Amavis, for its part, sits between the MTA and the MDA (procmail by default, which suits us nicely), following this kind of scheme: MTA --- Amavis --- MDA --- mailbox. So there is no restriction on using Amavis and Sanitize at the same time. We then get: MTA --- Amavis --- MDA --- Sanitize --- mailbox. So yes, both can be used together. However, this assumes that you use procmail as the MDA. But in its default configuration, Postfix includes its own MDA. You will therefore have to do two things: 1. tell Postfix that its MDA is Amavis (which should already be done). 2. tell Amavis to use procmail rather than the Postfix MDA (i.e. go back to the default configuration).

3. Installing the mail scanner

AMaViS is now distributed under the GPL. Among other things, this means that we have the program's source code and can check what it does (unlike antivirus programs, which are only distributed in binary form). Installing it is simple. After unpacking the sources, a ./configure script makes compiling easy. Just go through the following steps:

    $ ./configure --prefix=/usr/local/antivirus
    $ make
    # make install

The configure step looks for an antivirus on the system; in particular, it looks for uvscan in /usr/bin and /usr/local/bin. Remember the symbolic links we created earlier? Here is an explanation of what they are for! Also make sure you have installed the metamail binary (usually in the package of the same name in your distribution), because it is the program used to split attachments off received mail. I searched for quite a while why it wasn't working before understanding what was missing... The main component of AMaViS is a shell script, scanmails, which takes the email on standard input (sendmail feeds it), passes each attachment to the antivirus and, depending on the result, hands the mail to the delivery agent if no virus was detected, or sends a mail to the administrator if there is a problem. Next, make sure you have an alias named virusalert in the mail aliases. This is the address to which a mail is sent when a virus is found in a message. This address is configurable in the scanmails script, though. Then think about the log file, which by default lives in /var/log/scanmails/logfile. You therefore have to create the /var/log/scanmails/ directory, and maybe the logfile file too.

Beware: with sendmail the delivery agent (the sendmail program itself) runs as root, whereas with Postfix the delivery agent (the local program) runs as the postfix user. This has to be taken into account, since that user is the one that will write to the log file. I therefore recommend the following:

    # mkdir /var/log/scanmails
    # touch /var/log/scanmails/logfile
    # chown postfix:postfix /var/log/scanmails /var/log/scanmails/logfile

One last small point to settle is the logs handled by syslog. scanmails sends syslog (this is configurable) an execution notification with priority mail.info, so /var/log/mail.info will grow too. Remember to look at and purge /var/log/mail.info and /var/log/scanmails/logfile periodically.

4.1 Postfix

Configuring Postfix to hand mail to the antivirus goes as follows: there is a mailbox_command variable that lets you give Postfix an external delivery program. Usually this variable is not used and Postfix is left to handle delivery itself, or, for sites using procmail as the delivery agent, the variable becomes:

    mailbox_command = /usr/bin/procmail

To use AMaViS with Postfix, just change this variable in /etc/postfix/main.cf to:

    mailbox_command = /usr/local/antivirus/sbin/scanmails

That's it! A quick postfix reload to pick up this change, and Postfix will then hand incoming mail to the antivirus.

5. Testing the installation

The tests are not too painful and let you check that the installation works properly: this is the part not to forget, otherwise it is hard to see "whether it works" and to understand why "it doesn't work". If the installation was not done correctly, it is possible that all emails go through without really being checked, so the installation described above would be useless! (Speaking from experience, yes.)

5.1 A file containing a virus signature

Since it would be very unwise to test with a real virus, there is a test signature that lets you test an antivirus painlessly. This signature is quoted on the AMaViS web site. Put the following string in the file eicar.com:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The resulting file must be 69 bytes long. This is the file we will use to test the system.

5.2 Testing the antivirus

First we test the antivirus. Simply run the following command:

    $ uvscan eicar.com

Besides the software licence information, uvscan must give you the following result:

    File eicar.com is infected with EICAR-STANDARD-AV-TEST-FILE

If it doesn't, go no further! You already have a problem with how your antivirus works. If you get a message such as:

    Missing or invalid virus info file
    Check the location and integrity of your data files.

it is most likely a problem with the symbolic links: check that /usr/local/lib/neta points at the directory where you put the .dat files!

5.3 Testing the scanner

This is probably the most delicate of the tests, as it has to be run with the rights of the process that calls scanmails: root in the case of Sendmail, postfix in the case of Postfix... If Postfix was installed correctly, that user's HOME directory and login shell should be invalid. I wasted quite some time changing the permissions on the log file so as to run the tests as another user, before realising that the problem lay elsewhere: metamail was not installed... :-( Assuming scanmails works properly, I suggest continuing the tests with the mail server.

5.4 Testing the mail server

This is the final step. Have some windows in which you scroll (with tail -f, for instance) the various log files, such as /var/log/mail.log or /var/log/scanmails/logfile. Don't hesitate to number the mails you send, to tell them apart. Send yourself a normal mail, which should reach you without trouble. Now send a mail with the eicar.com file built earlier attached. The mail must be refused, root (or whoever receives mail for virusalert) must receive a notification that a mail contained a virus, and the (local, therefore) recipient must receive a mail saying that he nearly received an infected mail and should see the system administrator. Normally, the mail containing the virus should land in the /root/virusmails directory; it would be wise to create it and give its ownership to the owner of the process doing the delivery (so the postfix user for Postfix, root for Sendmail). If everything went well, your system works!

5.5 If it still doesn't work...

Make sure you have read all the help files and READMEs you can find; this document is an installation guide, but it does not excuse you from reading the documentation supplied with the programs, which gives a deeper understanding than a mere "recipe".

Temp stuff

Scenario 1: Delivering mail via an external mail server

This method has the advantage that it leaves the actual delivery of the mail to a server which is permanently connected to the Internet. That server has a better chance of delivering mail to servers which are hard to reach or temporarily disconnected. The disadvantage is that you usually have to use the mail address your provider gave you: for anti-spam reasons, most providers do not relay mail whose sender address is one you made up yourself.

Add this line to 'main.cf':
    relayhost = [mail.provider.com]
[mail.provider.com] is the name of your provider's SMTP server; the brackets tell Postfix to connect to that host directly instead of looking up its MX records. Edit '/etc/postfix/aliases' and change the second field of the last line ("Person who should get root's mail") to your user account. Now build 'aliases.db' with
    postalias /etc/postfix/aliases
Important: issue this command even if you haven't made any changes to 'aliases'! Postfix won't work without an 'aliases.db' file!

If you use dial-on-demand, you want to prevent Postfix from delivering mail until you explicitly tell it to. Add this line to 'main.cf':
    defer_transports = smtp
If your machine is part of a local network which does not provide DNS, turn off DNS lookups:
    disable_dns_lookups = yes
To get the mail out every time you connect to the Internet, create the file 'ip-up.local' in '/etc/ppp' containing these lines:
    #!/bin/bash
    /usr/sbin/sendmail -q
Save it and run
    chmod +x /etc/ppp/ip-up.local
to make the file executable.

Received: from bigfoot.com (bflitemail6.bigfoot.com [208.156.39.208]) 
        by front2.grolier.fr (8.9.3/No_Relay+No_Spam_MGC990224) with SMTP id TAA03210 
        for ; Mon, 4 Sep 2000 19:07:07 +0200 (MET DST) 
Received: from orlando.ftci.net ([62.161.120.245]) 
        by BFLITEMAIL5.bigfoot.com (LiteMail v2.43(BFLITEMAIL5)) with SMTP id 04Sep2000_BFLITEMAIL5_33200_45452172; 
        Mon, 04 Sep 2000 13:07:06 -0400 EST 
Received: from ffaure.ftci.net (unknown [192.168.1.43]) 
        by orlando.ftci.net (Postfix) with ESMTP id 1D4FB36D6A 
        for ; Mon,  4 Sep 2000 19:00:08 +0200 (CEST) 
Message-Id: <5.0.0.13.0.20000904150304.00a28020@mail.ftci.net> 
X-Sender: ffaure@mail.ftci.net 
X-Mailer: QUALCOMM Windows Eudora Version 5.0.0.13 (Beta) 
Date: Mon, 04 Sep 2000 17:25:32 +0200 
To: ffaure@bigfoot.com 
From: Frederic Faure  
Subject: Postfix 
Mime-Version: 1.0 
Content-Type: text/plain; charset="us-ascii"; format=flowed 


1. Add  cp -pf /etc/resolv.conf /var/spool/postfix/etc/  to a script in /etc/cron.daily,
so that the copy read by the chrooted Postfix daemons stays in step with the real file
instead of having to be copied by hand whenever the former changes.


2. [root@orlando /root]# less /etc/postfix/main.cf
# Undocumented feature...
biff = no
# So Postfix doesn't needlessly bounce mail for unknown local users back to spammers
luser_relay = /dev/null


On Mon, Sep 04, 2000 at 03:03:52PM +0000, Ralf Hildebrandt wrote:
> > That's what local_recipient_maps is for. You can bounce emails for
> > non-existent users before actually receiving them, just as with sendmail:
> > local_recipient_maps = $alias_maps, $virtual_maps, unix:passwd.byname
>
> Note that unix:passwd.byname might give you some troubles when running
> chrooted. At least on HP-UX I had some troubles with that.


Probably. Actually I have all of my users in $virtual_maps (because their
mails may be delivered to different maildrops), but getpwnam() may cause
problems when running chrooted. It is the same problem that applies for
SASL and /etc/passwd, as SASL also uses getpwnam when asked to work
with /etc/passwd...


3. Still NOK
#FF: warning: restriction `reject_maps_rbl' after `check_relay_domains' is ignored
maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains, reject_maps_rbl


Sep  4 16:35:55 orlando postfix/smtpd[13316]: warning: restriction `reject_maps_rbl' after `check_relay_domains' is ignored

What the warning means: restrictions are evaluated in the order listed and the first one that yields a decision wins. check_relay_domains always yields one (it either permits or rejects), so anything listed after it can never be consulted. The RBL check has to come before it, e.g. permit_mynetworks, reject_maps_rbl, check_relay_domains.
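To make the ordering rule concrete, here is a small Python model of how smtpd walks a restriction list. It is added here as an illustration; it is not Postfix code and not part of the original notes. It encodes the documented rule that restrictions are tried in order and the first one that produces a decision wins (the sample main.cf quoted further down says the same: "the first restriction that matches wins"), which is why a restriction placed after check_relay_domains is dead. The networks, domains and the one-entry "RBL" are constructed test data, and the check_relay_domains model looks only at the recipient domain, not at the client hostname or sender-specified routing.

```python
"""Simplified model of Postfix smtpd restriction evaluation (added example, not Postfix code)."""
import ipaddress

# Constructed stand-ins for main.cf values on the test host.
MYNETWORKS = ["192.168.1.0/24", "127.0.0.0/8"]
MYDESTINATION = {"orlando.ftci.net", "localhost"}
RELAY_DOMAINS = set(MYDESTINATION)          # Postfix default: $mydestination
RBL_LISTED = {"10.0.0.5"}                    # stands in for a hit in $maps_rbl_domains

# Restrictions that always return permit or reject and therefore end the walk.
TERMINAL = {"check_relay_domains", "permit", "reject"}


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def domain_in(domain, table):
    """True if domain, or one of its parent domains, is listed in table."""
    d = domain.lower()
    while d:
        if d in table:
            return True
        d = d.partition(".")[2]
    return False


def unreachable(restrictions):
    """Restrictions that can never fire because a terminal one precedes them."""
    for i, r in enumerate(restrictions):
        if r in TERMINAL:
            return list(restrictions[i + 1:])
    return []


def evaluate(restrictions, client_ip, recipient):
    """Return (decision, restriction_that_decided) for one RCPT TO."""
    rcpt_domain = recipient.rpartition("@")[2].lower()
    for r in restrictions:
        if r == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return "permit", r
        elif r == "reject_maps_rbl":
            if client_ip in RBL_LISTED:
                return "reject", r
        elif r in ("check_relay_domains", "reject_unauth_destination"):
            # Simplified: mydestination matches exactly, relay_domains also
            # matches sub-domains; client hostname and routed addresses ignored.
            authorized = rcpt_domain in MYDESTINATION or domain_in(rcpt_domain, RELAY_DOMAINS)
            if authorized and r == "check_relay_domains":
                return "permit", r          # check_relay_domains always decides
            if not authorized:
                return "reject", r
        elif r == "permit":
            return "permit", r
        elif r == "reject":
            return "reject", r
        else:
            raise ValueError("unknown restriction: " + r)
    # Nobody objected: Postfix accepts the recipient.
    return "permit", "end of list"


# The order that produced the warning in the log above ...
AS_LOGGED = ["permit_mynetworks", "check_relay_domains", "reject_maps_rbl"]
# ... and the order in which the RBL is actually consulted.
FIXED = ["permit_mynetworks", "reject_maps_rbl", "check_relay_domains"]

if __name__ == "__main__":
    print("dead restrictions:", unreachable(AS_LOGGED))
    for order in (AS_LOGGED, FIXED):
        print(order, "->", evaluate(order, "10.0.0.5", "ffaure@orlando.ftci.net"))
```

Run it and the order from the log accepts a mail from the blacklisted client (check_relay_domains permits it before the RBL is ever looked at), while the corrected order rejects it. unreachable() reproduces the logic behind the warning and is a cheap check to run over any smtpd_*_restrictions value before a postfix reload.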

 

TO DO

Local delivery

Either direct (see mail_spool_directory = /var/spool/mail)

Or through an external agent: mailbox_command = /usr/bin/procmail

Anti-relaying: fill in mynetworks = 192.168.0.0/24, ... (or point it at a file, /etc/postfix/somefile)

Fill in relay_domains = (same idea) and set smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

Optionally add "permit_mx_backup" if you do not know all the domains for which you are a secondary MX. It only accepts mail for domains whose primary MX lies in auth_mx_backup_networks, which is empty by default, so that parameter has to be filled in too; keep it narrow, since anyone who can point a domain's primary MX at an address in those networks can make your host relay for that domain.

Anti-spam configuration: using a blacklist

At connection time:

# Refuse hosts without reverse DNS (stupid and dangerous)
# Spammers to throw out as soon as they connect
smtpd_client_restrictions = reject_unknown_client, hash:/etc/postfix/Access

In MAIL FROM:
smtpd_sender_restrictions = hash:/etc/postfix/Access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_maps_rbl

In RCPT TO:
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/accesseveryone, check_relay_domains

By default, rejections are only sent back at the end of the phase, i.e. at RCPT TO time (see smtpd_delay_reject).

Other parameters: smtpd_helo_required, smtpd_etrn_restrictions, ...

To receive copies of rejected messages: notify_classes = resource,software,bounce,policy,protocol,delay and error_notice_recipient = ... (postmaster by default)

Using a standard table:
transport_maps = hash:/etc/postfix/transport
with /etc/postfix/transport containing:
domaine.com             smtp:[interne.domaine.com]
pauvre.domaine.com      uucp:pauvre
.domaine.com            smtp:[interne.domaine.com]
(the leading dot matches sub-domains; an exact entry such as pauvre.domaine.com takes precedence)

Using a regexp table:
transport_maps = regexp:/etc/postfix/regtrans
with /etc/postfix/regtrans containing:
/(.*)\.anciendomaine\.com/      smtp:[$1.nouveaudomaine.com]

Transports can be duplicated in master.cf (for example to have a fixed number of SMTP daemons for internal machines):
smtpint   unix  -       -       y       -       10      smtp
and then, in the transport table:
yoko.hsc.fr             smtpint:[yoko.hsc.fr]
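The two transport tables above, worked through in Python as an added example (not Postfix code and not from the original notes): a hash: table is consulted for the exact domain first and then for parent domains written with a leading dot, so the pauvre.domaine.com entry wins over .domaine.com, and a regexp: table is scanned in order with $1 replaced by the text the first group captured. The domain names and next-hops are the page's own placeholders; DEFAULT_TRANSPORT stands in for Postfix's default_transport.

```python
"""Model of transport_maps resolution for hash: and regexp: tables (added example, not Postfix code)."""
import re

# hash:/etc/postfix/transport, as in the notes above
HASH_TRANSPORT = {
    "domaine.com": "smtp:[interne.domaine.com]",
    "pauvre.domaine.com": "uucp:pauvre",
    ".domaine.com": "smtp:[interne.domaine.com]",
}

# regexp:/etc/postfix/regtrans, as in the notes above: (pattern, result) in file order
REGEXP_TRANSPORT = [
    (r"(.*)\.anciendomaine\.com", "smtp:[$1.nouveaudomaine.com]"),
]

DEFAULT_TRANSPORT = "smtp"   # stand-in for default_transport


def hash_lookup(domain):
    """Exact domain first, then .parent, .grandparent, ... (most specific wins)."""
    d = domain.lower()
    if d in HASH_TRANSPORT:
        return HASH_TRANSPORT[d]
    parent = d.partition(".")[2]
    while parent:
        key = "." + parent
        if key in HASH_TRANSPORT:
            return HASH_TRANSPORT[key]
        parent = parent.partition(".")[2]
    return None


def regexp_lookup(domain):
    """First matching pattern wins; $1 expands to the first capture group.

    re.search, not re.fullmatch: Postfix does not anchor regexp table patterns either.
    """
    for pattern, result in REGEXP_TRANSPORT:
        m = re.search(pattern, domain, re.IGNORECASE)
        if m:
            return result.replace("$1", m.group(1))
    return None


def resolve_transport(address, tables=(hash_lookup, regexp_lookup)):
    """Resolve transport:nexthop for a recipient, trying the tables in main.cf order."""
    domain = address.rpartition("@")[2]
    for lookup in tables:
        result = lookup(domain)
        if result is not None:
            return result
    return DEFAULT_TRANSPORT


if __name__ == "__main__":
    for rcpt in ("a@pauvre.domaine.com", "a@mail.domaine.com",
                 "a@host.anciendomaine.com", "a@example.org"):
        print(rcpt, "->", resolve_transport(rcpt))
```

Because the pattern from the notes is not anchored, it also matches a domain such as host.anciendomaine.com.example; in a real table write it as /^(.*)\.anciendomaine\.com$/ so that only the intended domains are rerouted.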

Masquerading: masquerade_domains = domaine.fr rewrites every user@machine.domaine.fr as user@domaine.fr; masquerade_exceptions = root specifies that root is not rewritten (Sendmail's default behaviour).

Canonical: canonical_maps = hash:/etc/postfix/canonical, with a table such as:
user                    autreuser
user@domaine1.fr        autreutilisateur@domaine5.fr
@domaine1.fr            @domaine2.fr
@domaine3.fr            user@domaine4.fr
Variants: sender_canonical_maps and recipient_canonical_maps.

Regexp, mysql, ... tables can be used as well.

Virtual domains let you host several domains on the same machine without rewriting the headers (only the envelope is rewritten): virtual_maps = hash:/etc/postfix/virtual, with a table such as:
domaine0                nimportequoi            (right-hand side does not matter: it declares the domain as virtual)
user1@domaine1          adresse1,adresse2,...
user2                   adresse3,adresse4,...   (like aliases)
@domaine3.fr            adresse5,adresse6,...
@domaine4.fr            @domaine5.fr            (left-hand part of the address is unchanged)

Dial-up IP user

Constraints: sends everything to the ISP's server; has a non-existent domain to hide; receives mail with fetchmail; has an internal network for the rest of the family.

Configuration:
mydestination = machine.domaine.maison, localhost.domaine.maison, domaine.maison
myorigin = machine.domaine.maison
relayhost = [mailhost.fai.fr]
disable_dns_lookups = yes
defer_transports = smtp
sender_canonical_maps = hash:/etc/postfix/canonical
mynetworks = 192.168.3.0/24, 127.0.0.1
The table /etc/postfix/canonical contains:
monlogin        monadresse@fai.fr
papa            adressedepapa@fai.fr
maman           adressedemaman@fai.fr
# For inn and moderated groups
news            monadresse@fai.fr

main.cf : smtpd

# The default is to allow ETRN from any host.  The following restrictions
# are available:
#
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   check_client_access maptype:mapname
#   maptype:mapname: look up client name, parent domains, client address,
#       or networks obtained by stripping octets.
#       Reject if result is REJECT or "[45]xx text"
#       Permit otherwise.
#   reject_maps_rbl: reject if the reverse client network address
#       is listed under $maps_rbl_domains.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
smtpd_etrn_restrictions =
 
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix.  See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network.  Instead, specify an explicit
# mynetworks list by hand, as described below.
#  
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
# mynetworks_style = class
mynetworks_style = subnet
# mynetworks_style = host
 
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
 
# The smtpd_client_restrictions parameter specifies optional restrictions
# on SMTP client host names and addresses.
#
# The default is to allow connections from any host.  The following
# restrictions are available:
#
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   check_client_access maptype:mapname
#   maptype:mapname: look up client name, parent domains, client address,
#       or networks obtained by stripping octets.
#       Reject if result is REJECT or "[45]xx text"
#       Permit otherwise.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
#smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
#smtpd_client_restrictions = reject_maps_rbl, reject_unknown_client
smtpd_client_restrictions =
 
# The smtpd_helo_required parameter optionally turns on the requirement
# that SMTP clients must introduce themselves at the beginning of an
# SMTP session.
#
# smtpd_helo_required = yes
smtpd_helo_required = no
 
# The smtpd_helo_restrictions parameter specifies optional restrictions
# on what SMTP clients can send in SMTP HELO and EHLO commands.
#
# The default is to permit everything.  The following restrictions
# are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   check_helo_access maptype:mapname
#   maptype:mapname: look up HELO hostname or parent domains.
#       Reject if result is REJECT or "[45]xx text"
#       Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
# smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname
smtpd_helo_restrictions =
 
# The smtpd_sender_restrictions parameter specifies optional restrictions
# on sender addresses that SMTP clients can send in MAIL FROM commands.
#
# The default is to permit any sender address.  The following
# restrictions are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#   check_sender_access maptype:mapname
#   maptype:mapname: look up sender address, parent domain, or localpart@.
#       Reject if result is REJECT or "[45]xx text"
#       Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   check_helo_access maptype:mapname: see smtpd_helo_restrictions.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   reject_non_fqdn_sender: reject sender address that is not in FQDN form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# smtpd_sender_restrictions = reject_unknown_sender_domain
# smtpd_sender_restrictions = reject_unknown_sender_domain, hash:/etc/postfix/access
smtpd_sender_restrictions =
 
# The smtpd_recipient_restrictions parameter specifies restrictions on
# recipient addresses that SMTP clients can send in RCPT TO commands.
#
# By default, Postfix relays mail
# - from trusted clients whose IP address matches $mynetworks,
# - from trusted clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
#   or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# The following restrictions are available (* is part of default setting):
#
#  *permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#  *check_relay_domains: permit only mail
#       - to destinations matching $inet_interfaces, $mydestination,
#         or $virtual_maps,
#       - from trusted clients matching $relay_domains or subdomain thereof,
#       - from untrusted clients to destinations matching $relay_domains or
#         subdomain thereof (except addresses with sender-specified routing),
#       Reject anything else.
#   permit_auth_destination: permit mail
#       - to destinations matching $inet_interfaces, $mydestination,
#         or $virtual_maps.
#       - to destinations matching $relay_domains or subdomain thereof,
#         except for addresses with sender-specified routing.
#   reject_unauth_destination: reject mail unless it is sent
#       - to destinations matching $inet_interfaces, $mydestination,
#         or $virtual_maps.
#       - to destinations matching $relay_domains or subdomain thereof,
#         except for addresses with sender-specified routing.
#   reject_unauth_pipelining: reject mail from improperly pipelining spamware
#   permit_mx_backup: accept mail for sites whose primary MX hosts
#       match the networks specified with auth_mx_backup_networks.
#   reject_unknown_recipient_domain: reject domains without A or MX record.
#   check_recipient_access maptype:mapname
#   maptype:mapname: look up recipient address, parent domain, or localpart@.
#       Reject if result is REJECT or "[45]xx text"
#       Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   check_helo_access maptype:mapname: see smtpd_helo_restrictions.
#   check_sender_access maptype:mapname: see smtpd_sender_restrictions.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   reject_non_fqdn_sender: reject sender address that is not in FQDN form
#   reject_non_fqdn_recipient: reject recipient address that is not in FQDN form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING RESTRICTIONS
# OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL:
#       reject, check_relay_domains, reject_unauth_destination
#
smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains
 
# The auth_mx_backup_networks parameter specifies a list of networks
# for which the permit_mx_backup feature (see above) can be used.
#
# By default, auth_mx_backup_networks is empty and no networks are
# authorized to use the permit_mx_backup feature.  You can specify
# a complete class A network (X.0.0.0/8), a complete class B network
# (X.X.0.0/16), and so on. If you want stricter control, specify a
# list of network/mask patterns, where the mask specifies the number
# of bits in the network part of a host address. You can also specify
# the absolute pathname of a pattern file instead of listing the
# patterns here.
#
auth_mx_backup_networks =
 
#
# ADDITIONAL UCE CONTROLS
#
 
# The maps_rbl_domains parameter specifies an optional list of DNS
# domains that publish the network addresses of blacklisted hosts.
#
# By default, RBL blacklist lookups are disabled. See the
# smtpd_client_restrictions parameter.
#
# The real-time blackhole list works as follows: reverse the client
# network address, and reject service if it is listed below any of
# the following domains.
#
#maps_rbl_domains = blackholes.mail-abuse.org relays.mail-abuse.org
maps_rbl_domains = blackholes.mail-abuse.org
 
# The relay_domains parameter restricts what client hostname domains
# (and subdomains thereof) this mail system will relay mail from,
# and restricts what destination domains (and subdomains thereof)
# this system will relay mail to.
#
# By default, Postfix relays mail
# - from trusted clients whose IP address matches $mynetworks,
# - from trusted clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
#   or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.  
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace.  Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction, in the description of the
# smtpd_recipient_restrictions parameter.
#
relay_domains = $mydestination
 
#
# RESPONSE CODES
#
 
# The access_map_reject_code parameter specifies the SMTP server
# response code when a client violates an access map restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
access_map_reject_code = 550
 
# The invalid_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_invalid_hostname anti-UCE
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
invalid_hostname_reject_code = 501
 
# The maps_rbl_reject_code parameter specifies the SMTP server response
# when a client violates the maps_rbl_domains restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
maps_rbl_reject_code = 550
 
# The reject_code parameter specifies the SMTP server response code
# when an SMTP client matches a reject restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
reject_code = 550
 
# The relay_domains_reject_code parameter specifies the SMTP server
# response when a client attempts to violate the mail relay policy.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
relay_domains_reject_code = 550
 
# The unknown_address_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_sender_domain
# or reject_unknown_recipient_domain restrictions.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_address_reject_code = 450
 
# The unknown_client_reject_code parameter specifies the SMTP server
# response when a client without address to name mapping violates
# the reject_unknown_client restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_client_reject_code = 450
 
# The unknown_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_hostname
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_hostname_reject_code = 450

Resources