Postfix/Standartkonfigurationen: Unterschied zwischen den Versionen
K Textersetzung - „Man-Pages“ durch „Man-Page“ |
|||
(55 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
== | Typische '''Postfix-Standartkonfigurationen''' | ||
== Beschreibung == | |||
; Voraussetzungen | |||
* [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README] | |||
* Insbesondere sollten Sie hier nicht fortfahren, wenn Sie Postfix noch nicht für die lokale Posteinreichung und -zustellung eingerichtet haben. | |||
== Standardkonfigurationen == | |||
===Eigenständigen Internet-Host=== | |||
Postfix sollte auf einem Einzelplatzrechner mit direktem Internetzugang ohne Änderungen funktionieren. | |||
Sie können den Befehl "postconf -n" verwenden, um herauszufinden, welche Einstellungen durch Ihre [https://www.postfix.org/postconf.5.html main.cf] überschrieben werden. | |||
* Abgesehen von ein paar Pfadeinstellungen sollten auf einer Standalone-Box nur wenige Parameter gesetzt werden, die über das hinausgehen, was im Dokument [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README] beschrieben ist: | |||
*[https://www.postfix.org/ | |||
== | ;/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf] | ||
# Optional: Mail als user@domainname statt user@hostname senden. | |||
#[https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
# Optional: externe NAT/Proxy-Adresse angeben. | |||
#[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4 | |||
# Alternative 1: keine Weiterleitung von Mails von anderen Hosts. | |||
[https://www.postfix.org/postconf.5.html#mynetworks_style mynetworks_style] = host | |||
[https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = | |||
# Alternative 2: nur Mails von lokalen Clients weiterleiten. | |||
# [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 192.168.1.0/28 | |||
# [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = | |||
Siehe auch den Abschnitt "[#fantasy Postfix auf Hosts ohne echten Internet-Hostnamen]", wenn dies auf Ihre Konfiguration zutrifft. | |||
===Null-Client=== | |||
Ein Null-Client ist ein Rechner, der nur Mails versenden kann. | |||
* Er empfängt keine Mails aus dem Netz und stellt auch keine Mails lokal zu. | |||
* Ein Null-Client verwendet in der Regel POP, IMAP oder NFS für den Zugriff auf Postfächer. | |||
In diesem Beispiel wird davon ausgegangen, dass der Internet-Domänenname "example.com" lautet und dass der Rechner "hostname.example.com" heißt. | |||
* Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden. | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
2 [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.example.com | |||
3 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
4 [https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
5 [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] = loopback-only | |||
6 [https://www.postfix.org/postconf.5.html#mydestination mydestination] = | |||
= | ; Beschreibung: | ||
* Zeile 2: Setzen Sie [https://www.postfix.org/postconf.5.html#myhostname myhostname] auf hostname.example.com, falls der Rechnername nicht auf einen vollqualifizierten Domänennamen gesetzt ist (verwenden Sie den Befehl "postconf -d [https://www.postfix.org/postconf.5.html#myhostname myhostname]", um den Rechnernamen zu ermitteln). | |||
*Zeile 2: Der Wert [https://www.postfix.org/postconf.5.html#myhostname myhostname] gibt auch den Standardwert für den Parameter [https://www.postfix.org/postconf.5.html#mydomain mydomain] an (hier: "[https://www.postfix.org/postconf.5.html#mydomain mydomain] = example.com"). | |||
*Zeile 3: Senden Sie E-Mails als "user@example.com" (statt "user@hostname.example.com"), so dass es keinen Grund gibt, E-Mails an "user@hostname.example.com" zu senden. | |||
*Linie 4: Leiten Sie alle Mails an den Mailserver weiter, der für die Domäne "example.com" zuständig ist. | |||
** Dies verhindert, dass E-Mails auf dem Null-Client hängen bleiben, wenn dieser ausgeschaltet ist, während ein entferntes Ziel nicht erreichbar ist. | |||
** Geben Sie hier einen echten Hostnamen an, wenn Ihre "example.com"-Domäne keinen MX-Eintrag hat. | |||
*Zeile 5: Keine Mails aus dem Netz annehmen. | |||
*Zeile 6: Deaktivieren Sie die lokale Postzustellung. | |||
** Alle E-Mails gehen an den in Zeile 4 angegebenen Mailserver. | |||
===Im lokalen Netzwerk=== | |||
Dieser Abschnitt beschreibt eine lokale Netzwerkumgebung mit einem Hauptserver und mehreren anderen Systemen, die E-Mails senden und empfangen. | |||
* Wie üblich gehen wir davon aus, dass der Internet-Domänenname "example.com" lautet. | |||
* Alle Systeme sind so konfiguriert, dass sie E-Mails unter dem Namen "user@example.com" senden, und alle Systeme empfangen E-Mails für "user@hostname.example.com". | |||
* Der Hauptserver empfängt auch Mails für "user@example.com". | |||
* Wir nennen diesen Rechner "mailhost.example.com". | |||
Ein Nachteil des Versendens von Mails als "user@example.com" ist, dass Mails für "root" und andere Systemkonten ebenfalls an den zentralen Mailhost gesendet werden. | |||
* Mögliche Lösungen finden Sie im Abschnitt "[#some_local Einige, aber nicht alle Konten lokal zustellen]" weiter unten. | |||
* | |||
Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden. | |||
Zuerst stellen wir die Nicht-Mailhost-Konfiguration vor, weil sie die einfachere ist. | |||
* Dieser Rechner sendet Mails als "user@example.com" und ist das endgültige Ziel für "user@hostname.example.com". | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
2 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
3 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24 | |||
4 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = | |||
5 # Optional: alle nicht-lokalen Mails an mailhost weiterleiten | |||
6 #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
; Beschreibung: | |||
* Zeile 2: Mail als "user@example.com" senden. | |||
* Zeile 3: Geben Sie die vertrauenswürdigen Netzwerke an. | |||
* Zeile 4: Dieser Host leitet keine Mails aus nicht vertrauenswürdigen Netzen weiter. | |||
* Zeile 6: Dies ist erforderlich, wenn kein direkter Internetzugang verfügbar ist. | |||
** Siehe auch unten, "[#firewall Postfix hinter einer Firewall]". | |||
Als Nächstes stellen wir die Mailhost-Konfiguration vor. | |||
* Dieser Rechner sendet Mails als "user@example.com" und ist sowohl für "user@hostname.example.com" als auch für "user@example.com" das endgültige Ziel. | |||
1 DNS: | |||
2 example.com IN MX 10 mailhost.example.com. | |||
3 | |||
4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
5 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
6 [https://www.postfix.org/postconf.5.html#mydestination mydestination] = $[https://www.postfix.org/postconf.5.html#myhostname myhostname] localhost.$[https://www.postfix.org/postconf.5.html#mydomain mydomain] localhost $[https://www.postfix.org/postconf.5.html#mydomain mydomain] | |||
7 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24 | |||
8 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = | |||
9 # Optional: alle nicht-lokalen Mails an die Firewall weiterleiten | |||
10 #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = [firewall.example.com] | |||
; Beschreibung: | |||
* Zeile 2: Senden Sie Mails für die Domain "example.com" an den Rechner mailhost.example.com. | |||
** Denken Sie daran, das "." am Ende der Zeile anzugeben. | |||
*Zeile 5: Senden Sie die E-Mail als "user@example.com". | |||
*Zeile 6: This host is the final mail destination for the "example.com" domain, in addition to the names of the machine itself. | |||
* | |||
* | |||
*Line 7: Specify the trusted networks. | *Line 7: Specify the trusted networks. | ||
*Line 8: This host does not relay mail from untrusted networks. | *Line 8: This host does not relay mail from untrusted networks. | ||
*Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall. The <tt>[]</tt> forces Postfix to do no MX record lookups. | *Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall. | ||
**The <tt>[]</tt> forces Postfix to do no MX record lookups. | |||
In an environment like this, users access their mailbox in one or more of the following ways: | In an environment like this, users access their mailbox in one or more of the following ways: | ||
*Mailbox access via NFS or equivalent. | *Mailbox access via NFS or equivalent. | ||
*Mailbox access via POP or IMAP. | *Mailbox access via POP or IMAP. | ||
*Mailbox on the user's preferred machine. | *Mailbox on the user's preferred machine. | ||
In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine: | In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine: | ||
; /etc/aliases: | |||
joe: joe@joes.preferred.machine | |||
jane: jane@janes.preferred.machine | |||
/etc/aliases | On some systems the alias database is not in /etc/aliases. | ||
* To find out the location for your system, execute the command "postconf [https://www.postfix.org/postconf.5.html#alias_maps alias_maps]". | |||
Execute the command "newaliases" whenever you change the aliases file. | |||
===E-Mail-Firewall/Gateway=== | |||
Die Idee ist, eine Postfix-E-Mail-Firewall/einen Postfix-E-Mail-Gateway einzurichten, der E-Mails für "example.com" an einen internen Gateway-Rechner weiterleitet, E-Mails für "anything.example.com" jedoch ablehnt. | |||
* Es gibt nur ein Problem: Mit "[https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com" nimmt die Firewall normalerweise auch Mails für "anything.example.com" an. | |||
* Das wäre nicht richtig. | |||
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus. | |||
* Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]" aus. | |||
Die Lösung wird in mehreren Teilen präsentiert. | |||
* Der erste Teil beseitigt die lokale E-Mail-Zustellung auf der Firewall, wodurch die Firewall schwieriger zu knacken ist. | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
2 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = example.com | |||
3 [https://www.postfix.org/postconf.5.html#mydestination meinZiel] = | |||
4 [https://www.postfix.org/postconf.5.html#local_recipient_maps local_recipient_maps] = | |||
5 [https://www.postfix.org/postconf.5.html#local_transport local_transport] = [https://www.postfix.org/error.8.html error]:local mail delivery is disabled | |||
6 | |||
7 /etc/postfix/[https://www.postfix.org/master.5.html master.cf]: | |||
8 Kommentieren Sie den lokalen Zustellungsagenten aus | |||
; Beschreibung: | |||
* Zeile 2: Sende Mails von diesem Rechner als "user@example.com", so dass kein Grund besteht, Mails an "user@firewall.example.com" zu senden. | |||
*Zeilen 3-8: Deaktiviere die lokale Postzustellung auf dem Firewall-Rechner. | |||
* | |||
Der technischen Korrektheit halber muss die Firewall in der Lage sein, Mails für postmaster@[firewall ip address] zu empfangen. | |||
* Angeblich wird diese Fähigkeit in manchen Fällen sogar vorausgesetzt. | |||
* Der zweite Teil der Lösung fügt daher Unterstützung für postmaster@[firewall ip address] hinzu, und als Bonus gibt es auch noch abuse@[firewall ip address]. | |||
* Alle E-Mails an diese beiden Konten werden an eine interne Adresse weitergeleitet. | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | 1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | ||
2 | 2 [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual | ||
3 | |||
4 /etc/postfix/virtual: | |||
5 postmaster postmaster@example.com | |||
6 abuse abuse@example.com | |||
; Beschreibung: | |||
* Da [https://www.postfix.org/postconf.5.html#mydestination mydestination] leer ist (siehe das vorherige Beispiel), werden nur Adressliterale, die mit $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] oder $[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] übereinstimmen, als lokal angesehen. | |||
* So kann "localpart@[a.d.d.r]" einfach als "localpart" in [https://www.postfix.org/canonical.5.html canonical(5)] und [https://www.postfix.org/virtual.5.html virtual(5)] übereinstimmen. | |||
* Dadurch wird die Angabe von Firewall-IP-Adressen in den Postfix-Konfigurationsdateien überflüssig. | |||
Der letzte Teil der Lösung übernimmt die E-Mail-Weiterleitung, was der eigentliche Zweck der Firewall-E-Mail-Funktion ist. | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
2 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 12.34.56.0/24 | |||
3 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com | |||
4 [https://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains parent_domain_matches_subdomains] = | |||
5 [https://www.postfix.org/postconf.5.html#debug_peer_list debug_peer_list] smtpd_access_maps | |||
6a # Postfix 2.10 und höher unterstützen separate Relay-Kontrolle und | |||
7a # Spam-Kontrolle. | |||
8a [https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions] = | |||
9a [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination] | |||
10a [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] = ...spam blocking rules.... | |||
6b # Ältere Konfigurationen kombinieren Relay-Kontrolle und Spam-Kontrolle. Zu | |||
7b # dies mit Postfix ≥ 2.10 zu verwenden, geben Sie "[https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions]=" an. | |||
8b [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] = | |||
9b [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination] | |||
10b ...spam blocking rules.... | |||
11 [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients | |||
12 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport | |||
13 | |||
14 /etc/postfix/relay_recipients: | |||
15 user1@example.com x | |||
16 user2@example.com x | |||
17 . . . | |||
18 | |||
19 /etc/postfix/transport: | |||
20 example.com relay:[inside-gateway.example.com] | |||
Translation: | |||
* Lines 1-10: Accept mail from local systems in $[https://www.postfix.org/postconf.5.html#mynetworks mynetworks], and accept mail from outside for "user@example.com" but not for "user@anything.example.com". | |||
** The magic is in lines 4-5. | |||
*Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet. | |||
** This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. | |||
** If you can't maintain a list of valid recipients then you must specify "[https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table. | |||
*Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine. | |||
** The <tt>[]</tt> forces Postfix to do no MX lookup. | |||
** This uses the "relay" delivery transport (a copy of the default "smtp" delivery transport) to forward inbound mail. | |||
** Dies kann die Leistung von Zustellungen an interne Domänen verbessern, da diese um SMTP-Clients vom "relay"-Zustellungstransport konkurrieren, anstatt mit anderen SMTP-Zustellungen um SMTP-Clients vom Standard-"smtp"-Zustellungstransport zu konkurrieren. | |||
Geben Sie dbm anstelle von hash an, wenn Ihr System dbm-Dateien anstelle von db-Dateien verwendet. | |||
* Um herauszufinden, welche Lookup-Tabellen Postfix unterstützt, verwenden Sie den Befehl "postconf -m". | |||
Führen Sie den Befehl "postmap /etc/postfix/relay_recipients" aus, wenn Sie die Tabelle relay_recipients ändern. | |||
Führen Sie den Befehl "postmap /etc/postfix/transport" aus, wenn Sie die Transporttabelle ändern. | |||
In | In einigen Installationen kann es getrennte Instanzen von Postfix geben, die eingehende und ausgehende Post auf einer Firewall mit mehreren Hosts verarbeiten. | ||
* Die eingehende Postfix-Instanz hat einen SMTP-Server, der auf der externen Firewall-Schnittstelle lauscht, und die ausgehende Postfix-Instanz hat einen SMTP-Server, der auf der internen Schnittstelle lauscht. | |||
* In einer solchen Konfiguration ist es verlockend, $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] in jeder Instanz nur mit der entsprechenden Schnittstellenadresse zu konfigurieren. | |||
In den meisten Fällen wird die Verwendung von [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] auf diese Weise nicht funktionieren, da, wie im Referenzhandbuch zu $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] beschrieben, der [https://www.postfix.org/smtp.8.html smtp(8)]-Zustellungsagent die angegebene Schnittstellenadresse auch als Quelladresse für ausgehende Verbindungen verwendet und nicht in der Lage ist, Hosts auf der "anderen Seite" der Firewall zu erreichen. | |||
* Die Symptome sind, dass die Firewall nicht in der Lage ist, sich mit Hosts zu verbinden, die tatsächlich aktiv sind. | |||
* Siehe die [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces]-Parameterdokumentation für vorgeschlagene Abhilfemaßnahmen. | |||
== Zusätzliche Konfigurationen == | |||
===Betrieb von Postfix hinter einer Firewall=== | |||
Der einfachste Weg, Postfix auf einem Rechner hinter einer Firewall einzurichten, besteht darin, alle Mails an einen Gateway-Host zu schicken und diesen Mail-Host die interne und externe Weiterleitung übernehmen zu lassen. Beispiele dafür finden Sie im Abschnitt [#local_network local area network] oben. Ein ausgefeilterer Ansatz besteht darin, nur externe Mails an den Gateway-Host zu senden und Intranet-Mails direkt zu versenden. | |||
== | |||
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus. Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]" aus. | |||
Das folgende Beispiel zeigt eine zusätzliche Konfiguration. Sie müssen diese mit den grundlegenden Konfigurationsinformationen kombinieren, die in der ersten Hälfte dieses Dokuments beschrieben werden. | |||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | |||
2 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport | |||
3 [https://www.postfix.org/postconf.5.html#relayhost relayhost] = | |||
4 # Optional für einen Rechner, der nicht "always on" ist | |||
5 #[https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] = [gateway.example.com] | |||
6 | |||
7 /etc/postfix/transport: | |||
8 # Internal delivery. | |||
9 example.com : | |||
10 | 10 .example.com : | ||
11 | 11 # External delivery. | ||
12 | 12 * [https://www.postfix.org/smtp.8.html smtp]:[gateway.example.com] | ||
Translation: * Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The <tt>[]</tt> forces Postfix to do no MX lookup. | Translation: | ||
* Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The <tt>[]</tt> forces Postfix to do no MX lookup. | |||
*Line 3: IMPORTANT: do not specify a [https://www.postfix.org/postconf.5.html#relayhost relayhost] in [https://www.postfix.org/postconf.5.html main.cf]. | *Line 3: IMPORTANT: do not specify a [https://www.postfix.org/postconf.5.html#relayhost relayhost] in [https://www.postfix.org/postconf.5.html main.cf]. | ||
*Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway. | *Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway. | ||
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | ||
Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table. | Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table. | ||
==Configuring Postfix as primary or backup MX host for a remote site== | ===Configuring Postfix as primary or backup MX host for a remote site=== | ||
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | ||
When your system is SECONDARY MX host for a remote site this is all you need: | When your system is SECONDARY MX host for a remote site this is all you need: | ||
1 DNS: | 1 DNS: | ||
2 the.backed-up.domain.tld IN MX 100 your.machine.tld. | 2 the.backed-up.domain.tld IN MX 100 your.machine.tld. | ||
3 | 3 | ||
4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | 4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | ||
5 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = . . . the.backed-up.domain.tld | 5 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = . . . the.backed-up.domain.tld | ||
Zeile 250: | Zeile 276: | ||
11 # You must specify your NAT/proxy external address. | 11 # You must specify your NAT/proxy external address. | ||
12 #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4 | 12 #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4 | ||
13 | 13 | ||
14 [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients | 14 [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients | ||
15 | 15 | ||
16 /etc/postfix/relay_recipients: | 16 /etc/postfix/relay_recipients: | ||
17 user1@the.backed-up.domain.tld x | 17 user1@the.backed-up.domain.tld x | ||
Zeile 258: | Zeile 284: | ||
19 . . . | 19 . . . | ||
When your system is PRIMARY MX host for a remote site you need the above, plus: | When your system is PRIMARY MX host for a remote site you need the above, plus: | ||
20 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | 20 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | ||
21 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport | 21 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport | ||
22 | 22 | ||
23 /etc/postfix/transport: | 23 /etc/postfix/transport: | ||
24 the.backed-up.domain.tld relay:[their.mail.host.tld] | 24 the.backed-up.domain.tld relay:[their.mail.host.tld] | ||
Important notes: | Important notes: | ||
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#mydestination mydestination]. | *Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#mydestination mydestination]. | ||
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#virtual_alias_domains virtual_alias_domains]. | *Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#virtual_alias_domains virtual_alias_domains]. | ||
Zeile 275: | Zeile 301: | ||
*Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup. | *Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup. | ||
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | ||
Execute the command "postmap /etc/postfix/transport" whenever you change the transport table. | Execute the command "postmap /etc/postfix/transport" whenever you change the transport table. | ||
NOTE for Postfix < 2.2: Do not use the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] host when the final destination is unavailable. | NOTE for Postfix < 2.2: Do not use the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] host when the final destination is unavailable. | ||
*In [https://www.postfix.org/postconf.5.html main.cf] specify "[https://www.postfix.org/postconf.5.html#relay_transport relay_transport] = relay</tt>", | *In [https://www.postfix.org/postconf.5.html main.cf] specify "[https://www.postfix.org/postconf.5.html#relay_transport relay_transport] = relay</tt>", | ||
*In [https://www.postfix.org/master.5.html master.cf] specify "<tt>-o [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] =</tt>" at the end of the <tt>relay</tt> entry. | *In [https://www.postfix.org/master.5.html master.cf] specify "<tt>-o [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] =</tt>" at the end of the <tt>relay</tt> entry. | ||
*In transport maps, specify "<tt>relay:nexthop...</tt>" as the right-hand side for backup or primary MX domain entries. | *In transport maps, specify "<tt>relay:nexthop...</tt>" as the right-hand side for backup or primary MX domain entries. | ||
These are default settings in Postfix version 2.2 and later. | These are default settings in Postfix version 2.2 and later. | ||
==Postfix on a dialup machine== | ===Postfix on a dialup machine=== | ||
This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [ | This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [#local_network local area network] section above. | ||
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | ||
If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[ | If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[#fantasy Postfix on hosts without a real Internet hostname]". | ||
*Route all outgoing mail to your network provider. <br />If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the <tt>[]</tt> prevents Postfix from trying to look up DNS MX records. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br /> [https://www.postfix.org/postconf.5.html#relayhost relayhost] = [smtprelay.someprovider.com] | *Route all outgoing mail to your network provider. <br />If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the <tt>[]</tt> prevents Postfix from trying to look up DNS MX records. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br /> [https://www.postfix.org/postconf.5.html#relayhost relayhost] = [smtprelay.someprovider.com] | ||
*Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only). <br />Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br /> [https://www.postfix.org/postconf.5.html#defer_transports defer_transports] = smtp (Only for on-demand dialup IP hosts) | *Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only). <br />Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br /> [https://www.postfix.org/postconf.5.html#defer_transports defer_transports] = smtp (Only for on-demand dialup IP hosts) | ||
Zeile 298: | Zeile 324: | ||
#Start mail deliveries.<br />/usr/sbin/sendmail -q<br /> | #Start mail deliveries.<br />/usr/sbin/sendmail -q<br /> | ||
#Allow deliveries to start.<br />sleep 10<br /> | #Allow deliveries to start.<br />sleep 10<br /> | ||
#Loop until all messages have been tried at least once.<br />while mailq | grep '^[^ ]*\*' >/dev/null<br />do <br /> sleep 10<br />done<br />If you have disabled [ | #Loop until all messages have been tried at least once.<br />while mailq | grep '^[^ ]*\*' >/dev/null<br />do <br /> sleep 10<br />done<br />If you have disabled [#spontaneous_smtp spontaneous SMTP mail delivery], you also need to run the "sendmail -q" command every now and then while the dialup link is up, so that newly-posted mail is flushed from the queue. | ||
==Postfix on hosts without a real Internet hostname== | ===Postfix on hosts without a real Internet hostname=== | ||
This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names. | This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names. | ||
Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]". | Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]". | ||
===Solution 1: Postfix version 2.2 and later=== | ====Solution 1: Postfix version 2.2 and later==== | ||
Postfix 2.2 uses the [https://www.postfix.org/generic.5.html generic(5)] address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine. | Postfix 2.2 uses the [https://www.postfix.org/generic.5.html generic(5)] address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine. | ||
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | ||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | 1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | ||
2 [https://www.postfix.org/postconf.5.html#smtp_generic_maps smtp_generic_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/generic | 2 [https://www.postfix.org/postconf.5.html#smtp_generic_maps smtp_generic_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/generic | ||
3 | 3 | ||
4 /etc/postfix/generic: | 4 /etc/postfix/generic: | ||
5 his@localdomain.local hisaccount@hisisp.example | 5 his@localdomain.local hisaccount@hisisp.example | ||
Zeile 318: | Zeile 344: | ||
7 @localdomain.local hisaccount+local@hisisp.example | 7 @localdomain.local hisaccount+local@hisisp.example | ||
When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address, | When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address, | ||
*Line 6 replaces her@localdomain.local by her ISP mail address, and | *Line 6 replaces her@localdomain.local by her ISP mail address, and | ||
*Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions). | *Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions). | ||
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | ||
Execute the command "postmap /etc/postfix/generic" whenever you change the generic table. | Execute the command "postmap /etc/postfix/generic" whenever you change the generic table. | ||
===Solution 2: Postfix version 2.1 and earlier=== | ====Solution 2: Postfix version 2.1 and earlier==== | ||
The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own. | The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own. | ||
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document. | ||
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | 1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]: | ||
2 [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.localdomain | 2 [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.localdomain | ||
3 [https://www.postfix.org/postconf.5.html#mydomain mydomain] = localdomain | 3 [https://www.postfix.org/postconf.5.html#mydomain mydomain] = localdomain | ||
4 | 4 | ||
5 [https://www.postfix.org/postconf.5.html#canonical_maps canonical_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/canonical | 5 [https://www.postfix.org/postconf.5.html#canonical_maps canonical_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/canonical | ||
6 | 6 | ||
7 [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual | 7 [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual | ||
8 | 8 | ||
9 /etc/postfix/canonical: | 9 /etc/postfix/canonical: | ||
10 your-login-name your-account@your-isp.com | 10 your-login-name your-account@your-isp.com | ||
11 | 11 | ||
12 /etc/postfix/virtual: | 12 /etc/postfix/virtual: | ||
13 your-account@your-isp.com your-login-name | 13 your-account@your-isp.com your-login-name | ||
Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone. | Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone. | ||
*Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required. | *Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required. | ||
*Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient. | *Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient. | ||
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m". | ||
Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table. | |||
Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table. | |||
Quelle: | |||
[[Kategorie:Postfix/Konfiguration]] | |||
== Dokumentation == | |||
=== RFC === | |||
=== Man-Page === | |||
=== Info-Pages === | |||
== Siehe auch == | |||
== Links == | |||
=== Projekt === | |||
=== Weblinks === | |||
== Testfragen == | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
''Testfrage 1'' | |||
<div class="mw-collapsible-content">'''Antwort1'''</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
''Testfrage 2'' | |||
<div class="mw-collapsible-content">'''Antwort2'''</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
''Testfrage 3'' | |||
<div class="mw-collapsible-content">'''Antwort3'''</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
''Testfrage 4'' | |||
<div class="mw-collapsible-content">'''Antwort4'''</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
''Testfrage 5'' | |||
<div class="mw-collapsible-content">'''Antwort5'''</div> | |||
</div> |
Aktuelle Version vom 6. November 2024, 12:42 Uhr
Typische Postfix-Standartkonfigurationen
Beschreibung
- Voraussetzungen
- BASIC_CONFIGURATION_README
- Insbesondere sollten Sie hier nicht fortfahren, wenn Sie Postfix noch nicht für die lokale Posteinreichung und -zustellung eingerichtet haben.
Standardkonfigurationen
Eigenständigen Internet-Host
Postfix sollte auf einem Einzelplatzrechner mit direktem Internetzugang ohne Änderungen funktionieren.
Sie können den Befehl "postconf -n" verwenden, um herauszufinden, welche Einstellungen durch Ihre main.cf überschrieben werden.
- Abgesehen von ein paar Pfadeinstellungen sollten auf einer Standalone-Box nur wenige Parameter gesetzt werden, die über das hinausgehen, was im Dokument BASIC_CONFIGURATION_README beschrieben ist:
- /etc/postfix/main.cf
# Optional: Mail als user@domainname statt user@hostname senden. #myorigin = $mydomain # Optional: externe NAT/Proxy-Adresse angeben. #proxy_interfaces = 1.2.3.4 # Alternative 1: keine Weiterleitung von Mails von anderen Hosts. mynetworks_style = host relay_domains = # Alternative 2: nur Mails von lokalen Clients weiterleiten. # mynetworks = 192.168.1.0/28 # relay_domains =
Siehe auch den Abschnitt "[#fantasy Postfix auf Hosts ohne echten Internet-Hostnamen]", wenn dies auf Ihre Konfiguration zutrifft.
Null-Client
Ein Null-Client ist ein Rechner, der nur Mails versenden kann.
- Er empfängt keine Mails aus dem Netz und stellt auch keine Mails lokal zu.
- Ein Null-Client verwendet in der Regel POP, IMAP oder NFS für den Zugriff auf Postfächer.
In diesem Beispiel wird davon ausgegangen, dass der Internet-Domänenname "example.com" lautet und dass der Rechner "hostname.example.com" heißt.
- Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.
1 /etc/postfix/main.cf: 2 myhostname = hostname.example.com 3 myorigin = $mydomain 4 relayhost = $mydomain 5 inet_interfaces = loopback-only 6 mydestination =
- Beschreibung
- Zeile 2: Setzen Sie myhostname auf hostname.example.com, falls der Rechnername nicht auf einen vollqualifizierten Domänennamen gesetzt ist (verwenden Sie den Befehl "postconf -d myhostname", um den Rechnernamen zu ermitteln).
- Zeile 2: Der Wert myhostname gibt auch den Standardwert für den Parameter mydomain an (hier: "mydomain = example.com").
- Zeile 3: Senden Sie E-Mails als "user@example.com" (statt "user@hostname.example.com"), so dass es keinen Grund gibt, E-Mails an "user@hostname.example.com" zu senden.
- Linie 4: Leiten Sie alle Mails an den Mailserver weiter, der für die Domäne "example.com" zuständig ist.
- Dies verhindert, dass E-Mails auf dem Null-Client hängen bleiben, wenn dieser ausgeschaltet ist, während ein entferntes Ziel nicht erreichbar ist.
- Geben Sie hier einen echten Hostnamen an, wenn Ihre "example.com"-Domäne keinen MX-Eintrag hat.
- Zeile 5: Keine Mails aus dem Netz annehmen.
- Zeile 6: Deaktivieren Sie die lokale Postzustellung.
- Alle E-Mails gehen an den in Zeile 4 angegebenen Mailserver.
Im lokalen Netzwerk
Dieser Abschnitt beschreibt eine lokale Netzwerkumgebung mit einem Hauptserver und mehreren anderen Systemen, die E-Mails senden und empfangen.
- Wie üblich gehen wir davon aus, dass der Internet-Domänenname "example.com" lautet.
- Alle Systeme sind so konfiguriert, dass sie E-Mails unter dem Namen "user@example.com" senden, und alle Systeme empfangen E-Mails für "user@hostname.example.com".
- Der Hauptserver empfängt auch Mails für "user@example.com".
- Wir nennen diesen Rechner "mailhost.example.com".
Ein Nachteil des Versendens von Mails als "user@example.com" ist, dass Mails für "root" und andere Systemkonten ebenfalls an den zentralen Mailhost gesendet werden.
- Mögliche Lösungen finden Sie im Abschnitt "[#some_local Einige, aber nicht alle Konten lokal zustellen]" weiter unten.
Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.
Zuerst stellen wir die Nicht-Mailhost-Konfiguration vor, weil sie die einfachere ist.
- Dieser Rechner sendet Mails als "user@example.com" und ist das endgültige Ziel für "user@hostname.example.com".
1 /etc/postfix/main.cf: 2 myorigin = $mydomain 3 mynetworks = 127.0.0.0/8 10.0.0.0/24 4 relay_domains = 5 # Optional: alle nicht-lokalen Mails an mailhost weiterleiten 6 #relayhost = $mydomain
- Beschreibung
- Zeile 2: Mail als "user@example.com" senden.
- Zeile 3: Geben Sie die vertrauenswürdigen Netzwerke an.
- Zeile 4: Dieser Host leitet keine Mails aus nicht vertrauenswürdigen Netzen weiter.
- Zeile 6: Dies ist erforderlich, wenn kein direkter Internetzugang verfügbar ist.
- Siehe auch unten, "[#firewall Postfix hinter einer Firewall]".
Als Nächstes stellen wir die Mailhost-Konfiguration vor.
- Dieser Rechner sendet Mails als "user@example.com" und ist sowohl für "user@hostname.example.com" als auch für "user@example.com" das endgültige Ziel.
1 DNS: 2 example.com IN MX 10 mailhost.example.com. 3 4 /etc/postfix/main.cf: 5 myorigin = $mydomain 6 mydestination = $myhostname localhost.$mydomain localhost $mydomain 7 mynetworks = 127.0.0.0/8 10.0.0.0/24 8 relay_domains = 9 # Optional: alle nicht-lokalen Mails an die Firewall weiterleiten 10 #relayhost = [firewall.example.com]
- Beschreibung
- Zeile 2: Senden Sie Mails für die Domain "example.com" an den Rechner mailhost.example.com.
- Denken Sie daran, das "." am Ende der Zeile anzugeben.
- Zeile 5: Senden Sie die E-Mail als "user@example.com".
- Zeile 6: This host is the final mail destination for the "example.com" domain, in addition to the names of the machine itself.
- Line 7: Specify the trusted networks.
- Line 8: This host does not relay mail from untrusted networks.
- Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall.
- The [] forces Postfix to do no MX record lookups.
In an environment like this, users access their mailbox in one or more of the following ways:
- Mailbox access via NFS or equivalent.
- Mailbox access via POP or IMAP.
- Mailbox on the user's preferred machine.
In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine:
- /etc/aliases
joe: joe@joes.preferred.machine jane: jane@janes.preferred.machine
On some systems the alias database is not in /etc/aliases.
- To find out the location for your system, execute the command "postconf alias_maps".
Execute the command "newaliases" whenever you change the aliases file.
E-Mail-Firewall/Gateway
Die Idee ist, eine Postfix-E-Mail-Firewall/einen Postfix-E-Mail-Gateway einzurichten, der E-Mails für "example.com" an einen internen Gateway-Rechner weiterleitet, E-Mails für "anything.example.com" jedoch ablehnt.
- Es gibt nur ein Problem: Mit "relay_domains = example.com" nimmt die Firewall normalerweise auch Mails für "anything.example.com" an.
- Das wäre nicht richtig.
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus.
- Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf mail_version" aus.
Die Lösung wird in mehreren Teilen präsentiert.
- Der erste Teil beseitigt die lokale E-Mail-Zustellung auf der Firewall, wodurch die Firewall schwieriger zu knacken ist.
1 /etc/postfix/main.cf: 2 myorigin = example.com 3 meinZiel = 4 local_recipient_maps = 5 local_transport = error:local mail delivery is disabled 6 7 /etc/postfix/master.cf: 8 Kommentieren Sie den lokalen Zustellungsagenten aus
- Beschreibung
- Zeile 2: Sende Mails von diesem Rechner als "user@example.com", so dass kein Grund besteht, Mails an "user@firewall.example.com" zu senden.
- Zeilen 3-8: Deaktiviere die lokale Postzustellung auf dem Firewall-Rechner.
Der technischen Korrektheit halber muss die Firewall in der Lage sein, Mails für postmaster@[firewall ip address] zu empfangen.
- Angeblich wird diese Fähigkeit in manchen Fällen sogar vorausgesetzt.
- Der zweite Teil der Lösung fügt daher Unterstützung für postmaster@[firewall ip address] hinzu, und als Bonus gibt es auch noch abuse@[firewall ip address].
- Alle E-Mails an diese beiden Konten werden an eine interne Adresse weitergeleitet.
1 /etc/postfix/main.cf: 2 virtual_alias_maps = hash:/etc/postfix/virtual 3 4 /etc/postfix/virtual: 5 postmaster postmaster@example.com 6 abuse abuse@example.com
- Beschreibung
- Da mydestination leer ist (siehe das vorherige Beispiel), werden nur Adressliterale, die mit $inet_interfaces oder $proxy_interfaces übereinstimmen, als lokal angesehen.
- So kann "localpart@[a.d.d.r]" einfach als "localpart" in canonical(5) und virtual(5) übereinstimmen.
- Dadurch wird die Angabe von Firewall-IP-Adressen in den Postfix-Konfigurationsdateien überflüssig.
Der letzte Teil der Lösung übernimmt die E-Mail-Weiterleitung, was der eigentliche Zweck der Firewall-E-Mail-Funktion ist.
1 /etc/postfix/main.cf: 2 mynetworks = 127.0.0.0/8 12.34.56.0/24 3 relay_domains = example.com 4 parent_domain_matches_subdomains = 5 debug_peer_list smtpd_access_maps 6a # Postfix 2.10 und höher unterstützen separate Relay-Kontrolle und 7a # Spam-Kontrolle. 8a smtpd_relay_restrictions = 9a permit_mynetworks reject_unauth_destination 10a smtpd_recipient_restrictions = ...spam blocking rules.... 6b # Ältere Konfigurationen kombinieren Relay-Kontrolle und Spam-Kontrolle. Zu 7b # dies mit Postfix ≥ 2.10 zu verwenden, geben Sie "smtpd_relay_restrictions=" an. 8b smtpd_recipient_restrictions = 9b permit_mynetworks reject_unauth_destination 10b ...spam blocking rules.... 11 relay_recipient_maps = hash:/etc/postfix/relay_recipients 12 transport_maps = hash:/etc/postfix/transport 13 14 /etc/postfix/relay_recipients: 15 user1@example.com x 16 user2@example.com x 17 . . . 18 19 /etc/postfix/transport: 20 example.com relay:[inside-gateway.example.com]
Translation:
- Lines 1-10: Accept mail from local systems in $mynetworks, and accept mail from outside for "user@example.com" but not for "user@anything.example.com".
- The magic is in lines 4-5.
- Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet.
- This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages.
- If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.
- Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine.
- The [] forces Postfix to do no MX lookup.
- This uses the "relay" delivery transport (a copy of the default "smtp" delivery transport) to forward inbound mail.
- Dies kann die Leistung von Zustellungen an interne Domänen verbessern, da diese um SMTP-Clients vom "relay"-Zustellungstransport konkurrieren, anstatt mit anderen SMTP-Zustellungen um SMTP-Clients vom Standard-"smtp"-Zustellungstransport zu konkurrieren.
Geben Sie dbm anstelle von hash an, wenn Ihr System dbm-Dateien anstelle von db-Dateien verwendet.
- Um herauszufinden, welche Lookup-Tabellen Postfix unterstützt, verwenden Sie den Befehl "postconf -m".
Führen Sie den Befehl "postmap /etc/postfix/relay_recipients" aus, wenn Sie die Tabelle relay_recipients ändern.
Führen Sie den Befehl "postmap /etc/postfix/transport" aus, wenn Sie die Transporttabelle ändern.
In einigen Installationen kann es getrennte Instanzen von Postfix geben, die eingehende und ausgehende Post auf einer Firewall mit mehreren Hosts verarbeiten.
- Die eingehende Postfix-Instanz hat einen SMTP-Server, der auf der externen Firewall-Schnittstelle lauscht, und die ausgehende Postfix-Instanz hat einen SMTP-Server, der auf der internen Schnittstelle lauscht.
- In einer solchen Konfiguration ist es verlockend, $inet_interfaces in jeder Instanz nur mit der entsprechenden Schnittstellenadresse zu konfigurieren.
In den meisten Fällen wird die Verwendung von inet_interfaces auf diese Weise nicht funktionieren, da, wie im Referenzhandbuch zu $inet_interfaces beschrieben, der smtp(8)-Zustellungsagent die angegebene Schnittstellenadresse auch als Quelladresse für ausgehende Verbindungen verwendet und nicht in der Lage ist, Hosts auf der "anderen Seite" der Firewall zu erreichen.
- Die Symptome sind, dass die Firewall nicht in der Lage ist, sich mit Hosts zu verbinden, die tatsächlich aktiv sind.
- Siehe die inet_interfaces-Parameterdokumentation für vorgeschlagene Abhilfemaßnahmen.
Zusätzliche Konfigurationen
Betrieb von Postfix hinter einer Firewall
Der einfachste Weg, Postfix auf einem Rechner hinter einer Firewall einzurichten, besteht darin, alle Mails an einen Gateway-Host zu schicken und diesen Mail-Host die interne und externe Weiterleitung übernehmen zu lassen. Beispiele dafür finden Sie im Abschnitt [#local_network local area network] oben. Ein ausgefeilterer Ansatz besteht darin, nur externe Mails an den Gateway-Host zu senden und Intranet-Mails direkt zu versenden.
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus. Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf mail_version" aus.
Das folgende Beispiel zeigt eine zusätzliche Konfiguration. Sie müssen diese mit den grundlegenden Konfigurationsinformationen kombinieren, die in der ersten Hälfte dieses Dokuments beschrieben werden.
1 /etc/postfix/main.cf: 2 transport_maps = hash:/etc/postfix/transport 3 relayhost = 4 # Optional für einen Rechner, der nicht "always on" ist 5 #fallback_relay = [gateway.example.com] 6 7 /etc/postfix/transport: 8 # Internal delivery. 9 example.com : 10 .example.com : 11 # External delivery. 12 * smtp:[gateway.example.com]
Translation:
- Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The [] forces Postfix to do no MX lookup.
- Line 3: IMPORTANT: do not specify a relayhost in main.cf.
- Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.
Configuring Postfix as primary or backup MX host for a remote site
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.
When your system is SECONDARY MX host for a remote site this is all you need:
1 DNS: 2 the.backed-up.domain.tld IN MX 100 your.machine.tld. 3 4 /etc/postfix/main.cf: 5 relay_domains = . . . the.backed-up.domain.tld
6a # Postfix 2.10 and later support separate relay control and 7a # spam control. 8a smtpd_relay_restrictions = 9a permit_mynetworks reject_unauth_destination
10a smtpd_recipient_restrictions = ...spam blocking rules....
6b # Older configurations combine relay control and spam control. To 7b # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=". 8b smtpd_recipient_restrictions = 9b permit_mynetworks reject_unauth_destination
10b ...spam blocking rules....
11 # You must specify your NAT/proxy external address. 12 #proxy_interfaces = 1.2.3.4 13 14 relay_recipient_maps = hash:/etc/postfix/relay_recipients 15 16 /etc/postfix/relay_recipients: 17 user1@the.backed-up.domain.tld x 18 user2@the.backed-up.domain.tld x 19 . . .
When your system is PRIMARY MX host for a remote site you need the above, plus:
20 /etc/postfix/main.cf: 21 transport_maps = hash:/etc/postfix/transport 22 23 /etc/postfix/transport: 24 the.backed-up.domain.tld relay:[their.mail.host.tld]
Important notes:
- Do not list the.backed-up.domain.tld in mydestination.
- Do not list the.backed-up.domain.tld in virtual_alias_domains.
- Do not list the.backed-up.domain.tld in virtual_mailbox_domains.
- Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain.
- Line 12: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine.
- Lines 14-18: Define the list of valid addresses in the "the.backed-up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@the.backed-up.domain.tld x" wild-card in the relay_recipients table.
- Line 24: The [] forces Postfix to do no MX lookup.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.
NOTE for Postfix < 2.2: Do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable.
- In main.cf specify "relay_transport = relay",
- In master.cf specify "-o fallback_relay =" at the end of the relay entry.
- In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.
These are default settings in Postfix version 2.2 and later.
Postfix on a dialup machine
This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [#local_network local area network] section above.
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.
If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[#fantasy Postfix on hosts without a real Internet hostname]".
- Route all outgoing mail to your network provider.
If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the [] prevents Postfix from trying to look up DNS MX records.
/etc/postfix/main.cf:
relayhost = [smtprelay.someprovider.com] - Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only).
Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries.
/etc/postfix/main.cf:
defer_transports = smtp (Only for on-demand dialup IP hosts) - Disable SMTP client DNS lookups (dialup LAN only).
/etc/postfix/main.cf:
disable_dns_lookups = yes (Only for on-demand dialup IP hosts) - Flush the mail queue whenever the Internet link is established.
Put the following command into your PPP or SLIP dialup scripts:
/usr/sbin/sendmail -q (whenever the Internet link is up)
The exact location of the Postfix sendmail command is system-specific. Use the command "postconf sendmail_path" to find out where the Postfix sendmail command is located on your machine.
In order to find out if the mail queue is flushed, use something like:
#!/bin/sh
- Start mail deliveries.
/usr/sbin/sendmail -q - Allow deliveries to start.
sleep 10 - Loop until all messages have been tried at least once.
while mailq | grep '^[^ ]*\*' >/dev/null
do
sleep 10
done
If you have disabled [#spontaneous_smtp spontaneous SMTP mail delivery], you also need to run the "sendmail -q" command every now and then while the dialup link is up, so that newly-posted mail is flushed from the queue.
Postfix on hosts without a real Internet hostname
This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.
Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf mail_version".
Solution 1: Postfix version 2.2 and later
Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.
1 /etc/postfix/main.cf: 2 smtp_generic_maps = hash:/etc/postfix/generic 3 4 /etc/postfix/generic: 5 his@localdomain.local hisaccount@hisisp.example 6 her@localdomain.local heraccount@herisp.example 7 @localdomain.local hisaccount+local@hisisp.example
When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address,
- Line 6 replaces her@localdomain.local by her ISP mail address, and
- Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions).
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.
Solution 2: Postfix version 2.1 and earlier
The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.
1 /etc/postfix/main.cf: 2 myhostname = hostname.localdomain 3 mydomain = localdomain 4 5 canonical_maps = hash:/etc/postfix/canonical 6 7 virtual_alias_maps = hash:/etc/postfix/virtual 8 9 /etc/postfix/canonical:
10 your-login-name your-account@your-isp.com 11 12 /etc/postfix/virtual: 13 your-account@your-isp.com your-login-name
Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone.
- Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required.
- Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.
Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.
Quelle:
Dokumentation
RFC
Man-Page
Info-Pages
Siehe auch
Links
Projekt
Weblinks
Testfragen
Testfrage 1
Testfrage 2
Testfrage 3
Testfrage 4
Testfrage 5