Postfix/Standartkonfigurationen: Unterschied zwischen den Versionen

Aus Foxwiki
K Textersetzung - „Man-Pages“ durch „Man-Page“
 
(46 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
==Purpose of this document==
Typische '''Postfix-Standartkonfigurationen'''
This document presents a number of typical Postfix configurations. This document should be reviewed after you have followed the basic configuration steps as described in the [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README] document. In particular, do not proceed here if you don't already have Postfix working for local mail submission and for local mail delivery.  
== Beschreibung ==
; Voraussetzungen
* [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README]
* Insbesondere sollten Sie hier nicht fortfahren, wenn Sie Postfix noch nicht für die lokale Posteinreichung und -zustellung eingerichtet haben.


The first part of this document presents standard configurations that each solve one specific problem.  
== Standardkonfigurationen ==
===Eigenständigen Internet-Host===
Postfix sollte auf einem Einzelplatzrechner mit direktem Internetzugang ohne Änderungen funktionieren.


* [https://www.postfix.org/STANDARD_CONFIGURATION_README.html#stand_alone Postfix on a stand-alone Internet host]  
Sie können den Befehl "postconf -n" verwenden, um herauszufinden, welche Einstellungen durch Ihre [https://www.postfix.org/postconf.5.html main.cf] überschrieben werden.
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client Postfix on a null client]
* Abgesehen von ein paar Pfadeinstellungen sollten auf einer Standalone-Box nur wenige Parameter gesetzt werden, die über das hinausgehen, was im Dokument [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README] beschrieben ist:
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#local_network Postfix on a local network]
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall Postfix email firewall/gateway]


The second part of this document presents additional configurations for hosts in specific environments.
;/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]
 
# Optional: Mail als user@domainname statt user@hostname senden.
* [https://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local Delivering some but not all accounts locally]
#[https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#intranet Running Postfix behind a firewall]
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup Configuring Postfix as primary or backup MX host for a remote site]
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#dialup Postfix on a dialup machine]
*[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy Postfix on hosts without a real Internet hostname]
 
==Postfix on a stand-alone Internet host==
Postfix should work out of the box without change on a stand-alone machine that has direct Internet access. At least, that is how Postfix installs when you download the Postfix source code via http://www.postfix.org/.
 
You can use the command "postconf -n" to find out what settings are overruled by your [https://www.postfix.org/postconf.5.html main.cf]. Besides a few pathname settings, few parameters should be set on a stand-alone box, beyond what is covered in the [https://www.postfix.org/BASIC_CONFIGURATION_README.html BASIC_CONFIGURATION_README] document:
 
/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
    # Optional: send mail as user@domainname instead of user@hostname.
    #[https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
   
   
  # Optional: specify NAT/proxy external address.
  # Optional: externe NAT/Proxy-Adresse angeben.
  #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4
  #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4
   
   
  # Alternative 1: don't relay mail from other hosts.
  # Alternative 1: keine Weiterleitung von Mails von anderen Hosts.
  [https://www.postfix.org/postconf.5.html#mynetworks_style mynetworks_style] = host
  [https://www.postfix.org/postconf.5.html#mynetworks_style mynetworks_style] = host
  [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
  [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
   
   
  # Alternative 2: relay mail from local clients only.
  # Alternative 2: nur Mails von lokalen Clients weiterleiten.
  # [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 192.168.1.0/28
  # [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 192.168.1.0/28
  # [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
  # [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =


See also the section "[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy Postfix on hosts without a real Internet hostname]" if this is applicable to your configuration.
Siehe auch den Abschnitt "[#fantasy Postfix auf Hosts ohne echten Internet-Hostnamen]", wenn dies auf Ihre Konfiguration zutrifft.


==Postfix on a null client==
===Null-Client===
A null client is a machine that can only send mail. It receives no mail from the network, and it does not deliver any mail locally. A null client typically uses POP, IMAP or NFS for mailbox access.  
Ein Null-Client ist ein Rechner, der nur Mails versenden kann.
* Er empfängt keine Mails aus dem Netz und stellt auch keine Mails lokal zu.
* Ein Null-Client verwendet in der Regel POP, IMAP oder NFS für den Zugriff auf Postfächer.


In this example we assume that the Internet domain name is "example.com" and that the machine is named "hostname.example.com". As usual, the examples show only parameters that are not left at their default settings.  
In diesem Beispiel wird davon ausgegangen, dass der Internet-Domänenname "example.com" lautet und dass der Rechner "hostname.example.com" heißt.
* Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.


  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  2     [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.example.com
  2 [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.example.com
  3     [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  3 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  4     [https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  4 [https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  5     [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] = loopback-only
  5 [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] = loopback-only
  6     [https://www.postfix.org/postconf.5.html#mydestination mydestination] =
  6 [https://www.postfix.org/postconf.5.html#mydestination mydestination] =


Translation:  
; Beschreibung:
* Line 2: Set [https://www.postfix.org/postconf.5.html#myhostname myhostname] to hostname.example.com, in case the machine name isn't set to a fully-qualified domain name (use the command "postconf -d [https://www.postfix.org/postconf.5.html#myhostname myhostname]" to find out what the machine name is).  
* Zeile 2: Setzen Sie [https://www.postfix.org/postconf.5.html#myhostname myhostname] auf hostname.example.com, falls der Rechnername nicht auf einen vollqualifizierten Domänennamen gesetzt ist (verwenden Sie den Befehl "postconf -d [https://www.postfix.org/postconf.5.html#myhostname myhostname]", um den Rechnernamen zu ermitteln).
*Line 2: The [https://www.postfix.org/postconf.5.html#myhostname myhostname] value also provides the default value for the [https://www.postfix.org/postconf.5.html#mydomain mydomain] parameter (here, "[https://www.postfix.org/postconf.5.html#mydomain mydomain] = example.com").
*Zeile 2: Der Wert [https://www.postfix.org/postconf.5.html#myhostname myhostname] gibt auch den Standardwert für den Parameter [https://www.postfix.org/postconf.5.html#mydomain mydomain] an (hier: "[https://www.postfix.org/postconf.5.html#mydomain mydomain] = example.com").
*Line 3: Send mail as "user@example.com" (instead of "user@hostname.example.com"), so that nothing ever has a reason to send mail to "user@hostname.example.com".
*Zeile 3: Senden Sie E-Mails als "user@example.com" (statt "user@hostname.example.com"), so dass es keinen Grund gibt, E-Mails an "user@hostname.example.com" zu senden.
*Line 4: Forward all mail to the mail server that is responsible for the "example.com" domain. This prevents mail from getting stuck on the null client if it is turned off while some remote destination is unreachable. Specify a real hostname here if your "example.com" domain has no MX record.
*Linie 4: Leiten Sie alle Mails an den Mailserver weiter, der für die Domäne "example.com" zuständig ist.
*Line 5: Do not accept mail from the network.
** Dies verhindert, dass E-Mails auf dem Null-Client hängen bleiben, wenn dieser ausgeschaltet ist, während ein entferntes Ziel nicht erreichbar ist.
*Line 6: Disable local mail delivery. All mail goes to the mail server as specified in line 4.
** Geben Sie hier einen echten Hostnamen an, wenn Ihre "example.com"-Domäne keinen MX-Eintrag hat.
*Zeile 5: Keine Mails aus dem Netz annehmen.
*Zeile 6: Deaktivieren Sie die lokale Postzustellung.
** Alle E-Mails gehen an den in Zeile 4 angegebenen Mailserver.


==Postfix on a local network==
===Im lokalen Netzwerk===
This section describes a local area network environment of one main server and multiple other systems that send and receive email. As usual we assume that the Internet domain name is "example.com". All systems are configured to send mail as "user@example.com", and all systems receive mail for "user@hostname.example.com". The main server also receives mail for "user@example.com". We call this machine by the name of mailhost.example.com.  
Dieser Abschnitt beschreibt eine lokale Netzwerkumgebung mit einem Hauptserver und mehreren anderen Systemen, die E-Mails senden und empfangen.
* Wie üblich gehen wir davon aus, dass der Internet-Domänenname "example.com" lautet.
* Alle Systeme sind so konfiguriert, dass sie E-Mails unter dem Namen "user@example.com" senden, und alle Systeme empfangen E-Mails für "user@hostname.example.com".
* Der Hauptserver empfängt auch Mails für "user@example.com".
* Wir nennen diesen Rechner "mailhost.example.com".


A drawback of sending mail as "user@example.com" is that mail for "root" and other system accounts is also sent to the central mailhost. See the section "[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local Delivering some but not all accounts locally]" below for possible solutions.  
Ein Nachteil des Versendens von Mails als "user@example.com" ist, dass Mails für "root" und andere Systemkonten ebenfalls an den zentralen Mailhost gesendet werden.
* Mögliche Lösungen finden Sie im Abschnitt "[#some_local Einige, aber nicht alle Konten lokal zustellen]" weiter unten.


As usual, the examples show only parameters that are not left at their default settings.  
Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.


First we present the non-mailhost configuration, because it is the simpler one. This machine sends mail as "user@example.com" and is the final destination for "user@hostname.example.com".  
Zuerst stellen wir die Nicht-Mailhost-Konfiguration vor, weil sie die einfachere ist.
* Dieser Rechner sendet Mails als "user@example.com" und ist das endgültige Ziel für "user@hostname.example.com".


  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  2     [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  2 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  3     [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24
  3 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24
  4     [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
  4 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
  5     # Optional: forward all non-local mail to mailhost
  5 # Optional: alle nicht-lokalen Mails an mailhost weiterleiten
  6     #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
  6 #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]


Translation:  
; Beschreibung:
* Line 2: Send mail as "user@example.com".  
* Zeile 2: Mail als "user@example.com" senden.
* Line 3: Specify the trusted networks.
* Zeile 3: Geben Sie die vertrauenswürdigen Netzwerke an.
* Line 4: This host does not relay mail from untrusted networks.
* Zeile 4: Dieser Host leitet keine Mails aus nicht vertrauenswürdigen Netzen weiter.
* Line 6: This is needed if no direct Internet access is available. See also below, "[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall Postfix behind a firewall]".
* Zeile 6: Dies ist erforderlich, wenn kein direkter Internetzugang verfügbar ist.
** Siehe auch unten, "[#firewall Postfix hinter einer Firewall]".


Next we present the mailhost configuration. This machine sends mail as "user@example.com" and is the final destination for "user@hostname.example.com" as well as "user@example.com".  
Als Nächstes stellen wir die Mailhost-Konfiguration vor.
* Dieser Rechner sendet Mails als "user@example.com" und ist sowohl für "user@hostname.example.com" als auch für "user@example.com" das endgültige Ziel.


   1 DNS:
   1 DNS:
   2     example.com   IN   MX 10 mailhost.example.com.
   2 example.com IN MX 10 mailhost.example.com.
   3  
   3
   4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   5     [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
   5 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
   6     [https://www.postfix.org/postconf.5.html#mydestination mydestination] = $[https://www.postfix.org/postconf.5.html#myhostname myhostname] localhost.$[https://www.postfix.org/postconf.5.html#mydomain mydomain] localhost $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
   6 [https://www.postfix.org/postconf.5.html#mydestination mydestination] = $[https://www.postfix.org/postconf.5.html#myhostname myhostname] localhost.$[https://www.postfix.org/postconf.5.html#mydomain mydomain] localhost $[https://www.postfix.org/postconf.5.html#mydomain mydomain]
   7     [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24
   7 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 10.0.0.0/24
   8     [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
   8 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] =
   9     # Optional: forward all non-local mail to firewall
   9 # Optional: alle nicht-lokalen Mails an die Firewall weiterleiten
  10     #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = [firewall.example.com]
  10 #[https://www.postfix.org/postconf.5.html#relayhost relayhost] = [firewall.example.com]


Translation:  
; Beschreibung:
* Line 2: Send mail for the domain "example.com" to the machine mailhost.example.com. Remember to specify the "." at the end of the line.  
* Zeile 2: Senden Sie Mails für die Domain "example.com" an den Rechner mailhost.example.com.
*Line 5: Send mail as "user@example.com".
** Denken Sie daran, das "." am Ende der Zeile anzugeben.
*Line 6: This host is the final mail destination for the "example.com" domain, in addition to the names of the machine itself.
*Zeile 5: Senden Sie die E-Mail als "user@example.com".
*Zeile 6: This host is the final mail destination for the "example.com" domain, in addition to the names of the machine itself.
*Line 7: Specify the trusted networks.
*Line 7: Specify the trusted networks.
*Line 8: This host does not relay mail from untrusted networks.
*Line 8: This host does not relay mail from untrusted networks.
*Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall. The <tt>[]</tt> forces Postfix to do no MX record lookups.
*Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall.
**The <tt>[]</tt> forces Postfix to do no MX record lookups.


In an environment like this, users access their mailbox in one or more of the following ways:  
In an environment like this, users access their mailbox in one or more of the following ways:
*Mailbox access via NFS or equivalent.
*Mailbox access via NFS or equivalent.
*Mailbox access via POP or IMAP.
*Mailbox access via POP or IMAP.
*Mailbox on the user's preferred machine.
*Mailbox on the user's preferred machine.


In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine:  
In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine:
; /etc/aliases:
; /etc/aliases:
     joe:   joe@joes.preferred.machine
     joe: joe@joes.preferred.machine
     jane:   jane@janes.preferred.machine
     jane: jane@janes.preferred.machine


On some systems the alias database is not in /etc/aliases. To find out the location for your system, execute the command "postconf [https://www.postfix.org/postconf.5.html#alias_maps alias_maps]".  
On some systems the alias database is not in /etc/aliases.
* To find out the location for your system, execute the command "postconf [https://www.postfix.org/postconf.5.html#alias_maps alias_maps]".


Execute the command "newaliases" whenever you change the aliases file.
Execute the command "newaliases" whenever you change the aliases file.


==Postfix email firewall/gateway==
===E-Mail-Firewall/Gateway===
The idea is to set up a Postfix email firewall/gateway that forwards mail for "example.com" to an inside gateway machine but rejects mail for "anything.example.com". There is only one problem: with "[https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com", the firewall normally also accepts mail for "anything.example.com". That would not be right.  
Die Idee ist, eine Postfix-E-Mail-Firewall/einen Postfix-E-Mail-Gateway einzurichten, der E-Mails für "example.com" an einen internen Gateway-Rechner weiterleitet, E-Mails für "anything.example.com" jedoch ablehnt.
* Es gibt nur ein Problem: Mit "[https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com" nimmt die Firewall normalerweise auch Mails für "anything.example.com" an.
* Das wäre nicht richtig.


Note: this example requires Postfix version 2.0 and later. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]".  
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus.
* Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]" aus.


The solution is presented in multiple parts. This first part gets rid of local mail delivery on the firewall, making the firewall harder to break.  
Die Lösung wird in mehreren Teilen präsentiert.
* Der erste Teil beseitigt die lokale E-Mail-Zustellung auf der Firewall, wodurch die Firewall schwieriger zu knacken ist.


  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  2     [https://www.postfix.org/postconf.5.html#myorigin myorigin] = example.com
  2 [https://www.postfix.org/postconf.5.html#myorigin myorigin] = example.com
  3     [https://www.postfix.org/postconf.5.html#mydestination mydestination] =
  3 [https://www.postfix.org/postconf.5.html#mydestination meinZiel] =
  4     [https://www.postfix.org/postconf.5.html#local_recipient_maps local_recipient_maps] =
  4 [https://www.postfix.org/postconf.5.html#local_recipient_maps local_recipient_maps] =
  5     [https://www.postfix.org/postconf.5.html#local_transport local_transport] = [https://www.postfix.org/error.8.html error]:local mail delivery is disabled
  5 [https://www.postfix.org/postconf.5.html#local_transport local_transport] = [https://www.postfix.org/error.8.html error]:local mail delivery is disabled
  6  
  6
  7 /etc/postfix/[https://www.postfix.org/master.5.html master.cf]:
  7 /etc/postfix/[https://www.postfix.org/master.5.html master.cf]:
  8     Comment out the local delivery agent
  8 Kommentieren Sie den lokalen Zustellungsagenten aus


Translation:  
; Beschreibung:
* Line 2: Send mail from this machine as "user@example.com", so that no reason exists to send mail to "user@firewall.example.com".  
* Zeile 2: Sende Mails von diesem Rechner als "user@example.com", so dass kein Grund besteht, Mails an "user@firewall.example.com" zu senden.
*Lines 3-8: Disable local mail delivery on the firewall machine.
*Zeilen 3-8: Deaktiviere die lokale Postzustellung auf dem Firewall-Rechner.


For the sake of technical correctness the firewall must be able to receive mail for postmaster@[firewall ip address]. Reportedly, some things actually expect this ability to exist. The second part of the solution therefore adds support for postmaster@[firewall ip address], and as a bonus we do abuse@[firewall ip address] as well. All the mail to these two accounts is forwarded to an inside address.  
Der technischen Korrektheit halber muss die Firewall in der Lage sein, Mails für postmaster@[firewall ip address] zu empfangen.
* Angeblich wird diese Fähigkeit in manchen Fällen sogar vorausgesetzt.
* Der zweite Teil der Lösung fügt daher Unterstützung für postmaster@[firewall ip address] hinzu, und als Bonus gibt es auch noch abuse@[firewall ip address].
* Alle E-Mails an diese beiden Konten werden an eine interne Adresse weitergeleitet.


  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  2     [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual
  2 [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual
  3  
  3
  4 /etc/postfix/virtual:
  4 /etc/postfix/virtual:
  5     postmaster     postmaster@example.com
  5 postmaster postmaster@example.com
  6     abuse           abuse@example.com
  6 abuse abuse@example.com


Translation:  
; Beschreibung:
* Because [https://www.postfix.org/postconf.5.html#mydestination mydestination] is empty (see the previous example), only address literals matching $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] or $[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] are deemed local. So "localpart@[a.d.d.r]" can be matched as simply "localpart" in [https://www.postfix.org/canonical.5.html canonical(5)] and [https://www.postfix.org/virtual.5.html virtual(5)]. This avoids the need to specify firewall IP addresses in Postfix configuration files.  
* Da [https://www.postfix.org/postconf.5.html#mydestination mydestination] leer ist (siehe das vorherige Beispiel), werden nur Adressliterale, die mit $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] oder $[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] übereinstimmen, als lokal angesehen.
* So kann "localpart@[a.d.d.r]" einfach als "localpart" in [https://www.postfix.org/canonical.5.html canonical(5)] und [https://www.postfix.org/virtual.5.html virtual(5)] übereinstimmen.
* Dadurch wird die Angabe von Firewall-IP-Adressen in den Postfix-Konfigurationsdateien überflüssig.


The last part of the solution does the email forwarding, which is the real purpose of the firewall email function.  
Der letzte Teil der Lösung übernimmt die E-Mail-Weiterleitung, was der eigentliche Zweck der Firewall-E-Mail-Funktion ist.


   1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   2     [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 12.34.56.0/24
   2 [https://www.postfix.org/postconf.5.html#mynetworks mynetworks] = 127.0.0.0/8 12.34.56.0/24
   3     [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com
   3 [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = example.com
   4     [https://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains parent_domain_matches_subdomains] =  
   4 [https://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains parent_domain_matches_subdomains] =
   5         [https://www.postfix.org/postconf.5.html#debug_peer_list debug_peer_list] smtpd_access_maps
   5 [https://www.postfix.org/postconf.5.html#debug_peer_list debug_peer_list] smtpd_access_maps
   
   
   6a   # Postfix 2.10 and later support separate relay control and
   6a # Postfix 2.10 und höher unterstützen separate Relay-Kontrolle und
   7a   # spam control.
   7a # Spam-Kontrolle.
   8a   [https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions] =
   8a [https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions] =
   9a       [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination]
   9a [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination]
  10a   [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] = ...spam blocking rules....
  10a [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] = ...spam blocking rules....
   
   
   6b   # Older configurations combine relay control and spam control. To
   6b # Ältere Konfigurationen kombinieren Relay-Kontrolle und Spam-Kontrolle. Zu
   7b   # use this with Postfix ≥ 2.10 specify "[https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions]=".
   7b # dies mit Postfix ≥ 2.10 zu verwenden, geben Sie "[https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions smtpd_relay_restrictions]=" an.
   8b   [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] =
   8b [https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions smtpd_recipient_restrictions] =
   9b       [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination]
   9b [https://www.postfix.org/postconf.5.html#permit_mynetworks permit_mynetworks] [https://www.postfix.org/postconf.5.html#reject_unauth_destination reject_unauth_destination]
  10b       ...spam blocking rules....
  10b ...spam blocking rules....
   
   
  11     [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients
  11 [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients
  12     [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
  12 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
  13  
  13
  14 /etc/postfix/relay_recipients:
  14 /etc/postfix/relay_recipients:
  15     user1@example.com   x
  15 user1@example.com x
  16     user2@example.com   x
  16 user2@example.com x
  17     . . .
  17 . . .
  18  
  18
  19 /etc/postfix/transport:
  19 /etc/postfix/transport:
  20     example.com   relay:[inside-gateway.example.com]
  20 example.com relay:[inside-gateway.example.com]


Translation:  
Translation:
* Lines 1-10: Accept mail from local systems in $[https://www.postfix.org/postconf.5.html#mynetworks mynetworks], and accept mail from outside for "user@example.com" but not for "user@anything.example.com". The magic is in lines 4-5.  
* Lines 1-10: Accept mail from local systems in $[https://www.postfix.org/postconf.5.html#mynetworks mynetworks], and accept mail from outside for "user@example.com" but not for "user@anything.example.com".
*Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet. This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "[https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.
** The magic is in lines 4-5.
*Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine. The <tt>[]</tt> forces Postfix to do no MX lookup. This uses the "relay" delivery transport (a copy of the default "smtp" delivery transport) to forward inbound mail. This can improve performance of deliveries to internal domains because they will compete for SMTP clients from the "relay" delivery transport, instead of competing with other SMTP deliveries for SMTP clients from the default "smtp" delivery transport.
*Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet.
** This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages.
** If you can't maintain a list of valid recipients then you must specify "[https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.
*Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine.
** The <tt>[]</tt> forces Postfix to do no MX lookup.
** This uses the "relay" delivery transport (a copy of the default "smtp" delivery transport) to forward inbound mail.
** Dies kann die Leistung von Zustellungen an interne Domänen verbessern, da diese um SMTP-Clients vom "relay"-Zustellungstransport konkurrieren, anstatt mit anderen SMTP-Zustellungen um SMTP-Clients vom Standard-"smtp"-Zustellungstransport zu konkurrieren.


Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".  
Geben Sie dbm anstelle von hash an, wenn Ihr System dbm-Dateien anstelle von db-Dateien verwendet.
* Um herauszufinden, welche Lookup-Tabellen Postfix unterstützt, verwenden Sie den Befehl "postconf -m".


Execute the command "postmap /etc/postfix/relay_recipients" whenever you change the relay_recipients table.  
Führen Sie den Befehl "postmap /etc/postfix/relay_recipients" aus, wenn Sie die Tabelle relay_recipients ändern.


Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.  
Führen Sie den Befehl "postmap /etc/postfix/transport" aus, wenn Sie die Transporttabelle ändern.


In some installations, there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The inbound Postfix instance has an SMTP server listening on the external firewall interface, and the outbound Postfix instance has an SMTP server listening on the internal interface. In such a configuration is it is tempting to configure $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] in each instance with just the corresponding interface address.  
In einigen Installationen kann es getrennte Instanzen von Postfix geben, die eingehende und ausgehende Post auf einer Firewall mit mehreren Hosts verarbeiten.
* Die eingehende Postfix-Instanz hat einen SMTP-Server, der auf der externen Firewall-Schnittstelle lauscht, und die ausgehende Postfix-Instanz hat einen SMTP-Server, der auf der internen Schnittstelle lauscht.
* In einer solchen Konfiguration ist es verlockend, $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] in jeder Instanz nur mit der entsprechenden Schnittstellenadresse zu konfigurieren.


In most cases, using [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] in this way will not work, because as documented in the $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] reference manual, the [https://www.postfix.org/smtp.8.html smtp(8)] delivery agent will also use the specified interface address as the source address for outbound connections and will be unable to reach hosts on "the other side" of the firewall. The symptoms are that the firewall is unable to connect to hosts that are in fact up. See the [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] parameter documentation for suggested work-arounds.
In den meisten Fällen wird die Verwendung von [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] auf diese Weise nicht funktionieren, da, wie im Referenzhandbuch zu $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] beschrieben, der [https://www.postfix.org/smtp.8.html smtp(8)]-Zustellungsagent die angegebene Schnittstellenadresse auch als Quelladresse für ausgehende Verbindungen verwendet und nicht in der Lage ist, Hosts auf der "anderen Seite" der Firewall zu erreichen.
* Die Symptome sind, dass die Firewall nicht in der Lage ist, sich mit Hosts zu verbinden, die tatsächlich aktiv sind.
* Siehe die [https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces]-Parameterdokumentation für vorgeschlagene Abhilfemaßnahmen.


==Delivering some but not all accounts locally==
== Zusätzliche Konfigurationen ==
A drawback of sending mail as "user@example.com" (instead of "user@hostname.example.com") is that mail for "root" and other system accounts is also sent to the central mailhost. In order to deliver such accounts locally, you can set up virtual aliases as follows:
===Betrieb von Postfix hinter einer Firewall===
Der einfachste Weg, Postfix auf einem Rechner hinter einer Firewall einzurichten, besteht darin, alle Mails an einen Gateway-Host zu schicken und diesen Mail-Host die interne und externe Weiterleitung übernehmen zu lassen. Beispiele dafür finden Sie im Abschnitt [#local_network local area network] oben. Ein ausgefeilterer Ansatz besteht darin, nur externe Mails an den Gateway-Host zu senden und Intranet-Mails direkt zu versenden.


1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus. Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]" aus.
2    [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual
3
4 /etc/postfix/virtual:
5    root    root@localhost
6    . . .


Translation:
Das folgende Beispiel zeigt eine zusätzliche Konfiguration. Sie müssen diese mit den grundlegenden Konfigurationsinformationen kombinieren, die in der ersten Hälfte dieses Dokuments beschrieben werden.
*Line 5: As described in the [https://www.postfix.org/virtual.5.html virtual(5)] manual page, the bare name "root" matches "root@site" when "site" is equal to $[https://www.postfix.org/postconf.5.html#myorigin myorigin], when "site" is listed in $[https://www.postfix.org/postconf.5.html#mydestination mydestination], or when it matches $[https://www.postfix.org/postconf.5.html#inet_interfaces inet_interfaces] or $[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces].
 
Execute the command "postmap /etc/postfix/virtual" after editing the file.
 
==Running Postfix behind a firewall==
The simplest way to set up Postfix on a host behind a firewalled network is to send all mail to a gateway host, and to let that mail host take care of internal and external forwarding. Examples of that are shown in the [https://www.postfix.org/STANDARD_CONFIGURATION_README.html#local_network local area network] section above. A more sophisticated approach is to send only external mail to the gateway host, and to send intranet mail directly.
 
Note: this example requires Postfix version 2.0 and later. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]".
 
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.  


   1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
   2     [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
   2 [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
   3     [https://www.postfix.org/postconf.5.html#relayhost relayhost] =
   3 [https://www.postfix.org/postconf.5.html#relayhost relayhost] =
   4     # Optional for a machine that isn't "always on"
   4 # Optional für einen Rechner, der nicht "always on" ist
   5     #[https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] = [gateway.example.com]
   5 #[https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] = [gateway.example.com]
   6  
   6
   7 /etc/postfix/transport:
   7 /etc/postfix/transport:
   8     # Internal delivery.
   8 # Internal delivery.
   9     example.com     :
   9 example.com :
  10     .example.com     :
  10 .example.com :
  11     # External delivery.
  11 # External delivery.
  12     *               [https://www.postfix.org/smtp.8.html smtp]:[gateway.example.com]
  12 * [https://www.postfix.org/smtp.8.html smtp]:[gateway.example.com]


Translation:  
Translation:
* Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The <tt>[]</tt> forces Postfix to do no MX lookup.  
* Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The <tt>[]</tt> forces Postfix to do no MX lookup.
*Line 3: IMPORTANT: do not specify a [https://www.postfix.org/postconf.5.html#relayhost relayhost] in [https://www.postfix.org/postconf.5.html main.cf].
*Line 3: IMPORTANT: do not specify a [https://www.postfix.org/postconf.5.html#relayhost relayhost] in [https://www.postfix.org/postconf.5.html main.cf].
*Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway.
*Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway.


Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".  
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".


Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.
Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.


==Configuring Postfix as primary or backup MX host for a remote site==
===Configuring Postfix as primary or backup MX host for a remote site===
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.  
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.


When your system is SECONDARY MX host for a remote site this is all you need:  
When your system is SECONDARY MX host for a remote site this is all you need:


  1 DNS:
  1 DNS:
  2    the.backed-up.domain.tld        IN      MX 100 your.machine.tld.
  2    the.backed-up.domain.tld        IN      MX 100 your.machine.tld.
  3  
  3
  4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  4 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  5    [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = . . . the.backed-up.domain.tld
  5    [https://www.postfix.org/postconf.5.html#relay_domains relay_domains] = . . . the.backed-up.domain.tld
Zeile 263: Zeile 276:
11    # You must specify your NAT/proxy external address.
11    # You must specify your NAT/proxy external address.
12    #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4
12    #[https://www.postfix.org/postconf.5.html#proxy_interfaces proxy_interfaces] = 1.2.3.4
13  
13
14    [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients
14    [https://www.postfix.org/postconf.5.html#relay_recipient_maps relay_recipient_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/relay_recipients
15  
15
16 /etc/postfix/relay_recipients:
16 /etc/postfix/relay_recipients:
17    user1@the.backed-up.domain.tld  x
17    user1@the.backed-up.domain.tld  x
Zeile 271: Zeile 284:
19      . . .
19      . . .


When your system is PRIMARY MX host for a remote site you need the above, plus:  
When your system is PRIMARY MX host for a remote site you need the above, plus:


20 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
20 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
21    [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
21    [https://www.postfix.org/postconf.5.html#transport_maps transport_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/transport
22  
22
23 /etc/postfix/transport:
23 /etc/postfix/transport:
24    the.backed-up.domain.tld      relay:[their.mail.host.tld]
24    the.backed-up.domain.tld      relay:[their.mail.host.tld]


Important notes:  
Important notes:
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#mydestination mydestination].
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#mydestination mydestination].
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#virtual_alias_domains virtual_alias_domains].
*Do not list the.backed-up.domain.tld in [https://www.postfix.org/postconf.5.html#virtual_alias_domains virtual_alias_domains].
Zeile 288: Zeile 301:
*Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup.
*Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup.


Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".  
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".


Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.  
Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.


NOTE for Postfix < 2.2: Do not use the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] host when the final destination is unavailable.  
NOTE for Postfix < 2.2: Do not use the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] host when the final destination is unavailable.
*In [https://www.postfix.org/postconf.5.html main.cf] specify "[https://www.postfix.org/postconf.5.html#relay_transport relay_transport] = relay</tt>",
*In [https://www.postfix.org/postconf.5.html main.cf] specify "[https://www.postfix.org/postconf.5.html#relay_transport relay_transport] = relay</tt>",
*In [https://www.postfix.org/master.5.html master.cf] specify "<tt>-o [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] =</tt>" at the end of the <tt>relay</tt> entry.
*In [https://www.postfix.org/master.5.html master.cf] specify "<tt>-o [https://www.postfix.org/postconf.5.html#fallback_relay fallback_relay] =</tt>" at the end of the <tt>relay</tt> entry.
*In transport maps, specify "<tt>relay:nexthop...</tt>" as the right-hand side for backup or primary MX domain entries.
*In transport maps, specify "<tt>relay:nexthop...</tt>" as the right-hand side for backup or primary MX domain entries.


These are default settings in Postfix version 2.2 and later.  
These are default settings in Postfix version 2.2 and later.


==Postfix on a dialup machine==
===Postfix on a dialup machine===
This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [https://www.postfix.org/STANDARD_CONFIGURATION_README.html#local_network local area network] section above.  
This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [#local_network local area network] section above.


This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.  
This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.


If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[https://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy Postfix on hosts without a real Internet hostname]".  
If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[#fantasy Postfix on hosts without a real Internet hostname]".
*Route all outgoing mail to your network provider. <br />If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the <tt>[]</tt> prevents Postfix from trying to look up DNS MX records. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br />    [https://www.postfix.org/postconf.5.html#relayhost relayhost] = [smtprelay.someprovider.com]
*Route all outgoing mail to your network provider. <br />If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the <tt>[]</tt> prevents Postfix from trying to look up DNS MX records. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br />    [https://www.postfix.org/postconf.5.html#relayhost relayhost] = [smtprelay.someprovider.com]
*Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only). <br />Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br />    [https://www.postfix.org/postconf.5.html#defer_transports defer_transports] = smtp (Only for on-demand dialup IP hosts)
*Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only). <br />Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries. <br />/etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:<br />    [https://www.postfix.org/postconf.5.html#defer_transports defer_transports] = smtp (Only for on-demand dialup IP hosts)
Zeile 311: Zeile 324:
#Start mail deliveries.<br />/usr/sbin/sendmail -q<br />
#Start mail deliveries.<br />/usr/sbin/sendmail -q<br />
#Allow deliveries to start.<br />sleep 10<br />
#Allow deliveries to start.<br />sleep 10<br />
#Loop until all messages have been tried at least once.<br />while mailq | grep '^[^ ]*\*' >/dev/null<br />do  <br />    sleep 10<br />done<br />If you have disabled [https://www.postfix.org/STANDARD_CONFIGURATION_README.html#spontaneous_smtp spontaneous SMTP mail delivery], you also need to run the "sendmail -q" command every now and then while the dialup link is up, so that newly-posted mail is flushed from the queue.
#Loop until all messages have been tried at least once.<br />while mailq | grep '^[^ ]*\*' >/dev/null<br />do  <br />    sleep 10<br />done<br />If you have disabled [#spontaneous_smtp spontaneous SMTP mail delivery], you also need to run the "sendmail -q" command every now and then while the dialup link is up, so that newly-posted mail is flushed from the queue.


==Postfix on hosts without a real Internet hostname==
===Postfix on hosts without a real Internet hostname===
This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.  
This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.


Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]".  
Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf [https://www.postfix.org/postconf.5.html#mail_version mail_version]".


===Solution 1: Postfix version 2.2 and later===
====Solution 1: Postfix version 2.2 and later====
Postfix 2.2 uses the [https://www.postfix.org/generic.5.html generic(5)] address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.  
Postfix 2.2 uses the [https://www.postfix.org/generic.5.html generic(5)] address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.


The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.  
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.


1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
2    [https://www.postfix.org/postconf.5.html#smtp_generic_maps smtp_generic_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/generic
2    [https://www.postfix.org/postconf.5.html#smtp_generic_maps smtp_generic_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/generic
3  
3
4 /etc/postfix/generic:
4 /etc/postfix/generic:
5    his@localdomain.local            hisaccount@hisisp.example
5    his@localdomain.local            hisaccount@hisisp.example
Zeile 331: Zeile 344:
7    @localdomain.local                hisaccount+local@hisisp.example
7    @localdomain.local                hisaccount+local@hisisp.example


When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address,  
When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address,
*Line 6 replaces her@localdomain.local by her ISP mail address, and
*Line 6 replaces her@localdomain.local by her ISP mail address, and
*Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions).
*Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions).


Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".  
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".


Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.  
Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.


===Solution 2: Postfix version 2.1 and earlier===
====Solution 2: Postfix version 2.1 and earlier====
The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.
The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.


The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.  
The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.


  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  1 /etc/postfix/[https://www.postfix.org/postconf.5.html main.cf]:
  2    [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.localdomain
  2    [https://www.postfix.org/postconf.5.html#myhostname myhostname] = hostname.localdomain
  3    [https://www.postfix.org/postconf.5.html#mydomain mydomain] = localdomain
  3    [https://www.postfix.org/postconf.5.html#mydomain mydomain] = localdomain
  4  
  4
  5    [https://www.postfix.org/postconf.5.html#canonical_maps canonical_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/canonical
  5    [https://www.postfix.org/postconf.5.html#canonical_maps canonical_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/canonical
  6  
  6
  7    [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual
  7    [https://www.postfix.org/postconf.5.html#virtual_alias_maps virtual_alias_maps] = [https://www.postfix.org/DATABASE_README.html#types hash]:/etc/postfix/virtual
  8  
  8
  9 /etc/postfix/canonical:
  9 /etc/postfix/canonical:
10    your-login-name    your-account@your-isp.com
10    your-login-name    your-account@your-isp.com
11  
11
12 /etc/postfix/virtual:
12 /etc/postfix/virtual:
13    your-account@your-isp.com      your-login-name
13    your-account@your-isp.com      your-login-name


Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone.  
Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone.
*Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required.
*Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required.
*Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient.
*Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient.


Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".  
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".
 
Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.
 
Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.
 
Quelle:


Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.
[[Kategorie:Postfix/Konfiguration]]


Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.
== Dokumentation ==
=== RFC ===
=== Man-Page ===
=== Info-Pages ===
== Siehe auch ==
== Links ==
=== Projekt ===
=== Weblinks ===


Quelle: https://www.postfix.org/STANDARD_CONFIGURATION_README.html
== Testfragen ==
[[Kategorie:Postfix:Konfiguration]]
<div class="toccolours mw-collapsible mw-collapsed">
''Testfrage 1''
<div class="mw-collapsible-content">'''Antwort1'''</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
''Testfrage 2''
<div class="mw-collapsible-content">'''Antwort2'''</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
''Testfrage 3''
<div class="mw-collapsible-content">'''Antwort3'''</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
''Testfrage 4''
<div class="mw-collapsible-content">'''Antwort4'''</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
''Testfrage 5''
<div class="mw-collapsible-content">'''Antwort5'''</div>
</div>

Aktuelle Version vom 6. November 2024, 12:42 Uhr

Typische Postfix-Standartkonfigurationen

Beschreibung

Voraussetzungen
  • BASIC_CONFIGURATION_README
  • Insbesondere sollten Sie hier nicht fortfahren, wenn Sie Postfix noch nicht für die lokale Posteinreichung und -zustellung eingerichtet haben.

Standardkonfigurationen

Eigenständigen Internet-Host

Postfix sollte auf einem Einzelplatzrechner mit direktem Internetzugang ohne Änderungen funktionieren.

Sie können den Befehl "postconf -n" verwenden, um herauszufinden, welche Einstellungen durch Ihre main.cf überschrieben werden.

  • Abgesehen von ein paar Pfadeinstellungen sollten auf einer Standalone-Box nur wenige Parameter gesetzt werden, die über das hinausgehen, was im Dokument BASIC_CONFIGURATION_README beschrieben ist:
/etc/postfix/main.cf
# Optional: Mail als user@domainname statt user@hostname senden.
#myorigin = $mydomain

# Optional: externe NAT/Proxy-Adresse angeben.
#proxy_interfaces = 1.2.3.4

# Alternative 1: keine Weiterleitung von Mails von anderen Hosts.
mynetworks_style = host
relay_domains =

# Alternative 2: nur Mails von lokalen Clients weiterleiten.
# mynetworks = 192.168.1.0/28
# relay_domains =

Siehe auch den Abschnitt "[#fantasy Postfix auf Hosts ohne echten Internet-Hostnamen]", wenn dies auf Ihre Konfiguration zutrifft.

Null-Client

Ein Null-Client ist ein Rechner, der nur Mails versenden kann.

  • Er empfängt keine Mails aus dem Netz und stellt auch keine Mails lokal zu.
  • Ein Null-Client verwendet in der Regel POP, IMAP oder NFS für den Zugriff auf Postfächer.

In diesem Beispiel wird davon ausgegangen, dass der Internet-Domänenname "example.com" lautet und dass der Rechner "hostname.example.com" heißt.

  • Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.
1 /etc/postfix/main.cf:
2 myhostname = hostname.example.com
3 myorigin = $mydomain
4 relayhost = $mydomain
5 inet_interfaces = loopback-only
6 mydestination =
Beschreibung
  • Zeile 2: Setzen Sie myhostname auf hostname.example.com, falls der Rechnername nicht auf einen vollqualifizierten Domänennamen gesetzt ist (verwenden Sie den Befehl "postconf -d myhostname", um den Rechnernamen zu ermitteln).
  • Zeile 2: Der Wert myhostname gibt auch den Standardwert für den Parameter mydomain an (hier: "mydomain = example.com").
  • Zeile 3: Senden Sie E-Mails als "user@example.com" (statt "user@hostname.example.com"), so dass es keinen Grund gibt, E-Mails an "user@hostname.example.com" zu senden.
  • Linie 4: Leiten Sie alle Mails an den Mailserver weiter, der für die Domäne "example.com" zuständig ist.
    • Dies verhindert, dass E-Mails auf dem Null-Client hängen bleiben, wenn dieser ausgeschaltet ist, während ein entferntes Ziel nicht erreichbar ist.
    • Geben Sie hier einen echten Hostnamen an, wenn Ihre "example.com"-Domäne keinen MX-Eintrag hat.
  • Zeile 5: Keine Mails aus dem Netz annehmen.
  • Zeile 6: Deaktivieren Sie die lokale Postzustellung.
    • Alle E-Mails gehen an den in Zeile 4 angegebenen Mailserver.

Im lokalen Netzwerk

Dieser Abschnitt beschreibt eine lokale Netzwerkumgebung mit einem Hauptserver und mehreren anderen Systemen, die E-Mails senden und empfangen.

  • Wie üblich gehen wir davon aus, dass der Internet-Domänenname "example.com" lautet.
  • Alle Systeme sind so konfiguriert, dass sie E-Mails unter dem Namen "user@example.com" senden, und alle Systeme empfangen E-Mails für "user@hostname.example.com".
  • Der Hauptserver empfängt auch Mails für "user@example.com".
  • Wir nennen diesen Rechner "mailhost.example.com".

Ein Nachteil des Versendens von Mails als "user@example.com" ist, dass Mails für "root" und andere Systemkonten ebenfalls an den zentralen Mailhost gesendet werden.

  • Mögliche Lösungen finden Sie im Abschnitt "[#some_local Einige, aber nicht alle Konten lokal zustellen]" weiter unten.

Wie üblich werden in den Beispielen nur Parameter gezeigt, die nicht auf ihren Standardeinstellungen belassen werden.

Zuerst stellen wir die Nicht-Mailhost-Konfiguration vor, weil sie die einfachere ist.

  • Dieser Rechner sendet Mails als "user@example.com" und ist das endgültige Ziel für "user@hostname.example.com".
1 /etc/postfix/main.cf:
2 myorigin = $mydomain
3 mynetworks = 127.0.0.0/8 10.0.0.0/24
4 relay_domains =
5 # Optional: alle nicht-lokalen Mails an mailhost weiterleiten
6 #relayhost = $mydomain
Beschreibung
  • Zeile 2: Mail als "user@example.com" senden.
  • Zeile 3: Geben Sie die vertrauenswürdigen Netzwerke an.
  • Zeile 4: Dieser Host leitet keine Mails aus nicht vertrauenswürdigen Netzen weiter.
  • Zeile 6: Dies ist erforderlich, wenn kein direkter Internetzugang verfügbar ist.
    • Siehe auch unten, "[#firewall Postfix hinter einer Firewall]".

Als Nächstes stellen wir die Mailhost-Konfiguration vor.

  • Dieser Rechner sendet Mails als "user@example.com" und ist sowohl für "user@hostname.example.com" als auch für "user@example.com" das endgültige Ziel.
 1 DNS:
 2 example.com IN MX 10 mailhost.example.com.
 3
 4 /etc/postfix/main.cf:
 5 myorigin = $mydomain
 6 mydestination = $myhostname localhost.$mydomain localhost $mydomain
 7 mynetworks = 127.0.0.0/8 10.0.0.0/24
 8 relay_domains =
 9 # Optional: alle nicht-lokalen Mails an die Firewall weiterleiten
10 #relayhost = [firewall.example.com]
Beschreibung
  • Zeile 2: Senden Sie Mails für die Domain "example.com" an den Rechner mailhost.example.com.
    • Denken Sie daran, das "." am Ende der Zeile anzugeben.
  • Zeile 5: Senden Sie die E-Mail als "user@example.com".
  • Zeile 6: This host is the final mail destination for the "example.com" domain, in addition to the names of the machine itself.
  • Line 7: Specify the trusted networks.
  • Line 8: This host does not relay mail from untrusted networks.
  • Line 10: This is needed only when the mailhost has to forward non-local mail via a mail server on a firewall.
    • The [] forces Postfix to do no MX record lookups.

In an environment like this, users access their mailbox in one or more of the following ways:

  • Mailbox access via NFS or equivalent.
  • Mailbox access via POP or IMAP.
  • Mailbox on the user's preferred machine.

In the latter case, each user has an alias on the mailhost that forwards mail to her preferred machine:

/etc/aliases
   joe: joe@joes.preferred.machine
   jane: jane@janes.preferred.machine

On some systems the alias database is not in /etc/aliases.

  • To find out the location for your system, execute the command "postconf alias_maps".

Execute the command "newaliases" whenever you change the aliases file.

E-Mail-Firewall/Gateway

Die Idee ist, eine Postfix-E-Mail-Firewall/einen Postfix-E-Mail-Gateway einzurichten, der E-Mails für "example.com" an einen internen Gateway-Rechner weiterleitet, E-Mails für "anything.example.com" jedoch ablehnt.

  • Es gibt nur ein Problem: Mit "relay_domains = example.com" nimmt die Firewall normalerweise auch Mails für "anything.example.com" an.
  • Das wäre nicht richtig.

Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus.

  • Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf mail_version" aus.

Die Lösung wird in mehreren Teilen präsentiert.

  • Der erste Teil beseitigt die lokale E-Mail-Zustellung auf der Firewall, wodurch die Firewall schwieriger zu knacken ist.
1 /etc/postfix/main.cf:
2 myorigin = example.com
3 meinZiel =
4 local_recipient_maps =
5 local_transport = error:local mail delivery is disabled
6
7 /etc/postfix/master.cf:
8 Kommentieren Sie den lokalen Zustellungsagenten aus
Beschreibung
  • Zeile 2: Sende Mails von diesem Rechner als "user@example.com", so dass kein Grund besteht, Mails an "user@firewall.example.com" zu senden.
  • Zeilen 3-8: Deaktiviere die lokale Postzustellung auf dem Firewall-Rechner.

Der technischen Korrektheit halber muss die Firewall in der Lage sein, Mails für postmaster@[firewall ip address] zu empfangen.

  • Angeblich wird diese Fähigkeit in manchen Fällen sogar vorausgesetzt.
  • Der zweite Teil der Lösung fügt daher Unterstützung für postmaster@[firewall ip address] hinzu, und als Bonus gibt es auch noch abuse@[firewall ip address].
  • Alle E-Mails an diese beiden Konten werden an eine interne Adresse weitergeleitet.
1 /etc/postfix/main.cf:
2 virtual_alias_maps = hash:/etc/postfix/virtual
3
4 /etc/postfix/virtual:
5 postmaster postmaster@example.com
6 abuse abuse@example.com
Beschreibung
  • Da mydestination leer ist (siehe das vorherige Beispiel), werden nur Adressliterale, die mit $inet_interfaces oder $proxy_interfaces übereinstimmen, als lokal angesehen.
  • So kann "localpart@[a.d.d.r]" einfach als "localpart" in canonical(5) und virtual(5) übereinstimmen.
  • Dadurch wird die Angabe von Firewall-IP-Adressen in den Postfix-Konfigurationsdateien überflüssig.

Der letzte Teil der Lösung übernimmt die E-Mail-Weiterleitung, was der eigentliche Zweck der Firewall-E-Mail-Funktion ist.

 1 /etc/postfix/main.cf:
 2 mynetworks = 127.0.0.0/8 12.34.56.0/24
 3 relay_domains = example.com
 4 parent_domain_matches_subdomains =
 5 debug_peer_list smtpd_access_maps

 6a # Postfix 2.10 und höher unterstützen separate Relay-Kontrolle und
 7a # Spam-Kontrolle.
 8a smtpd_relay_restrictions =
 9a permit_mynetworks reject_unauth_destination
10a smtpd_recipient_restrictions = ...spam blocking rules....

 6b # Ältere Konfigurationen kombinieren Relay-Kontrolle und Spam-Kontrolle. Zu
 7b # dies mit Postfix ≥ 2.10 zu verwenden, geben Sie "smtpd_relay_restrictions=" an.
 8b smtpd_recipient_restrictions =
 9b permit_mynetworks reject_unauth_destination
10b ...spam blocking rules....

11 relay_recipient_maps = hash:/etc/postfix/relay_recipients
12 transport_maps = hash:/etc/postfix/transport
13
14 /etc/postfix/relay_recipients:
15 user1@example.com x
16 user2@example.com x
17 . . .
18
19 /etc/postfix/transport:
20 example.com relay:[inside-gateway.example.com]

Translation:

  • Lines 1-10: Accept mail from local systems in $mynetworks, and accept mail from outside for "user@example.com" but not for "user@anything.example.com".
    • The magic is in lines 4-5.
  • Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet.
    • This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages.
    • If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.
  • Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine.
    • The [] forces Postfix to do no MX lookup.
    • This uses the "relay" delivery transport (a copy of the default "smtp" delivery transport) to forward inbound mail.
    • Dies kann die Leistung von Zustellungen an interne Domänen verbessern, da diese um SMTP-Clients vom "relay"-Zustellungstransport konkurrieren, anstatt mit anderen SMTP-Zustellungen um SMTP-Clients vom Standard-"smtp"-Zustellungstransport zu konkurrieren.

Geben Sie dbm anstelle von hash an, wenn Ihr System dbm-Dateien anstelle von db-Dateien verwendet.

  • Um herauszufinden, welche Lookup-Tabellen Postfix unterstützt, verwenden Sie den Befehl "postconf -m".

Führen Sie den Befehl "postmap /etc/postfix/relay_recipients" aus, wenn Sie die Tabelle relay_recipients ändern.

Führen Sie den Befehl "postmap /etc/postfix/transport" aus, wenn Sie die Transporttabelle ändern.

In einigen Installationen kann es getrennte Instanzen von Postfix geben, die eingehende und ausgehende Post auf einer Firewall mit mehreren Hosts verarbeiten.

  • Die eingehende Postfix-Instanz hat einen SMTP-Server, der auf der externen Firewall-Schnittstelle lauscht, und die ausgehende Postfix-Instanz hat einen SMTP-Server, der auf der internen Schnittstelle lauscht.
  • In einer solchen Konfiguration ist es verlockend, $inet_interfaces in jeder Instanz nur mit der entsprechenden Schnittstellenadresse zu konfigurieren.

In den meisten Fällen wird die Verwendung von inet_interfaces auf diese Weise nicht funktionieren, da, wie im Referenzhandbuch zu $inet_interfaces beschrieben, der smtp(8)-Zustellungsagent die angegebene Schnittstellenadresse auch als Quelladresse für ausgehende Verbindungen verwendet und nicht in der Lage ist, Hosts auf der "anderen Seite" der Firewall zu erreichen.

  • Die Symptome sind, dass die Firewall nicht in der Lage ist, sich mit Hosts zu verbinden, die tatsächlich aktiv sind.
  • Siehe die inet_interfaces-Parameterdokumentation für vorgeschlagene Abhilfemaßnahmen.

Zusätzliche Konfigurationen

Betrieb von Postfix hinter einer Firewall

Der einfachste Weg, Postfix auf einem Rechner hinter einer Firewall einzurichten, besteht darin, alle Mails an einen Gateway-Host zu schicken und diesen Mail-Host die interne und externe Weiterleitung übernehmen zu lassen. Beispiele dafür finden Sie im Abschnitt [#local_network local area network] oben. Ein ausgefeilterer Ansatz besteht darin, nur externe Mails an den Gateway-Host zu senden und Intranet-Mails direkt zu versenden.

Hinweis: Dieses Beispiel setzt Postfix Version 2.0 und höher voraus. Um herauszufinden, welche Postfix-Version Sie haben, führen Sie den Befehl "postconf mail_version" aus.

Das folgende Beispiel zeigt eine zusätzliche Konfiguration. Sie müssen diese mit den grundlegenden Konfigurationsinformationen kombinieren, die in der ersten Hälfte dieses Dokuments beschrieben werden.

 1 /etc/postfix/main.cf:
 2 transport_maps = hash:/etc/postfix/transport
 3 relayhost =
 4 # Optional für einen Rechner, der nicht "always on" ist
 5 #fallback_relay = [gateway.example.com]
 6
 7 /etc/postfix/transport:
 8 # Internal delivery.
 9 example.com :
10 .example.com :
11 # External delivery.
12 * smtp:[gateway.example.com]

Translation:

  • Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is given to a gateway. Obviously, this example assumes that the organization uses DNS MX records internally. The [] forces Postfix to do no MX lookup.
  • Line 3: IMPORTANT: do not specify a relayhost in main.cf.
  • Line 5: This prevents mail from being stuck in the queue when the machine is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.

Configuring Postfix as primary or backup MX host for a remote site

This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

When your system is SECONDARY MX host for a remote site this is all you need:

1 DNS:
2     the.backed-up.domain.tld        IN      MX 100 your.machine.tld.
3
4 /etc/postfix/main.cf:
5     relay_domains = . . . the.backed-up.domain.tld
6a    # Postfix 2.10 and later support separate relay control and
7a    # spam control.
8a    smtpd_relay_restrictions =
9a        permit_mynetworks reject_unauth_destination

10a smtpd_recipient_restrictions = ...spam blocking rules....

6b    # Older configurations combine relay control and spam control. To
7b    # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=".
8b    smtpd_recipient_restrictions =
9b        permit_mynetworks reject_unauth_destination

10b ...spam blocking rules....

11 # You must specify your NAT/proxy external address. 12 #proxy_interfaces = 1.2.3.4 13 14 relay_recipient_maps = hash:/etc/postfix/relay_recipients 15 16 /etc/postfix/relay_recipients: 17 user1@the.backed-up.domain.tld x 18 user2@the.backed-up.domain.tld x 19 . . .

When your system is PRIMARY MX host for a remote site you need the above, plus:

20 /etc/postfix/main.cf: 21 transport_maps = hash:/etc/postfix/transport 22 23 /etc/postfix/transport: 24 the.backed-up.domain.tld relay:[their.mail.host.tld]

Important notes:

  • Do not list the.backed-up.domain.tld in mydestination.
  • Do not list the.backed-up.domain.tld in virtual_alias_domains.
  • Do not list the.backed-up.domain.tld in virtual_mailbox_domains.
  • Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain.
  • Line 12: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine.
  • Lines 14-18: Define the list of valid addresses in the "the.backed-up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@the.backed-up.domain.tld x" wild-card in the relay_recipients table.
  • Line 24: The [] forces Postfix to do no MX lookup.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/transport" whenever you change the transport table.

NOTE for Postfix < 2.2: Do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable.

  • In main.cf specify "relay_transport = relay",
  • In master.cf specify "-o fallback_relay =" at the end of the relay entry.
  • In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.

These are default settings in Postfix version 2.2 and later.

Postfix on a dialup machine

This section applies to dialup connections that are down most of the time. For dialup connections that are up 24x7, see the [#local_network local area network] section above.

This section presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

If you do not have your own hostname and IP address (usually with dialup, cable TV or DSL connections) then you should also study the section on "[#fantasy Postfix on hosts without a real Internet hostname]".

  • Route all outgoing mail to your network provider.
    If your machine is disconnected most of the time, there isn't a lot of opportunity for Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail to a machine that is connected all the time. In the example below, the [] prevents Postfix from trying to look up DNS MX records.
    /etc/postfix/main.cf:
    relayhost = [smtprelay.someprovider.com]
  • Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only).
    Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine uses on-demand dialup IP, this causes your system to place a telephone call whenever you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent such telephone calls from being placed, disable spontaneous SMTP mail deliveries.
    /etc/postfix/main.cf:
    defer_transports = smtp (Only for on-demand dialup IP hosts)
  • Disable SMTP client DNS lookups (dialup LAN only).
    /etc/postfix/main.cf:
    disable_dns_lookups = yes (Only for on-demand dialup IP hosts)
  • Flush the mail queue whenever the Internet link is established.
    Put the following command into your PPP or SLIP dialup scripts:
    /usr/sbin/sendmail -q (whenever the Internet link is up)
    The exact location of the Postfix sendmail command is system-specific. Use the command "postconf sendmail_path" to find out where the Postfix sendmail command is located on your machine.
    In order to find out if the mail queue is flushed, use something like:
    #!/bin/sh
  1. Start mail deliveries.
    /usr/sbin/sendmail -q
  2. Allow deliveries to start.
    sleep 10
  3. Loop until all messages have been tried at least once.
    while mailq | grep '^[^ ]*\*' >/dev/null
    do
    sleep 10
    done
    If you have disabled [#spontaneous_smtp spontaneous SMTP mail delivery], you also need to run the "sendmail -q" command every now and then while the dialup link is up, so that newly-posted mail is flushed from the queue.

Postfix on hosts without a real Internet hostname

This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.

Note: the following information is Postfix version dependent. To find out what Postfix version you have, execute the command "postconf mail_version".

Solution 1: Postfix version 2.2 and later

Postfix 2.2 uses the generic(5) address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

1 /etc/postfix/main.cf: 2 smtp_generic_maps = hash:/etc/postfix/generic 3 4 /etc/postfix/generic: 5 his@localdomain.local hisaccount@hisisp.example 6 her@localdomain.local heraccount@herisp.example 7 @localdomain.local hisaccount+local@hisisp.example

When mail is sent to a remote host via SMTP: * Line 5 replaces his@localdomain.local by his ISP mail address,

  • Line 6 replaces her@localdomain.local by her ISP mail address, and
  • Line 7 replaces other local addresses by his ISP account, with an address extension of +local (this example assumes that the ISP supports "+" style address extensions).

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/generic" whenever you change the generic table.

Solution 2: Postfix version 2.1 and earlier

The solution with older Postfix systems is to use valid Internet addresses where possible, and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can send mail to the Internet and to local fantasy addresses, including mail to local fantasy addresses that don't have a valid Internet address of their own.

The following example presents additional configuration. You need to combine this with basic configuration information as discussed in the first half of this document.

1 /etc/postfix/main.cf:
2     myhostname = hostname.localdomain
3     mydomain = localdomain
4
5     canonical_maps = hash:/etc/postfix/canonical
6
7     virtual_alias_maps = hash:/etc/postfix/virtual
8
9 /etc/postfix/canonical:

10 your-login-name your-account@your-isp.com 11 12 /etc/postfix/virtual: 13 your-account@your-isp.com your-login-name

Translation: * Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is already in use by real organizations on the Internet. See RFC 2606 for examples of domain names that are guaranteed not to be owned by anyone.

  • Lines 5, 9, 10: This provides the mapping from "your-login-name@hostname.localdomain" to "your-account@your-isp.com". This part is required.
  • Lines 7, 12, 13: Deliver mail for "your-account@your-isp.com" locally, instead of sending it to the ISP. This part is not required but is convenient.

Specify dbm instead of hash if your system uses dbm files instead of db files. To find out what lookup tables Postfix supports, use the command "postconf -m".

Execute the command "postmap /etc/postfix/canonical" whenever you change the canonical table.

Execute the command "postmap /etc/postfix/virtual" whenever you change the virtual table.

Quelle:

Dokumentation

RFC

Man-Page

Info-Pages

Siehe auch

Links

Projekt

Weblinks

Testfragen

Testfrage 1

Antwort1

Testfrage 2

Antwort2

Testfrage 3

Antwort3

Testfrage 4

Antwort4

Testfrage 5

Antwort5