Postfix needs two major config files: main.cf and master.cf. Both need your attention.
In master.cf you need to change just one line:
old:
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
new:
flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}
What does that change affect?
A look at the Cyrus man page (man deliver) clears that up:
The Postfix default setup uses a wrong path to cyrus deliver; this is the first change. The parameter »-r« inserts a proper return path. Without that, mail rejected/returned by sieve will be sent to the cyrus user at yourdomain.
In main.cf you need to change some more things, such as the hostname, relaying and alias lookups.
First change the hostname:
myhostname = foo.bar.org
mydestination
Here you have to put all domain names that are local (corresponding to sendmail's /etc/mail/sendmail.cw). If you have multiple domains, separate them with commas.
mydestination = foo.bar.org, example.com, furchbar-grausam.ch, whatever.domain.tld, mysql:/etc/postfix/mysql-mydestination.cf
Relayhost
Here you define where to deliver outgoing mail. If you do not provide any host, mail is delivered directly to the destination SMTP host. Usually your relayhosts are your internet service provider's SMTP servers.
relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net
Mailtransport
Here you define how the mails accepted for local delivery should be handled. In your situation, mail should be delivered by the cyrus delivery program.
mailbox_transport = cyrus
At the end of the file you need to add:
virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf
If you don't want to have an overriding /etc/postfix/virtual, skip the hash entry.
Outgoing addresses should be rewritten from test0002 at domain to user.name at virtualhost.com. This is important if you want to use a webmail interface.
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
Now you need to create the file /etc/postfix/mysql-virtual.cf:
#
# mysql config file for alias lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = dest
where_field = alias
additional_conditions = and status = '1'
The file /etc/postfix/mysql-canonical.cf:
# mysql config file for canonical lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1
Finally the file /etc/postfix/mysql-mydestination.cf:
# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = domain
#
select_field = domain_name
where_field = domain_name
SMTP Authentication with SASL and PAM
Put the following in your /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
You also need to create the file /usr/local/lib/sasl2/smtpd.conf with the following contents:
pwcheck_method: saslauthd
The next step is to tell postfix how to find the saslauthd socket:
mv /var/run/sasl2 /var/run/sasl2-old
ln -s /var/run/saslauthd /var/run/sasl2
This section describes how to implement a basic SPAM protection setup with postfix. It does not use any external software like spamassassin, etc.
Postfix has some built-in filters that allow you to stop obvious SPAM attempts. In particular these are:
smtpd_helo_required = yes
This switch in main.cf means that SMTP clients connecting to your mail server must give a »helo« when connecting.
smtpd_recipient_restrictions
This option in main.cf lets you define rules for accepting mail. The following example simply rejects all invalid sender and recipient data. Additionally it defines how to look up known spammers in online blacklists.
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    permit
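The SASL section and this section each assign smtpd_recipient_restrictions, and Postfix keeps only the last assignment of a parameter in main.cf, so the SASL permit can silently disappear. The check below is an added example, not part of the original page or of Postfix; it assumes both fragments end up in one main.cf in page order, and parse_main_cf, audit and the shortened sample are names and data made up for the illustration.

```python
import re

# Constructed sample: the two main.cf fragments from this page in page order
# (the RBL list is shortened to one entry for the example).
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_unauth_pipelining, permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org, permit
"""

def parse_main_cf(text):
    """Return {parameter: [values in file order]}, joining continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if line[0].isspace() and current:
            params[current][-1] += " " + line.strip()   # continuation line
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params.setdefault(current, []).append(value.strip())
    return params

def audit(text):
    """Return findings on the relay-related settings this page configures."""
    params, findings = parse_main_cf(text), []
    for name, values in params.items():
        if len(values) > 1:
            findings.append(f"{name}: set {len(values)} times, the last one wins")
    # Only the last definition is effective; items split on commas/whitespace.
    rules = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", [""])[-1])
    guard = rules.index("reject_unauth_destination") if "reject_unauth_destination" in rules else None
    if guard is None or "permit" in rules[:guard]:
        findings.append("reject_unauth_destination is missing or preceded by a bare permit")
    sasl_on = params.get("smtpd_sasl_auth_enable", ["no"])[-1] == "yes"
    if sasl_on and guard is not None and "permit_sasl_authenticated" not in rules[:guard]:
        findings.append("permit_sasl_authenticated missing before reject_unauth_destination")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF):
        print(finding)
```

Merging both fragments into a single assignment with permit_sasl_authenticated ahead of reject_unauth_destination clears both findings.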
mime_header_checks=pcre:/etc/postfix/body_checks
MIME header checks let you reject mail which contains malicious MIME content, i.e. dangerous attachments such as Windows executables. Create the file /etc/postfix/body_checks. The following example rejects all mail that contains potentially dangerous attachments. In my experience, using this example would filter out most viruses delivered by e-mail. In any event, a virus scanner should always be installed.
/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
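To see which headers the rule above rejects before putting it into production, the pattern can be run over sample MIME headers. This is an added example, not part of the original page; the headers are constructed, verdict and ATTACHMENT_RULE are illustrative names, and the flags mirror the Postfix pcre table defaults (case-insensitive, "." matches newline).

```python
import re

# Pattern copied from the body_checks line on this page. Postfix pcre tables
# default to flags i and s being on, so matching ignores case and a folded
# (multi-line) header is matched as one string.
ATTACHMENT_RULE = re.compile(
    r'^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*'
    r'\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]'
    r'|vb[esx]|ws[fh]|wmf)"?\ *$',
    re.IGNORECASE | re.DOTALL,
)

# Constructed MIME headers for the test run (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="invoice.pdf.exe"',
    'Content-Type: application/octet-stream; name=setup.EXE',
    'Content-Type: application/x-msdownload;\n\tname="tool.scr"',  # folded header
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Type: image/png; name="logo.png"',
    'Content-Type: text/plain; charset=us-ascii',
]

def verdict(header):
    """Return the action the rule would take on one logical MIME header."""
    return "REJECT" if ATTACHMENT_RULE.search(header) else "pass"

def classify(headers):
    """Pair every header with its verdict, keeping input order."""
    return [(header, verdict(header)) for header in headers]

if __name__ == "__main__":
    for header, action in classify(SAMPLES):
        print(f"{action:6} {header!r}")
```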