Archive for the Postfix Configuration Category

Postfix Features

Posted by Filed Under Postfix Configuration with Comments Off

Sometimes when you are working with Postfix you may be on an older version that does not support a feature you need.  Here is a list of Postfix versions and the major features that were added in each.

Postfix 2.5 Stress-dependent configuration
Postfix 2.3 DKIM, DomainKeys and SenderID authentication, DSN status notifications, Enhanced status codes, Plug-in support for multiple SASL implementations (Cyrus, Dovecot), Configurable delivery status notification message text, Sender-dependent SMTP relay lookup, Sender-dependent SASL password lookup, Sendmail Milter (mail filter) protocol
Postfix 2.2 Connection cache for SMTP, IP version 6, TLS encryption and authentication, SMTP server per-client rate and concurrency limits, CDB database, Masquerading addresses in outbound SMTP mail, Selective address rewriting
Postfix 2.1 Access control per client/sender/recipient/etc., Address probing callout, Greylisting plug-in, SPF plug-in
Postfix 2.0 MIME (including 8BITMIME to 7BIT conversion), PostgreSQL database
Postfix 1.1 QMQP server, Content filter, VERP envelope return addresses
Postfix 1.0 ETRN on-demand relay, LMTP client, Pipelining (SMTP client and server), SASL authentication, Berkeley DB database, DBM database, LDAP database, MySQL database, Maildir and mailbox format, Virtual domains

Changes in Postfix for Ubuntu 9.10


The postconf -n command shows the settings that differ from the Postfix defaults.  Here is the output for a new Ubuntu 9.10 install.  As you can see there is nothing too significant, except a focus on TLS for secure communication, which is great; however, this still needs attention on the client side, as TLS remains a problem with some mail clients.  The other change in Ubuntu 9.10 is that there is no limit on mailbox size (mailbox_size_limit = 0), whereas the Postfix default limits a mailbox to 50 MB.  As an admin you will want to keep this in mind, as unlimited mailboxes could bite you if you are not careful.

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ub910, localhost.localdomain, , localhost
myhostname = ub910
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Why Do You Use Postfix?


Recently we asked administrators why they used Postfix Mail Server.  Here are some of the responses:

“Being able to manage users and pretty much all mail aspects from a MySQL table”

“Security.  Postfix is rock solid and I do not have to worry about the security of the system once it is set up correctly”

“Flexibility!”

“I’ve been running Postfix on an array of servers for the last eight years.  I don’t think I’d ever switch to anything else.”

“We’ve run Postfix here at our company and couldn’t be happier”

“I am able to add whatever I want to it.  Including webmail options which we use.”

“We use Postfix because it is easier to configure than Sendmail and the modular design helps us save resources.”

“We actually use Zimbra but underneath at the heart of the program is Postfix.  We have the Zimbra interface to keep users happy”

“Stable … seems like all we do is keep getting mail like we are supposed to”

“Easy to set up”

Ubuntu 9.04 Postfix Install Evaluation


One of the newest features of Ubuntu 9.04 is the set of Postfix/Dovecot enhancements intended to make it easier to set up a mail server.  This article is a review of those improvements and a tutorial on how to fix several problems that were encountered.

Before you jump to any conclusions about the new features it is important to understand the goal of both Ubuntu and the Ubuntu-server team, at least as I understand it.  The mail server is one of the most difficult services to set up and manage correctly.  Sure, Postfix is easier than some, but there are a lot of issues you must deal with, like security, configuring anti-virus, spam reduction, and integrating Dovecot, SpamAssassin, amavisd-new, Postfix, SquirrelMail, etc.  It is the integration that presents so many issues.  That said, the goal seems to be to move in the direction of a one-click install to make all of this happen.

Here is the claim on the enhanced mail stack:

“In Ubuntu-server team we’ve decided that this should be much easier and, based on the experience of our members, created an integrated mail stack with a safe default setup. This setup won’t solve all mail configuration problems (we don’t set up any antispam and antivirus countermeasures), but it will enable your startup to get a working e-mail server out of the box.

So, what’s included? The mail server stack is based on dovecot for IMAP/POP3 protocols and postfix for SMTP. Feature list:

  • POP3, IMAP, POP3S, IMAPS
  • SMTP, SMTP/TLS
  • Maildir storage for e-mails
  • SASL authentication (SMTP-AUTH)
  • dovecot MDA (mail delivery agent)
  • support for sieve scripting
  • managesieve protocol for managing sieve scripts on *server* from your *client*, like thunderbird or kmail
  • IMAP & POP3 workarounds for buggy clients”
  • See the whole blog article: HERE

It is an interesting idea to create a one-click install; however, if you are looking at easy mail installs, take a look at Citadel, which is easier and has more features, or Zimbra, which has everything done… a one-click install, all complete, with 10 times the features.  The problem with the Ubuntu install is twofold.  First, since there is no documentation, you are left with a lot of questions about what was done and what still needs to be done after the install.  As you will see below, I have listed the changes made to dovecot-postfix.conf and to the Postfix main.cf.  That is a good place to see what was changed.

Here is a look at the install procedure:

sudo apt-get install dovecot-postfix

The following extra packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d
The following NEW packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d dovecot-postfix

Creating config file /etc/dovecot/dovecot-sql.conf with new version
adduser: Warning: The home directory `/usr/lib/dovecot' does not belong to the user you are currently creating.
You already have ssl certs for dovecot.

Creating config file /etc/dovecot/dovecot-postfix.conf with new version
* Restarting IMAP/POP3 mail server dovecot    Error: ssl_cert_file: Can't use /etc/ssl/certs/ssl-mail.pem: No such file or directory

In fact the file does exist and once I restarted it was OK.
Fatal: Invalid configuration in /etc/dovecot/dovecot-postfix.conf
[fail]

This failure was also fixed with a restart of Dovecot.

Dovecot Did Not Start Correctly
After the install, a check with netstat showed that Postfix was running but Dovecot was not.  So I started Dovecot manually with:

/etc/init.d/dovecot start

Now a review of netstat shows it is all running.
# netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN

Here are the config options set by default for Dovecot.  They are found in the /etc/dovecot/dovecot-postfix.conf file and are part of what has been set up by the Ubuntu team.  Note that if you do not want all of the listed protocols (imap, pop3, imaps, pop3s and managesieve), just remove the ones you do not need from the protocols line and restart Dovecot and Postfix.

protocols = imap pop3 imaps pop3s managesieve

disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/ssl-mail.pem
ssl_key_file = /etc/ssl/private/ssl-mail.key
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
mail_location = maildir:~/Maildir
mail_privileged_group = mail
protocol imap {
mail_max_userip_connections = 10
login_greeting_capability = yes
imap_client_workarounds = outlook-idle delay-newmail
}

protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 3
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

protocol managesieve {
sieve=~/.dovecot.sieve
sieve_storage=~/sieve
}

protocol lda {
postmaster_address = postmaster
mail_plugins = cmusieve
quota_full_tempfail = yes
deliver_log_format = msgid=%m: %$
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

auth default {
mechanisms = plain login
passdb pam {

}
userdb passwd {
}

user = root
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth
mode = 0660
user = postfix
group = postfix
}
}
}

dict {
}
plugin {
}

Postfix Configuration
These are the settings that the Ubuntu team has configured to help with setting up the mail server.  The major time saver is the TLS setup, so you can have encrypted connections.  If TLS is what you want to use, be sure to turn off imap and pop3 so clients are forced to use the secure connections.

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = ub904
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ub904, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
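As an added check (example code written for this article, not part of the Ubuntu package or of either project), the following Python script parses excerpts of the two listings above, the dovecot-postfix.conf and main.cf settings, and reports the points made here: cleartext imap/pop3 still enabled alongside TLS, certificate and SASL socket paths that must agree between Dovecot and Postfix, AUTH offered before STARTTLS, and the unlimited mailbox_size_limit = 0 noted in the Ubuntu 9.10 post above.  It assumes /var/spool/postfix as the queue directory that smtpd_sasl_path is relative to.

```python
"""Consistency checks for the Ubuntu dovecot-postfix mail stack settings."""
from typing import Dict, List

# Constructed excerpts of the dovecot-postfix.conf and main.cf listings above.
DOVECOT_POSTFIX_CONF = """\
protocols = imap pop3 imaps pop3s managesieve
disable_plaintext_auth = yes
ssl_cert_file = /etc/ssl/certs/ssl-mail.pem
ssl_key_file = /etc/ssl/private/ssl-mail.key
auth default {
mechanisms = plain login
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth
mode = 0660
}
}
}
"""

MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
mailbox_size_limit = 0
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_tls_auth_only = yes
"""


def parse_dovecot(text: str) -> Dict[str, str]:
    """Flatten dovecot.conf sections: 'auth default { socket listen { client {
    path = X }}}' is stored as 'auth/default/socket/listen/client/path'."""
    settings: Dict[str, str] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append("/".join(line[:-1].split()))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings["/".join(stack + [key])] = value
    return settings


def parse_main_cf(text: str) -> Dict[str, str]:
    """Read main.cf 'name = value' lines; indented lines continue the previous value."""
    settings: Dict[str, str] = {}
    last = ""
    for raw in text.splitlines():
        if raw[:1].isspace() and last and raw.strip():
            settings[last] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#") and "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            settings[last] = value
    return settings


def check_stack(dovecot: Dict[str, str], postfix: Dict[str, str],
                queue_dir: str = "/var/spool/postfix") -> List[str]:
    """Return findings about cleartext exposure, TLS/SASL wiring and mailbox limits."""
    findings: List[str] = []
    cleartext = [p for p in dovecot.get("protocols", "").split() if p in ("imap", "pop3")]
    if cleartext:
        findings.append("dovecot: cleartext protocols enabled: %s (remove them from "
                        "'protocols' to force imaps/pop3s)" % " ".join(cleartext))
        if dovecot.get("disable_plaintext_auth", "yes") != "yes":
            findings.append("dovecot: passwords accepted without TLS "
                            "(disable_plaintext_auth is not yes)")
    # Both daemons are wired to the same certificate; a mismatch usually means one was edited.
    for d_key, p_key in (("ssl_cert_file", "smtpd_tls_cert_file"),
                         ("ssl_key_file", "smtpd_tls_key_file")):
        if dovecot.get(d_key) != postfix.get(p_key):
            findings.append("%s=%s differs from %s=%s" % (
                d_key, dovecot.get(d_key), p_key, postfix.get(p_key)))
    if postfix.get("smtpd_use_tls") != "yes":
        findings.append("postfix: smtpd_use_tls is not yes, STARTTLS is not offered")
    elif postfix.get("smtpd_tls_auth_only") != "yes":
        findings.append("postfix: AUTH is offered before STARTTLS (smtpd_tls_auth_only)")
    # smtpd_sasl_path is relative to the queue directory the chrooted smtpd sees (assumed).
    sock = dovecot.get("auth/default/socket/listen/client/path", "")
    expected = queue_dir.rstrip("/") + "/" + postfix.get("smtpd_sasl_path", "")
    if postfix.get("smtpd_sasl_auth_enable") == "yes" and sock != expected:
        findings.append("SASL socket mismatch: dovecot listens on %r, postfix expects %r"
                        % (sock, expected))
    if postfix.get("mailbox_size_limit") == "0":
        findings.append("postfix: mailbox_size_limit = 0, mailboxes can grow without bound")
    return findings


def check_page_listings() -> List[str]:
    return check_stack(parse_dovecot(DOVECOT_POSTFIX_CONF), parse_main_cf(MAIN_CF))
```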

Summary

If you have set up Postfix with Dovecot and TLS in the past you will certainly appreciate the work done by the Ubuntu team.  It will save you a lot of time making those decisions.  On the other hand there is a lot left to do, and if you are new to mail servers you will initially be lost trying to find the holes.  Several things you will need to fix:

1. Send mail to another user instead of root – See Here
2. Check your relays – See Here
3. Review how TLS and Dovecot work – See Here
4. Verify your identity settings – See Here
5. Check your Postfix install – See Here
6. Set up SpamAssassin – See Here
7. Set up anti-virus – See Here

Options
8. Multiple domains – See Here
9. Set up filters – See Here
10. Send yourself mail stats – See Here

There is certainly a lot left to do but you have a start and it will save you time.

Explanation of notify_classes in Postfix


The notify_classes parameter allows you to send mail reports to the postmaster.  This is additional information that is not usually reported, because by default only the worst situations are reported.  Here is a list of the notify_classes that you can use.  The Postfix default is resource, software.

bounce – This option will send copies of the headers of mail that is bounced.  It will also send information about the SMTP session that led to the bounce.

2bounce – Bounced mail that is itself undeliverable will be sent to the postmaster (the default recipient is postmaster).

delay – When mail is delayed, copies of the headers are sent to the postmaster.

policy – If a client is rejected based on UCE (Unsolicited Commercial Email) policy, the transcript of the SMTP session is sent to the postmaster.

protocol – If there are client/server protocol errors, the transcript of the SMTP session is sent to the postmaster.

resource – If Postfix cannot deliver mail because of resource problems, a message is sent to the postmaster.

software – This option will notify the postmaster of software problems that prevent mail from being delivered.

If you would like this information delivered to your own mailbox, add your address to the postmaster alias so it comes to your account and you do not have to dig for it.

postmaster:        root,your_email

Run newaliases once you have saved your changes.

This lets you receive that information in your own mail account.  It is something you may want to do only temporarily, as you will surely get tired of receiving all this stuff.

Here is an example you can place in your main.cf.

notify_classes = bounce, delay, resource, software

Manage Mail In the Deferred Queue


Deferred queue
If Postfix cannot deliver a message to a recipient, it is placed in the deferred queue.  The queue manager scans the deferred queue to see if it can move mail back into the active queue.  How often this scan occurs is determined by queue_run_delay.  Postfix scans the incoming queue at the same time as the deferred queue, so that neither one takes all the resources and each can continue to move messages.

The queue_run_delay is 300s (300 seconds) by default.  Each time the deferred queue is scanned, only a portion of the messages is reinjected.

If you have a very busy mail server you may see a large deferred queue.  The first instinct is to flush the queue, but that may actually be counterproductive.  The only reason to flush the deferred queue is if you think the messages now have a good chance of delivery.  If they still do not, flushing will only slow down an already busy server.

The real question is: what is causing messages to be deferred?  One of the major reasons is that your server will place mail to “unknown recipients” into the deferred queue when there is no legitimate user for it to go to.

Here is the process to view and analyze why mail is deferred.  The first warning is that you see deferred mail in your log summaries.  In the example there are 2 listed.

Postfix log summaries for Feb 17

Grand Totals
------------
messages

101   received
106   delivered
0   forwarded
2   deferred  (35  deferrals)
0   bounced
104   rejected (49%)
0   reject warnings
0   held
0   discarded (0%)

1263k  bytes received
1331k  bytes delivered
32   senders
23   sending hosts/domains
17   recipients
11   recipient hosts/domains

Once you know that mail is in the deferred queue you need to locate the queue IDs so you can read the mail in the queue.  Use the postqueue command to view the queue IDs.

postqueue -p
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9DF7520804A     3726 Mon Feb 16 03:06:41  MAILER-DAEMON
(connect to hydra.udag.de[89.31.140.33]: Connection timed out)
www-data@hydra.udag.de

CC1D4208048     3786 Mon Feb 16 02:39:50  MAILER-DAEMON
(connect to bootes.caixa.gov.br[200.201.166.138]: Connection timed out)
servicos@caixa.gov.br

-- 8 Kbytes in 2 Requests.

Once you have the queue ID you can use postcat to open the message in the queue.  The first line shows that it is one of the deferred messages.  As you view the contents of the email you can see the reason it is deferred: in this example someone tried to send mail as if it came from a real user, so it is spam and was detected as such, and what now sits in the deferred queue is the content filter's notification, which cannot be delivered back to that sender address.

postcat -q 9DF7520804A
*** ENVELOPE RECORDS deferred/9/9DF7520804A ***
message_size:            3726             589               1               0
message_arrival_time: Mon Feb 16 03:06:41 2009
create_time: Mon Feb 16 03:06:41 2009
named_attribute: rewrite_context=local
named_attribute: envelope_id=AM..20090216T110641Z@ns.example.org
sender:
named_attribute: log_client_name=ns.example.org
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=ns.example.org[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=ns.example.org
named_attribute: reverse_client_name=ns.example.org
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;www-data@hydra.udag.de
original_recipient: www-data@hydra.udag.de
recipient: www-data@hydra.udag.de
*** MESSAGE CONTENTS deferred/9/9DF7520804A ***
Received: from localhost (ns.example.org [127.0.0.1])
by ns.example.org (Postfix) with ESMTP id 9DF7520804A
for <www-data@hydra.udag.de>; Mon, 16 Feb 2009 03:06:41 -0800 (PST)
Content-Type: multipart/report; report-type=delivery-status;
boundary="----------=_1234782401-3999-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
Message-ID: <SSlkPbEmzalURU@ns.example.org>
From: “Content-filter at ns.example.org” <postmaster@example.org>
To: <www-data@hydra.udag.de>
Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)

This is a multi-part message in MIME format...

------------=_1234782401-3999-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

A message from <www-data@hydra.udag.de> to:
-> user@gmail.com

was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 03999-12/lkPbEmzalURU

The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases of UBE some balance
between losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on both sides.

First upstream SMTP client IP address: [89.31.140.33]
According to a 'Received:' trace, the message originated at: [89.31.140.33],

Return-Path: <www-data@hydra.udag.de>
From: Caixa Economica Federal <servicos@caixa.gov.br>
Message-ID: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
Subject: Atualizacao Caixa

Delivery of the email was stopped!

------------=_1234782401-3999-0
Content-Type: message/delivery-status; name="dsn_status"
Content-Disposition: inline; filename="dsn_status"
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; ns.example.org
Received-From-MTA: smtp; ns.example.org ([127.0.0.1])
Arrival-Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)

Original-Recipient: rfc822;fred@example.com
Final-Recipient: rfc822;user@gmail.com
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=03999-12 - SPAM
Last-Attempt-Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)
Final-Log-ID: 03999-12/lkPbEmzalURU

------------=_1234782401-3999-0
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <www-data@hydra.udag.de>
Received: from hydra.udag.de (hydra.udag.de [89.31.140.33])
by ns.example.org (Postfix) with ESMTP id 4CA89208029
for <fred@example.com>; Mon, 16 Feb 2009 03:06:33 -0800 (PST)
Received: by hydra.udag.de (Postfix, from userid 33)
id 32D3E45C463; Mon, 16 Feb 2009 12:21:10 +0100 (CET)
To: fred@example.com
Subject: Atualizacao Caixa
Date: Mon, 16 Feb 2009 12:21:07 +0100
From: Caixa Economica Federal <servicos@caixa.gov.br>
Reply-to: Caixa Economica Federal <servicos@caixa.gov.br>
Message-ID: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.518512323.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

------------=_1234782401-3999-0--
*** HEADER EXTRACTED deferred/9/9DF7520804A ***
*** MESSAGE FILE END deferred/9/9DF7520804A ***
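To turn the postqueue -p listing above into an answer to "why is this deferred", here is an added Python example (written for this article, not code from the original post or from Postfix) that parses the listing, groups deferred mail by short reason and recipient domain, and flags entries whose sender is MAILER-DAEMON as bounces that cannot be delivered back, which is the backscatter pattern the postcat output shows.  The listing is embedded as constructed sample input.

```python
"""Triage of 'postqueue -p' output: what is deferred, why, and is it backscatter."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# The two-entry listing from the post above, used as constructed sample input.
POSTQUEUE_OUTPUT = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9DF7520804A     3726 Mon Feb 16 03:06:41  MAILER-DAEMON
(connect to hydra.udag.de[89.31.140.33]: Connection timed out)
                                         www-data@hydra.udag.de

CC1D4208048     3786 Mon Feb 16 02:39:50  MAILER-DAEMON
(connect to bootes.caixa.gov.br[200.201.166.138]: Connection timed out)
                                         servicos@caixa.gov.br

-- 8 Kbytes in 2 Requests.
"""

# First line of each entry: id, optional '*' (active) or '!' (hold), size, date, sender.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$")


@dataclass
class QueueEntry:
    queue_id: str
    size: int
    arrival: str
    sender: str          # 'MAILER-DAEMON' means the empty envelope sender, i.e. a bounce
    flag: str = ""       # '' deferred, '*' active, '!' on hold
    reason: str = ""     # text in parentheses, present for deferred mail
    recipients: List[str] = field(default_factory=list)


def parse_postqueue(text: str) -> List[QueueEntry]:
    """Turn postqueue -p output into QueueEntry records."""
    entries: List[QueueEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Mail queue is empty"):
            continue                                    # header, footer, separators
        match = ENTRY_RE.match(line)
        if match:
            entries.append(QueueEntry(match["qid"], int(match["size"]),
                                      match["arrival"], match["sender"], match["flag"]))
        elif line.startswith("(") and line.endswith(")") and entries:
            entries[-1].reason = line[1:-1]
        elif entries:
            entries[-1].recipients.append(line)
    return entries


def short_reason(reason: str) -> str:
    """Drop the host-specific prefix: 'connect to X[ip]: Connection timed out' -> last part."""
    return reason.rsplit(": ", 1)[-1] if reason else "(no reason recorded)"


def triage(entries: List[QueueEntry]) -> Dict[str, object]:
    """Summarise deferred mail the way an admin decides whether a flush makes sense."""
    deferred = [e for e in entries if e.flag == ""]
    reasons = Counter(short_reason(e.reason) for e in deferred)
    domains = Counter(r.rsplit("@", 1)[-1] for e in deferred for r in e.recipients)
    bounces = [e.queue_id for e in deferred if e.sender == "MAILER-DAEMON"]
    return {
        "deferred": len(deferred),
        "bytes": sum(e.size for e in deferred),
        "reasons": reasons,
        "recipient_domains": domains,
        # Bounces that cannot be delivered back are the classic backscatter signature:
        # the original sender address was forged, so flushing will not help; the fix
        # is to reject such mail during the SMTP session instead of bouncing it later.
        "undeliverable_bounces": bounces,
    }


def triage_page_listing() -> Dict[str, object]:
    return triage(parse_postqueue(POSTQUEUE_OUTPUT))
```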

Postfix Default Settings


You can list the built-in Postfix default settings with this command:

postconf -d

2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = postmaster
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, nis:mail.aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = yes
allow_untrusted_routing = no
alternate_config_directories =
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = yes
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
biff = yes
body_checks =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file =
broken_sasl_auth_clients = no
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
canonical_maps =
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
debug_peer_level = 2
debug_peer_list =
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 10000
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
disable_dns_lookups = no
disable_mime_input_processing = no
disable_mime_output_conversion = no
disable_verp_bounces = no
disable_vrfy_command = no
dont_remove = 0
double_bounce_sender = double-bounce
duplicate_filter_limit = 1000
empty_address_recipient = MAILER-DAEMON
enable_original_recipient = yes
error_notice_recipient = postmaster
error_service_name = error
execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
expand_owner_alias = no
export_environment = TZ MAIL_CONFIG LANG
fallback_transport =
fallback_transport_maps =
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
frozen_delivered_to = yes
hash_queue_depth = 1
hash_queue_names = deferred, defer
header_address_token_limit = 10240
header_checks =
header_size_limit = 102400
helpful_warnings = yes
home_mailbox =
hopcount_limit = 50
html_directory = no
ignore_mx_lookup_error = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
internal_mail_filter_classes =
invalid_hostname_reject_code = 501
ipc_idle = 100s
ipc_timeout = 3600s
ipc_ttl = 1000s
line_length_limit = 2048
lmtp_bind_address =
lmtp_bind_address6 =
lmtp_cname_overrides_servername = no
lmtp_connect_timeout = 0s
lmtp_connection_cache_destinations =
lmtp_connection_cache_on_demand = yes
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_defer_if_no_mx_address_found = no
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_destination_recipient_limit = $default_destination_recipient_limit
lmtp_discard_lhlo_keyword_address_maps =
lmtp_discard_lhlo_keywords =
lmtp_enforce_tls = no
lmtp_generic_maps =
lmtp_host_lookup = dns
lmtp_lhlo_name = $myhostname
lmtp_lhlo_timeout = 300s
lmtp_line_length_limit = 990
lmtp_mail_timeout = 300s
lmtp_mx_address_limit = 5
lmtp_mx_session_limit = 2
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_threshold_time = 500s
lmtp_quit_timeout = 300s
lmtp_quote_rfc821_envelope = yes
lmtp_randomize_addresses = yes
lmtp_rcpt_timeout = 300s
lmtp_rset_timeout = 20s
lmtp_sasl_auth_enable = no
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
lmtp_send_xforward_command = no
lmtp_sender_dependent_authentication = no
lmtp_skip_5xx_greeting = yes
lmtp_starttls_timeout = 300s
lmtp_tcp_port = 24
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
lmtp_xforward_timeout = 300s
local_command_shell =
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 1
local_header_rewrite_clients = permit_inet_interfaces
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local:$myhostname
luser_relay =
mail_name = Postfix
mail_owner = postfix
mail_release_date = 200600825
mail_spool_directory = /var/mail
mail_version = 2.3.3
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = fcntl, dotlock
mailbox_size_limit = 51200000
mailbox_transport =
mailbox_transport_maps =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains =
maps_rbl_reject_code = 554
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
max_idle = 100s
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_reject_characters =
message_size_limit = 10240000
message_strip_characters =
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
milter_protocol = 2
milter_rcpt_macros = i {rcpt_addr}
milter_unknown_command_macros =
mime_boundary_length_limit = 2048
mime_header_checks = $header_checks
mime_nesting_limit = 100
minimal_backoff_time = 1000s
multi_recipient_bounce_reject_code = 550
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = spidertools.org
myhostname = ns.spidertools.org
mynetworks = 127.0.0.0/8 127.0.0.1/32 12.32.36.123/32
mynetworks_style = subnet
myorigin = $myhostname
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 504
non_smtpd_milters =
notify_classes = resource, software
owner_request_special = yes
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
pickup_service_name = pickup
plaintext_reject_code = 450
prepend_delivered_header = command, file, forward
process_id_directory = pid
propagate_unmatched_extensions = canonical, virtual
proxy_interfaces =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
qmgr_clog_warn_time = 300s
qmgr_fudge_factor = 100
qmgr_message_active_limit = 20000
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
qmqpd_authorized_clients =
qmqpd_error_delay = 1s
qmqpd_timeout = 300s
queue_directory = /var/spool/postfix
queue_file_attribute_count_limit = 100
queue_minfree = 0
queue_run_delay = 1000s
queue_service_name = qmgr
rbl_reply_maps =
readme_directory = no
receive_override_options =
recipient_bcc_maps =
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps =
recipient_delimiter =
reject_code = 554
relay_clientcerts =
relay_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_recipient_limit = $default_destination_recipient_limit
relay_domains = $mydestination
relay_domains_reject_code = 554
relay_recipient_maps =
relay_transport = relay
relayhost =
relocated_maps =
remote_header_rewrite_domain =
require_home_directory = no
resolve_dequoted_address = yes
resolve_null_domain = no
resolve_numeric_domain = no
rewrite_service_name = rewrite
sample_directory = /etc/postfix
sender_bcc_maps =
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =
sender_dependent_relayhost_maps =
sendmail_path = /usr/sbin/sendmail
service_throttle_time = 60s
setgid_group = postdrop
show_user_unknown_table_name = yes
showq_service_name = showq
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
soft_bounce = no
stale_lock_time = 500s
strict_7bit_headers = no
strict_8bitmime = no
strict_8bitmime_body = no
strict_mime_encoding_domain = no
strict_rfc821_envelopes = no
sun_mailtool_compatibility = no
swap_bangpath = yes
syslog_facility = mail
syslog_name = postfix
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
trace_service_name = trace
transport_maps =
transport_retry_time = 60s
trigger_timeout = 10s
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450
verp_delimiter_filter = -=+
virtual_alias_domains = $virtual_alias_maps
virtual_alias_expansion_limit = 1000
virtual_alias_maps = $virtual_maps
virtual_alias_recursion_limit = 1000
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_gid_maps =
virtual_mailbox_base =
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_limit = 51200000
virtual_mailbox_lock = fcntl
virtual_mailbox_maps =
virtual_minimum_uid = 100
virtual_transport = virtual
virtual_uid_maps =

Queue Management


Understanding the mail queues, what they do and how they work, is an important step in Postfix configuration.  Here are the queues, each with a summary of what it does and where it is located.

Incoming
The incoming queue is where a message is placed once it has entered the system through SMTP or qmqpd and has been passed to the cleanup service.  The cleanup service performs the last evaluation of a message before it is queued: it can add missing headers and do some content evaluation with regular expressions.  The queue file is owned by the Postfix user with permissions of 0600 until the cleanup service is ready to move the file to the incoming queue, at which point the permissions are changed to 0700.  When the queue manager reviews the incoming queue to move messages into the active queue, it also checks the resource limits of the active queue to verify that they have not been exceeded.

Active
The active queue has a default resource limit of 20,000 messages; when that limit is exceeded, the queue manager stops scanning the incoming and deferred queues.  The messages in the active queue are ready to be delivered.  The active queue differs from the other queues in that it is stored in memory rather than on disk.  This is why the limit is important: it guards the available memory on the system.

Maildrop
The maildrop queue holds messages submitted with the sendmail command.  The pickup service scans the maildrop queue on a regular basis and passes its mail on.

Deferred
If Postfix cannot deliver a message to a recipient, the message is placed in the deferred queue.  The queue manager scans the deferred queue to see if it can place mail back into the active queue.  How often this scan occurs is determined by the queue_run_delay parameter.

If you have a very busy mail server you may see a large deferred queue.  The first instinct is to flush the queue, but that may actually be counterproductive.  The only reason to flush the deferred queue is if you think the messages now have a good chance of delivery.  If they still do not, flushing will only slow down an already busy server.

Hold
The SMTP policies that you set, as well as the header and body checks, can force mail to be placed in the hold queue.  Any message that arrives here remains until an administrator acts upon it.  An administrator can run the postsuper -r command to send mail in the hold queue to the maildrop queue.  Mail will remain here until the maximal_queue_lifetime parameter is exceeded, at which point it is bounced back to the sender.

Corrupt
Damaged queue files are placed in the corrupt directory.  An administrator can view corrupt files with the postcat command.

Each queue has a directory under /var/spool/postfix, as seen below.
/var/spool/postfix/incoming
/var/spool/postfix/active
/var/spool/postfix/bounce
/var/spool/postfix/corrupt
/var/spool/postfix/deferred
/var/spool/postfix/hold
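As an added example (not from the original post), the following POSIX shell script counts the queue files under each of the directories listed above and warns when the active queue approaches the 20,000-message limit described earlier, which is the point at which the queue manager stops scanning incoming and deferred. The spool path and limit are script arguments, and the sample spool it builds for a stand-alone run is constructed, not taken from a real server.

```shell
#!/bin/sh
# Report Postfix queue sizes per queue directory and flag an active queue
# that is close to its configured message limit.

count_queue() {
    # $1 = spool directory, $2 = queue name.
    # Hashed queues such as deferred/ keep files in subdirectories (0..F),
    # so count regular files recursively; a missing queue counts as 0.
    dir="$1/$2"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -type f | wc -l | tr -d ' '
}

queue_report() {
    # $1 = spool directory, $2 = active queue message limit.
    # Returns 1 when the active queue is within 10% of the limit.
    spool="$1"; limit="$2"
    for q in maildrop incoming active deferred hold corrupt; do
        printf '%-9s %s\n' "$q" "$(count_queue "$spool" "$q")"
    done
    active=$(count_queue "$spool" active)
    if [ "$active" -ge $((limit * 9 / 10)) ]; then
        echo "WARN: active queue ($active) is near its limit ($limit)"
        return 1
    fi
    return 0
}

make_sample_spool() {
    # Constructed spool layout for an offline run: 6 deferred, 2 active,
    # 1 held message. A real server uses /var/spool/postfix.
    spool=$(mktemp -d)
    for q in maildrop incoming active deferred hold corrupt; do
        mkdir -p "$spool/$q"
    done
    mkdir -p "$spool/deferred/A" "$spool/deferred/B"
    i=0; while [ $i -lt 5 ]; do : > "$spool/deferred/A/id$i"; i=$((i+1)); done
    : > "$spool/deferred/B/id9"
    : > "$spool/hold/held1"
    : > "$spool/active/act1"; : > "$spool/active/act2"
    echo "$spool"
}

# Run against a real spool when a directory is given on the command line,
# e.g.  ./queue_report.sh /var/spool/postfix 20000
if [ $# -gt 0 ]; then
    queue_report "$1" "${2:-20000}"
fi
```

Run it as a low-privileged user via sudo or as the postfix user, since the queue directories are not world-readable.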
