Archive for the Postfix Configuration Category
Posted by mike Filed Under Postfix Configuration with Comments Off
Control Relays
Controlling which domains can relay mail through Postfix is a very important setting. You will certainly need to relay mail from the domain that Postfix is on.
You do not want Postfix to relay mail from other sources unless they are domains that you control, as you will end up being an open relay for spammers.
How to Control Relays
Postfix will not allow the server to be an open relay by default. Several parameters control who can use Postfix as a relay, including mynetworks_style and mynetworks. The default configuration allows Postfix to relay for machines on the same subnet as the server. You can control this further by modifying the mynetworks_style parameter. Here are several examples:
mynetworks_style=host
This limits the relay to the local machine or host only.
mynetworks_style=class
This setting broadens the scope to the class A, B or C network that the server is on. This could easily be a problem, as it allows relaying from far too many other systems. The best way to limit the systems that can relay is to use the mynetworks parameter.
The mynetworks parameter allows you to set individual IP Addresses or subnets. When this parameter is used the mynetworks_style parameter is ignored. In the example below an internal private network is included as well as a public subnet. The example also includes a single IP Address. This gives you flexibility in configuring the options.
mynetworks = 192.168.5.0/24 12.32.34.32 216.168.0.0/24
The only problem in the above example is that it requires that users have static IP addresses. If they have dynamic IP addresses, then Postfix must be configured for SMTP authentication.
SMTP
SMTP is a complex solution that is difficult to implement correctly for dynamic IP Addresses. One of the problems that is involved is the ability of spammers to fake envelope addresses making your mail server an open relay. It is better to try to use the dynamic IP Addresses that are current than to use SMTP.
Setting Relay Permissions
By default Postfix is safe in that it will not allow relays from other domains or networks. Postfix scans your network to detect the networks that it is directly attached to. This means that Postfix will review the network cards on the server and relay for the networks represented on those cards. This typical configuration will not work well if your Postfix server is in a DMZ, so skill in managing this configuration is important. The mynetworks parameter lets you list the networks that Postfix should relay mail for.
mynetworks = 127.0.0.0/8, 192.168.5.0/24, 192.168.3.0/24
This configuration will send mail for the business network, the DMZ hosts and the localhost, the Postfix server itself.
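A mynetworks value is easy to get subtly wrong, so it helps to check one before it goes into main.cf. The following audit is an added example, not code from the original page or from Postfix; the function name, the /16 "too broad" threshold and the sample value are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption for this sketch: an IPv4 network wider than /16 is reported as broad.
BROAD_PREFIX_V4 = 16

def audit_mynetworks(value):
    """Return (entry, severity, message) findings for a mynetworks value."""
    findings = []
    # Postfix separates list entries with whitespace and/or commas.
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        # File names, type:table references and !exclusions are out of scope here.
        if entry.startswith(("/", "!")) or re.match(r"^[a-z]+:", entry):
            findings.append((entry, "skipped", "file, table or exclusion; not checked"))
            continue
        literal = entry.replace("[", "").replace("]", "")  # IPv6 is written [addr]/len
        try:
            net = ipaddress.ip_network(literal, strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(literal, strict=False)
                findings.append((entry, "error", f"host bits set; use {fixed}"))
            except ValueError:
                findings.append((entry, "error", "not a valid address or CIDR"))
            continue
        if net.is_loopback:
            continue  # the local host is always expected to be trusted
        if net.version == 4 and net.prefixlen < BROAD_PREFIX_V4:
            findings.append((entry, "warn",
                             f"/{net.prefixlen} trusts {net.num_addresses} addresses"))
        elif not net.is_private:
            findings.append((entry, "warn",
                             "public range; confirm you control it"))
    return findings

# Constructed sample value: one malformed entry, one with host bits set,
# one world-wide network and one table reference.
SAMPLE = ("127.0.0.0/8 192.168.5.0/24 12.32.34.32 216.168.0.1/24 "
          "10.0.0/8 0.0.0.0/0 hash:/etc/postfix/network_table")

if __name__ == "__main__":
    for entry, severity, message in audit_mynetworks(SAMPLE):
        print(f"{severity:8} {entry:35} {message}")
```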
Copyright CyberMontana Inc. and Postfixmail.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874
Posted by mike Filed Under Postfix Configuration with Comments Off
Maps are the files, and the databases created from files, that are used to look up information. The basic structure of a map is two columns, a left-hand side (key) and a right-hand side (value).
key value
Postfix uses a number of map types. These maps are critical to Postfix looking up information quickly.
To view the supported map types on your system use this command:
# postconf -m
btree
cidr
environ
hash
nis
proxy
regexp
sdbm
static
tcp
unix
Run the postconf -m command to review the supported map types.
Indexed Maps (hash, btree, dbm)
These maps are actually binary files built from text files that you can edit. The alias file is a good example. In the example you can see that the key is “root:” and the value is “someuser@somewhere.com”.
root: someuser@somewhere.com
This file allows you to edit it and then when you are done you can run the newaliases command to create the binary file aliases.db which is the file read by Postfix. Because these maps are indexed they can be read quickly by Postfix. In addition, these maps are placed in memory when the system starts, a further enhancement to speed.
Linear Maps (PCRE, regexp, CIDR and Flat Files)
These are typical text files. The purpose of these files is to allow Postfix to read them from top to bottom and when a match is found to take some action. This process is much like iptables in that the first match is what counts so order in the file is extremely important. One problem with these maps is that as they get larger it takes more time for Postfix to read them.
Database Maps (MySQL, PostgreSQL, LDAP)
When you use a database, Postfix looks for a match or no match when it runs a query. The advantage of a database is that if a change occurs in the database it does not have to be restarted like an indexed map. The disadvantage is that the database must be able to handle a large number of queries, as a single connection requires 3 queries. Since the default number of simultaneous processes is 100 (set with default_process_limit), this could easily mean 300 simultaneous queries. These database queries have a high latency, as the request is made and then Postfix must wait for the response. With indexed maps the data is already loaded in memory.
Posted by mike Filed Under Postfix Configuration with Comments Off
Lookup Tables are simple tables that allow Postfix to access configuration information that it needs. An example is when an organization would like to rewrite the email addresses so that they look different to outside clients. The parameter canonical_maps is the file that is used to make these changes and is used as a Lookup Table. In the example the organization wants to change the tsmith@example.org to tom.smith@example.org outside of the network. The file Lookup Table must be created like the example below:
# canonical mappings
#
tsmith@example.org tom.smith@example.org
It should be saved as /etc/postfix/canonical
Once you have saved the file you must run the postmap command:
postmap /etc/postfix/canonical
Now you can run a query on the mappings that you have set.
postmap -q tsmith@example.org /etc/postfix/canonical
tom.smith@example.org
Posted by mike Filed Under Postfix Configuration with Comments Off
Managing Mail Limits
The main.cf file contains several settings to manage mail limits.
Limit Recipients
This parameter limits the number of recipients for a single message. The default is 1000 set in the smtpd_recipient_limit setting.
Message Size Limit
The message size is restricted to 10 MB by default. When choosing this setting you will need to consider disk space and the needs of users. It is set in the message_size_limit parameter.
Error Protection
Postfix tracks errors or attacks from a client. To ensure the safety of the system, Postfix increases a delay each time an error or an attack comes from a client. This delay is set in smtpd_error_sleep_time and has a default of 1 second. Postfix increases the delay by 1 second for each additional error after the error count reaches the smtpd_soft_error_limit. The client is disconnected when the error count reaches the smtpd_hard_error_limit.
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
This example demonstrates that Postfix will increase the delay by 1 second after the errors reach 10 and then disconnect once the errors reach 20.
The mail size can be limited by placing a parameter into main.cf. The parameter is message_size_limit = size, where size is given in bytes.
If you wanted to change from the default 10 M size maximum for mail to about 12 M, you could add this line at the end of main.cf:
message_size_limit = 12288000