Red Hat Enterprise Linux 8 Deploying different types of servers
CHAPTER 8. DEPLOYING AND CONFIGURING A POSTFIX
SMTP SERVER
As a system administrator, you can configure your email infrastructure by using a mail transport agent
(MTA), such as Postfix, to transport email messages between hosts using the SMTP protocol. Postfix is
a server-side application for routing and delivering mail. You can use Postfix to set up a local mail server,
create a null-client mail relay, use a Postfix server as a destination for multiple domains, or choose an
LDAP directory instead of files for lookups.
The postfix package provides multiple configuration files in the /etc/postfix/ directory.
To configure your email infrastructure, use the following configuration files:
main.cf — contains the global configuration of Postfix.
master.cf — specifies Postfix interaction with various processes to accomplish mail delivery.
access — specifies access rules, for example hosts that are allowed to connect to Postfix.
transport — maps email addresses to relay hosts.
aliases — contains a configurable list required by the mail protocol that describes user ID
aliases. Note that you can find this file in the /etc/ directory.
The key features of Postfix:
Security features to protect against common email related threats
Customization options, including support for virtual domains and aliases
8.1. INSTALLING AND CONFIGURING A POSTFIX SMTP SERVER
You can configure your Postfix SMTP server to receive, store, and deliver email messages. If the mail
server package is not selected during the system installation, Postfix will not be available by default.
Perform the following steps to install Postfix:
Prerequisites
You have root access.
Register your system
Procedure
1. Remove the Sendmail utility:
# yum remove sendmail
2. Install Postfix:
# yum install postfix
3. To configure Postfix, edit the /etc/postfix/main.cf file and make the following changes:
a. By default, Postfix receives emails only on the loopback interface. To configure Postfix to
listen on specific interfaces, update the inet_interfaces parameter to the IP addresses of
these interfaces:
inet_interfaces = 127.0.0.1/32, [::1]/128, 192.0.2.1, [2001:db8:1::1]
To configure Postfix to listen on all interfaces, set:
inet_interfaces = all
b. If you want Postfix to use a different hostname than the fully-qualified domain name
(FQDN) returned by the gethostname() function, add the myhostname parameter:
myhostname = smtp.example.com
For example, Postfix adds this hostname to the headers of emails it processes.
c. If the domain name differs from the one in the myhostname parameter, add the
mydomain parameter:
mydomain = example.com
d. Add the myorigin parameter and set it to the value of mydomain:
myorigin = $mydomain
With this setting, Postfix uses the domain name as origin for locally posted mails instead of
the hostname.
e. Add the mynetworks parameter, and define the IP ranges of trusted networks that are
allowed to send mails:
mynetworks = 127.0.0.1/32, [::1]/128, 192.0.2.1/24, [2001:db8:1::1]/64
If clients on untrusted networks, such as the internet, must be able to send mail
through this server, you must configure relay restrictions in a later step.
4. Verify that the Postfix configuration in the main.cf file is correct:
# postfix check
5. Enable the postfix service to start at boot and start it:
# systemctl enable --now postfix
6. Allow SMTP traffic through the firewall and reload the firewall rules:
# firewall-cmd --permanent --add-service smtp
# firewall-cmd --reload
Verification
1. Verify that the postfix service is running:
# systemctl status postfix
Optional: If the output shows the service as stopped, waiting, or not running, restart the
postfix service:
# systemctl restart postfix
Optional: Reload the postfix service after changing any options in the configuration files in
the /etc/postfix/ directory to apply those changes:
# systemctl reload postfix
2. Verify the email communication between local users on your system:
# echo "This is a test message" | mail -s <subject> <[email protected]>
3. To verify that your mail server does not relay emails from external IP ranges to foreign domains,
follow this procedure:
a. Log in to a client which is not within the subnets that you defined in mynetworks.
b. Configure the client to use your mail server.
c. Try to send an email to an email address that is not under the domain you specified in
mydomain on your mail server. For example, try to send an email to non-existing-
[email protected].
d. Check the /var/log/maillog file:
554 Relay access denied - the server is not going to relay.
250 OK or similar - the server is going to relay.
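The following script is an added example; it is not part of the Red Hat documentation or of the Postfix project. It reads maillog lines of the kind that verification step 3 points at and reports two things: relay attempts that Postfix denied (the 554 case) and messages that Postfix actually relayed for a client outside mynetworks, which is the open-relay condition the test is looking for. The log lines, hostnames, addresses, queue IDs and the LOCAL_DOMAINS set are constructed for the example; the mynetworks value is the one from step 3e.

```python
import ipaddress
import re

# Trusted networks as written in main.cf in step 3e of 8.1 (constructed value)
MYNETWORKS = "127.0.0.1/32, [::1]/128, 192.0.2.1/24, [2001:db8:1::1]/64"
# Domains this server is the final destination for (assumed for the example);
# mail to them is inbound delivery, not relaying
LOCAL_DOMAINS = {"example.com"}

# Constructed maillog lines in the shape that postfix/smtpd, postfix/smtp and
# postfix/local write; hosts, addresses and queue IDs are invented.
SAMPLE_MAILLOG = """\
Mar  1 10:00:01 smtp postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <someone@other.example>: Relay access denied; from=<x@other.example> to=<someone@other.example> proto=ESMTP helo=<client>
Mar  1 10:00:05 smtp postfix/smtpd[1235]: 4F1A2B3C4D: client=host77.example.com[192.0.2.77]
Mar  1 10:00:06 smtp postfix/smtp[1240]: 4F1A2B3C4D: to=<someone@other.example>, relay=mx.other.example[203.0.113.25]:25, delay=0.5, status=sent (250 2.0.0 OK)
Mar  1 10:00:09 smtp postfix/smtpd[1236]: 5A1B2C3D4E: client=unknown[198.51.100.9]
Mar  1 10:00:10 smtp postfix/smtp[1241]: 5A1B2C3D4E: to=<victim@other.example>, relay=mx.other.example[203.0.113.25]:25, delay=0.6, status=sent (250 2.0.0 OK)
Mar  1 10:00:12 smtp postfix/smtpd[1237]: 6B1C2D3E4F: client=unknown[198.51.100.9]
Mar  1 10:00:13 smtp postfix/local[1242]: 6B1C2D3E4F: to=<bob@example.com>, relay=local, delay=0.1, status=sent (delivered to mailbox)
"""

# A denied relay attempt: smtpd answers 554 and never assigns a queue ID
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([^\]]+)\]: "
                       r"554 [\d.]+ <([^>]+)>: Relay access denied")
# An accepted message: smtpd logs the queue ID together with the client address
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S+\[([^\]]+)\]")
# An outbound SMTP delivery of that queue ID (local deliveries are postfix/local)
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-Za-z]+): to=<([^>]+)>, relay=")


def parse_networks(spec):
    """Turn a mynetworks value into ip_network objects; Postfix writes IPv6
    entries as [addr]/len, so the brackets are dropped first."""
    nets = []
    for item in spec.split(","):
        item = item.strip().replace("[", "").replace("]", "")
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def audit_relay_log(log_text, mynetworks=MYNETWORKS, local_domains=LOCAL_DOMAINS):
    """Correlate smtpd client= lines with smtp delivery lines by queue ID and
    report (a) relay attempts Postfix denied and (b) messages it relayed to a
    foreign domain for clients outside mynetworks (the open-relay case)."""
    nets = parse_networks(mynetworks)
    client_of = {}          # queue ID -> client IP
    denied, relayed_for_untrusted = [], []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            denied.append((m.group(1), m.group(2)))
            continue
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = SENT_RE.search(line)
        if m:
            qid, rcpt = m.groups()
            ip = client_of.get(qid)
            domain = rcpt.rpartition("@")[2].lower()
            if ip and domain not in local_domains and not is_trusted(ip, nets):
                relayed_for_untrusted.append((ip, rcpt))
    return {"denied": denied, "relayed_for_untrusted": relayed_for_untrusted}


if __name__ == "__main__":
    result = audit_relay_log(SAMPLE_MAILLOG)
    print("denied relay attempts:", result["denied"])
    print("relayed for untrusted clients:", result["relayed_for_untrusted"])
```

On the constructed input the denied entry is the expected outcome of the test in step 3, while the entry for 198.51.100.9 is what an open relay looks like in the log: the message got a queue ID and was handed to a foreign MX even though the client is in none of the trusted ranges. Run it against the real /var/log/maillog with the server's own mynetworks value.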
Troubleshooting
In case of errors, check the /var/log/maillog file.
Additional resources
The /etc/postfix/main.cf configuration file
The /usr/share/doc/postfix/README_FILES directory
Using and configuring firewalld
8.2. CUSTOMIZING TLS SETTINGS OF A POSTFIX SERVER
To make your email traffic encrypted and therefore more secure, you can configure Postfix to use a
certificate from a trusted certificate authority (CA) instead of the self-signed certificate and customize
the Transport Layer Security (TLS) security settings. In RHEL 8, the TLS encryption protocol is enabled
in the Postfix server by default. The basic Postfix TLS configuration contains self-signed certificates for
inbound SMTP and the opportunistic TLS for outbound SMTP.
Prerequisites
You have root access.
You have the postfix package installed on your server.
You have a certificate signed by a trusted certificate authority (CA) and a private key.
You have copied the following files to the Postfix server:
The server certificate: /etc/pki/tls/certs/postfix.pem
The private key: /etc/pki/tls/private/postfix.key
Procedure
1. Set the path to the certificate and private key files on the server where Postfix is running by
adding the following lines to the /etc/postfix/main.cf file:
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
2. Restrict the incoming SMTP connections to authenticated users only by editing the
/etc/postfix/main.cf file:
smtpd_tls_auth_only = yes
3. Reload the postfix service to apply the changes:
# systemctl reload postfix
Verification
Configure your client to use TLS encryption and send an email.
NOTE
To get additional information about Postfix client TLS activity, increase the log
level from 0 to 1 by changing the following line in the /etc/postfix/main.cf file:
smtp_tls_loglevel = 1
8.3. CONFIGURING POSTFIX TO FORWARD ALL EMAILS TO A MAIL
RELAY
If you want to forward all email to a mail relay, you can configure the Postfix server as a null client. In this
configuration, Postfix only forwards mail to a different mail server and is not capable of receiving mail.
Prerequisites
You have root access.
You have the postfix package installed on your server.
You have the IP address or hostname of the relay host to which you want to forward emails.
Procedure
1. To prevent Postfix from accepting any local email delivery and making it a null client, edit the
/etc/postfix/main.cf file and make the following changes:
a. Configure Postfix to forward all email by setting the mydestination parameter equal to an
empty value:
mydestination =
In this configuration the Postfix server is not a destination for any email and acts as a null
client.
b. Specify the mail relay server that receives the email from your null client:
relayhost = [<ip_address_or_hostname>]
The relay host is responsible for the mail delivery. Enclose <ip_address_or_hostname> in
square brackets.
c. Configure the Postfix mail server to listen only on the loopback interface for emails to
deliver:
inet_interfaces = loopback-only
d. If you want Postfix to rewrite the sender domain of all outgoing emails to the company
domain of your relay mail server, set:
myorigin = relay.example.com
e. To disable the local mail delivery, add the following directive at the end of the configuration
file:
local_transport = error: local delivery disabled
f. Add the mynetworks parameter so that Postfix forwards email from the local system
originating from the 127.0.0.0/8 IPv4 network and the [::1]/128 IPv6 network to the mail
relay server:
mynetworks = 127.0.0.0/8, [::1]/128
2. Verify that the Postfix configuration in the main.cf file is correct:
# postfix check
3. Restart the postfix service to apply the changes:
# systemctl restart postfix
Verification
Verify that email is forwarded to the mail relay:
# echo "This is a test message" | mail -s <subject> <[email protected]>
Troubleshooting
In case of errors, check the /var/log/maillog file.
Additional resources
The /etc/postfix/main.cf configuration file
8.4. CONFIGURING POSTFIX AS A DESTINATION FOR MULTIPLE
DOMAINS
You can configure Postfix as a mail server that can receive emails for multiple domains. In this
configuration, Postfix acts as the final destination for emails sent to addresses within the specified
domains. You can configure the following:
Set up multiple email addresses that point to the same email destination
Route incoming email for multiple domains to the same Postfix server
Prerequisites
You have root access.
You have configured a Postfix server.
Procedure
1. In the /etc/postfix/virtual virtual alias file, specify the email addresses for each domain. Add
each email address on a new line:
<[email protected]> <[email protected]>
<[email protected]> <[email protected]>
and email sent to
[email protected] to
[email protected].
2. Create a hash file for the virtual alias map:
# postmap /etc/postfix/virtual
This command creates the /etc/postfix/virtual.db file. Note that you must always re-run this
command after you update the /etc/postfix/virtual file.
3. In the Postfix /etc/postfix/main.cf configuration file, add the virtual_alias_maps parameter
and point it to the hash file:
virtual_alias_maps = hash:/etc/postfix/virtual
4. Reload the postfix service to apply the changes:
# systemctl reload postfix
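As an added example that is not part of the Red Hat documentation or of the Postfix project, the following Python script parses a virtual alias file in the format used in step 1 and resolves a recipient the way virtual_alias_maps lookups do: the full address is tried first, then the @domain catch-all, and every result is fed back through the table until it no longer matches or maps to itself. The file contents and all addresses are constructed; the recursion limit plays the role of Postfix's virtual_alias_recursion_limit (default 1000) but uses a small value so that an aliasing loop is easy to see.

```python
import re

# Constructed /etc/postfix/virtual content in the format described in 8.4:
# a virtual address or an @domain catch-all, then its destination address(es).
# Every address here is invented for the example.
SAMPLE_VIRTUAL = """\
# blank lines and comments are ignored, as postmap does
info@example.com      alice@example.com
sales@example.com     alice@example.com, bob@example.com
alice@example.com     alice@mail.example.com
@example.net          catchall@example.com
loop@example.org      loop@example.org
ping@example.org      pong@example.org
pong@example.org      ping@example.org
"""

# Postfix stops expanding after virtual_alias_recursion_limit rounds (default
# 1000); a small value is enough to demonstrate the loop case.
RECURSION_LIMIT = 10


def parse_virtual(text):
    """Read the table that postmap would compile into virtual.db: key and
    value separated by whitespace, several destinations separated by commas
    or whitespace. Keys and values are folded to lower case."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"missing destination in virtual entry: {line!r}")
        key, value = parts
        table[key.lower()] = [d.lower() for d in re.split(r"[\s,]+", value) if d]
    return table


def lookup(address, table):
    """Lookup order used for virtual_alias_maps: the full address first, then
    the @domain catch-all. (Postfix additionally tries the bare local part
    for its own domains; that case is omitted in this simplification.)"""
    if address in table:
        return table[address]
    return table.get("@" + address.rpartition("@")[2])


def resolve(address, table, limit=RECURSION_LIMIT):
    """Expand one recipient: each result goes back through the table until it
    no longer matches or maps to itself. A cycle that never settles is
    rejected when the recursion limit is reached."""
    final, pending = set(), [(address.lower(), 0)]
    while pending:
        addr, depth = pending.pop()
        targets = lookup(addr, table)
        if targets is None or targets == [addr]:
            final.add(addr)
            continue
        if depth >= limit:
            raise ValueError(f"alias recursion limit exceeded while expanding {address}")
        for target in targets:
            if target == addr:      # self-reference ends expansion for that branch
                final.add(target)
            else:
                pending.append((target, depth + 1))
    return sorted(final)


if __name__ == "__main__":
    table = parse_virtual(SAMPLE_VIRTUAL)
    for rcpt in ("info@example.com", "sales@example.com", "anyone@example.net"):
        print(rcpt, "->", resolve(rcpt, table))
```

Because the table is consulted again for every result, the alice@example.com entry is applied to mail that arrived through the info@ and sales@ aliases as well, and the ping/pong pair shows why a virtual file should be checked for cycles before postmap and the reload: on the real server such mail is deferred rather than delivered.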
Verification
Test the configuration by sending an email to one of the virtual email addresses.
Troubleshooting
In case of errors, check the /var/log/maillog file.
8.5. USING AN LDAP DIRECTORY AS A LOOKUP TABLE
If you use a Lightweight Directory Access Protocol (LDAP) server to store accounts, domains or aliases,
you can configure Postfix to use the LDAP server as a lookup table. Using LDAP instead of files for
lookups enables you to have a central database.
Prerequisites
You have root access.
You have the postfix package installed on your server.
You have an LDAP server with the required schema and user credentials.
You have the postfix-ldap plugin installed on the server running Postfix.
Procedure
1. Configure the LDAP lookup parameters by creating a /etc/postfix/ldap-aliases.cf file with the
following content:
a. Specify the hostname of the LDAP server:
server_host = ldap.example.com
b. Specify the base domain name for the LDAP search:
search_base = dc=example,dc=com
c. Optional: Customize the LDAP search filter and attributes based on your requirements. The
filter for searching the directory defaults to query_filter = mailacceptinggeneralid=%s.
2. Enable the LDAP source as a lookup table in the /etc/postfix/main.cf configuration file by
adding the following content:
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
3. Verify the LDAP configuration by running the postmap command, which checks for any syntax
errors or connectivity issues:
# postmap -q @example.com ldap:/etc/postfix/ldap-aliases.cf
4. Reload the postfix service to apply the changes:
# systemctl reload postfix
Verification
Send a test email to verify that the LDAP lookup works correctly. Check the mail logs in
/var/log/maillog for any errors.
Additional resources
/usr/share/doc/postfix/README_FILES/LDAP_README file
/usr/share/doc/postfix/README_FILES/DATABASE_README file
8.6. CONFIGURING POSTFIX AS AN OUTGOING MAIL SERVER TO
RELAY FOR AUTHENTICATED USERS
You can configure Postfix to relay mail for authenticated users. In this scenario, you allow users to
authenticate themselves and use their email address to send mail through your SMTP server by
configuring Postfix as an outgoing mail server with SMTP authentication, TLS encryption, and sender
address restrictions.
Prerequisites
You have root access.
You have configured a Postfix server.
Procedure
1. To configure Postfix as an outgoing mail server, edit the /etc/postfix/main.cf file and add the
following:
a. Enable SMTP authentication:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
b. Disable access without TLS:
smtpd_tls_auth_only = yes
c. Allow mail relaying only for authenticated users:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
d. Optional: Restrict users to use their own email address only as a sender:
smtpd_sender_restrictions = reject_sender_login_mismatch
2. Reload the postfix service to apply the changes:
# systemctl reload postfix
Verification
Authenticate in your SMTP client that supports TLS and SASL. Send a test email to verify that
the SMTP authentication works correctly.
8.7. DELIVERING EMAIL FROM POSTFIX TO DOVECOT RUNNING ON
THE SAME HOST
You can configure Postfix to deliver incoming mail to Dovecot on the same host using LMTP over a
UNIX socket. This socket enables direct communication between Postfix and Dovecot on the local
machine.
Prerequisites
You have root access.
You have configured a Postfix server.
You have configured a Dovecot server, see Configuring and maintaining a Dovecot IMAP and
POP3 server.
You have configured the LMTP socket on your Dovecot server, see Configuring an LMTP
socket and LMTPS listener.
Procedure
1. Configure Postfix to use the LMTP protocol and the UNIX domain socket for delivering mail to
Dovecot in the /etc/postfix/main.cf file:
If you want to use virtual mailboxes, add the following content:
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
If you want to use non-virtual mailboxes, add the following content:
mailbox_transport = lmtp:unix:/var/run/dovecot/lmtp
2. Reload the postfix service to apply the changes:
# systemctl reload postfix
Verification
Send a test email to verify that the LMTP socket works correctly. Check the mail logs in
/var/log/maillog for any errors.
8.8. DELIVERING EMAIL FROM POSTFIX TO DOVECOT RUNNING ON A
DIFFERENT HOST
You can establish a secure connection between the Postfix mail server and the Dovecot delivery agent over
the network. To do so, configure the LMTP service to use a network socket for delivering mail between
mail servers. By default, the LMTP protocol is not encrypted. However, if you configured TLS
encryption, Dovecot uses the same settings automatically for the LMTP service. SMTP servers can then
connect to it using the STARTTLS command over LMTP.
Prerequisites
You have root access.
You have configured a Postfix server.
You have configured a Dovecot server, see Configuring and maintaining a Dovecot IMAP and
POP3 server.
You have configured the LMTP service on your Dovecot server, see Configuring an LMTP
socket and LMTPS listener.
Procedure
1. Configure Postfix to use the LMTP protocol and the INET domain socket for delivering mail to
Dovecot in the /etc/postfix/main.cf file by adding the following content:
mailbox_transport = lmtp:inet:<dovecot_host>:<port>
Replace <dovecot_host> with the IP address or hostname of the Dovecot server and <port>
with the port number of the LMTP service.
2. Reload the postfix service to apply the changes:
# systemctl reload postfix
Verification
Send a test email to an address hosted by the remote Dovecot server and check the Dovecot
logs to ensure that the mail was successfully delivered.
8.9. SECURING THE POSTFIX SERVICE
Postfix is a mail transfer agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver
electronic messages between other MTAs and to email clients or delivery agents. Although MTAs can
encrypt traffic between one another, they might not do so by default. You can also mitigate the risk of
various attacks by changing settings to more secure values.
8.9.1. Reducing Postfix network-related security risks
To reduce the risk of attackers invading your system through the network, perform as many of the
following tasks as possible.
Do not share the /var/spool/postfix/ mail spool directory on a Network File System (NFS)
shared volume. NFSv2 and NFSv3 do not maintain control over user and group IDs. Therefore, if
two or more users have the same UID, they can receive and read each other’s mail, which is a
security risk.
NOTE
This rule does not apply to NFSv4 using Kerberos, because the SECRPC_GSS
kernel module does not use UID-based authentication. However, to reduce the
security risks, you should not put the mail spool directory on NFS shared
volumes.
To reduce the probability of Postfix server exploits, mail users must access the Postfix server
using an email program. Do not allow shell accounts on the mail server, and set all user shells in
the /etc/passwd file to /sbin/nologin (with the possible exception of the root user).
To protect Postfix from a network attack, it is set up to only listen to the local loopback address
by default. You can verify this by viewing the inet_interfaces = localhost line in the
/etc/postfix/main.cf file. This ensures that Postfix only accepts mail messages (such as cron job
reports) from the local system and not from the network. This is the default setting and
protects Postfix from a network attack. To remove the localhost restriction and allow Postfix to
listen on all interfaces, set the inet_interfaces parameter to all in /etc/postfix/main.cf.
8.9.2. Postfix configuration options for limiting DoS attacks
An attacker can flood the server with traffic, or send information that triggers a crash, causing a denial of
service (DoS) attack. You can configure your system to reduce the risk of such attacks by setting limits
in the /etc/postfix/main.cf file. You can change the value of the existing directives or you can add new
directives with custom values in the <directive> = <value> format.
Use the following list of directives for limiting a DoS attack:
smtpd_client_connection_rate_limit
Limits the maximum number of connection attempts any client can make to this service per time unit.
The default value is 0, which means a client can make as many connections per time unit as Postfix
can accept. By default, the directive excludes clients in trusted networks.
anvil_rate_time_unit
Defines a time unit to calculate the rate limit. The default value is 60 seconds.
smtpd_client_event_limit_exceptions
Excludes clients from the connection and rate limit commands. By default, the directive excludes
clients in trusted networks.
smtpd_client_message_rate_limit
Defines the maximum number of message delivery requests a client may make per time unit (regardless
of whether or not Postfix actually accepts those messages).
default_process_limit
Defines the default maximum number of Postfix child processes that provide a given service. You
can override this limit for specific services in the master.cf file. By default, the value is 100.
queue_minfree
Defines the minimum amount of free space required to receive mail in the queue file system. The
directive is currently used by the Postfix SMTP server to decide if it accepts any mail at all. By
default, the Postfix SMTP server rejects MAIL FROM commands when the amount of free space is
less than 1.5 times the message_size_limit. To specify a higher minimum free space limit, specify a
queue_minfree value that is at least 1.5 times the message_size_limit. By default, the
queue_minfree value is 0.
header_size_limit
Defines the maximum amount of memory in bytes for storing a message header. If a header exceeds
this size, Postfix discards the excess. By default, the value is 102400 bytes.
message_size_limit
Defines the maximum size of a message including the envelope information in bytes. By default, the
value is 10240000 bytes.
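The audit below is an added example, not code from the Red Hat documentation or from the Postfix project. It parses main.cf syntax (name = value, comments, continuation lines that start with whitespace, and $name references such as myorigin = $mydomain) and then checks the settings this chapter touches against one another: the mynetworks and smtpd_relay_restrictions values from 8.1 and 8.6, smtpd_tls_auth_only from 8.2, smtpd_sasl_security_options from 8.9.3, and the queue_minfree and smtpd_client_connection_rate_limit directives listed above. Both configuration fragments are constructed; the second one appends the hardened values, and, as in Postfix, a later assignment overrides an earlier one.

```python
import re

# Constructed /etc/postfix/main.cf fragment with the kind of settings the
# procedures in 8.1, 8.2, 8.6 and 8.9 touch. It is invented for the example.
SAMPLE_MAIN_CF = """\
myhostname = smtp.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
# a continuation line (leading whitespace) extends the previous value
mynetworks = 127.0.0.1/32, [::1]/128,
    192.0.2.0/24
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_sasl_security_options = noanonymous
message_size_limit = 10240000
queue_minfree = 1000000
"""

# Same fragment with TLS-only authentication (8.2) and the limits from 8.9.2
# appended; the later queue_minfree assignment replaces the earlier one.
HARDENED_MAIN_CF = SAMPLE_MAIN_CF + """\
smtpd_tls_auth_only = yes
queue_minfree = 15360000
smtpd_client_connection_rate_limit = 50
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, continuation
    lines that start with whitespace, and $name / ${name} references."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    for name, value in params.items():
        params[name] = re.sub(r"\$\{?(\w+)\}?",
                              lambda m: params.get(m.group(1), ""), value)
    return params


def _words(params, name):
    """Split a comma- or whitespace-separated value into its items."""
    value = params.get(name, "").strip()
    return [w for w in re.split(r"[\s,]+", value) if w] if value else []


def audit_main_cf(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # anything other than the loopback-only forms is treated as network-facing
    on_network = params.get("inet_interfaces", "all") not in ("localhost", "loopback-only")
    sasl = params.get("smtpd_sasl_auth_enable") == "yes"
    tls_only = params.get("smtpd_tls_auth_only") == "yes"
    sasl_opts = _words(params, "smtpd_sasl_security_options")

    nets = [n.replace("[", "").replace("]", "") for n in _words(params, "mynetworks")]
    if any(n in ("0.0.0.0/0", "::/0") for n in nets):
        findings.append("mynetworks trusts every address: open relay via permit_mynetworks")

    # Only an explicit value is checked: the Postfix default already ends in
    # defer_unauth_destination, so an absent parameter is not a finding.
    relay = _words(params, "smtpd_relay_restrictions")
    if relay and not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay):
        findings.append("smtpd_relay_restrictions never rejects unauthorized destinations")

    if sasl and not tls_only:
        findings.append("smtpd_sasl_auth_enable = yes without smtpd_tls_auth_only = yes: "
                        "clients may authenticate over cleartext")
    if sasl and not tls_only and "noplaintext" not in sasl_opts:
        findings.append("plaintext SASL mechanisms offered on unencrypted sessions")
    if sasl and "noanonymous" not in sasl_opts:
        findings.append("anonymous SASL authentication not disabled")
    if bool(params.get("smtpd_tls_cert_file")) != bool(params.get("smtpd_tls_key_file")):
        findings.append("smtpd_tls_cert_file and smtpd_tls_key_file must be set together")

    # queue_minfree rule from 8.9.2: at least 1.5 times message_size_limit
    size_limit = int(params.get("message_size_limit", 10240000))
    minfree = int(params.get("queue_minfree", 0))
    if 0 < minfree < 1.5 * size_limit:
        findings.append("queue_minfree is below 1.5 x message_size_limit")
    if on_network and int(params.get("smtpd_client_connection_rate_limit", 0)) == 0:
        findings.append("no per-client connection rate limit while listening on the network")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_main_cf(parse_main_cf(text)))
```

On the sample fragment the audit reports four findings (cleartext authentication possible, plaintext mechanisms offered, queue_minfree too low, no connection rate limit); the hardened fragment reports none. The parser deliberately keeps the same override order as Postfix, so the script can also be pointed at the output of postconf -n, where each parameter appears exactly once.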
8.9.3. Configuring Postfix to use SASL
Postfix supports Simple Authentication and Security Layer (SASL) based SMTP Authentication (AUTH).
SMTP AUTH is an extension of the Simple Mail Transfer Protocol. Currently, the Postfix SMTP server
supports the SASL implementations in the following ways:
Dovecot SASL
The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a
UNIX-domain socket or a TCP socket. Use this method if Postfix and Dovecot applications are
running on separate machines.
Cyrus SASL
When enabled, SMTP clients must authenticate with the SMTP server using an authentication
method supported and accepted by both the server and the client.
Prerequisites
The dovecot package is installed on the system.
Procedure
1. Set up Dovecot:
a. Include the following lines in the /etc/dovecot/conf.d/10-master.conf file:
service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
    }
}
The previous example uses UNIX-domain sockets for communication between Postfix and
Dovecot. The example also assumes default Postfix SMTP server settings, which include
the mail queue located in the /var/spool/postfix/ directory, and the application running
under the postfix user and group.
b. Optional: Set up Dovecot to listen for Postfix authentication requests through TCP:
service auth {
    inet_listener {
        port = <port-number>
    }
}
c. Specify the method that the email client uses to authenticate with Dovecot by editing the
auth_mechanisms parameter in /etc/dovecot/conf.d/10-auth.conf file:
auth_mechanisms = plain login
The auth_mechanisms parameter supports different plaintext and non-plaintext
authentication methods.
2. Set up Postfix by modifying the /etc/postfix/main.cf file:
a. Enable SMTP Authentication on the Postfix SMTP server:
smtpd_sasl_auth_enable = yes
b. Enable the use of Dovecot SASL implementation for SMTP Authentication:
smtpd_sasl_type = dovecot
c. Provide the authentication path relative to the Postfix queue directory. Note that the use of
a relative path ensures that the configuration works regardless of whether the Postfix
server runs in chroot or not:
smtpd_sasl_path = private/auth
This step uses UNIX-domain sockets for communication between Postfix and Dovecot.
To configure Postfix to look for Dovecot on a different machine in case you use TCP
sockets for communication, use configuration values similar to the following:
smtpd_sasl_path = inet:<IP_address>:<port_number>
In the previous example, replace <IP_address> with the IP address of the Dovecot machine
and <port_number> with the port number specified in Dovecot's /etc/dovecot/conf.d/10-master.conf
file.
d. Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note
that you can specify different mechanisms for encrypted and unencrypted sessions.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
The previous directives specify that during unencrypted sessions, no anonymous
authentication is allowed and no mechanisms that transmit unencrypted user names or
passwords are allowed. For encrypted sessions that use TLS, only non-anonymous
authentication mechanisms are allowed.
Additional resources
Postfix SMTP server policy - SASL mechanism properties
Postfix and Dovecot SASL
Configuring SASL authentication in the Postfix SMTP server