Postfix Installation

From Sea of Fate
Latest revision as of 21:19, 24 February 2026

Introduction

Installing Postfix on Lime is not too difficult, and if more instructions are needed a quick web search should turn up several more verbose installation and error-checking notes.

Install Postfix

Postfix can be installed with apt; the command is no more complicated than

sudo apt install postfix

Once the install gets going it asks a few questions; either answer them now or add them to a config file later. The first question is something like "General type of mail configuration". The two relevant options are "Internet with smarthost", which would deliver local mail locally but use the smarthost for outgoing mail, and, as there is no real need for local mail, the better option for me:

Satellite System

If this were a company email system sending email directly from Postfix, the best option would be "Internet site", but that would need a fixed internet-facing IP address. The next question is about the system name, so in my case

seaoffate.net

Any name could be used, but as that is the domain name it made more sense. The last question is about the SMTP relay host; note that the relay host should be wrapped in square brackets so that Postfix does not do an MX lookup on it. I guess that if "Internet site" had been chosen earlier there would be different questions. To use Brevo as a relay, the SMTP relay host should be

 [smtp-relay.brevo.com]:587

The setup should finish at this point; the extra config has to go in the file /etc/postfix/main.cf, so type

sudo nano /etc/postfix/main.cf

In the config some settings may already be configured, but make sure that at least these are present:

  • Outgoing relay configuration
relayhost = [smtp-relay.brevo.com]:587
  • Enable SASL authentication for outgoing mail
smtp_sasl_auth_enable = yes
  • Specify the password file and format; make sure this points to the file that will be created below
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  • Security options: disable anonymous logins
smtp_sasl_security_options = noanonymous
  • Enable STARTTLS encryption. Use 'yes' for STARTTLS on port 587; 'encrypt' is for implicit SSL/TLS, usually on port 465
smtp_use_tls = yes
  • Specify the local domains only (remove seaoffate.net from this option). Keep the line to just the value: Postfix does not support a comment after a value on the same line, so anything after a "#" there would become part of the value
mydestination = localhost.localdomain, localhost
  • Make sure smtpd_relay_restrictions has permit_mynetworks at or close to the beginning of the list
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  • mynetworks should include any other hosts that need to use this MTA, e.g. the production network; adjust this if yours lists specific IPs
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24
  • Make sure that Postfix is listening on all of the host's interfaces that it should
inet_interfaces = all
  • Optional, but recommended: path to the CA certificates for verifying the relay server's certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Once that is done we need to create the password file. We have specified that it will be /etc/postfix/sasl_passwd, so the command is

sudo nano /etc/postfix/sasl_passwd

The file needs a line of the form

[smtp-relay.brevo.com]:587 TheBrevoUsername:TheBrevoPassword

Obviously, chmod the file to 600 so that only root can read the credentials:

sudo chmod 600 /etc/postfix/sasl_passwd

Then create the hash DB /etc/postfix/sasl_passwd.db from that file with the command

sudo postmap /etc/postfix/sasl_passwd

That should be all that is needed to get Postfix working, so a restart will activate the config changes:

sudo systemctl restart postfix

Testing

Once Postfix has restarted it should be ready to roll. As there is no mail client installed to write an email with, we use the mail command from mailutils; if it isn't installed:

sudo apt install mailutils

Then send a test email with something like

echo "This is the test body of the email." | mail -s "Postfix Relay Test via Brevo" [email protected]

It is probably better to open another SSH terminal first and watch the mail log with

tail -f /var/log/mail.log

Error Message

One obvious set of error messages is

postfix/smtp[167780]: error: open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/smtp[167780]: warning: hash:/etc/postfix/sasl_passwd is unavailable. open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/smtp[167780]: warning: hash:/etc/postfix/sasl_passwd lookup error for "smtp-relay.brevo.com"
postfix/smtp[167780]: warning: 1B73C29D44: smtp_sasl_password_maps lookup error 

These mean that there is no password file or it is in the wrong place. Check inside the config for the line that gives the path to the password maps (smtp_sasl_password_maps), ls the directory it specifies and look for a file sasl_passwd.db; if it is not present it needs to be created with a command like

sudo postmap /etc/postfix/sasl_passwd

or whatever path is in the config. If postmap fails, check the sasl_passwd file:

sudo nano /etc/postfix/sasl_passwd

It should have the line

[smtp-relay.brevo.com]:587 TheBrevoUsername:TheBrevoPassword

The format is important. When sasl_passwd is correct, re-run the postmap command so that it creates sasl_passwd.db, then do

sudo systemctl restart postfix

The errors in the tail output should stop and the email should be sent.
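The checks the sections above describe by hand (bracketed relayhost, SASL switched on, the validated domain kept out of mydestination, a 600-mode password file with a .db beside it) can be scripted. The following is an added example, not part of the Sea of Fate wiki or of Postfix itself: it lints a main.cf-style file and a sasl_passwd file whose paths are passed in, so it can be run against copies without touching the live /etc/postfix. Two of its checks go beyond the page: Postfix does not support a comment after a value on the same line, and a mynetworks of 0.0.0.0/0 would turn the host into an open relay.

```shell
#!/bin/sh
# Added example (not from the Sea of Fate wiki): lint the relay settings
# described on this page. Paths are arguments; nothing on the system is changed.

# Print the value of KEY ($2) from FILE ($1); the last definition wins, as in Postfix.
cf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//"
}

# Lint FILE (a main.cf) for the validated DOMAIN. Prints one line per problem
# and returns the number of problems found (0 = clean).
cf_lint() {
    file=$1; domain=$2; problems=0

    # 1. Postfix has no inline comments: "mydestination = localhost # note"
    #    silently makes "# note" part of the value.
    if grep -Eq '^[[:space:]]*[a-z_]+[[:space:]]*=.*#' "$file"; then
        echo "inline comment on a setting line (Postfix treats it as part of the value)"
        problems=$((problems + 1))
    fi

    # 2. relayhost must be in square brackets so no MX lookup is done for it.
    rh=$(cf_get "$file" relayhost)
    case "$rh" in
        \[*\]*) ;;
        *) echo "relayhost '$rh' is not in square brackets"; problems=$((problems + 1)) ;;
    esac

    # 3. SASL auth and a hash: password map must both be set for the relay login.
    [ "$(cf_get "$file" smtp_sasl_auth_enable)" = yes ] \
        || { echo "smtp_sasl_auth_enable is not yes"; problems=$((problems + 1)); }
    case "$(cf_get "$file" smtp_sasl_password_maps)" in
        hash:*) ;;
        *) echo "smtp_sasl_password_maps is not a hash: map"; problems=$((problems + 1)) ;;
    esac

    # 4. The validated domain must not be in mydestination, or mail for it is
    #    delivered locally instead of being relayed.
    case " $(cf_get "$file" mydestination | tr ',' ' ') " in
        *" $domain "*) echo "mydestination contains $domain"; problems=$((problems + 1)) ;;
    esac

    # 5. mynetworks is an unauthenticated relay allow-list: 0.0.0.0/0 would make
    #    the host an open relay for anyone who can reach port 25.
    case "$(cf_get "$file" mynetworks)" in
        *0.0.0.0/0*) echo "mynetworks allows 0.0.0.0/0 (open relay)"; problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Check the SASL password file: mode 0600, every entry "[relay]:port user:pass",
# and the .db that postmap builds present beside it (the "open database ...
# No such file or directory" messages above mean it is not).
sasl_passwd_check() {
    f=$1; problems=0
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || { echo "$f mode is $mode, expected 600"; problems=$((problems + 1)); }
    if grep -Ev '^[[:space:]]*(#|$)' "$f" \
        | grep -Evq '^\[[^]]+\](:[0-9]+)?[[:space:]]+[^:[:space:]]+:.+$'; then
        echo "$f has a line that is not '[relay]:port user:password'"
        problems=$((problems + 1))
    fi
    [ -f "$f.db" ] || { echo "$f.db missing: run postmap $f"; problems=$((problems + 1)); }
    return "$problems"
}
```

Run it as `cf_lint /etc/postfix/main.cf seaoffate.net; sasl_passwd_check /etc/postfix/sasl_passwd` (with sudo, since the password file is mode 600); a non-zero exit means something in the list above needs fixing, and the printed lines say which.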

Joomla Configuration

To set Joomla to use Postfix as its MTA, go to System -> Global Configuration -> Server, scroll down to Mail and set Mailer to PHP Mail. After saving, send a test email and it should just work. Now that Postfix is doing the auth to Brevo, Joomla can just use local PHP mail, so there is no need to negotiate any SSL/TLS because Postfix does it all. Postfix is a well-known, reliable, mature and robust service, so it should be reasonably secure, especially as hostile actors cannot directly connect to it; it is only for the websites to use.

Media Wiki Configuration

We have set mynetworks and smtpd_relay_restrictions to allow production to use the Postfix MTA, so there is no need to have Logan install Postfix. All we need to do to get MediaWiki sending email is to edit the ubiquitous LocalSettings.php. The item to set is $wgSMTP, so we ssh to Logan, cd to the public_html dir, then

sudo nano LocalSettings.php

CTRL + W and search for $wgSMTP, then add a block so it looks like

$wgSMTP = [
    'host' => '192.168.100.10', // the IP of lime
    'port' => 25,               // SMTP port with no encryption; this is a private LAN so there is no need for SSL
    'auth' => false,            // authentication is not needed on a private LAN like this
    // 'username' => '',        // auth is false so no username required
    // 'password' => '',        // no need for a password if there is no username
    // 'encryption' => '',      // we are on port 25 so no encryption
];

Save and exit and it should be good to go. A simple test is to change the email address of a wiki user and confirm the new address from the email it sends.


Postfix configuration for other hosts

For servers that do not need to talk to Brevo directly, we configure them as null clients: they simply hand off all mail to Plum over the local network. This keeps the Brevo credentials, and the troubleshooting, on one machine.

Simplified Configuration

To allow any virtual machine to send email we could set it up to forward directly to Brevo, but it is a lot simpler to have the extras send their email through Plum's Postfix. To install Postfix on another host, go through the same installation procedure as listed above and choose Satellite System as the type. Set the relay host to Plum's internal IP (use the square brackets):

sudo postconf -e "relayhost = [192.168.100.22]"

Note: Plum must be configured to accept email from the client host or the email will be dropped.

On Plum check the /etc/postfix/main.cf file to make sure that the client's IP address is allowed:

sudo nano /etc/postfix/main.cf

Search for the line starting with

mynetworks =

and make sure that it includes the IP or IP range of the client. If it is missing, add a space and then the IP or range; e.g. to add the infra VLAN (192.168.110.0/24) the existing line

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24

becomes

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24 192.168.110.0/24

Validated Domain

Microsoft, Gmail and other big companies will only accept emails that carry some form of validation as evidence that they are not spam or malicious. To be on the "nice list" email must come from an actual domain and have DKIM (DomainKeys Identified Mail) set up. The simplest method is to have Brevo place the required DNS records in the domain's Cloudflare zone: in Brevo look at Home -> Settings from the top-right menu, then Senders, Domains & Dedicated IPs -> Domains from the left panel, and add a domain. The authentication is virtually automated but you need to log in to Cloudflare and allow Brevo to add the records to the correct domain. DKIM allows you to sign your emails with your own domain, just like signing a letter. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that protects a domain from unauthorized use, such as phishing or spoofing. A DMARC policy can be set up to determine what happens to emails that fail the DMARC authentication checks.

Address Rewriting

Brevo only accepts validated domains, and the only domains that have been validated by Brevo are seaoffate.net, seaoffate.uk and seaoffate.co.uk. Brevo will reject any email where the "From" domain is not validated, including subdomains: e.g. [email protected] is not accepted but [email protected] is accepted. Each host will by default use its own FQDN, e.g. raisin.seaoffate.net, and will therefore be rejected by Brevo when the mail eventually reaches them. To fix the subdomain problem and make emails acceptable to Brevo we can use canonical mapping to mask the internal hostname with our valid domain. First create the mapping file:

sudo nano /etc/postfix/sender_canonical_regexp

Add the RegEx rules that preserve the username but fix the domain to seaoffate.net:

/^([^@]+)@raisin\.seaoffate\.(local|net)$/  ${1}@seaoffate.net
/^([^@]+)@localhost$/                     ${1}@seaoffate.net

Then, to apply the changes and restart Postfix:

sudo postconf -e "sender_canonical_maps = regexp:/etc/postfix/sender_canonical_regexp"
sudo systemctl restart postfix

From this moment on, any email sent from raisin with the default from address [email protected] or [email protected] will have the from field rewritten to [email protected]; we also included the localhost rewrite rule because some apps insist on sending from localhost. It is also possible to have specific, static rewrite rules using:

sudo nano /etc/postfix/sender_canonical

and adding some fixed rewrite rules:

nigel        [email protected]
root         [email protected]
@raisin.seaoffate.local [email protected]

To apply just the fixed rules and not the regex rules, use:

sudo postmap /etc/postfix/sender_canonical
sudo postconf -e "sender_canonical_maps = hash:/etc/postfix/sender_canonical"
sudo systemctl restart postfix

or alternatively, to use both the fixed and the regex rules so that there is a specific rewrite for some users and a generic rewrite for the rest, first define both files in main.cf (the order matters: hash first, then regexp):

sudo postconf -e "sender_canonical_maps = hash:/etc/postfix/sender_canonical, regexp:/etc/postfix/sender_canonical_regexp"

Map the static file (this creates/updates the .db file):

sudo postmap /etc/postfix/sender_canonical

There is no need to postmap the regexp file; just restart to load the config:

sudo systemctl restart postfix

How the "Double Map" Works

  • When an email is sent, Postfix performs the lookup like this:
    • Check sender_canonical (hash): is there an exact match for nigel? If yes, use the specific value written there (e.g. [email protected]) and stop looking.
    • Check sender_canonical_regexp (regexp): if no exact match was found, does the address fit the pattern /^([^@]+)@raisin\.seaoffate\.local$/? If yes, rewrite it to ${1}@seaoffate.net.
    • Default: if neither matches, the mail is sent as-is (which usually results in a Brevo rejection).
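The double-map lookup just described, and the regexp table added in the Address Rewriting section, can be dry-run without restarting Postfix. The following is an added example, not part of the Sea of Fate wiki or of Postfix: a small shell model of the sender_canonical lookup that takes an address, the hash-style file and the regexp file as arguments and prints the rewritten sender. The table contents it expects are the ones shown above; the addresses in the usage note are constructed. One simplification to be aware of: real Postfix only tries the bare "user" key when the address's domain is local (see canonical(5)), whereas this model always tries it.

```shell
#!/bin/sh
# Added example (not from the Sea of Fate wiki): model the sender_canonical
# "double map" so the hash and regexp tables can be checked before Postfix
# loads them. Assumption: the bare-user lookup is always attempted here,
# while Postfix does it only for local domains.

# Hash-style table lookup ("key value" lines) in Postfix's canonical order:
# full address, then the local part, then @domain. The first hit wins.
canon_hash_lookup() {
    addr=$1; table=$2
    user=${addr%@*}; dom=${addr#*@}
    for key in "$addr" "$user" "@$dom"; do
        hit=$(awk -v k="$key" '$1 == k { print $2; exit }' "$table")
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
    done
    return 1
}

# regexp: table lookup ("/pattern/ replacement" lines). Each pattern is run
# through sed -E; ${1} in the replacement becomes sed's \1. The first line
# that changes the address wins. (Patterns containing '#' would need a
# different sed delimiter than the one used here.)
canon_regexp_lookup() {
    addr=$1; table=$2
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        pat=$(printf '%s\n' "$line" | sed -E 's#^/(.*)/[[:space:]]+.*$#\1#')
        rep=$(printf '%s\n' "$line" | sed -E 's#^/.*/[[:space:]]+(.*)$#\1#; s/\$\{([0-9])\}/\\\1/g')
        out=$(printf '%s\n' "$addr" | sed -E "s#${pat}#${rep}#")
        if [ "$out" != "$addr" ]; then printf '%s\n' "$out"; return 0; fi
    done < "$table"
    return 1
}

# The double map: hash first, then regexp; if neither matches the address is
# passed through unchanged, which is exactly what Brevo then rejects.
rewrite_sender() {
    canon_hash_lookup "$1" "$2" || canon_regexp_lookup "$1" "$3" || printf '%s\n' "$1"
}
```

With the two files from this section, `rewrite_sender www-data@raisin.seaoffate.local /etc/postfix/sender_canonical /etc/postfix/sender_canonical_regexp` shows which rule caught a given sender: an address with a bare-user entry in the hash file is rewritten by that entry, an address on the listed domain is caught by the @domain entry, and addresses on raisin.seaoffate.net or localhost fall through to the regexp rules. The hash file must still be run through postmap before Postfix itself will use it.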