Postfix

Created on 2020-10-04T00:09:45+00:00

This card pertains to a resource available on the internet.

Configs

No spamming

One of the most important configuration settings:

/etc/postfix/main.cf

smtpd_recipient_restrictions =
	permit_sasl_authenticated,
	permit_mynetworks,
	reject_unauth_destination,
	permit

The first rule lets you send mail out of the server if you are logged in. The second rule allows scripts running on this server to send mail from it. The third rule rejects mail for any destination this server does not handle, which stops people who are not localhost or logged in from relaying mail through here. It does not affect our users because once a rule matches, no further rules are tested.
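
An added example, not part of the original card and not Postfix's own code: a simplified Python model of the first-match evaluation described above, run against the restriction list and mydestination value from this card. The function names are hypothetical. It models permit_mynetworks as "client is loopback" and treats only mydestination as an authorised destination.

```python
import ipaddress

# Constructed sample input: the two main.cf settings shown on this card.
MAIN_CF = """\
smtpd_recipient_restrictions =
\tpermit_sasl_authenticated,
\tpermit_mynetworks,
\treject_unauth_destination,
\tpermit
mydestination=iceworks, iceworks.cc, localhost, localhost.iceworks.cc
"""

def parse_main_cf(text):
    """Return {name: [items]}; indented lines continue the previous setting."""
    raw, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            raw[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            raw[name] = value.strip()
    return {k: v.replace(",", " ").split() for k, v in raw.items()}

def decide(cf, sasl_ok, client_ip, rcpt):
    """Walk the restriction list in order; the first rule that matches decides."""
    # Assumption: mynetworks_style = host is modelled as "client is loopback".
    local_client = ipaddress.ip_address(client_ip).is_loopback
    # Assumption: only mydestination counts as an authorised destination here.
    ours = rcpt.rsplit("@", 1)[-1].lower() in cf["mydestination"]
    for rule in cf["smtpd_recipient_restrictions"]:
        if rule == "permit_sasl_authenticated" and sasl_ok:
            return "permit", rule
        if rule == "permit_mynetworks" and local_client:
            return "permit", rule
        if rule == "reject_unauth_destination" and not ours:
            return "reject", rule
        if rule == "permit":
            return "permit", rule
    return "undecided", None  # no rule in this model matched

def without_rule(cf, rule):
    """Copy of cf with one restriction removed, to show what that rule protects."""
    rules = [r for r in cf["smtpd_recipient_restrictions"] if r != rule]
    return {**cf, "smtpd_recipient_restrictions": rules}

if __name__ == "__main__":
    cf = parse_main_cf(MAIN_CF)
    weak = without_rule(cf, "reject_unauth_destination")
    for conf in (cf, weak):
        print(decide(conf, False, "203.0.113.9", "someone@example.org"))
```

With reject_unauth_destination removed, the same unauthenticated remote client falls through to the final permit, which is why that rule has to sit before it.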

Delivering to dovecot

/etc/postfix/main.cf

mailbox_transport = lmtp:unix:private/dovecot-lmtp

Using logins via dovecot

If someone has a valid name/password according to your dovecot server, postfix will count that person as authorized.

/etc/postfix/main.cf

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

SSL is cool and good

/etc/postfix/main.cf

smtpd_tls_cert_file=/path/to/cert
smtpd_tls_key_file=/path/to/key
smtpd_tls_CAfile=/path/to/ca
smtpd_use_tls = yes

Let's Encrypt keys are perfectly valid here. Use something like `acme.sh` to get them.

Only trust yourself

Sets the "mynetworks" authentication rules to only count the server itself as a trusted node.

It is possible to set this to other things; perhaps everyone on your LAN is allowed to send e-mail here.

I don't think anyone does this anymore.

/etc/postfix/main.cf

mynetworks_style = host

Valid destinations

Tells postfix that when someone is talking about sending things to iceworks, they mean us.

Otherwise it will try to forward it to someone else. Possibly this will also fail because the person trying to give us mail isn't permitted to send messages to anyone else here.

/etc/postfix/main.cf

mydestination=iceworks, iceworks.cc, localhost, localhost.iceworks.cc

The "localhost" parts are a bit stupid but apparently necessary.

No identity crises

/etc/postfix/main.cf

inet_interfaces = $myhostname, localhost
myhostname = iceworks.cc

Accept encrypted mail tunnels

/etc/postfix/master.cf

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes