Postfix
Created on 2020-10-04T00:09:45+00:00
- Generally considered one of the most secure MTAs.
- Very old, battle tested.
- More annoying to set up than Exim.
Configs
- /etc/postfix/master.cf: defines the services (listening ports, transports, and the daemons that run them) and per-service process settings.
- /etc/postfix/main.cf: global defaults for all Postfix daemons; any main.cf parameter can be overridden for a single service with a `-o name=value` line in master.cf.
No spamming
One of the most important configuration settings, because getting it wrong makes you an open relay:
/etc/postfix/main.cf
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
- permit_sasl_authenticated: accept if the client has authenticated with SASL (say, a valid dovecot account credential), whatever the destination.
- permit_mynetworks: accept if the client IP is in $mynetworks (say, localhost, so a local script can send mail without a login.)
- reject_unauth_destination: reject unless the envelope recipient (the RCPT TO address, not the To: header) is in a domain this server accepts mail for: $mydestination, the virtual alias/mailbox domains, or $relay_domains. This is the rule that stops relaying.
- permit: accept anything that has reached the end of the list.
Restrictions are evaluated left to right and the first permit or reject that matches decides the result; later rules are not consulted. So the first rule lets logged-in users send mail anywhere, the second lets local scripts do the same, and the third refuses relaying to anyone else while still letting them deliver to our own domains. Order matters: a bare permit placed before reject_unauth_destination would accept everything. Since Postfix 2.10 the same check also lives in smtpd_relay_restrictions, whose default (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) is enforced in addition to this list, but keep the rule here as well so older versions and explicit overrides stay safe.
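As an added check (not part of the original notes): a small POSIX shell lint that takes the value of smtpd_recipient_restrictions or smtpd_relay_restrictions and confirms that reject_unauth_destination (or defer_unauth_destination) appears before any bare permit, since a permit reached first ends the evaluation. The sample values are constructed; on a live server feed it `postconf -h smtpd_recipient_restrictions`.

```shell
#!/bin/sh
# Added example, not from the original notes: lint a Postfix restriction list.
# check_relay_policy VALUE
#   returns 0 when an unauthorised-destination check is present and comes
#   before any unconditional "permit"; returns 1 otherwise (open relay).
check_relay_policy() {
    policy=$1
    seen_reject=0
    # Postfix accepts commas and/or whitespace as list separators.
    for item in $(printf '%s' "$policy" | tr ',' ' '); do
        case $item in
            reject_unauth_destination|defer_unauth_destination)
                seen_reject=1 ;;
            permit)
                # A bare "permit" is final; if the relay check has not run yet,
                # every client can relay through us.
                [ "$seen_reject" -eq 1 ] || return 1 ;;
        esac
    done
    # No relay check anywhere in the list is equally bad.
    [ "$seen_reject" -eq 1 ]
}

# Constructed sample values (not taken from any real server).
GOOD='permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit'
OPEN_RELAY='permit_sasl_authenticated, permit_mynetworks, permit, reject_unauth_destination'
NO_CHECK='permit_sasl_authenticated permit_mynetworks permit'

for p in "$GOOD" "$OPEN_RELAY" "$NO_CHECK"; do
    if check_relay_policy "$p"; then
        printf 'OK   : %s\n' "$p"
    else
        printf 'OPEN : %s\n' "$p"
    fi
done
```

permit_mynetworks and permit_sasl_authenticated ahead of the check are fine, because those clients are meant to relay; what the lint flags is an unconditional permit (or no check at all) ahead of the destination check.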
Delivering to dovecot
/etc/postfix/main.cf
    mailbox_transport = lmtp:unix:private/dovecot-lmtp
The socket path is relative to Postfix's queue directory, so dovecot's lmtp service has to create its unix listener under /var/spool/postfix/private/ (with ownership the postfix user can reach). With this set, local mailbox delivery goes over LMTP to dovecot instead of Postfix writing mailboxes itself.
Using logins via dovecot
If someone has a valid name/password according to your dovecot server, Postfix will count that person as SASL-authenticated (which is what permit_sasl_authenticated checks).
/etc/postfix/main.cf
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
As with LMTP, private/auth is relative to the queue directory, so dovecot's auth service must listen on /var/spool/postfix/private/auth. Because this offers AUTH to the world, only allow it over TLS (smtpd_tls_auth_only = yes, or enable SASL only on the TLS-protected services in master.cf) so passwords never cross the wire in the clear.
SSL is cool and good
/etc/postfix/main.cf
    smtpd_tls_cert_file = /path/to/cert
    smtpd_tls_key_file = /path/to/key
    smtpd_tls_CAfile = /path/to/ca
    smtpd_tls_security_level = may
smtpd_use_tls = yes is the pre-2.3 spelling and is overridden by smtpd_tls_security_level; "may" offers STARTTLS opportunistically, "encrypt" would require it (fine for submission, not for a public port 25). The certificate file must contain the full chain (server certificate followed by the intermediates), since that file is what Postfix sends to clients; smtpd_tls_CAfile is only needed for verifying client certificates. Set smtp_tls_security_level = may as well so outbound mail uses TLS when the other side offers it.
Let's Encrypt keys are perfectly valid here (point smtpd_tls_cert_file at the fullchain file). Use something like `acme.sh` to get them.
Only trust yourself
Sets $mynetworks, the list of client addresses permit_mynetworks trusts, to only the server's own addresses (loopback plus the addresses of its interfaces).
It is possible to set this to other things; perhaps everyone on your LAN is allowed to send e-mail here without logging in.
I don't think anyone does this anymore.
/etc/postfix/main.cf
    mynetworks_style = host
Check the result with `postconf mynetworks`; anything listed there can relay through this server without authenticating.
Valid destinations
Tells Postfix which domains are "us": mail for these recipients is delivered locally instead of being treated as relay traffic.
Without this, mail for our own domain counts as an unauthorised destination, and reject_unauth_destination refuses it from anyone who is not localhost or logged in.
/etc/postfix/main.cf
    mydestination = iceworks, iceworks.cc, localhost, localhost.iceworks.cc
The "localhost" parts are a bit stupid but apparently necessary: local programs address mail to localhost and localhost.$mydomain, and those names must be recognised as local too.
No identity crises
/etc/postfix/main.cf
    myhostname = iceworks.cc
    inet_interfaces = $myhostname, localhost
myhostname is what the server announces in the SMTP greeting and in Received: headers, so it must be the public name the MX record points at. inet_interfaces limits which addresses Postfix listens on (hostnames are resolved at startup); a change to it needs a full stop and start, not just a reload.
Accept encrypted mail tunnels
/etc/postfix/master.cf
    smtps     inet  n       -       n       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
The first line is a standard master.cf service entry (service, type, private, unprivileged, chroot, wakeup, maxproc, command); smtps is the /etc/services name for TCP port 465. The indented lines belong to that entry.
- -o: override a main.cf option for this specific service only; every other smtpd instance keeps the main.cf value.
- smtpd_tls_wrappermode: says this instance wraps the entire connection in TLS; there is no STARTTLS command, the client performs the TLS handshake immediately upon connecting. Port 25 keeps STARTTLS so other MTAs can still talk to us.
- syslog_name: tags this service's log lines so you can tell port 465 logins apart from port 25 traffic when reading mail.log.
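As an added example (not from the original notes): a POSIX shell function that parses master.cf and reports which inet smtpd services run in wrapper mode, which is a quick way to confirm that port 465 really got the override and that no other listener did by accident. The master.cf text below is constructed; the chroot column and ports follow a typical Debian layout, which is an assumption. On a real system call it with `smtpd_services "$(cat /etc/postfix/master.cf)"`.

```shell
#!/bin/sh
# Added example, not from the original notes: list inet smtpd services in
# master.cf and whether each one has smtpd_tls_wrappermode=yes.
# master.cf format: a service line with eight columns
#   service type private unpriv chroot wakeup maxproc command
# followed by indented continuation lines carrying "-o name=value" overrides,
# which apply to the most recent service line.

# Constructed master.cf fragment used as sample input (assumption: Debian-style layout).
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
pickup    unix  n       -       y       60      1       pickup
'

# smtpd_services MASTERCF_TEXT
#   prints "<service> <yes|no>" for every inet service whose command is smtpd.
smtpd_services() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (svc != "" && type == "inet" && cmd == "smtpd") print svc, wrap
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
        /^[^[:space:]]/ { flush(); svc = $1; type = $2; cmd = $8; wrap = "no"; next }
        $1 == "-o" && $2 == "smtpd_tls_wrappermode=yes" { wrap = "yes" }  # continuation
        END { flush() }
    '
}

# wrappermode_enabled MASTERCF_TEXT SERVICE
#   returns 0 if SERVICE is an inet smtpd service with wrapper mode on, else 1.
wrappermode_enabled() {
    smtpd_services "$1" | awk -v s="$2" '$1 == s && $2 == "yes" { found = 1 } END { exit found ? 0 : 1 }'
}

smtpd_services "$SAMPLE_MASTER_CF"
```

With the sample above the output is one line each for smtp (no), submission (no) and smtps (yes); the pickup service is skipped because it is a unix socket, not a listener.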