Sometimes you want a backup mail server: something that will accept mail and hold it for delivery until your primary mail server is available again. This is the purpose of a backup MX (the MX refers to the type of DNS record that mail exchangers use; a backup MX is just an MX record with a higher preference number, i.e. lower priority, than the primary). Because a backup MX accepts mail for a domain whose users it does not know, it is a favourite target for spammers; the recipient verification and postscreen settings later on are what keep it from becoming a source of backscatter.
Basic Postfix Config
Bits I added:
- IPv6
- A maximum queue lifetime. Adjust this to your own needs: if the primary may be down for a week or more, give the queue plenty of time, because once a message has waited maximal_queue_lifetime in the queue it is bounced back to the sender.
- mydestination must not list the domain you are backing up. Anything in mydestination is treated as local, so Postfix would try to deliver that domain's mail to local mailboxes (and reject the unknown users) instead of relaying it.
alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = backup-mx.domain.tld
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
unknown_local_recipient_reject_code = 550
TLS/SSL
I’m not covering the generation of keys, see a previous post in this series about generating all the SSL bits.
Enabling SSL/TLS in main.cf. A few notes on the settings below: smtp_use_tls and smtpd_use_tls are the old pre-2.3 switches and are superseded by the *_tls_security_level parameters, so they are harmless but redundant. "!SSLv2, !SSLv3" only excludes the two SSL versions and still allows TLS 1.0 and 1.1; with compatibility_level 3.6 you can write ">=TLSv1.2" for the four *_protocols parameters instead. The dh512 parameter file is only consulted for export-grade ciphers, which current OpenSSL builds no longer offer. Keep the security level at "may" on a backup MX: inbound MX-to-MX delivery is opportunistic STARTTLS, and "encrypt" would make you refuse mail from every sender that cannot do TLS.
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random
Not quite done here, we also need to adjust master.cf.
These lines need to be uncommented, and depending on the ordering in your master.cf you may need to move them so the service line and its -o lines stay together. Note that inbound MX-to-MX mail arrives on port 25 and negotiates STARTTLS there; the implicit-TLS smtps service on 465 only serves authenticated submission, so a pure backup MX can leave it commented out.
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
service postfix restart
You should now be able to run sockstat -4l (or plain sockstat -l, which also shows the IPv6 listeners that inet_protocols enables) and see
[louisk@backup-mx postfix 89 ]$ sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root master 9549 13 tcp4 *:25 *:*
root master 9549 27 tcp4 *:465 *:*
root sshd 1014 4 tcp4 *:22 *:*
root syslogd 513 7 udp4 *:514 *:*
[louisk@backup-mx postfix 90 ]$
The 465 entry tells you that postfix is listening on the SMTPS port (TCP/465); the 25 entry is the one that matters for backup MX duty.
Relay
The relay settings point at two lookup tables that you create after adding these lines to main.cf:
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
transport_maps = hash:$config_directory/transport
The transport file maps each backed-up domain to its primary. The brackets around the next hop tell Postfix to connect to that host name directly (A/AAAA lookup) instead of looking up MX records for it:
domain.tld smtp:[final.destination.domain.tld]
The relaydomains file lists the domains this host accepts mail for. Only the left-hand key matters; the right-hand side just has to be non-empty:
domain.tld OK
Both files are plain text and have to be compiled into the hash tables Postfix actually reads, then Postfix needs a restart (a reload is enough if only the maps changed):
postmap /usr/local/etc/postfix/relaydomains
postmap /usr/local/etc/postfix/transport
service postfix restart
Leaving relay_recipient_maps empty means Postfix has no list of valid users for the relayed domains, so it relies on reject_unverified_recipient (in the full main.cf below) to ask the primary whether each recipient exists. While the primary is unreachable, probes for recipients that are not already in the verify cache fail with a temporary error and Postfix answers 450, so the sender retries later; only recipients with a cached positive result (kept for 31 days by default) are accepted and queued. That is the price of not giving the backup MX a recipient list, and it is what stops it accepting mail for nonexistent users and bouncing it afterwards.
At this point you should be able to send a message and watch /var/log/maillog show it relayed to the primary ("relay=final.destination.domain.tld[...]" in the delivery line). Something like
echo "test" | mail -s "test" user@relay-domain.tld
Remember that this goes in through the local pickup service rather than smtpd, so it exercises the transport but not the recipient restrictions; to test those, send from a host outside mynetworks.
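The three inputs above (main.cf, relaydomains, transport) interact in ways that only show up as bounced or looped mail. The following checker is an added example, not code from the original post or from Postfix: it parses constructed sample copies of those files and flags a relay domain that is also in mydestination (the point made in the introduction), a relay domain with no transport entry, a next hop without brackets (which sends Postfix off to do an MX lookup), and a transport entry for a domain that relay_domains does not cover. The sample file contents and the hypothetical host mx.example.org are invented for the example.

```python
"""Sanity-check the relay settings of a Postfix backup MX.

Added example, not part of the original post or of Postfix. It parses the
three inputs the Relay section describes (main.cf, relaydomains, transport)
and flags the mistakes that turn a backup MX into a mail loop or a
local-delivery black hole. All inputs below are constructed samples.
"""
import re

# Constructed sample inputs (not files from the post).
SAMPLE_MAIN_CF = """\
myhostname = backup-mx.domain.tld
mydomain = domain.tld
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = hash:$config_directory/relaydomains
transport_maps = hash:$config_directory/transport
"""

SAMPLE_RELAYDOMAINS = """\
domain.tld OK
example.org OK
"""

SAMPLE_TRANSPORT = """\
domain.tld smtp:[final.destination.domain.tld]
example.org smtp:mx.example.org
"""


def parse_main_cf(text):
    """Return {name: value} with $name references expanded."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        params[name] = value

    def expand(value):
        return re.sub(r"\$(\w+)", lambda m: expand(params.get(m.group(1), "")), value)

    return {k: expand(v) for k, v in params.items()}


def parse_map(text):
    """Parse the source of a hash: table: 'key value' per line, # comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = value.strip()
    return table


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def check_relay_config(main_cf, relaydomains, transport):
    """Return a list of human-readable problems; empty means the relay setup is consistent."""
    params = parse_main_cf(main_cf)
    mydest = {d.lower() for d in split_list(params.get("mydestination", ""))}
    relay = parse_map(relaydomains)
    trans = parse_map(transport)
    problems = []
    for domain in relay:
        if domain in mydest:
            problems.append(f"{domain}: listed in both mydestination and relay_domains; "
                            "Postfix treats it as local and never relays it")
        nexthop = trans.get(domain)
        if nexthop is None:
            problems.append(f"{domain}: no transport entry, so the next hop is found by "
                            "MX lookup instead of the configured primary")
            continue
        transport_name, _, host = nexthop.partition(":")
        if transport_name not in ("smtp", "relay"):
            problems.append(f"{domain}: unexpected transport '{transport_name}'")
        if host and not (host.startswith("[") and host.endswith("]")):
            problems.append(f"{domain}: next hop '{host}' is not bracketed, so Postfix "
                            "looks up MX records for it rather than connecting to it")
    for domain in trans:
        if domain not in relay:
            problems.append(f"{domain}: in transport but not in relay_domains; mail for it "
                            "is refused by reject_unauth_destination")
    return problems


if __name__ == "__main__":
    for p in check_relay_config(SAMPLE_MAIN_CF, SAMPLE_RELAYDOMAINS, SAMPLE_TRANSPORT):
        print(p)
```

Run against the samples it reports only the unbracketed example.org next hop. Point it at the real files (postconf -n output, /usr/local/etc/postfix/relaydomains and transport) before running postmap, and add the domain you are backing up to mydestination to see the local-delivery trap reported.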
Postscreen
We should have a functional mail relay now, but we want to add some basic checks on incoming mail to reduce the junk. Postscreen is a nice built-in tool for this: it sits in front of smtpd on port 25, scores each new client against the DNSBLs and a few protocol checks, and only hands well-behaved clients on to a real smtpd process. Familiarize yourself with it in the Postfix POSTSCREEN_README. Two things to know before enabling the settings below: the "deep" protocol tests (pipelining, non_smtp_command, bare_newline) can only run after postscreen has read the client's commands, so a client that passes them is still told to come back later (4XX) the first time and is let through on its retry, with the verdict cached for the configured TTL; legitimate MTAs retry, most spam cannons do not. Also, Postfix 3.6 renamed the blacklist/whitelist parameters to postscreen_denylist_action, postscreen_dnsbl_allowlist_threshold and postscreen_allowlist_interfaces; the old names used here still work as aliases.
main.cf additions
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
You may want to change the weights of the DNSBLs based on your own mail traffic. The arithmetic is simple: every list that answers for the client adds its weight (1 when none is given), a total of postscreen_dnsbl_threshold (3) or more triggers postscreen_dnsbl_action, and a total at or below postscreen_dnsbl_whitelist_threshold (-1) lets the client skip the remaining tests. So one hit on zen.spamhaus.org is enough on its own, while the *1 lists need three independent listings. Check each list before relying on it: some require registration or a paid key for non-trivial volume, and an entry without an =filter counts any answer at all as a listing, including the 127.255.255.x codes Spamhaus returns when your queries are refused or over the free limit, which would score every client as listed and block all mail. Writing zen.spamhaus.org=127.0.0.[2..11]*3 restricts the match to real listing codes.
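To make the weighting concrete, here is an added example (not code from the original post or from Postfix) that parses the page's own postscreen_dnsbl_sites string, including the site=filter*weight syntax with [lo..hi] octet ranges, and scores a client from a constructed set of DNSBL answers. The DNS answers are invented inline; nothing is looked up, and the verdict names ("allowlist", "pass", "enforce") are this example's own labels for postscreen's three outcomes.

```python
"""Weighted DNSBL scoring as postscreen applies postscreen_dnsbl_sites.

Added example, not Postfix code. It reproduces the arithmetic behind
postscreen_dnsbl_sites, postscreen_dnsbl_threshold and
postscreen_dnsbl_whitelist_threshold so the weights on the page can be
reasoned about before a client hits the real thing. DNS answers are
constructed inline; nothing is looked up.
"""
import re

# Verbatim from the page's main.cf.
DNSBL_SITES = ("zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 "
               "bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net "
               "swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 "
               "list.dnswl.org=127.[0..255].[0..255].1*-3 "
               "list.dnswl.org=127.[0..255].[0..255].[2..255]*-4")
DNSBL_THRESHOLD = 3          # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -1     # postscreen_dnsbl_whitelist_threshold (0 would disable it)

# domain, optional =filter (dotted quad with [lo..hi] ranges), optional *weight
SITE_RE = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_sites(spec):
    """Turn a postscreen_dnsbl_sites value into [(domain, filter or None, weight)]."""
    sites = []
    for token in spec.split():
        m = SITE_RE.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token}")
        weight = int(m.group("weight")) if m.group("weight") else 1
        sites.append((m.group("domain"), m.group("filter"), weight))
    return sites


def octet_matches(pattern, value):
    """One octet of a filter: either a literal number or a [lo..hi] range."""
    r = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pattern)
    if r:
        return int(r.group(1)) <= value <= int(r.group(2))
    return int(pattern) == value


def filter_matches(filt, answer):
    """Does the A record `answer` satisfy the filter? No filter means any answer counts."""
    if filt is None:
        return True
    pats = re.findall(r"\[\d+\.\.\d+\]|\d+", filt)
    octets = [int(o) for o in answer.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))


def score(answers, sites=None):
    """answers: {dnsbl_domain: [A records returned for the client]} (constructed).

    Returns (total, verdict): 'allowlist' when the client skips the remaining
    postscreen tests, 'enforce' when postscreen_dnsbl_action applies, else 'pass'.
    """
    total = 0
    for domain, filt, weight in sites or parse_sites(DNSBL_SITES):
        if any(filter_matches(filt, a) for a in answers.get(domain, [])):
            total += weight
    if WHITELIST_THRESHOLD and total <= WHITELIST_THRESHOLD:
        return total, "allowlist"
    if total >= DNSBL_THRESHOLD:
        return total, "enforce"
    return total, "pass"


if __name__ == "__main__":
    # Constructed answers: a client on Spamhaus, one on two *1 lists, one on dnswl.
    print(score({"zen.spamhaus.org": ["127.0.0.2"]}))
    print(score({"bl.spamcop.net": ["127.0.0.2"], "dnsbl.sorbs.net": ["127.0.0.6"]}))
    print(score({"list.dnswl.org": ["127.0.5.2"]}))
```

The last case worth trying yourself is an error code rather than a listing: with the unfiltered zen.spamhaus.org*3 entry an answer of 127.255.255.255 scores 3 and is enforced like a real hit, whereas parse_sites("zen.spamhaus.org=127.0.0.[2..11]*3") ignores it.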
master.cf
The first line gets commented out, and the rest of them get uncommented. It should look like this.
#smtp inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
Whole main.cf
Obtained with postconf -n. One thing to watch in smtpd_recipient_restrictions: a permit_* result ends the evaluation of the list, so permit_auth_destination placed ahead of reject_unverified_recipient accepts every recipient in the relay domains without the verification probe ever running, and the backup MX is back to accepting mail for nonexistent users. Keep permit_auth_destination out of this list; relay control belongs in smtpd_relay_restrictions (with reject_unauth_destination early in the recipient list as a second line), and the reject_* checks follow. The legacy names reject_unknown_client, reject_non_fqdn_hostname, reject_invalid_hostname and reject_unknown_hostname are aliases for the *_client_hostname / *_helo_hostname forms used since Postfix 2.3.
alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = backup-mx.domain.tld
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Sendmail 8.10 (Solaris 2.6)
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3], permit_mynetworks, reject_unauth_destination, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_client_hostname, warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unknown_helo_hostname, reject_unverified_recipient, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_unknown_client_hostname, warn_if_reject reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random
transport_maps = hash:$config_directory/transport
unknown_local_recipient_reject_code = 550
Whole master.cf
I’ve removed any lines that are comments.
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
  -o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd