Logging with graylog

 31.08.2022 -  ~7 Minutes

Sometimes you want a backup mail server: something that will accept mail and hold it for delivery until your primary mail server is available again. This is the purpose of a backup MX (MX refers to the mail exchanger DNS record type; the backup is simply an MX record with a lower priority than the primary, and senders fall back to it when the primary does not answer).

Basic Postfix Config

Bits I added to the stock main.cf:

  • IPv6 (inet_protocols)
  • max queue lifetime (maximal_queue_lifetime; adjust this to your own needs. If your mail server may be off for a week or more, give yourself plenty of time in the queue or messages will be bounced).
  • Make sure mydestination does not include an entry for the domain you are backing up. If it did, Postfix would treat that domain as local and reject every recipient with unknown_local_recipient_reject_code (550 below) instead of queueing the mail for the primary.

Resulting main.cf:
alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = backup-mx.domain.tld
mynetworks = 127.0.0.0/24
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
unknown_local_recipient_reject_code = 550

TLS/SSL

I’m not covering the generation of keys, see a previous post in this series about generating all the SSL bits.

Enabling TLS in main.cf

A few notes on the block below before copying it. smtp_use_tls and smtpd_use_tls are the pre-2.3 parameters; once smtp_tls_security_level and smtpd_tls_security_level are set (as they are here) Postfix ignores them, so they can go. The !SSLv2, !SSLv3 exclusion lists still admit TLS 1.0 and 1.1; for the *_mandatory_protocols parameters, Postfix 3.6 accepts >=TLSv1.2 instead. Think before tightening the non-mandatory smtp_tls_protocols and smtpd_tls_protocols the same way: a security level of may is opportunistic TLS, so a peer that cannot do TLS 1.2 may end up in cleartext rather than failing, and being lenient there is the usual choice for an MX. The dh512 parameter file is only consulted for export-grade ciphers, which are disabled by default and gone from OpenSSL 1.1.0 and later; the dh1024 parameter name is historical and the file can hold 2048-bit parameters, as it does here. smtpd_tls_auth_only only matters once SASL authentication is enabled, which this server does not do.

smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols =
	!SSLv2,
	!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols =
	!SSLv2,
	!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols =
	!SSLv2,
	!SSLv3
smtpd_tls_protocols =
	!SSLv2,
	!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random

Not quite done here, we also need to adjust master.cf.

These lines need to be uncommented, and depending on the ordering in master.cf you may need to move things around to keep the uncommented lines together. Note that port 465 is implicit TLS for mail submission; other mail servers deliver to a backup MX on port 25 using STARTTLS, so this listener is optional on a pure backup MX. Nothing here enables SASL, so it behaves like port 25 inside a TLS wrapper and is subject to the same smtpd_relay_restrictions, and the milter_macro_daemon_name option only does anything once a milter is configured.

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING

Then restart:

service postfix restart

You should now be able to run sockstat -4l and see both listeners (use sockstat -46l to see the IPv6 sockets as well, since inet_protocols includes ipv6):

[louisk@backup-mx postfix 89 ]$ sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     9549  13 tcp4   *:25                  *:*
root     master     9549  27 tcp4   *:465                 *:*
root     sshd       1014  4  tcp4   *:22                  *:*
root     syslogd    513   7  udp4   *:514                 *:*
[louisk@backup-mx postfix 90 ]$

The 465 entry tells you that postfix is listening on the SMTPS port (TCP/465); the 25 entry is the normal SMTP listener that other mail exchangers will deliver to.

Relay

There are a couple of files you will need to create after you define these bits in main.cf. Leaving relay_recipient_maps empty means the backup MX accepts any recipient in a relay domain and only learns whether the mailbox exists when it tries to hand the message to the primary; that is what reject_unverified_recipient in the smtpd_recipient_restrictions further down is for, and without it the backup MX becomes a source of backscatter bounces for forged senders.

relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
transport_maps = hash:$config_directory/transport

The transport file maps each relayed domain to its final destination. The square brackets make Postfix connect to that host directly instead of doing an MX lookup for the domain, which would otherwise also find this backup MX. Because the destination is fixed and known, this is also where you can go beyond opportunistic TLS toward the primary with smtp_tls_policy_maps (keyed by the next-hop destination from this table), which the may level alone does not give you.

domain.tld smtp:[final.destination.domain.tld]

The relaydomains file has the format of (the right-hand side is required by the map syntax, but its value is not used for relay_domains)

domain.tld OK

Both are hash: tables, so run postmap on each file to build the .db before restarting:

service postfix restart

At this point you should be able to send a message to a relayed domain and watch it get delivered to the correct destination in /var/log/maillog. Sending from the backup MX itself is the quick check (it is in mynetworks, so it does not exercise the restrictions an outside sender hits); something like

echo "test" | mail -s "test" user@relay-domain.tld
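An added example (not code from the original post) that builds the two map files this section depends on and checks them for the mistakes that quietly break a backup MX: a relay domain with no transport entry, a transport that does an MX lookup instead of naming the primary in brackets, and a relay domain that is also listed in mydestination. The domain names and sample file contents are constructed for the example; point the functions at /usr/local/etc/postfix on the real host. postmap is only run where it is installed, so the checks work anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check the
# relaydomains and transport maps a backup MX relies on. All domains and
# file contents below are constructed for the example.

# Relay domains: first field of each non-comment, non-blank line.
relay_domains() {   # $1 = relaydomains file
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Transport for one domain (empty if none). $1 = transport file, $2 = domain
transport_for() {
    awk -v d="$2" '$0 !~ /^[[:space:]]*#/ && NF > 0 && $1 == d { print $2; exit }' "$1"
}

# Every relay domain needs a transport naming the primary as [host]; the
# brackets suppress the MX lookup that would otherwise find this host too.
check_relay_maps() {   # $1 = relaydomains file, $2 = transport file
    rc=0
    for d in $(relay_domains "$1"); do
        t=$(transport_for "$2" "$d")
        if [ -z "$t" ]; then
            echo "MISSING: $d has no transport entry, delivery would use MX lookup"
            rc=1
        else
            case "$t" in
                smtp:\[*\]*|relay:\[*\]*) ;;
                *) echo "WARN: $d transport '$t' is not in [host] form, MX lookup may loop back here"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# A relay domain listed in mydestination is treated as local, and every
# recipient is rejected with unknown_local_recipient_reject_code (550 here).
check_not_local() {   # $1 = relaydomains file, $2 = value of mydestination
    rc=0
    for d in $(relay_domains "$1"); do
        for m in $(printf '%s' "$2" | tr ',' ' '); do
            [ "$m" = "$d" ] && { echo "LOCAL: $d is also in mydestination"; rc=1; }
        done
    done
    return $rc
}

# Build the hash: tables; skipped where postmap is not installed.
build_maps() {   # $1 = relaydomains file, $2 = transport file
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$1" && postmap "hash:$2"
    else
        echo "postmap not found, skipping .db build" >&2
    fi
}

# Constructed sample maps: nomap.tld has no transport, other.tld skips the brackets.
TMP=$(mktemp -d)
cat > "$TMP/relaydomains" <<'EOF'
# domain      value (ignored for relay_domains, but the map syntax needs one)
domain.tld    OK
other.tld     OK
nomap.tld     OK
EOF
cat > "$TMP/transport" <<'EOF'
domain.tld  smtp:[final.destination.domain.tld]
other.tld   smtp:other.tld
EOF

check_relay_maps "$TMP/relaydomains" "$TMP/transport" \
    && check_not_local "$TMP/relaydomains" "backup-mx.domain.tld, localhost" \
    && build_maps "$TMP/relaydomains" "$TMP/transport"
```

On the real host, feed check_not_local the output of postconf -h mydestination and run build_maps before service postfix restart; the chain stops at the first failing check so a broken map never gets compiled.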

Postscreen

We should have a functional mail relay now, but we want to add some basic checks on incoming mail to reduce the junk. Postscreen is a nice built-in tool for this: it sits in front of smtpd and turns away clients that talk before the greeting, pipeline illegally or are DNSBL-listed, before a real smtpd process is spent on them. Familiarize yourself with it in the Postfix POSTSCREEN_README.

main.cf additions

postscreen_access_list =
	permit_mynetworks,
	cidr:$config_directory/postscreen_access.cidr,
	cidr:$config_directory/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 1d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
	zen.spamhaus.org*3,
	b.barracudacentral.org=127.0.0.[2..11]*2,
	bl.spameatingmonkey.net*2,
	bl.mailspike.net*2,
	bl.spamcop.net,
	dnsbl.sorbs.net,
	swl.spamhaus.org*-4,
	wl.mailspike.net=127.0.0.[17;18]*-1,
	wl.mailspike.net=127.0.0.[19;20]*-2,
	list.dnswl.org=127.[0..255].[0..255].0*-2,
	list.dnswl.org=127.[0..255].[0..255].1*-4,
	list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all

You may want to change the weights of the DNSBLs based on your own mail traffic. Two caveats on the list as written: zen.spamhaus.org*3 without a return-code filter also scores Spamhaus's error responses (127.255.255.x, returned for instance when you query through a public resolver) as listings, so it is safer to write zen.spamhaus.org=127.0.0.[2..11]*3 as the Postfix documentation does; and dnsbl.sorbs.net was shut down in 2024 and should be dropped. A misspelled list name is not an error, just a lookup that never matches, so check the whitelist entries (negative weights) especially carefully.

You should also remove any DNSBL/DNSWL lookups (reject_rbl_client, permit_dnswl_client and the like) from your smtpd_recipient_restrictions, because postscreen already does them and you don't want to do them more than once.

master.cf

The first line gets commented out, and the rest of them get uncommented. It should look like this.

#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

Whole main.cf

Obtained with postconf -n. A few things in it are worth knowing before copying. In smtpd_recipient_restrictions, permit_auth_destination comes second and permits anything addressed to a relay domain, so reject_unverified_recipient (listed twice) and the other checks after it never run for exactly the mail this server exists to handle; putting reject_unauth_destination there instead, with reject_unverified_recipient after it, makes the verification cache in address_verify_map actually get used. mynetworks_style is ignored because mynetworks is set explicitly. The smtpd_banner deliberately advertises a different MTA; that is cosmetic and does nothing against a client that fingerprints greeting behaviour.

address_verify_map = btree:$data_directory/verify_cache
alias_maps = hash:/usr/local/etc/postfix/aliases
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 20d
meta_directory = /usr/local/libexec/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = www.cryptomonkeys.com
mynetworks = 127.0.0.0/24
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr, cidr:$config_directory/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 1d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org=127.0.0.[2..11]*2 bl.spameatingmonkey.net*2 bl.mailspike.net*2 bl.spamcop.net dnsbl.sorbs.net swl.spamhaus.org*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2 list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Sendmail 8.10 (Solaris 2.6)
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_client, warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_hostname, reject_unverified_recipient, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_unknown_hostname, warn_if_reject reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_unknown_client, warn_if_reject reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
smtpd_tls_CAfile = $config_directory/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $config_directory/tls/server.crt
smtpd_tls_dh1024_param_file = $config_directory/tls/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = $config_directory/tls/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_random_source = dev:/dev/random
transport_maps = hash:$config_directory/transport
unknown_local_recipient_reject_code = 550
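An added example, not code from the original post, that serves both the TLS section and this full main.cf: a small lint for postconf -n style output, in POSIX sh and awk so it runs without Postfix installed. It flags the obsolete *_use_tls parameters, the unused dh512 file, exclusion-list protocol settings on mandatory TLS, the permit_auth_destination ordering problem in smtpd_recipient_restrictions, an empty relay_recipient_maps without any recipient verification, and DNSBL name typos. The two heredocs are constructed excerpts, one with the page's settings and one with corrected values, so the difference is visible; run lint_maincf on real postconf -n output for the actual check.

```shell
#!/bin/sh
# Added example, not from the original post. A lint for "postconf -n" style
# output, in POSIX sh + awk so it runs without Postfix installed. The two
# heredocs are constructed excerpts: the page's settings, then corrected ones.

lint_maincf() {   # $1 = file of "name = value" lines; exit status 1 if anything is flagged
    awk '
    function val(k) { return (k in cfg) ? cfg[k] : "" }
    /^[a-z0-9_]+ *=/ { k = $1; v = $0; sub(/^[^=]*= */, "", v); cfg[k] = v }
    END {
        n = 0
        # smtp_use_tls / smtpd_use_tls are the pre-2.3 parameters; once a
        # *_tls_security_level is set they are ignored.
        if (("smtp_use_tls" in cfg) && val("smtp_tls_security_level") != "")
            out[++n] = "smtp_use_tls is ignored because smtp_tls_security_level is set; remove it"
        if (("smtpd_use_tls" in cfg) && val("smtpd_tls_security_level") != "")
            out[++n] = "smtpd_use_tls is ignored because smtpd_tls_security_level is set; remove it"
        # 512-bit DH parameters serve only export-grade ciphers, gone from OpenSSL >= 1.1.0.
        if ("smtpd_tls_dh512_param_file" in cfg)
            out[++n] = "smtpd_tls_dh512_param_file is never used with OpenSSL >= 1.1.0; remove it"
        # Exclusion lists (!SSLv2, !SSLv3) still admit TLSv1 and TLSv1.1 on mandatory TLS.
        split("smtp_tls_mandatory_protocols smtpd_tls_mandatory_protocols", mp, " ")
        for (i = 1; i <= 2; i++) {
            v = val(mp[i])
            if (v ~ /^!/) out[++n] = mp[i] " = " v " still allows TLSv1/TLSv1.1; use >=TLSv1.2"
        }
        # permit_auth_destination before reject_unverified_recipient short-circuits
        # verification for exactly the relay-domain mail this server exists for.
        r = val("smtpd_recipient_restrictions")
        p = index(r, "permit_auth_destination"); u = index(r, "reject_unverified_recipient")
        if (p && u && p < u)
            out[++n] = "smtpd_recipient_restrictions: permit_auth_destination precedes reject_unverified_recipient, so relay recipients are accepted unverified"
        # No recipient list and no verification: unknown recipients are accepted, then bounced.
        if (("relay_recipient_maps" in cfg) && val("relay_recipient_maps") == "" && u == 0)
            out[++n] = "relay_recipient_maps is empty and reject_unverified_recipient is absent: backscatter risk"
        # A DNSBL name typo is not an error, just a lookup that never matches.
        if (val("postscreen_dnsbl_sites") ~ /\.orq/)
            out[++n] = "postscreen_dnsbl_sites: \".orq\" looks like a typo for \".org\""
        for (i = 1; i <= n; i++) print out[i]
        exit (n > 0)
    }' "$1"
}

# Constructed excerpt of the settings shown on this page.
MAINCF=$(mktemp)
cat > "$MAINCF" <<'EOF'
compatibility_level = 3.6
postscreen_dnsbl_sites = zen.spamhaus.org*3 list.dnswl.orq=127.[0..255].[0..255].0*-2
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, reject_unverified_recipient, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_tls_dh512_param_file = $config_directory/tls/dh512.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
EOF

# The same excerpt with the corrected values (Postfix 3.6 syntax for protocols).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
compatibility_level = 3.6
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 list.dnswl.org=127.[0..255].[0..255].0*-2
relay_domains = hash:$config_directory/relaydomains
relay_recipient_maps =
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unverified_recipient, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_security_level = may
EOF

echo "== page settings =="
lint_maincf "$MAINCF" || echo "-- fix the findings above"
echo "== corrected settings =="
lint_maincf "$HARDENED" && echo "clean"
```

The restriction check is deliberately positional: Postfix evaluates smtpd_recipient_restrictions left to right and stops at the first permit, so the order, not just the presence, of reject_unverified_recipient decides whether the backup MX ever asks the primary about a recipient.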

Whole master.cf

I’ve removed any lines that are comments

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
