
Postfix content filtering with amavisd-new, ClamAV and SpamAssassin on CentOS 7


# Install amavisd-new together with the ClamAV scanner daemon and its
# systemd unit (the clamd@amavisd instance amavisd talks to).
yum install amavisd-new clamav-scanner clamav-scanner-systemd

# Enable at boot, then start: the three daemons are independent, so the
# order of enable/start does not matter. (systemctl's "--now" shortcut is
# not available on the systemd shipped with CentOS 7.)
# NOTE(review): clamd refuses to start without a signature database —
# confirm freshclam has populated /var/lib/clamav first.
systemctl enable clamd@amavisd amavisd spamassassin
systemctl start clamd@amavisd amavisd spamassassin

# Route every message accepted by smtpd/pickup through amavisd, which
# listens on 127.0.0.1:10024 and hands clean mail back to the
# 127.0.0.1:10025 listener defined in master.cf.
postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'

vi /etc/postfix/master.cf

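# Outbound leg: Postfix -> amavisd on 127.0.0.1:10024 (named by content_filter).
# NOTE: every "-o" override line MUST start with whitespace. The listing
# this was copied from had them at column 0, where master(8) reads each
# one as a new service entry and refuses to start.
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# Return leg: amavisd -> Postfix. Bound to loopback only, and nothing in
# this entry may invoke the content filter again or mail loops forever.
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  # Accept XFORWARD attributes from amavisd (it re-injects with them), so
  # logs and Received: headers carry the original client, not 127.0.0.1.
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  # Recipient validation and header/body checks already ran on the first
  # pass; do not repeat them (or milters) on re-injection.
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters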

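# Apply the main.cf/master.cf changes. The original line was
# "service restart postfix", which passes "restart" as the service name
# and does nothing useful; on CentOS 7 use systemctl directly.
systemctl restart postfix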

Postfix: enable DNSBL (RBL) checks on CentOS 7

vi /etc/postfix/main.cf

# --- SMTP session hygiene ------------------------------------------------
# Clients must send HELO/EHLO before MAIL FROM.
smtpd_helo_required = yes
# VRFY would let anyone probe which addresses exist, one at a time.
disable_vrfy_command = yes
# Require the <addr> form in MAIL FROM / RCPT TO.
strict_rfc821_envelopes = yes

# --- Reply codes for the reject_* checks --------------------------------
# Every rejection below is made a permanent 554 so senders stop retrying.
# Be aware what this trades away: Postfix's own defaults for the
# unknown_client/hostname/address/sender and unverified_* cases are a
# temporary 450, precisely so that a transient DNS or verification failure
# delays legitimate mail instead of bouncing it for good.
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_sender_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

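# Restrictions are evaluated top to bottom; the first permit/reject wins.
smtpd_recipient_restrictions =
    # reject_invalid_hostname is the pre-2.3 spelling of
    # reject_invalid_helo_hostname; both are still accepted.
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    # Everything below this line only ever sees mail for our own domains,
    # so no DNSBL lookup is spent on relay attempts.
    reject_unauth_destination,
    # DNSBLs. The original list named zones that are no longer operated:
    # list.dsbl.org (closed 2009), dul/dnsbl.sorbs.net (SORBS shut down in
    # 2024), and sbl-xbl.spamhaus.org, which Spamhaus replaced by zen
    # (SBL+XBL+PBL; the CBL data behind cbl.abuseat.org is part of XBL).
    # A lapsed zone either silently stops blocking or, if someone
    # re-registers the domain, hands them control over what you reject —
    # review this list periodically.
    # Spamhaus answers 127.255.255.x to mean "query refused" (public
    # resolver / over quota). Restricting the match to 127.0.0.2-11 keeps
    # such an error from rejecting all inbound mail.
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rbl_client bl.spamcop.net,
    permit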

Postfix: whitelist sending hosts (by verified reverse-DNS name) so they bypass the DNSBL checks


vi /etc/postfix/whitelist_domains
# Consulted by check_client_access, i.e. matched against the connecting
# host's reverse-DNS name (which Postfix only fills in when it is
# forward-confirmed), NOT against the envelope sender domain.
# Indexed maps also try parent domains, so "google.com OK" matches
# mail-xx.google.com as well. "OK" ends evaluation: every restriction
# listed after the check_client_access line, DNSBLs included, is skipped.
google.com OK
# NOTE(review): Google's outbound hosts identify as *.google.com; this
# entry only matters if a sending host's name actually ends in gmail.com.
gmail.com OK

# Compile the text map into whitelist_domains.db (hash is the default
# map type, spelled out here for clarity); rerun after every edit.
postmap hash:/etc/postfix/whitelist_domains

vi /etc/postfix/main.cf

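# Same list as the DNSBL section plus the host whitelist. First match wins,
# so check_client_access sits AFTER reject_unauth_destination (a
# whitelisted host must never become an open relay) and BEFORE the DNSBL
# checks it is meant to bypass.
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    # Hosts whose verified reverse-DNS name maps to "OK" skip everything below.
    check_client_access hash:/etc/postfix/whitelist_domains,
    # DNSBLs. Of the ten zones in the original list, dsn.rfc-ignorant.org,
    # list.dsbl.org and the two SORBS zones are no longer operated, and
    # sbl-xbl.spamhaus.org is superseded by zen (which also carries the
    # CBL data). The status of ix.dnsbl.manitu.net, combined.rbl.msrbl.net
    # and rabl.nuclearelephant.com is uncertain — verify before re-adding.
    # A lapsed zone that a third party re-registers lets them decide what
    # you reject, so audit this list periodically.
    # Spamhaus returns 127.255.255.x for refused queries (public resolver /
    # over quota); matching only 127.0.0.2-11 keeps that from rejecting
    # all inbound mail.
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rbl_client bl.spamcop.net,
    permit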

# Reload the new restriction list (on CentOS 7 "service" is a systemctl wrapper).
systemctl restart postfix

● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Tr 2018-08-29 18:32:05 CEST; 1s ago
Process: 10656 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
Process: 10672 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 10669 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 10666 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Main PID: 10748 (master)
CGroup: /system.slice/postfix.service
├─10748 /usr/libexec/postfix/master -w
├─10750 pickup -l -t unix -u
└─10751 qmgr -l -t unix -

Postfix + Dovecot virtual mailboxes

CentOS 7 + Postfix + Dovecot with flat-file virtual mailboxes (no database backend)

vi /etc/postfix/main.cf
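# Local (non-virtual) users get ~/Maildir/ instead of an mbox file.
home_mailbox = Maildir/
# Must be this machine's FQDN: it becomes the HELO name, the banner and the
# Received: header host. The original "localhost" is refused by receivers
# that apply reject_invalid_helo_hostname / reject_non_fqdn_helo_hostname.
# (mail.example.com is the placeholder the TLS section below also uses.)
myhostname = mail.example.com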

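# Single unprivileged owner for every virtual maildir; uid/gid 5000 are
# what virtual_uid_maps / virtual_gid_maps point at. The account exists
# only to own files, so it gets no login shell (the original gave it
# /bin/bash). -m creates /home/vmail, the virtual_mailbox_base.
groupadd -g 5000 vmail
useradd -m -u 5000 -g 5000 -d /home/vmail -s /sbin/nologin vmail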

vi /etc/postfix/main.cf
# Domains accepted as virtual mailbox domains (plain list file, one per line).
virtual_mailbox_domains = /etc/postfix/vhosts
# address -> maildir path relative to virtual_mailbox_base; a trailing "/"
# in the map value selects Maildir format.
virtual_mailbox_maps = hash:/etc/postfix/vmaps
# Everything is delivered under this directory as the vmail account.
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# Safety floor: the virtual delivery agent refuses to write as any uid
# below 1000, so a bad map can never deliver as a system account.
virtual_minimum_uid = 1000

vi /etc/postfix/vhosts
# Virtual mailbox domains, read directly by
# virtual_mailbox_domains = /etc/postfix/vhosts (plain list; no postmap needed).
domain1.com
domain2.com

vi /etc/postfix/vmaps
# address -> maildir path under virtual_mailbox_base (/home/vmail).
# The trailing "/" makes Postfix deliver in Maildir format, matching
# Dovecot's mail_location maildir:/home/vmail/%d/%n. Rerun postmap after edits.
info@domain1.com domain1.com/info/
# alias@ is delivered into info@'s maildir rather than its own.
alias@domain1.com domain1.com/info/
sales@domain1.com domain1.com/sales/
info@domain2.com domain2.com/info/
sales@domain2.com domain2.com/sales/

# Build vmaps.db from the text map, then reload so the virtual_* settings
# and the new map take effect.
postmap hash:/etc/postfix/vmaps
systemctl restart postfix

vi /etc/postfix/main.cf
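# Banner: hostname, "ESMTP" and the mail_name only. The original appended
# "(Ubuntu/GNU)" — wrong on CentOS and a needless platform hint to every
# client that connects.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# FQDN of this host (HELO name, banner, Received: headers). The original
# "localhost" fails the HELO checks many receivers apply.
myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
# Clients in these networks relay without authentication and, via
# permit_mynetworks, bypass the DNSBL checks — list only networks you control.
mynetworks = 127.0.0.0/8, 10.0.0.0/24
# 0 = no size limit on local mailbox files.
mailbox_size_limit = 0
home_mailbox = Maildir/
# Virtual domains/mailboxes from flat files, delivered under /home/vmail
# as uid/gid 5000 (the vmail account). virtual_minimum_uid refuses
# delivery as any uid below 1000, so a map error cannot write as a
# system account.
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# user+tag@domain is delivered to user@domain.
recipient_delimiter = +
# Listen on all interfaces so mail can arrive from outside.
inet_interfaces = all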

# Keep the packaged dovecot.conf as *.orig; the next step writes a new one.
conf=/etc/dovecot/dovecot.conf
mv -- "$conf" "$conf.orig"
vi /etc/dovecot/dovecot.conf
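# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.36.3.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core) ext4
#
# Flat-file setup: credentials in /etc/dovecot/passwd, uid/gid/home in
# /etc/dovecot/users, mail in /home/vmail/<domain>/<user> (Maildir).

# PLAIN/LOGIN transmit the password as-is, which is only acceptable inside
# TLS (ssl = required below). CRAM-MD5 from the original was dropped: it
# is no stronger than PLAIN-over-TLS on the wire, but it forces the server
# to keep a password-equivalent secret; with it gone the passwd-file can
# use a salted one-way scheme such as SHA512-CRYPT.
auth_mechanisms = plain login
# Refuse authentication on a cleartext connection even if a client tries.
disable_plaintext_auth = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
info_log_path = /var/log/dovecot.info
log_path = /var/log/dovecot
log_timestamp = "%Y-%m-%d %H:%M:%S "
# %d = domain, %n = local part — the same domain/user layout Postfix's
# vmaps use under virtual_mailbox_base.
mail_location = maildir:/home/vmail/%d/%n

# One passdb and one userdb. The original declared each twice, which just
# doubled every lookup.
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
userdb {
  args = /etc/dovecot/users
  driver = passwd-file
}

protocols = imap pop3

service auth {
  executable = /usr/libexec/dovecot/auth
  # Socket Postfix's smtpd uses for SMTP AUTH. Postfix's
  # smtpd_sasl_path = private/auth is relative to /var/spool/postfix, so the
  # two paths must agree (the original listener was named auth-client and
  # never matched).
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  # No "user = root" here: passwd-file lookups run inside the auth process,
  # which only needs read access to the two files above (e.g.
  # chown root:dovecot; chmod 640). Root is only needed for passdbs that
  # read /etc/shadow.
}
service imap-login {
  chroot = login
  executable = /usr/libexec/dovecot/imap-login
  user = dovecot
}
service imap {
  executable = /usr/libexec/dovecot/imap
}
service pop3-login {
  chroot = login
  executable = /usr/libexec/dovecot/pop3-login
  user = dovecot
}
service pop3 {
  executable = /usr/libexec/dovecot/pop3
}

# TLS is mandatory for every IMAP/POP3 session (the original had ssl = no
# with PLAIN enabled). The files are the ones produced in the "generate
# ssl certificate" section; a self-signed certificate still protects
# credentials in transit, clients will merely warn until a CA-issued one
# is installed. The leading "<" makes Dovecot read the file's contents.
ssl = required
ssl_cert = </etc/ssl/certs/mail.domain.tld.crt
ssl_key = </etc/ssl/private/mail.domain.tld.key

# Only consulted if a service sets "chroot" to a directory; kept in step
# with mail_location (the original named /var/spool/vmail, which this
# setup never creates).
valid_chroot_dirs = /home/vmail

protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}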

# Load the new dovecot.conf.
systemctl restart dovecot

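# SMTP AUTH through Dovecot's auth socket. smtpd_sasl_path is relative to
# Postfix's queue directory, so it resolves to /var/spool/postfix/private/auth
# and must be the same path as the unix_listener in dovecot.conf's
# "service auth" block.
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'
postconf -e 'smtpd_sasl_auth_enable = yes'
# Never offer anonymous mechanisms (this is also Postfix's default).
postconf -e 'smtpd_sasl_security_options = noanonymous'
# The original also overwrote smtpd_recipient_restrictions here, which
# silently discarded every DNSBL/whitelist rule configured earlier. It is
# not needed: CentOS 7 ships Postfix 2.10, whose default
# smtpd_relay_restrictions ("permit_mynetworks, permit_sasl_authenticated,
# defer_unauth_destination") already lets authenticated clients relay, and
# the restriction lists on this page keep permit_sasl_authenticated ahead
# of reject_unauth_destination. Until TLS is set up (certificate section
# below) AUTH runs in cleartext; set smtpd_tls_auth_only = yes there.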

service postfix restart

Postgrey: whitelist Hotmail / Outlook sending hosts

vi /etc/postfix/postgrey_whitelist_clients

# Postgrey client whitelist. Each /regex/ is tested against the client
# hostname Postfix passes to the policy daemon, which is only filled in
# when reverse DNS is forward-confirmed (and against the client address).
# NOTE(review): the usual reason to whitelist large senders is that they
# retry from a different host each time, defeating the greylist triplet —
# confirm from your own logs.

# hotmail.com MX hosts (compare: dig mx hotmail.com) are never greylisted.
/^mx[1-4]\.hotmail\.com$/

# Nor is any host whose name ends in .hotmail.com or .outlook.com. This
# already covers the entry above, which is kept for clarity.
# "\.hotmail\.com$" is the same match as the original "^.*\.hotmail\.com$"
# minus the redundant leading ".*".
/\.hotmail\.com$/
/\.outlook\.com$/

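# Reload the whitelist. The original did "killall postgrey" followed by
# "service start postgrey" — the latter has its arguments reversed and
# never starts anything, leaving Postfix's policy checks without a daemon.
systemctl restart postgrey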

Log:

postgrey[30881]: action=pass, reason=client whitelist, client_name=bay004-omc4s14.hotmail.com, client_address=65.54.190.216, sender=

Hosts such as *.outbound.protection.outlook.com are already covered by the `\.outlook\.com$` pattern above; other large senders can be whitelisted the same way, but verify each one against your logs first.

SPF checking in Postfix on CentOS with postfix-policyd-spf-perl

# Perl dependencies of postfix-policyd-spf-perl: Mail::SPF evaluates the
# records; Sys::Hostname::Long (going by its name) supplies the local FQDN.
# NOTE(review): these packages may only be available from EPEL — confirm.
yum install perl-Mail-SPF perl-Sys-Hostname-Long

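# Fetch and install the policy daemon. The tarball comes over HTTPS but is
# not signature-verified, so pin the version and read the script before
# installing it — it will run for every inbound RCPT.
ver=2.010
wget "https://launchpad.net/postfix-policyd-spf-perl/trunk/release${ver}/+download/postfix-policyd-spf-perl-${ver}.tar.gz"
tar -xf "postfix-policyd-spf-perl-${ver}.tar.gz"

# -p: don't fail if the directory already exists (the original mkdir did).
mkdir -p /usr/lib/postfix
install -m 0755 "postfix-policyd-spf-perl-${ver}/postfix-policyd-spf-perl" /usr/lib/postfix/

# Smoke test. The original ran the script itself, which waits on stdin for
# policy attributes and never returns; -c only compiles it, which still
# loads Mail::SPF and Sys::Hostname::Long and so catches missing modules.
perl -c /usr/lib/postfix/postfix-policyd-spf-perl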

vim /etc/postfix/main.cf
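# Add the SPF policy check to the restriction list you already maintain —
# merge it in rather than replacing the list as the original did, or the
# DNSBL/whitelist rules configured earlier are lost. It belongs after
# reject_unauth_destination so SPF is only evaluated for mail addressed to
# our own domains, and after permit_sasl_authenticated so authenticated
# submissions from outside mynetworks are not SPF-checked.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy
# Lifetime limit for a spawned policy process; the "policy" prefix must be
# the service name used in master.cf.
policy_time_limit = 3600s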

vim /etc/postfix/master.cf
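# Spawn the SPF policy daemon on demand as the unprivileged "nobody" user.
# The original line had Unicode en-dashes (U+2013) where the "-" field
# placeholders belong; master.cf requires plain ASCII hyphens there.
policy unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl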

# Pick up the new master.cf service and the restriction change.
systemctl restart postfix

Postfix: generate a private CA and a server TLS certificate, then enable STARTTLS

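# Keys are created root-only from the start instead of being chmod-ed
# after the fact.
umask 077

# 1. Private CA (interactive: passphrase and subject). Valid 10 years.
openssl req -new -x509 -sha256 -extensions v3_ca -days 3650 -keyout cakey.pem -out cacert.pem

# 2. Server key. The original generated a DES3-encrypted key and then
#    removed the passphrase with "openssl rsa" — the daemons need an
#    unencrypted key anyway, so create it that way directly.
openssl genrsa -out mail.domain.tld.key 2048

# 3. CSR for the mail host (interactive; CN must be the real FQDN, the
#    same one set as myhostname).
openssl req -new -sha256 -key mail.domain.tld.key -out mail.domain.tld.csr

# 4. Sign the CSR with the CA. The original used "-signkey", which makes a
#    self-signed server certificate unrelated to cacert.pem — the CA file
#    later given to smtpd_tls_CAfile then verified nothing.
openssl x509 -req -sha256 -days 365 -in mail.domain.tld.csr \
  -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out mail.domain.tld.crt

mv mail.domain.tld.key cakey.pem /etc/ssl/private/
mv mail.domain.tld.crt cacert.pem /etc/ssl/certs/
# Certificates are public; only the keys stay 0600.
chmod 644 /etc/ssl/certs/mail.domain.tld.crt /etc/ssl/certs/cacert.pem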
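# Postfix TLS. smtp_use_tls / smtpd_use_tls are the pre-2.3 knobs; CentOS 7
# ships Postfix 2.10, so use the *_tls_security_level parameters.
# "may" = opportunistic STARTTLS: offered to / attempted with every peer
# but not enforced, since most remote MTAs cannot be required to use TLS.
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtp_tls_security_level = may'
# Offer AUTH only after STARTTLS. The original set this to "no", which
# lets clients send their password in cleartext.
postconf -e 'smtpd_tls_auth_only = yes'
# Files from the certificate section. Note that the certificate is made for
# "mail.domain.tld" and myhostname below is "mail.example.com" — both are
# placeholders; use one real FQDN for the CN and for myhostname.
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
# Postfix 2.10 still allows SSLv3 by default; disable it with SSLv2 for
# both opportunistic and mandatory TLS, inbound and outbound.
postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3'
postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3'
postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3'
postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
# Already the default; kept explicit as in the original.
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = mail.example.com'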