
Postfix configurations

Anushka Bandara edited this page Jul 18, 2018 · 10 revisions

Most of Postfix's configuration lives in the main.cf and master.cf files under /etc/postfix/. These are the main configuration files of Postfix. When Postfix is installed, the common settings are already present in these files as commented-out lines; you can uncomment them or add the settings your requirements call for.

main.cf

This configuration file specifies a very small subset of all the parameters that control the operation of the Postfix mail system. Initially, the parameters carry their default values.

  • compatibility_level

    • A safety net that causes Postfix to run with backwards-compatible default settings after an upgrade to a newer Postfix version. We have disabled backward compatibility by setting the value to 2.
  • smtpd_banner

    • The text that follows the 220 status code in the SMTP greeting banner. Some people like to see the mail version advertised. By default, Postfix shows no version.
  • biff

    • Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y". For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" to disable.
  • append_dot_mydomain

    • With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead. This feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.
  • readme_directory

    • The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature.
  • smtpd_tls_cert_file

    • File with the Postfix SMTP server RSA certificate in PEM format. Public Internet MX hosts without certificates signed by a "reputable" CA must generate, and be prepared to present to most clients, a self-signed or private-CA signed certificate. The client will not be able to authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate.
  • smtpd_tls_key_file

    • File with the Postfix SMTP server RSA private key in PEM format. The private key must be accessible without a pass-phrase, i.e. it must not be encrypted. File permissions should grant read-only access to the system superuser account ("root"), and no access to anyone else.
  • smtpd_use_tls

    • Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.
  • smtpd_tls_auth_only

    • Mandatory TLS: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is therefore off by default.
  • smtp_tls_security_level

    • The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
      • Its value "may" means: use TLS if this is supported by the remote SMTP server, otherwise use plaintext, since sending in the clear is acceptable at this level.
  • smtpd_tls_security_level

    • The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes".
      • Its value "may" means - Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.
  • smtpd_sasl_type

    • The SASL plug-in type that the Postfix SMTP server should use for authentication. Our solution uses "Dovecot".
  • smtpd_sasl_path

    • Implementation-specific information that the Postfix SMTP server passes through to the SASL plug-in implementation that is selected with smtpd_sasl_type. Typically this specifies the name of a configuration file or rendezvous point.
  • smtpd_sasl_auth_enable

    • Enable SASL authentication in the Postfix SMTP server. By default, the Postfix SMTP server does not use authentication.
  • smtpd_client_restrictions (default: empty)

    • Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. The default is to allow all connection requests.
  • smtpd_helo_restrictions

    • Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command. The default is to permit everything.
  • myhostname

    • The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.
  • alias_maps

    • The alias databases that are used for local delivery.
  • alias_database

    • The alias databases for local delivery that are updated with "newaliases" or with "sendmail -bi". This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.
  • myorigin

    • The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default, $myhostname, is adequate for small sites. If you run a domain with multiple machines, you should change this to $mydomain and set up a domain-wide alias database that aliases each user to that user's address on their mail host.
  • mydestination

    • The list of domains that are delivered via the $local_transport mail delivery transport. By default this is the Postfix local delivery agent which looks up all recipients in /etc/passwd and /etc/aliases. The SMTP server validates recipient addresses with $local_recipient_maps and rejects non-existent recipients. The default mydestination value specifies names for the local machine only. On a mail domain gateway, you should also include $mydomain.
  • message_size_limit

    • The maximal size in bytes of a message, including envelope information.
  • mailbox_size_limit

    • The maximal size of any local individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local delivery agent. This limit must not be smaller than the message size limit.
  • recipient_delimiter

    • The set of characters that can separate a user name from its extension (example: user+foo), or a .forward file name from its extension (example: .forward+foo). Basically, the software tries user+foo and .forward+foo before trying user and .forward. This implementation recognizes one delimiter character and one extension per email address or .forward file name.
      • "recipient_delimiter = +" means: handle Postfix-style extensions.
  • relayhost

    • The next-hop destination of non-local mail; overrides non-local domains in recipient addresses. On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet gateway host instead.
  • mynetworks

    • The list of "trusted" remote SMTP clients that have more privileges than "strangers".
  • inet_interfaces

    • The network interface addresses that this mail system receives mail on. The value "all" means receive mail on all network interfaces (the default); "loopback-only" means receive mail on loopback network interfaces only.
  • virtual_transport

    • The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains.
  • virtual_mailbox_domains

    • Postfix is final destination for the specified list of domains; mail is delivered via the $virtual_transport mail delivery transport. By default this is the Postfix virtual delivery agent. The SMTP server validates recipient addresses with $virtual_mailbox_maps and rejects mail for non-existent recipients. This parameter expects the same syntax as the mydestination configuration parameter.
  • virtual_mailbox_maps

    • Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.
  • virtual_alias_maps

    • Optional lookup tables that alias specific mail addresses or domains to other local or remote addresses.
  • milter_protocol

    • The mail filter protocol version and optional protocol extensions for communication with a Milter application. Postfix sends this version number during the initial protocol handshake. It should match the version number that is expected by the mail filter application (or by its Milter library).
  • milter_default_action

    • The default action when a Milter (mail filter) application is unavailable or mis-configured. (accept - Proceed as if the mail filter was not present)
  • smtpd_milters

    • A list of Milter (mail filter) applications for new mail that arrives via the Postfix smtpd server.
  • non_smtpd_milters

    • A list of Milter (mail filter) applications for new mail that does not arrive via the Postfix smtpd server.
  • milter_mail_macros

    • The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command.
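As an added example (not part of this wiki page), the following script parses a main.cf fragment and checks several of the settings above against the advice given for them: STARTTLS must be offered, SASL authentication should only be offered over TLS, and mailbox_size_limit must not be smaller than message_size_limit. The sample configuration is constructed here; the Postfix defaults used as fallbacks (10240000 and 51200000 bytes) are the stock values.

```python
# Added example, not from the wiki or from Postfix itself.
# Constructed sample main.cf fragment mirroring the parameters described above.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real host's configuration
compatibility_level = 2
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
message_size_limit = 52428800
mailbox_size_limit = 0
mynetworks = 127.0.0.0/8
    [::1]/128
"""

def parse_main_cf(text):
    """Parse 'name = value' lines. Comments and blank lines are skipped and a
    line starting with whitespace continues the previous value (Postfix syntax)."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def audit_main_cf(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if params.get("smtpd_tls_security_level", "") not in ("may", "encrypt"):
        findings.append("smtpd_tls_security_level: STARTTLS is not offered")
    if (params.get("smtpd_sasl_auth_enable", "no") == "yes"
            and params.get("smtpd_tls_auth_only", "no") != "yes"):
        findings.append("smtpd_tls_auth_only=no: SASL credentials may be sent in plaintext")
    # Fallbacks are the stock Postfix defaults; 0 for mailbox_size_limit means no limit.
    msg = int(params.get("message_size_limit", "10240000"))
    box = int(params.get("mailbox_size_limit", "51200000"))
    if box and box < msg:
        findings.append("mailbox_size_limit is smaller than message_size_limit")
    if "compatibility_level" not in params:
        findings.append("compatibility_level unset: backwards-compatible defaults in use")
    return findings
```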

master.cf

The Postfix mail system is implemented by a small number of (mostly) client commands that are invoked by users, and by a larger number of services that run in the background. Postfix services are implemented by daemon processes. They run in the background under control of the master process. The Postfix master daemon launches all of the other Postfix services as they are needed. The various services, and how they are run, are specified in the master.cf file.

Services are declared in this file using a table-like structure. Every column of the table must be given a value when a service is entered; a dash (-) in a column means that the default setting for that column applies. Some default values come from parameters in the main.cf file.

The columns of the structure are as follows.

service type private unpriv chroot wakeup maxproc command

Below is a sample "master.cf" entry with an explanation of each column.

smtp inet n - n - - smtpd
  • service - smtp (The name of the component.)
  • type - inet (Valid transport types are inet, unix, and fifo. Each of these indicates a method of communication for this service.)
  • private - n (Access to some components is restricted to the Postfix system itself. This column is marked with a y for private access (the default) or an n for public access. inet components must be marked n for public access, since network sockets are necessarily available to other processes.)
  • unpriv - - (the default, y). Postfix components run with the least amount of privilege required to accomplish their tasks. They set their identity to that of the unprivileged account specified by the mail_owner parameter. The default installation uses postfix. The default value of y for this column indicates that the service runs under the normal unprivileged account. Services that require root privileges are marked with n.
  • chroot - n. Many components can be chrooted for additional security. The chroot location is specified in the queue_directory parameter in main.cf. The default is for a service to run in a chroot environment; however, the normal installation marks all components with an n so they are not chrooted when they run. Chrooting a service adds a level of complexity that you should thoroughly understand before taking advantage of the added security.
  • wakeup - - (the default, 0). Some components require a wake-up timer to kick them into action at the specified interval. The pickup daemon is one example. At its default setting of 60 seconds, the master daemon wakes it up every minute to see if any new messages have arrived in the maildrop queue. The other services that require a wake-up are the qmgr and flush daemons. A question mark character (?) can be added at the end of the time to indicate that a wake-up event should be sent only if the component is being used. A 0 for the time interval indicates that no wake-up is required. The default is 0, since only the three components mentioned require a wake-up. The values as they are set in the Postfix distribution should work for almost all situations. Other services should not have wakeup enabled.
  • maxproc - - (the default). Limits the number of processes that can be invoked simultaneously. If unspecified here, the value comes from the parameter default_process_limit in main.cf, which is set to 100 by default. A setting of 0 means no process limit. You may want to adjust maxproc settings if you run Postfix on a system with limited resources or you want to optimize different aspects of the system.
  • command - smtpd. The actual command used to execute a service is listed in the final column. The command is specified with no path information, because it is expected to be in the Postfix daemon directory specified by the daemon_directory parameter in main.cf. By default the directory is /usr/libexec/postfix. All of the Postfix commands can be specified with one or more -v options to turn on increasingly more verbose logging information, which can be helpful if you must troubleshoot a problem. You can also enable information for a debugging program with the -D option.
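As an added example (not part of this wiki page), the following script parses master.cf service lines, fills in the column defaults described above (private=y, unpriv=y, chroot=y, wakeup=0, maxproc from default_process_limit=100), and flags entries that contradict the rules given in the column descriptions. The sample master.cf is constructed here and includes deliberately wrong entries so that the checks have something to report.

```python
# Added example, not from the wiki or from Postfix itself.
# Constructed sample master.cf; the submission and local lines are deliberately
# questionable so the audit below has findings to report.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
qmgr       unix  n       -       n       300     1       qmgr
submission inet  y       -       n       -       -       smtpd -o smtpd_tls_security_level=encrypt
local      unix  -       n       n       -       -       local
"""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")
# Column defaults as described in the text; maxproc comes from default_process_limit.
COLUMN_DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y", "wakeup": "0", "maxproc": "100"}
# Only these daemons are documented as needing a wake-up timer.
WAKEUP_SERVICES = ("pickup", "qmgr", "flush")

def parse_master_cf(text):
    """Return one dict per service line, with '-' replaced by the column default."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # Split into the seven fixed columns; the remainder is the command.
        fields = line.split(None, len(COLUMNS))
        if len(fields) < len(COLUMNS) + 1:
            raise ValueError("malformed master.cf line: %r" % line)
        entry = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
        entry["command"] = fields[len(COLUMNS)]
        for column, default in COLUMN_DEFAULTS.items():
            if entry[column] == "-":
                entry[column] = default
        services.append(entry)
    return services

def audit_master_cf(services):
    """Return findings for entries that violate the column rules above."""
    findings = []
    for s in services:
        name = "%s/%s" % (s["service"], s["type"])
        if s["type"] == "inet" and s["private"] != "n":
            findings.append("%s: inet services must be public (private=n)" % name)
        if s["unpriv"] == "n":
            findings.append("%s: runs with root privileges (unpriv=n); confirm it needs them" % name)
        if s["wakeup"].rstrip("?") != "0" and s["service"] not in WAKEUP_SERVICES:
            findings.append("%s: wakeup set on a service that does not need one" % name)
    return findings
```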