This article was last reviewed for Debian 9 (Stretch).
Postfix installation and configuration (Debian, repository)
Author: | Stefán Örvar Sigmundsson |
---|---|
Initial publication: | |
Last updated: | |
Written in: | English (United Kingdom) |
Postfix is a free and open-source mail transfer agent (MTA) that has become very popular since its initial release in 1998. This article will demonstrate how to install and configure Postfix on Debian or its derivatives such as Ubuntu and Linux Mint. The MTA will be configured for the domain name example.org and its users will be the system users.
Installation
Postfix can be installed from the official Debian repository using APT:
root@computer:~# apt --assume-yes install postfix
Configuration
main.cf
The main.cf file is the global configuration file:
alias_maps = hash:/etc/aliases
compatibility_level = 3
home_mailbox = Maildir/
mailbox_size_limit = 0
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, $mydomain, example.org
Spam prevention
Basic spam prevention can be added to the configuration:
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
TLS
Transport Layer Security (TLS) encryption can be added to the configuration:
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.org/certificate.crt
smtpd_tls_key_file = /etc/ssl/example.org/certificate.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
SASL by Dovecot
Simple Authentication and Security Layer (SASL) authentication by Dovecot can be added to the configuration:
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = example.org
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
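An added example (not part of the original article) that parses main.cf syntax and checks two properties of the settings above: relaying is refused before any blanket permit, and SASL AUTH is only offered once TLS is active. The function names and the sample text are constructed for illustration, and only parameters set in the file are checked; Postfix built-in defaults and legacy TLS parameters are not modelled.

```python
import re

# Constructed sample built from this article's settings (not a complete main.cf).
SAMPLE = """\
# relay and recipient restrictions, with a continuation line
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""

def parse_main_cf(text):
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                           # blank and comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues a line
        else:
            logical.append(line.strip())
    pairs = (entry.partition("=") for entry in logical)
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def tokens(value):
    """Split a restriction list on commas and/or whitespace, as Postfix does."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def audit(text):
    """Return a list of findings for the settings present in the text."""
    p = parse_main_cf(text)
    findings = []
    relay = tokens(p.get("smtpd_relay_restrictions", ""))
    if "reject_unauth_destination" not in relay:
        findings.append("relay: no reject_unauth_destination")
    elif "permit" in relay[:relay.index("reject_unauth_destination")]:
        findings.append("relay: bare permit precedes reject_unauth_destination")
    if p.get("smtpd_sasl_auth_enable") == "yes":
        if p.get("smtpd_tls_auth_only") != "yes":
            findings.append("sasl: AUTH is offered on unencrypted sessions")
        if p.get("smtpd_tls_security_level") not in ("may", "encrypt"):
            findings.append("tls: smtpd_tls_security_level is not may or encrypt")
    return findings

print(audit(SAMPLE) or "no findings")
```

To audit a live system, pass the output of `postconf -n` to `audit()` instead of the sample, since that command prints the explicitly configured parameters in the same `name = value` form.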
master.cf
The master.cf file is the per-service configuration file:
anvil unix - - - - 1 anvil
bounce unix - - - - 0 bounce
cleanup unix n - - - 0 cleanup
defer unix - - - - 0 bounce
discard unix - - - - - discard
error unix - - - - - error
flush unix n - - 1000? 0 flush
local unix - n n - - local
pickup unix n - - 60 1 pickup
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
qmgr unix n - n 300 1 qmgr
relay unix - - - - - smtp
retry unix - - - - - error
rewrite unix - - - - - trivial-rewrite
scache unix - - - - 1 scache
showq unix n - - - - showq
smtp inet n - - - - smtpd
smtp unix - - - - - smtp
submission inet n - - - - smtpd
tlsmgr unix - - - 1000? 1 tlsmgr
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
Conclusion
Directory ownership and permissions
The configuration directory should be protected:
root@computer:~# chown --recursive root:adm /etc/postfix/
root@computer:~# chmod --recursive 0750 /etc/postfix/
DNS records
If the domain names intended to be served by the machine running Postfix do not have A records pointing to the machine, then MX records must be created; otherwise, the MTA can only serve the local host.
A record (DNS) | MX record (DNS) | Machine (Internet) |
---|---|---|
Yes | Yes | Reachable |
Yes | No | Reachable |
No | Yes | Reachable |
No | No | Unreachable |