Complete Virtual Mail Server/Postfix

Introduction
Over the years, postfix has become the new de facto standard. It has beaten qmail, which in turn had taken down sendmail from the throne. This document will describe how to set up and test a basic postfix server.

Pre-installation
Depending on the USE flag settings and what else is installed in the system, another MTA may already have been installed (e.g. ssmtp, exim, qmail or sendmail). If one is already installed, it will block the installation of postfix when trying to emerge it. To check this, is used.

In the above example, it can be seen that is installed and is blocking the installation of postfix. Before this process is started, needs to be called to remove it.

Installation
With the previous chapter complete, postfix can now be installed. For quotas to work, the USE flag needs to be set. Enabling quotas on postfix also allows quota usage to be reported directly to the mail client. There are plugins for such as Display Quota, and native support in rich webclients such as.

Introduction
After postfix is installed, it's time to configure it. Below I have listed the usual suspects for configuring postfix. It is important that the description of each parameter is read so that, first, it is understood what it is for and, second, it is known whether it really needs to be set or not. For example, if the operating system is installed properly, the myhostname setting can be omitted, since postfix will use gethostname() to determine it. This ensures that postfix uses the FQDN defined for the box and not something left behind in a config file that was copied from elsewhere.

For each parameter below, representative example settings are given and default settings are identified (which most of them are).

Soft Bounce
The soft_bounce parameter can help with testing. It should be enabled during setup and testing, but disabled once the system behaves completely as expected.

Directories and privileges
Unless specific changes are needed by the system postfix is running on, the defaults should be sufficient.

Fully Qualified Domain Name (FQDN)
When installing an operating system for a server that is connected to the internet and serving data, it is imperative that its hostname is set up correctly. Under Gentoo it is set up in the and the files. In the following example the mail server is set up as foo.example.com. The name used should be the name of the system, not 'mail' just because it might be externally known as mail.example.com. Of course it could be named 'mail' if so desired.

To verify the hostname functions properly, is used.

The following settings need to be changed if the hostname is not properly configured. Otherwise accept the default, which means leaving them commented out.

Sending and receiving Mail
Since this is a basic installation, nothing fancy will be done here. All interfaces will be listened on and no gateway or backup settings will be enabled yet.

The myorigin parameter specifies the domain that locally-posted mail appears to come from. Since nearly none of our mail will be locally posted (only local services might do so), the default will be fine.

Local delivery
Since all our users will be virtual, local_recipient_maps is to be commented out. The default for unknown_local_recipient_reject_code is fine, as local recipients won't be used anyway.

Trust and Relay
This is one really important thing to get right. By default, a postfix install is pretty tight, only allowing users on the same subnet as the mail server to relay through postfix. If this gets messed around with, it can potentially open the door to users from anywhere. That is begging for abuse by spam merchants, and the domain will quickly be blacklisted, which kind of defeats the purpose of setting up a personal mail server if nobody will talk or listen to it.

Since relay control will later be handled through SMTP authentication, postfix can be tightened even further than the default. It is much easier to test if internal systems aren't allowed to relay either: nobody gets to go through. It also has the benefit that, if an internal system is compromised, it cannot be used as a launch pad to gain open relay access to the mail server. The long and short of it is that only the mail server itself is considered a trusted system; all others must log in.

Address extensions
Postfix has a neat feature called address extensions. With address extensions it becomes possible to have several aliases under one mailbox. The way it works is that if a message arrives for testuser+spam@example.com, postfix will first try to deliver the message to testuser+spam; if no such user is found, it will be delivered to testuser@example.com. This can be quite useful for all those sites that require registration with an e-mail address. Signing up with testuser+somesite@example.com makes it easy to filter messages and trace where they originated. If, for example, some unsolicited mail was delivered to that address, it could have come from somesite. Amavis will later use this mechanism to deliver spam.
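As an added example (not code from the original page), the lookup order the paragraph describes, implemented in Python against a constructed virtual mailbox table; the table entries, the sample addresses and the function names are assumptions made for the demonstration.

```python
"""Resolve '+' address extensions the way the text describes: try the
extended address first, then fall back to the base mailbox.
Constructed example; the delimiter mirrors Postfix's recipient_delimiter."""

RECIPIENT_DELIMITER = "+"

# Constructed virtual mailbox table: full address -> mailbox directory.
VIRTUAL_MAILBOXES = {
    "testuser@example.com": "example.com/testuser/",
    "testuser+spam@example.com": "example.com/testuser-spam/",
    "postmaster@example.com": "example.com/postmaster/",
}


def split_extension(address):
    """Return (base localpart, extension, lowercased domain); extension is ''
    when the address carries none. Rejects strings without a single '@' form."""
    localpart, sep, domain = address.rpartition("@")
    if not sep or not localpart or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    base, _, extension = localpart.partition(RECIPIENT_DELIMITER)
    return base, extension, domain.lower()


def resolve_recipient(address, table=VIRTUAL_MAILBOXES):
    """Return the mailbox a message for `address` lands in, or None when
    neither the extended nor the base address exists (unknown recipient)."""
    base, extension, domain = split_extension(address)
    candidates = []
    if extension:
        # First choice: a mailbox dedicated to this extension.
        candidates.append(f"{base}{RECIPIENT_DELIMITER}{extension}@{domain}")
    # Fallback: the base mailbox without the extension.
    candidates.append(f"{base}@{domain}")
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None


def origin_tag(address):
    """Extract the per-site tag used when signing up as user+site@domain, so
    unsolicited mail can be traced back to the site the address was given to."""
    _, extension, _ = split_extension(address)
    return extension or None
```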

The End Mess
When postfix is emerged it adds some duplicate settings to the bottom of the file. These variables should be located in the file and moved to their proper location. Below is a collection of these settings.

That is all that will be configured for now. There are other parameters that other HOWTOs would already want to change, but they are not needed yet. They will be set up later when virtual users are set up with the database connection.

Before testing the basic mail server, the verbose flag of the smtp server should be enabled by adding a -v to the smtp daemon's command line.

Starting Postfix
Before starting postfix for the first time, the local alias database has to be compiled. If this is not done, postfix may seem to start normally, but it won't work and the log will be spammed with errors.

The default local alias database contains the RFC-required default local accounts and pseudo accounts. Simply run the command to generate the database.

Now it is time to start postfix for the very first time.

The mail.log file should yield some information. Remember that can be extremely helpful here.

Testing postfix
Now that postfix is running properly, it should accept connections from telnet on port 25 and send mail to anywhere in the world. Replace the example @. with a real e-mail address to see it work.

Looking at it can be verified that the message got properly relayed.

This test should also be performed from any other internal machine to see if it is indeed untrusted.
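As an added illustration that is not part of the original page, the two outcomes of these tests checked against mail.log entries: a message relayed from the server itself, and an internal machine being refused. The log lines are constructed to follow Postfix's usual format; the host names, queue id, addresses and function names are made up for the example.

```python
"""Verify from mail.log that the server relayed its own test message and
refused the relay attempt from an untrusted internal client.
The sample log below is constructed; nothing here comes from a real host."""
import re

# Constructed sample: one delivery submitted on the server itself, followed
# by an internal client (192.168.1.20) trying to relay to an outside domain.
SAMPLE_LOG = """\
Mar  3 10:15:01 foo postfix/smtpd[2101]: connect from localhost[127.0.0.1]
Mar  3 10:15:07 foo postfix/smtpd[2101]: 1A2B3C4D5E: client=localhost[127.0.0.1]
Mar  3 10:15:12 foo postfix/qmgr[2040]: 1A2B3C4D5E: from=<root@foo.example.com>, size=355, nrcpt=1 (queue active)
Mar  3 10:15:14 foo postfix/smtp[2105]: 1A2B3C4D5E: to=<someone@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=7.1, delays=6.2/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:16:40 foo postfix/smtpd[2110]: connect from desktop.example.com[192.168.1.20]
Mar  3 10:16:48 foo postfix/smtpd[2110]: NOQUEUE: reject: RCPT from desktop.example.com[192.168.1.20]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<user@example.com> to=<someone@example.net> proto=SMTP helo=<desktop>
"""

# Outbound delivery reported by the smtp client (not smtpd) with status=sent.
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>, relay=(?P<relay>[^,]+), .*status=sent")
# Recipient refused at RCPT time before a queue id was assigned.
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) [\d.]+ <(?P<to>[^>]+)>: (?P<reason>[^;]+);")


def summarize(log):
    """Return (sent, rejected): sent maps queue id -> (recipient, relay host);
    rejected lists (client, recipient, SMTP code, reason) per refused RCPT."""
    sent, rejected = {}, []
    for line in log.splitlines():
        m = SENT_RE.search(line)
        if m:
            sent[m["qid"]] = (m["to"], m["relay"])
            continue
        m = REJECT_RE.search(line)
        if m:
            rejected.append((m["client"], m["to"], m["code"], m["reason"]))
    return sent, rejected


def relay_denied_for(log, client_ip):
    """True when the log shows at least one RCPT from client_ip and every one
    of them was refused with 'Relay access denied' (the expected result for
    an internal machine that is not trusted and has not logged in)."""
    _, rejected = summarize(log)
    attempts = [r for r in rejected if f"[{client_ip}]" in r[0]]
    return bool(attempts) and all(r[3] == "Relay access denied" for r in attempts)
```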