MX - Mail Exchange Servers

Postfix Logo

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail on a Linux system. It is estimated that around 26% of public mail servers on the internet run Postfix.

Install Software

$ sudo apt-get install postfix postfix-mysql

On Ubuntu server 20.04 (focal) the installed version is Postfix version 3.4.13, released on June 14, 2020.

Main Configuration

Postfix uses a number of different configuration files, with the /etc/postfix/main.cf being the most important.

The documentation website has a page dedicated to main.cf which includes every possible configuration parameter.

The whole file, as presented below, is also provided for download at /server/config-files/etc/postfix/mx-main.cf here.

General Settings

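# General Mail Server Settings
# ------------------------------------------------------------

# Disable the backwards-compatibility safety net (Postfix 3.x): every
# setting we rely on is spelled out below, so no legacy defaults are wanted.
compatibility_level = 2

# What is my domain name?
mydomain = example.net

# What is my hostname (FQDN)? Also used for the TLS certificate paths and
# shown to remote hosts in the 220 greeting / HELO.
myhostname = maeve.${mydomain}

# Do I append ".$mydomain" to addresses without a domain part?
# No: this host has no local users, it only relays for virtual domains.
append_dot_mydomain = no

# What characters in a recipient address separate users from extensions?
# NOTE(review): with '-' in this set, a hyphenated local part such as
# 'first-last@domain' is treated as user 'first' + extension 'last', so
# the recipient table lookups fall back to 'first@domain' when the full
# address is not listed. Unless no relayed domain uses hyphenated
# mailboxes, keep only '+' here.
recipient_delimiter = +-

# Should I refuse MAIL FROM / RCPT TO addresses that are not enclosed in <>
# or that carry RFC 822 style comments or phrases?
strict_rfc821_envelopes = yes

# What domains do I receive mail for locally? None: this is a pure relay,
# so the local recipient list is empty and the local(8) transport is
# replaced by an error transport that rejects anything routed to it.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Which clients do I trust to relay mail to other domains?
# One network/CIDR per line. Every entry is an unauthenticated relay grant,
# so keep this list minimal.
mynetworks = ${config_directory}/mynetworks

# To which 3rd-party domains do I accept and forward (relay) mail?
# Defined by a MySQL lookup table in the 'Virtual Relay Maps' section below.
#relay_domains =

# What trouble do I need to report to a human (postmaster)?
# '2bounce' forwards undeliverable bounce messages, content included, to the
# postmaster address, so expect spam/backscatter samples in that mailbox.
notify_classes = resource, software, 2bounce

# After how long should I warn the sender that delivery is delayed?
delay_warning_time = 6h

# Do I need to notify local users of new mail? No local users exist.
biff = no


# ------------------------------------------------------------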

Local Aliases Map

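# Local Aliases Map
# ------------------------------------------------------------

# Which recipient addresses do I rewrite before the mail is queued and
# relayed? (By default this rewrites both envelope and header recipients;
# see recipient_canonical_classes if only the envelope should change.)
# NOTE(review): canonical rewriting happens in cleanup(8), after smtpd(8)
# has already applied the relay and recipient restrictions to the
# *original* address, so keep the right-hand sides inside the relayed
# domains. Rebuild the table with 'postmap' after editing the source file.
recipient_canonical_maps = hash:${config_directory}/recipient_canonical


# ------------------------------------------------------------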

Virtual Relay Maps

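# Virtual Relay Maps
# ------------------------------------------------------------
#
# NOTE(review): the .cf files referenced below contain the MySQL
# credentials; keep them owned by root:postfix with mode 0640. On
# Debian/Ubuntu smtpd(8) is normally chrooted, so if MySQL is reached over
# a UNIX socket, the lookups smtpd(8) performs itself (relay_domains,
# relay_recipient_maps) should be written as 'proxy:mysql:...' so that
# proxymap(8) does them outside the jail.

# How do I look up the virtual mail domains I relay for?
relay_domains = mysql:${config_directory}/sql/relay_domains.cf

# How do I look up the individual mailbox addresses of those domains?
# Recipients in a relay domain that are not found here are rejected at
# RCPT TO ('User unknown in relay recipient table'), which keeps this host
# from accepting and then bouncing mail (backscatter).
relay_recipient_maps = mysql:${config_directory}/sql/relay_mailboxes.cf
                       mysql:${config_directory}/sql/relay_aliases.cf

# Which transport / next hop do I use to deliver mail for each virtual domain?
transport_maps = mysql:${config_directory}/sql/relay_transports.cf


# ------------------------------------------------------------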

Mail Queue Settings

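# Mail Queue Settings
# ------------------------------------------------------------
# All values below are the Postfix defaults, listed for reference;
# uncomment a line to change it.

# For how long should I retry to deliver mail after temporary failures? (default 5d)
#maximal_queue_lifetime = 5d

# For how long should I retry to deliver bounce mail after temporary failures? (default 5d)
#bounce_queue_lifetime = 5d

# The maximal time between attempts to deliver a deferred message (default 4000s, ~1h).
#maximal_backoff_time = 4000s

# The minimal time between attempts to deliver a deferred message (default 300s / 5m).
#minimal_backoff_time = 5m

# The time between queue manager scans of the deferred queue (default 300s / 5m).
# Postfix recommends keeping this less than or equal to minimal_backoff_time.
#queue_run_delay = 5m


# ------------------------------------------------------------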

TCP/IP Protocols Settings

 99# TCP/IP Protocols Settings
100#
101# Changes made here need a full server restart:
102#     'sudo systemctl restart postfix.service'
103# ------------------------------------------------------------
104
105# Which IPv4 addres do I use for outbound connections?
106smtp_bind_address = 198.51.100.7
107
108# Which IPv6 addres do I use for outbound connections?
109smtp_bind_address6 = 2001:db8:48d1::1
110
111# On which interfaces / IP addresses do I listen for inbound connections?
112inet_interfaces = ${smtp_bind_address}, ${smtp_bind_address6}
113
114# Digital Ocean blocks SMTP traffic over IPv6 at their network level.
115#smtp_address_preference = ipv4
116
117
118# ------------------------------------------------------------

General TLS Settings

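# General TLS Settings
# ------------------------------------------------------------
#
# Cipher lists from https://ssl-config.mozilla.org/ (Mozilla Guideline
# v5.6, generated 2020-12-13 for Postfix 3.4.13 / OpenSSL 1.1.1f).
#
# Postfix picks a list by *grade*: smtp_tls_ciphers / smtpd_tls_ciphers
# (opportunistic TLS) and smtp_tls_mandatory_ciphers /
# smtpd_tls_mandatory_ciphers (mandatory TLS) name a grade, and the
# tls_<grade>_cipherlist parameter supplies the OpenSSL list for it.
# The grades are wired up further below as:
#   low    = Mozilla 'old'          -> opportunistic TLS ('may', 'dane'
#                                      without a usable TLSA record)
#   medium = Mozilla 'intermediate' -> mandatory TLS (DANE-verified peers,
#                                      policy-map entries, 'encrypt'/'secure')
# TLS 1.3 cipher suites are configured separately by OpenSSL and are not
# affected by these lists.

# What cipher suites do I use for opportunistic encryption?
# Note: while using non-mandatory opportunistic encryption it is preferable
# to use weak encryption rather than no encryption at all, hence the
# non-PFS RSA suites and 3DES at the end of this list.
tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

# What cipher suites do I use for mandatory encryption?
# AEAD suites with forward secrecy only.
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# The 'high' grade keeps the Postfix default and is not selected anywhere
# below.
#tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH

# Let the server pick the cipher (server preference order), so the weak
# suites we offer for interoperability are only used when the client
# supports nothing better. Mozilla suggests 'no'; 'yes' trades a little
# interoperability for a better cipher choice.
tls_preempt_cipherlist = yes

# What OpenSSL options do I enable?
tls_ssl_options = NO_COMPRESSION
                  NO_RENEGOTIATION
                  NO_SESSION_RESUMPTION_ON_RENEGOTIATION

# TLS certificate and key for outgoing SMTP connections.
# NOTE(review): Let's Encrypt renews roughly every 60 days; the certbot
# deploy hook must run 'postfix reload', otherwise the old certificate stays
# in use. Keep the private key root-only; Postfix opens it before it drops
# privileges and chroots.
smtp_tls_cert_file = /etc/letsencrypt/live/${myhostname}/fullchain.pem
smtp_tls_key_file  = /etc/letsencrypt/live/${myhostname}/privkey.pem

# TLS certificate and key for incoming connections (same pair).
smtpd_tls_cert_file = $smtp_tls_cert_file
smtpd_tls_key_file  = $smtp_tls_key_file

# Where do I find trusted CA certificates to verify remote SMTP servers
# (smtp) or client certificates (smtpd)?
# The client-side store is what 'verify'/'secure' policy entries, including
# MTA-STS results, validate against; DANE does not use it. On the server
# side it only decides whether a client certificate is logged as 'Trusted'
# or 'Untrusted'; relaying is granted by fingerprint (relay_clientcerts),
# not by CA trust.
# NOTE(review): with chrooted smtp(8)/smtpd(8) this directory (or a copy)
# must exist inside $queue_directory as well; verify that it does.
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = ${smtp_tls_CApath}

# Which TLS protocols may I use for opportunistic TLS (security level 'may',
# or 'dane' without a usable TLSA record)? The Postfix defaults shown here
# still allow TLS 1.0/1.1: again, weak TLS beats clear text when encryption
# is optional.
#smtp_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_protocols = ${smtp_tls_protocols}

# Which TLS protocols am I allowed to use when a security level is set to
# anything other than 'none' or 'may'? This also covers DANE-verified
# peers, so a DANE domain that only speaks TLS 1.0/1.1 has its mail deferred.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = ${smtp_tls_mandatory_protocols}

# Which cipher grade do I use for opportunistic TLS ('may', or 'dane' without
# a usable TLSA record)? 'low' selects tls_low_cipherlist (Mozilla 'old')
# above. The Postfix default is 'medium', which here would be the restricted
# intermediate list and would drop legacy peers to clear text, the opposite
# of the stated intent.
smtp_tls_ciphers = low
smtpd_tls_ciphers = ${smtp_tls_ciphers}

# Which cipher grade do I use when a security level is set to anything
# other than 'none' or 'may'? 'medium' selects tls_medium_cipherlist
# (Mozilla intermediate) above. (With 'high' the Postfix default list
# would be used and the intermediate list would never apply.)
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = ${smtp_tls_mandatory_ciphers}

# Where do I get Diffie-Hellman key-exchange (DHE) parameters from?
# Needed by the DHE-* suites above for forward secrecy with clients that
# cannot do ECDHE. The 'dh1024' parameter is the one used by all non-export
# DHE suites; the 'dh512' parameter only serves EXPORT ciphers, which no
# list above offers and OpenSSL 1.1.1 no longer supports, so it is
# effectively unused. 4096-bit DH costs CPU on every handshake; 2048 bit
# (e.g. Mozilla's ffdhe2048) is the usual recommendation.
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams/dh_4096.pem
smtpd_tls_dh512_param_file  = /etc/ssl/dhparams/dh_2048.pem

# Where do I cache outgoing SMTP TLS sessions? (managed by tlsmgr(8))
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Where do I cache incoming SMTP TLS sessions?
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Should I ask connecting clients for their own certificate?
# Required for permit_tls_clientcerts in smtpd_relay_restrictions. The
# request is optional for the client, but Postfix warns that some clients
# react badly to being asked.
smtpd_tls_ask_ccert = yes

# Should I log remote servers that offer STARTTLS when we did not use TLS?
smtp_tls_note_starttls_offer = yes

# Should I record protocol and cipher in the "Received:" message headers?
smtpd_tls_received_header = yes

# How much of the TLS transactions should I log?
# 1 = one summary line per connection; 2 and above only for debugging.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = ${smtp_tls_loglevel}


# ------------------------------------------------------------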

SMTP Client Settings

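# SMTP Client Settings
# ------------------------------------------------------------

# What DNS lookup methods do I use for outgoing SMTP sessions?
# Possible values:
# 'disabled', 'enabled' or 'dnssec'
# NOTE(review): 'dnssec' trusts the AD bit set by the resolver named in
# /etc/resolv.conf, so DANE is only as strong as that path. Use a local
# validating resolver (e.g. unbound on 127.0.0.1): with a non-validating
# resolver the AD bit is never set and DANE silently degrades to 'may';
# with a remote one the bit could be forged on the wire.
smtp_dns_support_level = dnssec

# What TLS encryption and verification do I require for outgoing connections?
# Possible values:
# 'none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify' or 'secure'.
# 'dane' = opportunistic TLS, upgraded to verified mandatory TLS when the
# destination publishes usable, DNSSEC-signed TLSA records.
smtp_tls_security_level = dane

# How do I handle DANE TLSA certified MX hosts whose MX record was not
# DNSSEC-signed? (default 'dane')
#smtp_tls_dane_insecure_mx_policy = dane

# Where do I look up per-destination TLS policies when sending mail?
# Tables are searched in order and the first hit wins, and a hit *replaces*
# the 'dane' default for that destination: MySQL entries override MTA-STS,
# and an MTA-STS 'secure' result overrides any TLSA record the destination
# publishes. Confirm the MTA-STS resolver's DANE handling if that is not
# intended. The socket path is relative to $queue_directory when smtp(8)
# runs chrooted.
# ${config_directory} is used here like in the other lookup tables; on a
# single-instance Debian install $meta_directory expands to the same
# /etc/postfix, but it is the *shared* directory in multi-instance setups.
smtp_tls_policy_maps =
    mysql:${config_directory}/sql/tls-policy.cf
    socketmap:unix:/mta-sts/mta-sts.sock

# ------------------------------------------------------------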

SMTP Server Settings

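# SMTP Server Settings
# ------------------------------------------------------------

# Is TLS encryption required for incoming connections?
# Possible values: 'none', 'may' or 'encrypt'
# 'may' (opportunistic STARTTLS) is the right choice for a public MX:
# 'encrypt' would refuse mail from senders that cannot do TLS, and RFC 3207
# forbids a publicly referenced MX from requiring STARTTLS. Publishing
# TLSA (DANE) and MTA-STS policies for the relayed domains is what lets
# sending MTAs enforce TLS towards this host.
smtpd_tls_security_level = may


# ------------------------------------------------------------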

SMTP Relay Restrictions

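# SMTP Relay Restrictions
# ------------------------------------------------------------

# What message digest algorithm do I use for relay client certificate
# fingerprints? (Postfix 3.4 still defaults to md5; the table below must
# therefore hold sha256 fingerprints, colon-separated as printed by
# 'openssl x509 -noout -fingerprint -sha256'.)
smtpd_tls_fingerprint_digest = sha256

# Where do I look up the fingerprints of client certificates that may relay
# through me?
# NOTE(review): permit_tls_clientcerts matches the fingerprint only, no CA
# validation is involved, so this file is a relay trust anchor: keep it
# root-owned, and update it whenever a client certificate is renewed (a
# renewed certificate has a new fingerprint).
# ${config_directory} is used for consistency with the other tables;
# $meta_directory is the directory shared between Postfix instances.
relay_clientcerts = hash:${config_directory}/relay_clientcerts

# What restrictions apply to relaying (evaluated at RCPT TO)?
# Order matters: trusted networks first, then fingerprint-authenticated
# clients, and everyone else may only deliver to the relay_domains.
smtpd_relay_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    reject_unauth_destination


# ------------------------------------------------------------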

SMTP Server Restrictions

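# SMTP Server Restrictions
# ------------------------------------------------------------

# What is the maximum message size (in bytes)?
# 25 Megabytes = 26,214,400 Bytes. Announced in the EHLO SIZE response;
# keep it at or below what the backend mailbox servers accept, otherwise
# this host accepts mail that the next hop bounces.
message_size_limit = 26214400

# What restrictions apply to connecting clients?
# NOTE: the parameter is smtpd_* (server side). The 'smtp_*' spelling is
# not a Postfix parameter and is ignored (it only shows up as an 'unused
# parameter' warning from 'postfix check' and at start-up), which left
# these checks unenforced.
# reject_unknown_client_hostname requires a matching PTR -> A/AAAA
# round-trip and rejects a fair number of legitimate senders; the
# 'without_ptr' access map is the allow-list for known exceptions.
smtpd_client_restrictions =
    permit_mynetworks
    check_client_access hash:${config_directory}/without_ptr
    reject_unknown_client_hostname

# Are connecting clients required to send HELO/EHLO before anything else?
smtpd_helo_required = yes

# What restrictions apply to the HELO/EHLO hostname?
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# What restrictions apply to the envelope sender (MAIL FROM) address?
# (Same smtpd_* naming fix as above.) reject_unlisted_sender only rejects
# senders in the relayed domains that are not in relay_recipient_maps; it
# does not stop an outside host from forging a *listed* address, that is
# a job for SPF/DKIM/DMARC checks (rspamd, if enabled there).
smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_sender

# What restrictions apply to the envelope recipient (RCPT TO) address?
# Relay authorization lives in smtpd_relay_restrictions, and unknown relay
# recipients are already rejected via relay_recipient_maps.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain

# What restrictions apply at the DATA command?
smtpd_data_restrictions = reject_unauth_pipelining


# ------------------------------------------------------------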

Mail Filters (Milters)

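# Mail Filters (Milters)
# ------------------------------------------------------------

# Milters which handle mail that arrives via smtpd(8)
# Note: UNIX socket paths are relative to $queue_directory
# ('/var/spool/postfix') when the daemon is chrooted, as on Debian/Ubuntu;
# rspamd must create the socket there with permissions the 'postfix' user
# can use.
smtpd_milters = unix:/rspamd/rspamd_proxy.sock

# Milters which handle mail that arrives via sendmail(1) command-line or qmqpd(8)
# Note: same socket; cleanup(8) connects to it.
non_smtpd_milters = unix:/rspamd/rspamd_proxy.sock

# Which macros do I pass to the milter at MAIL FROM? The client_* macros
# give it the connecting IP and hostname; {auth_authen} is always empty
# here since no SASL authentication is configured.
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}

# What to do when a milter is unavailable or fails?
# Possible values:
#   'accept', 'reject', 'tempfail', or 'quarantine'.
# The Postfix default is 'tempfail' (fail closed: mail is deferred rather
# than let through unscanned); leave it unless a scanner outage is meant to
# pass mail.
#milter_default_action = tempfail

# -*- mode: txt; tab-width: 4; indent-tabs-mode:nil  -*-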