
Postfix

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail.

Further Reading:

http://www.postfix.org/documentation.html
http://www.postfix.org/docs.html

Installing Postfix

The first step is to install Postfix. We'll enter a sudo shell first to save typing sudo for every command:

sudo -s
apt update && apt install postfix -y

The installer asks two questions, about the type of mail configuration and the name of your mail server. Replace the hostname and domain values with your own:

  • the type of mail configuration: Internet Site
  • the system mail name: example.com

Once installed, check the Postfix version with:

postconf mail_version

Now open TCP port 25 inbound and outbound in iptables (see the iptables guide).

Send a test email to an external account, eg a Gmail address:

echo "test email" | sendmail your-account@gmail.com

A freshly installed server has no sender reputation, so this will almost certainly land in the spam folder. That is dealt with by further configuration later on.

Install a command-line mail user agent, which is useful for reading and sending email from the command line:

apt install mailutils

To check the maximum message size (which also bounds the size of any attachment):

postconf message_size_limit

The value is in bytes; the Postfix default is 10240000 (10 MB). To raise the limit, eg to 50 MB, run:

postconf -e message_size_limit=52428800

Check that the mailbox size has no limit:

postconf mailbox_size_limit

The value should be 0 (no limit), which is what Debian's packaged main.cf sets. Note that the Postfix built-in default is 51200000, smaller than the 50 MB message limit just set, and the local delivery agent refuses to run when mailbox_size_limit is non-zero and smaller than message_size_limit. If the value is not 0, set it with postconf -e in the same way as above.

Now set the hostname in the main Postfix config file. This must be the fully qualified name of the mail server: it is announced in the SMTP greeting and has to match the name the TLS certificate will be issued for later.

nano /etc/postfix/main.cf
myhostname = websrv1.example.com

Add an email alias so that mail addressed to root is delivered to your own account:

nano /etc/aliases

Add the following line at the bottom of the file:

root: username

replacing 'username' with your actual username. Once that's done, rebuild the alias database:

newaliases
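
As an added example (not part of the original guide), the script below sanity-checks the settings made so far. Its functions read "name = value" lines in the format printed by postconf, and /etc/aliases lines, and verify that myhostname is fully qualified, that mailbox_size_limit is either 0 or not smaller than message_size_limit, and that root's mail is redirected to a user account. The postconf output and aliases embedded at the bottom are constructed so that the script runs offline; the hostname websrv1.example.com is the one used on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the settings
# made so far. The functions read "name = value" lines in the format printed
# by postconf (and /etc/aliases lines), so on a real host run for example:
#   postconf | pc_get message_size_limit
#   check_root_alias < /etc/aliases
# The data at the bottom is constructed so the script also runs offline.

# pc_get NAME: print the value of parameter NAME from postconf output on stdin.
pc_get() {
    awk -v key="$1" -F' = ' '$1 == key { print $2; exit }'
}

# check_limits MESSAGE_LIMIT MAILBOX_LIMIT: local(8) refuses to run when
# mailbox_size_limit is non-zero and smaller than message_size_limit, which
# is exactly what happens if message_size_limit is raised to 50 MB on top of
# the Postfix built-in mailbox_size_limit of 51200000 (Debian ships 0).
check_limits() {
    if [ "$2" -ne 0 ] && [ "$2" -lt "$1" ]; then
        echo "FAIL: mailbox_size_limit ($2) is smaller than message_size_limit ($1)"
        return 1
    fi
    echo "OK: message_size_limit=$1 mailbox_size_limit=$2"
}

# check_hostname NAME: myhostname is used in the SMTP greeting and must match
# the certificate, so it has to be a fully qualified name (contains a dot).
check_hostname() {
    case "$1" in
        *.*) echo "OK: myhostname=$1" ;;
        *)   echo "FAIL: myhostname '$1' is not fully qualified"; return 1 ;;
    esac
}

# check_root_alias: read /etc/aliases on stdin; succeed only if root's mail
# is redirected to some other account (comment lines are skipped).
check_root_alias() {
    awk -F':[ \t]*' '/^#/ { next }
        $1 == "root" && $2 != "" && $2 != "root" { found = 1 }
        END { exit !found }'
}

# Constructed sample data standing in for `postconf` and /etc/aliases.
SAMPLE_POSTCONF='myhostname = websrv1.example.com
message_size_limit = 52428800
mailbox_size_limit = 0'
SAMPLE_ALIASES='postmaster: root
root: username'

check_hostname "$(printf '%s\n' "$SAMPLE_POSTCONF" | pc_get myhostname)"
check_limits "$(printf '%s\n' "$SAMPLE_POSTCONF" | pc_get message_size_limit)" \
             "$(printf '%s\n' "$SAMPLE_POSTCONF" | pc_get mailbox_size_limit)"
if printf '%s\n' "$SAMPLE_ALIASES" | check_root_alias; then
    echo "OK: mail for root is delivered to a user account"
else
    echo "FAIL: add 'root: username' to /etc/aliases and run newaliases"
fi
```

Feed the functions live data on the server with `postconf | pc_get myhostname` and `check_root_alias < /etc/aliases`; check_limits fails on purpose for the combination of a 50 MB message limit with the upstream default mailbox limit, which is the case the mailbox_size_limit step above guards against.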

Securing Email Traffic with TLS

We'll now issue the TLS certificates for the mail server with acme.sh, run as root. This assumes acme.sh is already installed in root's home directory and that the ClouDNS API credentials used by the dns_cloudns DNS-01 challenge are available to it. Two certificates are issued, one RSA (4096-bit) and one ECDSA (P-384); the post and renew hooks restrict the key files to root, and the renew hook also restarts Postfix and Dovecot (note that find runs those -exec restarts once per .pem file, which is harmless but noisy):

su -
~/.acme.sh/acme.sh --issue --dns dns_cloudns -d websrv1.example.com --keylength 4096 --key-file /etc/letsencrypt/rsa-certs/websrv1.example.com/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/websrv1.example.com/chain.pem --cert-file /etc/letsencrypt/rsa-certs/websrv1.example.com/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/websrv1.example.com/fullchain.pem --pre-hook "mkdir -p /etc/letsencrypt/rsa-certs/websrv1.example.com" --post-hook "find /etc/letsencrypt/rsa-certs/websrv1.example.com/ -name '*.pem' -type f -exec chmod 600 {} \;" --renew-hook "find /etc/letsencrypt/rsa-certs/websrv1.example.com/ -name '*.pem' -type f -exec chmod 600 {} \; -exec service postfix restart \; -exec service dovecot restart \;"
~/.acme.sh/acme.sh --issue --dns dns_cloudns -d websrv1.example.com --keylength ec-384 --key-file /etc/letsencrypt/ecc-certs/websrv1.example.com/privkey.pem --ca-file /etc/letsencrypt/ecc-certs/websrv1.example.com/chain.pem --cert-file /etc/letsencrypt/ecc-certs/websrv1.example.com/cert.pem --fullchain-file /etc/letsencrypt/ecc-certs/websrv1.example.com/fullchain.pem --pre-hook "mkdir -p /etc/letsencrypt/ecc-certs/websrv1.example.com" --post-hook "find /etc/letsencrypt/ecc-certs/websrv1.example.com/ -name '*.pem' -type f -exec chmod 600 {} \;" --renew-hook "find /etc/letsencrypt/ecc-certs/websrv1.example.com/ -name '*.pem' -type f -exec chmod 600 {} \; -exec service postfix restart \; -exec service dovecot restart \;"

Exit back to the sudo shell:

exit

To send email from a desktop email client, we need to enable the Postfix submission service so that the client can hand messages to the Postfix SMTP server:

nano /etc/postfix/master.cf

Uncomment or add the following lines to the submission section:

submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth

This enables the Postfix submission daemon on TCP port 587 and makes TLS mandatory there (smtpd_tls_security_level=encrypt): a desktop email client must negotiate STARTTLS before it can authenticate or send, and smtpd_tls_wrappermode=no selects STARTTLS on 587 rather than the implicit TLS used by the smtps service on port 465. Authentication is handed to Dovecot's SASL service over the private/auth socket, so clients will only be able to log in once Dovecot is set up, and relaying is permitted only to authenticated clients (the recipient restrictions additionally admit hosts in mynetworks). Remember to open TCP port 587 in iptables as you did for port 25.

Now specify the locations of the TLS certificate and private key in the Postfix configuration file. Only the RSA certificate is referenced below; the ECDSA certificate issued above stays unused unless both are listed with smtpd_tls_chain_files (Postfix 3.4 and later):

nano /etc/postfix/main.cf

Edit as follows:

smtpd_tls_cert_file = /etc/letsencrypt/rsa-certs/websrv1.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/rsa-certs/websrv1.example.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Allow only TLSv1.2 and TLSv1.3 (Postfix 3.6 and later also accept the shorter form >=TLSv1.2)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Enable the Postfix service to start on boot:

systemctl enable postfix

And restart Postfix:

systemctl restart postfix
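
As an added example, not code from the guide or from Postfix itself, the script below checks whether a Postfix TLS protocol list such as the ones just configured still lets a legacy protocol through, and includes a live probe of the submission port using openssl s_client. It understands the exclusion syntax used above, a plain inclusion list, and the >=TLSv1.2 floor syntax of Postfix 3.6 and later. The protocol lists in the offline demo are constructed inputs; the hostname websrv1.example.com is the one used on this page, and the probe assumes openssl is installed on the machine you run it from.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Postfix: decide whether
# a Postfix TLS protocol list still lets a legacy protocol through, and probe
# the live submission port. Understands the exclusion syntax used above
# ("!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"), an inclusion list ("TLSv1.2, TLSv1.3")
# and the floor syntax of Postfix 3.6 and later (">=TLSv1.2").

# legacy_tls_allowed LIST: return 0 if SSLv2, SSLv3, TLSv1 or TLSv1.1 can
# still be negotiated, 1 if only TLSv1.2 and newer remain.
legacy_tls_allowed() {
    [ -n "$1" ] || return 0                  # empty list = no restriction at all
    # Commas to spaces, then pad every token so " TOKEN " matches whole names
    # only ("!TLSv1" must not match "!TLSv1.1").
    list=$(printf ' %s ' $(printf '%s' "$1" | tr ',' ' '))
    case "$list" in
        *'>='*)                              # floor syntax
            case "$list" in
                *'>=TLSv1.2 '*|*'>=TLSv1.3 '*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *'!'*)                               # exclusion list: every legacy name must be excluded
            for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
                case "$list" in
                    *" !$p "*) ;;
                    *) return 0 ;;
                esac
            done
            return 1 ;;
        *)                                   # inclusion list: no legacy name may appear
            for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
                case "$list" in
                    *" $p "*) return 0 ;;
                esac
            done
            return 1 ;;
    esac
}

# probe_submission HOST: live check from another machine once port 587 is
# open (needs network, so it is not run in the offline demo). The TLSv1.1
# handshake must fail and the TLSv1.2 one must succeed. @SECLEVEL=0 is needed
# because current OpenSSL clients refuse TLSv1.1 on their own, which would
# otherwise hide a server that still accepts it.
probe_submission() {
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:587" \
          -servername "$1" -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' 2>&1)
    if printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1.1'; then
        echo "FAIL: $1:587 negotiated TLSv1.1"
        return 1
    fi
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:587" \
          -servername "$1" -tls1_2 2>&1)
    if printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1.2'; then
        echo "OK: $1:587 rejects TLSv1.1 and completes a TLSv1.2 STARTTLS handshake"
        return 0
    fi
    echo "FAIL: no TLSv1.2 STARTTLS handshake with $1:587"
    return 1
}

# Offline demo: the value used in main.cf above next to constructed weaker ones.
for value in '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' '>=TLSv1.2' '!SSLv2, !SSLv3' 'TLSv1, TLSv1.2'; do
    if legacy_tls_allowed "$value"; then
        echo "WEAK: '$value' still permits TLSv1 or TLSv1.1"
    else
        echo "OK:   '$value' allows TLSv1.2 and newer only"
    fi
done

# Live probe only when a host name is given, eg: ./tlscheck.sh websrv1.example.com
if [ $# -eq 1 ]; then
    probe_submission "$1"
fi
```

On the server, check each of the four parameters with the live value, eg `legacy_tls_allowed "$(postconf -h smtpd_tls_protocols)"`; then run the probe from another machine once port 587 is open. A list that excludes only SSLv2 and SSLv3 is reported as weak because TLSv1 and TLSv1.1 remain negotiable, which is the mistake the exclusion lines above avoid.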

Further Reading:

https://www.oreilly.com/library/view/postfix-the-definitive/0596002122/ch04s05.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html
https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
http://www.postfix.org/TLS_README.html
https://help.ubuntu.com/lts/serverguide/postfix.html
https://access.redhat.com/articles/1468593
https://wiki.archlinux.org/index.php/Postfix