# postfix setup

## redwood

Hi, I have a question for a postfix guru.

I followed this Gentoo guide to setup a postfix server

http://en.gentoo-wiki.com/wiki/Postfix,_Courier,_Squirrelmail_and_Spamassassin

and also setup SenderPolicyFramework authentication

http://www.gentoo.org/proj/en/infrastructure/spf-howto.xml

Following the configuration guide, 

I have a setup which filters out most spam.

However, I'm also rejecting some legitimate emails, such as email from state government agencies and some banks.

I believe the problem is that these particular domains are not using SPF 

and that they have outsourced their mail servers.

For instance, I've had to whitelist the following email address in my client_access hash file:

```
# XXXXXX@co.accomack.va.us
# cocotel.accomack.gov
38.124.138.118          permit_auth_destination
```

I've checked the mx and spf records for co.accomack.va.us using mxtoolbox.com's tools

and there is no spf record for the county domain and the mx server is listed as

```
d18888a.ess.barracudanetworks.com 	64.235.150.197
d18888b.ess.barracudanetworks.com 	64.235.150.197
```

And similarly for Virginia's State Corporation Commission:

```
# user@scc.virginia.gov
# mail0134.smtp25.com [reverse dns]
75.126.84.134 permit_auth_destination
```

And CHASE bank sends its secure email using isentry

so mail from user@chase.com

actually comes from:

```
# isentry.com
# ChaseSecureMail@isentry.com
178.32.180.60 permit_auth_destination
```

And I've just recently run into a problem getting mail

from a mortgage company which seems to be sending

its mail through

smtp[xxx].iad.emailsrvr.com where xxx would be the last 

part of the ip address 207.97.245.xxx

and there are many, many xxx where mail is being sent from

for any particular user.

So mail from user@MORTGAGECO.com 

actually comes from smtp[xxx].iad.emailsrvr.com

If all these domains used SPF records, then there would be no problem

authenticating the clients in order to receive mail from them.

Does anybody know if my postfix setup is sane?

I want to reject mail with spoofed rfc822 FROM records

and only accept mail delivery to actual users on my system.

I don't want to be a relay and I will authenticate clients with a proper SPF record.

My /etc/postfix/main.cf :

```
# cat main.cf|grep -v '^#'|grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mx.mydomain.net
mydomain = mydomain.net
myorigin = $mydomain
inet_interfaces = all
proxy_interfaces = 192.168.1.1
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,  www.$mydomain, ftp.$mydomain, pbx.$mydomain
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains = mysql:$config_directory/virtual_mailbox_domains.cf
virtual_minimum_uid = 1000
virtual_gid_maps = static:5022
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_uid_maps = static:5006
virtual_mailbox_base = /
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 10.0.0.0/24
relayhost = [outgoing.verizon.net]
alias_maps     = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
home_mailbox = .maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -a "DOMAIN"
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.9.3/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.9.3/readme
inet_protocols = ipv4
mail_spool_directory = /var/spool/mail
smtpd_sasl2_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtpd_tls_key_file  = /etc/ssl/postfix/mydomain.net.key
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/ssl/postfix/mydomain.net.crt
smtp_tls_key_file = /etc/ssl/postfix/mydomain.net.key
smtp_tls_CAfile = /etc/ssl/postfix/cacert.org.crt
tls_random_source = dev:/dev/urandom
check_sender_access = hash:/etc/postfix/sender_access
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:10030
owner_request_special = no
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/valias
alias_maps         = mysql:/etc/postfix/mysql-aliases.cf
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
allow_mail_to_commands = alias,forward
message_size_limit=30720000
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000
smtpd_helo_required = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
                            reject_unknown_client
smtpd_sender_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_unlisted_sender,
        warn_if_reject reject_unverified_sender,
        reject_unknown_sender_domain,
        reject_unknown_address
policy_time_limit = 3600
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/policy,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
```

Thanks for any suggestions.
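The whitelist entries above are single IP addresses, but the shared-provider case (smtp[xxx].iad.emailsrvr.com across 207.97.245.0/24) is exactly what the prefix lookups of access(5) are for: with an indexed (hash:) table, check_client_access tries the client hostname and its parent domains, then the full client IP address, then the address with the least significant octets stripped one by one. The model below is an added example written for this thread, not code from Postfix or from the original post; the table contents are taken from the entries above plus a constructed `207.97.245` network key, and how far Postfix descends through parent domains is treated as an assumption (it depends on parent_domain_matches_subdomains). The caveat a defender should weigh before using a network key: it whitelists every other customer of that provider who sends from the same /24, not just the one mortgage company.

```python
import ipaddress

# Constructed client_access table in the shape of the hash: entries posted in
# the thread, plus one network-prefix key (assumed) covering the emailsrvr.com
# relay block instead of listing every smtp[xxx] host individually.
CLIENT_ACCESS = {
    "38.124.138.118": "permit_auth_destination",   # cocotel.accomack.gov
    "75.126.84.134": "permit_auth_destination",    # mail0134.smtp25.com
    "178.32.180.60": "permit_auth_destination",    # isentry.com
    "207.97.245": "permit_auth_destination",       # 207.97.245.0/24 (assumed key)
}


def access_lookup_keys(hostname, ip):
    """Keys Postfix tries, in order, for check_client_access on a hash: table.

    Per access(5): the client hostname and its parent domains first, then the
    IPv4 address and the networks obtained by dropping trailing octets
    (net.work.addr.ess, net.work.addr, net.work, net). 'unknown' is what smtpd
    reports when reverse DNS fails, so it is never used as a key. Descending
    all the way to the top-level label is an assumption of this model.
    """
    keys = []
    if hostname and hostname.lower() != "unknown":
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            keys.append(".".join(labels[i:]))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return keys  # IPv6 prefix matching is not modelled in this example
    octets = ip.split(".")
    for n in range(4, 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def access_lookup(table, hostname, ip):
    """Return (matching_key, action) for the first key found, or None."""
    for key in access_lookup_keys(hostname, ip):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    for host, addr in [("smtp12.iad.emailsrvr.com", "207.97.245.12"),
                       ("cocotel.accomack.gov", "38.124.138.118"),
                       ("d18888a.ess.barracudanetworks.com", "64.235.150.197")]:
        print(host, addr, "->", access_lookup(CLIENT_ACCESS, host, addr))
```

The same prefix rules apply to the hostname side, so a key such as `iad.emailsrvr.com` would match every smtp[xxx].iad.emailsrvr.com client by name rather than by address; a cidr: table is the alternative when the network boundary is not on an octet.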

----------

## redwood

For now I'm going to try the following 

```
smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
                            reject_unknown_reverse_client_hostname,
                            warn_if_reject reject_unknown_client
```

which will reject using the more forgiving "reject_unknown_reverse_client_hostname"

and warn instead of reject when using the stricter rule "reject_unknown_client".

I think there may be a separate issue with receiving emails 

from some companies with large attachments.

I was receiving most emails from a mortgage company 

but was not receiving the critical emails with attachments.

I initially thought postfix was rejecting the client email servers, 

but looking through the maillog 

I now think the connections were getting disconnected after a timeout.

(The maillog can be confusing since the log messages 

for all the clients trying to deliver mail are all interleaved together

making following the processing of a single email difficult to sort through)

Some Googling suggested I may need to set the MTU of my nic to 1492 to match the setting in

my DD-WRT router for my ADSL connection to the internet.

So I've set mtu_eth0=1492   in  /etc/conf.d/net 

I've also set CLAMPMSS=Yes in  shorewall.conf

Hopefully, these changes will fix the postfix missing emails.
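The interleaving problem described above has a standard remedy: smtpd logs the connect, reject, timeout and disconnect lines under its process ID, and everything after acceptance under the queue ID, so grouping on those two keys turns the mixed log into per-connection and per-message histories. The script below is an added example written for this thread, not part of the original post or of Postfix; the sample log lines are constructed (hostnames, addresses and queue IDs are made up) and follow the default syslog line format. It also follows the content_filter hand-off ("queued as NEWID" in the smtp status line) so a message re-injected by amavis can be traced under its second queue ID, and it surfaces the "timeout after DATA" sessions that would explain missing large attachments.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (made-up hosts, IPs, queue IDs):
# one message accepted and handed to the content filter, one client rejected
# for missing reverse DNS, and one connection that stalls in DATA and times out.
SAMPLE_MAILLOG = """\
Mar  3 10:01:02 mx postfix/smtpd[2101]: connect from mail.example-mortgage.test[203.0.113.10]
Mar  3 10:01:02 mx postfix/smtpd[2102]: connect from unknown[198.51.100.7]
Mar  3 10:01:03 mx postfix/smtpd[2101]: 7A1B2C3D4E: client=mail.example-mortgage.test[203.0.113.10]
Mar  3 10:01:03 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@sender.test> to=<me@mydomain.test> proto=ESMTP helo=<x.test>
Mar  3 10:01:04 mx postfix/cleanup[2110]: 7A1B2C3D4E: message-id=<1@example-mortgage.test>
Mar  3 10:01:04 mx postfix/qmgr[1900]: 7A1B2C3D4E: from=<loans@example-mortgage.test>, size=1480, nrcpt=1 (queue active)
Mar  3 10:01:05 mx postfix/smtpd[2102]: disconnect from unknown[198.51.100.7]
Mar  3 10:01:05 mx postfix/smtp[2120]: 7A1B2C3D4E: to=<me@mydomain.test>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1/0/0/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
Mar  3 10:01:05 mx postfix/qmgr[1900]: 7A1B2C3D4E: removed
Mar  3 10:01:06 mx postfix/smtpd[2101]: disconnect from mail.example-mortgage.test[203.0.113.10]
Mar  3 10:07:00 mx postfix/smtpd[2130]: connect from mail.example-mortgage.test[203.0.113.11]
Mar  3 10:07:01 mx postfix/smtpd[2130]: 5E4D3C2B1A: client=mail.example-mortgage.test[203.0.113.11]
Mar  3 10:12:01 mx postfix/smtpd[2130]: timeout after DATA (262144 bytes) from mail.example-mortgage.test[203.0.113.11]
Mar  3 10:12:01 mx postfix/smtpd[2130]: disconnect from mail.example-mortgage.test[203.0.113.11]
"""

# "Mon DD HH:MM:SS host prefix/daemon[pid]: message"; the prefix is usually
# "postfix" but may carry an instance or service name (postfix/submission).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prefix>\S+)/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$")
REQUEUE_RE = re.compile(r"queued as (?P<qid>[0-9A-F]{6,})")
TIMEOUT_RE = re.compile(r"^((?:timeout|lost connection) after \w+)")


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def smtpd_sessions(log_text):
    """Group smtpd lines into per-connection sessions keyed by PID.

    Before a message is accepted smtpd has no queue ID, so the PID is the only
    key tying 'connect', 'reject', 'timeout' and 'disconnect' lines together.
    """
    open_sessions, finished = {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "smtpd":
            continue
        pid, msg = rec["pid"], rec["msg"]
        if msg.startswith("connect from "):
            open_sessions[pid] = {"pid": pid, "client": msg[len("connect from "):],
                                  "start": rec["ts"], "end": None,
                                  "queue_ids": [], "rejects": [], "timeout": None}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # connect line fell outside this log window
        qm = QUEUE_RE.match(msg)
        body = qm["rest"] if qm else msg
        if qm and qm["qid"] != "NOQUEUE":
            sess["queue_ids"].append(qm["qid"])
        elif qm:
            sess["rejects"].append(body)  # NOQUEUE: reject: ...
        tm = TIMEOUT_RE.match(body)
        if tm:
            sess["timeout"] = tm.group(1)
        if msg.startswith("disconnect from "):
            sess["end"] = rec["ts"]
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # still connected at end of log
    return finished


def message_history(log_text):
    """Collect every line carrying a queue ID, and map a content_filter
    hand-off (status=sent ... queued as NEWID) to the re-injected queue ID."""
    by_qid, requeued_as = defaultdict(list), {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        qm = QUEUE_RE.match(rec["msg"]) if rec else None
        if not qm or qm["qid"] == "NOQUEUE":
            continue
        by_qid[qm["qid"]].append((rec["ts"], rec["prog"], qm["rest"]))
        rm = REQUEUE_RE.search(qm["rest"])
        if rm:
            requeued_as[qm["qid"]] = rm["qid"]
    return dict(by_qid), requeued_as


def stalled_sessions(log_text):
    """Sessions that ended in a timeout or lost connection: the symptom to
    look for when large attachments from one sender never arrive."""
    return [s for s in smtpd_sessions(log_text) if s["timeout"]]


if __name__ == "__main__":
    for s in stalled_sessions(SAMPLE_MAILLOG):
        print(s["start"], s["client"], s["timeout"], "queue ids:", s["queue_ids"])
```

Run it against `/var/log/mail.log` by reading the file into `smtpd_sessions`; sessions that show a queue ID followed by a timeout rather than a qmgr `removed` line are the ones where the body transfer, not the restriction stage, is failing.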

----------

## cach0rr0

one thing to remember with postfix config

the settings you add to main.cf are not "starting from scratch" settings

they are overrides for postfix's defaults

so many of the settings you have in main.cf are not necessarily needed. 

as root, type:

```
postconf -d
```

this will show you postfix defaults. Anything postconf -d shows, that you have set in main.cf, probably does not need to be in main.cf

this will make your main.cf much easier to read and manage - especially for me, since I am too lazy to look up what every one of those settings means in the order you've used them :)

indeed this is not SPF related. The SPF guide you quoted relates to you, the user, sending e-mail, rather than an MTA receiving the e-mail. Specifically, that SPF document is for Gentoo staff using Gentoo mail systems to send e-mail, and instructs Gentoo staff how to set up their mail clients to use Gentoo servers to send their @gentoo.org e-mail.
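Comparing `postconf -n` (what main.cf sets) against `postconf -d` (the built-in defaults) by eye is tedious for a file this long, so the script below does it mechanically. It is an added example for this thread, not Postfix tooling or code from either poster; the two inputs are constructed excerpts in the shape of postconf output, not real default values for any particular build. Besides the redundant settings cach0rr0 is after, it reports two things a reviewer of the posted main.cf would also want flagged: names that do not exist in the defaults at all (Postfix warns about such unused parameters, and a restriction name written as a parameter would land here) and parameters set more than once in the file (Postfix takes the last one and postconf warns that it overrides an earlier entry).

```python
import re

# Constructed main.cf excerpt in the style of the one posted in this thread.
SAMPLE_MAIN_CF = """\
# constructed excerpt, not a real main.cf
queue_directory = /var/spool/postfix
mail_owner = postfix
biff = no
smtpd_helo_required = yes
message_size_limit=30720000
setgid_group = postdrop
recipient_delimiter = +
mail_spool_directory = /var/spool/mail
check_sender_access = hash:/etc/postfix/sender_access
mail_spool_directory = /var/spool/mail
smtpd_client_restrictions = permit_mynetworks,
        check_client_access hash:/etc/postfix/client_access,
        reject_unknown_client
"""

# Constructed stand-in for `postconf -d` output; values are illustrative only.
SAMPLE_DEFAULTS = """\
queue_directory = /var/spool/postfix
mail_owner = postfix
biff = yes
smtpd_helo_required = no
message_size_limit = 10240000
setgid_group = postdrop
recipient_delimiter =
mail_spool_directory = /var/spool/mail
smtpd_client_restrictions =
"""


def parse_postconf(text):
    """Parse 'name = value' lines from postconf output or a main.cf file.

    A line starting with whitespace continues the previous value (main.cf
    style); blank and '#' lines are skipped. Later settings override earlier
    ones, which is how Postfix itself reads the file.
    """
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params


def normalize(value):
    """Postfix treats commas and whitespace as list separators; compare on tokens."""
    return " ".join(t for t in re.split(r"[\s,]+", value.strip()) if t)


def audit_main_cf(explicit_text, defaults_text):
    """Classify each explicitly set parameter against the defaults."""
    explicit = parse_postconf(explicit_text)
    defaults = parse_postconf(defaults_text)
    redundant = sorted(n for n, v in explicit.items()
                       if n in defaults and normalize(v) == normalize(defaults[n]))
    unknown = sorted(n for n in explicit if n not in defaults)
    changed = sorted(n for n in explicit if n in defaults and n not in redundant)
    return {"redundant": redundant, "unknown": unknown, "changed": changed}


def duplicate_settings(main_cf_text):
    """Parameters assigned more than once in a raw main.cf (postconf -n hides this)."""
    counts = {}
    for line in main_cf_text.splitlines():
        if not line.strip() or line[0] in " \t#":
            continue
        name, sep, _ = line.partition("=")
        if sep:
            counts[name.strip()] = counts.get(name.strip(), 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    report = audit_main_cf(SAMPLE_MAIN_CF, SAMPLE_DEFAULTS)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
    print("duplicates:", ", ".join(duplicate_settings(SAMPLE_MAIN_CF)) or "-")
```

On a live system feed it the real outputs, e.g. `audit_main_cf(open('postconf-n.txt').read(), open('postconf-d.txt').read())` after saving `postconf -n` and `postconf -d` to those files as root; the `redundant` list is what can be dropped from main.cf without changing behaviour.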

----------

## redwood

Thanks for your tips!

I set up my postfix mail server years ago and couldn't remember the exact Gentoo guides (which might have changed anyhow since then) so I just Googled for "Gentoo postfix + courier-imap + squirrelmail"

and "Gentoo spf" so maybe I got the spf url wrong -- my apologies.

Anyhow I do use spf policy delegation in my master.cf:

```
policy  unix  -       n       n       -       -       spawn
   user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl
```

There is a Gentoo package for a python script for spf (mail-filter/pypolicyd-spf)

but I think I downloaded the perl script instead from 

http://www.openspf.org/Software

https://launchpad.net/postfix-policyd-spf-perl/

----------

## cach0rr0

only thing in that that is somewhat foreign to me is courier - never given it much time. I've either had very simple needs, for which Dovecot fit the bill perfectly, or more complex needs, for which I've used Cyrus IMAP. Result of which, I put together this bit of doc: http://whitehathouston.com/documentation/gentoo/postfix_cyrus_vhost_howto.htm

based on this thread

might be of some use.

----------

