Today we’ll look at configuring a mail service for LFCS objectives. We’ll use the Postfix implementation that already comes preinstalled on CentOS.
The configuration file with all Postfix parameters is /etc/postfix/main.cf and it is massive. Instead of manually editing it, it’s easier to use postconf. Without arguments, it displays all parameters. If given a parameter name, it will show that parameter’s value, and with the -e flag it can modify parameters.
Another important file for mail configuration is /etc/aliases. If you want a mail destined to a user to be delivered to another user, you can set an alias:
The alias will get the mails destined for the user. I’ve added an alias on my system so that root’s mail will be delivered to nixhat:
After changing any alias settings, you have to refresh the alias DB with the command postalias /etc/aliases.
Now it’s time to edit some parameters in order to set up a working mail configuration.
- The myorigin parameter specifies the domain that locally-posted mail appears to come from
The default is to use the hostname for this, but I will change it to use just the domain (example.com in this case)
- The inet_interfaces parameter specifies the network interface addresses that this mail system receives mail on
Here I have mine listening on the Ethernet interface in addition to localhost:
- The relayhost parameter specifies the default host to send mail to when no entry is matched in the optional transport(5) table. When no relayhost is given, mail is routed directly to the destination. On an intranet, specify the organizational domain name. In the case of SMTP, specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups.
If you want to forward mail to a central host, use the relayhost parameter
- The mydestination parameter specifies the list of domains that this machine considers itself the final destination for. This parameter is important for receiving messages
- The mynetworks parameter specifies the list of “trusted” SMTP clients that are allowed to relay mail through Postfix. It can allow clients on the local subnet, in a range, just a host, or manually specified.
Restricting access to the server
For receiving mail, you can add some settings to harden the security of your server:
- smtpd_helo_required – Require that a remote SMTP client sends HELO or EHLO before commencing a MAIL transaction
- smtpd_helo_restrictions – other optional restrictions:
permit_mynetworks – Permit the request when the client IP address matches any network or network address listed in $mynetworks
reject_invalid_helo_hostname – Reject the request when the HELO or EHLO hostname is malformed
- smtpd_sender_restrictions – Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command:
reject_unknown_sender_domain – Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname
- smtpd_recipient_restrictions – Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command
reject_unauth_destination – reject the request unless 1) Postfix is the mail forwarder; or 2) Postfix is the final destination
After changing Postfix settings, it is a good idea to run postfix check to check the validity of the config file. Then restart Postfix.
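The restrictions listed above can be verified mechanically after a change. The script below is an added example, not part of the original post: it reads postconf-style "name = value" lines and reports which of this page's receive-side settings are missing. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `postconf` output ("name = value" lines) for the
# receive-side settings covered above. Function names are illustrative.

# get_param NAME: print NAME's value from the config text held in $CONF.
get_param() {
    printf '%s\n' "$CONF" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# has_token VALUE TOKEN: succeed if TOKEN is an item of the comma/space list VALUE.
has_token() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxF -- "$2"
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_postfix: read config text on stdin, print one line per finding and
# return the number of findings (0 means every check passed).
audit_postfix() {
    CONF=$(cat)
    findings=0
    [ "$(get_param smtpd_helo_required)" = "yes" ] ||
        flag "smtpd_helo_required is not 'yes'"
    has_token "$(get_param smtpd_helo_restrictions)" reject_invalid_helo_hostname ||
        flag "smtpd_helo_restrictions lacks reject_invalid_helo_hostname"
    has_token "$(get_param smtpd_sender_restrictions)" reject_unknown_sender_domain ||
        flag "smtpd_sender_restrictions lacks reject_unknown_sender_domain"
    # Postfix 2.10 and later can carry this check in smtpd_relay_restrictions.
    has_token "$(get_param smtpd_recipient_restrictions)" reject_unauth_destination ||
        has_token "$(get_param smtpd_relay_restrictions)" reject_unauth_destination ||
        flag "reject_unauth_destination not found in recipient or relay restrictions"
    # Trusting every address in mynetworks lets any client relay mail.
    if has_token "$(get_param mynetworks)" "0.0.0.0/0"; then
        flag "mynetworks trusts 0.0.0.0/0"
    fi
    return "$findings"
}

# Constructed sample input (not taken from a real host).
SAMPLE_WEAK='smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_sender_restrictions =
smtpd_recipient_restrictions = permit_mynetworks
mynetworks = 127.0.0.0/8, 0.0.0.0/0'

printf '%s\n' "$SAMPLE_WEAK" | audit_postfix || echo "findings: $?"
```

On a live host, feed it the running configuration with postconf | audit_postfix.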
Now to test it:
On user nixhat:
So it works. If you want to see more about the status of your mails, look inside /var/log/maillog:
Some other useful actions with mail would be to view the mail queue with mailq and flush the queue with postfix flush
Also see man 5 postconf for all Postfix parameters