Mon, 20 Apr 2009 19:22:00 +0200
Change unfortunate but partly useful overreaching security tradeoff.
The principle of allocating each running process an individual system
user and group can have security benefits; however, maintaining a plethora
of users, groups, processes, file modes, file permissions, and even
nonportable file ACLs on a host serving from a hundred processes has
some security disadvantages. This tradeoff is even worse for systems
like OpenPKG which benefit from administration transparency through the
use of minimal system intrusion and only three usage privilege levels.
michael@146 | 1 | <file name="Makefile"> |
michael@146 | 2 | ## |
michael@146 | 3 | ## @l_prefix@/etc/postfix/Makefile -- maintainance procedures |
michael@146 | 4 | ## |
michael@146 | 5 | |
michael@146 | 6 | # path configuration |
michael@146 | 7 | PREFIX = @l_prefix@ |
michael@146 | 8 | SBINDIR = $(PREFIX)/sbin |
michael@146 | 9 | ETCDIR = $(PREFIX)/etc |
michael@146 | 10 | |
michael@146 | 11 | # program configuration |
michael@146 | 12 | RC = $(ETCDIR)/rc |
michael@146 | 13 | POSTALIAS = $(SBINDIR)/postalias |
michael@146 | 14 | POSTMAP = $(SBINDIR)/postmap |
michael@146 | 15 | POSTFIX = $(SBINDIR)/postfix |
michael@146 | 16 | |
michael@146 | 17 | # table filename configuration |
michael@146 | 18 | T_ACCESS = access |
michael@146 | 19 | T_CANONICAL = canonical |
michael@146 | 20 | T_GENERIC = generic |
michael@146 | 21 | T_VIRTUAL = virtual |
michael@146 | 22 | T_RELOCATED = relocated |
michael@146 | 23 | T_TRANSPORT = transport |
michael@146 | 24 | T_ALIASES = aliases |
michael@146 | 25 | |
michael@146 | 26 | # dependency tracking |
michael@146 | 27 | TIMESTAMP = .up-to-date |
michael@146 | 28 | DEPENDENCIES = Makefile master.cf main.cf $(TABLES) |
michael@146 | 29 | |
michael@146 | 30 | # managed tables: |
michael@146 | 31 | # - use extension ".db" for hash tables ("hash") |
michael@146 | 32 | # - use no extension for regex tables ("pcre") |
michael@146 | 33 | TABLES = \ |
michael@146 | 34 | $(T_ACCESS).db \ |
michael@146 | 35 | $(T_CANONICAL).db \ |
michael@146 | 36 | $(T_GENERIC).db \ |
michael@146 | 37 | $(T_VIRTUAL).db \ |
michael@146 | 38 | $(T_RELOCATED).db \ |
michael@146 | 39 | $(T_TRANSPORT).db \ |
michael@146 | 40 | $(T_ALIASES).db |
michael@146 | 41 | |
michael@146 | 42 | # default target |
michael@146 | 43 | all: $(TABLES) $(TIMESTAMP) |
michael@146 | 44 | |
michael@146 | 45 | # implicit checking and reloading |
michael@146 | 46 | $(TIMESTAMP): $(DEPENDENCIES) |
michael@146 | 47 | $(POSTFIX) check |
michael@146 | 48 | $(POSTFIX) reload >/dev/null 2>&1 || true |
michael@146 | 49 | touch $(TIMESTAMP) && chmod 600 $(TIMESTAMP) |
michael@146 | 50 | |
michael@146 | 51 | # explicit checking |
michael@146 | 52 | check: |
michael@146 | 53 | $(POSTFIX) check |
michael@146 | 54 | |
michael@146 | 55 | # hash table update targets |
michael@146 | 56 | $(T_ACCESS).db: $(T_ACCESS) $(MAKEFILE) |
michael@146 | 57 | $(POSTMAP) hash:$(T_ACCESS) |
michael@146 | 58 | $(T_CANONICAL).db: $(T_CANONICAL) $(MAKEFILE) |
michael@146 | 59 | $(POSTMAP) hash:$(T_CANONICAL) |
michael@146 | 60 | $(T_GENERIC).db: $(T_GENERIC) $(MAKEFILE) |
michael@146 | 61 | $(POSTMAP) hash:$(T_GENERIC) |
michael@146 | 62 | $(T_VIRTUAL).db: $(T_VIRTUAL) $(MAKEFILE) |
michael@146 | 63 | $(POSTMAP) hash:$(T_VIRTUAL) |
michael@146 | 64 | $(T_RELOCATED).db: $(T_RELOCATED) $(MAKEFILE) |
michael@146 | 65 | $(POSTMAP) hash:$(T_RELOCATED) |
michael@146 | 66 | $(T_TRANSPORT).db: $(T_TRANSPORT) $(MAKEFILE) |
michael@146 | 67 | $(POSTMAP) hash:$(T_TRANSPORT) |
michael@146 | 68 | $(T_ALIASES).db: $(T_ALIASES) $(MAKEFILE) |
michael@146 | 69 | $(POSTALIAS) hash:$(T_ALIASES) |
michael@146 | 70 | |
michael@146 | 71 | # cleanup target |
michael@146 | 72 | clean: |
michael@146 | 73 | -rm -f $(TABLES) |
michael@146 | 74 | -rm -f $(TIMESTAMP) |
michael@146 | 75 | |
michael@146 | 76 | # process management |
michael@146 | 77 | start: |
michael@146 | 78 | $(RC) postfix start |
michael@146 | 79 | reload: |
michael@146 | 80 | $(RC) postfix reload |
michael@146 | 81 | stop: |
michael@146 | 82 | $(RC) postfix stop |
michael@146 | 83 | |
michael@146 | 84 | </file> |
michael@146 | 85 | <file name="master.cf"> |
michael@146 | 86 | ## |
michael@146 | 87 | ## @l_prefix@/etc/postfix/master.cf -- Postfix master process table |
michael@146 | 88 | ## |
michael@146 | 89 | # ========================================================================== |
michael@146 | 90 | # service type private unpriv chroot wakeup maxproc command + args |
michael@146 | 91 | # (yes) (yes) (yes) (never) (100) |
michael@146 | 92 | # ========================================================================== |
michael@146 | 93 | smtp inet n - n - - smtpd |
michael@146 | 94 | #628 inet n - n - - qmqpd |
michael@146 | 95 | pickup fifo n - n 60 1 pickup |
michael@146 | 96 | cleanup unix n - n - 0 cleanup |
michael@146 | 97 | qmgr fifo n - n 300 1 qmgr |
michael@146 | 98 | tlsmgr unix - - n 1000? 1 tlsmgr |
michael@146 | 99 | rewrite unix - - n - - trivial-rewrite |
michael@146 | 100 | bounce unix - - n - 0 bounce |
michael@146 | 101 | defer unix - - n - 0 bounce |
michael@146 | 102 | trace unix - - n - 0 bounce |
michael@146 | 103 | verify unix - - n - 1 verify |
michael@146 | 104 | flush unix n - n 1000? 0 flush |
michael@146 | 105 | proxymap unix - - n - - proxymap |
michael@146 | 106 | proxywrite unix - - n - - proxymap |
michael@146 | 107 | smtp unix - - n - - smtp |
michael@146 | 108 | relay unix - - n - - smtp -o fallback_relay= |
michael@146 | 109 | showq unix n - n - - showq |
michael@146 | 110 | error unix - - n - - error |
michael@146 | 111 | retry unix - - n - - error |
michael@146 | 112 | local unix - n n - - local |
michael@146 | 113 | virtual unix - n n - - virtual |
michael@146 | 114 | lmtp unix - - n - - lmtp |
michael@146 | 115 | anvil unix - - n - 1 anvil |
michael@146 | 116 | scache unix - - n - 1 scache |
michael@146 | 117 | #maildrop unix - n n - - pipe flags=DRhu user=@l_nusr@ argv=@l_prefix@/bin/maildrop -d ${recipient} |
michael@146 | 118 | #cyrus unix - n n - - pipe user=@l_nusr@ argv=@l_prefix@/bin/cyrdeliver -e -r ${sender} -m ${extension} ${user} |
michael@146 | 119 | #uucp unix - n n - - pipe flags=Fqhu user=@l_nusr@ argv=@l_prefix@/bin/uux -r -n -z -a$sender - $nexthop!rmail ($recipient) |
michael@146 | 120 | #ifmail unix - n n - - pipe flags=F user=@l_nusr@ argv=@l_prefix@/bin/ifmail -r $nexthop ($recipient) |
michael@146 | 121 | #bsmtp unix - n n - - pipe flags=Fq. user=@l_nusr@ argv=@l_prefix@/bin/bsmtp -f $sender $nexthop $recipient |
michael@146 | 122 | </file> |
michael@146 | 123 | <file name="main.cf"> |
michael@146 | 124 | ## |
michael@146 | 125 | ## @l_prefix@/etc/postfix/main.cf -- Postfix main configuration |
michael@146 | 126 | ## |
michael@146 | 127 | ## Run "@l_prefix@/sbin/postconf -n" to see all parameters overriding |
michael@146 | 128 | ## defaults, run "@l_prefix@/sbin/postconf -d" to see all possible |
michael@146 | 129 | ## parameters and their defaults and read the following manual |
michael@146 | 130 | ## pages for description of each parameter: bounce(8), cleanup(8), |
michael@146 | 131 | ## defer(8), error(8), flush(8), lmtp(8), local(8), master(8), |
michael@146 | 132 | ## pickup(8), pipe(8), qmgr(8), showq(8), smtp(8), smtpd(8), spawn(8), |
michael@146 | 133 | ## trivial-rewrite(8). |
michael@146 | 134 | ## |
michael@146 | 135 | |
michael@146 | 136 | # users |
michael@146 | 137 | mail_owner = @l_musr@ |
michael@146 | 138 | setgid_group = @l_rgrp@ |
michael@146 | 139 | default_privs = @l_nusr@ |
michael@146 | 140 | |
michael@146 | 141 | # local host |
michael@146 | 142 | myhostname = mail.example.com |
michael@146 | 143 | mydomain = example.com |
michael@146 | 144 | myorigin = $myhostname |
michael@146 | 145 | |
michael@146 | 146 | # smtp daemon |
michael@146 | 147 | #smtpd_banner = $myhostname ESMTP $mail_name |
michael@146 | 148 | inet_interfaces = 127.0.0.1 |
michael@146 | 149 | |
michael@146 | 150 | # smtp client |
michael@146 | 151 | smtp_bind_address = 127.0.0.1 |
michael@146 | 152 | |
michael@146 | 153 | # relaying |
michael@146 | 154 | mynetworks = 127.0.0.0/8 |
michael@146 | 155 | #mydestination = $myhostname, localhost.$mydomain |
michael@146 | 156 | #relay_domains = $mydestination, |
michael@146 | 157 | # hash:@l_prefix@/etc/postfix/access |
michael@146 | 158 | #smtpd_recipient_restrictions = permit_mynetworks, |
michael@146 | 159 | # check_client_access hash:@l_prefix@/etc/postfix/access, |
michael@146 | 160 | # reject_unauth_destination |
michael@146 | 161 | |
michael@146 | 162 | # maps |
michael@146 | 163 | #canonical_maps = hash:@l_prefix@/etc/postfix/canonical |
michael@146 | 164 | #smtp_generic_maps = hash:@l_prefix@/etc/postfix/generic |
michael@146 | 165 | #virtual_alias_maps = hash:@l_prefix@/etc/postfix/virtual |
michael@146 | 166 | #relocated_maps = hash:@l_prefix@/etc/postfix/relocated |
michael@146 | 167 | #transport_maps = hash:@l_prefix@/etc/postfix/transport |
michael@146 | 168 | alias_maps = hash:@l_prefix@/etc/postfix/aliases |
michael@146 | 169 | alias_database = hash:@l_prefix@/etc/postfix/aliases |
michael@146 | 170 | |
michael@146 | 171 | # local delivery |
michael@146 | 172 | #local_recipient_maps = proxy:unix:passwd.byname $alias_maps |
michael@146 | 173 | recipient_delimiter = + |
michael@146 | 174 | mailbox_command = @l_prefix@/bin/procmail -a "$EXTENSION" |
michael@146 | 175 | |
michael@146 | 176 | </file> |
michael@146 | 177 | <file name="access"> |
michael@146 | 178 | ## |
michael@146 | 179 | ## @l_prefix@/etc/postfix/access -- access control for relaying |
michael@146 | 180 | ## |
michael@146 | 181 | ## Searched for both the client (hostname, parent domains, IP address, |
michael@146 | 182 | ## networks obtained by stripping least significant octets from IP |
michael@146 | 183 | ## address) and destination address (resolved destination address, |
michael@146 | 184 | ## parent domain, or localpart@) in order to allow relaying. Rejects |
michael@146 | 185 | ## the request if the result is REJECT or "[45]XX text". Permits the |
michael@146 | 186 | ## request if the result is OK or RELAY or all-numerical. |
michael@146 | 187 | ## |
michael@146 | 188 | |
michael@146 | 189 | # Syntax (see access(5)): |
michael@146 | 190 | # | user@domain action |
michael@146 | 191 | # | domain action |
michael@146 | 192 | # | user@ action |
michael@146 | 193 | # | net.work.addr.ess action |
michael@146 | 194 | # | net.work.addr action |
michael@146 | 195 | # | net.work action |
michael@146 | 196 | # | net action |
michael@146 | 197 | # where "action" is one of: |
michael@146 | 198 | # "[45]NN text", "REJECT", "OK", "restriction..." |
michael@146 | 199 | # |
michael@146 | 200 | # Examples: |
michael@146 | 201 | # | mail.example.com OK |
michael@146 | 202 | # | example.com REJECT |
michael@146 | 203 | # | 192.168.0.1 OK |
michael@146 | 204 | # | 192.168 REJECT |
michael@146 | 205 | # | postmaster@ OK |
michael@146 | 206 | |
michael@146 | 207 | </file> |
michael@146 | 208 | <file name="virtual"> |
michael@146 | 209 | ## |
michael@146 | 210 | ## @l_prefix@/etc/postfix/virtual -- virtual address translation |
michael@146 | 211 | ## |
michael@146 | 212 | ## Searched for virtual addresses user@domain, user and @domain |
michael@146 | 213 | ## (in this order). It redirect mail for all recipients, local or |
michael@146 | 214 | ## remote. The mapping affects only envelope recipients. |
michael@146 | 215 | ## |
michael@146 | 216 | |
michael@146 | 217 | # Syntax (see virtual(5)): |
michael@146 | 218 | # | user@domain address, address, ... |
michael@146 | 219 | # | user address, address, ... |
michael@146 | 220 | # | @domain address, address, ... |
michael@146 | 221 | # |
michael@146 | 222 | # Examples: |
michael@146 | 223 | # | @example.com john@example.com |
michael@146 | 224 | # | postmaster@example.com postmaster |
michael@146 | 225 | # | john@example1.com john1 |
michael@146 | 226 | # | john@example2.com john2 |
michael@146 | 227 | |
michael@146 | 228 | </file> |
michael@146 | 229 | <file name="aliases"> |
michael@146 | 230 | ## |
michael@146 | 231 | ## @l_prefix@/etc/postfix/aliases -- local mailbox aliases |
michael@146 | 232 | ## |
michael@146 | 233 | ## Searched for virtual addresses user@domain, user and @domain |
michael@146 | 234 | ## (in this order). It redirect mail for all recipients, local or |
michael@146 | 235 | ## remote. The mapping affects only envelope recipients. |
michael@146 | 236 | ## |
michael@146 | 237 | |
michael@146 | 238 | # Syntax (see aliases(5)): |
michael@146 | 239 | # | name: value, value, ... |
michael@146 | 240 | # where value is one of: |
michael@146 | 241 | # "address", "/file/name", "|command", ":include:/file/name" |
michael@146 | 242 | # |
michael@146 | 243 | # Examples: |
michael@146 | 244 | # | john.doe: john, doe |
michael@146 | 245 | # | robot: |/path/to/robot |
michael@146 | 246 | # | archive: /path/to/archive |
michael@146 | 247 | # | users: :include:/path/to/users.list |
michael@146 | 248 | # | owner-users: john.doe |
michael@146 | 249 | |
michael@146 | 250 | # standard mail targets |
michael@146 | 251 | nobody: /dev/null |
michael@146 | 252 | MAILER-DAEMON: postmaster |
michael@146 | 253 | |
michael@146 | 254 | # mailbox names for common services, roles and functions |
michael@146 | 255 | # (see RFC2142 for more details and expanded list of names) |
michael@146 | 256 | postmaster: root |
michael@146 | 257 | hostmaster: root |
michael@146 | 258 | security: root |
michael@146 | 259 | abuse: root |
michael@146 | 260 | |
michael@146 | 261 | # save unprivileged user storage of careless admins |
michael@146 | 262 | root: /dev/null |
michael@146 | 263 | |
michael@146 | 264 | </file> |
michael@146 | 265 | <file name="canonical"> |
michael@146 | 266 | ## |
michael@146 | 267 | ## @l_prefix@/etc/postfix/canonical -- address canonification on mail receiving |
michael@146 | 268 | ## |
michael@146 | 269 | ## Searched for canonical addresses for user@domain, user and @domain |
michael@146 | 270 | ## (in this order). |
michael@146 | 271 | ## |
michael@146 | 272 | |
michael@146 | 273 | # Syntax (see canonical(5)): |
michael@146 | 274 | # | user@domain address |
michael@146 | 275 | # | user address |
michael@146 | 276 | # | @domain address |
michael@146 | 277 | # |
michael@146 | 278 | # Examples: |
michael@146 | 279 | # | postmaster@mail.example.com postmaster@example.com |
michael@146 | 280 | # | john John.Doe |
michael@146 | 281 | # | @example.com @example.com |
michael@146 | 282 | |
michael@146 | 283 | </file> |
michael@146 | 284 | <file name="relocated"> |
michael@146 | 285 | ## |
michael@146 | 286 | ## @l_prefix@/etc/postfix/relocated -- relocate obsolete addresses |
michael@146 | 287 | ## |
michael@146 | 288 | ## Searched for relocated addresses user@domain, user and @domain |
michael@146 | 289 | ## (in this order). It bounces mail for all recipients. |
michael@146 | 290 | ## |
michael@146 | 291 | |
michael@146 | 292 | # Syntax (see relocated(5)): |
michael@146 | 293 | # | user@domain address |
michael@146 | 294 | # | user address |
michael@146 | 295 | # | @domain address |
michael@146 | 296 | # |
michael@146 | 297 | # Examples: |
michael@146 | 298 | # | john@invalid john@example.com |
michael@146 | 299 | # | john john@example.com |
michael@146 | 300 | # | @invalid john@example.com |
michael@146 | 301 | |
michael@146 | 302 | </file> |
michael@146 | 303 | <file name="generic"> |
michael@146 | 304 | ## |
michael@146 | 305 | ## @l_prefix@/etc/postfix/generic -- address canonification on mail sending |
michael@146 | 306 | ## |
michael@146 | 307 | ## Searched for canonical addresses for user@domain, user and @domain |
michael@146 | 308 | ## (in this order). |
michael@146 | 309 | ## |
michael@146 | 310 | |
michael@146 | 311 | # Syntax (see generic(5)): |
michael@146 | 312 | # | user@domain address |
michael@146 | 313 | # | user address |
michael@146 | 314 | # | @domain address |
michael@146 | 315 | # |
michael@146 | 316 | # Examples: |
michael@146 | 317 | # | postmaster@mail.example.com postmaster@example.com |
michael@146 | 318 | # | john John.Doe |
michael@146 | 319 | # | @example.com @example.com |
michael@146 | 320 | |
michael@146 | 321 | </file> |
michael@146 | 322 | <file name="transport"> |
michael@146 | 323 | ## |
michael@146 | 324 | ## @l_prefix@/etc/postfix/transport -- transport selection |
michael@146 | 325 | ## |
michael@146 | 326 | ## Searched for domain and .domain (in this order). It selects the |
michael@146 | 327 | ## specified transport facility for delivery. |
michael@146 | 328 | ## |
michael@146 | 329 | |
michael@146 | 330 | # Syntax (see transport(5)): |
michael@146 | 331 | # | domain transport:nexthop |
michael@146 | 332 | # | .domain transport:nexthop |
michael@146 | 333 | # |
michael@146 | 334 | # Examples: |
michael@146 | 335 | # | me.example.com local: |
michael@146 | 336 | # | you.example.com smtp:mail.example.com:2525 |
michael@146 | 337 | # | example.com smtp:mail.example.com |
michael@146 | 338 | # | .example.com smtp:mail.example.com |
michael@146 | 339 | |
michael@146 | 340 | </file> |
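Review bot: The `# users` stanza of main.cf sets `mail_owner = @l_musr@` and `setgid_group = @l_rgrp@`, and since this commit collapses per-process accounts onto OpenPKG's shared privilege levels it is worth confirming those macros still expand to identities used by nothing else: postconf(5) requires mail_owner to be an account that owns no other files or processes and setgid_group to be a group shared with no other account (not even mail_owner), because anything running as mail_owner controls the queue and any member of setgid_group can write into the maildrop directory without going through postdrop(1). If the expansion is a shared OpenPKG account, I'd put a comment above the stanza such as `# NOTE: mail_owner/setgid_group must be dedicated to Postfix (postconf(5)); sharing them with other services lets those services read, inject or tamper with queued mail`. The chroot column being `n` for every service in master.cf matches the trade-off described in the log message, but a one-line comment in the table header saying it is deliberate would keep it from being read as an oversight. Separately, the aliases file routes `postmaster`, `hostmaster`, `security`, `abuse` and `MAILER-DAEMON` to `root`, and `root: /dev/null` then discards them, so the RFC 2142 contact mailboxes and bounce notifications are silently black-holed by default; I'd at least replace the comment on that line with `# WARNING: discards postmaster/abuse/security mail too -- point root at a real mailbox on production hosts`.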