First Time Configuration assistance


First Time Configuration assistance

Paul Cocker
I'm setting up a postfix 2.3.3 mail server which is to be the primary
outgoing mail server and act as a secondary incoming mail server for
three domains (only one of which is of any real size).

I haven't used postfix before so I'm wading through the configuration
and documentation and without having any special requirements most of
the defaults appear sane.

So far as I understand it I will need to configure the following
parameters:

Mydestination - to allow it to collect mail on behalf of my domains
Mynetworks - so it knows where internal mail will be coming from

Both of those seem simple enough, my question is about having it as the
secondary MX record. Is there a parameter you need to configure to tell
postfix it is to pass e-mail to the top of the MX chain, or will it do a
name lookup and discover this for itself?

Is there anything else I need to take into consideration or configure?
Beyond chroot that is, which is something I will investigate next.

Many thanks,

Paul Cocker




TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897),TNT Post North Ltd (05701709) and TNT Post South West Ltd (05983401). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.


FW: First Time Configuration assistance

Paul Cocker
Actually I do believe I have misunderstood the nature of mydestination,
by putting my domain in there I think I'll stop the e-mail chain dead.
Whoops.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

That appears to be the sort of thing I am looking for, wish I'd seen it
before posting. Ah well.


Paul Cocker

Systems Infrastructure Support

Network Administrator and Security Specialist


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Paul Cocker
Sent: 05 September 2008 12:00
To: [hidden email]
Subject: First Time Configuration assistance


Re: First Time Configuration assistance

Charles Marcus
In reply to this post by Paul Cocker
On 9/5/2008, Paul Cocker ([hidden email]) wrote:
> I'm setting up a postfix 2.3.3 mail server

Why use something so old if you're setting up a new server?

--

Best regards,

Charles

RE: First Time Configuration assistance

Paul Cocker
It's CentOS 5.2, it's the version in the repository. It's not a bleeding
edge distribution, but with seven years patching it doesn't aim to be.

Paul Cocker
Systems Infrastructure Support
Network Administrator and Security Specialist


-----Original Message-----
From: Charles Marcus [mailto:[hidden email]]
Sent: 05 September 2008 12:12
To: Paul Cocker
Cc: [hidden email]
Subject: Re: First Time Configuration assistance


Re: First Time Configuration assistance

mouss-2
In reply to this post by Paul Cocker
Paul Cocker wrote:
> I'm setting up a postfix 2.3.3 mail server which is to be the primary
> outgoing mail server and act as a secondary incoming mail server for
> three domains (only one of which is of any real size).
>
> I haven't used postfix before so I'm wading through the configuration
> and documentation and without having any special requirements most of
> the defaults appear sane.
>

Make sure to read the doc on
        http://www.postfix.com/documentation.html

> So far as I understand it I will need to configure the following
> parameters:
>
> Mydestination - to allow it to collect mail on behalf of my domains

mydestination is the list of "local" domains: mail is delivered to unix
accounts on this machine.

> Mynetworks - so it knows where internal mail will be coming from

these are networks you control and trust. by default, they are allowed
to relay via the server (there is a permit_mynetworks in the default
smtpd_recipient_restrictions). if the box need not relay mail for other
machines, just set
mynetworks = 127.0.0.1

>
> Both of those seem simple enough, my question is about having it as the
> secondary MX record. Is there a parameter you need to configure to tell
> postfix it is to pass e-mail to the top of the MX chain, or will it do a
> name lookup and discover this for itself?
>

if you want this, don't put the domain in mydestination. put the domain in
relay_domains, and put the list of valid addresses in relay_recipient_maps.

the list of valid recipients is required to avoid backscatter (later
bounces when your postfix finds out that the address doesn't exist, but
since spammers forge the sender address, the bounce goes to an
innocent). see the BACKSCATTER README
        http://www.postfix.org/BACKSCATTER_README.html

An alternative is to use reject_unverified_recipient at the end of
smtpd_recipient_restrictions. but you'd better avoid this. in particular
if you are talking about a "backup MX", reject_unverified_recipient may
fail (it checks the cache, but otherwise asks the other server. the last
action will obviously fail if the final server is down). if you insist,
check the docs about reject_unverified_recipient and other *_verify_*
parameters (all parameters are documented on
http://www.postfix.org/postconf.5.html
)



> Is there anything else I need to take into consideration or configure?
> Beyond chroot that is, which is something I will investigate next.

don't chroot until everything works as desired.

More generally, don't bang bang. go step by step. change one thing, test
the results, document that somewhere, then go for the next change. while
this may be boring, you'll have a working configuration all the time, it
makes troubleshooting easier, and you have a documentation of
everything you did (so if the machine dies, you can reproduce the steps.
and if you go on vacation, quit or hire someone else, he can do the job).


RE: [SPAM?] Re: First Time Configuration assistance

Paul Cocker
With an ever changing list of over 600 e-mail addresses, manually
maintaining relay_recipient_maps doesn't strike me as appealing, or
practical.

Unsurprisingly we have an AD back-end, is there any way for the two to
communicate? I see this as being the only practical way to check valid
recipients, though let me know if there is a better way.

Thanks for all the advice.

Paul Cocker


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of mouss
Sent: 05 September 2008 12:53
Cc: [hidden email]
Subject: [SPAM?] Re: First Time Configuration assistance
Importance: Low


RE: [SPAM?] Re: First Time Configuration assistance

Stefan Palme-2
> With an ever changing list of over 600 e-mail addresses, manually
> maintaining relay_recipient_maps doesn't strike me as appealing, or
> practical.
>
> Unsurprisingly we have an AD back-end, is there any way for the two to
> communicate? I see this as being the only practical way to check valid
> recipients, though let me know if there is a better way.

We have a similar setup, where a "frontend mailserver" is relaying
incoming mail to an intranet Domino mail server. Because it's very
ugly to automatically extract a list of valid email addresses from
the Domino server we are currently switching to recipient address
verification on the frontend mail server (postfix), so that postfix
always "asks" the Domino server "is this a valid address?"

Regards
-stefan-



RE: [SPAM?] Re: First Time Configuration assistance

Adam Tauno Williams-4
In reply to this post by Paul Cocker
On Fri, 2008-09-05 at 14:56 +0100, Paul Cocker wrote:
> With an ever changing list of over 600 e-mail addresses, manually
> maintaining relay_recipient_maps doesn't strike me as appealing, or
> practical.
> Unsurprisingly we have an AD back-end, is there any way for the two to
> communicate?

Sure, just use an LDAP map.

>  I see this as being the only practical way to check valid
> recipients, though let me know if there is a better way.



RE: [SPAM?] Re: First Time Configuration assistance

MacShane, Tracy
In reply to this post by Paul Cocker
 

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Paul Cocker
> Sent: Friday, 5 September 2008 11:56 PM
> To: [hidden email]
> Subject: RE: [SPAM?] Re: First Time Configuration assistance
>
> With an ever changing list of over 600 e-mail addresses,
> manually maintaining relay_recipient_maps doesn't strike me
> as appealing, or practical.
>
> Unsurprisingly we have an AD back-end, is there any way for
> the two to communicate? I see this as being the only
> practical way to check valid recipients, though let me know
> if there is a better way.
>
> Thanks for all the advice.
>
> Paul Cocker
>

And for where you are using Postfix as a "bridgehead" server and
relaying to multiple Exchange hosts, I have a solution that builds on a
script that grabs all the valid email recipients from the AD:
http://postfixnotes.wiki.zoho.com/HomePage.html. I also prefer not to be
doing constant AD lookups for mail from servers in the DMZ - it's a wee
bit better for performance to have the map files sitting on the Postfix
servers.
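The approach mouss describes (relay_domains plus relay_recipient_maps on the backup MX, so unknown recipients are rejected at RCPT TO instead of bounced later as backscatter) combined with the AD-sourced address list Adam and Tracy mention, as an added example that is not from the thread or from Postfix itself; the AD export, the example.com addresses and the simplified smtpd replies are constructed assumptions.

```python
# Added example: build relay_recipient_maps input from an AD-style export and
# model the RCPT TO decision it gives a backup MX. Matching main.cf (assumed):
#   relay_domains       = example.com          # NOT in mydestination
#   relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Constructed sample export (hypothetical users); a real one would come from
# an LDAP query of mail/proxyAddresses on the Active Directory user objects.
AD_EXPORT = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
mail: Alice@example.com
proxyAddresses: SMTP:Alice@example.com
proxyAddresses: smtp:alice.smith@example.com
proxyAddresses: X400:c=GB;a= ;p=Example;o=Exchange;s=Alice

dn: CN=Bob,OU=Users,DC=example,DC=com
mail: bob@example.com
proxyAddresses: SMTP:bob@example.com
proxyAddresses: smtp:bob@other.example
"""

RELAY_DOMAINS = {"example.com"}  # domains this box is backup MX for (assumed)


def relay_recipients(ldif: str, relay_domains=RELAY_DOMAINS) -> dict:
    """Return {address: "OK"} for every SMTP address inside a relayed domain.

    Both the primary (SMTP:) and secondary (smtp:) proxyAddresses are valid
    recipients in Exchange; X400 and addresses in other domains are skipped.
    """
    table = {}
    for line in ldif.splitlines():
        key, _, value = line.partition(": ")
        if key == "mail":
            addr = value
        elif key == "proxyAddresses" and value[:5].lower() == "smtp:":
            addr = value[5:]
        else:
            continue
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] in relay_domains:
            table[addr] = "OK"
    return table


def render_table(table: dict) -> str:
    """Text form of the relay_recipients file; feed it to `postmap`."""
    return "".join(f"{a}\t{v}\n" for a, v in sorted(table.items()))


def smtpd_decision(rcpt: str, table: dict, relay_domains=RELAY_DOMAINS) -> str:
    """Simplified model of smtpd's RCPT TO reply for a relay domain."""
    rcpt = rcpt.lower()
    if rcpt.rsplit("@", 1)[-1] not in relay_domains:
        return "554 5.7.1 Relay access denied"
    if rcpt not in table:  # rejected now, so no bounce to a forged sender later
        return "550 5.1.1 User unknown in relay recipient table"
    return "250 2.1.5 Ok"
```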