Scott M. Mcdermott

UNIX Systems & Network Administrator
available for contract or salaried positions

Postfix

We configure Postfix to relay mail via SMTP, but accept it only from the local machine. Mail for local users is delivered to the conventional mail spool in mbox format.

Postfix defaults are very sensible, as will be seen.

Installation

The installation, like any other Ubuntu package, works like so:

$ sudo apt-get install postfix

The Ubuntu installer gave me a dialog where I could choose configuration options, but my configuration is so simple that I instructed the dialog not to bother. Postfix has very sane defaults, and we can easily add any one-off configuration statements by hand.

$ sudo touch /etc/postfix/main.cf
$ sudo /etc/init.d/postfix start

Local

Let's go through the process of testing it with its default (empty) configuration.

To begin, we'll simply try sending some mail as ourselves:

$ id -un
sysadmin

$ echo testing | mail scott@omnisys.com
-bash: mail: command not found
-bash: echo: write error: Broken pipe

Looks like we have to install the mail utility first.

$ sudo apt-file search /usr/bin/mail
kdenetwork-dbg: /usr/lib/debug/usr/bin/mail.local
mailutils: /usr/bin/mail
mailx: /usr/bin/mail

I am familiar with it as mailx already. It's a local MUA, but it can also inject mail using the standard UNIX sendmail interface, which Postfix provides:

$ sudo apt-get install mailx

$ ls -l /usr/sbin/sendmail
-rwxr-xr-x 1 0 0 24K 20080423165615 /usr/sbin/sendmail*

$ ls -l /usr/lib/sendmail
lrwxrwxrwx 1 0 0 16 20080810011144 /usr/lib/sendmail -> ../sbin/sendmail*

$ sudo dpkg --search /usr/lib/sendmail
postfix: /usr/lib/sendmail

$ type mail
mail is /usr/bin/mail

Now for our test:

$ echo testing | mail sysadmin

We observe from the logs:

pickup[1662]: DBF8F4C334: uid=1000 from=<sysadmin>

cleanup[2271]: DBF8F4C334:
message-id=<20080810083247.DBF8F4C334@1.2.3.4.eng.corp.com>

qmgr[1664]: DBF8F4C334:
from=<sysadmin@1.2.3.4.eng.corp.com>,
size=368, nrcpt=1 (queue active)

local[2292]: fatal: open database /etc/aliases.db:
No such file or directory

It appears that the Postfix local process requires the presence of the aliases database. This is actually a good heads-up anyway, because we want to configure where root's mail goes for things like failed cron jobs. Let's just add that single alias to the system and re-test.

$ sudo sh -c 'echo "root: sysadmin" > /etc/aliases'
$ sudo newaliases

The logs now report:

postfix/local[2488]: DBF8F4C334:
to=<sysadmin@1.2.3.4.eng.corp.com>,
orig_to=<sysadmin>, relay=local, delay=184,
delays=0.11/184/0/0.08, dsn=2.0.0, status=sent
(delivered to mailbox)

qmgr[1664]: DBF8F4C334: removed

And indeed, in our spool:

$ cat $MAIL
From sysadmin@1.2.3.4.eng.corp.com  Mon Aug 10 01:35:52 2008
Return-Path: <sysadmin@1.2.3.4.eng.corp.com>
X-Original-To: sysadmin
Delivered-To: sysadmin@1.2.3.4.eng.corp.com
Received: by 1.2.3.4.eng.corp.com (Postfix, from userid 1000)
        id DBF8F4C334; Mon, 10 Aug 2008 01:32:47 -0700 (PDT)
To: sysadmin@1.2.3.4.eng.corp.com
Message-Id: <20080810083247.DBF8F4C334@1.2.3.4.eng.corp.com>
Date: Mon, 10 Aug 2008 01:32:47 -0700 (PDT)
From: sysadmin@1.2.3.4.eng.corp.com

Great, now we know mail is working for local recipients.

Remote

Let's try delivering mail offhost now:

$ echo testing | mail scott@omnisys.com

From the logs:

postfix/pickup[1662]: 601894C335: uid=1000
from=<sysadmin>

postfix/cleanup[2680]: 601894C335:
message-id=<20080810084440.601894C335@1.2.3.4.eng.corp.com>

postfix/qmgr[1664]: 601894C335:
from=<sysadmin@1.2.3.4.eng.corp.com>,
size=341, nrcpt=1 (queue active)

postfix/smtp[2694]: 601894C335:
to=<scott@omnisys.com>,
relay=aspmx.l.google.com[209.85.217.32]:25,
delay=0.48, delays=0.05/0.02/0.16/0.26, dsn=2.0.0,
status=sent (250 2.0.0 OK 1249893880
8si10662978gxk.93)

postfix/qmgr[1664]: 601894C335: removed

Excellent! Everything is working as it should.
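The log entries in the Local and Remote tests can be reduced to one line per delivery attempt, which makes a deferred or bounced message stand out. This is an added example, not part of the original write-up; it assumes each log entry is on a single line (as syslog writes it) with short hexadecimal queue IDs as shown above, and the function names and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Postfix delivery attempts from mail log lines.

# Print "<queue-id> <recipient> <relay> <dsn> <status>" for every line
# written by a delivery agent (local, smtp, ...), i.e. lines with status=.
# Assumes short hex queue IDs such as DBF8F4C334.
delivery_summary() {
    awk '
        / status=/ {
            qid = rcpt = relay = dsn = status = ""
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)          # drop trailing comma
                if (f ~ /^[0-9A-F]+:$/ && qid == "") { qid = f; sub(/:$/, "", qid) }
                else if (f ~ /^to=/)     rcpt   = substr(f, 4)
                else if (f ~ /^relay=/)  relay  = substr(f, 7)
                else if (f ~ /^dsn=/)    dsn    = substr(f, 5)
                else if (f ~ /^status=/) status = substr(f, 8)
            }
            print qid, rcpt, relay, dsn, status
        }' "$@"
}

# Only the attempts that did not end in status=sent.
undelivered() {
    delivery_summary "$@" | awk '$5 != "sent"'
}

# Sample input: the first three lines are the page's entries joined onto
# one line each; the last (deferred) line is constructed.
demo_log() {
    cat <<'EOF'
postfix/local[2488]: DBF8F4C334: to=<sysadmin@1.2.3.4.eng.corp.com>, orig_to=<sysadmin>, relay=local, delay=184, delays=0.11/184/0/0.08, dsn=2.0.0, status=sent (delivered to mailbox)
postfix/qmgr[1664]: DBF8F4C334: removed
postfix/smtp[2694]: 601894C335: to=<scott@omnisys.com>, relay=aspmx.l.google.com[209.85.217.32]:25, delay=0.48, delays=0.05/0.02/0.16/0.26, dsn=2.0.0, status=sent (250 2.0.0 OK 1249893880 8si10662978gxk.93)
postfix/smtp[2710]: 7A2B14C336: to=<user@example.org>, relay=none, delay=30, delays=0.05/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
EOF
}

demo_log | delivery_summary
demo_log | undelivered
```

A message that never produces a status= line, such as the one stuck behind the missing aliases database, does not appear in the summary at all.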

Security

Once again, we test whether or not we are exposing ourselves unduly:

$ sudo netstat -nla | grep :25
tcp        0      0 0.0.0.0:25       0.0.0.0:* LISTEN

Indeed, Postfix is listening on all interfaces, and we have to configure it not to. In fact, there is no reason to believe anyone on the machine will be using SMTP at all. Any local client can use the traditional sendmail interface.

For this reason, we disable SMTP entirely:

$ grep ^#smtp /etc/postfix/master.cf
#smtp      inet  n       -       -       -       - smtpd
#smtps     inet  n       -       -       -       - smtpd

Note that it is still enabled on local unix domain sockets for starting the smtp client for outbound mails:

$ grep ^smtp /etc/postfix/master.cf
smtp      unix  -       -       -       -       -       smtp

Indeed, our changes were successful:

$ sudo postfix reload
$ netstat -nla | grep :25 || echo "no smtp listener"
no smtp listener

Our Postfix configuration is now complete. Amazing for a single-line change and a completely empty configuration. It would be hard to believe, if it weren't for our tests...
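The netstat check above shows the state of the running system; the same property can be checked in the configuration itself, so that a package upgrade or an edit that re-enables an inet service is noticed before the next reload. This is an added example, not part of the original write-up; the function names and the sample master.cf content (including the loopback re-injection listener) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report inet (TCP) services enabled in a Postfix master.cf.

# Print "<service> <command> <bind>" for every uncommented inet entry.
# bind is "loopback" when the service field pins a loopback host,
# otherwise "inet_interfaces" (the main.cf setting decides; default: all).
list_inet_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        /^[ \t]/ { next }                   # continuation of the previous entry
        $2 == "inet" {
            bind = "inet_interfaces"
            if ($1 ~ /^(127\.[0-9.]+|localhost|\[::1\]):/) bind = "loopback"
            print $1, $8, bind
        }' "$1"
}

# Succeed only when no enabled inet entry can listen beyond loopback.
no_network_listener() {
    ! list_inet_services "$1" | grep -q ' inet_interfaces$'
}

# Constructed sample: stock-style entries plus a loopback-only listener
# with a continuation line.
demo_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
#smtps     inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
smtp      unix  -       -       -       -       -       smtp
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o syslog_name=postfix/reinject
EOF
}

tmp=$(mktemp) && demo_master_cf > "$tmp"
list_inet_services "$tmp"
no_network_listener "$tmp" || echo "network-facing listener enabled"
rm -f "$tmp"
```

Run against the real file with `no_network_listener /etc/postfix/master.cf`; with the smtp inet line commented out as above and no other inet entries, it succeeds.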