# postfix MTA

# Installation

Install the `postfix postfix-pcre libsasl2-modules-db libsasl2-modules libgsasl18` packages on Debian.

# Configuration

A working configuration that relays mail to a smarthost and integrates with dovecot.

`/etc/postfix/main.cf`

```sh
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# See http://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.9

# Which domain that locally-originated mail appears to come from.
# Debian policy suggests to read this value from /etc/mailname.
myorigin = /etc/mailname

# Domains
myhostname = orion.ctq.ro
mail_name = ctq.ro
mydomain = ctq.ro

# Text that follows the 220 code in the SMTP server's greeting banner.
# You MUST specify $myhostname at the start due to an RFC requirement.
smtpd_banner = $myhostname ESMTP $mail_name (Debian)

# IP protocols to use: ipv4, ipv6, or all
# (set this explicitly so `post-install upgrade-configuration' wont complain)
inet_protocols = all

# List of "trusted" SMTP clients (maptype:mapname allowed) that have more
# privileges than "strangers". If mynetworks is not specified (the default),
# mynetworks_style is used to compute its value.
mynetworks_style = host
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# List of domains (maptype:mapname allowed) that this machine considers
# itself the final destination for.
mydestination = mail.ctq.ro, orion.ctq.ro, ctq.ro, orion, localhost.localdomain, localhost

# Maximum size of a user mailbox
mailbox_size_limit = 0

# Optional external command to use instead of mailbox delivery. If set,
# you must set up an alias to forward root mail to a real user.
mailbox_command = /usr/lib/dovecot/deliver

# List of alias maps to use to lookup local addresses.
# Per Debian Policy it should be /etc/aliases.
alias_maps = hash:/etc/aliases

# List of alias maps to make indexes on, when running newaliases.
alias_database = hash:/etc/aliases

# Notify (or not) local biff service when new mail arrives.
# Rarely used these days.
biff = no

# Separator between user name and address extension (user+foo@domain)
recipient_delimiter = +

# A host to send "other" (non-local) mail to, i.e. the smarthost.
# NOTE(review): written without [brackets], so Postfix does an MX lookup on this
# name before falling back to its address record; the smarthost example further
# down this page uses the [host]:port form, which skips the MX lookup — confirm
# which form the relay provider expects.
relayhost = live.smtp.mailtrap.io:587

# Relay restrictions: only SASL-authenticated clients may relay to remote
# domains; everyone else is limited to the domains in mydestination.
# NOTE(review): permit_mynetworks is absent here, so an unauthenticated client
# connecting from 127.0.0.1 to port 25 cannot relay either — confirm that is
# intended (mail submitted via sendmail(1)/pickup is not affected).
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

# Where to look for Cyrus SASL configuration files. Upstream default is unset
# (use compiled-in SASL library default), Debian Policy says it should be
# /etc/postfix/sasl.
cyrus_sasl_config_path = /etc/postfix/sasl

# SMTP server RSA key and certificate in PEM format (Let's Encrypt paths).
# The private key must stay readable by root only.
smtpd_tls_key_file = /etc/letsencrypt/live/ctq.ro/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/ctq.ro/fullchain.pem

# SMTP Server security level: none|may|encrypt
# "may" = opportunistic STARTTLS on port 25; cleartext sessions are still
# accepted because remote MTAs are not required to support TLS. Mandatory TLS
# for client submission is configured per service in master.cf.
smtpd_tls_security_level = may
# Do not announce or accept AUTH on an unencrypted session, so credentials
# never cross the wire in the clear.
smtpd_tls_auth_only = yes

# SMTP server client cert auth (optional, currently disabled)
#smtpd_tls_CAfile = /etc/ssl/orion-ca/ca.crt
#tls_append_default_CA = no

# Listen on all interfaces
inet_interfaces = all

# SMTP daemon TLS
# Protocols for sessions where TLS is *mandatory* (e.g. the wrappermode
# submissions service in master.cf); this does not apply to opportunistic
# TLS on port 25. Effectively TLS 1.2 and newer only.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Protocols for *opportunistic* TLS on port 25. TLS 1.0/1.1 are still accepted
# here because an old-protocol encrypted session is preferable to the
# cleartext fallback that "may" would otherwise allow.
# (The ">=" range syntax presumably needs a Postfix 3.6+ release; this file
# already declares compatibility_level 3.9.)
smtpd_tls_protocols = >=TLSv1
# Use strong ciphers: drop null/anonymous/export/low-grade suites, weak hashes,
# and (via RSA+AES) presumably the non-forward-secret RSA key-exchange suites.
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
# Let the server's cipher preference order win over the client's.
tls_preempt_cipherlist = yes

# Sender and recipient restrictions
# Maps each envelope sender address to the SASL login that owns it
# (see /etc/postfix/login_maps.pcre).
smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
# reject_sender_login_mismatch is evaluated first so that an authenticated
# user cannot forge another user's envelope sender, and an unauthenticated
# client cannot use any envelope sender that is bound to a login.
smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain

# Connection init restrictions
smtpd_helo_required = yes
# NOTE(review): reject_unknown_helo_hostname rejects clients whose HELO name
# has no DNS A or MX record; this also bounces mail from misconfigured but
# legitimate senders, so watch the reject log after enabling it.
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname

# SASL mechanism policy: on an unencrypted session neither anonymous nor
# plaintext mechanisms are offered; once TLS is established, plaintext
# mechanisms (PLAIN/LOGIN) are allowed. Together with smtpd_tls_auth_only
# this means AUTH only ever happens inside TLS.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# SASL authentication backend (dovecot) is configured next
# Authenticate users via dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# List of CAs for SMTP Client to trust
# Prefer this over _CApath when smtp is running chrooted
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# SMTP Client TLS security level: none|may|encrypt|...
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_protocols = >=TLSv1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# SMTP Client TLS session cache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# User mail directory
home_mailbox = Mail/Inbox/

# Filter headers for privacy with regex
header_checks = regexp:/etc/postfix/header_checks
```

`/etc/postfix/master.cf`

```sh
# SMTP SUBMISSIONS - port 465
submissions inet n - y - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sender_restrictions=reject_unlisted_sender
  -o smtpd_sasl_security_options=noanonymous
```

`/etc/postfix/header_checks`

```sh
/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
```

Note that `cleanup` applies `header_checks` to every message it processes, so these rules also strip the `Received:` trail from inbound mail (which hampers abuse tracing) unless the inbound `smtpd` is excluded, for example with `receive_override_options=no_header_body_checks` in `master.cf`.

`/etc/postfix/login_maps.pcre`

```sh
/^(.*)@ctq\.ro$/ ${1}
```

# Aliases

Configure the aliases database:

```sh
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
```

Specify aliases in `/etc/postfix/aliases` in the format `original:alias` (the path must match the one given in `alias_maps`).
You should have at least an alias for `root`.
After the first edit run `postalias /etc/postfix/aliases` to initialise the aliases database.
Afterwards you can run `newaliases`.

# Use smarthost for outbound SMTP

Use a smarthost to send outbound mail in case direct outbound SMTP is blocked on your network.

```sh
# A host to send "other" mail to
relayhost = [relay.smtp.example.com]:587

# Relay credentials, store hashed
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Relay restrictions
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
```

Because the `plain` mechanism sends the password unprotected, pair this with `smtp_tls_security_level = encrypt` for the relay (or keep `noplaintext` in `smtp_sasl_security_options` and allow plaintext mechanisms only under TLS via `smtp_sasl_tls_security_options`) so the credentials are never sent over an unencrypted session.

Create a `sasl_passwd` file with the relay credentials in the format `relay.smtp.example.com RLUSER:RLPASSWD`.
Hash the password database with `postmap hash:/etc/postfix/sasl_passwd`.
Note that `postmap` builds an indexed lookup table rather than hashing the secret: the resulting `sasl_passwd.db` still contains the credentials in cleartext, so keep it readable by root only (the Postfix SASL_README suggests `chmod 0600`).
Remove the plaintext `sasl_passwd` file.
Remember to restart postfix.