Basic Postfix Config, Backed by PostgreSQL

May 1st, 2014 by exhuma.twn

Following my previous post, I now have a working config with PostgreSQL.

This post is meant to set up a config which is “just enough” to get postfix working with PostgreSQL. There are many tutorials out there, but they all give you a full-blown set-up with spam/virus checking, POP/IMAP access with authentication, webmail, and so on and so on. None of those I have read managed to explain the inner workings of postfix, and just gave you a bunch of copy/pasteable “templates”. This post intentionally leaves out additional features. You can add more support yourself if you want to.

Database administrative stuff (database/user creation, authentication, pg_hba.conf & co) is out of the scope of this document. You should read up on those topics somewhere else if you don’t feel comfortable with it!

The aim of this is to have a postfix installation capable mainly of “aliasing” e-mails. Let’s say I have a domain “example.com” and I want to manage e-mail addresses for that domain. But it’s a small domain with only a handful of users and I don’t want to store mails locally, just alias them to the users’ private e-mail addresses.

While the aim is only to alias e-mails, the config explained below is still capable of delivering mail locally (storing it directly to disk), but as there is no set-up to access those mails (POP/IMAP/webmail), it is only marginally useful. It does, however, give you a working framework if you want to add those features yourself.

Posted in Linux | No Comments »

postfix config from scratch.

April 27th, 2014 by exhuma.twn

There are many postfix tutorials out there. I’ve always wondered what the hell I was copy/pasting onto my system and decided to start (nearly) from scratch. I took one of those tutorials (don’t remember which one) as inspiration, but based the final result on the official docs. I kept what I liked, changed some settings I did not like so much, and threw out a few other things which I deemed useless.

The main problem with those tutorials is that they show you a final result without telling you how they ended up with it; sometimes it looks like an amalgam of other tutorials, ending up in a huge “frankenconfig”. I don’t like deploying something when I don’t know what it’s doing…

The final result is a config which is stripped down to my most basic needs.

The first iteration will be an extremely simple config:

  • No database will be used to store mail config. This however is something I will certainly implement.
  • Only simple spam handling using blocklists.
  • No antivirus.
  • No webmail access.
  • No POP access.
  • No IMAP access.
  • No relaying of mail for other hosts (only local delivery).

For now, I only require e-mail aliasing. That is, I only want to handle e-mails destined for my domains, but I only want to “forward” them to other destinations. Local delivery (and access to those mails) may or may not be implemented later. It will be set up on an Ubuntu Precise Pangolin Server and should get you started for a basic mail server.

Here’s the main config:

Note:

The template contains 3 “variables”. Those variables need to be replaced by your values before deploying this!

{{fqdn}}
The fully qualified hostname of your server
{{vgid}}
The group-id of the local system group for files stored on the local disk.
{{vuid}}
The user-id of the local system user that owns files stored on the local disk. Use a dedicated, unprivileged account; the virtual_minimum_uid = 100 setting below makes the virtual delivery agent refuse any value lower than that.

The most interesting part of the config is at the end of the config after the “Virtual Mail” header. This part defines which e-mail addresses the MTA is handling and how. Will the mails be stored locally? Will they be “aliased” to another e-mail?

The config should be documented well-enough.

    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 4h

    readme_directory = no

    # TLS parameters. The "snakeoil" files are the self-signed pair Debian
    # generates at install time; replace them with a certificate issued for
    # {{fqdn}} before exposing the server, or every client will see an untrusted
    # certificate. smtpd_use_tls is the pre-2.3 spelling of
    # smtpd_tls_security_level = may: STARTTLS is offered but never required.
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = {{fqdn}}
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    # Domains delivered by the local(8) agent. A domain must be listed in exactly
    # one of mydestination, virtual_alias_domains and virtual_mailbox_domains
    # (the latter two are set further below).
    mydestination = {{fqdn}}, $myorigin
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 51200000
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all

    # how long to keep message on queue before return as failed.
    maximal_queue_lifetime = 7d
    # how many address can be used in one message.
    # effective stopper to mass spammers, accidental copy in whole address list
    # but may restrict intentional mail shots.
    smtpd_recipient_limit = 16
    # how many error before back off.
    smtpd_soft_error_limit = 3
    # how many max errors before blocking it.
    smtpd_hard_error_limit = 12
    # Requirements for the HELO statement. reject_non_fqdn_hostname and
    # reject_invalid_hostname are the pre-2.3 names of
    # reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname (both
    # spellings are still accepted). warn_if_reject only downgrades the single
    # restriction that follows it, so an invalid HELO hostname is still rejected.
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
        reject_non_fqdn_hostname, reject_invalid_hostname, permit
    # Requirements for the sender details (again, only reject_non_fqdn_sender is
    # turned into a log warning by warn_if_reject)
    smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
        reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining,
        permit
    # Requirements for the connecting server. Only list DNSBLs you have verified
    # are still in service: a zone that has been shut down either silently stops
    # matching or, worse, may start answering positively for every query and
    # reject all inbound mail. "dig +short 2.0.0.127.sbl.spamhaus.org" should
    # return a listing for the 127.0.0.2 test entry.
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client blackholes.easynet.nl
    # Requirement for the recipient address. permit_mynetworks sits before
    # reject_unauth_destination on purpose: anything not from $mynetworks is only
    # accepted for domains this server is responsible for, which is what keeps
    # it from being an open relay.
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
        reject_non_fqdn_recipient, reject_unknown_recipient_domain,
        reject_unauth_destination, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    # require proper helo at connections
    smtpd_helo_required = yes
    # evaluate all restriction lists only at RCPT TO (the Postfix default): every
    # list then sees the full envelope for logging, and clients that misbehave
    # when rejected before RCPT TO are not confused
    smtpd_delay_reject = yes
    # do not let remote clients enumerate valid addresses
    disable_vrfy_command = yes


    # ----------------------------------------------------------------------------
    #   Virtual Mail
    # ----------------------------------------------------------------------------

    # basic security (user ID mapping)
    virtual_minimum_uid = 100
    virtual_gid_maps = static:{{vgid}}
    virtual_uid_maps = static:{{vuid}}

    # base folder
    virtual_mailbox_base = /var/spool/mail/virtual

    # Domains for which we only ALIAS (mail will not be stored on the local disk).
    virtual_alias_domains = hash:/etc/postfix/valias_domains

    # Domains for which we deliver mail LOCALLY (mail will be stored on local
    # disk).
    virtual_mailbox_domains = hash:/etc/postfix/vdomains

    # Aliases. Maps one e-mail address to another. If the target is to be
    # delivered here (i.e. stored on the local disk), the end-point of the alias
    # (the "right-hand side") must be an address in a domain listed in
    # virtual_mailbox_domains (see above) and must have an entry in
    # virtual_mailbox_maps (see below); any other target is relayed to the
    # remote domain's MX.
    virtual_alias_maps = hash:/etc/postfix/valiases

    # Mappings for locally delivered mail (maps to files/folders which are stored
    # below the base folder `virtual_mailbox_base`)
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox

Examples for the hash files (for an explanation of what they do, see the comments above). Postfix does not read these text files directly: after every edit, run "postmap /etc/postfix/<file>" to rebuild the .db table next to it, and use "postmap -q user@domain1.tld hash:/etc/postfix/valiases" to see what a lookup actually returns.

---- valias_domains -- This is a "list", so the left-hand-side
---- is usually the same as the right-hand-side.

domain1.tld    domain1.tld
domain2.tld    domain2.tld

---- vdomains -- This is another list.

domain3.tld    domain3.tld

---- valiases -- This is a "map". Think "key/value". So,
---- the LHS necessarily differs from the RHS

user@domain1.tld          john.doe@external.domain.tld
user2@domain2.tld         user@domain1.tld

---- vmailbox -- This is another "map"
# the trailing slash defines a Maildir format.
user3@domain3.tld         folder/subfolder/user3/

# Not having a trailing slash makes it an Mbox file.
user4@domain3.tld         folder/subfolder/user4
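To make the "Virtual Mail" section and the tables above concrete, here is an added example (not part of the original post, and not Postfix code) that models what postfix does with them: it parses the four tables in the source format postmap reads, flags a domain listed in more than one address class, reproduces the RCPT TO decision made by permit_mynetworks, reject_unauth_destination and the default smtpd_reject_unlisted_recipient=yes, and follows virtual_alias_maps to the final transport. The host name standing in for {{fqdn}}, the reduced mynetworks and the table contents are constructed sample data; the real virtual alias lookup additionally tries the "@domain" catch-all form, which is left out here.

```python
"""Offline model of the "Virtual Mail" routing in the main.cf above.

Added example, not part of the original post and not Postfix code. The host
name (stands in for {{fqdn}}) and the table contents are constructed sample
data matching the hash-file examples in the post.
"""
import ipaddress

# Constructed sample tables, same content as the hash-file examples above.
VALIAS_DOMAINS = "domain1.tld domain1.tld\ndomain2.tld domain2.tld\n"
VDOMAINS = "domain3.tld domain3.tld\n"
VALIASES = ("user@domain1.tld   john.doe@external.domain.tld\n"
            "user2@domain2.tld  user@domain1.tld\n")
VMAILBOX = ("# trailing slash = Maildir, no trailing slash = mbox\n"
            "user3@domain3.tld  folder/subfolder/user3/\n"
            "user4@domain3.tld  folder/subfolder/user4\n")
MYDESTINATION = {"mail.example.com"}                 # assumed value of {{fqdn}}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
VIRTUAL_MAILBOX_BASE = "/var/spool/mail/virtual"
ALIAS_LIMIT = 1000           # Postfix default for virtual_alias_recursion_limit


def parse_table(text):
    """Parse postmap source text: one 'key value' pair per line, '#' comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[fields[0].lower()] = fields[1].strip()
    return table


class VirtualRouter:
    def __init__(self, alias_domains, mailbox_domains, aliases, mailboxes,
                 mydestination=MYDESTINATION, mynetworks=MYNETWORKS):
        self.alias_domains = set(parse_table(alias_domains))
        self.mailbox_domains = set(parse_table(mailbox_domains))
        self.aliases = parse_table(aliases)
        self.mailboxes = parse_table(mailboxes)
        self.mydestination = {d.lower() for d in mydestination}
        self.mynetworks = mynetworks

    def overlapping_domains(self):
        """Domains listed in more than one address class; Postfix wants none."""
        seen, dup = set(), set()
        for cls in (self.mydestination, self.alias_domains, self.mailbox_domains):
            dup |= seen & cls
            seen |= cls
        return dup

    def rcpt_to(self, recipient, client_ip):
        """SMTP reply to RCPT TO under the smtpd_recipient_restrictions above."""
        rcpt = recipient.lower()
        domain = rcpt.rpartition("@")[2]
        # Unknown recipients in our own virtual domains are refused whoever the
        # client is (smtpd_reject_unlisted_recipient = yes by default).
        if domain in self.alias_domains and rcpt not in self.aliases:
            return "550 User unknown in virtual alias table"
        if domain in self.mailbox_domains and rcpt not in self.mailboxes:
            return "550 User unknown in virtual mailbox table"
        if any(ipaddress.ip_address(client_ip) in net for net in self.mynetworks):
            return "250 OK (permit_mynetworks)"       # trusted client may relay
        if domain in self.mydestination | self.alias_domains | self.mailbox_domains:
            return "250 OK (authorized destination)"
        return "554 Relay access denied"              # reject_unauth_destination

    def deliver(self, recipient):
        """Expand virtual_alias_maps, then pick the transport for the result."""
        addr = recipient.lower()
        for _ in range(ALIAS_LIMIT):
            if addr not in self.aliases:
                break
            addr = self.aliases[addr].lower()
        else:
            raise RuntimeError(f"virtual alias loop starting at {recipient}")
        domain = addr.rpartition("@")[2]
        if domain in self.mailbox_domains:
            path = self.mailboxes.get(addr)
            if path is None:                          # alias points nowhere
                return ("bounce", "User unknown in virtual mailbox table", None)
            kind = "maildir" if path.endswith("/") else "mbox"
            return ("virtual", kind, f"{VIRTUAL_MAILBOX_BASE}/{path}")
        if domain in self.mydestination:
            return ("local", addr, None)              # local(8), /etc/aliases
        return ("smtp", addr, None)                   # relayed to the remote MX


if __name__ == "__main__":
    router = VirtualRouter(VALIAS_DOMAINS, VDOMAINS, VALIASES, VMAILBOX)
    print("overlapping domains:", router.overlapping_domains() or "none")
    for rcpt in ("user2@domain2.tld", "nobody@domain1.tld", "x@elsewhere.example"):
        print("RCPT TO", rcpt, "->", router.rcpt_to(rcpt, "203.0.113.5"))
    for rcpt in ("user2@domain2.tld", "user3@domain3.tld", "user4@domain3.tld"):
        print("deliver", rcpt, "->", router.deliver(rcpt))
```

Running it shows the two outcomes the post is after: user2@domain2.tld is accepted at RCPT TO, rewritten twice through valiases and handed to smtp for john.doe@external.domain.tld, while user3@domain3.tld ends in a Maildir under virtual_mailbox_base. The overlap check is worth keeping around for the PostgreSQL version too, since the same one-class-per-domain rule applies whatever the lookup table type.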


Setting up Cygwin/X

January 15th, 2014 by exhuma.twn


In this article we will set up Cygwin with an X11 server so you can use X11
forwarding to run remote graphical applications on Windows. To allow a
passwordless log-in, we will use public-key authentication. Even though this is
technically out of the scope of this document, I will summarize the necessary
steps to make this a comprehensive guide.


Tunnel your browser connections (i.e. your web traffic) through an SSH tunnel.

August 24th, 2012 by exhuma.twn

I actually did not believe it’s this simple.

Creating the tunnel is as easy as typing:

ssh -D 1080 user@remote_host

Which can be improved with

ssh -fND 1080 user@remote_host

-N tells ssh not to run a remote command (the session only carries the forwarding) and -f sends it to the background once authentication has completed. See ssh(1) for the details.

This will open up port 1080 on your local machine as a SOCKS proxy (ssh speaks both SOCKS4 and SOCKS5 on that port, and binds it to localhost only unless you tell it otherwise). You can then specify this in any application supporting SOCKS proxies, including Firefox and Chrome. With Firefox it’s straight-forward: you can find it in the usual proxy page in the settings.

For chrome it’s a bit more tricky. While you can specify a SOCKS proxy, it seems to ignore it. If you want to enable your tunnel, you have to run chrome with the following command-line flag:

chromium-browser --proxy-server="socks5://localhost:1080"

(or use chrome. Whatever rocks your boat).

Once this is set up, your browser sends each request to the SOCKS listener of your local ssh process, which carries it inside the encrypted session to remote_host, where the actual connection to the web server is opened. The response takes the inverse path. As stated by linode, this is great if you’re on an untrustworthy network! One caveat: only what the application hands to the proxy is protected, and name resolution is part of that. In Firefox, enable “Proxy DNS when using SOCKS v5” (network.proxy.socks_remote_dns), otherwise DNS queries still leave through the untrusted network; with curl the same distinction is --socks5 (resolves locally) versus --socks5-hostname (lets the tunnel resolve).

Sources:

Posted in Linux, Techno Voodoo | No Comments »

Git visualization with gource

May 7th, 2012 by latz.twn

Are you using git/svn/mercurial/bazaar as your version control system, and have you ever wanted to visualize your work and how the project developed over time? Gource is there to visualize all this in a beautiful way. It takes the history of your svn/git/mercurial/bazaar repository and visualizes the changes over time, by whom they were done, and so forth.

sudo apt-get install gource

Now run the following, with /path/to/project being your project’s root directory, and give gource the .git subfolder. Run it and you should see the animation being presented.

gource /path/to/project/.git/

Now to export this to an mpeg4 video do the following.

gource /path/to/project/.git/ --stop-at-end --output-ppm-stream - | ffmpeg -y -b 6000k -r 60 -f image2pipe -vcodec ppm -i - -vcodec mpeg4 /tmp/gource.mp4

Here is an example I created from one of my projects.


Monitoring memory on Solaris

April 24th, 2012 by exhuma.twn

I am currently writing a new munin plugin to monitor memory usage on Solaris machines. Strangely the existing plugins are fairly useless. Currently the script is running on a test-machine. If the results are satisfactory, I’ll post them here. Stay tuned.


Custom bash completion for fabric tasks

March 20th, 2012 by exhuma.twn