Grundabsicherung von Postfix

Das schlimmste, was uns passieren kann, wäre der Betrieb eines offenen Mailrelais gefolgt von einem Mailserver der sich beharrlich weigert eMails anzunehmen, zu versenden und weiterzuleiten. Mit unserer Grundinstallation haben wir schon mal den wichtigsten Part Mailrelay mit den Definitionen in der main.cf erschlagen und sichergestellt, dass kein Fremder Nachrichten an Dritte verschickt, für die unser MX sich nicht zuständig und verantwortlich fühlt.

Auch wurde der Versand unserer eMail bereits entsprechend berücksichtigt.

Damit aber nun unser Mailserver nicht jeden Dreck - aka SPAM & Co - annimmt und auch versendet, definieren wir uns nun ein Regelwerk, mit Hilfe dessen wir festlegen, wann unser Server Mails annehmen oder ablehnen soll. Diese Festlegungen erfolgt mit Hilfe der Restrictions.

Der entscheidenste Moment, an dem wir nicht nur SPAM sondern auch all die anderen unerwünschten Nachrichten abzuwehren, ist der Einlieferungszeitpunkt! Was wir nicht annehmen brauchen wir auch später nicht weiterverarbeiten bzw. beachten. Analog dem Briefverkehr legen wir quasi fest, welche Sendungen überhaupt in unseren Briefkasten geworfen werden können und dürfen.

Wie bereits auch schon bei der Grundkonfiguration wurden die wichtigsten Details mit Hilfe der Postfix-Bibel erarbeitet, bzw. den dortigen Beispielen entnommen. Die Bemerkungen in den nachfolgenden Restriction-Definitionen verweisen auf einzelne Kapitel im Buch!

Bevor wir uns nun die einzelnen Konfigurationsdateien ansehen, werfen wir noch einen Blick in die nachfolgende Übersicht um festzustellen, wann die einzelnen Restriction-Tables in der Mailbearbeitung gezogen werden, also überhaupt einen Einfluß haben.

Postfix MTA

Die nachfolgenden Lookup-Tabelle greift lediglich, wenn die eMails per SMTP beim smtpd-Modul eingeliefert werden. Bei lokal zugestellten Nachrichten, die beim pickup-Modul eingeliefert werden, greifen diese Tabellen nicht!

Restrictions-Regelwerk

Nachfolgende Definitionen fügen wir nun am Ende der /etc/postfix/main.cf ein. Hierzu benutzen wir wie immer den Editor unserer Wahl.

 # vim /etc/postfix/main.cf
#
# Schutz durch Restrictions für unser SOHO 
# Eingetragen am 2008-10-05
#
 
smtpd_recipient_restrictions =
# Postmaster, abuse und andere aufgaben- oder funktionsgebundene E-Mail-Adressen (Role-Accounts) whitelisten
        check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# Black- und Whitelisting                               (Kapitel 8.2.3 White- und Blacklisting)
        check_client_access cidr:/etc/postfix/access_client,
        check_helo_access btree:/etc/postfix/access_helo,
        check_sender_access btree:/etc/postfix/access_sender,
        check_recipient_access btree:/etc/postfix/access_recipient,
# Unsauberer eMails nicht annehmen                      (Kapitel 8.2.4 Anforderungen an Mailadressen)
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
# Unsere eigenen Nutzer zulassen-/erlauben              (Kapitel 8.2.2 Relaying erlauben und verbieten)
        permit_sasl_authenticated,
        permit_tls_clientcerts,
        permit_mynetworks,
# RBL überprüfen (Kapitel 10.11 Realtime Blackhole Lists)
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rhsbl_client multi.uribl.com,
# Dynamische Prüfung auf existente Relay-Empfänger      (Kapitel 12.2.2 Dynamische Empfänger-Verifizierung)
#       reject_unverified_recipient,
# Backupserver (MX) erlauben
#       permit_mx_backup,
# alles andere an relaying verbieten                    (Kapitel 8.2.2 Relaying erlauben und verbieten)
        reject_unauth_destination,
# Zu guter Letzt alles durchlassen, was bis jetzt noch nicht beanstandet wurde
        permit

Bei den Lookup-Tabellen verwenden wir das performantere btree-Tabellenformat .

Damit wir später unsere Datenbankfiles einfach durch den Aufruf

 # postmap <lookup-table>

anlegen können, setzen wir noch den Wert default_database_type auf btree. Anderen Falls müssten wir bei jedem Aufruf von postmap den Datenbanktabellentyp mit angeben!

 # postmap btree:<lookup-table>

Hierzu tragen wir in die main.cf noch nachfolgende Zeilen ein.

 # vim /etc/postfix/main.cf
# Django : 2012-02-06
# default default_database_type = hash
# default Datenbank Typ auf das performantere btree umgestellt
default_database_type = btree

Für jede der vorgenannten Restriction-Regeln benötigen wir nun eine passende Lookup-Tabelle. Nachfolgend betrachten wir nun die einzelnen Dateien und gehen kurz auf die Bedeutung und deren Möglichkeiten ein.

Access-Regeln

In unserem Konfigurationsverzeichnis /etc/postfix/ finden wir die Manpage für die access - Postfix SMTP server access table.

 # less /etc/postfix/access
/etc/postfix/access
# ACCESS(5)                                                            ACCESS(5)
# 
# NAME
#        access - Postfix SMTP server access table
# 
# SYNOPSIS
#        postmap /etc/postfix/access
# 
#        postmap -q "string" /etc/postfix/access
# 
#        postmap -q - /etc/postfix/access <inputfile
# 
# DESCRIPTION
#        This  document  describes  access  control  on remote SMTP
#        client information: host  names,  network  addresses,  and
#        envelope  sender or recipient addresses; it is implemented
#        by the  Postfix  SMTP  server.   See  header_checks(5)  or
#        body_checks(5)  for access control on the content of email
#        messages.
# 
#        Normally, the access(5) table is specified as a text  file
#        that  serves  as  input  to  the  postmap(1) command.  The
#        result, an indexed file in dbm or db format, is  used  for
#        fast  searching  by  the  mail system. Execute the command
#        "postmap /etc/postfix/access" to rebuild an  indexed  file
#        after changing the corresponding text file.
# 
#        When  the  table  is provided via other means such as NIS,
#        LDAP or SQL, the same lookups are  done  as  for  ordinary
#        indexed files.
# 
#        Alternatively,  the  table  can  be provided as a regular-
#        expression map where patterns are given as regular expres-
#        sions,  or lookups can be directed to TCP-based server. In
#        those cases, the lookups are done in a slightly  different
#        way  as  described below under "REGULAR EXPRESSION TABLES"
#        or "TCP-BASED TABLES".
# 
# CASE FOLDING
#        The search string is folded to lowercase  before  database
#        lookup.  As  of Postfix 2.3, the search string is not case
#        folded with database types such as regexp: or pcre:  whose
#        lookup fields can match both upper and lower case.
# 
# TABLE FORMAT
#        The input format for the postmap(1) command is as follows:
# 
#        pattern action
#               When pattern matches a mail address, domain or host
#               address, perform the corresponding action.
# 
#        blank lines and comments
#               Empty  lines and whitespace-only lines are ignored,
#               as are lines whose first  non-whitespace  character
#               is a `#'.
# 
#        multi-line text
#               A  logical  line starts with non-whitespace text. A
#               line that starts with whitespace continues a  logi-
#               cal line.
# 
# EMAIL ADDRESS PATTERNS
#        With lookups from indexed files such as DB or DBM, or from
#        networked tables such as NIS, LDAP or  SQL,  patterns  are
#        tried in the order as listed below:
# 
#        user@domain
#               Matches the specified mail address.
# 
#        domain.tld
#               Matches  domain.tld  as the domain part of an email
#               address.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix  parent_domain_matches_subdomains  con-
#               figuration  setting  (note that this is the default
#               for some versions of Postfix).  Otherwise,  specify
#               .domain.tld  (note  the  initial  dot)  in order to
#               match subdomains.
# 
#        user@  Matches all mail addresses with the specified  user
#               part.
# 
#        Note:  lookup  of  the null sender address is not possible
#        with some types of lookup table. By default, Postfix  uses
#        <>  as  the  lookup  key  for such addresses. The value is
#        specified with the smtpd_null_access_lookup_key  parameter
#        in the Postfix main.cf file.
# 
# EMAIL ADDRESS EXTENSION
#        When a mail address localpart contains the optional recip-
#        ient delimiter (e.g., user+foo@domain), the  lookup  order
#        becomes:  user+foo@domain, user@domain, domain, user+foo@,
#        and user@.
# 
# HOST NAME/ADDRESS PATTERNS
#        With lookups from indexed files such as DB or DBM, or from
#        networked  tables  such as NIS, LDAP or SQL, the following
#        lookup patterns are examined in the order as listed:
# 
#        domain.tld
#               Matches domain.tld.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix  parent_domain_matches_subdomains  con-
#               figuration setting.  Otherwise, specify .domain.tld
#               (note the initial dot) in  order  to  match  subdo-
#               mains.
# 
#        net.work.addr.ess
# 
#        net.work.addr
# 
#        net.work
# 
#        net    Matches  the specified IPv4 host address or subnet-
#               work. An IPv4 host address is a  sequence  of  four
#               decimal octets separated by ".".
# 
#               Subnetworks  are  matched  by repeatedly truncating
#               the last ".octet" from the remote IPv4 host address
#               string  until a match is found in the access table,
#               or until further truncation is not possible.
# 
#               NOTE 1: The access map lookup key must be in canon-
#               ical  form: do not specify unnecessary null charac-
#               ters, and do not enclose network  address  informa-
#               tion with "[]" characters.
# 
#               NOTE  2:  use the cidr lookup table type to specify
#               network/netmask  patterns.  See  cidr_table(5)  for
#               details.
# 
#        net:work:addr:ess
# 
#        net:work:addr
# 
#        net:work
# 
#        net    Matches  the specified IPv6 host address or subnet-
#               work. An IPv6 host address is a sequence  of  three
#               to  eight hexadecimal octet pairs separated by ":".
# 
#               Subnetworks are matched  by  repeatedly  truncating
#               the  last  ":octetpair"  from  the remote IPv6 host
#               address string until a match is found in the access
#               table, or until further truncation is not possible.
# 
#               NOTE 1: the truncation and comparison are done with
#               the string representation of the IPv6 host address.
#               Thus, not all the ":" subnetworks will be tried.
# 
#               NOTE 2: The access map lookup key must be in canon-
#               ical  form: do not specify unnecessary null charac-
#               ters, and do not enclose network  address  informa-
#               tion with "[]" characters.
# 
#               NOTE  3:  use the cidr lookup table type to specify
#               network/netmask  patterns.  See  cidr_table(5)  for
#               details.
# 
#               IPv6 support is available in Postfix 2.2 and later.
# 
# ACCEPT ACTIONS
#        OK     Accept the address etc. that matches the pattern.
# 
#        all-numerical
#               An all-numerical result is treated as OK. This for-
#               mat  is generated by address-based relay authoriza-
#               tion schemes such as pop-before-smtp.
# 
# REJECT ACTIONS
#        Postfix version 2.3  and  later  support  enhanced  status
#        codes  as  defined in RFC 3463.  When no code is specified
#        at the beginning of the  text  below,  Postfix  inserts  a
#        default  enhanced  status  code  of "5.7.1" in the case of
#        reject actions, and "4.7.1" in the case of defer  actions.
#        See "ENHANCED STATUS CODES" below.
# 
#        4NN text
# 
#        5NN text
#               Reject  the  address etc. that matches the pattern,
#               and respond with the numerical three-digit code and
#               text.  4NN means "try again later", while 5NN means
#               "do not try again".
# 
#               The following responses have  special  meaning  for
#               the Postfix SMTP server:
# 
#               421 text (Postfix 2.3 and later)
# 
#               521 text (Postfix 2.6 and later)
#                      After  responding  with the numerical three-
#                      digit code and text, disconnect  immediately
#                      from  the  SMTP  client.  This frees up SMTP
#                      server resources so that they  can  be  made
#                      available to another SMTP client.
# 
#                      Note: The "521" response should be used only
#                      with botnets and other malware where  inter-
#                      operability is of no concern.  The "send 521
#                      and disconnect" behavior is NOT  defined  in
#                      the SMTP standard.
# 
#        REJECT optional text...
#               Reject  the  address etc. that matches the pattern.
#               Reply   with   "$access_map_reject_code    optional
#               text..."  when the optional text is specified, oth-
#               erwise reply with a generic error response message.
# 
#        DEFER optional text...
#               Reject  the  address etc. that matches the pattern.
#               Reply   with    "$access_map_defer_code    optional
#               text..."  when the optional text is specified, oth-
#               erwise reply with a generic error response message.
# 
#               This feature is available in Postfix 2.6 and later.
# 
#        DEFER_IF_REJECT optional text...
#               Defer the request if some later  restriction  would
#               result    in    a   REJECT   action.   Reply   with
#               "$access_map_defer_code  4.7.1  optional   text..."
#               when  the  optional  text  is  specified, otherwise
#               reply with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        DEFER_IF_PERMIT optional text...
#               Defer  the  request if some later restriction would
#               result in a an explicit or implicit PERMIT  action.
#               Reply  with "$access_map_defer_code 4.7.1  optional
#               text..." when the optional text is specified,  oth-
#               erwise reply with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
# OTHER ACTIONS
#        restriction...
#               Apply the named UCE restriction(s) (permit, reject,
#               reject_unauth_destination, and so on).
# 
#        BCC user@domain
#               Send one copy  of  the  message  to  the  specified
#               recipient.
# 
#               If  multiple  BCC  actions are specified within the
#               same SMTP MAIL transaction, only  the  last  action
#               will be used.
# 
#               This  feature  is  not  part  of the stable Postfix
#               release.
# 
#        DISCARD optional text...
#               Claim successful delivery and silently discard  the
#               message.   Log the optional text if specified, oth-
#               erwise log a generic message.
# 
#               Note: this action currently affects all  recipients
#               of  the  message.   To  discard  only one recipient
#               without discarding  the  entire  message,  use  the
#               transport(5) table to direct mail to the discard(8)
#               service.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        DUNNO  Pretend  that  the  lookup  key was not found. This
#               prevents Postfix  from  trying  substrings  of  the
#               lookup  key (such as a subdomain name, or a network
#               address subnetwork).
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        FILTER transport:destination
#               After  the  message is queued, send the entire mes-
#               sage through the specified external content filter.
#               The  transport:destination  syntax  is described in
#               the transport(5)  manual  page.   More  information
#               about  external  content  filters is in the Postfix
#               FILTER_README file.
# 
#               Note: this action overrides the content_filter set-
#               ting,  and  currently affects all recipients of the
#               message.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        HOLD optional text...
#               Place  the message on the hold queue, where it will
#               sit until someone either deletes it or releases  it
#               for  delivery.  Log the optional text if specified,
#               otherwise log a generic message.
# 
#               Mail that is placed on hold can  be  examined  with
#               the  postcat(1)  command,  and  can be destroyed or
#               released with the postsuper(1) command.
# 
#               Note: use "postsuper -r" to release mail  that  was
#               kept  on  hold for a significant fraction of $maxi-
#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
#               longer.  Use "postsuper -H" only for mail that will
#               not expire within a few delivery attempts.
# 
#               Note: this action currently affects all  recipients
#               of the message.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        PREPEND headername: headervalue
#               Prepend the specified message header  to  the  mes-
#               sage.   When more than one PREPEND action executes,
#               the first prepended header appears before the  sec-
#               ond etc. prepended header.
# 
#               Note:  this  action must execute before the message
#               content is received; it cannot execute in the  con-
#               text of smtpd_end_of_data_restrictions.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        REDIRECT user@domain
#               After the message is queued, send  the  message  to
#               the  specified  address  instead  of  the  intended
#               recipient(s).
# 
#               Note: this action overrides the FILTER action,  and
#               currently affects all recipients of the message.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        WARN optional text...
#               Log a warning with the optional text, together with
#               client  information  and  if  available, with helo,
#               sender, recipient and protocol information.
# 
#               This feature is available in Postfix 2.1 and later.
# 
# ENHANCED STATUS CODES
#        Postfix  version  2.3  and  later  support enhanced status
#        codes as defined in RFC 3463.   When  an  enhanced  status
#        code  is  specified  in  an access table, it is subject to
#        modification. The  following  transformations  are  needed
#        when  the  same  access  table  is  used for client, helo,
#        sender, or  recipient  access  restrictions;  they  happen
#        regardless of whether Postfix replies to a MAIL FROM, RCPT
#        TO or other SMTP command.
# 
#        o      When a sender address matches a REJECT action,  the
#               Postfix  SMTP server will transform a recipient DSN
#               status (e.g., 4.1.1-4.1.6) into  the  corresponding
#               sender DSN status, and vice versa.
# 
#        o      When   non-address  information  matches  a  REJECT
#               action (such as the HELO command  argument  or  the
#               client  hostname/address),  the Postfix SMTP server
#               will transform a sender  or  recipient  DSN  status
#               into   a  generic  non-address  DSN  status  (e.g.,
#               4.0.0).
# 
# REGULAR EXPRESSION TABLES
#        This section describes how the table lookups  change  when
#        the table is given in the form of regular expressions. For
#        a description of regular expression lookup  table  syntax,
#        see regexp_table(5) or pcre_table(5).
# 
#        Each  pattern  is  a regular expression that is applied to
#        the entire string being looked up. Depending on the appli-
#        cation,  that  string  is  an  entire  client hostname, an
#        entire client IP address, or an entire mail address. Thus,
#        no  parent  domain  or  parent  network  search  is  done,
#        user@domain mail addresses are not broken  up  into  their
#        user@ and domain constituent parts, nor is user+foo broken
#        up into user and foo.
# 
#        Patterns are applied in the order as specified in the  ta-
#        ble,  until  a  pattern  is  found that matches the search
#        string.
# 
#        Actions are the same as with indexed  file  lookups,  with
#        the  additional feature that parenthesized substrings from
#        the pattern can be interpolated as $1, $2 and so on.
# 
# TCP-BASED TABLES
#        This section describes how the table lookups  change  when
#        lookups are directed to a TCP-based server. For a descrip-
#        tion of the TCP client/server lookup protocol, see tcp_ta-
#        ble(5).  This feature is not available up to and including
#        Postfix version 2.4.
# 
#        Each lookup operation uses the entire query  string  once.
#        Depending  on  the  application,  that string is an entire
#        client hostname, an entire client IP address, or an entire
#        mail  address.   Thus,  no parent domain or parent network
#        search is done, user@domain mail addresses are not  broken
#        up  into  their user@ and domain constituent parts, nor is
#        user+foo broken up into user and foo.
# 
#        Actions are the same as with indexed file lookups.
# 
# EXAMPLE
#        The following example uses an indexed file,  so  that  the
#        order  of  table entries does not matter. The example per-
#        mits access by the client at address 1.2.3.4  but  rejects
#        all  other  clients  in 1.2.3.0/24. Instead of hash lookup
#        tables, some systems use dbm.  Use the  command  "postconf
#        -m"  to  find  out  what lookup tables Postfix supports on
#        your system.
# 
#        /etc/postfix/main.cf:
#            smtpd_client_restrictions =
#                check_client_access hash:/etc/postfix/access
# 
#        /etc/postfix/access:
#            1.2.3   REJECT
#            1.2.3.4 OK
# 
#        Execute the command  "postmap  /etc/postfix/access"  after
#        editing the file.
# 
# BUGS
#        The  table format does not understand quoting conventions.
# 
# SEE ALSO
#        postmap(1), Postfix lookup table manager
#        smtpd(8), SMTP server
#        postconf(5), configuration parameters
#        transport(5), transport:nexthop syntax
# 
# README FILES
#        Use "postconf readme_directory" or  "postconf  html_direc-
#        tory" to locate this information.
#        SMTPD_ACCESS_README, built-in SMTP server access control
#        DATABASE_README, Postfix lookup table overview
# 
# LICENSE
#        The  Secure  Mailer  license must be distributed with this
#        software.
# 
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
# 
#                                                                      ACCESS(5)

Wir editieren nun aber nicht diese Vorlage- und Musterdateien, sondern legen uns für die einzelnen Anwendungsfälle eigene Dateien an, auch wenn diese eventuell erst einmal ohne Inhalt sind. Wir haben so später kein Problem mehr, wenn wir ad hoc auf eine Anforderung schnell reagieren müssen.

Access-Aktionen

Bei den einzelnen folgenden Access-Tabellen stehen uns folgende Access-Aktionen zur Verfügung:

Steuerwort Ergebnis
OK Die Anfrage wird zugelassen
BCCuser@domäne.tld Sendet die empfangene eMail an einen gesonderten Empfänger als Blindcopy bcc
DEFER_IF_REJECT Wenn ein nachfolgender Test einen fatalen REJECT liefern würde, wird an den Client ein temporärer Fehler (4xx) signalisiert.
DEFER_IF_PERMIT Signalisiert an den Client einen temporären Fehler (4xx), obwohl die eMail sonst angenommen worden wäre.
DISCARD Die eMail wird für alle Empfänger verworfen, sobald nur ein einzelner Empfänger diesen DISCARD auslöst! Dem einliefernden Client wird eine erfolgreiche Zustellung signalisiert.
DUNNO Die Anfrage wird nicht abgelehnt, liefert jedoch auch kein ausdrückliches OK zurück. Die Access-Prüfung wird beendet - weitere Prüfungen können jedoch nich erfolgen.
FILTERnexthop Routet die eMail an nexthop und überschreibt dabei die Einstellung content_Filter
HOLD Nimmt die eMail entgegen und stellt diese in die hold-Queue
PREPENDMailheader:Wert Fügt in den Mailheader der eMail den Mailheader:Wert ein.
REDIRECTuser@domäne.tld Leitet die eMail an die neue eMail-Adresse um und verwirft dabei alle anderen angegebenen Empfänger!
REJECT Die Anfrage wird mit einem fatalen Fehlercode 5xx abgelehnt
REJECTHinweistext Die Anfrage wird abgelehnt und der Text Hinweistext ausgegeben
4xxHinweistext Die Anfrage wird mit einem temporären Fehlercode 4xx und dem Text Hinweistext abgelehnt
5xxHinweistext Die Anfrage wird mit einem fatalen Fehlercode 5xx und dem Text Hinweistext abgelehnt
WARNHinweistext Im Maillog des Mailservers wird ein Logeintrag mit den Informationen:
- Absender
- Empfänger
- HELO
- etc.
zusammen mit dem Hinweistext eingefügt.

Access-Dateien

  • check_client_access
    access_client
    Access-Tabelle zum Black- und Whitelisten einzelner Hosts auf Basis ihrer IP-Adresse. Damit wir auch Netzbereiche in der Form 10.0.10.1/28, also mit IP-Adressen mit einer Netzmaske versehen, nutzen können, dürfen wir hier nicht btree als Datenbankformat verwenden! Wir greifen hier auf cidr-Maps zurück!
     # vim /etc/postfix/access_client
    /etc/postfix/access_client
    # Django : 2012-02-06
    # Kapitel 5.2.7 access-Tabelle: Wer darf, wer darf nicht?
    # Tabelle zum black- und whitelisten einzelner Hosts auf Basis ihrer IP-Adressen 
    # nach dem Ändern und/oder Erweitern der Tabelle, muß ein laufender Postfix über die Änderungen
    # mit einem reload informiert werden. Es muss hier keine Datenbank mit postmap erzeugt werden, da 
    # Postfix die ASCII-Konfigurationsdatei direkt auswertet!
    #


  • check_helo_access
    access_helo Access-Tabelle zum Black- und Whitelisten einzelner Hosts auf Grund seines HELO-Namens.
    access_helo.db Datenbankfile zur access_helo-Datei.
     # vim /etc/postfix/access_helo
    /etc/postfix/access_helo
    # Django : 2012-02-06
    # Kapitel 5.2.7 access-Tabelle: Wer darf, wer darf nicht?
    # Tabelle zum black- und whitelisten einzelner Hosts auf Grund seines HELO-Namens
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/access_helo
    # die zugehörige Datenbank erzeugt werden.
    #


  • check_recipient_access-rfc
    access_recipient-rfc Access-Tabelle zum Black- und Whitelisten einzelner aufgaben- oder funktionsgebundener E-Mail-Adressen (Role-Accounts).
    access_recipient-rfc.db Datenbankfile zur access_recipient-rfc-Datei.
     # vim /etc/postfix/access_recipient-rfc
    /etc/postfix/access_recipient-rfc
    # Django : 2012-02-06
    # Postmaster, abuse und andere aufgaben- oder funktionsgebundene E-Mail-Adressen (Role-Accounts) whitelisten.
    # Nach dem Ändern und/oder Erweiterrn der Tabelle, muß noch mittels  $ postmap /etc/postfix/access_recipient-rfc
    # die zugehörige Datenbank erzeugt werden.
    abuse@          OK
    postmaster@     OK


  • check_recipient_access
    access_recipient
    Access-Tabelle zum Black- und Whitelisten einzelner Hosts auf Grund der Empfänger-eMailadresse.
    access_recipient.db Datenbankfile zur access_recipient-Datei.
     # vim /etc/postfix/access_recipient
    /etc/postfix/access_recipient
    # Django : 2012-02-06
    # Kapitel 5.2.7 access-Tabelle: Wer darf, wer darf nicht?
    # Tabelle zum black- und whitelisten einzelne Empfänger auf Basis ihrer eMail-Adresse
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/access_recipient
    # die zugehörige Datenbank erzeugt werden.
    #


  • check_sender_access
    access_sender
    Access-Tabelle zum Black- und Whitelisten einzelner Absender auf Grund der Absender-eMailadresse.
    access_sender.db Datenbankfile zur access_sender-Datei.
     # vim /etc/postfix/access_sender
    /etc/postfix/access_sender
    # Django : 2012-02-06
    # Kapitel 5.2.7 access-Tabelle: Wer darf, wer darf nicht?
    # Tabelle zum black- und whitelisten einzelner Absender auf Basis ihrer eMail-Adresse
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/access_sender
    # die zugehörige Datenbank erzeugt werden.
    #


Permit-Regeln

  • permit
    Liefert generell ein OK und beendet die Prüfung an der Stelle.
  • permit_mynetworks
    Akzeptiert eine eingelieferte eMail, sofern der Client aus einem vertrauenswürdigem Netz kommt. Die Defintion welches IP-Netz vertrauenswürdig ist, erfolgt über die beiden Parameter $mynetworks und $mynetworks_style.
  • permit_sasl_authenticated
    Akzeptiert eine eingelieferte eMail, sofern sich der Client erfolgreich mit SMTP-Auth authentifiziert hat.
  • permit_tls_clientcerts
    Akzeptiert eine eingelieferte eMail, sofern der Fingerprint des SSL/TLS-Client-Zertifikates in $relay_clientcerts gefunden wurde.
  • permit_mx_backup
    Akzeptiert eine eingelieferte eMail, sofern ein MX-Record der Empfängerdomäne auf unseren Mailserver zeigt und unser Mailserver damit ein nachrangiger, also ein MX-Record mit numerisch höherer Priorität, Mailserver ist.

Reject-Regeln

  • reject
    Liefert generell ein REJECT und beendet die Prüfung an der Stelle. Dem einliefernden Client wird ein fataler Fehler (5xx) signalisiert.
  • reject_non_fqdn_sender
    Blockiert die eMail, sofern die Absender-Adresse keinen FQDN1) besitzt, dies ist dann der Fall, wenn die Adresse nur aus einem Hostnamen aber keiner Domäne besteht.
  • reject_non_fqdn_recipient
    Blockiert die eMail, sofern die Empfänger-Adresse keinen FQDN2) besitzt, dies ist dann der Fall, wenn die Adresse nur aus einem Hostnamen aber keiner Domäne besteht.
  • reject_unauth_destination
    Es wird solange ein REJECT geliefert, solange nicht:
    • die Zieladresse in der Tabelle $relay_domains gelistet ist, oder
    • unser Mailserver für diese Domäne Final Destination ist. Die Domäne muss dabei entweder in $mydestination, $virtual_alias_domains oder in $inet_interfaces vorkommen.
  • reject_unknown_sender_domain
    Blockiert die eMail, sofern die Absendseradresse im DNS weder ein gültiger A- noch MX-Record verfügbar ist.
  • reject_unknown_recipient_domain
    Blockiert die eMail, sofern die Empfängeradresse im DNS weder ein gültiger A- noch MX-Record verfügbar ist.
  • reject_rbl_client
    Blockiert die eMail, sofern die Client-IP-Adresse in der jeweils genannten rbl_domain(RBL)3) geblacklistet ist.
    • reject_rbl_client zen.spamhaus.org Blockiert die eMail, wenn die Client-IP-Adresse bei zen.spamhaus.org geblacklistet ist.
    • reject_rbl_client ix.dnsbl.manitu.net Blockiert die eMail, wenn die Client-IP-Adresse bei ix.dnsbl.manitu.net geblacklistet ist.
    • reject_rbl_client bl.spamcop.net Blockiert die eMail, wenn die Client-IP-Adresse bei bl.spamcop.net geblacklistet ist.
    • reject_rbl_client dnsbl.njabl.org Blockiert die eMail, wenn die Client-IP-Adresse bei dnsbl.njabl.org geblacklistet ist.
  • reject_rhsbl_client multi.uribl.com
    Blockiert die eMail, sofern der Client-Hostname in der verwendeten rhsbl_domain(RHSBL)4) gelistet ist.

Lookup-Tabellen

Zur Nutzung der nachfolgenden Lookup-Tabellen ergänzen wir nun die Konfigurationsdatei main.cf unseres Postfix-Mailservers.

 # vim /etc/postfix/main.cf
# Django : 2012-02-06
# Lookup-Tabelle zum Umschreibungen von Absender eMail-Adressen im SMTP-Envelop und im Header der eMail
sender_canonical_maps = btree:/etc/postfix/sender_canonical_maps
#
# Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail
recipient_canonical_maps = btree:/etc/postfix/recipient_canonical_maps
#
# Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail
# das Umschreiben erfolgt beim Verlassen des Systems via LMTP
lmtp_generic_maps = btree:/etc/postfix/lmtp_generic_maps
#
# Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail
# das Umschreiben erfolgt beim Verlassen des Systems via SMTP
smtp_generic_maps = btree:/etc/postfix/smtp_generic_maps
#
# Lookup-Tabelle zum Aktivieren einer alternativen Mailrouting bei der Zustellung an einen weiteren Mailserver
transport_maps = btree:/etc/postfix/transport_maps
#
# Lookup-Tabelle zum Aktivieren von "Bounce-Nachrichten" an den Absender einer eMail über nicht existierende
# eMailadressen mit Angabe der neu zu nutzenden eMailadresse des Empfängers
relocated_maps = btree:/etc/postfix/relocated_maps
# 
# Lookup-Tabelle zum Verwalten der virtuellen Domains
virtual_alias_domains = btree:/etc/postfix/virtual_alias_domains
#
# Lookup-Tabelle zum Verwalten der virtuellen eMail-Adressen
virtual_alias_maps = btree:/etc/postfix/virtual_alias_maps


  • access
    Die access-Tabellen wurden bereits im ersten Teil dieses Dokumentes beschrieben.
  • aliases
    Mit Hilfe der aliases-Tabelle lassen sich lokale eMailadressen umschreiben und so die Nachrichten an andere Postfacher umleiten. Die Alias-Tabelle aliases und die zugehörige Datenbankdatei aliases.db befinden sich aus historischen Gründen nicht im Postfix-Konfigirationspfad /etc/postfix sondern im Verzeichnis /etc.
    aliases.db Datenbankfile zur aliases-Datei.
     # vim /etc/aliases
    /etc/aliases
    #
    #  Aliases in this file will NOT be expanded in the header from
    #  Mail, but WILL be visible over networks or from /bin/mail.
    #
    #	>>>>>>>>>>	The program "newaliases" must be run after
    #	>> NOTE >>	this file is updated for any changes to
    #	>>>>>>>>>>	show through to sendmail.
    #
     
    # Basic system aliases -- these MUST be present.
    mailer-daemon:	postmaster
    postmaster:	root
     
    # General redirections for pseudo accounts.
    bin:		root
    daemon:		root
    adm:		root
    lp:		root
    sync:		root
    shutdown:	root
    halt:		root
    mail:		root
    news:		root
    uucp:		root
    operator:	root
    games:		root
    gopher:		root
    ftp:		root
    nobody:		root
    radiusd:	root
    nut:		root
    dbus:		root
    vcsa:		root
    canna:		root
    wnn:		root
    rpm:		root
    nscd:		root
    pcap:		root
    apache:		root
    webalizer:	root
    dovecot:	root
    fax:		root
    quagga:		root
    radvd:		root
    pvm:		root
    amanda:		root
    privoxy:	root
    ident:		root
    named:		root
    xfs:		root
    gdm:		root
    mailnull:	root
    postgres:	root
    sshd:		root
    smmsp:		root
    postfix:	root
    netdump:	root
    ldap:		root
    squid:		root
    ntp:		root
    mysql:		root
    desktop:	root
    rpcuser:	root
    rpc:		root
    nfsnobody:	root
     
    ingres:		root
    system:		root
    toor:		root
    manager:	root
    dumper:		root
    abuse:		root
     
    newsadm:	news
    newsadmin:	news
    usenet:		news
    ftpadm:		ftp
    ftpadmin:	ftp
    ftp-adm:	ftp
    ftp-admin:	ftp
    www:		webmaster
    webmaster:	root
    noc:		root
    security:	root
    hostmaster:	root
    info:		postmaster
    marketing:	postmaster
    sales:		postmaster
    support:	postmaster
     
     
    # trap decode to catch security attacks
    decode:		root
     
    # Person who should get root's mail
    #root:		marc

Achtung: Die aliases-Tabelle wird nur vom Postfix-Modul local ausgewertet, wenn diese lokal zugestellt werden. Erfolgt die Zustellung mit Hilfe von LMTP oder SMTP oder anderen Transportmethoden, wird die aliases-Tabelle ignoriert!

  • canonical
    Lookup-Tabelle zum Umschreibungen von Absender und/oder Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail. Die Manpage zu den canonical-maps gindet man im Komfigurationsverteichnis von Postfix.
    # less /etc/postfix/canonical
    /etc/postfix/canonical
    # CANONICAL(5)                                                      CANONICAL(5)
    # 
    # NAME
    #        canonical - Postfix canonical table format
    # 
    # SYNOPSIS
    #        postmap /etc/postfix/canonical
    # 
    #        postmap -q "string" /etc/postfix/canonical
    # 
    #        postmap -q - /etc/postfix/canonical <inputfile
    # 
    # DESCRIPTION
    #        The  optional canonical(5) table specifies an address map-
    #        ping for local and non-local  addresses.  The  mapping  is
    #        used  by the cleanup(8) daemon, before mail is stored into
    #        the queue.  The address mapping is recursive.
    # 
    #        Normally, the canonical(5) table is specified  as  a  text
    #        file  that serves as input to the postmap(1) command.  The
    #        result, an indexed file in dbm or db format, is  used  for
    #        fast  searching  by  the  mail system. Execute the command
    #        "postmap /etc/postfix/canonical"  to  rebuild  an  indexed
    #        file after changing the corresponding text file.
    # 
    #        When  the  table  is provided via other means such as NIS,
    #        LDAP or SQL, the same lookups are  done  as  for  ordinary
    #        indexed files.
    # 
    #        Alternatively,  the  table  can  be provided as a regular-
    #        expression map where patterns are given as regular expres-
    #        sions,  or lookups can be directed to TCP-based server. In
    #        those cases, the lookups are done in a slightly  different
    #        way  as  described below under "REGULAR EXPRESSION TABLES"
    #        or "TCP-BASED TABLES".
    # 
    #        By default the canonical(5) mapping affects  both  message
    #        header  addresses  (i.e. addresses that appear inside mes-
    #        sages) and message envelope addresses  (for  example,  the
    #        addresses  that  are used in SMTP protocol commands). This
    #        is controlled with the canonical_classes parameter.
    # 
    #        NOTE: Postfix versions 2.2 and later rewrite message head-
    #        ers  from  remote  SMTP clients only if the client matches
    #        the  local_header_rewrite_clients  parameter,  or  if  the
    #        remote_header_rewrite_domain configuration parameter spec-
    #        ifies a non-empty value. To get the behavior before  Post-
    #        fix    2.2,    specify   "local_header_rewrite_clients   =
    #        static:all".
    # 
    #        Typically, one would use the canonical(5) table to replace
    #        login   names   by  Firstname.Lastname,  or  to  clean  up
    #        addresses produced by legacy mail systems.
    # 
    #        The canonical(5) mapping is not to be confused  with  vir-
    #        tual  alias  support or with local aliasing. To change the
    #        destination but not the headers,  use  the  virtual(5)  or
    #        aliases(5) map instead.
    # 
    # CASE FOLDING
    #        The  search  string is folded to lowercase before database
    #        lookup. As of Postfix 2.3, the search string is  not  case
    #        folded  with database types such as regexp: or pcre: whose
    #        lookup fields can match both upper and lower case.
    # 
    # TABLE FORMAT
    #        The input format for the postmap(1) command is as follows:
    # 
    #        pattern result
    #               When  pattern matches a mail address, replace it by
    #               the corresponding result.
    # 
    #        blank lines and comments
    #               Empty lines and whitespace-only lines are  ignored,
    #               as  are  lines whose first non-whitespace character
    #               is a `#'.
    # 
    #        multi-line text
    #               A logical line starts with non-whitespace  text.  A
    #               line  that starts with whitespace continues a logi-
    #               cal line.
    # 
    # TABLE SEARCH ORDER
    #        With lookups from indexed files such as DB or DBM, or from
    #        networked  tables  such  as NIS, LDAP or SQL, patterns are
    #        tried in the order as listed below:
    # 
    #        user@domain address
    #               Replace user@domain by address. This form  has  the
    #               highest precedence.
    # 
    #               This  is  useful  to clean up addresses produced by
    #               legacy mail systems.  It can also be used  to  pro-
    #               duce  Firstname.Lastname  style  addresses, but see
    #               below for a simpler solution.
    # 
    #        user address
    #               Replace user@site by address when site is equal  to
    #               $myorigin,  when  site is listed in $mydestination,
    #               or  when  it  is  listed  in  $inet_interfaces   or
    #               $proxy_interfaces.
    # 
    #               This  form  is  useful for replacing login names by
    #               Firstname.Lastname.
    # 
    #        @domain address
    #               Replace other addresses in domain by address.  This
    #               form has the lowest precedence.
    # 
    #               Note:  @domain  is  a  wild-card. When this form is
    #               applied to recipient addresses,  the  Postfix  SMTP
    #               server  accepts  mail  for any recipient in domain,
    #               regardless of whether that recipient exists.   This
    #               may  turn  your  mail  system  into  a  backscatter
    #               source: Postfix first accepts mail for non-existent
    #               recipients  and  then  tries to return that mail as
    #               "undeliverable" to the often forged sender address.
    # 
    # RESULT ADDRESS REWRITING
    #        The lookup result is subject to address rewriting:
    # 
    #        o      When  the  result  has  the  form @otherdomain, the
    #               result becomes the same user in otherdomain.
    # 
    #        o      When "append_at_myorigin=yes", append  "@$myorigin"
    #               to addresses without "@domain".
    # 
    #        o      When "append_dot_mydomain=yes", append ".$mydomain"
    #               to addresses without ".domain".
    # 
    # ADDRESS EXTENSION
    #        When a mail address localpart contains the optional recip-
    #        ient  delimiter  (e.g., user+foo@domain), the lookup order
    #        becomes: user+foo@domain, user@domain, user+foo, user, and
    #        @domain.
    # 
    #        The   propagate_unmatched_extensions   parameter  controls
    #        whether an unmatched address extension  (+foo)  is  propa-
    #        gated to the result of table lookup.
    # 
    # REGULAR EXPRESSION TABLES
    #        This  section  describes how the table lookups change when
    #        the table is given in the form of regular expressions. For
    #        a  description  of regular expression lookup table syntax,
    #        see regexp_table(5) or pcre_table(5).
    # 
    #        Each pattern is a regular expression that  is  applied  to
    #        the entire address being looked up. Thus, user@domain mail
    #        addresses are not broken up into their  user  and  @domain
    #        constituent parts, nor is user+foo broken up into user and
    #        foo.
    # 
    #        Patterns are applied in the order as specified in the  ta-
    #        ble,  until  a  pattern  is  found that matches the search
    #        string.
    # 
    #        Results are the same as with indexed  file  lookups,  with
    #        the  additional feature that parenthesized substrings from
    #        the pattern can be interpolated as $1, $2 and so on.
    # 
    # TCP-BASED TABLES
    #        This section describes how the table lookups  change  when
    #        lookups are directed to a TCP-based server. For a descrip-
    #        tion of the TCP client/server lookup protocol, see tcp_ta-
    #        ble(5).  This feature is not available up to and including
    #        Postfix version 2.4.
    # 
    #        Each lookup operation uses the entire address once.  Thus,
    #        user@domain  mail  addresses  are not broken up into their
    #        user and @domain constituent parts, nor is user+foo broken
    #        up into user and foo.
    # 
    #        Results are the same as with indexed file lookups.
    # 
    # BUGS
    #        The  table format does not understand quoting conventions.
    # 
    # CONFIGURATION PARAMETERS
    #        The following main.cf parameters are especially  relevant.
    #        The  text  below  provides  only  a parameter summary. See
    #        postconf(5) for more details including examples.
    # 
    #        canonical_classes
    #               What addresses are  subject  to  canonical  address
    #               mapping.
    # 
    #        canonical_maps
    #               List of canonical mapping tables.
    # 
    #        recipient_canonical_maps
    #               Address  mapping  lookup  table  for  envelope  and
    #               header recipient addresses.
    # 
    #        sender_canonical_maps
    #               Address  mapping  lookup  table  for  envelope  and
    #               header sender addresses.
    # 
    #        propagate_unmatched_extensions
    #               A  list  of  address rewriting or forwarding mecha-
    #               nisms that propagate an address extension from  the
    #               original  address  to  the result.  Specify zero or
    #               more  of  canonical,   virtual,   alias,   forward,
    #               include, or generic.
    # 
    #        Other parameters of interest:
    # 
    #        inet_interfaces
    #               The  network  interface  addresses that this system
    #               receives mail on.  You need to stop and start Post-
    #               fix when this parameter changes.
    # 
    #        local_header_rewrite_clients
    #               Rewrite message header addresses in mail from these
    #               clients and update incomplete  addresses  with  the
    #               domain name in $myorigin or $mydomain; either don't
    #               rewrite message headers from other clients at  all,
    #               or  rewrite  message  headers and update incomplete
    #               addresses  with  the  domain   specified   in   the
    #               remote_header_rewrite_domain parameter.
    # 
    #        proxy_interfaces
    #               Other interfaces that this machine receives mail on
    #               by way of a proxy agent or network address transla-
    #               tor.
    # 
    #        masquerade_classes
    #               List  of  address  classes subject to masquerading:
    #               zero or more of  envelope_sender,  envelope_recipi-
    #               ent, header_sender, header_recipient.
    # 
    #        masquerade_domains
    #               List  of  domains  that hide their subdomain struc-
    #               ture.
    # 
    #        masquerade_exceptions
    #               List of user names that are not subject to  address
    #               masquerading.
    # 
    #        mydestination
    #               List  of  domains  that  this mail system considers
    #               local.
    # 
    #        myorigin
    #               The domain that is appended to locally-posted mail.
    # 
    #        owner_request_special
    #               Give special treatment to owner-xxx and xxx-request
    #               addresses.
    # 
    #        remote_header_rewrite_domain
    #               Don't rewrite message headers from  remote  clients
    #               at all when this parameter is empty; otherwise, re-
    #               write message  headers  and  append  the  specified
    #               domain name to incomplete addresses.
    # 
    # SEE ALSO
    #        cleanup(8), canonicalize and enqueue mail
    #        postmap(1), Postfix lookup table manager
    #        postconf(5), configuration parameters
    #        virtual(5), virtual aliasing
    # 
    # README FILES
    #        Use  "postconf  readme_directory" or "postconf html_direc-
    #        tory" to locate this information.
    #        DATABASE_README, Postfix lookup table overview
    #        ADDRESS_REWRITING_README, address rewriting guide
    # 
    # LICENSE
    #        The Secure Mailer license must be  distributed  with  this
    #        software.
    # 
    # AUTHOR(S)
    #        Wietse Venema
    #        IBM T.J. Watson Research
    #        P.O. Box 704
    #        Yorktown Heights, NY 10598, USA
    # 
    #                                                                   CANONICAL(5)

    sender_canonical_maps Lookup-Tabelle zum Umschreibungen von Absender eMail-Adressen im SMTP-Envelop und im Header der eMail.
    sender_canonical_maps.db Datenbankfile zur sender_canonical_maps-Datei.

     # vim /etc/postfix/sender_canonical_maps
    /etc/postfix/sender_canonical_maps
    # Django : 2012-02-06
    # Kapitel 5.2.3 canonical-Tabelle: Ich versteck' mich
    # Lookup-Tabelle zum Umschreibungen von Absender eMail-Adressen im SMTP-Envelop und im Header der eMail.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/sender_canonical_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # catch all
    @pml100200.intra.nausch.org             @nausch.org
    #
    # einzelnen Nutzer umschreiben
    weather                                 news@wetterstation-pliening.info
    #
    # genau eine Adresse umschreiben
    admin@pml100201.intra.nausch.org        webmaster@nausch.org

    recipient_canonical_maps Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail.
    recipient_canonical_maps.db Datenbankfile zur recipient_canonical_maps-Datei.

     # vim /etc/postfix/recipient_canonical_maps
    /etc/postfix/recipient_canonical_maps
    # Django : 2012-02-06
    # Kapitel 5.2.3 canonical-Tabelle: Ich versteck' mich
    # Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/sender_canonical_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # catch all
    @omni128.de             @nausch.org
    #
    # genau eine Adresse umschreiben
    swat@nausch.org        abuse@nausch.org
  • generic
    Tabelle zum Umschreiben von eMailadressen. Im Gegensatz zu den beiden canonical-Maps, die die Adresse beim Empfang umschreibt, wird bei der generic-Tbelle die Adresse beim Versenden umgeschrieben. Die Manpage zu den generic-maps findet man im Konfigurationsverzeichnis von Postfix.
    # less /etc/postfix/generic
    /etc/postfix/generic
    # GENERIC(5)                                                          GENERIC(5)
    # 
    # NAME
    #        generic - Postfix generic table format
    # 
    # SYNOPSIS
    #        postmap /etc/postfix/generic
    # 
    #        postmap -q "string" /etc/postfix/generic
    # 
    #        postmap -q - /etc/postfix/generic <inputfile
    # 
    # DESCRIPTION
    #        The optional generic(5) table specifies an address mapping
    #        that applies when mail is delivered. This is the  opposite
    #        of  canonical(5)  mapping,  which  applies  when  mail  is
    #        received.
    # 
    #        Typically, one would use the generic(5) table on a  system
    #        that  does  not have a valid Internet domain name and that
    #        uses  something  like  localdomain.local   instead.    The
    #        generic(5)  table  is  then  used by the smtp(8) client to
    #        transform local mail addresses into  valid  Internet  mail
    #        addresses  when  mail  has to be sent across the Internet.
    #        See the EXAMPLE section at the end of this document.
    # 
    #        The  generic(5)  mapping  affects  both   message   header
    #        addresses (i.e. addresses that appear inside messages) and
    #        message envelope addresses  (for  example,  the  addresses
    #        that are used in SMTP protocol commands).
    # 
    #        Normally, the generic(5) table is specified as a text file
    #        that serves as  input  to  the  postmap(1)  command.   The
    #        result,  an  indexed file in dbm or db format, is used for
    #        fast searching by the mail  system.  Execute  the  command
    #        "postmap  /etc/postfix/generic" to rebuild an indexed file
    #        after changing the corresponding text file.
    # 
    #        When the table is provided via other means  such  as  NIS,
    #        LDAP  or  SQL,  the  same lookups are done as for ordinary
    #        indexed files.
    # 
    #        Alternatively, the table can be  provided  as  a  regular-
    #        expression map where patterns are given as regular expres-
    #        sions, or lookups can be directed to TCP-based server.  In
    #        those  case,  the lookups are done in a slightly different
    #        way as described below under "REGULAR  EXPRESSION  TABLES"
    #        or "TCP-BASED TABLES".
    # 
    # CASE FOLDING
    #        The  search  string is folded to lowercase before database
    #        lookup. As of Postfix 2.3, the search string is  not  case
    #        folded  with database types such as regexp: or pcre: whose
    #        lookup fields can match both upper and lower case.
    # 
    # TABLE FORMAT
    #        The input format for the postmap(1) command is as follows:
    # 
    #        pattern result
    #               When  pattern matches a mail address, replace it by
    #               the corresponding result.
    # 
    #        blank lines and comments
    #               Empty lines and whitespace-only lines are  ignored,
    #               as  are  lines whose first non-whitespace character
    #               is a `#'.
    # 
    #        multi-line text
    #               A logical line starts with non-whitespace  text.  A
    #               line  that starts with whitespace continues a logi-
    #               cal line.
    # 
    # TABLE SEARCH ORDER
    #        With lookups from indexed files such as DB or DBM, or from
    #        networked  tables  such  as NIS, LDAP or SQL, patterns are
    #        tried in the order as listed below:
    # 
    #        user@domain address
    #               Replace user@domain by address. This form  has  the
    #               highest precedence.
    # 
    #        user address
    #               Replace  user@site by address when site is equal to
    #               $myorigin, when site is listed  in  $mydestination,
    #               or   when  it  is  listed  in  $inet_interfaces  or
    #               $proxy_interfaces.
    # 
    #        @domain address
    #               Replace other addresses in domain by address.  This
    #               form has the lowest precedence.
    # 
    # RESULT ADDRESS REWRITING
    #        The lookup result is subject to address rewriting:
    # 
    #        o      When  the  result  has  the  form @otherdomain, the
    #               result becomes the same user in otherdomain.
    # 
    #        o      When "append_at_myorigin=yes", append  "@$myorigin"
    #               to addresses without "@domain".
    # 
    #        o      When "append_dot_mydomain=yes", append ".$mydomain"
    #               to addresses without ".domain".
    # 
    # ADDRESS EXTENSION
    #        When a mail address localpart contains the optional recip-
    #        ient  delimiter  (e.g., user+foo@domain), the lookup order
    #        becomes: user+foo@domain, user@domain, user+foo, user, and
    #        @domain.
    # 
    #        The   propagate_unmatched_extensions   parameter  controls
    #        whether an unmatched address extension  (+foo)  is  propa-
    #        gated to the result of table lookup.
    # 
    # REGULAR EXPRESSION TABLES
    #        This  section  describes how the table lookups change when
    #        the table is given in the form of regular expressions. For
    #        a  description  of regular expression lookup table syntax,
    #        see regexp_table(5) or pcre_table(5).
    # 
    #        Each pattern is a regular expression that  is  applied  to
    #        the entire address being looked up. Thus, user@domain mail
    #        addresses are not broken up into their  user  and  @domain
    #        constituent parts, nor is user+foo broken up into user and
    #        foo.
    # 
    #        Patterns are applied in the order as specified in the  ta-
    #        ble,  until  a  pattern  is  found that matches the search
    #        string.
    # 
    #        Results are the same as with indexed  file  lookups,  with
    #        the  additional feature that parenthesized substrings from
    #        the pattern can be interpolated as $1, $2 and so on.
    # 
    # TCP-BASED TABLES
    #        This section describes how the table lookups  change  when
    #        lookups are directed to a TCP-based server. For a descrip-
    #        tion of the TCP client/server lookup protocol, see tcp_ta-
    #        ble(5).  This feature is not available up to and including
    #        Postfix version 2.4.
    # 
    #        Each lookup operation uses the entire address once.  Thus,
    #        user@domain  mail  addresses  are not broken up into their
    #        user and @domain constituent parts, nor is user+foo broken
    #        up into user and foo.
    # 
    #        Results are the same as with indexed file lookups.
    # 
    # EXAMPLE
    #        The  following  shows  a  generic  mapping with an indexed
    #        file.  When mail is sent to a remote host via  SMTP,  this
    #        replaces  his@localdomain.local  by  his ISP mail address,
    #        replaces her@localdomain.local by her  ISP  mail  address,
    #        and  replaces  other  local  addresses by his ISP account,
    #        with an address extension of +local (this example  assumes
    #        that the ISP supports "+" style address extensions).
    # 
    #        /etc/postfix/main.cf:
    #            smtp_generic_maps = hash:/etc/postfix/generic
    # 
    #        /etc/postfix/generic:
    #            his@localdomain.local   hisaccount@hisisp.example
    #            her@localdomain.local   heraccount@herisp.example
    #            @localdomain.local      hisaccount+local@hisisp.example
    # 
    #        Execute  the  command "postmap /etc/postfix/generic" when-
    #        ever the table is changed.  Instead of hash, some  systems
    #        use  dbm database files. To find out what tables your sys-
    #        tem supports use the command "postconf -m".
    # 
    # BUGS
    #        The table format does not understand quoting  conventions.
    # 
    # CONFIGURATION PARAMETERS
    #        The  following main.cf parameters are especially relevant.
    #        The text below provides  only  a  parameter  summary.  See
    #        postconf(5) for more details including examples.
    # 
    #        smtp_generic_maps
    #               Address  mapping  lookup  table  for  envelope  and
    #               header sender and recipient addresses while  deliv-
    #               ering mail via SMTP.
    # 
    #        propagate_unmatched_extensions
    #               A  list  of  address rewriting or forwarding mecha-
    #               nisms that propagate an address extension from  the
    #               original  address  to  the result.  Specify zero or
    #               more  of  canonical,   virtual,   alias,   forward,
    #               include, or generic.
    # 
    #        Other parameters of interest:
    # 
    #        inet_interfaces
    #               The  network  interface  addresses that this system
    #               receives mail on.  You need to stop and start Post-
    #               fix when this parameter changes.
    # 
    #        proxy_interfaces
    #               Other interfaces that this machine receives mail on
    #               by way of a proxy agent or network address transla-
    #               tor.
    # 
    #        mydestination
    #               List  of  domains  that  this mail system considers
    #               local.
    # 
    #        myorigin
    #               The domain that is appended to locally-posted mail.
    # 
    #        owner_request_special
    #               Give special treatment to owner-xxx and xxx-request
    #               addresses.
    # 
    # SEE ALSO
    #        postmap(1), Postfix lookup table manager
    #        postconf(5), configuration parameters
    #        smtp(8), Postfix SMTP client
    # 
    # README FILES
    #        Use "postconf readme_directory" or  "postconf  html_direc-
    #        tory" to locate this information.
    #        ADDRESS_REWRITING_README, address rewriting guide
    #        DATABASE_README, Postfix lookup table overview
    #        STANDARD_CONFIGURATION_README, configuration examples
    # 
    # LICENSE
    #        The  Secure  Mailer  license must be distributed with this
    #        software.
    # 
    # HISTORY
    #        A genericstable feature appears in the Sendmail MTA.
    # 
    #        This feature is available in Postfix 2.2 and later.
    # 
    # AUTHOR(S)
    #        Wietse Venema
    #        IBM T.J. Watson Research
    #        P.O. Box 704
    #        Yorktown Heights, NY 10598, USA
    # 
    #                                                                     GENERIC(5)

    lmtp_generic_maps Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail. Das Umschreiben erfolgt beim Verlassen des Systems via LMTP.
    lmtp_generic_maps.db Datenbankfile zur lmtp_generic_maps-Datei.

     # vim /etc/postfix/lmtp_generic_maps
    /etc/postfix/lmtp_generic_maps
    # Kapitel 5.2.4 generic-Tabelle: Umschreiben bei ausgehenden eMails
    # Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/lmtp_generic_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # catch all
    @omni128.de             @nausch.org
    #
    # genau eine Adresse umschreiben
    swat@nausch.org        abuse@nausch.org

    smtp_generic_maps Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail. Das Umschreiben erfolgt beim Verlassen des Systems via SMTP.
    smtp_generic_maps.db Datenbankfile zur smtp_generic_maps-Datei.

     # vim /etc/postfix/smtp_generic_maps
    /etc/postfix/smtp_generic_maps
    # Kapitel 5.2.4 generic-Tabelle: Umschreiben bei ausgehenden eMails
    # Lookup-Tabelle zum Umschreibungen von Empfänger eMail-Adressen im SMTP-Envelop und im Header der eMail.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/smtp_generic_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # catch all
    @omni128.de             @nausch.org
    #
    # genau eine Adresse umschreiben
    swat@nausch.org        abuse@nausch.org
  • transport
    Lookup-Tabelle zum Aktivieren einer alternativen Mailrouting bei der Zustellung an einen weiteren Mailserver. Die Manpage zu den transport-maps findet man im Konfigurationsverzeichnis von Postfix.
    # less /etc/postfix/transport
    /etc/postfix/transport
    # TRANSPORT(5)                                                      TRANSPORT(5)
    # 
    # NAME
    #        transport - Postfix transport table format
    # 
    # SYNOPSIS
    #        postmap /etc/postfix/transport
    # 
    #        postmap -q "string" /etc/postfix/transport
    # 
    #        postmap -q - /etc/postfix/transport <inputfile
    # 
    # DESCRIPTION
    #        The  optional  transport(5) table specifies a mapping from
    #        email addresses to message delivery transports  and  next-
    #        hop  destinations.   Message  delivery  transports such as
    #        local or smtp are defined in the master.cf file, and next-
    #        hop  destinations are typically hosts or domain names. The
    #        table is searched by the trivial-rewrite(8) daemon.
    # 
    #        This  mapping  overrides  the  default   transport:nexthop
    #        selection that is built into Postfix:
    # 
    #        local_transport (default: local:$myhostname)
    #               This  is  the default for final delivery to domains
    #               listed with mydestination, and for [ipaddress] des-
    #               tinations    that    match    $inet_interfaces   or
    #               $proxy_interfaces. The default nexthop  destination
    #               is the MTA hostname.
    # 
    #        virtual_transport (default: virtual:)
    #               This  is  the default for final delivery to domains
    #               listed with  virtual_mailbox_domains.  The  default
    #               nexthop destination is the recipient domain.
    # 
    #        relay_transport (default: relay:)
    #               This  is the default for remote delivery to domains
    #               listed with relay_domains. In order  of  decreasing
    #               precedence,  the  nexthop destination is taken from
    #               relay_transport,   sender_dependent_relayhost_maps,
    #               relayhost, or from the recipient domain.
    # 
    #        default_transport (default: smtp:)
    #               This  is  the  default for remote delivery to other
    #               destinations.  In order of  decreasing  precedence,
    #               the    nexthop    destination    is    taken   from
    #               default_transport, sender_dependent_relayhost_maps,
    #               relayhost, or from the recipient domain.
    # 
    #        Normally,  the  transport(5)  table is specified as a text
    #        file that serves as input to the postmap(1) command.   The
    #        result,  an  indexed file in dbm or db format, is used for
    #        fast searching by the mail  system.  Execute  the  command
    #        "postmap  /etc/postfix/transport"  to  rebuild  an indexed
    #        file after changing the corresponding transport table.
    # 
    #        When the table is provided via other means  such  as  NIS,
    #        LDAP  or  SQL,  the  same lookups are done as for ordinary
    #        indexed files.
    # 
    #        Alternatively, the table can be  provided  as  a  regular-
    #        expression map where patterns are given as regular expres-
    #        sions, or lookups can be directed to TCP-based server.  In
    #        those  case,  the lookups are done in a slightly different
    #        way as described below under "REGULAR  EXPRESSION  TABLES"
    #        or "TCP-BASED TABLES".
    # 
    # CASE FOLDING
    #        The  search  string is folded to lowercase before database
    #        lookup. As of Postfix 2.3, the search string is  not  case
    #        folded  with database types such as regexp: or pcre: whose
    #        lookup fields can match both upper and lower case.
    # 
    # TABLE FORMAT
    #        The input format for the postmap(1) command is as follows:
    # 
    #        pattern result
    #               When  pattern  matches  the  recipient  address  or
    #               domain, use the corresponding result.
    # 
    #        blank lines and comments
    #               Empty lines and whitespace-only lines are  ignored,
    #               as  are  lines whose first non-whitespace character
    #               is a `#'.
    # 
    #        multi-line text
    #               A logical line starts with non-whitespace  text.  A
    #               line  that starts with whitespace continues a logi-
    #               cal line.
    # 
    #        The pattern specifies an email address, a domain name,  or
    #        a  domain  name  hierarchy, as described in section "TABLE
    #        LOOKUP".
    # 
    #        The result is of the form transport:nexthop and  specifies
    #        how or where to deliver mail. This is described in section
    #        "RESULT FORMAT".
    # 
    # TABLE SEARCH ORDER
    #        With lookups from indexed files such as DB or DBM, or from
    #        networked  tables  such  as NIS, LDAP or SQL, patterns are
    #        tried in the order as listed below:
    # 
    #        user+extension@domain transport:nexthop
    #               Deliver  mail  for  user+extension@domain   through
    #               transport to nexthop.
    # 
    #        user@domain transport:nexthop
    #               Deliver  mail  for user@domain through transport to
    #               nexthop.
    # 
    #        domain transport:nexthop
    #               Deliver mail for domain through transport  to  nex-
    #               thop.
    # 
    #        .domain transport:nexthop
    #               Deliver  mail  for  any subdomain of domain through
    #               transport to nexthop. This applies  only  when  the
    #               string  transport_maps  is  not  listed in the par-
    #               ent_domain_matches_subdomains  configuration   set-
    #               ting.   Otherwise, a domain name matches itself and
    #               its subdomains.
    # 
    #        * transport:nexthop
    #               The special pattern * represents any address  (i.e.
    #               it  functions  as  the  wild-card  pattern,  and is
    #               unique to Postfix transport tables).
    # 
    #        Note 1:  the  null  recipient  address  is  looked  up  as
    #        $empty_address_recipient@$myhostname (default: mailer-dae-
    #        mon@hostname).
    # 
    #        Note 2: user@domain  or  user+extension@domain  lookup  is
    #        available in Postfix 2.0 and later.
    # 
    # RESULT FORMAT
    #        The  lookup  result is of the form transport:nexthop.  The
    #        transport field specifies a mail delivery  transport  such
    #        as  smtp  or  local. The nexthop field specifies where and
    #        how to deliver mail.
    # 
    #        The transport field specifies the name of a mail  delivery
    #        transport (the first name of a mail delivery service entry
    #        in the Postfix master.cf file).
    # 
    #        The interpretation  of  the  nexthop  field  is  transport
    #        dependent.  In  the  case  of SMTP, specify a service on a
    #        non-default port as host:service,  and  disable  MX  (mail
    #        exchanger)  DNS lookups with [host] or [host]:port. The []
    #        form is required when you specify an IP address instead of
    #        a hostname.
    # 
    #        A  null  transport  and  null nexthop result means "do not
    #        change": use the delivery transport and  nexthop  informa-
    #        tion  that  would  be used when the entire transport table
    #        did not exist.
    # 
    #        A non-null transport  field  with  a  null  nexthop  field
    #        resets the nexthop information to the recipient domain.
    # 
    #        A  null  transport  field with non-null nexthop field does
    #        not modify the transport information.
    # 
    # EXAMPLES
    #        In order to deliver internal mail directly, while using  a
    #        mail  relay  for  all other mail, specify a null entry for
    #        internal destinations (do not change the  delivery  trans-
    #        port  or  the  nexthop information) and specify a wildcard
    #        for all other destinations.
    # 
    #             my.domain    :
    #             .my.domain   :
    #             *            smtp:outbound-relay.my.domain
    # 
    #        In order to send mail for example.com and  its  subdomains
    #        via the uucp transport to the UUCP host named example:
    # 
    #             example.com      uucp:example
    #             .example.com     uucp:example
    # 
    #        When  no  nexthop  host name is specified, the destination
    #        domain name is used instead. For  example,  the  following
    #        directs  mail  for user@example.com via the slow transport
    #        to a mail exchanger for example.com.  The  slow  transport
    #        could be configured to run at most one delivery process at
    #        a time:
    # 
    #             example.com      slow:
    # 
    #        When no transport is specified, Postfix uses the transport
    #        that  matches  the  address  domain class (see DESCRIPTION
    #        above).  The following sends all mail for example.com  and
    #        its subdomains to host gateway.example.com:
    # 
    #             example.com      :[gateway.example.com]
    #             .example.com     :[gateway.example.com]
    # 
    #        In  the  above  example, the [] suppress MX lookups.  This
    #        prevents mail routing loops when your machine  is  primary
    #        MX host for example.com.
    # 
    #        In  the  case  of delivery via SMTP, one may specify host-
    #        name:service instead of just a host:
    # 
    #             example.com      smtp:bar.example:2025
    # 
    #        This directs mail for user@example.com to host bar.example
    #        port 2025. Instead of a numerical port a symbolic name may
    #        be used. Specify [] around the hostname if MX lookups must
    #        be disabled.
    # 
    #        The error mailer can be used to bounce mail:
    # 
    #             .example.com     error:mail for *.example.com is not deliverable
    # 
    #        This  causes  all mail for user@anything.example.com to be
    #        bounced.
    # 
    # REGULAR EXPRESSION TABLES
    #        This section describes how the table lookups  change  when
    #        the table is given in the form of regular expressions. For
    #        a description of regular expression lookup  table  syntax,
    #        see regexp_table(5) or pcre_table(5).
    # 
    #        Each  pattern  is  a regular expression that is applied to
    #        the   entire    address    being    looked    up.    Thus,
    #        some.domain.hierarchy  is  not  looked  up  via its parent
    #        domains, nor is user+foo@domain looked up as  user@domain.
    # 
    #        Patterns  are applied in the order as specified in the ta-
    #        ble, until a pattern is  found  that  matches  the  search
    #        string.
    # 
    #        The trivial-rewrite(8) server disallows regular expression
    #        substitution of  $1  etc.  in  regular  expression  lookup
    #        tables,  because  that could open a security hole (Postfix
    #        version 2.3 and later).
    # 
    # TCP-BASED TABLES
    #        This section describes how the table lookups  change  when
    #        lookups are directed to a TCP-based server. For a descrip-
    #        tion of the TCP client/server lookup protocol, see tcp_ta-
    #        ble(5).  This feature is not available up to and including
    #        Postfix version 2.4.
    # 
    #        Each lookup operation uses the  entire  recipient  address
    #        once.   Thus,  some.domain.hierarchy  is not looked up via
    #        its parent domains, nor is user+foo@domain  looked  up  as
    #        user@domain.
    # 
    #        Results are the same as with indexed file lookups.
    # 
    # CONFIGURATION PARAMETERS
    #        The  following main.cf parameters are especially relevant.
    #        The text below provides  only  a  parameter  summary.  See
    #        postconf(5) for more details including examples.
    # 
    #        empty_address_recipient
    #               The  address  that is looked up instead of the null
    #               sender address.
    # 
    #        parent_domain_matches_subdomains
    #               List of Postfix features that use  domain.tld  pat-
    #               terns   to  match  sub.domain.tld  (as  opposed  to
    #               requiring .domain.tld patterns).
    # 
    #        transport_maps
    #               List of transport lookup tables.
    # 
    # SEE ALSO
    #        trivial-rewrite(8), rewrite and resolve addresses
    #        master(5), master.cf file format
    #        postconf(5), configuration parameters
    #        postmap(1), Postfix lookup table manager
    # 
    # README FILES
    #        Use "postconf readme_directory" or  "postconf  html_direc-
    #        tory" to locate this information.
    #        ADDRESS_REWRITING_README, address rewriting guide
    #        DATABASE_README, Postfix lookup table overview
    #        FILTER_README, external content filter
    # 
    # LICENSE
    #        The  Secure  Mailer  license must be distributed with this
    #        software.
    # 
    # AUTHOR(S)
    #        Wietse Venema
    #        IBM T.J. Watson Research
    #        P.O. Box 704
    #        Yorktown Heights, NY 10598, USA
    # 
    #                                                                   TRANSPORT(5)

    transport_maps Lookup-Tabelle zum Aktivieren einer alternativen Mailrouting bei der Zustellung an einen weiteren Mailserver.
    transport_maps.db Datenbankfile zur transport_maps-Datei.

     # vim /etc/postfix/transport_maps
    /etc/postfix/transport_maps
    # Kapitel 5.2.5 transport-Tabelle: Abweichende Zustellung
    # Lookup-Tabelle zum Aktivieren einer alternativen Mailrouting bei der Zustellung an einen weiteren Mailserver
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/transport_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # Alle eMails, die an Subdomains von nausch.org gerichtet sind ("." am Anfang der Zeile!)
    # werden an den/die Mailserver von intra.nausch.org (MX-Records) weitergeleitet. (keine "["-Klammern!)
    .nausch.org                             smtp:intra.nausch.org
     
    # Mails an backup.nausch.org werden an den Mailserver auf Port 25 mit Namen mail.intra.nausch.org geschickt.
    backup.nausch.org                       smtp:[mail.intra.nausch.org]:25
  • relocated
    Lookup-Tabelle zum Aktivieren von „Bounce-Nachrichten“ an den Absender einer eMail über nicht existierende eMailadressen mit Angabe der neu zu nutzenden eMailadresse des Empfängers. Die Manpage zu den relocated-maps findet man im Konfigurationsverzeichnis von Postfix.
    # less /etc/postfix/relocated
    /etc/postfix/relocated
    # RELOCATED(5)                                                      RELOCATED(5)
    # 
    # NAME
    #        relocated - Postfix relocated table format
    # 
    # SYNOPSIS
    #        postmap /etc/postfix/relocated
    # 
    # DESCRIPTION
    #        The  optional  relocated(5) table provides the information
    #        that is used in "user has moved  to  new_location"  bounce
    #        messages.
    # 
    #        Normally,  the  relocated(5)  table is specified as a text
    #        file that serves as input to the postmap(1) command.   The
    #        result,  an  indexed file in dbm or db format, is used for
    #        fast searching by the mail  system.  Execute  the  command
    #        "postmap  /etc/postfix/relocated"  to  rebuild  an indexed
    #        file after changing the corresponding relocated table.
    # 
    #        When the table is provided via other means  such  as  NIS,
    #        LDAP  or  SQL,  the  same lookups are done as for ordinary
    #        indexed files.
    # 
    #        Alternatively, the table can be  provided  as  a  regular-
    #        expression map where patterns are given as regular expres-
    #        sions, or lookups can be directed to TCP-based server.  In
    #        those  case,  the lookups are done in a slightly different
    #        way as described below under "REGULAR  EXPRESSION  TABLES"
    #        or "TCP-BASED TABLES".
    # 
    #        Table lookups are case insensitive.
    # 
    # CASE FOLDING
    #        The  search  string is folded to lowercase before database
    #        lookup. As of Postfix 2.3, the search string is  not  case
    #        folded  with database types such as regexp: or pcre: whose
    #        lookup fields can match both upper and lower case.
    # 
    # TABLE FORMAT
    #        The input format for the postmap(1) command is as follows:
    # 
    #        o      An entry has one of the following form:
    # 
    #                    pattern      new_location
    # 
    #               Where  new_location  specifies  contact information
    #               such as an  email  address,  or  perhaps  a  street
    #               address or telephone number.
    # 
    #        o      Empty  lines and whitespace-only lines are ignored,
    #               as are lines whose first  non-whitespace  character
    #               is a `#'.
    # 
    #        o      A  logical  line starts with non-whitespace text. A
    #               line that starts with whitespace continues a  logi-
    #               cal line.
    # 
    # TABLE SEARCH ORDER
    #        With lookups from indexed files such as DB or DBM, or from
    #        networked tables such as NIS, LDAP or  SQL,  patterns  are
    #        tried in the order as listed below:
    # 
    #        user@domain
    #               Matches  user@domain. This form has precedence over
    #               all other forms.
    # 
    #        user   Matches user@site when site is $myorigin, when site
    #               is listed in $mydestination, or when site is listed
    #               in $inet_interfaces or $proxy_interfaces.
    # 
    #        @domain
    #               Matches other addresses in domain.  This  form  has
    #               the lowest precedence.
    # 
    # ADDRESS EXTENSION
    #        When a mail address localpart contains the optional recip-
    #        ient delimiter (e.g., user+foo@domain), the  lookup  order
    #        becomes: user+foo@domain, user@domain, user+foo, user, and
    #        @domain.
    # 
    # REGULAR EXPRESSION TABLES
    #        This section describes how the table lookups  change  when
    #        the  table  is given in the form of regular expressions or
    #        when lookups are directed to a  TCP-based  server.  For  a
    #        description of regular expression lookup table syntax, see
    #        regexp_table(5) or pcre_table(5). For a description of the
    #        TCP client/server table lookup protocol, see tcp_table(5).
    #        This feature is not available up to and including  Postfix
    #        version 2.4.
    # 
    #        Each  pattern  is  a regular expression that is applied to
    #        the entire address being looked up. Thus, user@domain mail
    #        addresses  are  not  broken up into their user and @domain
    #        constituent parts, nor is user+foo broken up into user and
    #        foo.
    # 
    #        Patterns  are applied in the order as specified in the ta-
    #        ble, until a pattern is  found  that  matches  the  search
    #        string.
    # 
    #        Results  are  the  same as with indexed file lookups, with
    #        the additional feature that parenthesized substrings  from
    #        the pattern can be interpolated as $1, $2 and so on.
    # 
    # TCP-BASED TABLES
    #        This  section  describes how the table lookups change when
    #        lookups are directed to a TCP-based server. For a descrip-
    #        tion of the TCP client/server lookup protocol, see tcp_ta-
    #        ble(5).  This feature is not available up to and including
    #        Postfix version 2.4.
    # 
    #        Each lookup operation uses the entire address once.  Thus,
    #        user@domain mail addresses are not broken  up  into  their
    #        user and @domain constituent parts, nor is user+foo broken
    #        up into user and foo.
    # 
    #        Results are the same as with indexed file lookups.
    # 
    # BUGS
    #        The table format does not understand quoting  conventions.
    # 
    # CONFIGURATION PARAMETERS
    #        The  following main.cf parameters are especially relevant.
    #        The text below provides  only  a  parameter  summary.  See
    #        postconf(5) for more details including examples.
    # 
    #        relocated_maps
    #               List of lookup tables for relocated users or sites.
    # 
    #        Other parameters of interest:
    # 
    #        inet_interfaces
    #               The network interface addresses  that  this  system
    #               receives mail on.  You need to stop and start Post-
    #               fix when this parameter changes.
    # 
    #        mydestination
    #               List of domains that  this  mail  system  considers
    #               local.
    # 
    #        myorigin
    #               The domain that is appended to locally-posted mail.
    # 
    #        proxy_interfaces
    #               Other interfaces that this machine receives mail on
    #               by way of a proxy agent or network address transla-
    #               tor.
    # 
    # SEE ALSO
    #        trivial-rewrite(8), address resolver
    #        postmap(1), Postfix lookup table manager
    #        postconf(5), configuration parameters
    # 
    # README FILES
    #        Use "postconf readme_directory" or  "postconf  html_direc-
    #        tory" to locate this information.
    #        DATABASE_README, Postfix lookup table overview
    #        ADDRESS_REWRITING_README, address rewriting guide
    # 
    # LICENSE
    #        The  Secure  Mailer  license must be distributed with this
    #        software.
    # 
    # AUTHOR(S)
    #        Wietse Venema
    #        IBM T.J. Watson Research
    #        P.O. Box 704
    #        Yorktown Heights, NY 10598, USA
    # 
    #                                                                   RELOCATED(5)

    relocated_maps Lookup-Tabelle zum Aktivieren von „Bounce-Nachrichten“ an den Absender einer eMail über nicht existierende eMailadressen mit Angabe der neu zu nutzenden eMailadresse des Empfängers.
    relocated_maps.db Datenbankfile zur relocated_maps-Datei.

     # vim /etc/postfix/relocated_maps
    /etc/postfix/relocated_maps
    # Kapitel 5.2.6 relocated-Tabelle: Empfängrt verzogen
    # Lookup-Tabelle zum Aktivieren von "Bounce-Nachrichten" an den Absender einer eMail über nicht 
    # existierende eMailadressen mit Angabe der neu zu nutzenden eMailadresse des Empfängers.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/relocated_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    michael.nausch@omni128.de       django@nausch.org
  • virtual
    Lookup-Tabelle zum Verwalten der virtuellen Domains und virtuellen eMail-Adressen. Die Manpage zu den virtual-maps findet man im Konfigurationsverzeichnis von Postfix.
    # less /etc/postfix/virtual
    /etc/postfix/virtual
    # VIRTUAL(5)                                                          VIRTUAL(5)
    # 
    # NAME
    #        virtual - Postfix virtual alias table format
    # 
    # SYNOPSIS
    #        postmap /etc/postfix/virtual
    # 
    #        postmap -q "string" /etc/postfix/virtual
    # 
    #        postmap -q - /etc/postfix/virtual <inputfile
    # 
    # DESCRIPTION
    #        The  optional  virtual(5)  alias  table rewrites recipient
    #        addresses for all local, all virtual, and all remote  mail
    #        destinations.   This  is unlike the aliases(5) table which
    #        is used only for local(8) delivery.  Virtual  aliasing  is
    #        recursive,  and  is  implemented by the Postfix cleanup(8)
    #        daemon before mail is queued.
    # 
    #        The main applications of virtual aliasing are:
    # 
    #        o      To redirect mail for one address  to  one  or  more
    #               addresses.
    # 
    #        o      To   implement  virtual  alias  domains  where  all
    #               addresses  are  aliased  to  addresses   in   other
    #               domains.
    # 
    #               Virtual  alias  domains are not to be confused with
    #               the virtual mailbox domains  that  are  implemented
    #               with  the  Postfix  virtual(8) mail delivery agent.
    #               With  virtual  mailbox  domains,   each   recipient
    #               address can have its own mailbox.
    # 
    #        Virtual  aliasing  is  applied  only to recipient envelope
    #        addresses, and  does  not  affect  message  headers.   Use
    #        canonical(5)   mapping  to  rewrite  header  and  envelope
    #        addresses in general.
    # 
    #        Normally, the virtual(5) alias table  is  specified  as  a
    #        text  file that serves as input to the postmap(1) command.
    #        The result, an indexed file in dbm or db format,  is  used
    #        for fast searching by the mail system. Execute the command
    #        "postmap /etc/postfix/virtual" to rebuild an indexed  file
    #        after changing the corresponding text file.
    # 
    #        When  the  table  is provided via other means such as NIS,
    #        LDAP or SQL, the same lookups are  done  as  for  ordinary
    #        indexed files.
    # 
    #        Alternatively,  the  table  can  be provided as a regular-
    #        expression map where patterns are given as regular expres-
    #        sions,  or lookups can be directed to TCP-based server. In
    #        those case, the lookups are done in a  slightly  different
    #        way  as  described below under "REGULAR EXPRESSION TABLES"
    #        or "TCP-BASED TABLES".
    # 
    # CASE FOLDING
    #        The search string is folded to lowercase  before  database
    #        lookup.  As  of Postfix 2.3, the search string is not case
    #        folded with database types such as regexp: or pcre:  whose
    #        lookup fields can match both upper and lower case.
    # 
    # TABLE FORMAT
    #        The input format for the postmap(1) command is as follows:
    # 
    #        pattern result
    #               When pattern matches a mail address, replace it  by
    #               the corresponding result.
    # 
    #        blank lines and comments
    #               Empty  lines and whitespace-only lines are ignored,
    #               as are lines whose first  non-whitespace  character
    #               is a `#'.
    # 
    #        multi-line text
    #               A  logical  line starts with non-whitespace text. A
    #               line that starts with whitespace continues a  logi-
    #               cal line.
    # 
    # TABLE SEARCH ORDER
    #        With lookups from indexed files such as DB or DBM, or from
    #        networked tables such as NIS, LDAP or  SQL,  patterns  are
    #        tried in the order as listed below:
    # 
    #        user@domain address, address, ...
    #               Redirect  mail  for  user@domain  to address.  This
    #               form has the highest precedence.
    # 
    #        user address, address, ...
    #               Redirect mail for user@site to address when site is
    #               equal  to $myorigin, when site is listed in $mydes-
    #               tination, or when it is listed in  $inet_interfaces
    #               or $proxy_interfaces.
    # 
    #               This  functionality  overlaps with functionality of
    #               the local aliases(5) database.  The  difference  is
    #               that virtual(5) mapping can be applied to non-local
    #               addresses.
    # 
    #        @domain address, address, ...
    #               Redirect mail for other users in domain to address.
    #               This form has the lowest precedence.
    # 
    #               Note:  @domain  is a wild-card. With this form, the
    #               Postfix SMTP server accepts mail for any  recipient
    #               in  domain,  regardless  of  whether that recipient
    #               exists.  This may turn  your  mail  system  into  a
    #               backscatter  source: Postfix first accepts mail for
    #               non-existent recipients and then  tries  to  return
    #               that  mail  as  "undeliverable" to the often forged
    #               sender address.
    # 
    # RESULT ADDRESS REWRITING
    #        The lookup result is subject to address rewriting:
    # 
    #        o      When the result  has  the  form  @otherdomain,  the
    #               result  becomes the same user in otherdomain.  This
    #               works only for the first address in a multi-address
    #               lookup result.
    # 
    #        o      When  "append_at_myorigin=yes", append "@$myorigin"
    #               to addresses without "@domain".
    # 
    #        o      When "append_dot_mydomain=yes", append ".$mydomain"
    #               to addresses without ".domain".
    # 
    # ADDRESS EXTENSION
    #        When a mail address localpart contains the optional recip-
    #        ient delimiter (e.g., user+foo@domain), the  lookup  order
    #        becomes: user+foo@domain, user@domain, user+foo, user, and
    #        @domain.
    # 
    #        The  propagate_unmatched_extensions   parameter   controls
    #        whether  an  unmatched  address extension (+foo) is propa-
    #        gated to the result of table lookup.
    # 
    # VIRTUAL ALIAS DOMAINS
    #        Besides virtual aliases, the virtual alias table can  also
    #        be used to implement virtual alias domains. With a virtual
    #        alias domain,  all  recipient  addresses  are  aliased  to
    #        addresses in other domains.
    # 
    #        Virtual alias domains are not to be confused with the vir-
    #        tual mailbox domains that are implemented with the Postfix
    #        virtual(8)  mail  delivery  agent.  With  virtual  mailbox
    #        domains, each recipient address can have its own  mailbox.
    # 
    #        With  a  virtual  alias domain, the virtual domain has its
    #        own user name space. Local  (i.e.  non-virtual)  usernames
    #        are  not visible in a virtual alias domain. In particular,
    #        local aliases(5) and local mailing lists are  not  visible
    #        as localname@virtual-alias.domain.
    # 
    #        Support for a virtual alias domain looks like:
    # 
    #        /etc/postfix/main.cf:
    #            virtual_alias_maps = hash:/etc/postfix/virtual
    # 
    #        Note: some systems use dbm databases instead of hash.  See
    #        the output  from  "postconf  -m"  for  available  database
    #        types.
    # 
    #        /etc/postfix/virtual:
    #            virtual-alias.domain     anything (right-hand content does not matter)
    #            postmaster@virtual-alias.domain  postmaster
    #            user1@virtual-alias.domain       address1
    #            user2@virtual-alias.domain       address2, address3
    # 
    #        The  virtual-alias.domain anything entry is required for a
    #        virtual alias domain. Without this entry, mail is rejected
    #        with  "relay  access  denied", or bounces with "mail loops
    #        back to myself".
    # 
    #        Do not specify virtual alias domain names in  the  main.cf
    #        mydestination or relay_domains configuration parameters.
    # 
    #        With  a  virtual  alias  domain,  the  Postfix SMTP server
    #        accepts  mail  for  known-user@virtual-alias.domain,   and
    #        rejects   mail  for  unknown-user@virtual-alias.domain  as
    #        undeliverable.
    # 
    #        Instead of specifying the virtual alias  domain  name  via
    #        the  virtual_alias_maps table, you may also specify it via
    #        the main.cf virtual_alias_domains configuration parameter.
    #        This  latter parameter uses the same syntax as the main.cf
    #        mydestination configuration parameter.
    # 
    # REGULAR EXPRESSION TABLES
    #        This section describes how the table lookups  change  when
    #        the table is given in the form of regular expressions. For
    #        a description of regular expression lookup  table  syntax,
    #        see regexp_table(5) or pcre_table(5).
    # 
    #        Each  pattern  is  a regular expression that is applied to
    #        the entire address being looked up. Thus, user@domain mail
    #        addresses  are  not  broken up into their user and @domain
    #        constituent parts, nor is user+foo broken up into user and
    #        foo.
    # 
    #        Patterns  are applied in the order as specified in the ta-
    #        ble, until a pattern is  found  that  matches  the  search
    #        string.
    # 
    #        Results  are  the  same as with indexed file lookups, with
    #        the additional feature that parenthesized substrings  from
    #        the pattern can be interpolated as $1, $2 and so on.
    # 
    # TCP-BASED TABLES
    #        This  section  describes how the table lookups change when
    #        lookups are directed to a TCP-based server. For a descrip-
    #        tion of the TCP client/server lookup protocol, see tcp_ta-
    #        ble(5).  This feature is not available up to and including
    #        Postfix version 2.4.
    # 
    #        Each lookup operation uses the entire address once.  Thus,
    #        user@domain mail addresses are not broken  up  into  their
    #        user and @domain constituent parts, nor is user+foo broken
    #        up into user and foo.
    # 
    #        Results are the same as with indexed file lookups.
    # 
    # BUGS
    #        The table format does not understand quoting  conventions.
    # 
    # CONFIGURATION PARAMETERS
    #        The  following  main.cf parameters are especially relevant
    #        to this topic. See the Postfix  main.cf  file  for  syntax
    #        details  and  for default values. Use the "postfix reload"
    #        command after a configuration change.
    # 
    #        virtual_alias_maps
    #               List of virtual aliasing tables.
    # 
    #        virtual_alias_domains
    #               List of virtual alias domains. This uses  the  same
    #               syntax as the mydestination parameter.
    # 
    #        propagate_unmatched_extensions
    #               A  list  of  address rewriting or forwarding mecha-
    #               nisms that propagate an address extension from  the
    #               original  address  to  the result.  Specify zero or
    #               more  of  canonical,   virtual,   alias,   forward,
    #               include, or generic.
    # 
    #        Other parameters of interest:
    # 
    #        inet_interfaces
    #               The  network  interface  addresses that this system
    #               receives mail on.  You need to stop and start Post-
    #               fix when this parameter changes.
    # 
    #        mydestination
    #               List  of  domains  that  this mail system considers
    #               local.
    # 
    #        myorigin
    #               The domain that is appended  to  any  address  that
    #               does not have a domain.
    # 
    #        owner_request_special
    #               Give special treatment to owner-xxx and xxx-request
    #               addresses.
    # 
    #        proxy_interfaces
    #               Other interfaces that this machine receives mail on
    #               by way of a proxy agent or network address transla-
    #               tor.
    # 
    # SEE ALSO
    #        cleanup(8), canonicalize and enqueue mail
    #        postmap(1), Postfix lookup table manager
    #        postconf(5), configuration parameters
    #        canonical(5), canonical address mapping
    # 
    # README FILES
    #        Use "postconf readme_directory" or  "postconf  html_direc-
    #        tory" to locate this information.
    #        ADDRESS_REWRITING_README, address rewriting guide
    #        DATABASE_README, Postfix lookup table overview
    #        VIRTUAL_README, domain hosting guide
    # 
    # LICENSE
    #        The  Secure  Mailer  license must be distributed with this
    #        software.
    # 
    # AUTHOR(S)
    #        Wietse Venema
    #        IBM T.J. Watson Research
    #        P.O. Box 704
    #        Yorktown Heights, NY 10598, USA
    # 
    #                                                                     VIRTUAL(5)

    virtual_alias_domains Lookup-Tabelle zum Verwalten der virtuellen Domains.
    virtual_alias_domains.db Datenbankfile zur virtual_alias_domains-Datei.

     # vim /etc/postfix/virtual_alias_domains
    /etc/postfix/virtual_alias_domains
    # Kapitel 5.2.2 virtual: Weiterleitung und virtuelle Mailadressen
    # Lookup-Tabelle zum Verwalten der virtuellen Domains.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/virtual_alias_domains
    # die zugehörige Datenbank erzeugt werden.
    #
    nausch.org                      meine_Hauptdomäne
    wetter.nausch.org               blaablubb
    omni128.de                      meine_erste_Domain
    wetterstation-pliening.info     erste_Info_Domain
    ebersberger-liedersammlung.de   Piraten

    virtual_alias_maps Lookup-Tabelle zum Verwalten der virtuellen eMail-Adressen.
    virtual_alias_maps.db Datenbankfile zur virtual_alias_maps-Datei.

     # vim /etc/postfix/virtual_alias_maps
    /etc/postfix/virtual_alias_maps
    # Kapitel 5.2.2 virtual: Weiterleitung und virtuelle Mailadressen
    # Lookup-Tabelle zum Verwalten der virtuellen eMailadressen.
    # Nach dem Ändern und/oder Erweitern der Tabelle, muß noch mittels  $ postmap /etc/postfix/virtual_alias_maps
    # die zugehörige Datenbank erzeugt werden.
    #
    # catch all - Sämtliche eMailadressen werden 1:1 umgeschrieben. Aus webmaster@wetter.nausch.org wird webmaster@nausch.org.
    @wetter.nausch.org                      @nausch.org
     
    # eine einzelne Adresse gezielt umschreiben. Alle Nachrichten die an admin@wetterstation-pliening.info 
    # addressiert sind, gehen an michael@nausch.org.
    admin@wetterstation-pliening.info       michael@nausch.org

Da wir ja nicht nur englischsprachige Nutzer haben, die bei unserem MX Post abliefern dürfen, möchten wir unter Umständen auch individuelle Bouncemessages verwenden.

Download

Hierzu laden wir uns erst einmal mustergültiges Nachrichtentemplate von den beiden Spezialisten Patrick Koetter und Ralf Hildebrandt aus dem Web herunter.

 # cd /etc/postfix
 # wget http://postfix.state-of-mind.de/bounce-templates/bounce.de-DE.cf

Konfiguration

Anschließend erweitern wir unsere Postfixkonfiguration entsprechend.

 # vim /etc/postfix/main.cf
 # Django : 2012-02-06
# Benutzerdefinierte Bounce Messages mit deutsch- und englischsprachigen Texten aktiviert
bounce_template_file = /etc/postfix/bounce.de-DE.cf

Zum Aktivieren starten wir unseren Postfix einmal durch.

 # service postfix restart

Test

Zum Schluß überprüfen wir noch, ob die Variablen in dem Templatefile zu unseren Postfixvariablendefinitionen passen.

 postconf -b /etc/postfix/bounce.de-DE.cf
expanded_failure_text = <<EOF
Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
Dieser Dienst wird auf dem Server vml000080.dmz.nausch.org betrieben und teilt Ihnen
folgendes mit:


    Ihre Nachricht konnte an einen oder mehrere Empfaenger nicht zugestellt
    werden. Ein Problem-Bericht, sowie Ihre uspruengliche Nachricht wurden an
    das Ende dieser Nachricht angehaengt.


Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen
<postmaster>.

Senden Sie dazu den an diese E-Mail angefuegten Problem-Bericht mit.
Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie - zum Schutz Ihrer
Privatsphaere - entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend
notwendig.

                   Der Postfix E-Mail-Dienst

                        INTERNATIONAL VERSION

This is the Postfix program at host vml000080.dmz.nausch.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

EOF

expanded_delay_text = <<EOF
Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
Dieser Dienst wird auf dem Server vml000080.dmz.nausch.org betrieben und teilt Ihnen
folgendes mit:


    Eine von Ihnen gesendete Nachricht konnte seit 0
    Stunden nicht zugestellt werden.
    
    Sie muessen die Nachricht nicht noch einmal senden. Der Postfix
    E-Mail-Dienst wird so lange versuchen Ihre Nachricht zuzustellen,
    bis sie 5 Tage alt ist.

    Sollte eine Zustellung bis in 5 Tagen nicht
    gelingen, wird der Postfix E-Mail-Dienst die Zustellung abbrechen und
    Sie davon in Kenntnis setzen.


Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen
<postmaster>.

Senden Sie dazu den, in dieser E-Mail angefuegten, Problem-Bericht mit.
Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie, zum Schutz Ihrer
Privatsphaere, entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend
notwendig.

                   Der Postfix E-Mail-Dienst


                        INTERNATIONAL VERSION

This is the Postfix program at host vml000080.dmz.nausch.org.

####################################################################
# THIS IS A WARNING ONLY.  YOU DO NOT NEED TO RESEND YOUR MESSAGE. #
####################################################################

Your message could not be delivered for 0 hour(s).
It will be retried until it is 5 day(s) old.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The Postfix program
EOF

expanded_success_text = <<EOF
Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
Dieser Dienst wird auf dem Server vml000080.dmz.nausch.org betrieben und teilt Ihnen
folgendes mit:


    Ihre Nachricht wurde erfolgreich an die E-Mail-Server der am Ende dieser
    E-Mail aufgelisteten Empfaenger ausgeliefert.

    Falls Sie eine Zustellbericht angefordet haben und der empfangende
    E-Mail-Server diese Funktionalitaet unterstuetzt erhalten Sie
    auch von diesem E-Mail-Server eine entsprechende Benachrichtigung.


                   Der Postfix E-Mail-Dienst


                        INTERNATIONAL VERSION

This is the Postfix program at host vml000080.dmz.nausch.org.

Your message was successfully delivered to the destination(s)
listed below. If the message was delivered to mailbox you will
receive no further notifications. Otherwise you may still receive
notifications of mail delivery errors from other systems.

                   The Postfix program
EOF

expanded_verify_text = <<EOF
Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
Dieser Dienst wird auf dem Server vml000080.dmz.nausch.org betrieben und teilt Ihnen
folgendes mit:


    Sie haben einen Empfaenger-Adressen-Bericht angefordert. Der Bericht wurde
    an diese Nachricht angehaengt.


                   Der Postfix E-Mail-Dienst


                        INTERNATIONAL VERSION

This is the Postfix program at host vml000080.dmz.nausch.org.

Enclosed is the mail delivery report that you requested.

                   The Postfix program
EOF

DSN5) zu verbergen, kann ein wünschenswerter Zustand sein. Was geht schon einem externen der interne Aufbau unserer eMail-Infrastruktur an.

Wir erlauben also beim abgehenden Verkehr die Möglichkeit für unsere eigenen User, nach außen schotten wir uns jedoch ab. Dazu tragen wir in unserer /etc/postfix/main.cf folgende Zeile nach.

  # vim /etc/postfix/main.cf
# DSN selectiv aktivieren, bzw. sperren                 (Kapitel 13.11.2 DSN verbieten)
# Eingetragen am 21.11.2008
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access

Die zugehörige cidr-Tabelle mit den Netzdefinitionen legen wir anschließend auch noch an.

 # vim /etc/postfix/esmtp_access
/etc/postfix/esmtp_access
# DSN selectiv aktivieren, bzw. sperren                 (Kapitel 13.11.2 DSN verbieten)
# DSN requests werden nur aus dem eignen Netz erlaubt
10.100.10.0/24 silent-discard
10.10.100.0/24 silent-discard
0.0.0.0/0       silent-discard, dsn

Abschließend starten wir den MX einmal durch.

 # service postfix restart

Bei Änderungen an der Datei ist lediglich ein service postfix reload notwendig.

Damit wir später die einfache Möglichkeiten haben, basierend auf bestimmte Inhalte im Mailheader bzw. Mailbody, Nachrichten zu bewerten oder gar zu manipulieren, werden wir nun noch unsere Postfix-Hauptkonfigurationsdatei main.cf erweitern.

 # vim /etc/postfix/main.cf 
# Django : 2012-02-06
# Lookup-Tabelle zum Verwalten der Routinen zur inhaltliche Prüfung der eMail-Header
header_checks = pcre:/etc/postfix/header_check_maps
#
# Lookup-Tabelle zum Verwalten der Routinen zur inhaltliche Prüfung der eMail-Bodies
body_checks = pcre:/etc/postfix/body_check_maps

Voraussetzung hierzu (Perl Compatible Regular Expressions) ist natürlich die Unterstützung des installierten Postfix. Mit folgender Abfrage können wir überprüfen, ob pcre unterstützt wird.

 # postconf -m | grep pcre
 pcre

Die pcre-Unterstützung beim Postfix unter CentOS 6.x ist also bereits vorhanden!

Trifft das gewählte Suchmuster bei unseren PRCE zu, so haben wir unter anderem folgene Möglichkeiten:

  • REJECT Nachricht mit einem fatalen Fehler 5xx ablehnen
  • REJECT MSG Nachricht mit dem Text MSG ablehnen
  • DISCARD Die Nachricht wird verworfen und zwar an alle Empfänger, sobald einer der Empfänger via DISCARD abgelehnt wird. Dem Einliefernden client wir eine erfolgreiche Zustellung mittels 250 OK vorgegaukelt.

Im Konfigurationsverzeichnis von Postfix finden wir für weitere Beschreibungen die Manpage für den Einsatz und die Verwendung der body- und header-checks.

 # vim /etc/postfix/header_checks
/etc/postfix/header_checks
# HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
# 
# NAME
#        header_checks - Postfix built-in content inspection
# 
# SYNOPSIS
#        header_checks = pcre:/etc/postfix/header_checks
#        mime_header_checks = pcre:/etc/postfix/mime_header_checks
#        nested_header_checks = pcre:/etc/postfix/nested_header_checks
#        body_checks = pcre:/etc/postfix/body_checks
# 
#        postmap -q "string" pcre:/etc/postfix/filename
#        postmap -q - pcre:/etc/postfix/filename <inputfile
# 
# DESCRIPTION
#        This  document  describes access control on the content of
#        message headers and message body lines; it is  implemented
#        by  the  Postfix  cleanup(8) server before mail is queued.
#        See access(5) for access control  on  remote  SMTP  client
#        information.
# 
#        Each  message  header  or  message  body  line is compared
#        against a list of patterns.  When a  match  is  found  the
#        corresponding action is executed, and the matching process
#        is repeated for the next message header  or  message  body
#        line.
# 
#        For  examples, see the EXAMPLES section at the end of this
#        manual page.
# 
#        Postfix header or body_checks are designed to stop a flood
#        of  mail from worms or viruses; they do not decode attach-
#        ments, and they do not unzip archives. See  the  documents
#        referenced  below  in the README FILES section if you need
#        more sophisticated content analysis.
# 
#        Postfix supports four built-in content inspection classes:
# 
#        header_checks
#               These   are  applied  to  initial  message  headers
#               (except for the headers  that  are  processed  with
#               mime_header_checks).
# 
#        mime_header_checks (default: $header_checks)
#               These  are  applied to MIME related message headers
#               only.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        nested_header_checks (default: $header_checks)
#               These  are  applied  to message headers of attached
#               email messages (except for  the  headers  that  are
#               processed with mime_header_checks).
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        body_checks
#               These are applied to all other  content,  including
#               multi-part message boundaries.
# 
#               With Postfix versions before 2.0, all content after
#               the initial message headers is treated as body con-
#               tent.
# 
#        Note: message headers are examined one logical header at a
#        time, even when a message  header  spans  multiple  lines.
#        Body lines are always examined one line at a time.
# 
# COMPATIBILITY
#        With Postfix version 2.2 and earlier specify "postmap -fq"
#        to query a table that contains case sensitive patterns. By
#        default,  regexp: and pcre: patterns are case insensitive.
# 
# TABLE FORMAT
#        This document assumes that header  and  body_checks  rules
#        are  specified  in  the form of Postfix regular expression
#        lookup tables. Usually the best  performance  is  obtained
#        with pcre (Perl Compatible Regular Expression) tables, but
#        the slower regexp (POSIX regular expressions)  support  is
#        more  widely  available.  Use the command "postconf -m" to
#        find out what lookup table types your Postfix system  sup-
#        ports.
# 
#        The general format of Postfix regular expression tables is
#        given below.  For a  discussion  of  specific  pattern  or
#        flags   syntax,   see  pcre_table(5)  or  regexp_table(5),
#        respectively.
# 
#        /pattern/flags action
#               When /pattern/ matches the  input  string,  execute
#               the  corresponding  action. See below for a list of
#               possible actions.
# 
#        !/pattern/flags action
#               When /pattern/ does not  match  the  input  string,
#               execute the corresponding action.
# 
#        if /pattern/flags
# 
#        endif  Match the input string against the patterns between
#               if and endif, if and only if the same input  string
#               also matches /pattern/. The if..endif can nest.
# 
#               Note:  do not prepend whitespace to patterns inside
#               if..endif.
# 
#        if !/pattern/flags
# 
#        endif  Match the input string against the patterns between
#               if  and endif, if and only if the same input string
#               does not match /pattern/. The if..endif can nest.
# 
#        blank lines and comments
#               Empty lines and whitespace-only lines are  ignored,
#               as  are  lines whose first non-whitespace character
#               is a `#'.
# 
#        multi-line text
#               A pattern/action line  starts  with  non-whitespace
#               text.  A line that starts with whitespace continues
#               a logical line.
# 
# TABLE SEARCH ORDER
#        For each line of message input, the patterns  are  applied
#        in  the order as specified in the table. When a pattern is
#        found that  matches  the  input  line,  the  corresponding
#        action  is  executed  and  then  the  next  input  line is
#        inspected.
# 
# TEXT SUBSTITUTION
#        Substitution of substrings  from  the  matched  expression
#        into  the action string is possible using the conventional
#        Perl syntax ($1, $2, etc.).   The  macros  in  the  result
#        string  may  need  to  be  written as ${n} or $(n) if they
#        aren't followed by whitespace.
# 
#        Note: since negated patterns (those preceded by !)  return
#        a result when the expression does not match, substitutions
#        are not available for negated patterns.
# 
# ACTIONS
#        Action names are case insensitive. They are shown in upper
#        case for consistency with other Postfix documentation.
# 
#        DISCARD optional text...
#               Claim  successful delivery and silently discard the
#               message.  Log the optional text if specified,  oth-
#               erwise log a generic message.
# 
#               Note:   this  action  disables  further  header  or
#               body_checks inspection of the current  message  and
#               affects all recipients.  To discard only one recip-
#               ient without discarding the entire message, use the
#               transport(5) table to direct mail to the discard(8)
#               service.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        DUNNO  Pretend  that the input line did not match any pat-
#               tern, and inspect the next input line. This  action
#               can be used to shorten the table search.
# 
#               For  backwards  compatibility reasons, Postfix also
#               accepts OK but it is (and always has been)  treated
#               as DUNNO.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        FILTER transport:destination
#               Write a content filter request to the  queue  file,
#               and  inspect  the  next input line.  After the com-
#               plete message is received it will be  sent  through
#               the specified external content filter.  More infor-
#               mation about external content  filters  is  in  the
#               Postfix FILTER_README file.
# 
#               Note: this action overrides the content_filter set-
#               ting, and affects all recipients of the message. In
#               the  case  that  multiple FILTER actions fire, only
#               the last one is executed.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        HOLD optional text...
#               Arrange  for  the  message to be placed on the hold
#               queue, and inspect the next input line.   The  mes-
#               sage  remains  on hold until someone either deletes
#               it or releases it for delivery.  Log  the  optional
#               text if specified, otherwise log a generic message.
# 
#               Mail that is placed on hold can  be  examined  with
#               the  postcat(1)  command,  and  can be destroyed or
#               released with the postsuper(1) command.
# 
#               Note: use "postsuper -r" to release mail  that  was
#               kept  on  hold for a significant fraction of $maxi-
#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
#               longer.  Use "postsuper -H" only for mail that will
#               not expire within a few delivery attempts.
# 
#               Note: this action affects  all  recipients  of  the
#               message.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        IGNORE Delete the current line from the input, and inspect
#               the next input line.
# 
#        PREPEND text...
#               Prepend  one  line  with  the  specified  text, and
#               inspect the next input line.
# 
#               Notes:
# 
#               o      The prepended text is output on  a  separate
#                      line,  immediately  before  the  input  that
#                      triggered the PREPEND action.
# 
#               o      The prepended text is not considered part of
#                      the  input  stream:  it  is  not  subject to
#                      header/body checks or address rewriting, and
#                      it does not affect the way that Postfix adds
#                      missing message headers.
# 
#               o      When prepending text before a message header
#                      line,  the  prepended text must begin with a
#                      valid message header label.
# 
#               o      This action cannot be used to prepend multi-
#                      line text.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        REDIRECT user@domain
#               Write a message redirection request  to  the  queue
#               file,  and  inspect  the next input line. After the
#               message is queued, it will be sent to the specified
#               address instead of the intended recipient(s).
# 
#               Note:  this action overrides the FILTER action, and
#               affects all recipients of the message. If  multiple
#               REDIRECT  actions  fire,  only the last one is exe-
#               cuted.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        REPLACE text...
#               Replace  the  current line with the specified text,
#               and inspect the next input line.
# 
#               This feature is available in Postfix 2.2 and later.
#               The  description below applies to Postfix 2.2.2 and
#               later.
# 
#               Notes:
# 
#               o      When replacing a message  header  line,  the
#                      replacement  text  must  begin  with a valid
#                      header label.
# 
#               o      The replaced text remains part of the  input
#                      stream.  Unlike  the result from the PREPEND
#                      action, a replaced  message  header  may  be
#                      subject  to address rewriting and may affect
#                      the way that Postfix  adds  missing  message
#                      headers.
# 
#        REJECT optional text...
#               Reject  the  entire  message.  Reply  with optional
#               text... when the optional text is specified, other-
#               wise reply with a generic error message.
# 
#               Note:   this  action  disables  further  header  or
#               body_checks inspection of the current  message  and
#               affects all recipients.
# 
#               Postfix version 2.3 and later support enhanced sta-
#               tus codes.  When no code is specified at the begin-
#               ning of optional text..., Postfix inserts a default
#               enhanced status code of "5.7.1".
# 
#        WARN optional text...
#               Log a warning with the optional text... (or  log  a
#               generic  message), and inspect the next input line.
#               This action is useful for debugging and for testing
#               a pattern before applying more drastic actions.
# 
# BUGS
#        Empty lines never match, because some map types mis-behave
#        when given a zero-length search string.   This  limitation
#        may  be  removed for regular expression tables in a future
#        release.
# 
#        Many people overlook the main limitations  of  header  and
#        body_checks rules.
# 
#        o      These  rules  operate on one logical message header
#               or one body line at a time. A decision made for one
#               line is not carried over to the next line.
# 
#        o      If  text  in the message body is encoded (RFC 2045)
#               then the rules need to be specified for the encoded
#               form.
# 
#        o      Likewise,  when  message  headers  are encoded (RFC
#               2047) then the rules need to be specified  for  the
#               encoded form.
# 
#        Message  headers added by the cleanup(8) daemon itself are
#        excluded from inspection. Examples of such message headers
#        are From:, To:, Message-ID:, Date:.
# 
#        Message  headers  deleted by the cleanup(8) daemon will be
#        examined before they are deleted. Examples are: Bcc:, Con-
#        tent-Length:, Return-Path:.
# 
# CONFIGURATION PARAMETERS
#        body_checks
#               Lookup tables with content filter rules for message
#               body lines.  These filters see one physical line at
#               a  time,  in  chunks  of at most $line_length_limit
#               bytes.
# 
#        body_checks_size_limit
#               The amount of  content  per  message  body  segment
#               (attachment) that is subjected to $body_checks fil-
#               tering.
# 
#        header_checks
# 
#        mime_header_checks (default: $header_checks)
# 
#        nested_header_checks (default: $header_checks)
#               Lookup tables with content filter rules for message
#               header  lines:  respectively,  these are applied to
#               the initial message  headers  (not  including  MIME
#               headers),  to the MIME headers anywhere in the mes-
#               sage, and to the initial headers of  attached  mes-
#               sages.
# 
#               Note:  these filters see one logical message header
#               at a time, even when a message header spans  multi-
#               ple  lines.  Message  headers  that are longer than
#               $header_size_limit characters are truncated.
# 
#        disable_mime_input_processing
#               While receiving mail, give no special treatment  to
#               MIME  related  message  headers; all text after the
#               initial message headers is considered to be part of
#               the  message body. This means that header_checks is
#               applied to all the  initial  message  headers,  and
#               that body_checks is applied to the remainder of the
#               message.
# 
#               Note: when used in this  manner,  body_checks  will
#               process  a  multi-line message header one line at a
#               time.
# 
# EXAMPLES
#        Header pattern to block attachments  with  bad  file  name
#        extensions.   For  convenience, the PCRE /x flag is speci-
#        fied, so that there is no need  to  collapse  the  pattern
#        into   a   single  line  of  text.   The  purpose  of  the
#        [[:xdigit:]] sub-expressions is to recognize Windows CLSID
#        strings.
# 
#        /etc/postfix/main.cf:
#            header_checks = pcre:/etc/postfix/header_checks.pcre
# 
#        /etc/postfix/header_checks.pcre:
#            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
#              hlp|ht[at]|
#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
#                REJECT Attachment name "$2" may not end with ".$4"
# 
#        Body pattern to stop a specific HTML browser vulnerability
#        exploit.
# 
#        /etc/postfix/main.cf:
#            body_checks = regexp:/etc/postfix/body_checks
# 
#        /etc/postfix/body_checks:
#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
#                REJECT IFRAME vulnerability exploit
# 
# SEE ALSO
#        cleanup(8), canonicalize and enqueue Postfix message
#        pcre_table(5), format of PCRE lookup tables
#        regexp_table(5), format of POSIX regular expression tables
#        postconf(1), Postfix configuration utility
#        postmap(1), Postfix lookup table management
#        postsuper(1), Postfix janitor
#        postcat(1), show Postfix queue file contents
#        RFC 2045, base64 and quoted-printable encoding rules
#        RFC 2047, message header encoding for non-ASCII text
# 
# README FILES
#        Use "postconf readme_directory" or  "postconf  html_direc-
#        tory" to locate this information.
#        DATABASE_README, Postfix lookup table overview
#        CONTENT_INSPECTION_README, Postfix content inspection overview
#        BUILTIN_FILTER_README, Postfix built-in content inspection
#        BACKSCATTER_README, blocking returned forged mail
# 
# LICENSE
#        The  Secure  Mailer  license must be distributed with this
#        software.
# 
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
# 
#                                                               HEADER_CHECKS(5)

Headerchecks

Wollen wir nun Nachrichten von bestimmten Absendern oder anderen Einträgen in den Headerzeilen generell blocken, so legen wir uns folgende Konfigurationsdatei /etc/postfix/header_check_maps an.

 # vim /etc/postfix/header_check_maps
/etc/postfix/header_check_maps
# Django : 2012-02-06
# Kapitel 13.5 Filtern von eMails nach Inhalt
# In der Postfix-Konfigurationsdatei /etc/postfix/main.cf muss
# body_checks = pcre:/etc/postfix/header_check_maps gesetzt sein!
#
# Nach dem Ändern der Datei ist ein service postfix reload durchzuführen!
#
# Die Nummern hinter dem REJECT tauchen später als SMTP-Error und auch im Mailserver-Log auf.
# Die auslösende Filter-Regel, die den Block ausgeloest hat, ist somit leicht quwieder zu finden.
#
 
# Ausnahmeregelung für den sicheren IT-/Mailbetrieb im heimischen Netzwerk
#
# Domeus hat bis heute nicht den Unterschied zwischen Mailheader-To und
# SMTP-Envelope-To verstanden und fabriziert seit nunmehr über sieben Jahren in
# schöner Regelmäßigkeit Mailschleifen im vier/fünfstelligen Bereich.
#
/^Received:.*domeus\.com/       REJECT Domeus baut Mailschleifen und hat wichtige RFCs nicht verstanden
#
# Dauerhaft genutzte Regelungen:
# ===============================================
# [Immer mit aufsteiger Nummer sauber eintragen!]
#
If /^Subject:/i
/^Subject:.*Webcam Luder.*/                             REJECT Header-Subject-Spamschutzregel Subj-1002
/^Subject:.*Potenzprobleme.*/                           REJECT Header-Subject-Spamschutzregel Subj-1001
/^Subject:.*RedBull fur Ihr bestes Stueck/              REJECT Header-Subject-Spamschutzregel Subj-1000
Endif
#
# und das Ganze nach Header-From
# ==============================
#
If /^From:/i
/^From: .*Royal Club Casino.*/                          REJECT Header-From-Spamschutzregel From-1002
/^From: .*Euro Dice Casino.*/                           REJECT Header-From-Spamschutzregel From-1001
/^From:.*happydigits.de/                                REJECT Header-From-Spamschutzregel From-1000
Endif
#
# generelle Filerregelungen nach den üblichen Verdächtigen
# ========================================================
#
/^Date: .* 200[0-7]/                                    REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date: .* 19[0-9][0-9]/                                REJECT Your email has a date from the past. Fix your system clock and try again.
If /^X-Mailer:/i
/^X-Mailer: 0001/                                       REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Avalanche/                                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Crescent Internet Tool/                     REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: DiffondiCool/                               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: E-Mail Delivery Agent/                      REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Emailer Platinum/                           REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Entity/                                     REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Extractor/                                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: Floodgate/                                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: GOTO Software Sarbacane/                    REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MailWorkz/                                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MassE-Mail/                                 REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: MaxBulk.Mailer/                             REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: News Breaker Pro/                           REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SmartMailer/                                REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: StormPort/                                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
/^X-Mailer: SuperMail-2/                                REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.
Endif

Damit Postfix das neue Regelwerk auch verwenden kann, ost ein reload des laufenden Daemon durchzuführen.

  # service postfix reload
 Reloading postfix:                                         [  OK  ]

Bodychecks

Wollen wir nun Nachrichten von bestimmten Absendern oder anderen Einträgen in den Headerzeilen generell blocken, so legen wir uns folgende Konfigurationsdatei /etc/postfix/body_check_maps an.

 # vim /etc/postfix/body_check_maps
/etc/postfix/body_check_maps
# Django : 2012-02-06
# Kapitel 13.5 Filtern von eMails nach Inhalt
# In der Postfix-Konfigurationsdatei /etc/postfix/main.cf muss
# body_checks = pcre:/etc/postfix/body_check_maps gesetzt sein!
#
# Nach dem Ändern der Datei ist ein service postfix reload durchzuführen!
#
# Die Nummern hinter dem REJECT tauchen später als SMTP-Error und auch im Mailserver-Log auf.
# Die auslösende Filter-Regel, die den Block ausgeloest hat, ist somit leicht wieder zu finden.
#
 
/.*http:\/\/www.csu.de:80\/.*/                  REJECT Body_Check_Rule_4_Dummies: 0002
/.*was@qualys.com.*/                            REJECT Body_Check_Rule_4_Dummies: 0001

Damit Postfix das neue Regelwerk auch verwenden kann, ost ein reload des laufenden Daemon durchzuführen.

  # service postfix reload
 Reloading postfix:                                         [  OK  ]

Über die nachfolgenden Parameter können wir definieren, wie groß einzelne eMails, einzelne MailDir-Files und wieviel wir bei einem Bounce, wenn er denn nötig werden sollte, zurück an den Absender schicken wollen. All diese Festlegungen werden pber die main.cf vorgenommen.

 # vim /etc/postfix/main.cf
# Django : 2012-02-06
# Maximale Nachrichtengröße einer Nachricht incl. der Headerinformationen: 50MB 
# ( 52428800 = 50*1024*1024 ), darüber verweigert Postfix die Annahme. 
# default: message_size_limit = 10240000
message_size_limit = 52428800
 
# Django : 2012-02-06
# Maximale Mailboxgröße einer einzelnen Mailbox bzw. Maildir-Fiels. Darf nicht kleiner 
# als die maximale Nachrichtengröße (message_size_limit) sein
# default: mailbox_size_limit = 10240000
mailbox_size_limit = 52428800
 
# Django : 2012-02-06
# Anteil der Originalnachricht (Größe) die bei einem Bounce zurück an den Absender geschickt wird.
# default : bounce_size_limit = 50000
bounce_size_limit = 8192

Anschließend starten wir unseren Postfix einmal durch.

 # service postfix restart

Mit Hilfe des Moduls anvil ist Postfix in der Lage, basierend auf den Verbindungsstatistiken, eine Trafficlimitierung vorzunehmen. In der Konfigurationsdatei master.cf ist hierzu folgende Zeile notwendig, die bereits eingetragen und auch schon aktiviert ist.

  # grep anvil /etc/postfix/master.cf 
 anvil     unix  -       -       n       -       1       anvil

In der Konfigurationsdatei main.cf tragen wir nun beu Bedarf folgende Parameter ein:

 # vim /etc/postfix/main.cf
# Django : 2012-02-06
# maximale Zustellungen limitieren                        (Kapitel 13.14 Rate-Limiting gegenüber Clients durchsetzen)
# (DOS-Attacken verhindern)
#
# Basiszeiteinheit für die Kalkulation der rate-limits
anvil_rate_time_unit = 60s
#
# maximale Anzahl gleichzeitiger Verbindungen pro einliefernenden Host
# default : smtpd_client_connection_count_limit = 50 
smtpd_client_connection_count_limit = 20
#
# maximale Anzahl von Verbindungsversuchen je definierter Zeiteinheit 
# (anvil_rate_time_unit) pro einliefernden Host
smtpd_client_connection_rate_limit = 20
#
# maximale Anzahl von erlaubten Empfänger Adressen je definierter Zeiteinheit 
# (anvil_rate_time_unit) pro einliefernden Host
smtpd_client_recipient_rate_limit = 50
#
# maximale Anzahl von erlaubten Anzahl von eMails je definierter Zeiteinheit 
# (anvil_rate_time_unit) pro einliefernden Host
smtpd_client_message_rate_limit = 50

Zur Aktivierung starten wir unseren Mailserver einmal durch.

 # service postfix restart

Mit Hilfe des SMTP-Befehles VRFY ist es möglich, ohne die Verwendung des SMTP-Befehles MAIL FROM die Existenz eines Postfachs abzuprüfen. Will man diese Abfragemöglichkeit unterbinden, so trägt man in die Konfigurationsdatei folgende Zeilen ein.

 # vim /etc/postfix/main.cf
# Django : 2012-02-06 
# SMTP vrfy sperren                                     (Kapitel 2.1 SMTP richtig sprechen)
disable_vrfy_command=yes

Anschließend starten wir den Mailserver zur Aktivierung einmal durch.

 # service postfix restart

Mit unter ist es wünschenswert, die Zeitspanne für die Dauer unserer Zustellversuche bei anderen Mailservern anzupassen. Standardmäßig würde Postfix versuchen 7 Tage lang die Nachricht abzusetzen. In der main.cf tragen wir hierzu folgende Zeilen ein.

 # vim /etc/postfix/main.cf
# Django : 2012-02-06
# lifetime auf drei Tage runtersetzen
maximal_queue_lifetime_days = 3d                        # Defininiert die maximale Zeit, die der 
                                                        # MX versuchen darf, eine Nachricht zuzustellen
delay_warning_time_hours = 0h                           # Legt fest, wieviel Zeit vergehen muss, bevor 
                                                        # eine Warnung versendet wird

Zum Aktivieren der Option starten wir den Mailserver einmal durch.

 # service postfix restart

Links


1) , 2)
Full Qualified Domain Name
3)
Realtime Blackhole List
4)
Right-Hand Sided Blacklist
5)
Delivery Status Notification
Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/mail_c6/mta_3.txt
  • Zuletzt geändert: 22.07.2019 15:08.
  • (Externe Bearbeitung)