Setting up a postfix email server

ubuntu postfix email-server

When I set up an email server using postfix on ubuntu server, how do I make sure that it won't be an open relay??


Being an open relay means that you are accepting mail from unauthenticated users for domains that are not the domains you manage.

Postfix has some very simple config options to help: mynetworks and mynetworks_style between them dictate from which network addresses messages to any destination will be accepted. mydestination is used to specify which domains are domains that you manage (ie that you should accept messages for because they're yours).

So the very simplest setup looks like:

mydomain = yourexampledomain.com
mydestination = $myhostname, $mydomain
mynetworks = 127.0.0.1/32
smtpd_recipient_restrictions = 
    permit_mynetworks,
    reject_unauth_destination

This will accept mail only:

  1. for myexampledomain.com and for the hostname of the host itself, from any machine that can reach your mail server
  2. from any client on the mail server (127.0.0.1/32), for any host, anywhere.

and will reject anything else.

That is the most basic setup I can come up with. You need to read the entries for mydomain, mydestination, mynetworks{_style} in postconf(5).

If you need to be able to accept mail from clients by any other criterion than network, such as say username and password or kerberos ticket, you need to read about SMTP_AUTH.


I believe you'll need to set the mynetworks_style, mynetworks, and relay_domains settings in the Postfix configuration file. Basically the first two control which servers Postfix will accept mail from, and the last one controls which servers it will forward mail to. The exact settings depend on how you want your mail server configured (i.e. who is authorized to send emails through the server), but in general relay_domains should be set to only the hostnames of the mail server itself (same as mydestinations) and mynetworks_style can be set to host which means only accept emails from the local host itself.

There are some tests listed at http://articles.slicehost.com/2008/8/7/postfix-checking-for-an-open-relay that you can use to check whether your server is running an open relay. (Some of the links may be dead but I'm pretty sure at least one still works... don't remember which though)

Here's an excerpt from my server's Postfix config:

luser_relay =
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
mynetworks = 127.0.0.1/32 [server's IP address]/32
mynetworks_style = host
myorigin = $mydomain
relay_domains = $mydestination
smtpd_helo_restrictions = permit_mynetworks,
        reject_non_fqdn_hostname,
        reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/postgrey,
        check_policy_service unix:private/policyd-spf,
        reject_rbl_client sbl-xbl.spamhaus.org

Give this website this website a try. It will allow you to check that you've configured your mail server properly

Updated as the first website no longer works

Related

Setup default page for Apache Virtual Hosts
What is your experience with Google Apps Premier edition?
What is the purpose of "source" (.) as a shell command?
How does AuthzSVNAccessFile work?
FirewallD : Allow connections only from certain IP addresses [duplicate]
Execute program on remote computer using PowerShell
Phpmyadmin location for nginx
php-fpm status page: what are the "queue" items in this report?
Ec2: Setup mail to send emails
How to properly shutdown ESXi cluster after power outage?
How to change a VM from split across multiple .vmdk files to a single one or two?
How to tweak Gnome user elevation in RHEL/CentOS