MTA – Postfix

For a change, this is not an installation guide but a set of snippets from an example configuration for a Postfix with TLS/SSL and authentication. With a Postfix configured as described here, sending mail as a user through it works only via SMTP-Auth. The configuration also makes extensive use of restrictions and blacklists. – The version covered/used is >2.2.0.


Homepage: http://www.postfix.org/

Straight to the point:
The configuration is usually found under /etc/postfix or /usr/local/etc.
The paths simply have to be adjusted accordingly. 🙂

main.cf:

# Nobody needs to know my version
smtpd_banner = $myhostname ESMTP $mail_name

# I only trust myself
mynetworks = 127.0.0.0/8

# Bind postfix to only one IP
smtp_bind_address = 123.123.123.123

# Don't want to let anyone harvest email addresses
disable_vrfy_command = yes

# Relay mails over specific hosts based on the sender address
sender_dependent_relayhost_maps = /etc/postfix/relayhosts

# Restrictions (Postfix evaluates each list left to right; lines
# starting with whitespace are continuation lines)
# Answer to client SMTP connection request
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    permit_sasl_authenticated,
    reject_unknown_client,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dynablock.easynet.nl,
    reject_rbl_client sbl.schlund.de,
    reject_rbl_client rhsbl.sorbs.net,
    reject_rbl_client virbl.dnsbl.bit.nl,
    reject_unauth_pipelining
# Answer to SMTP HELO
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/access,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_pipelining
# Answer to MAIL FROM
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/access,
    check_sender_mx_access hash:/etc/postfix/access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining
# Answer to RCPT TO
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_auth_destination,
    reject
# Other headers
header_checks = regexp:/etc/postfix/header_checks

# Need HELO
smtpd_helo_required = yes

# RFC821 compliant envelopes only
strict_rfc821_envelopes = yes

# TLS/SSL
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/certificate.pem
smtp_tls_cert_file = /etc/postfix/certificate.pem
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/certificate.pem
smtpd_tls_cert_file = /etc/postfix/certificate.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_use_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600
tls_random_source = /dev/urandom

# Enable SMTP-Auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authenticated_header = yes

# Ratelimits and Errorlimits
anvil_rate_time_unit = 60
anvil_status_update_time = 300
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 60
smtpd_client_message_rate_limit = 60
smtpd_client_recipient_rate_limit = 60
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_error_sleep_time = 5

master.cf:

# Enable TLS wrapper mode (smtps)
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#
# For TLS
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

For an explanation of the individual configuration parameters, this page
helps a great deal.
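As an added example (not part of the original post), the following Python script models how Postfix walks a restriction list such as the smtpd_recipient_restrictions above from left to right and stops at the first OK or REJECT, which is why permit_mynetworks and permit_sasl_authenticated sit before the reject_* entries and why an unauthenticated outside host can deliver to a local domain but cannot relay through the server. The access map contents, client addresses and DNS results are constructed stand-ins, and any restriction the script does not model evaluates to DUNNO (no decision).

```python
import ipaddress

# Constructed stand-ins for hash:/etc/postfix/access and for mynetworks = 127.0.0.0/8.
ACCESS_MAP = {"blocked@example.net": "REJECT", "partner.example": "OK"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# smtpd_recipient_restrictions exactly as listed in the main.cf above.
RECIPIENT_RESTRICTIONS = (
    "check_recipient_access hash:/etc/postfix/access, permit_mynetworks, "
    "permit_sasl_authenticated, reject_unknown_recipient_domain, "
    "reject_unauth_pipelining, permit_auth_destination, reject")


def access_lookup(table, recipient):
    """Simplified access(5) lookup: full address, then the domain and its parent domains."""
    domain = recipient.rpartition("@")[2]
    parents = [domain[i:] for i in range(len(domain)) if i == 0 or domain[i - 1] == "."]
    return next((table[k] for k in [recipient] + parents if k in table), "DUNNO")


def session(client_ip, recipient, sasl=False, local=False, resolves=True, pipelining=False):
    """Per-RCPT context for the evaluator (all values constructed for this example)."""
    return {"client_ip": client_ip, "recipient": recipient, "sasl": sasl,
            "recipient_is_local": local, "domain_resolves": resolves, "pipelining_abuse": pipelining}


def evaluate(restriction_list, ctx):
    """Walk the list left to right; the first OK/REJECT decides, an exhausted list permits."""
    for entry in restriction_list.split(","):
        name = entry.split()[0]  # drops the map argument of check_* entries
        verdict = "DUNNO"
        if name == "check_recipient_access":
            verdict = access_lookup(ACCESS_MAP, ctx["recipient"])
        elif name == "permit_mynetworks":
            verdict = "OK" if any(ipaddress.ip_address(ctx["client_ip"]) in n for n in MYNETWORKS) else "DUNNO"
        elif name == "permit_sasl_authenticated":
            verdict = "OK" if ctx["sasl"] else "DUNNO"
        elif name == "reject_unknown_recipient_domain":
            verdict = "DUNNO" if ctx["domain_resolves"] else "REJECT"
        elif name == "reject_unauth_pipelining":
            verdict = "REJECT" if ctx["pipelining_abuse"] else "DUNNO"
        elif name == "permit_auth_destination":
            verdict = "OK" if ctx["recipient_is_local"] else "DUNNO"
        elif name == "reject":
            verdict = "REJECT"
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end of list"


if __name__ == "__main__":  # outside host trying to relay without SMTP-Auth
    print(evaluate(RECIPIENT_RESTRICTIONS, session("203.0.113.5", "bob@elsewhere.example")))
```

Because check_recipient_access comes first, a REJECT entry in the access map wins even for clients in mynetworks; swapping the order would change that.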