Basic Postfix Mail Server Configuration

Setting up a reliable and secure mail transfer agent is vital for any organization that needs to send and receive emails. Postfix, known for its modular design, performance, and security focus, is an excellent choice. This guide covers everything from installation to advanced security considerations, combining hands-on examples and best practices.

1. Prerequisites

  • Operating System: A modern Linux distribution (Debian, Ubuntu, CentOS, RHEL).
  • Root or sudo access: To install packages and modify system files.
  • FQDN: A fully qualified domain name (e.g., mail.example.com), with an A record pointing to your server’s IP.
  • Open ports: 25 (SMTP), 587 (submission), optionally 465 (SMTPS).
  • VPN for Remote Administration (optional): Secure remote management. Use NordVPN, ExpressVPN, or ProtonVPN.

2. Installation

  1. Update package index:
    sudo apt update
  2. Install Postfix:
    sudo apt install postfix
  3. During the Debconf prompt:
    • Select Internet Site.
    • Set System mail name to your domain (e.g., example.com).
  4. Verify installation:
    sudo postfix status

3. Core Configuration Files

3.1 /etc/postfix/main.cf

The main.cf file holds the primary settings. Below is a sample table of recommended directives:

| Directive | Value | Description |
| --- | --- | --- |
| myhostname | mail.example.com | Fully qualified domain name |
| mydomain | example.com | Mail domain |
| myorigin | $mydomain | Sender domain in outgoing mail |
| inet_interfaces | all | Listen on all network interfaces |
| mydestination | $myhostname, localhost.$mydomain, localhost, $mydomain | Domains delivered locally |
| relay_domains | $mydestination | Permitted relaying domains |
| smtpd_banner | $myhostname ESMTP $mail_name | SMTP greeting banner |
| smtpd_tls_cert_file | /etc/ssl/certs/mail.crt | TLS certificate |
| smtpd_tls_key_file | /etc/ssl/private/mail.key | TLS private key |
| smtp_tls_security_level | may | Opportunistic TLS for outbound |
| smtpd_tls_security_level | may | Opportunistic TLS for inbound |

3.2 /etc/postfix/master.cf

The master.cf file defines service interfaces and options. Example to enable submission (port 587):


submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

4. Enabling SMTP Authentication (SASL)

  1. Install dependencies:
    sudo apt install libsasl2-modules sasl2-bin
  2. Edit /etc/postfix/main.cf and add:
    • smtpd_sasl_auth_enable = yes
    • smtpd_sasl_type = dovecot (if using Dovecot)
    • smtpd_sasl_path = private/auth
    • smtpd_sasl_security_options = noanonymous
    • smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
  3. Restart Postfix:
    sudo systemctl restart postfix

5. TLS Configuration

  • Obtain a certificate: Use Let’s Encrypt or a commercial CA.
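  • Permissions: Ensure the private key is readable only by root/postfix (chmod 600).
  • Enable secure ciphers: In main.cf, set tls_preempt_cipherlist = yes and smtp_tls_mandatory_protocols = !SSLv2, !SSLv3. The smtp_ parameter applies to outbound connections; smtpd_tls_mandatory_protocols is its inbound counterpart.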
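
Added example (not part of the original guide and not Postfix's own tooling): a small Python audit of main.cf for the SASL, relay and TLS settings from sections 3.1, 4 and 5. The sample file is constructed from the guide's directives; smtpd_tls_auth_only is a real Postfix parameter the guide does not set, and Postfix's built-in defaults are not modelled.

```python
import re

# Constructed sample main.cf assembled from the directives this guide recommends.
SAMPLE_MAIN_CF = """\
# constructed sample, not from a real server
myhostname = mail.example.com
smtpd_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """'#' lines are comments, indented lines continue the previous one, last assignment wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params

def audit(params):
    """Return {parameter: reason}. Only values set in the file are judged (assumption:
    Postfix's built-in defaults are not modelled)."""
    def words(name):
        return [w for w in re.split(r"[,\s]+", params.get(name, "")) if w]
    findings = {}
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings["smtpd_tls_auth_only"] = "AUTH is offered without TLS; passwords can cross in cleartext"
    if "smtpd_sasl_security_options" in params and "noanonymous" not in words("smtpd_sasl_security_options"):
        findings["smtpd_sasl_security_options"] = "anonymous SASL mechanisms are not excluded"
    rcpt = words("smtpd_recipient_restrictions")
    if rcpt and not {"reject_unauth_destination", "defer_unauth_destination"} & set(rcpt):
        findings["smtpd_recipient_restrictions"] = "no relay check in this list"
    for name in ("smtpd_tls_mandatory_protocols", "smtp_tls_mandatory_protocols"):
        proto = words(name)
        if proto and not ({"!SSLv2", "!SSLv3"} <= set(proto) or any(p.startswith(">=") for p in proto)):
            findings[name] = "SSLv2/SSLv3 are not excluded"
    return findings

if __name__ == "__main__":
    for name, reason in audit(parse_main_cf(SAMPLE_MAIN_CF)).items():
        print(f"{name}: {reason}")
```

On the sample it reports only smtpd_tls_auth_only: with smtpd_tls_security_level = may, the main.cf-wide smtpd_sasl_auth_enable = yes also offers AUTH on port 25 sessions that never started TLS, whereas the submission entry in master.cf forces encryption.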

6. DNS Records (SPF, DKIM, DMARC)

  1. SPF:
    example.com. IN TXT "v=spf1 mx a ip4:203.0.113.10 -all"
  2. DKIM:
    • Install opendkim:
      sudo apt install opendkim opendkim-tools
    • Generate keys:
      opendkim-genkey -t -s mail -d example.com
    • Publish the public key in DNS under mail._domainkey.example.com.
  3. DMARC:
    _dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"

7. Anti-Spam Measures

  • Greylisting: Temporarily refuse new senders to foil spammers.
  • RBLs: Integrate Realtime Blackhole Lists in main.cf via smtpd_recipient_restrictions.
  • Content filtering: Use SpamAssassin or ClamAV for virus scanning.

8. Testing & Troubleshooting

  • Check logs: sudo tail -f /var/log/mail.log
  • Send a test email with mail or swaks:
    swaks --to user@otherdomain.com --from you@example.com --server mail.example.com
  • Verify TLS: openssl s_client -connect mail.example.com:587 -starttls smtp

9. Security Best Practices

  1. Keep software up to date: run sudo apt upgrade regularly.
  2. Restrict access to Postfix ports with a firewall (ufw/iptables).
  3. Use strong ciphers and disable old protocols in TLS settings.
  4. Monitor logs and set up alerting for anomalous activity.
  5. Consider remote administration only over a secure VPN such as NordVPN or ExpressVPN.

Conclusion

By following this guide, you’ll have a robust Postfix installation capable of handling everyday email tasks securely. Fine-tuning with DKIM, DMARC, and advanced anti-spam configurations ensures deliverability and trust. Always monitor performance and adapt your settings to evolving security standards.
