1 <!doctype html public
"-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
8 <title> Postfix Basic Configuration
</title>
10 <meta http-equiv=
"Content-Type" content=
"text/html; charset=us-ascii">
16 <h1><img src=
"postfix-logo.jpg" width=
"203" height=
"98" ALT=
"">Postfix Basic Configuration
</h1>
20 <h2> Introduction
</h2>
22 <p> Postfix has several hundred configuration parameters that are
23 controlled via the main.cf file. Fortunately, all parameters have
24 sensible default values. In many cases, you need to configure only
25 two or three parameters before you can start to play with the mail
26 system. Here's a quick introduction to the syntax:
</p>
30 <li> <p> <a href=
"#syntax">Postfix configuration files
</a></p>
34 <p> The text below assumes that you already have Postfix installed
35 on the system, either by compiling the source code yourself (as
36 described in the INSTALL file) or by installing an already compiled
39 <p> This document covers basic Postfix configuration. Information
40 about how to configure Postfix for specific applications such as
41 mailhub, firewall or dial-up client can be found in the
42 STANDARD_CONFIGURATION_README file. But don't go there until you
43 already have covered the material presented below.
</p>
45 <p> The first parameters of interest specify the machine's identity
46 and role in the network.
</p>
50 <li> <p> <a href=
"#myorigin"> What domain name to use in outbound mail
</a> </p>
52 <li> <p> <a href=
"#mydestination"> What domains to receive mail for
</a> </p>
54 <li> <p> <a href=
"#relay_from"> What clients to relay mail from
</a> </p>
56 <li> <p> <a href=
"#relay_to"> What destinations to relay mail to
</a> </p>
58 <li> <p> <a href=
"#relayhost"> What delivery method: direct or
63 <p> The default values for many other configuration parameters are
64 derived from just these.
</p>
66 <p> The next parameter of interest controls the amount of mail sent
67 to the local postmaster:
</p>
71 <li> <p> <a href=
"#notify"> What trouble to report to the postmaster
76 <p> Be sure to set the following correctly if you're behind a proxy or
77 network address translator, and you are running a backup MX host
78 for some other domain:
</p>
82 <li> <p> <a href=
"#proxy_interfaces"> Proxy/NAT external network
87 <p> Postfix daemon processes run in the background, and log problems
88 and normal activity to the syslog daemon. Here are a few things
89 that you need to be aware of:
</p>
93 <li> <p> <a href=
"#syslog_howto"> What you need to know about
94 Postfix logging
</a> </p>
98 <p> If your machine has unusual security requirements you may
99 want to run Postfix daemon processes inside a chroot environment.
</p>
103 <li> <p> <a href=
"#chroot_setup"> Running Postfix daemon processes
107 <p> If you run Postfix on a virtual network interface, or if your
108 machine runs other mailers on virtual interfaces, you'll have to
109 look at the other parameters listed here as well:
</p>
113 <li> <p> <a href=
"#myhostname"> My own hostname
</a> </p>
115 <li> <p> <a href=
"#mydomain"> My own domain name
</a> </p>
117 <li> <p> <a href=
"#inet_interfaces"> My own network addresses
</a> </p>
121 <h2> <a name=
"syntax">Postfix configuration files
</a></h2>
123 <p> By default, Postfix configuration files are in /etc/postfix.
124 The two most important files are main.cf and master.cf; these files
125 must be owned by root. Giving someone else write permission to
126 main.cf or master.cf (or to their parent directories) means giving
127 root privileges to that person.
</p>
129 <p> In /etc/postfix/main.cf you will have to set up a minimal number
130 of configuration parameters. Postfix configuration parameters
131 resemble shell variables, with two important differences: the first
132 one is that Postfix does not know about quotes like the UNIX shell
135 <p> You specify a configuration parameter as:
</p>
139 /etc/postfix/main.cf:
144 <p> and you use it by putting a
"$" character in front of its name:
</p>
148 /etc/postfix/main.cf:
149 other_parameter = $parameter
153 <p> You can use $parameter before it is given a value (that is the
154 second main difference with UNIX shell variables). The Postfix
155 configuration language uses lazy evaluation, and does not look at
156 a parameter value until it is needed at runtime.
</p>
158 <p> Postfix uses database files for access control, address rewriting
159 and other purposes. The DATABASE_README file gives an introduction
160 to how Postfix works with Berkeley DB, LDAP or SQL and other types.
161 Here is a common example of how Postfix invokes a database:
</p>
165 /etc/postfix/main.cf:
166 virtual_alias_maps = hash:/etc/postfix/virtual
170 <p> Whenever you make a change to the main.cf or master.cf file,
171 execute the following command as root in order to refresh a running
180 <h2> <a name=
"myorigin"> What domain name to use in outbound mail
</a> </h2>
182 <p> The myorigin parameter specifies the domain that appears in
183 mail that is posted on this machine. The default is to use the
184 local machine name, $myhostname, which defaults to the name of the
185 machine. Unless you are running a really small site, you probably
186 want to change that into $mydomain, which defaults to the parent
187 domain of the machine name.
</p>
189 <p> For the sake of consistency between sender and recipient addresses,
190 myorigin also specifies the domain name that is appended
191 to an unqualified recipient address.
</p>
193 <p> Examples (specify only one of the following):
</p>
197 /etc/postfix/main.cf:
198 myorigin = $myhostname (default: send mail as
"user@$myhostname")
199 myorigin = $mydomain (probably desirable:
"user@$mydomain")
203 <h2><a name=
"mydestination"> What domains to receive mail for
</a>
206 <p> The mydestination parameter specifies what domains this
207 machine will deliver locally, instead of forwarding to another
208 machine. The default is to receive mail for the machine itself.
209 See the VIRTUAL_README file for how to configure Postfix for
212 <p> You can specify zero or more domain names,
"/file/name" patterns
213 and/or
"type:table" lookup tables (such as hash:, btree:, nis:, ldap:,
214 or mysql:), separated by whitespace and/or commas. A
"/file/name"
215 pattern is replaced by its contents;
"type:table" requests that a
216 table lookup is done and merely tests for existence: the lookup
217 result is ignored.
</p>
219 <p> IMPORTANT: If your machine is a mail server for its entire
220 domain, you must list $mydomain as well.
</p>
222 <p> Example
1: default setting.
</p>
226 /etc/postfix/main.cf:
227 mydestination = $myhostname localhost.$mydomain localhost
231 <p> Example
2: domain-wide mail server.
</p>
235 /etc/postfix/main.cf:
236 mydestination = $myhostname localhost.$mydomain localhost $mydomain
240 <p> Example
3: host with multiple DNS A records.
</p>
244 /etc/postfix/main.cf:
245 mydestination = $myhostname localhost.$mydomain localhost
246 www.$mydomain ftp.$mydomain
250 <p> Caution: in order to avoid mail delivery loops, you must list all
251 hostnames of the machine, including $myhostname, and localhost.$mydomain.
</p>
253 <h2> <a name=
"relay_from"> What clients to relay mail from
</a> </h2>
255 <p> By default, Postfix will forward mail from clients in authorized
256 network blocks to any destination. Authorized networks are defined
257 with the mynetworks configuration parameter. The default is to
258 authorize all clients in the IP subnetworks that the local machine
261 <p> IMPORTANT: If your machine is connected to a wide area network
262 then your default mynetworks setting may be too friendly.
</p>
264 <p> Examples (specify only one of the following):
</p>
268 /etc/postfix/main.cf:
269 mynetworks_style = subnet (default: authorize subnetworks)
270 mynetworks_style = host (safe: authorize local machine only)
271 mynetworks =
127.0.0.0/
8 (safe: authorize local machine only)
272 mynetworks =
127.0.0.0/
8 168.100.189.2/
32 (authorize local machine)
276 <p> You can specify the trusted networks in the main.cf file, or
277 you can let Postfix do the work for you. The default is to let
278 Postfix do the work. The result depends on the mynetworks_style
283 <li> <p> Specify
"mynetworks_style = host" when Postfix should
284 forward mail from only the local machine.
</p>
286 <li> <p> Specify
"mynetworks_style = subnet" (the default) when
287 Postfix should forward mail from SMTP clients in the same IP
288 subnetworks as the local machine. On Linux, this works correctly
289 only with interfaces specified with the
"ifconfig" command.
</p>
291 <li> <p> Specify
"mynetworks_style = class" when Postfix should
292 forward mail from SMTP clients in the same IP class A/B/C networks
293 as the local machine. Don't do this with a dialup site - it would
294 cause Postfix to
"trust" your entire provider's network. Instead,
295 specify an explicit mynetworks list by hand, as described below.
300 <p> Alternatively, you can specify the mynetworks list by hand,
301 in which case Postfix ignores the mynetworks_style setting.
302 To specify the list of trusted networks by hand, specify network
303 blocks in CIDR (network/mask) notation, for example:
</p>
307 /etc/postfix/main.cf:
308 mynetworks =
168.100.189.0/
28,
127.0.0.0/
8
312 <p> You can also specify the absolute pathname of a pattern file instead
313 of listing the patterns in the main.cf file.
</p>
315 <h2> <a name=
"relay_to"> What destinations to relay mail to
</a> </h2>
317 <p> By default, Postfix will forward mail from strangers (clients outside
318 authorized networks) to authorized remote destinations only.
320 destinations are defined with the relay_domains configuration
321 parameter. The default is to authorize all domains (and subdomains)
322 of the domains listed with the mydestination parameter.
</p>
324 <p> Examples (specify only one of the following):
</p>
328 /etc/postfix/main.cf:
329 relay_domains = $mydestination (default)
330 relay_domains = (safe: never forward mail from strangers)
331 relay_domains = $mydomain (forward mail to my domain and subdomains)
335 <h2> <a name=
"relayhost"> What delivery method: direct or
338 <p> By default, Postfix tries to deliver mail directly to the
339 Internet. Depending on your local conditions this may not be possible
340 or desirable. For example, your system may be turned off outside
341 office hours, it may be behind a firewall, or it may be connected
342 via a provider who does not allow direct mail to the Internet. In
343 those cases you need to configure Postfix to deliver mail indirectly
344 via a relay host.
</p>
346 <p> Examples (specify only one of the following):
</p>
350 /etc/postfix/main.cf:
351 relayhost = (default: direct delivery to Internet)
352 relayhost = $mydomain (deliver via local mailhub)
353 relayhost = [mail.$mydomain] (deliver via local mailhub)
354 relayhost = [mail.isp.tld] (deliver via provider mailhub)
358 <p> The form enclosed with
<tt>[]
</tt> eliminates DNS MX lookups.
359 Don't worry if you don't know what that means. Just be sure to
360 specify the
<tt>[]
</tt> around the mailhub hostname that your ISP
361 gave to you, otherwise mail may be mis-delivered.
</p>
363 <p> The STANDARD_CONFIGURATION_README file has more hints and tips
364 for firewalled and/or dial-up networks.
</p>
366 <h2> <a name=
"notify"> What trouble to report to the postmaster
</a> </h2>
368 <p> You should set up a postmaster alias in the aliases(
5) table
369 that directs mail to a human person. The postmaster address is
370 required to exist, so that people can report mail delivery problems.
371 While you're updating the aliases(
5) table, be sure to direct mail
372 for the super-user to a human person too.
</p>
382 <p> Execute the command
"newaliases" after changing the aliases
383 file. Instead of /etc/aliases, your alias file may be located
384 elsewhere. Use the command
"postconf alias_maps" to find out.
</p>
386 <p> The Postfix system reports problems to the postmaster alias.
387 You may not be interested in all types of trouble reports, so this
388 reporting mechanism is configurable. The default is to report only
389 serious problems (resource, software) to postmaster:
</p>
391 <p> Default setting:
</p>
395 /etc/postfix/main.cf:
396 notify_classes = resource, software
400 <p> The meaning of the classes is as follows:
</p>
406 <dt> bounce
</dt> <dd> Inform the postmaster of undeliverable
407 mail. Either send the postmaster a copy of undeliverable mail that
408 is returned to the sender, or send a transcript of the SMTP session
409 when Postfix rejected mail. For privacy reasons, the postmaster
410 copy of undeliverable mail is truncated after the original message
411 headers. This implies
"2bounce" (see below). See also the
412 luser_relay feature. The notification is sent to the address
413 specified with the bounce_notice_recipient configuration parameter
414 (default: postmaster).
</dd>
416 <dt> 2bounce
</dt> <dd> When Postfix is unable to return undeliverable
417 mail to the sender, send it to the postmaster instead (without
418 truncating the message after the primary headers). The notification
419 is sent to the address specified with the
2bounce_notice_recipient
420 configuration parameter (default: postmaster).
</dd>
422 <dt> delay
</dt> <dd> Inform the postmaster of delayed mail. In
423 this case, the postmaster receives message headers only. The
424 notification is sent to the address specified with the
425 delay_notice_recipient configuration parameter (default: postmaster).
428 <dt> policy
</dt> <dd> Inform the postmaster of client requests
429 that were rejected because of (UCE) policy restrictions. The
430 postmaster receives a transcript of the SMTP session. The notification
431 is sent to the address specified with the error_notice_recipient
432 configuration parameter (default: postmaster).
</dd>
434 <dt> protocol
</dt> <dd> Inform the postmaster of protocol errors
435 (client or server side) or attempts by a client to execute
436 unimplemented commands. The postmaster receives a transcript of
437 the SMTP session. The notification is sent to the address specified
438 with the error_notice_recipient configuration parameter (default:
441 <dt> resource
</dt> <dd> Inform the postmaster of mail not delivered
442 due to resource problems (for example, queue file write errors).
443 The notification is sent to the address specified with the
444 error_notice_recipient configuration parameter (default: postmaster).
447 <dt> software
</dt> <dd> Inform the postmaster of mail not delivered
448 due to software problems. The notification is sent to the address
449 specified with the error_notice_recipient configuration parameter
450 (default: postmaster).
</dd>
456 <h2><a name=
"proxy_interfaces"> Proxy/NAT external network
459 <p> Some mail servers are connected to the Internet via a network
460 address translator (NAT) or proxy. This means that systems on the
461 Internet connect to the address of the NAT or proxy, instead of
462 connecting to the network address of the mail server. The NAT or
463 proxy forwards the connection to the network address of the mail
464 server, but Postfix does not know this.
</p>
466 <p> If you run a Postfix server behind a proxy or NAT, you need to
467 configure the proxy_interfaces parameter and specify all the external
468 proxy or NAT addresses that Postfix receives mail on. You may
469 specify symbolic hostnames instead of network addresses.
</p>
471 <p> IMPORTANT: You must specify your proxy/NAT external addresses
472 when your system is a backup MX host for other domains, otherwise
473 mail delivery loops will happen when the primary MX host is down.
476 <p> Example: host behind NAT box running a backup MX host.
</p>
480 /etc/postfix/main.cf:
481 proxy_interfaces =
1.2.3.4 (the proxy/NAT external network address)
485 <h2> <a name=
"syslog_howto"> What you need to know about
486 Postfix logging
</a> </h2>
488 <p> Postfix daemon processes run in the background, and log problems
489 and normal activity to the syslog daemon. The syslogd process sorts
490 events by class and severity, and appends them to logfiles. The
491 logging classes, levels and logfile names are usually specified in
492 /etc/syslog.conf. At the very least you need something like:
</p>
497 mail.err /dev/console
498 mail.debug /var/log/maillog
502 <p> After changing the syslog.conf file, send a
"HUP" signal to
503 the syslogd process.
</p>
505 <p> IMPORTANT: many syslogd implementations will not create files.
506 You must create files before (re)starting syslogd.
</p>
508 <p> IMPORTANT: on Linux you need to put a
"-" character before the
509 pathname, e.g., -/var/log/maillog, otherwise the syslogd process
510 will use more system resources than Postfix.
</p>
512 <p> Hopefully, the number of problems will be small, but it is a good
513 idea to run every night before the syslog files are rotated:
</p>
518 # egrep '(reject|warning|error|fatal|panic):' /some/log/file
524 <li> <p> The first line (postfix check) causes Postfix to report
525 file permission/ownership discrepancies.
</p>
527 <li> <p> The second line looks for problem reports from the mail
528 software, and reports how effective the relay and junk mail access
529 blocks are. This may produce a lot of output. You will want to
530 apply some postprocessing to eliminate uninteresting information.
535 <p> The
<a href=
"DEBUG_README.html#logging"> DEBUG_README
</a>
536 document describes the meaning of the
"warning" etc. labels in
537 Postfix logging.
</p>
539 <h2> <a name=
"chroot_setup"> Running Postfix daemon processes
542 <p> Postfix daemon processes can be configured (via the master.cf
543 file) to run in a chroot jail. The processes run at a fixed low
544 privilege and with file system access limited to the Postfix queue
545 directories (/var/spool/postfix). This provides a significant
546 barrier against intrusion. The barrier is not impenetrable (chroot
547 limits file system access only), but every little bit helps.
</p>
549 <p>With the exception of Postfix daemons that deliver mail locally
550 and/or that execute non-Postfix commands, every Postfix daemon can
553 <p>Sites with high security requirements should consider to chroot
554 all daemons that talk to the network: the smtp(
8) and smtpd(
8)
555 processes, and perhaps also the lmtp(
8) client. The author's own
556 porcupine.org mail server runs all daemons chrooted that can be
559 <p>The default /etc/postfix/master.cf file specifies that no Postfix
560 daemon runs chrooted. In order to enable chroot operation, edit
561 the file /etc/postfix/master.cf, and follow instructions in the
562 file. When you're finished, execute
"postfix reload" to make the
563 change effective.
</p>
565 <p>Note that a chrooted daemon resolves all filenames relative to
566 the Postfix queue directory (/var/spool/postfix). For successful
567 use of a chroot jail, most UNIX systems require you to bring in
568 some files or device nodes. The examples/chroot-setup directory in
569 the source code distribution has a collection of scripts that help
570 you set up Postfix chroot environments on different operating
573 <p> Additionally, you almost certainly need to configure syslogd
574 so that it listens on a socket inside the Postfix queue directory.
575 Examples of syslogd command line options that achieve this for
576 specific systems:
</p>
578 <p> FreeBSD:
<tt>syslogd -l /var/spool/postfix/var/run/log
</tt> </p>
580 <p> Linux, OpenBSD:
<tt>syslogd -a /var/spool/postfix/dev/log
</tt> </p>
582 <h2><a name=
"myhostname"> My own hostname
</a> </h2>
584 <p> The myhostname parameter specifies the fully-qualified domain
585 name of the machine running the Postfix system. $myhostname
586 appears as the default value in many other Postfix configuration
589 <p> By default, myhostname is set to the local machine name. If
590 your local machine name is not in fully-qualified domain name form,
591 or if you run Postfix on a virtual interface, you will have to
592 specify the fully-qualified domain name that the mail system should
595 <p> Alternatively, if you specify mydomain in main.cf, then Postfix
596 will use its value to generate a fully-qualified default value
597 for the myhostname parameter.
</p>
599 <p> Examples (specify only one of the following):
</p>
603 /etc/postfix/main.cf:
604 myhostname = host.local.domain (machine name is not FQDN)
605 myhostname = host.virtual.domain (virtual interface)
606 myhostname = virtual.domain (virtual interface)
610 <h2><a name=
"mydomain"> My own domain name
</a> </h2>
612 <p> The mydomain parameter specifies the parent domain of
613 $myhostname. By default, it is derived from $myhostname
614 by stripping off the first part (unless the result would be a
615 top-level domain).
</p>
617 <p> Conversely, if you specify mydomain in main.cf, then Postfix
618 will use its value to generate a fully-qualified default value
619 for the myhostname parameter.
</p>
621 <p> Examples (specify only one of the following):
</p>
625 /etc/postfix/main.cf:
626 mydomain = local.domain
627 mydomain = virtual.domain (virtual interface)
631 <h2><a name=
"inet_interfaces">My own network addresses
</a> </h2>
633 <p>The inet_interfaces parameter specifies all network interface
634 addresses that the Postfix system should listen on; mail addressed
635 to
"user@[network address]" will be delivered locally,
636 as if it is addressed to a domain listed in $mydestination.
</p>
638 <p> You can override the inet_interfaces setting in the Postfix
639 master.cf file by prepending an IP address to a server name.
</p>
641 <p> The default is to listen on all active interfaces. If you run
642 mailers on virtual interfaces, you will have to specify what
643 interfaces to listen on.
</p>
645 <p> IMPORTANT: If you run MTAs on virtual interfaces you must
646 specify explicit inet_interfaces values for the MTA that receives
647 mail for the machine itself: this MTA should never listen on the
648 virtual interfaces or you would have a mailer loop when a virtual
651 <p> Example: default setting.
</p>
655 /etc/postfix/main.cf:
656 inet_interfaces = all
660 <p> Example: host running one or more virtual mailers. For
661 each Postfix instance, specify only one of the following.
</p>
665 /etc/postfix/main.cf:
666 inet_interfaces = virtual.host.tld (virtual Postfix)
667 inet_interfaces = $myhostname localhost... (non-virtual Postfix)
671 <p> Note: you need to stop and start Postfix after changing this