Expand PMF_FN_* macros.
[netbsd-mini2440.git] / external / ibm-public / postfix / dist / proto / VIRTUAL_README.html
blob7139d09348eda477ea58c2b0e9c0679202842eb5
1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
4 <html>
6 <head>
8 <title>Postfix Virtual Domain Hosting Howto</title>
10 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
12 </head>
14 <body>
16 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
17 Virtual Domain Hosting Howto</h1>
19 <hr>
21 <h2>Purpose of this document</h2>
23 <p> This document requires Postfix version 2.0 or later. </p>
25 <p> This document gives an overview of how Postfix can be used for
26 hosting multiple Internet domains, both for final delivery on the
27 machine itself and for the purpose of forwarding to destinations
28 elsewhere. </p>
30 <p> The text not only describes delivery mechanisms that are built
31 into Postfix, but also gives pointers for using non-Postfix mail
32 delivery software. </p>
34 <p> The following topics are covered: </p>
36 <ul>
38 <li> <a href="#canonical">Canonical versus hosted versus other domains</a>
40 <li> <a href="#local_vs_database">Local files versus network databases</a>
42 <li> <a href="#local">As simple as can be: shared domains,
43 UNIX system accounts</a>
45 <li> <a href="#virtual_alias">Postfix virtual ALIAS example:
46 separate domains, UNIX system accounts</a>
48 <li> <a href="#virtual_mailbox">Postfix virtual MAILBOX example:
49 separate domains, non-UNIX accounts</a>
51 <li> <a href="#in_virtual_other">Non-Postfix mailbox store: separate
52 domains, non-UNIX accounts</a>
54 <li> <a href="#forwarding">Mail forwarding domains</a>
56 <li> <a href="#mailing_lists">Mailing lists</a>
58 <li> <a href="#autoreplies">Autoreplies</a>
60 </ul>
62 <h2><a name="canonical">Canonical versus hosted versus
63 other domains</a></h2>
65 <p>Most Postfix systems are <b>final destination</b> for only a
66 few domain names. These include the hostnames and [the IP addresses]
67 of the machine that Postfix runs on, and sometimes also include
68 the parent domain of the hostname. The remainder of this document
69 will refer to these domains as the canonical domains. They are
70 usually implemented with the Postfix local domain address class,
71 as defined in the ADDRESS_CLASS_README file.</p>
73 <p> Besides the canonical domains, Postfix can be configured to be
74 <b>final destination</b> for any number of additional domains.
75 These domains are called hosted, because they are not directly
76 associated with the name of the machine itself. Hosted domains are
77 usually implemented with the virtual alias domain address class
78 and/or with the virtual mailbox domain address class, as defined
79 in the ADDRESS_CLASS_README file. </p>
81 <p> But wait! There is more. Postfix can be configured as a backup
82 MX host for other domains. In this case Postfix is <b>not the final
83 destination</b> for those domains. It merely queues the mail when
84 the primary MX host is down, and forwards the mail when the primary
85 MX host becomes available. This function is implemented with the
86 relay domain address class, as defined in the ADDRESS_CLASS_README
87 file. </p>
89 <p> Finally, Postfix can be configured as a transit host for sending
90 mail across the internet. Obviously, Postfix is not final destination
91 for such mail. This function is available only for authorized
92 clients and/or users, and is implemented by the default domain
93 address class, as defined in the ADDRESS_CLASS_README file. </p>
95 <h2><a name="local_vs_database">Local files versus network databases</a></h2>
97 <p> The examples in this text use table lookups from local files
98 such as DBM or Berkeley DB. These are easy to debug with the
99 <b>postmap</b> command: </p>
101 <blockquote>
102 Example: <tt>postmap -q info@example.com hash:/etc/postfix/virtual</tt>
103 </blockquote>
105 <p> See the documentation in LDAP_README, MYSQL_README and PGSQL_README
106 for how to replace local files by databases. The reader is strongly
107 advised to make the system work with local files before migrating
108 to network databases, and to use the <b>postmap</b> command to verify
109 that network database lookups produce the exact same results as
110 local file lookup. </p>
112 <blockquote>
113 Example: <tt>postmap -q info@example.com ldap:/etc/postfix/virtual.cf</tt>
114 </blockquote>
116 <h2><a name="local">As simple as can be: shared domains, UNIX system
117 accounts</a></h2>
119 <p> The simplest method to host an additional domain is to add the
120 domain name to the domains listed in the Postfix mydestination
121 configuration parameter, and to add the user names to the UNIX
122 password file. </p>
124 <p> This approach makes no distinction between canonical and hosted
125 domains. Each username can receive mail in every domain. </p>
127 <p> In the examples we will use "example.com" as the domain that is
128 being hosted on the local Postfix machine. </p>
130 <blockquote>
131 <pre>
132 /etc/postfix/main.cf:
133 mydestination = $myhostname localhost.$mydomain ... example.com
134 </pre>
135 </blockquote>
137 <p> The limitations of this approach are: </p>
139 <ul>
141 <li>A total lack of separation: mail for info@my.host.name is
142 delivered to the same UNIX system account as mail for info@example.com.
144 <li> With users in the UNIX password file, administration of large
145 numbers of users becomes inconvenient.
147 </ul>
149 <p> The examples that follow provide solutions for both limitations.
150 </p>
152 <h2><a name="virtual_alias">Postfix virtual ALIAS example:
153 separate domains, UNIX system accounts</a></h2>
155 <p> With the approach described in this section, every hosted domain
156 can have its own info etc. email address. However, it still uses
157 UNIX system accounts for local mailbox deliveries. </p>
159 <p> With virtual alias domains, each hosted address is aliased to
160 a local UNIX system account or to a remote address. The example
161 below shows how to use this mechanism for the example.com domain.
162 </p>
164 <blockquote>
165 <pre>
166 1 /etc/postfix/main.cf:
167 2 virtual_alias_domains = example.com ...other hosted domains...
168 3 virtual_alias_maps = hash:/etc/postfix/virtual
170 5 /etc/postfix/virtual:
171 6 postmaster@example.com postmaster
172 7 info@example.com joe
173 8 sales@example.com jane
174 9 # Uncomment entry below to implement a catch-all address
175 10 # @example.com jim
176 11 ...virtual aliases for more domains...
177 </pre>
178 </blockquote>
180 <p> Notes: </p>
182 <ul>
184 <li> <p> Line 2: the virtual_alias_domains setting tells Postfix
185 that example.com is a so-called virtual alias domain. If you omit
186 this setting then Postfix will reject mail (relay access denied)
187 or will not be able to deliver it (mail for example.com loops back
188 to myself). </p>
190 <p> NEVER list a virtual alias domain name as a mydestination
191 domain! </p>
193 <li> <p> Lines 3-8: the /etc/postfix/virtual file contains the virtual
194 aliases. With the example above, mail for postmaster@example.com
195 goes to the local postmaster, while mail for info@example.com goes
196 to the UNIX account joe, and mail for sales@example.com goes to
197 the UNIX account jane. Mail for all other addresses in example.com
198 is rejected with the error message "User unknown". </p>
200 <li> <p> Line 10: the commented out entry (text after #) shows how
201 one would implement a catch-all virtual alias that receives mail
202 for every example.com address not listed in the virtual alias file.
203 This is not without risk. Spammers nowadays try to send mail from
204 (or mail to) every possible name that they can think of. A catch-all
205 mailbox is likely to receive many spam messages, and many bounces
206 for spam messages that were sent in the name of anything@example.com.
207 </p>
209 </ul>
211 <p>Execute the command "<b>postmap /etc/postfix/virtual</b>" after
212 changing the virtual file, and execute the command "<b>postfix
213 reload</b>" after changing the main.cf file. </p>
215 <p> Note: virtual aliases can resolve to a local address or to a
216 remote address, or both. They don't have to resolve to UNIX system
217 accounts on your machine. </p>
219 <p> More details about the virtual alias file are given in the
220 virtual(5) manual page, including multiple addresses on the right-hand
221 side. </p>
223 <p> Virtual aliasing solves one problem: it allows each domain to
224 have its own info mail address. But there still is one drawback:
225 each virtual address is aliased to a UNIX system account. As you
226 add more virtual addresses you also add more UNIX system accounts.
227 The next section eliminates this problem. </p>
229 <h2><a name="virtual_mailbox">Postfix virtual MAILBOX example:
230 separate domains, non-UNIX accounts</a></h2>
232 <p> As a system hosts more and more domains and users, it becomes less
233 desirable to give every user their own UNIX system account.</p>
235 <p> With the Postfix virtual(8) mailbox delivery agent, every
236 recipient address can have its own virtual mailbox. Unlike virtual
237 alias domains, virtual mailbox domains do not need the clumsy
238 translation from each recipient addresses into a different address,
239 and owners of a virtual mailbox address do not need to have a UNIX
240 system account.</p>
242 <p> The Postfix virtual(8) mailbox delivery agent looks up the user
243 mailbox pathname, uid and gid via separate tables that are searched
244 with the recipient's mail address. Maildir style delivery is turned
245 on by terminating the mailbox pathname with "/".</p>
247 <p> If you find the idea of multiple tables bothersome, remember
248 that you can migrate the information (once it works), to an SQL
249 database. If you take that route, be sure to review the <a
250 href="#local_vs_database"> "local files versus databases"</a>
251 section at the top of this document.</p>
253 <p> Here is an example of a virtual mailbox domain "example.com":
254 </p>
256 <blockquote>
257 <pre>
258 1 /etc/postfix/main.cf:
259 2 virtual_mailbox_domains = example.com ...more domains...
260 3 virtual_mailbox_base = /var/mail/vhosts
261 4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox
262 5 virtual_minimum_uid = 100
263 6 virtual_uid_maps = static:5000
264 7 virtual_gid_maps = static:5000
265 8 virtual_alias_maps = hash:/etc/postfix/virtual
267 10 /etc/postfix/vmailbox:
268 11 info@example.com example.com/info
269 12 sales@example.com example.com/sales/
270 13 # Comment out the entry below to implement a catch-all.
271 14 # @example.com example.com/catchall
272 15 ...virtual mailboxes for more domains...
274 17 /etc/postfix/virtual:
275 18 postmaster@example.com postmaster
276 </pre>
277 </blockquote>
279 <p> Notes: </p>
281 <ul>
283 <li> <p> Line 2: The virtual_mailbox_domains setting tells Postfix
284 that example.com is a so-called virtual mailbox domain. If you omit
285 this setting then Postfix will reject mail (relay access denied)
286 or will not be able to deliver it (mail for example.com loops back
287 to myself). </p>
289 <p> NEVER list a virtual MAILBOX domain name as a mydestination
290 domain! </p>
292 <p> NEVER list a virtual MAILBOX domain name as a virtual ALIAS
293 domain! </p>
295 <li> <p> Line 3: The virtual_mailbox_base parameter specifies a
296 prefix for all virtual mailbox pathnames. This is a safety mechanism
297 in case someone makes a mistake. It prevents mail from being
298 delivered all over the file system. </p>
300 <li> <p> Lines 4, 10-15: The virtual_mailbox_maps parameter specifies
301 the lookup table with mailbox (or maildir) pathnames, indexed by
302 the virtual mail address. In this example, mail for info@example.com
303 goes to the mailbox at /var/mail/vhosts/example.com/info while mail
304 for sales@example.com goes to the maildir located at
305 /var/mail/vhosts/example.com/sales/. </p>
307 <li> <p> Line 5: The virtual_minimum_uid specifies a lower bound
308 on the mailbox or maildir owner's UID. This is a safety mechanism
309 in case someone makes a mistake. It prevents mail from being written
310 to sensitive files. </p>
312 <li> <p> Lines 6, 7: The virtual_uid_maps and virtual_gid_maps
313 parameters specify that all the virtual mailboxes are owned by a
314 fixed uid and gid 5000. If this is not what you want, specify
315 lookup tables that are searched by the recipient's mail address.
316 </p>
318 <li> <p> Line 14: The commented out entry (text after #) shows how
319 one would implement a catch-all virtual mailbox address. Be prepared
320 to receive a lot of spam, as well as bounced spam that was sent in
321 the name of anything@example.com. </p>
323 <p> NEVER put a virtual MAILBOX wild-card in the virtual ALIAS
324 file!! </p>
326 <li> <p> Lines 8, 17, 18: As you see, it is possible to mix virtual
327 aliases with virtual mailboxes. We use this feature to redirect
328 mail for example.com's postmaster address to the local postmaster.
329 You can use the same mechanism to redirect an address to a remote
330 address. </p>
332 <li> <p> Line 18: This example assumes that in main.cf, $myorigin
333 is listed under the mydestination parameter setting. If that is
334 not the case, specify an explicit domain name on the right-hand
335 side of the virtual alias table entries or else mail will go to
336 the wrong domain. </p>
338 </ul>
340 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
341 changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
342 after changing the vmailbox file, and execute the command "<b>postfix
343 reload</b>" after changing the main.cf file. </p>
345 <p> Note: mail delivery happens with the recipient's UID/GID
346 privileges specified with virtual_uid_maps and virtual_gid_maps.
347 Postfix 2.0 and earlier will not create mailDIRs in world-writable
348 parent directories; you must create them in advance before you can
349 use them. Postfix may be able to create mailBOX files by itself,
350 depending on parent directory write permissions, but it is safer
351 to create mailBOX files ahead of time. </p>
353 <p> More details about the virtual mailbox delivery agent are given
354 in the virtual(8) manual page. </p>
356 <h2><a name="in_virtual_other">Non-Postfix mailbox store: separate
357 domains, non-UNIX accounts</a></h2>
359 <p> This is a variation on the Postfix virtual mailbox example.
360 Again, every hosted address can have its own mailbox. </p>
362 <p> While non-Postfix software is being used for final delivery,
363 some Postfix concepts are still needed in order to glue everything
364 together. For additional background on this glue you may want to
365 take a look at the virtual mailbox domain class as defined in the
366 ADDRESS_CLASS_README file. </p>
368 <p> The text in this section describes what things should look like
369 from Postfix's point of view. See CYRUS_README or MAILDROP_README
370 for specific information about Cyrus or about Courier maildrop.
371 </p>
373 <p> Here is an example for a hosted domain example.com that delivers
374 to a non-Postfix delivery agent: </p>
376 <blockquote>
377 <pre>
378 1 /etc/postfix/main.cf:
379 2 virtual_transport = ...see below...
380 3 virtual_mailbox_domains = example.com ...more domains...
381 4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox
382 5 virtual_alias_maps = hash:/etc/postfix/virtual
384 7 /etc/postfix/vmailbox:
385 8 info@example.com whatever
386 9 sales@example.com whatever
387 10 # Comment out the entry below to implement a catch-all.
388 11 # Configure the mailbox store to accept all addresses.
389 12 # @example.com whatever
390 13 ...virtual mailboxes for more domains...
392 15 /etc/postfix/virtual:
393 16 postmaster@example.com postmaster
394 </pre>
395 </blockquote>
397 <p> Notes: </p>
399 <ul>
401 <li> <p> Line 2: With delivery to a non-Postfix mailbox store for
402 hosted domains, the virtual_transport parameter usually specifies
403 the Postfix LMTP client, or the name of a master.cf entry that
404 executes non-Postfix software via the pipe delivery agent. Typical
405 examples (use only one): </p>
407 <blockquote>
408 <pre>
409 virtual_transport = lmtp:unix:/path/name (uses UNIX-domain socket)
410 virtual_transport = lmtp:hostname:port (uses TCP socket)
411 virtual_transport = maildrop: (uses pipe(8) to command)
412 </pre>
413 </blockquote>
415 <p> Postfix comes ready with support for LMTP. And an example
416 maildrop delivery method is already defined in the default Postfix
417 master.cf file. See the MAILDROP_README document for more details.
418 </p>
420 <li> <p> Line 3: The virtual_mailbox_domains setting tells Postfix
421 that example.com is delivered via the virtual_transport that was
422 discussed in the previous paragraph. If you omit this
423 virtual_mailbox_domains setting then Postfix will either reject
424 mail (relay access denied) or will not be able to deliver it (mail
425 for example.com loops back to myself). </p>
427 <p> NEVER list a virtual MAILBOX domain name as a mydestination
428 domain! </p>
430 <p> NEVER list a virtual MAILBOX domain name as a virtual ALIAS
431 domain! </p>
433 <li> <p> Lines 4, 7-13: The virtual_mailbox_maps parameter specifies
434 the lookup table with all valid recipient addresses. The lookup
435 result value is ignored by Postfix. In the above example,
436 info@example.com
437 and sales@example.com are listed as valid addresses; other mail for
438 example.com is rejected with "User unknown" by the Postfix SMTP
439 server. It's left up to the non-Postfix delivery agent to reject
440 non-existent recipients from local submission or from local alias
441 expansion. If you intend to
442 use LDAP, MySQL or PgSQL instead of local files, be sure to review
443 the <a href="#local_vs_database"> "local files versus databases"</a>
444 section at the top of this document! </p>
446 <li> <p> Line 12: The commented out entry (text after #) shows how
447 one would inform Postfix of the existence of a catch-all address.
448 Again, the lookup result is ignored by Postfix. </p>
450 <p> NEVER put a virtual MAILBOX wild-card in the virtual ALIAS
451 file!! </p>
453 <p> Note: if you specify a wildcard in virtual_mailbox_maps, then
454 you still need to configure the non-Postfix mailbox store to receive
455 mail for any address in that domain. </p>
457 <li> <p> Lines 5, 15, 16: As you see above, it is possible to mix
458 virtual aliases with virtual mailboxes. We use this feature to
459 redirect mail for example.com's postmaster address to the local
460 postmaster. You can use the same mechanism to redirect any addresses
461 to a local or remote address. </p>
463 <li> <p> Line 16: This example assumes that in main.cf, $myorigin
464 is listed under the mydestination parameter setting. If that is
465 not the case, specify an explicit domain name on the right-hand
466 side of the virtual alias table entries or else mail will go to
467 the wrong domain. </p>
469 </ul>
471 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
472 changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
473 after changing the vmailbox file, and execute the command "<b>postfix
474 reload</b>" after changing the main.cf file. </p>
476 <h2><a name="forwarding">Mail forwarding domains</a></h2>
478 <p> Some providers host domains that have no (or only a few) local
479 mailboxes. The main purpose of these domains is to forward mail
480 elsewhere. The following example shows how to set up example.com
481 as a mail forwarding domain: </p>
483 <blockquote>
484 <pre>
485 1 /etc/postfix/main.cf:
486 2 virtual_alias_domains = example.com ...other hosted domains...
487 3 virtual_alias_maps = hash:/etc/postfix/virtual
489 5 /etc/postfix/virtual:
490 6 postmaster@example.com postmaster
491 7 joe@example.com joe@somewhere
492 8 jane@example.com jane@somewhere-else
493 9 # Uncomment entry below to implement a catch-all address
494 10 # @example.com jim@yet-another-site
495 11 ...virtual aliases for more domains...
496 </pre>
497 </blockquote>
499 <p> Notes: </p>
501 <ul>
503 <li> <p> Line 2: The virtual_alias_domains setting tells Postfix
504 that example.com is a so-called virtual alias domain. If you omit
505 this setting then Postfix will reject mail (relay access denied)
506 or will not be able to deliver it (mail for example.com loops back
507 to myself). </p>
509 <p> NEVER list a virtual alias domain name as a mydestination
510 domain! </p>
512 <li> <p> Lines 3-11: The /etc/postfix/virtual file contains the
513 virtual aliases. With the example above, mail for postmaster@example.com
514 goes to the local postmaster, while mail for joe@example.com goes
515 to the remote address joe@somewhere, and mail for jane@example.com
516 goes to the remote address jane@somewhere-else. Mail for all other
517 addresses in example.com is rejected with the error message "User
518 unknown". </p>
520 <li> <p> Line 10: The commented out entry (text after #) shows how
521 one would implement a catch-all virtual alias that receives mail
522 for every example.com address not listed in the virtual alias file.
523 This is not without risk. Spammers nowadays try to send mail from
524 (or mail to) every possible name that they can think of. A catch-all
525 mailbox is likely to receive many spam messages, and many bounces
526 for spam messages that were sent in the name of anything@example.com.
527 </p>
529 </ul>
531 <p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
532 changing the virtual file, and execute the command "<b>postfix
533 reload</b>" after changing the main.cf file. </p>
535 <p> More details about the virtual alias file are given in the
536 virtual(5) manual page, including multiple addresses on the right-hand
537 side. </p>
539 <h2><a name="mailing_lists">Mailing lists</a></h2>
541 <p> The examples that were given above already show how to direct
542 mail for virtual postmaster addresses to a local postmaster. You
543 can use the same method to direct mail for any address to a local
544 or remote address. </p>
546 <p> There is one major limitation: virtual aliases and virtual
547 mailboxes can't directly deliver to mailing list managers such as
548 majordomo. The solution is to set up virtual aliases that direct
549 virtual addresses to the local delivery agent: </p>
551 <blockquote>
552 <pre>
553 /etc/postfix/main.cf:
554 virtual_alias_maps = hash:/etc/postfix/virtual
556 /etc/postfix/virtual:
557 listname-request@example.com listname-request
558 listname@example.com listname
559 owner-listname@example.com owner-listname
561 /etc/aliases:
562 listname: "|/some/where/majordomo/wrapper ..."
563 owner-listname: ...
564 listname-request: ...
565 </pre>
566 </blockquote>
568 <p> This example assumes that in main.cf, $myorigin is listed under
569 the mydestination parameter setting. If that is not the case,
570 specify an explicit domain name on the right-hand side of the
571 virtual alias table entries or else mail will go to the wrong
572 domain. </p>
574 <p> More information about the Postfix local delivery agent can be
575 found in the local(8) manual page. </p>
577 <p> Why does this example use a clumsy virtual alias instead of a
578 more elegant transport mapping? The reason is that mail for the
579 virtual mailing list would be rejected with "User unknown". In
580 order to make the transport mapping work one would still need a
581 bunch of virtual alias or virtual mailbox table entries. </p>
583 <ul>
585 <li> In case of a virtual alias domain, there would need to be one
586 identity mapping from each mailing list address to itself.
588 <li> In case of a virtual mailbox domain, there would need to be
589 a dummy mailbox for each mailing list address.
591 </ul>
593 <h2><a name="autoreplies">Autoreplies</a></h2>
595 <p> In order to set up an autoreply for virtual recipients while
596 still delivering mail as normal, set up a rule in a virtual alias
597 table: </p>
599 <blockquote>
600 <pre>
601 /etc/postfix/main.cf:
602 virtual_alias_maps = hash:/etc/postfix/virtual
604 /etc/postfix/virtual:
605 user@domain.tld user@domain.tld, user@domain.tld@autoreply.mydomain.tld
606 </pre>
607 </blockquote>
609 <p> This delivers mail to the recipient, and sends a copy of the
610 mail to the address that produces automatic replies. The address
611 can be serviced on a different machine, or it can be serviced
612 locally by setting up a transport map entry that pipes all mail
613 for autoreply.mydomain.tld into some script that sends an automatic
614 reply back to the sender. </p>
616 <p> DO NOT list autoreply.mydomain.tld in mydestination! </p>
618 <blockquote>
619 <pre>
620 /etc/postfix/main.cf:
621 transport_maps = hash:/etc/postfix/transport
623 /etc/postfix/transport:
624 autoreply.mydomain.tld autoreply:
626 /etc/postfix/master.cf:
627 # =============================================================
628 # service type private unpriv chroot wakeup maxproc command
629 # (yes) (yes) (yes) (never) (100)
630 # =============================================================
631 autoreply unix - n n - - pipe
632 flags= user=nobody argv=/path/to/autoreply $sender $mailbox
633 </pre>
634 </blockquote>
636 <p> This invokes /path/to/autoreply with the sender address and
637 the user@domain.tld recipient address on the command line. </p>
639 <p> For more information, see the pipe(8) manual page, and the
640 comments in the Postfix master.cf file. </p>
642 </body>
644 </html>