2Apr il 2003, 17:00:47 The Complete FreeBSD (mta.mm), page 489
27
Electronic mail: servers
In this chapter:
• How mail gets delivered
• Installing postfix
• Rejecting spam
• Running postfix at boot time
• Downloading mail from your ISP
• Mailing lists: majordomo
In the previous chapter, we looked at email from a user perspective. The other part of a mail system is the Mail Transfer Agent, or MTA. As the name suggests, MTAs perform the transfer of mail from one system to another. Specifically, they perform three related tasks:
• They send outgoing mail, in other words mail that originates from their system. If the destination system is not available, they look for an alternative system, and if none is available, they retry delivery at a later date. Typically an MTA will retry every 30 minutes for five days before giving up.
• They receive incoming mail, possibly for multiple domain names. They may be quite picky about how they perform this task: since the advent of spam, a number of techniques have developed. We'll look at some in the section on postfix configuration.
• They relay mail. Consider the case where a sending MTA can't reach the destination MTA and chooses an alternative. The alternative MTA is called a relay, and it must be prepared to deliver the mail to the final recipient at a later time. Until a few years ago, MTAs performed relaying by default, but the advent of spam has changed that radically.
Mail has been around for a long time now, well over 25 years. In that time, many mail systems have come and gone. One seems to have been around for ever: the sendmail MTA. sendmail has an unparalleled reputation. On the one hand, it can do just about anything, but on the other hand, its configuration file is one of the most arcane ever to be seen. Still, it's holding well against the competition, and it is still actively being developed.
mta.mm,v v4.15 (2003/04/02 05:01:57) 489
The definitive book on sendmail, called the "bat book" after its cover, was written by Bryan Costales and others (O'Reilly)—see Appendix A, Bibliography for more details. It is over 1000 pages long. Obviously this book can't compete with it.
The good news about sendmail is: it works. It is possible to install sendmail and run it with no configuration whatsoever. The less good news is that in the past few years it has been constantly changing, and any information I write here is liable to be out of date by the time you read it. As a result, I recommend:
If sendmail works for you, use it. If you have difficulties, use postfix instead.
The following sections show how to configure a mail system using postfix. In general, sendmail is quite similar. You'll find every detail in the bat book, and the original sendmail distribution, available from , contains instructions for experts.
How mail gets delivered
Ideally, to send mail, the source MTA contacts the destination MTA and sends the message. In practice, this doesn't always work. Here's the general method:
• Each time an MTA receives a message not addressed to its system, this MTA collects all MX records for the destination that are not higher than its own MX record.
• If the MTA finds any MX records, it attempts to send to one of them, starting at the lowest preference.
• If the lowest MX record points to the MTA's own machine, then there's a mail misconfiguration: the MTA doesn't know what to do with it locally, but the MX is telling it to deliver it locally. When this happens, the MTA rejects the message ("mail loops back to myself").
• If there are no MX records at all (which implies that the MTA doesn't have one either), most, but not all versions of sendmail will look up an A record for the system name. If they find one, they will try to deliver there, and only there.
• If all else fails, the MTA rejects the message ("can't find the destination").
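The selection rules above, worked through as an added example (this is not code from the book or from any MTA): the MX answers and the host names are constructed sample data, and the "no MX records" fall-back is modelled on the A-record behaviour the text attributes to most sendmail versions.

```python
# Added example, not from the book: a model of the MX selection rules the text
# describes, with DNS answers constructed inline so it runs offline.
# mx_records: list of (preference, hostname); lower preference is tried first.
# my_names: hostnames this MTA answers to, so it can recognise its own MX.

def next_hops(mx_records, my_names, a_record=None):
    """Return ('deliver', [hosts in the order to try]) or ('reject', reason)."""
    if not mx_records:
        # No MX at all: fall back to the A record of the system name, and only there
        if a_record is None:
            return ("reject", "can't find the destination")
        return ("deliver", [a_record])
    ranked = sorted(mx_records)                      # lowest preference value first
    own = [pref for pref, host in ranked if host in my_names]
    if own and own[0] == ranked[0][0]:
        # Our own MX is at the lowest preference, yet the mail is not for local
        # delivery: nothing better than ourselves is left to try.
        return ("reject", "mail loops back to myself")
    # Keep only MX records better than our own (RFC 974: records at or above our
    # own preference are dropped); if we are not listed, every record is a candidate.
    cutoff = own[0] if own else None
    hosts = [host for pref, host in ranked if cutoff is None or pref < cutoff]
    return ("deliver", hosts)


# Constructed sample zone data: a primary and a backup MX for example.org
EXAMPLE_MX = [(20, "backup.example.org"), (10, "mail.example.org")]

if __name__ == "__main__":
    print(next_hops(EXAMPLE_MX, {"relay.isp.net"}))        # outside relay: try both
    print(next_hops(EXAMPLE_MX, {"backup.example.org"}))   # backup MX: primary only
    print(next_hops(EXAMPLE_MX, {"mail.example.org"}))     # primary MX: mail loop
    print(next_hops([], set(), a_record="example.org"))    # no MX: A record only
    print(next_hops([], set()))                            # nothing at all
```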
MTA files
MTAs use three different kinds of files:
• Configuration files tell the MTA what to do. Typical configuration issues include what name to present to the outside world, and when to accept mail for delivery and when to reject it. The issue of spam (unsolicited commercial email) makes this quite a complicated issue. postfix keeps its configuration files in the directory /usr/local/etc/postfix, and sendmail keeps them in /etc/mail.
• Outgoing postfix mail is stored in the directory hierarchy /var/spool/postfix, while sendmail currently stores its mail in the hierarchies /var/spool/mqueue and /var/spool/clientmqueue.
• Incoming mail is stored in the directory /var/mail. Normally each user gets a file that corresponds to his user name.
Who gets the mail?
According to RFC 2822, a mail ID is something like , which looks very much like a user ID, the @ sign, and the name of a machine. This similarity is intended, but it's still only a similarity. Consider the system manager of example.org. At different times he might send mail from freebie.example.org, bumble.example.org, and wait.example.org. If the mail ID were associated with the machine, he would have three different mail IDs: , and . It would make things a whole lot simpler (and easier to type) if his mail ID were simply . This name change is called masquerading.
One way to do this would be to associate the name example.org as a CNAME with one of the machines—say wait.example.org. This would work, but it would mean that mail would always have to come from and go to wait.example.org. If for any reason that machine were inaccessible, the mail would not get through. In practice, it's possible to run MTAs on more than one machine. DNS solves this problem with a special class of record, the MX record (mail exchanger). MX records can point to more than one machine, so if one machine is not accessible, the mail can be sent to another. We saw how to add them on page 370. MX records are not directly associated with any particular machine, though they point to the names of machines that run an MTA.
Installing postfix
postfix is in the Ports Collection, not the base system, so before you can use it, you must install it. It is an interactive port: at various points in the installation process it asks for input. The first is a menu offering optional additional configurations, as shown in Figure 27-1. For the configuration in this book, you don't need anything in addition to what the menu suggests; just select OK and continue.
Some time later you get the informational messages:
Added group "postfix".
Added group "maildrop".
Added user "postfix".
You need user "postfix" added to group "mail".
Would you like me to add it [y]? Enter pressed
Done.
Figure 27-1: Postfix configuration menu
The build continues for a while, and finally you get the information:
Installed HTML documentation in /usr/local/share/doc/postfix
===> Generating temporary packing list
Would you like to activate Postfix in /etc/mail/mailer.conf [n]? y
The output goes on to explain which flags to set in your system configuration file /etc/rc.conf. In particular, it tells you to set sendmail_enable and finishes by saying "This will disable Sendmail completely." This may look strange, especially if you don't have any sendmail-related entries in /etc/rc.conf. Why should setting sendmail_enable to YES disable sendmail? Well, it's a somewhat unfortunate choice of naming, and it's possible it will change, but the answer is in the details: sendmail_enable should really be called something like mail_enable. The other sendmail parameters turn off all sendmail-related components.
Configuring postfix
postfix requires only one configuration file, /usr/local/etc/postfix/main.cf. This file contains a large number of comments: with a little experience you can configure it without any outside help. In this section, we'll look at some of the entries of interest.
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
Older MTAs used to run as root, which made it easier to write exploits transmitted by mail. Modern MTAs use a dedicated user ID. As we saw above, the postfix user gets added to your password files when you install it. sendmail uses another user ID, smmsp. Don't change this entry.
Host and domain names
A significant portion of the configuration file defines host names. By default, the variable myhostname is the fully qualified host name of the system, for example freebie.example.org. You should normally leave it like that; it's not identical to the name that will appear on outgoing mail.
The next variable is mydomain, which defaults to the domain name of the system. Again, you won't normally want to change it.
Then comes the variable myorigin, which is the name that appears on outgoing mail. It defaults to myhostname, which is probably not a good choice. As suggested above, a better name would be the domain name, mydomain. Make the following changes to main.cf:
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
#
#
#myorigin = $myhostname
myorigin = $mydomain
In the original configuration file, the last line is present, but it is "commented out": it starts with the # character. Just remove this character.
The next variable of interest is mydestination. This is a list of host and domain names for which the MTA considers itself the final destination (in other words, it accepts mail for final delivery). By default, it accepts mail addressed to the name of the machine ($myhostname in postfix parlance) and also localhost.$mydomain, the local host name for this domain. In particular, it does not accept mail addressed to the domain, so if you send mail as , any reply will bounce. To fix this, add $mydomain to the list.
You might also want to accept mail for other domains. For example, if you also wanted to accept mail for beispiel.org, you would add that name here as well. The result might look like this:
#mydestination = $myhostname, localhost.$mydomain
#mydestination = $myhostname, localhost.$mydomain $mydomain
# a continuation line must start with whitespace, or postfix reads it as a new entry
mydestination = $myhostname, localhost.$mydomain, $mydomain,
    beispiel.org
For the mail for beispiel.org to actually be delivered to this machine, the lowest priority MX record for beispiel.org must point to this host.
Further down, we'll see a feature called virtual hosting. This is a way to allocate email addresses to people without a UNIX account on this machine. It works at the user level, not the domain name level.
Relaying mail
One of the favourite tricks of spammers is to send their mail via another system to give it the aura of respectability. This is doubly annoying for the "other" system: first, it gives it the reputation of being a spammer, and secondly it often incurs expense, either for data charges or simply from congestion. postfix has a number of tricks to help. The first specifies which networks to trust: postfix will relay mail coming from these networks. You could consider this to be "outgoing" mail, though the methods postfix uses don't make this assumption. By default, postfix trusts your network and the localhost network 127.0.0.0/8, in other words with a net mask 255.0.0.0. But how does it know the net mask for your network? There are two possibilities: you tell it, or it guesses.
postfix is pretty simplistic when it comes to guessing. It takes the default net mask for the address class, so if your IP address is, say, 61.109.235.17 (a "class A" network), it will accept mail from any network whose first octet is 61. I know of at least 20 sources of spam in that range. In almost every case, you should specify the network and mask explicitly:
mynetworks = 223.147.37.0/24, 127.0.0.0/8
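To see how much the classful guess trusts compared with the explicit setting, here is an added check (not code from the book or from postfix) that parses a mynetworks value and tests whether a given client address would be relayed for; the host address 61.109.235.17 and the explicit setting are the page's own values, the stranger's address 61.3.4.5 is a constructed sample.

```python
# Added example, not from the book: which clients postfix would relay for under
# the classful guess the text describes, versus an explicit mynetworks value.
import ipaddress

def classful_guess(address):
    """Network obtained from the address class alone, as the guess works."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix = 8       # class A: net mask 255.0.0.0
    elif first_octet < 192:
        prefix = 16      # class B: net mask 255.255.0.0
    elif first_octet < 224:
        prefix = 24      # class C: net mask 255.255.255.0
    else:
        raise ValueError("no default mask for class D/E address: " + address)
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)

def parse_mynetworks(value):
    """Parse a main.cf mynetworks value such as '223.147.37.0/24, 127.0.0.0/8'."""
    return [ipaddress.ip_network(token, strict=False)
            for token in value.replace(",", " ").split()]

def would_relay_for(client, networks):
    """True if a client at this address falls inside a trusted network."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in networks)

MY_ADDRESS = "61.109.235.17"                      # the host address from the text
EXPLICIT = "223.147.37.0/24, 127.0.0.0/8"         # the explicit setting from the text
STRANGER = "61.3.4.5"                             # constructed: unrelated sender in 61/8

if __name__ == "__main__":
    guessed = [classful_guess(MY_ADDRESS)]
    print(guessed[0], "covers", guessed[0].num_addresses, "addresses")
    print("guess relays for stranger:", would_relay_for(STRANGER, guessed))
    explicit = parse_mynetworks(EXPLICIT)
    print("explicit relays for stranger:", would_relay_for(STRANGER, explicit))
```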
This is a good choice where you know the name of the originating networks, for example systems that expect you to handle the mail connection to the outside world. But what if you want to accept mail from anywhere addressed to specific domains? Consider this "incoming" mail, though again that's not the way postfix looks at it. For example, maybe you're a backup MX for beispiel.de, so you want to accept any mail sent to that domain. In that case, you want to relay mail to this domain no matter where it comes from. For this case, use the relay_domains variable, a list of domain names for which postfix will always relay. You might put this in your main.cf:
relay_domains = $mydestination, $mydomain, beispiel.de
You can also use the permit_mx_backup variable to accept mail for any domain that lists you as a secondary MX. This is very dangerous: you don't have any control over who lists you as a secondary MX, so any spammer could take advantage of this setting and use you for a relay.
Aliases revisited
On page 481 we looked at how to set up individual aliases for use with mutt. postfix and sendmail also have an alias facility, this time at the system level. The system installs a file called /etc/mail/aliases. It's there by default, so there's no particular reason to move it. The default /etc/mail/aliases looks like: