Postfix is a powerful and secure Mail Transfer Agent (MTA). It is the default mail server of many Linux distributions and is used for sending and receiving e-mail.
Installation
Debian/Ubuntu
apt update
apt install postfix
# During installation:
# → Internet Site
# → Mail name: example.com
CentOS/RHEL
dnf install postfix
systemctl enable --now postfix
Basic configuration
Main configuration
# /etc/postfix/main.cf
# Basic settings
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
# Network
inet_interfaces = all
inet_protocols = ipv4
# Local delivery
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# Mailbox
home_mailbox = Maildir/
# Or: mailbox_command = /usr/bin/procmail
# Relay
relayhost =
# Limits
message_size_limit = 52428800
mailbox_size_limit = 0
Checking the configuration
postconf -n # non-default values
postfix check
systemctl reload postfix
Setting up TLS/SSL
Certificates
# Let's Encrypt
certbot certonly --standalone -d mail.example.com
TLS configuration
# /etc/postfix/main.cf
# TLS for incoming connections
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# TLS for outgoing connections
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Modern TLS settings
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
Submission port (587)
# /etc/postfix/master.cf
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
SASL authentication
Dovecot SASL
apt install dovecot-core
# /etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# /etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Spam protection
Basic restrictions
# /etc/postfix/main.cf
# HELO check
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
# Sender check
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
# Recipient check
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
Greylisting
apt install postgrey
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:10023
SPF check
apt install postfix-policyd-spf-python
# /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service unix:private/policyd-spf
Virtual domains
Configuration
# /etc/postfix/main.cf
virtual_mailbox_domains = example.com, example.org
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
Mailboxes
# /etc/postfix/vmailbox
info@example.com example.com/info/
sales@example.com example.com/sales/
user@example.org example.org/user/
postmap /etc/postfix/vmailbox
Aliases
# /etc/postfix/virtual
postmaster@example.com admin@example.com
abuse@example.com admin@example.com
webmaster@example.com admin@example.com
postmap /etc/postfix/virtual
Creating the user
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail/vhosts -s /sbin/nologin
mkdir -p /var/mail/vhosts/example.com
chown -R vmail:vmail /var/mail/vhosts
Relay host
Sending via a provider
# /etc/postfix/main.cf
relayhost = [smtp.provider.de]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
# /etc/postfix/sasl_passwd
[smtp.provider.de]:587 username:password
postmap /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd*
Header modification
Cleaning up outgoing headers
# /etc/postfix/main.cf
smtp_header_checks = regexp:/etc/postfix/header_checks
# /etc/postfix/header_checks
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
Mail queue
Showing the queue
# Queue status
postqueue -p
mailq
# Queue statistics
qshape
Managing the queue
# Deliver all mail
postqueue -f
# Deliver a specific message
postqueue -i QUEUE_ID
# Delete a message
postsuper -d QUEUE_ID
# Delete all
postsuper -d ALL
# Delete all deferred
postsuper -d ALL deferred
Logging
Checking the logs
tail -f /var/log/mail.log
journalctl -u postfix -f
Log analysis
# Install pflogsumm
apt install pflogsumm
# Daily report
pflogsumm /var/log/mail.log
# Detailed
pflogsumm -d today /var/log/mail.log
DNS records
Required DNS records
# MX record
example.com. IN MX 10 mail.example.com.
# A record
mail.example.com. IN A 192.168.1.10
# PTR record (reverse DNS)
10.1.168.192.in-addr.arpa. IN PTR mail.example.com.
# SPF
example.com. IN TXT "v=spf1 mx ip4:192.168.1.10 -all"
# DMARC
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
Setting up DKIM
Installing OpenDKIM
apt install opendkim opendkim-tools
Configuration
# /etc/opendkim.conf
Syslog yes
UMask 007
Domain example.com
Selector mail
KeyFile /etc/opendkim/keys/example.com/mail.private
Socket local:/var/spool/postfix/opendkim/opendkim.sock
Generating the key
mkdir -p /etc/opendkim/keys/example.com
opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s mail
chown -R opendkim:opendkim /etc/opendkim
Postfix integration
# /etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock
DNS record
cat /etc/opendkim/keys/example.com/mail.txt
# → Create the DNS TXT record
Troubleshooting
Connection test
# Telnet
telnet mail.example.com 25
# OpenSSL (TLS)
openssl s_client -connect mail.example.com:587 -starttls smtp
Mail test
# Send a test mail
echo "Test" | mail -s "Test" user@example.com
# With details
sendmail -v user@example.com < testmail.txt
Common problems
# Relay access denied
# → Check mynetworks or SASL auth
# Connection refused
# → Check firewall, inet_interfaces
# TLS errors
# → Check certificates: postfix tls
Summary
| Command | Function |
|--------|----------|
| postfix check | Check configuration |
| postfix reload | Reload configuration |
| postqueue -p | Show queue |
| postqueue -f | Process queue |
| postsuper -d ID | Delete mail |
| postconf -n | Show configuration |

| File | Description |
|-------|--------------|
| /etc/postfix/main.cf | Main configuration |
| /etc/postfix/master.cf | Service configuration |
| /etc/aliases | Local aliases |
| /var/log/mail.log | Log file |
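The spam protection section sets smtpd_recipient_restrictions in three separate snippets (basic restrictions, greylisting, SPF); in main.cf a later assignment of a parameter replaces the earlier one, and Postfix's SMTPD_POLICY_README asks for check_policy_service to come after reject_unauth_destination. The check below is an added example, not part of the original article, that reads main.cf the way Postfix does (continuation lines, comments) and reports both problems. The function names and finding codes are hypothetical, and the sample main.cf is constructed.

```python
import re

# Constructed sample: basic restrictions plus the greylisting snippet pasted as-is.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
# Greylisting
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10023
"""

def parse_main_cf(text):
    """Return ({parameter: effective value}, [parameters assigned more than once])."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues a line
        else:
            logical.append(line.strip())
    params, repeated = {}, []
    for entry in logical:
        name, _, value = (part.strip() for part in entry.partition("="))
        if name in params and name not in repeated:
            repeated.append(name)
        params[name] = value  # a later assignment replaces an earlier one
    return params, repeated

def audit_recipient_restrictions(text):
    """Return finding codes (hypothetical names) for smtpd_recipient_restrictions."""
    params, repeated = parse_main_cf(text)
    name = "smtpd_recipient_restrictions"
    tokens = [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]
    findings = []
    if name in repeated:
        findings.append("assigned-more-than-once")
    if "reject_unauth_destination" not in tokens:
        findings.append("no-reject_unauth_destination")
    elif "check_policy_service" in tokens[: tokens.index("reject_unauth_destination")]:
        findings.append("policy-service-before-reject_unauth_destination")
    return findings

if __name__ == "__main__":
    print(audit_recipient_restrictions(SAMPLE_MAIN_CF))
```

On a live system, `postconf smtpd_recipient_restrictions` prints the value Postfix actually uses.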
Conclusion
Postfix is a powerful and secure MTA. The basic configuration is straightforward, but a complete mail server requires additional components such as Dovecot (IMAP), spam filters and DKIM. For production systems, an all-in-one solution such as iRedMail or Mailcow, which integrates all components, is recommended.