On 4/7/04 3:28 PM, chris at [EMAIL PROTECTED] wrote:

> I'd love to hear what others have used or moved to that fit my 3
> requirements (content filter, multiple domains, free/ultra cheap), and
> how well they do each of them.

I've been playing with Postfix on my new iMac for a few weeks and will cut over from SIMS this Friday. With a couple of tools to help you, it's been a relatively pain-free transition so far. If you have a system running Panther (10.3), I suggest checking it out.

Since I had an e-mail from a subscriber to this list asking me how to go about setting up Postfix, here goes:

First off, download a "contribution-ware" tool called Postfix Enabler <http://www.roadstead.com/weblog/Tutorials/PostfixEnabler.html>. This will do 90% of what is needed to get Postfix up and running. What it won't do is any anti-spam stuff. For that, I suggest Jim Seymour's Postfix Anti-UCE Cheat Sheet <http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt>, a great description of how to configure anti-spam stuff in Postfix. Also useful are the Postfix home page <http://www.postfix.org/> and its UCE controls page <http://www.postfix.org/uce.html>.

After you run Postfix Enabler, go into Terminal and take a look at /etc/postfix/main.cf, the Postfix config file. At the bottom, Postfix Enabler will have added some stuff and then included a section marked off by ###Start Custom Config### and ###End Custom Config###. What's in that section is what's in Postfix Enabler's "Custom Postfix Settings" under the "Mail Server" tab.

Here's what's in my main.cf (lines starting with # (but not ###) are comments I've added for this e-mail only):

###Start PostfixEnabler###
# All of this is done by Postfix Enabler based on what you fill in
alias_maps=hash:/etc/postfix/aliases
alias_database=hash:/etc/postfix/aliases
#aliases maps one e-mail address to another. Done in SIMS in the router
inet_interfaces=all
mynetworks_style=subnet
# hosts in mynetworks can relay.
# When set to subnet, all hosts in the subnet can relay (read the comments in main.cf for other settings)
message_size_limit=0
# unlimited
mydomain=grant.stonejongleux.com
myhostname=grant.stonejongleux.com
# who we are and what to send mail as
smtpd_sasl_auth_enable=yes
smtpd_use_pw_server=yes
enable_server_options=yes
smtpd_pw_server_security_options=plain, login
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
# all of the above deals with SMTP AUTH
smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# ignore as we're going to redefine it below
smtpd_sasl_local_domain=$mydomain
# not sure what this does
###End PostfixEnabler###

###Start Custom Config###
smtpd_recipient_restrictions=
# ignore that it says 'recipient', the checks get done as appropriate
    reject_non_fqdn_sender,
# read these pretty much as they say, for this first one, reject the message if the sender is not a Fully-Qualified Domain Name
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
# We know this from SIMS as Verify Return Paths
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
# this and the next check the HELO claimed host - put after permit_mynetworks or you'll end up rejecting most MS mail clients
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    check_recipient_access regexp:/etc/postfix/recipient_checks.regexp,
# see below for my recipient_checks.regexp. Most importantly, this is where we can whitehole recipients such as postmaster and abuse
    check_helo_access hash:/etc/postfix/helo_checks,
# perform some checks on the HELO message. Particularly, reject anyone claiming to be us.
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client http.dnsbl.sorbs.net,
    reject_rbl_client socks.dnsbl.sorbs.net,
    reject_rbl_client misc.dnsbl.sorbs.net,
    reject_rbl_client smtp.dnsbl.sorbs.net,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client korea.services.net,
    reject_rbl_client cn-kt.blackholes.us,
# Let's do our RBL checks. Unfortunately, Postfix doesn't allow us to be selective about the "address" returned. If it doesn't return NXDOMAIN (non-existent domain), it's rejected.
    permit
# Not required but a useful reminder that if the message has made it past all the above, we accept it (it's from outside for our domain).
mynetworks = 192.168.1.0/24, 66.92.131.28/32, 66.92.131.105/32
# this overrides the mynetworks_style above by explicitly listing what addresses are "mynetworks"
mailbox_command = /usr/bin/procmail
# I want Procmail used as the local delivery agent. Works just fine if the user has no .procmailrc but makes it easier for them to use Procmail.
###End Custom Config###

Recipient_checks.regexp:

# Postfix doesn't relay by default. But it may *appear* to do so
# to some testers. The first two statements below remove all
# doubt.
/^\@/ 550 Invalid address format.
/[EMAIL PROTECTED]@/ 550 This server disallows weird address syntax.
# Let email to the following destinations bypass all the remaining
# "reject" and "check" tests. We always want to let email for these
# recipients in.
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
# Note: The "OK"s above, for postmaster, etc., will *not*
# bypass header and body checks.
# There is currently no way
# to do so with Postfix :(

helo_checks:

# This file has to be "compiled" with "postmap" (postmap hash:helo_checks)
# Reject anybody that HELO's as being in our domain(s)
stonejongleux.com REJECT You are not in stonejongleux.com
albion.stonejongleux.com REJECT You are not in albion.stonejongleux.com
grant.stonejongleux.com REJECT You are not in grant.stonejongleux.com
# Reject somebody HELO'ing with our IP address
66.92.131.28 REJECT You are not 66.92.131.28
66.92.131.105 REJECT You are not 66.92.131.105
# Reject somebody HELO'ing as localhost
localhost REJECT You are not me

A few final comments. Unlike SIMS (unless I'm missing something), Postfix will use the system's user database. Meaning each mail user needs to be set up with an account from System Preferences/Accounts subpanel. OTOH, want to access your mail from outside without POP? Enable SSH or Telnet, log into your Mac, and use the shell's mail command or for regular use, download and install Pine or another popular Unix mail client. <http://www.osxgnu.org/> is from where I downloaded Pine.

Please feel free to ask me questions, either privately or on list. Even after I cut over, I'll stick around for a while.

--
Larry Stone
[EMAIL PROTECTED]
http://www.stonejongleux.com/
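
Added example (not part of the original post and not Postfix code): a small Python model of how the smtpd_recipient_restrictions list above is walked, where the first check that returns a verdict ends evaluation, so the position of each entry decides the outcome. LOCAL_DOMAINS, the two sessions and the helper names are assumptions made for the illustration; the checks are simplified (exact-match HELO table, no DNS, sender and RBL checks left out).

```python
import ipaddress
import re

# Constructed from the tables in the post; LOCAL_DOMAINS is an assumption.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("192.168.1.0/24", "66.92.131.28/32", "66.92.131.105/32")]
LOCAL_DOMAINS = {"stonejongleux.com", "grant.stonejongleux.com"}
HELO_DENY = {"stonejongleux.com", "albion.stonejongleux.com", "localhost",
             "grant.stonejongleux.com", "66.92.131.28", "66.92.131.105"}
RCPT_OK = re.compile(r"^(postmaster|hostmaster|abuse)@", re.I)
FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def in_mynetworks(s):
    return any(ipaddress.ip_address(s["ip"]) in n for n in MYNETWORKS)
def local_rcpt(s):
    return s["rcpt"].rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

# Each check returns "PERMIT", "REJECT" or None (no decision, keep going).
CHECKS = {
    "permit_sasl_authenticated": lambda s: "PERMIT" if s["sasl"] else None,
    "permit_mynetworks": lambda s: "PERMIT" if in_mynetworks(s) else None,
    "reject_non_fqdn_hostname": lambda s: None if FQDN.match(s["helo"]) else "REJECT",
    "reject_unauth_destination": lambda s: None if local_rcpt(s) else "REJECT",
    "check_recipient_access": lambda s: "PERMIT" if RCPT_OK.match(s["rcpt"]) else None,
    "check_helo_access": lambda s: "REJECT" if s["helo"].lower() in HELO_DENY else None,
}

# Order used in the post (sender, RBL and invalid-hostname checks left out).
POST_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
              "reject_non_fqdn_hostname", "reject_unauth_destination",
              "check_recipient_access", "check_helo_access"]

def evaluate(order, session):
    """First check that returns a verdict wins; falling off the end permits."""
    for name in order:
        verdict = CHECKS[name](session)
        if verdict:
            return verdict, name
    return "PERMIT", "permit"

def moved_before(order, name, anchor):
    rest = [n for n in order if n != name]   # copy of order without `name`
    i = rest.index(anchor)
    return rest[:i] + [name] + rest[i:]

# Constructed sessions: a LAN client with a bare HELO, and an outside relay try.
LAN_PC = {"ip": "192.168.1.20", "helo": "LARRYPC", "sasl": False,
          "rcpt": "friend@example.net"}
RELAY_TRY = {"ip": "203.0.113.9", "helo": "mail.example.org", "sasl": False,
             "rcpt": "postmaster@example.net"}
```

With the post's order, LAN_PC is permitted by permit_mynetworks before its bare HELO is ever looked at, and RELAY_TRY is rejected by reject_unauth_destination. Moving check_recipient_access ahead of reject_unauth_destination turns the same RELAY_TRY into a PERMIT, so an "OK" table belongs after the relay check, as it is placed in the post.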
