xref: /src/external/ibm-public/postfix/dist/html/STANDARD_CONFIGURATION_README.html

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix Standard Configuration Examples</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Standard Configuration Examples</h1>

<hr>

<h2>Purpose of this document</h2>

<p> This document presents a number of typical Postfix configurations.
This document should be reviewed after you have followed the basic
configuration steps as described in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a>
document. In particular, do not proceed here if you don't already
have Postfix working for local mail submission and for local mail
delivery. </p>

<p> The first part of this document presents standard configurations
that each solve one specific problem. </p>

<ul>

<li><a href="#stand_alone">Postfix on a stand-alone Internet host</a>

<li><a href="#null_client">Postfix on a null client</a>

<li><a href="#local_network">Postfix on a local network</a>

<li><a href="#firewall">Postfix email firewall/gateway</a>

</ul>

<p> The second part of this document presents additional configurations
for hosts in specific environments. </p>

<ul>

<li><a href="#some_local">Delivering some but not all accounts locally</a>

<li><a href="#intranet">Running Postfix behind a firewall</a>

<li><a href="#backup">Configuring Postfix as primary or backup MX host for a remote
site</a>

<li><a href="#dialup">Postfix on a dialup machine</a>

<li><a href="#fantasy">Postfix on hosts without a real
Internet hostname</a>

</ul>

<h2><a name="stand_alone">Postfix on a stand-alone Internet host</a></h2>

<p> Postfix should work out of the box without change on a stand-alone
machine that has direct Internet access.  At least, that is how
Postfix installs when you download the Postfix source code via
<a href="https://www.postfix.org/">https://www.postfix.org/</a>. </p>

<p> You can use the command "<b>postconf -n</b>" to find out what
settings are overruled by your <a href="postconf.5.html">main.cf</a>. Besides a few pathname
settings, few parameters should be set on a stand-alone box, beyond
what is covered in the <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> document: </p>

<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    # Optional: send mail as user@domainname instead of user@hostname.
    #<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>

    # Optional: specify NAT/proxy external address.
    #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4

    # Alternative 1: don't relay mail from other hosts.
    <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host
    <a href="postconf.5.html#relay_domains">relay_domains</a> =

    # Alternative 2: relay mail from local clients only.
    # <a href="postconf.5.html#mynetworks">mynetworks</a> = 192.168.1.0/28
    # <a href="postconf.5.html#relay_domains">relay_domains</a> =
</pre>
</blockquote>

<p> See also the section "<a href="#fantasy">Postfix on hosts without
a real Internet hostname</a>" if this is applicable to your configuration.
</p>

<h2><a name="null_client">Postfix on a null client</a></h2>

<p> A null client is a machine that can only send mail. It receives no
mail from the network, and it does not deliver any mail locally. A
null client typically uses POP, IMAP or NFS for mailbox access. </p>

<p> In this example we assume that the Internet domain name is
"example.com" and that the machine is named "hostname.example.com".
As usual, the examples show only parameters that are not left at
their default settings. </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#myhostname">myhostname</a> = hostname.example.com
3     <a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
4     <a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
5     <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback-only
6     <a href="postconf.5.html#mydestination">mydestination</a> =
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Line 2: Set <a href="postconf.5.html#myhostname">myhostname</a> to hostname.example.com, in case
the machine name isn't set to a fully-qualified domain name (use
the command "postconf -d <a href="postconf.5.html#myhostname">myhostname</a>" to find out what the machine
name is).  </p>

<li> <p> Line 2: The <a href="postconf.5.html#myhostname">myhostname</a> value also provides the default
value for the <a href="postconf.5.html#mydomain">mydomain</a> parameter (here, "<a href="postconf.5.html#mydomain">mydomain</a> = example.com").
</p>

<li> <p> Line 3: Send mail as "user (a] example.com" (instead of
"user (a] hostname.example.com"), so that nothing ever has a reason
to send mail to "user (a] hostname.example.com". </p>

<li> <p> Line 4: Forward all mail to the mail server that is
responsible for the "example.com" domain. This prevents mail from
getting stuck on the null client if it is turned off while some
remote destination is unreachable. Specify a real hostname
here if your "example.com" domain has no MX record. </p>

<li> <p> Line 5: Do not accept mail from the network. </p>

<li> <p> Line 6: Disable local mail delivery. All mail goes to
the mail server as specified in line 4.  </p>

</ul>

<h2><a name="local_network">Postfix on a local network</a></h2>

<p> This section describes a local area network environment of one
main server and multiple other systems that send and receive email.
As usual we assume that the Internet domain name is "example.com".
All systems are configured to send mail as "user (a] example.com", and
all systems receive mail for "user (a] hostname.example.com".  The main
server also receives mail for "user (a] example.com". We call this
machine by the name of mailhost.example.com. </p>

<p> A drawback of sending mail as "user (a] example.com" is that mail
for "root" and other system accounts is also sent to the central
mailhost. See the section "<a href="#some_local">Delivering some
but not all accounts locally</a>" below for possible solutions.
</p>

<p> As usual, the examples show only parameters that are not left
at their default settings. </p>

<p> First we present the non-mailhost configuration, because it is
the simpler one. This machine sends mail as "user (a] example.com" and
is the final destination for "user (a] hostname.example.com". </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
3     <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 10.0.0.0/24
4     <a href="postconf.5.html#relay_domains">relay_domains</a> =
5     # Optional: forward all non-local mail to mailhost
6     #<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Line 2: Send mail as "user (a] example.com". </p>

<li> <p> Line 3: Specify the trusted networks. </p>

<li> <p> Line 4: This host does not relay mail from untrusted networks. </p>

<li> <p> Line 6: This is needed if no direct Internet access is
available.  See also below, "<a href="#firewall">Postfix behind
a firewall</a>". </p>

</ul>

<p> Next we present the mailhost configuration.  This machine sends
mail as "user (a] example.com" and is the final destination for
"user (a] hostname.example.com" as well as "user (a] example.com". </p>

<blockquote>
<pre>
 1 DNS:
 2     example.com    IN    MX  10 mailhost.example.com.
 3 
 4 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 5     <a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
 6     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost $<a href="postconf.5.html#mydomain">mydomain</a>
 7     <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 10.0.0.0/24
 8     <a href="postconf.5.html#relay_domains">relay_domains</a> =
 9     # Optional: forward all non-local mail to firewall
10     #<a href="postconf.5.html#relayhost">relayhost</a> = [firewall.example.com]
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Line 2: Send mail for the domain "example.com" to the
machine mailhost.example.com.  Remember to specify the "." at the
end of the line. </p>

<li> <p> Line 5: Send mail as "user (a] example.com". </p>

<li> <p> Line 6: This host is the final mail destination for the
"example.com" domain, in addition to the names of the machine
itself. </p>

<li> <p> Line 7: Specify the trusted networks. </p>

<li> <p> Line 8: This host does not relay mail from untrusted networks. </p>

<li> <p> Line 10: This is needed only when the mailhost has to
forward non-local mail via a mail server on a firewall.  The
<tt>[]</tt> forces Postfix to do no MX record lookups. </p>

</ul>

<p> In an environment like this, users access their mailbox in one
or more of the following ways:

<ul>

<li> <p> Mailbox access via NFS or equivalent.  </p>

<li> <p> Mailbox access via POP or IMAP. </p>

<li> <p> Mailbox on the user's preferred machine. </p>

</ul>

<p> In the latter case, each user has an alias on the mailhost that
forwards mail to her preferred machine: </p>

<blockquote>
<pre>
/etc/aliases:
    joe:    joe (a] joes.preferred.machine
    jane:   jane (a] janes.preferred.machine
</pre>
</blockquote>

<p> On some systems the alias database is not in /etc/aliases.  To
find out the location for your system, execute the command "<b>postconf
<a href="postconf.5.html#alias_maps">alias_maps</a></b>". </p>

<p> Execute the command "<b>newaliases</b>" whenever you change
the aliases file.  </p>

<h2><a name="firewall">Postfix email firewall/gateway</a></h2>

<p> The idea is to set up a Postfix email firewall/gateway that
forwards mail for "example.com" to an inside gateway machine but
rejects mail for "anything.example.com". There is only one problem:
with "<a href="postconf.5.html#relay_domains">relay_domains</a> = example.com", the firewall normally also
accepts mail for "anything.example.com".  That would not be right.
</p>

<p> Note: this example requires Postfix version 2.0 and later. To find
out what Postfix version you have, execute the command "<b>postconf
<a href="postconf.5.html#mail_version">mail_version</a></b>". </p>

<p> The solution is presented in multiple parts. This first part
gets rid of local mail delivery on the firewall, making the firewall
harder to break. </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#myorigin">myorigin</a> = example.com
3     <a href="postconf.5.html#mydestination">mydestination</a> =
4     <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =
5     <a href="postconf.5.html#local_transport">local_transport</a> = <a href="error.8.html">error</a>:local mail delivery is disabled
6 
7 /etc/postfix/<a href="master.5.html">master.cf</a>:
8     Comment out the local delivery agent
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Line 2: Send mail from this machine as "user (a] example.com",
so that no reason exists to send mail to "user (a] firewall.example.com".
</p>

<li> <p> Lines 3-8: Disable local mail delivery on the firewall
machine. </p>

</ul>

<p> For the sake of technical correctness the firewall must be able
to receive mail for postmaster@[firewall ip address]. Reportedly,
some things actually expect this ability to exist. The second part
of the solution therefore adds support for postmaster@[firewall ip
address], and as a bonus we do abuse@[firewall ip address] as well.
All the mail to these two accounts is forwarded to an inside address.
</p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/virtual
3 
4 /etc/postfix/virtual:
5     postmaster      postmaster (a] example.com
6     abuse           abuse (a] example.com
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Because <a href="postconf.5.html#mydestination">mydestination</a> is empty (see the previous example),
only address literals matching $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>
are deemed local.  So "localpart@[a.d.d.r]" can be matched as simply
"localpart" in <a href="canonical.5.html">canonical(5)</a> and <a href="virtual.5.html">virtual(5)</a>. This avoids the need to
specify firewall IP addresses in Postfix configuration files. </p>

</ul>

<p> The last part of the solution does the email forwarding, which
is the real purpose of the firewall email function. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 12.34.56.0/24
 3     <a href="postconf.5.html#relay_domains">relay_domains</a> = example.com
 4     <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> = 
 5         <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> smtpd_access_maps
<br>
 6a    # Postfix 2.10 and later support separate relay control and
 7a    # spam control.
 8a    <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
 9a        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10a    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = ...spam blocking rules....
<br>
 6b    # Older configurations combine relay control and spam control. To
 7b    # use this with Postfix &ge; 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
 8b    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
 9b        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10b        ...spam blocking rules....
<br>
11     <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/relay_recipients
12     <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/transport
13 
14 /etc/postfix/relay_recipients:
15     user1 (a] example.com   x
16     user2 (a] example.com   x
17      . . .
18 
19 /etc/postfix/transport:
20     example.com   relay:[inside-gateway.example.com]
</pre>
</blockquote>

<p> Translation: </p>

<ul>
 
<li><p> Lines 1-10: Accept mail from local systems in $<a href="postconf.5.html#mynetworks">mynetworks</a>,
and accept mail from outside for "user (a] example.com" but not for
"user (a] anything.example.com". The magic is in lines 4-5. </p>

<li> <p> Lines 11, 13-16: Define the list of valid addresses in the
"example.com" domain that can receive mail from the Internet. This
prevents the mail queue from filling up with undeliverable
MAILER-DAEMON messages. If you can't maintain a list of valid
recipients then you must specify "<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> =" (that
is, an empty value), or you must specify an "@example.com  x"
wild-card in the relay_recipients table. </p>

<li> <p> Lines 12, 19-20: Route mail for "example.com" to the inside
gateway machine. The <tt>[]</tt> forces Postfix to do no MX lookup.
This uses the "relay" delivery transport (a copy of the default
"smtp" delivery transport) to forward inbound mail. This can improve
performance of deliveries to internal domains because they will
compete for SMTP clients from the "relay" delivery transport, instead
of competing with other SMTP deliveries for SMTP clients from the
default "smtp" delivery transport. </p>

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/virtual</b>"
whenever you change the virtual file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/virtual</b>"
to specify an explicit type. </p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>

<p> Execute the command "<b>postmap /etc/postfix/relay_recipients</b>"
whenever you change the relay_recipients file, to (re)build a
default-type indexed file. Execute "<b>postmap
<i>type</i>:/etc/postfix/relay_recipients</b>" to specify an explicit
type.</p>

<p> Execute the command "<b>postmap /etc/postfix/transport</b>"
whenever you change the transport file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/transport</b>"
to specify an explicit type. </p>

<p> In some installations, there may be separate instances of Postfix
processing inbound and outbound mail on a multi-homed firewall. The
inbound Postfix instance has an SMTP server listening on the external
firewall interface, and the outbound Postfix instance has an SMTP server
listening on the internal interface. In such a configuration it is
tempting to configure $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in each instance with just the
corresponding interface address. </p>

<p> In most cases, using <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in this way will not work,
because as documented in the $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> reference manual, the
<a href="smtp.8.html">smtp(8)</a> delivery agent will also use the specified interface address
as the source address for outbound connections and will be unable to
reach hosts on "the other side" of the firewall. The symptoms are that
the firewall is unable to connect to hosts that are in fact up. See the
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> parameter documentation for suggested work-arounds.</p>

<h2><a name="some_local">Delivering some but not all accounts
locally</a></h2>

<p> A drawback of sending mail as "user (a] example.com" (instead of
"user (a] hostname.example.com") is that mail for "root" and other
system accounts is also sent to the central mailhost.  In order to
deliver such accounts locally, you can set up virtual aliases as
follows:  </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/virtual
3 
4 /etc/postfix/virtual:
5     root     root@localhost
6     . . .
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Line 5: As described in the <a href="virtual.5.html">virtual(5)</a> manual page, the
bare name "root" matches "root@site" when "site" is equal to
$<a href="postconf.5.html#myorigin">myorigin</a>, when "site" is listed in $<a href="postconf.5.html#mydestination">mydestination</a>, or when it
matches $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
editing the virtual file, to (re)build a default-type indexed file.
Execute "<b>postmap <i>type</i>:/etc/postfix/virtual</b>" to specify
an explicit type. </p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>

<h2><a name="intranet">Running Postfix behind a firewall</a></h2>

<p> The simplest way to set up Postfix on a host behind a firewalled
network is to send all mail to a gateway host, and to let that mail
host take care of internal and external forwarding. Examples of that
are shown in the <a href="#local_network">local area network</a>
section above. A more sophisticated approach is to send only external
mail to the gateway host, and to send intranet mail directly. </p>

<p> Note: this example requires Postfix version 2.0 and later. To find
out what Postfix version you have, execute the command "<b>postconf
<a href="postconf.5.html#mail_version">mail_version</a></b>". </p>

<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed in the first half of this document. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/transport
 3     <a href="postconf.5.html#relayhost">relayhost</a> =
 4     # Optional for a machine that isn't "always on"
 5     #<a href="postconf.5.html#fallback_relay">fallback_relay</a> = [gateway.example.com]
 6 
 7 /etc/postfix/transport:
 8     # Internal delivery.
 9     example.com      :
10     .example.com     :
11     # External delivery.
12     *                <a href="smtp.8.html">smtp</a>:[gateway.example.com]
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Lines 2, 7-12: Request that intranet mail is delivered
directly, and that external mail is given to a gateway. Obviously,
this example assumes that the organization uses DNS MX records
internally.  The <tt>[]</tt> forces Postfix to do no MX lookup.
</p>

<li> <p> Line 3: IMPORTANT: do not specify a <a href="postconf.5.html#relayhost">relayhost</a> in <a href="postconf.5.html">main.cf</a>.
</p>

<li> <p> Line 5: This prevents mail from being stuck in the queue
when the machine is turned off.  Postfix tries to deliver mail
directly, and gives undeliverable mail to a gateway.  </p>

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/transport</b>"
whenever you edit the transport file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/transport</b>"
to specify an explicit type. </p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>


<h2><a name="backup">Configuring Postfix as primary or backup MX host for a remote site</a></h2>

<p> This section presents additional configuration. You need to
combine this with basic configuration information as discussed in the
first half of this document. </p>

<p> When your system is SECONDARY MX host for a remote site this
is all you need: </p>

<blockquote>
<pre>
 1 DNS:
 2     the.backed-up.domain.tld        IN      MX 100 your.machine.tld.
 3 
 4 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 5     <a href="postconf.5.html#relay_domains">relay_domains</a> = . . . the.backed-up.domain.tld
<br>
 6a    # Postfix 2.10 and later support separate relay control and
 7a    # spam control.
 8a    <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
 9a        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10a    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = ...spam blocking rules....
<br>
 6b    # Older configurations combine relay control and spam control. To
 7b    # use this with Postfix &ge; 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
 8b    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
 9b        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10b        ...spam blocking rules....
<br>
11     # You must specify your NAT/proxy external address.
12     #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4
13 
14     <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/relay_recipients
15 
16 /etc/postfix/relay_recipients:
17     user1 (a] the.backed-up.domain.tld   x
18     user2 (a] the.backed-up.domain.tld   x
19      . . .
</pre>
</blockquote>

<p> When your system is PRIMARY MX host for a remote site you 
need the above, plus: </p>

<blockquote>
<pre>
20 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
21     <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/transport
22 
23 /etc/postfix/transport:
24     the.backed-up.domain.tld       relay:[their.mail.host.tld]
</pre>
</blockquote>

<p> Important notes:

<ul>

<li><p>Do not list the.backed-up.domain.tld in <a href="postconf.5.html#mydestination">mydestination</a>.</p>

<li><p>Do not list the.backed-up.domain.tld in <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>.</p>

<li><p>Do not list the.backed-up.domain.tld in <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.</p>

<li> <p> Lines 1-9: Forward mail from the Internet for
"the.backed-up.domain.tld" to the primary MX host for that domain.
</p>

<li> <p> Line 12: This is a must if Postfix receives mail via a
NAT relay or proxy that presents a different IP address to the
world than the local machine. </p>

<li> <p> Lines 14-18: Define the list of valid addresses in the
"the.backed-up.domain.tld" domain.  This prevents your mail queue
from filling up with undeliverable MAILER-DAEMON messages. If you
can't maintain a list of valid recipients then you must specify
"<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> =" (that is, an empty value), or you must
specify an "@the.backed-up.domain.tld  x" wild-card in the
relay_recipients table. </p>

<li> <p> Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup. </p>

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/relay_recipients</b>"
whenever you change the relay_recipients file, to (re)build a
default-type indexed file. Execute "<b>postmap
<i>type</i>:/etc/postfix/relay_recipients</b>" to specify an explicit
type. </p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>

<p> Execute the command "<b>postmap /etc/postfix/transport</b>"
whenever you change the transport file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/transport</b>"
to specify an explicit type. </p>

<p> NOTE for Postfix &lt; 2.2: Do not use the <a href="postconf.5.html#fallback_relay">fallback_relay</a> feature
when relaying mail
for a backup or primary MX domain. Mail would loop between the
Postfix MX host and the <a href="postconf.5.html#fallback_relay">fallback_relay</a> host when the final destination
is unavailable. </p>
 
<ul>

<li> In <a href="postconf.5.html">main.cf</a> specify "<tt><a href="postconf.5.html#relay_transport">relay_transport</a> = relay</tt>",

<li> In <a href="master.5.html">master.cf</a> specify "<tt>-o <a href="postconf.5.html#fallback_relay">fallback_relay</a> =</tt>" at the    
end of the <tt>relay</tt> entry.

<li> In transport maps, specify "<tt>relay:<i>nexthop...</i></tt>"
as the right-hand side for backup or primary MX domain entries.

</ul>

<p> These are default settings in Postfix version 2.2 and later.
</p>

<h2><a name="dialup">Postfix on a dialup machine</a></h2>

<p> This section applies to dialup connections that are down most
of the time. For dialup connections that are up 24x7, see the <a
href="#local_network">local area network</a> section above.  </p>

<p> This section presents additional configuration. You need to
combine this with basic configuration information as discussed in the
first half of this document. </p>

<p> If you do not have your own hostname and IP address (usually
with dialup, cable TV or DSL connections) then you should also
study the section on "<a href="#fantasy">Postfix on hosts without
a real Internet hostname</a>".  </p>

<ul>

<li> Route all outgoing mail to your network provider.

<p> If your machine is disconnected most of the time, there isn't
a lot of opportunity for Postfix to deliver mail to hard-to-reach
corners of the Internet. It's better to give the mail to a machine
that is connected all the time. In the example below, the <tt>[]</tt>
prevents Postfix from trying to look up DNS MX records.  </p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#relayhost">relayhost</a> = [smtprelay.someprovider.com]
</pre>

<li> <p><a name="spontaneous_smtp">Disable spontaneous SMTP mail
delivery (if using on-demand dialup IP only).</a> </p>

<p> Normally, Postfix attempts to deliver outbound mail at its convenience.
If your machine uses on-demand dialup IP, this causes your system
to place a telephone call whenever you submit new mail, and whenever
Postfix retries to deliver delayed mail. To prevent such telephone
calls from being placed, disable spontaneous SMTP mail deliveries. </p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#defer_transports">defer_transports</a> = smtp (Only for on-demand dialup IP hosts)
</pre>

<li> <p>Disable SMTP client DNS lookups (dialup LAN only).</p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes (Only for on-demand dialup IP hosts)
</pre>

<li> Flush the mail queue whenever the Internet link is established.

<p> Put the following command into your PPP or SLIP dialup scripts: </p>

<pre>
/usr/sbin/sendmail -q (whenever the Internet link is up)
</pre>

<p> The exact location of the Postfix sendmail command is system-specific.
Use the command "<b>postconf <a href="postconf.5.html#sendmail_path">sendmail_path</a></b>" to find out where the
Postfix sendmail command is located on your machine. </p>

<p> In order to find out if the mail queue is flushed, use something
like: </p>

<pre>
#!/bin/sh

# Start mail deliveries.
/usr/sbin/sendmail -q

# Allow deliveries to start.
sleep 10

# Loop until all messages have been tried at least once.
while mailq | grep '^[^ ]*\*' &gt;/dev/null
do  
    sleep 10
done
</pre>

<p> If you have disabled <a href="#spontaneous_smtp">spontaneous
SMTP mail delivery</a>, you also need to run the "<b>sendmail -q</b>"
command every now and then while the dialup link is up, so that
newly-posted mail is flushed from the queue. </p>

</ul>

<h2><a name="fantasy">Postfix on hosts without a real Internet
hostname</a></h2>

<p> This section is for hosts that don't have their own Internet
hostname.  Typically these are systems that get a dynamic IP address
via DHCP or via dialup. Postfix will let you send and receive mail
just fine between accounts on a machine with a fantasy name. However,
you cannot use a fantasy hostname in your email address when sending
mail into the Internet, because no-one would be able to reply to
your mail. In fact, more and more sites refuse mail addresses with
non-existent domain names. </p>

<p> Note: the following information is Postfix version dependent.
To find out what Postfix version you have, execute the command
"<b>postconf <a href="postconf.5.html#mail_version">mail_version</a></b>". </p>

<h3>Solution 1: Postfix version 2.2 and later </h3>

<p> Postfix 2.2 uses the <a href="generic.5.html">generic(5)</a> address mapping to replace
local fantasy email addresses by valid Internet addresses.  This
mapping happens ONLY when mail leaves the machine; not when you
send mail between users on the same machine. </p>

<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed in the first half of this document. </p>

<blockquote>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2     <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/generic
3 
4 /etc/postfix/generic:
5     his (a] localdomain.local             hisaccount (a] hisisp.example
6     her (a] localdomain.local             heraccount (a] herisp.example
7     @localdomain.local                hisaccount+local (a] hisisp.example
</pre>
</blockquote>

<p> When mail is sent to a remote host via SMTP: </p>

<ul>

<li> <p> Line 5 replaces <i>his (a] localdomain.local</i> by his ISP
mail address, </p>

<li> <p> Line 6 replaces <i>her (a] localdomain.local</i> by her ISP
mail address, and </p>

<li> <p> Line 7 replaces other local addresses by his ISP account,
with an address extension of +<i>local</i> (this example assumes
that the ISP supports "+" style address extensions). </p>

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/generic</b>"
whenever you change the generic file, to (re)build a default-type
indexed file. Execute  "<b>postmap <i>type</i>:/etc/postfix/generic</b>"
to specify an explicit type.</p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>

<h3>Solution 2: Postfix version 2.1 and earlier </h3>

<p> The solution with older Postfix systems is to use valid
Internet addresses where possible, and to let Postfix map valid
Internet addresses to local fantasy addresses. With this, you can
send mail to the Internet and to local fantasy addresses, including
mail to local fantasy addresses that don't have a valid Internet
address of their own.</p>

<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
discussed in the first half of this document. </p>

<blockquote>
<pre>
 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
 2     <a href="postconf.5.html#myhostname">myhostname</a> = hostname.localdomain
 3     <a href="postconf.5.html#mydomain">mydomain</a> = localdomain
 4 
 5     <a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/canonical
 6 
 7     <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="lmdb_table.5.html">lmdb</a>:/etc/postfix/virtual
 8 
 9 /etc/postfix/canonical:
10     your-login-name    your-account (a] your-isp.com
11 
12 /etc/postfix/virtual:
13     your-account (a] your-isp.com       your-login-name
</pre>
</blockquote>

<p> Translation: </p>

<ul>

<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
names that are guaranteed not to be owned by anyone. </p>

<li> <p> Lines 5, 9, 10: This provides the mapping from
"your-login-name (a] hostname.localdomain" to "your-account (a] your-isp.com".
This part is required. </p>

<li> <p> Lines 7, 12, 13: Deliver mail for "your-account (a] your-isp.com"
locally, instead of sending it to the ISP. This part is not required
but is convenient.

</ul>

<p> Instead of <a href="lmdb_table.5.html">lmdb</a>:, some systems use <a href="CDB_README.html">cdb</a>:, <a href="DATABASE_README.html#types">hash</a>:, or <a href="DATABASE_README.html#types">dbm</a>:. </p>

<p> Execute the command "<b>postmap /etc/postfix/canonical</b>"
whenever you change the canonical file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/canonical</b>"
to specify an explicit type. </p>

<p> The default indexed file type is configured with the
<a href="postconf.5.html#default_database_type">default_database_type</a> parameter. To list available explicit types, 
execute the command "<b>postconf -m</b>".</p>

<p> Execute the command "<b>postmap /etc/postfix/virtual</b>"
whenever you change the virtual file, to (re)build a default-type
indexed file. Execute "<b>postmap <i>type</i>:/etc/postfix/virtual</b>"
to specify an explicit type. </p>

</body>

</html>