https://wiki.archlinux.org/api.php?action=feedcontributions&user=Ciubix8513&feedformat=atomArchWiki - User contributions [en]2024-03-29T04:50:21ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Postfix&diff=755071Postfix2022-10-29T00:23:49Z<p>Ciubix8513: Added #</p>
<hr />
<div>[[Category:Mail server]]<br />
[[es:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]] that according to [http://www.postfix.org/ its website]:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]]. The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
See [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. Configuration files are in {{ic|/etc/postfix}} by default. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines what Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
Configuration changes need a {{ic|postfix.service}} [[reload]] in order to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|pkg=postfix}}.<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You should map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
# postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
# newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, localhost<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system with Postfix, Dovecot and Roundcube]] for a comprehensive guide how to set it up.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It reports anything that is wrong in the configuration files.<br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
By default, Postfix will not accept secure mail.<br />
<br />
You need to [[obtain a certificate]]. Point Postfix to your TLS certificates by adding the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_use_tls = yes<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
There are two ways to accept secure mail. STARTTLS over SMTP (port 587) and SMTPS (port 465). The latter was previously deprecated but was reinstated by [[RFC:8314]].<br />
<br />
To enable STARTTLS over SMTP (port 587), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_relay_restrictions=<br />
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
To enable SMTPS (port 465), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
smtps inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_recipient_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix.<br />
<br />
Create the file {{ic|/etc/postfix/blacklist_incoming}} and add the sender email address to reject:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Hide the sender's IP and user agent in the Received header ===<br />
<br />
This is mostly a privacy concern: if you send an email with a client such as Thunderbird, the Received header will contain your LAN and WAN IP addresses and information about the email client you used.<br />
(Original source: [https://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
The goal is to remove the Received header from outgoing emails. This can be done with the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
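As an added illustration (not part of the wiki article), the following Python emulates how Postfix applies a {{ic|regexp:}} header_checks table to the logical headers of an outgoing message, using the two IGNORE rules above on a constructed message. Postfix matches case-insensitively by default and treats folded continuation lines as part of one header, which the emulation reproduces.<br />
<br />
```python
import re

# Constructed regexp table with the two rules from /etc/postfix/smtp_header_checks above.
HEADER_CHECKS = """
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
"""

# Constructed outgoing message: the folded Received header carries the LAN address
# (192.168.1.23) and the User-Agent header names the mail client.
SAMPLE_MESSAGE = (
    "Received: from [192.168.1.23] (client.lan [192.168.1.23])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA; Sat, 29 Oct 2022 00:23:49 +0000\n"
    "User-Agent: Mozilla Thunderbird\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)


def parse_regexp_table(text):
    """Parse '/pattern/flags action' lines (regexp_table(5) subset: no '/' inside patterns)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/(\w*)\s+(\S+)$", line)
        if m is None:
            raise ValueError("unsupported table line: %r" % line)
        pattern, flags, action = m.groups()
        # Postfix matches case-insensitively unless the 'i' flag toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper()))
    return rules


def unfold_headers(head):
    """Join folded continuation lines so each list entry is one logical header."""
    logical = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += "\n" + line
        else:
            logical.append(line)
    return logical


def apply_header_checks(message, rules):
    """Apply the table to every logical header; return (filtered message, removed headers)."""
    head, sep, body = message.partition("\n\n")
    kept, removed = [], []
    for header in unfold_headers(head):
        action = "DUNNO"
        for pattern, act in rules:
            if pattern.search(header):
                action = act          # first matching pattern wins, as in Postfix
                break
        (removed if action == "IGNORE" else kept).append(header)
    return "\n".join(kept) + sep + body, removed


if __name__ == "__main__":
    filtered, dropped = apply_header_checks(SAMPLE_MESSAGE, parse_regexp_table(HEADER_CHECKS))
    print("removed:", dropped)
    print(filtered)
```
<br />
Because {{ic|smtp_header_checks}} applies to every message the smtp client sends, including mail relayed from other hosts, the rule also strips the Received headers of earlier hops, which removes the trace used to diagnose delivery problems and the hop count Postfix uses for mail loop detection.<br />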
<br />
=== Postfix in a chroot jail ===<br />
<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}.<br />
<br />
Second, define the following helper, which is used in the last step to copy files into the chroot jail:<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Make sure resolv.conf is owned by root:<br />
chown root /var/spool/postfix/etc/resolv.conf<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And do not forget to [[reload]] Postfix.<br />
<br />
=== DANE (DNSSEC) ===<br />
<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Make sure you know what you are doing, and read [https://dane.sys4.de/common_mistakes Common Mistakes] first.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommended to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
}}<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[https://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting (email)|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by [[extend the unit|extending the unit]] {{ic|postgrey.service}}.<br />
<br />
==== Whitelisting ====<br />
<br />
To add automatic whitelisting (successful deliveries are whitelisted and do not have to wait any more), add the {{ic|1=--auto-whitelist-clients=''N''}} option and replace {{ic|''N''}} by a suitably small number (or leave it at its default of 5).<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/postgrey_whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
Alternately, if you do not want to use virtual transports you can use the<br />
[http://www.postfix.org/postconf.5.html#mailbox_command mailbox_command]. This runs<br />
with the local user and group, whereas the pipe runs as the user specified with the {{ic|user}} setting.<br />
<br />
mailbox_command = /usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugin.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put the SpamAssassin client in it as a binary that can be run by Dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
=== Rule-based mail processing ===<br />
<br />
Policy services let you fine-tune how Postfix handles mail delivery.<br />
{{Pkg|postfwd}} and policyd ({{AUR|policyd-mysql}}, {{AUR|policyd-pgsql}} or {{AUR|policyd-sqlite}}) provide such services.<br />
This allows you to, for example, implement time-aware grey- and blacklisting of senders and recipients as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
}}<br />
<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, you can [[install]] {{AUR|python-spf-engine}}, {{AUR|python-postfix-policyd-spf}} or {{AUR|postfix-policyd-spf-perl}}.<br />
<br />
==== With spf-engine or python-postfix-policyd-spf ====<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In {{ic|main.cf}} file, add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
Now reload the {{ic|postfix}} service.<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
==== With postfix-policyd-spf-perl ====<br />
<br />
Do the same process with postfix as [[#With spf-engine or python-postfix-policyd-spf|with python-postfix-policyd-spf]], but with the following differences:<br />
<br />
Timeout for the policyd in {{ic|main.cf}} file:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy_time_limit = 3600<br />
}}<br />
<br />
Transport:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy unix - n n - 0 spawn<br />
user=nobody argv=/usr/lib/postfix/postfix-policyd-spf-perl<br />
}}<br />
<br />
Add the policyd to the {{ic|smtpd_recipient_restrictions}}:<br />
{{Warning|Specify {{ic|check_policy_service}} after {{ic|reject_unauth_destination}} or else your system can become an open relay.}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy<br />
...<br />
}}<br />
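Added example, not from the article: a small Python linter over {{ic|postconf -n}} style output that flags the ordering the warning above describes, a {{ic|check_policy_service}} entry evaluated before {{ic|reject_unauth_destination}} in {{ic|smtpd_recipient_restrictions}} while {{ic|smtpd_relay_restrictions}} provides no relay control of its own. The two configurations are constructed; the code assumes that an {{ic|smtpd_relay_restrictions}} absent from the output keeps its Postfix default, which ends in {{ic|defer_unauth_destination}}.<br />
<br />
```python
import re

# Constructed `postconf -n` style output. SAFE_CONF follows the warning above (relay
# control before the policy service); RISKY_CONF consults the policy service first.
SAFE_CONF = """
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, check_policy_service unix:private/policy-spf
"""

RISKY_CONF = """
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    check_policy_service unix:private/policy, reject_unauth_destination
"""

# Restrictions that take one argument (a lookup table, service or DNS zone).
TAKES_ARGUMENT = ("check_", "reject_rbl_", "reject_rhsbl_", "permit_dnswl_", "permit_rhswl_")
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_postconf(text):
    """Parse 'name = value' lines; an indented line continues the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace() and name is not None:
            params[name] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list, keeping each argument with the restriction that owns it."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i].startswith(TAKES_ARGUMENT) and i + 1 < len(tokens):
            items.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            items.append(tokens[i])
            i += 1
    return items


def lint_relay_order(params):
    """Return one finding per check_policy_service that runs before relay control."""
    relay = params.get("smtpd_relay_restrictions")
    if relay is None:
        # Assumption: the parameter is not listed by `postconf -n`, so the Postfix default
        # applies; it ends in defer_unauth_destination and already blocks unauthorised relaying.
        relay_guard = True
    else:
        relay_guard = any(r in RELAY_GUARDS for r in split_restrictions(relay))
    recip = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    guard_pos = next((i for i, r in enumerate(recip) if r in RELAY_GUARDS), len(recip))
    findings = []
    for pos, r in enumerate(recip):
        if r.startswith("check_policy_service") and not relay_guard and pos < guard_pos:
            findings.append("%s is evaluated before reject_unauth_destination; "
                            "a permissive policy answer can make this host an open relay" % r)
    return findings


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("risky", RISKY_CONF)):
        print(label, lint_relay_order(parse_postconf(conf)) or ["ok"])
```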
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd|2=<br />
SRS_DOMAIN=yourdomain.tld<br />
SRS_EXCLUDE_DOMAINS=yourotherdomain.tld,yet.anotherdomain.tld<br />
SRS_SEPARATOR==<br />
SRS_SECRET=/etc/postsrsd/postsrsd.secret<br />
SRS_FORWARD_PORT=10001<br />
SRS_REVERSE_PORT=10002<br />
RUN_AS=postsrsd<br />
CHROOT=/usr/lib/postsrsd<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = tcp:localhost:10001<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = tcp:localhost:10002<br />
recipient_canonical_classes= envelope_recipient,header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
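As an added illustration (not postsrsd's code), the following Python shows the SRS0 rewriting that the forward port rewrites and the reverse port undoes, using the {{ic|SRS_DOMAIN}} and {{ic|SRS_SEPARATOR}} values from the configuration above. The secret, the validity window and the exact hash and timestamp encoding are simplified assumptions and will not interoperate with a real postsrsd instance.<br />
<br />
```python
import base64
import hashlib
import hmac
import time

SRS_DOMAIN = "yourdomain.tld"        # SRS_DOMAIN from the configuration above
SRS_SEPARATOR = "="                  # SRS_SEPARATOR from the configuration above
SECRET = b"constructed-demo-secret"  # stands in for the contents of SRS_SECRET (assumption)
MAX_AGE_DAYS = 10                    # assumed validity window for bounces
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(days):
    """Two base32 characters encoding the day count modulo 1024 (10 bits)."""
    d = days % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def _hash(timestamp, domain, local):
    """Four base64 characters of an HMAC over timestamp, lowercased domain and local part."""
    msg = (timestamp + domain.lower() + local).encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest()).decode()[:4]


def srs_forward(sender, days=None):
    """Rewrite local@domain to SRS0=HHHH=TT=domain=local@SRS_DOMAIN; our own domain is left alone."""
    local, _, domain = sender.rpartition("@")
    if domain.lower() == SRS_DOMAIN:
        return sender
    days = int(time.time() // 86400) if days is None else days
    ts = _timestamp(days)
    fields = ["SRS0", _hash(ts, domain, local), ts, domain, local]
    return SRS_SEPARATOR.join(fields) + "@" + SRS_DOMAIN


def srs_reverse(address, days=None):
    """Verify hash and age of an SRS0 address and return the original sender, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    prefix = "SRS0" + SRS_SEPARATOR
    if domain.lower() != SRS_DOMAIN or not local.startswith(prefix):
        raise ValueError("not an SRS0 address for our domain")
    # maxsplit=3 keeps any separator characters inside the original local part intact
    parts = local[len(prefix):].split(SRS_SEPARATOR, 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    h, ts, orig_domain, orig_local = parts
    if not hmac.compare_digest(h, _hash(ts, orig_domain, orig_local)):
        raise ValueError("bad SRS hash: address was not produced with our secret")
    days = int(time.time() // 86400) if days is None else days
    ts_days = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (days - ts_days) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return orig_local + "@" + orig_domain


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.com")
    print(rewritten)
    print(srs_reverse(rewritten))
```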
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with [[journalctl]]:<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
Then you can fix it by using these commands, depending on the messages you get:<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Host or domain name not found. Name service error for name=... ===<br />
<br />
If you get the following warning with ''journalctl'':<br />
<br />
Host or domain name not found. Name service error for name=...<br />
<br />
It could be that you are running Postfix in a {{ic|chroot}} and {{ic|/etc/resolv.conf}} is missing. If so, you can fix this by:<br />
<br />
mkdir -p /var/spool/postfix/etc<br />
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]</div>Ciubix8513https://wiki.archlinux.org/index.php?title=Network_bridge&diff=747168Network bridge2022-09-17T20:20:49Z<p>Ciubix8513: Fixed ip link set command</p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:ネットワークブリッジ]]<br />
{{Related articles start}}<br />
{{Related|Bridge with netctl}}<br />
{{Related|Network configuration#Bonding or LAG}}<br />
{{Related articles end}}<br />
A bridge is a piece of software used to unite two or more network segments. A bridge behaves like a virtual network switch, working transparently (the other machines do not need to know about its existence). Any real devices (e.g. {{ic|eth0}}) and virtual devices (e.g. {{ic|tap0}}) can be connected to it.<br />
<br />
This article explains how to create a bridge that contains at least an ethernet device. This is useful for things like the bridge mode of [[QEMU]], setting up a software-based access point, etc.<br />
<br />
== Creating a bridge ==<br />
<br />
There are a number of ways to create a bridge.<br />
<br />
=== With iproute2 ===<br />
<br />
This section describes the management of a network bridge using the ''ip'' tool from the {{Pkg|iproute2}} package, which is required by the {{Pkg|base}} [[meta package]].<br />
<br />
Create a new bridge and change its state to up:<br />
<br />
# ip link add name ''bridge_name'' type bridge<br />
# ip link set dev ''bridge_name'' up<br />
<br />
To add an interface (e.g. eth0) into the bridge, its state must be up:<br />
<br />
# ip link set eth0 up<br />
<br />
Adding the interface into the bridge is done by setting its master to {{ic|''bridge_name''}}:<br />
<br />
# ip link set eth0 master ''bridge_name''<br />
<br />
To show the existing bridges and associated interfaces, use the ''bridge'' utility (also part of {{Pkg|iproute2}}). See {{man|8|bridge}} for details.<br />
<br />
# bridge link<br />
<br />
This is how to remove an interface from a bridge:<br />
<br />
# ip link set eth0 nomaster<br />
<br />
The interface will still be up, so you may also want to bring it down:<br />
<br />
# ip link set eth0 down<br />
<br />
To delete a bridge issue the following command:<br />
<br />
# ip link delete ''bridge_name'' type bridge<br />
<br />
This will automatically remove all interfaces from the bridge. The slave interfaces will still be up, though, so you may also want to bring them down after.<br />
<br />
=== With bridge-utils ===<br />
<br />
This section describes the management of a network bridge using the legacy ''brctl'' tool from the {{Pkg|bridge-utils}} package, which is available in the [[official repositories]]. See {{man|8|brctl}} for full listing of options.<br />
<br />
{{Note|The use of ''brctl'' is deprecated and is considered obsolete. See the Notes section in {{man|8|brctl|NOTES}} for details.}}<br />
<br />
Create a new bridge:<br />
<br />
# brctl addbr ''bridge_name''<br />
<br />
Add a device to a bridge, for example {{ic|eth0}}:<br />
<br />
{{Note|Adding an interface to a bridge will cause the interface to lose its existing IP address. If you are connected remotely via the interface you intend to add to the bridge, you will lose your connection. This problem can be worked around by scripting the bridge to be created at system startup.}}<br />
<br />
# brctl addif ''bridge_name'' eth0<br />
<br />
Show current bridges and what interfaces they are connected to:<br />
<br />
$ brctl show<br />
<br />
Set the bridge device up:<br />
<br />
# ip link set dev ''bridge_name'' up<br />
<br />
To delete a bridge, you need to first set it ''down'':<br />
<br />
# ip link set dev ''bridge_name'' down<br />
# brctl delbr ''bridge_name''<br />
<br />
{{Note|To enable the [http://ebtables.netfilter.org/documentation/bridge-nf.html bridge-netfilter] functionality, you need to manually load the {{ic|br_netfilter}} module:<br />
<br />
# modprobe br_netfilter<br />
<br />
See also [[Kernel modules#Automatic module loading with systemd]].<br />
}}<br />
<br />
=== With netctl ===<br />
<br />
See [[Bridge with netctl]].<br />
<br />
=== With systemd-networkd ===<br />
<br />
See [[systemd-networkd#Bridge interface]].<br />
<br />
=== With NetworkManager ===<br />
<br />
[[GNOME]]'s Network settings can create bridges, but currently will not auto-connect to them or slave/attached interfaces. Open Network Settings, add a new interface of type Bridge, add a new bridged connection, and select the MAC address of the device to attach to the bridge.<br />
<br />
[[KDE]]'s {{Pkg|plasma-nm}} can create bridges. In order to view, create and modify bridge interfaces open the Connections window either by right clicking the Networks applet in the system tray and selecting ''Configure Network Connections...'' or from ''System Settings > Connections''. Click the ''Configuration'' button in the lower left corner of the module and enable "Show virtual connections". A session restart will be necessary to use the enabled functionality.<br />
<br />
{{Pkg|nm-connection-editor}} can create bridges in the same manner as GNOME's Network settings.<br />
<br />
{{ic|nmcli}} from {{Pkg|networkmanager}} can create bridges. Creating a bridge with [[Wikipedia:Spanning Tree Protocol|STP]] disabled (to avoid the bridge being advertised on the network):<br />
<br />
$ nmcli connection add type bridge ifname br0 stp no<br />
<br />
Making interface {{ic|enp30s0}} a slave to the bridge:<br />
<br />
$ nmcli connection add type bridge-slave ifname enp30s0 master br0<br />
<br />
Setting the existing connection as down (you can get it with {{ic|nmcli connection show --active}}):<br />
<br />
$ nmcli connection down ''Connection''<br />
<br />
Setting the new bridge as up:<br />
<br />
$ nmcli connection up bridge-br0<br />
$ nmcli connection up bridge-slave-enp30s0<br />
<br />
If NetworkManager's default interface for the device you added to the bridge connects automatically, you may want to disable that by clicking the gear next to it in Network Settings, and unchecking "Connect automatically" under "Identity."<br />
<br />
== Assigning an IP address ==<br />
<br />
{{Expansion|This section needs to be connected to the link-level part described in [[QEMU#Tap networking with QEMU]]. For now, see the instructions given there.}}<br />
<br />
When the bridge is fully set up, it can be assigned an IP address:<br />
<br />
=== With iproute2 ===<br />
<br />
# ip address add dev ''bridge_name'' 192.168.66.66/24<br />
<br />
=== With NetworkManager ===<br />
<br />
Give it the desired address:<br />
<br />
# nmcli connection modify ''Connection'' ipv4.addresses ''desired_IP''<br />
<br />
Set up a DNS server (this will also avoid not being able to load any pages after you apply the changes):<br />
<br />
# nmcli connection modify ''Connection'' ipv4.dns ''DNS_server''<br />
<br />
Set the IP address to static:<br />
<br />
# nmcli connection modify ''Connection'' ipv4.method manual<br />
<br />
Apply the changes:<br />
<br />
# nmcli connection up ''Connection''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Wireless interface on a bridge ===<br />
<br />
To add a wireless interface to a bridge, you first have to assign the wireless interface to an access point or start an access point with [[Software access point|hostapd]]. Otherwise the wireless interface will not be added to the bridge.<br />
<br />
See also [[Debian:BridgeNetworkConnections#Bridging with a wireless NIC]].<br />
<br />
=== Speeding up traffic destined to the bridge itself ===<br />
<br />
In some situations the bridge not only serves as a bridge box, but also talks to other hosts. Packets that arrive on a bridge port and that are destined to the bridge box itself will by default enter the iptables INPUT chain with the logical bridge port as input device. These packets will be queued twice by the network code: the first time after they are received by the network device, the second time after the bridge code has examined the destination MAC address, determined that the packet was locally destined and therefore decided to pass the frame up to the higher protocol stack.[http://ebtables.netfilter.org/examples/basic.html#ex_speed]<br />
<br />
The way to let locally destined packets be queued only once is by brouting them in the BROUTING chain of the broute table. Suppose br0 has an IP address and that br0's bridge ports do not have an IP address. Using the following rule should make all locally directed traffic be queued only once:<br />
<br />
# ebtables -t broute -A BROUTING -d $MAC_OF_BR0 -p ipv4 -j redirect --redirect-target DROP<br />
<br />
The replies from the bridge will be sent out through the br0 device (assuming your routing table is correct and sends all traffic through br0), so everything keeps working neatly, without the performance loss caused by the packet being queued twice. <br />
<br />
The redirect target is needed because the MAC address of the bridge port is not necessarily equal to the MAC address of the bridge device. The packets destined to the bridge box will have a destination MAC address equal to that of the bridge br0, so that destination address must be changed to that of the bridge port.<br />
<br />
== Troubleshooting ==<br />
<br />
=== No networking after bridge configuration ===<br />
<br />
{{Style|This problem is pointed out as a note in [[#With bridge-utils]]. It should be made clear in all other sections and running a DHCP client should be added to [[#Assigning an IP address]].}}<br />
<br />
It may help to remove all IP addresses and routes from the interface (e.g. {{ic|eth0}}) that was added to the bridge and configure these parameters for the bridge instead.<br />
<br />
First of all, make sure there is no [[dhcpcd]] instance running for {{ic|eth0}}, otherwise the deleted addresses may be reassigned.<br />
<br />
Remove address and route from the {{ic|eth0}} interface:<br />
<br />
# ip addr del ''address'' dev eth0<br />
# ip route del ''address'' dev eth0<br />
<br />
Now IP address and route for the earlier configured bridge must be set. This is usually done by starting a DHCP client for this interface. Otherwise, consult [[Network configuration]] for manual configuration.<br />
<br />
=== No networking on hosted servers after bridge configuration ===<br />
<br />
{{Style|"Hosted server" is not a generally obvious term.}}<br />
<br />
As the MAC address of the bridge is not necessarily equal to the MAC address of the network card usually used by the server, the server provider might drop traffic coming out of the bridge, resulting in a loss of connectivity when bridging e.g. the server ethernet interface. Configuring the bridge to clone the MAC address of the ethernet interface might therefore be needed for hosted servers.<br />
<br />
== See also ==<br />
<br />
* [https://www.linuxfoundation.org/collaborate/workgroups/networking/bridge Official documentation for bridge-utils]<br />
* [https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 Official documentation for iproute2]<br />
* [http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html ebtables/iptables interaction on a Linux-based bridge]</div>Ciubix8513