Postfix



Postfix is an easy-to-configure MTA. The main (default) configuration files are:

access - contains a list of IP addresses and / or hostnames allowed / denied access to the server.
aliases - contains a list of alias addresses.
canonical - replaces one address with another (an oversimplified explanation).
header_checks - examines the header content of email, and can be used to explicitly deny (or permit) header content.
main.cf - contains the majority of Postfix directives, mostly used to override default settings.
master.cf - contains configuration parameters specific to the Postfix daemons, such as the SMTPD daemon and the queue manager. It is usually not necessary to make any changes to this file.
relocated - contains changed / moved addresses.
transport - SMTP relay servers.
virtual - maps one address to another for redirection.

Additional configuration files:
body_checks - contains strings of text you wish to reject if contained in the body of an email
freemail_access - domains contained here (usually freemail domains such as hotmail etc.)
freemail_hosts - ditto
helo_checks - validates incoming SMTP helo statements
recipient_checks - a list of recipients bypassing filtering
reject_freemail - used with freemail access above.
sender_checks - whitelists for source addresses. Not to be confused with recipient_checks above, which is a whitelist for *recipients*

Here is a breakdown of the common directives in main.cf:


smtpd_client_restrictions =
reject_unknown_sender_domain, reject if sender domain (in given sender email address) does not exist. # had to move this to smtpd_client_restrictions
reject_unknown_recipient_domain, # not sure about this one - had to move this to smtpd_client_restrictions
permit_mynetworks, permit our networks
# permit must be a global permit here.
smtpd_recipient_restrictions =
permit_mynetworks, permit our networks
reject_unauth_destination, prevent relay attempts - this has to be here, or else everything in access gets relay permission.
check_recipient_access hash:/etc/postfix/recipient_checks, permit any address in this file to bypass all checks. (except body and header)
check_client_access hash:/etc/postfix/access, any hosts in this file can be rejected / accepted depending on entry.
# warn_if_reject, for testing - will cause rejects to provide a warning message only.
reject_non_fqdn_sender, reject if sender does not supply FQDN in email address
reject_non_fqdn_recipient, reject if sender does not supply fully qualified recipient address.
reject_unknown_sender_domain, reject if sender domain (in given sender email address) does not exist. - had to move this to smtpd_client_restrictions
reject_unknown_recipient_domain, not sure about this one - had to move this to smtpd_client_restrictions
# check_relay_domains, - deprecated -
check_helo_access hash:/etc/postfix/helo_checks, check helo command issued by server - if helo = yourdomain.com (set in the helo_checks file) (or one of our other domains or localhost) mail is rejected.
check_sender_access hash:/etc/postfix/sender_checks, put addresses in here to reject or bypass blacklists.
check_sender_access hash:/etc/postfix/freemail_access, ensure designated domains - hotmail.com etc. - are being sent from their respective servers.
reject_unauth_pipelining, prevent pipelining abuse
reject_invalid_hostname, this checks for illegal characters in the hostname. ^% etc.
reject_non_fqdn_hostname, reject if FQDN hostname is not supplied.
reject_rbl_client list.dsbl.org, RBL
reject_rbl_client multihop.dsbl.org, RBL
reject_rbl_client relays.ordb.org, RBL
reject_rbl_client cbl.abuseat.org, RBL
reject_rbl_client dun.dnsrbl.net, RBL
reject_rbl_client spam.dnsrbl.net, RBL
reject_rbl_client dnsbl.ahbl.org, RBL
reject_rbl_client dnsbl.sorbs.net, RBL
reject_rbl_client dul.dnsbl.sorbs.net, RBL
reject_rhsbl_sender dsn.rfc-ignorant.org, RBL
reject_rhsbl_sender rhsbl.ahbl.org, RBL
permit Permit any other
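
The ordering note on reject_unauth_destination above can be checked mechanically. The following is an added example, not part of the original configuration: a small Python audit that parses main.cf text and reports any access-map lookup or bare permit placed ahead of reject_unauth_destination. The function names and sample fragments are constructed for illustration, and it assumes relay control lives in smtpd_recipient_restrictions as on this page (newer Postfix versions also have smtpd_relay_restrictions, which is not checked here).

```python
import re

# Constructed sample: an access map is consulted before the relay check, so an
# OK result from /etc/postfix/access would grant relay permission.
SAMPLE_BAD = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_destination,
    permit
"""

# Constructed sample following the order used on this page.
SAMPLE_GOOD = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
#   warn_if_reject,
    check_recipient_access hash:/etc/postfix/recipient_checks,
    check_client_access hash:/etc/postfix/access,
    permit
"""

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue a value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params

def audit_relay_order(text, param="smtpd_recipient_restrictions"):
    """List restrictions that can return OK before reject_unauth_destination."""
    value = parse_main_cf(text).get(param, "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if "reject_unauth_destination" not in tokens:
        return [f"{param}: reject_unauth_destination is missing"]
    cutoff = tokens.index("reject_unauth_destination")
    return [f"{param}: {tok} is evaluated before reject_unauth_destination"
            for tok in tokens[:cutoff]
            if re.fullmatch(r"check_\w+_access", tok) or tok == "permit"]

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_relay_order(sample) or "ok")
```

permit_mynetworks is deliberately not flagged, since the listing above places it ahead of the relay check on purpose.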

A sanitised version of my Postfix configuration can be downloaded from the downloads section.

The main.cf and master.cf may need some 'tweaking' for later (post 2.1) versions of Postfix.
