Skip to main content


Showing posts with the label Postfix

How to change default system email for root@hostname for Postfix in CentOS 7?

By default, any system email is generated by system is sent to root@hostname or system-user@hostname . So critical server errors, log errors, corn jobs alerts etc. all are sent to this default email address. Most likely you want to receive all the emails from different daemons and system components not to the user ‘root ’ but in another user that has access to emails.  To change it to different appropriate email id, we can do this by two ways.  Step 1: To do this, open /etc/aliases with your favourite editor and navigate to the end of the file. You will find something like this: # vi /etc/aliases root: To add multiple email ids, we can simply separate them by comma. root:, Run the aliases command, to compile aliases file. # newaliases # service postfix restart Step 2: We can simply create .forward file to the folder root and add email address there. # vi /root/.forward serveradmin@awsmo

How to Secure Postfix/Dovecot on CWP Email Server on CentOS 7?

At first I would like thank to CWP team for their great effort at $11.99. It has corporate mail features better than Cpanel and others. BTW It's my personal opinion. CWP team has changes many options on Postfix and Dovecot Configuration. It is very important to secure Postfix & Dovecot for Production server that will never expose your internal office or user home network. I did some little research and studies a lot to learn Postfix & Dovecot configuration. Lets Explain my scenario:  I have a VPS and it has two IPs. Both IP has valid PTR records . You must configure a valid FQDN for your IPs. My Details are below:  My Primary Domain:  Server FQDN :  ---  (IP for Shared Hosting) Sub-Domain   :  ---  (IP for sending Outgoing Email) Now build your Mail Server with the following options that mentioned in below snapshot You can follow the link to Build your own CWP Mail Server How to Bu

How to remove exim mail server from VestaCP on Ubuntu ?

Of all MTAs we’re reviewing, Postfix has the strongest emphasis on security. The likely reason is that it was created by Wietse Zweitze Venema , a prolific freeware security specialist. Sendmail cannot be considered a secure MTA. Moreover, Postfix was originally designed to mitigate the vulnerabilities associated with Sendmail. Exim is quite secure for most cases but loses to Postfix. A proper configuration of your Postfix MTA provides improved defenses against spam, abuse, and leakage of sensitive data. So i don't want to use EXIM as a MTA with VestaCP on Ubuntu. I want to remove exim  completely from my VestaCP control panel. I want to use Postfix/Dovecot RSPAMD as a AntiSPAM solutions . I will publish details in next tutorials  Check Exim Status # systemctl status exim # systemctl status exim4 Remove Frozen mail # exim -bp # exim -bpc # exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash Remove Completely  # sudo apt remove --auto-remove exim4 #

How to Produce Postfix MTA logfile summary using Pflogsumm on CWP?

Pflogsumm is a log analyzer/summarizer for the Postfix MTA. It is designed to provide an over-view of Postfix activity, with just enough detail to give the administrator a "heads up" for potential trouble spots. Pflogsumm generates summaries and, in some cases, detailed reports of mail server traffic volumes, rejected and bounced email, and server warnings, errors and panics. CentOS 7 & Ubuntu 16: # yum -y install postfix-perl-scripts # sudo apt install pflogsumm [ For Ubuntu ] Generate Log Summary # perl /usr/sbin/pflogsumm -d yesterday /var/log/maillog # perl /usr/sbin/pflogsumm -d today /var/log/maillog Generate Log Once a Day and Received via Mail # crontab -e 0 0 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/mail.log | mail -s 'Logwatch for Postfix' Generate More Details CentOS sudo pflogsumm /var/log/maillog [Weekly] sudo pflogsumm -d today /var/log/maillog --problems_first sudo pflogsumm -d today /var/log/maillog --rej_ad

How to Configure Postfix SMTP Relay on CWP CentOS 7 with Relay Provider ?

If you are using Google Cloud, Then you are not able to send email directly using SMTP 25 port. So You can configure your Postfix  to send email via relay using SASL authentication. Simple Authentication and Security Layer (SASL) is a standard authentication framework supported by many services including Postfix.  CASE A: I am using a VM on Google Cloud which is my Application server where multiple domain is hosted. I want to send email from specific domain using specific relay. You can use multiple relay for multiple domain. Another Domain will not able send email directly because GCP block SMTP 25 port for outgoing. Make sure the SASL authentication framework, and mailx are all installed # yum -y install cyrus-sasl-plain mailx In /etc/postfix/ , Add the following lines #Relay smtp_sasl_security_options = noanonymous smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay smtp_sasl_auth_enable = yes smtp_sasl_password_m

How to Remove Sensitive Data and Internal Network Information from Postfix Headers ?

E-mail header contain some sensitive information. I’ll show you how to remove that information from the Postfix headers. note: some email clients will mark your email as spam if your header doesn’t contain an IP address. It is also very important to keep header details for your analysis. If any user started to spamming or compromised , then we must need header for analysis. So we will remove only our client private network details. We are assuming that postfix is already up and running and will make below changes. Step:1 Edit ‘/etc/postfix/’ file header_checks = regexp:/etc/postfix/header_checks Step:2 Append the below line in ‘/etc/postfix/header_checks’ [at the bottom] /^Received:/ IGNORE Step:3 Run postmap to apply the new configuration in /etc/postfix/header_checks [root@server1 ~]# postmap /etc/postfix/header_checks Step:4 Restart or Reload the postfix server [root@server1 ~]# systemctl restart postfix [root@server1 ~]# postfix reload Actually this

How to Block (Virus) Extensions on Postfix Mail Server ?

It's very important to block virus extension on Postfix mail server. Using  mime_header_checks directive on Postfix , we can block some specific extension to protection our mail server from spamming. So we are going to block some dangerous extension for Postfix users . Login as the root, enter: # vi /etc/postfix/ Use mime_header_checks postfix config directive, enter: mime_header_checks = regexp:/etc/postfix/block_attachments Save and close the file. Open /etc/postfix/block_attachments file and append code as follows: /name=[^>]*\.(bat|com|dll|vbs|exe|pdf|zip)/ REJECT Save and close the file. You must restart or reload postfix: # /etc/init.d/postfix reload Watch log file:  You should see rejected mail log in /var/log/maillog file: # tail -f /var/log/maillog But There is a issues on that setting , That setting will also block dmarc report with attachment thats coming Google, MicroSoft etc. Use the following setting to work perfectly  # vi /etc/postfix/mime_

How to Build Postfix + Dovecot Mail Server with Anti-Spam Solutions on CWP Server ?

By Default CWP server comes with Postfix + Dovecot + AntiSpam Solutions. We need to do some modifications on Postfix + Dovecot , for better security and high performance. In this series tutorials , We will learn how to build Postfix + Dovecot with AntiSpam Solutions . Build CWP Mail Server 1. At first, We must have a valid FQDN with DNS Records (A & PTR). To generate new FQDN , Go to Server Settings >> Change Hostname . We will 2048 key Size which is default or you can use 4096 key Size which is slower than 2048 key Size . 2. Build Postfix mail Server with AntiSpam/AntiVirus and  DKIM & SPF . Go to Email >> Mail Server Manager . Provide the FQDN and Domain then click on "Rebuild Mail Server" 3. Enable SPF & DKIM for parent Domain: Go to Email >> DKIM Manager  Check also below the directory:    TruestedHosts File Location: /etc/opendkim/TrustedHosts    SigningTable File Location: /etc/opendkim/SigningTable    KeyTable File L

How to Configure autodiscover information for mail clients to setup pop/imap/smtp settings automatically on CentOS WebPanel?

Some mail clients will use a system called "Autodiscover" to figure out which settings to use for the pop/imap/smtp settings. You can set this up if you'd like, it basically requires a subdomain and a SRV record. You can add the SRV record into any domain you want to use these settings for. If you've got a global SSL certificate in Postfix/dovecot for your hostname, this would be a good way to ensure clients use the correct value, so they don't get SSL certificate errors. Let's assume you're going to have your clients with  connect to for both IMAP and SMTP. So we have a subdomain called to store the XML, where is a Server FQDN .  1. Setup a SRV record in the DNS zone: 3600 IN SRV 10 10 443 2. Next, Creat a file named autodiscover.php on  /usr/local/apache/htdocs/ # vi /usr/local/apache/htdocs/autodiscover.php N

How to Secure CWP Postfix and Dovecot with Lets Encrypt SSL Certificate ?

Postfix architecture is modular and contains different daemons each specifically handling only a few tasks. The most important daemons are the following: master is the main daemon that starts all the other daemons. smtpd is the SMTP server daemon handling incoming connections to receive emails from another mail server or client. smtp is the SMTP client handling outgoing connections to send email out to another mail server. local is the local delivery agent responsible for delivering email to the local server. qmgr processes and controls all messages in the mail queue. Maps are used in postfix to control email routing. Such maps are used to accept or reject email, inform postfix about local recipients and more. The main configuration files are which is the global configuration for all daemons and the which defines the runtime environment for the daemons. The configuration thereby overrides the configuration options from the Lets Secure

How to Enable logging of Email’s Subject Line in Postfix Maillog ?

By default Postfix MTA only capture ‘From’ and ‘To’ details in the log file (/var/log/maillog). There are some scenarios where we want that email’s subject should be capture in the maillog. This will very useful for email administrators when performing troubleshooting of problems related with email. There are simple steps to enable logging of the email subject in postfix maillog. We are assuming that postfix is already up and running and will make below changes. Step:1 Edit ‘/etc/postfix/’ file & uncomment below line: #header_checks = regexp:/etc/postfix/header_checks Step:2 Append the below line in ‘/etc/postfix/header_checks’ [at the bottom] /^Subject:/ WARN Step:3 Run postmap to apply the new configuration in /etc/postfix/header_checks [root@server1 ~]# postmap /etc/postfix/header_checks Step:4 Restart or Reload the postfix server [root@server1 ~]# systemctl restart postfix [root@server1 ~]# postfix reload Step:5  Login to your Roundcube webmail and

Setting Postfix to encrypt all traffic when talking to other mailservers

The biggest German email providers are currently running a big marketing campaign and promise secure email. They are using the same technique described on this page. After checking my logs, I can confirm that GMX-emails were delivered unencrypted on Aug 5, but arrived encrypted on Aug 6. Thanks to Mr. Snowden, we know two important facts about the world of security and email: First, most governments in the world will eavesdrop and store your communication, if they get the chance. They don't have a specific reason and the benefits are highly disputed. Second, your users can't/won't use PGP or S/MIME to encrypt their email. The job is left to admins. We need to maximize usability and compatibility, while ensuring that user data stays confidential. If you are running Postfix, I'd like to draw your attention to some useful settings that will protect your user's email in transit. If emails stay on the same server or the other server is secured as well, there is lit