This assumes that your organization has set up multiple internal MX hosts for the local domain.
If your intranet does not use MX records internally, you have to specify the gateway host itself:
Specify dbm:/etc/postfix/transport if your system uses dbm files instead of db.
How do I set up Postfix on the firewall machine so that it relays mail for my.domain to a gateway machine on the inside, and so that it refuses mail for *.my.domain? The problem is that the standard relay_domains mail relaying restriction allows mail to *.my.domain when you specify my.domain.
Specify dbm:/etc/postfix/virtual if your system uses dbm files instead of db.
Unfortunately, the solution cannot use the transport table, because that table is ignored for destinations that match $mydestination. That's an implementation error, and it will be removed.
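As an added example (not Postfix code), the following Python model shows the routing order this FAQ item describes: a destination listed in $mydestination is delivered locally and the transport table is never consulted for it; otherwise the relay_domains check runs, and because that check also matches subdomains, listing my.domain accepts mail for *.my.domain too. The hostnames, domains and transports below are constructed placeholders.

```python
"""Added example (not Postfix code): a small model of the routing decision
this FAQ item describes. A destination listed in $mydestination is
delivered locally and the transport table is not consulted; otherwise the
relay_domains check is applied, and because that check also matches
subdomains, listing my.domain accepts mail for *.my.domain as well.
All hostnames and transports below are constructed placeholders."""

# Constructed sample configuration (placeholder names, not real hosts).
MYDESTINATION = {"firewall.my.domain", "localhost"}
RELAY_DOMAINS = {"my.domain"}
TRANSPORT_MAP = {"my.domain": "smtp:[gateway.my.domain]"}
DEFAULT_TRANSPORT = "smtp"


def matches_domain_or_subdomain(domain, domain_list):
    """relay_domains-style match: True if `domain` equals an entry in
    `domain_list` or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    for entry in domain_list:
        entry = entry.lower().lstrip(".")
        if domain == entry or domain.endswith("." + entry):
            return True
    return False


def transport_lookup(domain, transport_map):
    """Transport-table lookup: the exact domain first, then each parent
    domain, so an entry for some.domain also covers its subdomains (the
    behaviour the UUCP item on this page describes). None if no entry."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in transport_map:
            return transport_map[candidate]
    return None


def route(recipient):
    """Decide what happens to mail for `recipient`.

    Returns (decision, transport) where decision is "local", "relay" or
    "reject". The transport table is only consulted once the
    $mydestination check has failed, which is the limitation the FAQ
    item above complains about."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION:            # mydestination is an exact match
        return ("local", "local")
    if not matches_domain_or_subdomain(domain, RELAY_DOMAINS):
        return ("reject", None)            # relay access denied
    transport = transport_lookup(domain, TRANSPORT_MAP)
    return ("relay", transport or DEFAULT_TRANSPORT)


if __name__ == "__main__":
    for rcpt in ("root@firewall.my.domain", "joe@my.domain",
                 "joe@host.my.domain", "joe@other.example"):
        print(rcpt, "->", route(rcpt))
```

Running it shows the problem the question raises: joe@host.my.domain is relayed just like joe@my.domain, because the subdomain match in the relay_domains check happens before any table could say otherwise.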
Postfix supports the maildir mailbox format. Edit main.cf and specify a line with: home_mailbox = Maildir/ (any relative pathname that ends in / will do).
The maildir format is also supported for delivery from aliases or .forward files. Specify /file/name/ as destination. The trailing / turns on maildir delivery.
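As an added example (not Postfix's own delivery agent), here is how a delivery routine can apply the rule just stated: a destination ending in / is a maildir and gets the tmp/ then new/ rename protocol, anything else is appended as an mbox-style file. The sample message and the scratch directory are constructed for the demonstration.

```python
"""Added example (not Postfix code): how a delivery agent could apply the
rule above. A destination ending in "/" is a maildir and gets the
tmp/ -> new/ rename protocol; anything else is appended to an mbox-style
file. The message below is constructed for the demonstration."""
import os
import socket
import tempfile
import time

_SEQ = [0]  # per-process counter so two deliveries in one second differ


def is_maildir_destination(dest):
    """The trailing "/" is what turns on maildir delivery."""
    return dest.endswith("/")


def deliver_maildir(maildir, message):
    """Write the message under a unique name in tmp/, fsync it, then
    rename into new/. Readers only look in new/ and cur/, so they never
    see a half-written file."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), exist_ok=True)
    _SEQ[0] += 1
    unique = "%d.P%dQ%d.%s" % (int(time.time()), os.getpid(), _SEQ[0],
                               socket.gethostname())
    tmp_path = os.path.join(maildir, "tmp", unique)
    new_path = os.path.join(maildir, "new", unique)
    with open(tmp_path, "wb") as fh:
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())
    os.rename(tmp_path, new_path)  # atomic within one filesystem
    return new_path


def deliver_mbox(path, message, envelope_from="MAILER-DAEMON"):
    """Append one message in mbox format: a "From " separator line, then
    the message with lines starting with "From " escaped as ">From "."""
    stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime())
    lines = message.decode("utf-8", "replace").splitlines()
    escaped = [(">" + l) if l.startswith("From ") else l for l in lines]
    with open(path, "ab") as fh:
        fh.write(("From %s %s\n" % (envelope_from, stamp)).encode())
        fh.write(("\n".join(escaped) + "\n\n").encode())
    return path


def deliver(dest, message, envelope_from="MAILER-DAEMON"):
    """Dispatch on the form of the destination, as the FAQ rule says."""
    if is_maildir_destination(dest):
        return deliver_maildir(dest, message)
    return deliver_mbox(dest, message, envelope_from)


# Constructed sample message; the body line deliberately starts with "From ".
SAMPLE = (b"From: sender@example.net\n"
          b"To: joe@example.net\n"
          b"Subject: constructed test message\n"
          b"\n"
          b"From here on this is the body.\n")


def demo(base=None):
    """Deliver SAMPLE once to a maildir and once to an mbox under a
    scratch directory; returns facts about the result for checking."""
    base = base or tempfile.mkdtemp(prefix="pfx-faq-")
    new_path = deliver(os.path.join(base, "Maildir") + "/", SAMPLE)
    mbox_path = deliver(os.path.join(base, "mbox"), SAMPLE, "joe@example.net")
    with open(new_path, "rb") as fh:
        maildir_copy = fh.read()
    with open(mbox_path, "rb") as fh:
        mbox_text = fh.read().decode()
    return {
        "in_new": os.path.basename(os.path.dirname(new_path)) == "new",
        "tmp_empty": os.listdir(os.path.join(base, "Maildir", "tmp")) == [],
        "maildir_intact": maildir_copy == SAMPLE,
        "mbox_starts_with_from": mbox_text.startswith("From joe@example.net "),
        "body_from_escaped": "\n>From here on" in mbox_text,
    }


if __name__ == "__main__":
    print(demo())
```

The maildir copy is byte-for-byte the original, while the mbox copy needs the ">From " escaping; that difference is one reason the trailing-slash form is the safer choice for messages that are read while still being written.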
Do not use any shell meta characters or built-ins such as IFS or &&, because they force Postfix to run an expensive shell process.
With a distributed mail system such as Postfix, this is difficult to implement. Postfix does not run any mail delivery process under the control of a user. Instead, mail delivery is done by daemon processes that have no parental relationship with user processes. This eliminates a large variety of potential security exploits with environment variables, signal handlers, and with other process attributes that UNIX passes on from parent to child.
In addition, Postfix uses multiple processes in order to insulate subsystems from each other. Making the delivery agents talk directly to user processes would defeat a lot of the effort that went into making Postfix more secure than ordinary mailers.
With the Postfix architecture, Delivered-To: is required to prevent mail forwarding loops. Fortunately, many mail user agents have per-user or even system-wide configuration files that can be set up to suppress specific message headers (for example ~/.mailrc and /usr/lib/Mail.rc).
With mailing lists, Delivered-To: can get in the way when the list exploder uses a "secret" alias that should not be shown in outbound mail. The recommended solution is to use a regular expression-based filter at the SMTP port:
POSIX regular expression support (regexp) is enabled by default on modern UNIX systems. Perl-compatible regular expression support (pcre) is optional; see the PCRE_README file in the top-level Postfix source directory.
See also the FAQ item for problems with the majordomo approve command.
Currently, the workaround is to edit the approve script to strip any header lines that match:
Yes, this assumes that the moderator knows what she is doing.
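As an added example (not Postfix code and not the majordomo approve script), the following Python covers both header items above: it detects a forwarding loop from the Delivered-To: headers a message already carries, and it strips header lines matching a regular expression, which is what a filter at the SMTP port or an edited approve script does. The sample message and its addresses are constructed.

```python
"""Added example (not Postfix code) for the two header items above: detect
a forwarding loop from Delivered-To: headers, and strip header lines that
match a regular expression, the way a filter at the SMTP port or an
edited approve script would. The message is constructed for the demo."""
import re


def split_message(raw):
    """Split message text into (header block, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body


def logical_headers(head):
    """Join folded continuation lines (leading space or tab) back onto the
    header they belong to, so each list element is one complete header."""
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def unfold(header):
    """Replace each fold (newline plus whitespace) with a single space."""
    return re.sub(r"\n[ \t]+", " ", header)


def delivered_to_addresses(raw):
    """Every address recorded in a Delivered-To: header, lowercased, in order."""
    out = []
    for h in logical_headers(split_message(raw)[0]):
        name, _, value = unfold(h).partition(":")
        if name.strip().lower() == "delivered-to":
            out.append(value.strip().lower())
    return out


def has_forwarding_loop(raw, recipient):
    """A forwarding loop: the recipient we are about to deliver to is
    already recorded as a Delivered-To: address, so the mail was here
    before."""
    return recipient.strip().lower() in delivered_to_addresses(raw)


def strip_headers(raw, patterns):
    """Drop every header (with its continuation lines) whose unfolded
    'Name: value' text matches one of the regular expressions; the body
    is left untouched."""
    head, body = split_message(raw)
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    kept = [h for h in logical_headers(head)
            if not any(rx.search(unfold(h)) for rx in compiled)]
    return "\n".join(kept) + "\n\n" + body


# Constructed sample: mail that went through a "secret" list alias.
SAMPLE = "\n".join([
    "Return-Path: <owner-list@lists.example.org>",
    "Delivered-To: list-secret-outgoing@lists.example.org",
    "Delivered-To: member@example.com",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",
    "\tby lists.example.org; Mon, 1 Jan 2001 00:00:00 +0000",
    "From: poster@example.net",
    "To: list@lists.example.org",
    "Subject: hello",
    "",
    "Delivered-To: this line is body text and must survive.",
    "",
])

if __name__ == "__main__":
    print(has_forwarding_loop(SAMPLE, "member@example.com"))
    print(strip_headers(SAMPLE, [r"^Delivered-To:"]))
```

The pattern is applied to the unfolded header, so a Received: line whose interesting part sits on a continuation line still matches, and a body line that happens to look like a header is never touched because the filter stops at the first blank line.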
This causes all mail for the some.domain (and subdomains thereof) to be sent via UUCP to the host uucp-host.
uucp unix - n n - - pipe flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
This runs the uux command, and substitutes the next-hop hostname (uucp-host) and the recipients before executing the command. The uux command is executed without assistance from the shell, so there are no problems with shell meta characters.
Specify dbm instead of hash if your system has no db support.
uucp unix - n n - - pipe flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

This runs the uux command, and substitutes the next-hop hostname (uucp-gateway, or whatever you specified) and the recipients before executing the command. The uux command is executed without assistance from the shell, so there are no problems with shell meta characters.
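As an added example (not Postfix's pipe daemon), the following Python shows what the argv= substitution described above amounts to: each word of the template is expanded on its own and handed straight to the program as one argument, so a recipient containing shell meta characters arrives literally and no shell ever parses it. The uux program is replaced by a small Python stub that reports its arguments; the sender, next-hop and recipient values are constructed.

```python
"""Added example (not Postfix code): what the pipe(8) argv= substitution
described above amounts to. Each word of the argv template is expanded
on its own and handed straight to the program, so a recipient containing
shell metacharacters arrives as one literal argument. The uux program is
replaced here by a Python stub that just reports its arguments."""
import subprocess
import sys

# The template from the master.cf entry above, already split into words.
UUX_TEMPLATE = ["uux", "-r", "-n", "-z", "-a$sender", "-",
                "$nexthop!rmail", "($recipient)"]


def expand_argv(template, sender, nexthop, recipient):
    """Substitute $sender, $nexthop and $recipient inside each word. The
    result is a list, never a string, so no re-splitting can happen."""
    values = {"$sender": sender, "$nexthop": nexthop, "$recipient": recipient}
    argv = []
    for word in template:
        for name, value in values.items():
            word = word.replace(name, value)
        argv.append(word)
    return argv


def run_argv(argv):
    """Execute argv directly (no shell), the way the pipe daemon does.
    argv[0] is swapped for a stub that echoes one argument per line, so
    the example runs anywhere Python does."""
    stub = [sys.executable, "-c",
            "import sys; print('\\n'.join(sys.argv[1:]))"]
    proc = subprocess.run(stub + argv[1:], capture_output=True, text=True,
                          check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Constructed values; the recipient carries ";" and spaces on purpose.
    argv = expand_argv(UUX_TEMPLATE, "bob@example.net", "uucp-host",
                       "alice; echo not-a-shell")
    for arg in run_argv(argv):
        print(repr(arg))
```

The last argument comes back exactly as "(alice; echo not-a-shell)": the semicolon is data, not a command separator, because there was no shell to give it meaning. Had the same template been joined into one string and passed to a shell, the page's warning about meta characters would apply.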
Over here we are using the following scheme:
In master.cf:
In the transports map:
Note: be sure not to advertise fax.your.domain in the DNS...
However, when you see mail deliveries fail consistently, you may have a different problem: broken path MTU discovery.

A little background is in order. With the SMTP protocol, the HELO, MAIL FROM and RCPT TO commands and responses are relatively short. When you're talking to sendmail, every command and every response is sent as a separate packet, because sendmail cannot implement ESMTP command pipelining.

The message content, however, is sent as a few datagrams, each datagram typically a kbyte large or even bigger, depending on your local network MTU.

When mail fails consistently due to a timeout, I suspect that the sending machine runs a modern UNIX which implements path MTU discovery. That causes the machine to send packets as large as it would send over the LAN, with the IP DON'T FRAGMENT bit set, preventing intermediate routers from fragmenting the packets that are too big for their networks.

Depending on what network path a message follows, some router on the way responds with an ICMP MUST FRAGMENT message saying the packet is too big. Normally, the sending machine will re-send the data after chopping it up into smaller pieces.

However, things break when some router closer to the sending system is dropping such ICMP feedback messages, in a mistaken attempt to protect systems against certain attacks. In that case, the ICMP feedback message never reaches the sending machine, and the connection times out.

This is the same configuration problem that causes trouble with web servers behind a misconfigured packet filter: small images/files are sent intact, large images/files time out because the server does not see the MUST FRAGMENT ICMP feedback messages.

Workaround: disable path MTU discovery at the sending machine. Mail will get out, but of course everyone else will still suffer. How to disable path MTU discovery? It depends. Solaris has an ndd command; other systems use different means such as sysctl to control kernel parameters on a running system.

Fix: find the router that drops the ICMP MUST FRAGMENT messages, and convince the person responsible for it to fix the configuration.
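As an added example (not Postfix code), the following Python reproduces the failure pattern just described against a simulated network path, and shows the probe-based search an operator can use to tell a genuine small-MTU path from an ICMP black hole: with the ICMP feedback filtered, the search sees timeouts instead of "too big" answers, and the short SMTP commands succeed while the full-size DATA datagrams time out. The router MTUs and packet sizes are constructed.

```python
"""Added example (not Postfix code): a probe-based search for the largest
packet a path accepts with DON'T FRAGMENT set, run against a simulated
path so it works offline. When the ICMP "too big" feedback is filtered the
search sees timeouts instead of ICMP answers, which is the black hole the
text describes: short SMTP commands get through, full-size DATA segments
do not. Router MTUs and sizes below are constructed."""


class SimulatedPath:
    """A chain of routers; the smallest link MTU is the bottleneck."""

    def __init__(self, link_mtus, icmp_filtered):
        self.bottleneck = min(link_mtus)
        self.icmp_filtered = icmp_filtered

    def send(self, size, dont_fragment=True):
        """Outcome of one datagram: "ack" if it arrived, "too_big" if a
        router sent ICMP feedback, "timeout" if it was silently lost."""
        if size <= self.bottleneck:
            return "ack"
        if not dont_fragment:
            return "ack"              # routers fragment it themselves
        return "timeout" if self.icmp_filtered else "too_big"


def discover_path_mtu(send, lo=576, hi=1500):
    """Binary-search the largest size in [lo, hi] that `send` acks.
    Returns (path_mtu, blackhole); blackhole is True when some probe was
    lost without any ICMP feedback, i.e. PMTU discovery cannot work."""
    if send(lo) != "ack":
        return None, True
    best, blackhole = lo, False
    low, high = lo, hi
    while low < high:
        mid = (low + high + 1) // 2
        outcome = send(mid)
        if outcome == "ack":
            best, low = mid, mid
        else:
            blackhole = blackhole or outcome == "timeout"
            high = mid - 1
    return best, blackhole


def smtp_session(path, local_mtu=1500, pmtud_enabled=True):
    """Model the SMTP dialogue: commands are tiny, DATA goes out in
    local-MTU-sized datagrams, with DF set only when PMTU discovery is
    on (disabling it is the workaround the text mentions)."""
    result = {}
    for phase, size in (("HELO", 60), ("MAIL FROM", 40), ("RCPT TO", 40),
                        ("DATA", local_mtu)):
        outcome = path.send(size, dont_fragment=pmtud_enabled)
        if outcome == "too_big":
            # The ICMP answer carries the next-hop MTU, so the sender
            # re-sends the data in pieces that fit.
            outcome = path.send(path.bottleneck, dont_fragment=True)
        result[phase] = outcome
    return result


if __name__ == "__main__":
    for filtered in (False, True):
        path = SimulatedPath([1500, 1492, 1400], icmp_filtered=filtered)
        print("icmp_filtered=%s" % filtered, discover_path_mtu(path.send),
              smtp_session(path), smtp_session(path, pmtud_enabled=False))
```

On the healthy path the search reports 1400 with no black hole and DATA succeeds after one resend; on the filtered path it still finds 1400 (by the probes that did arrive) but flags the black hole, and the SMTP session shows exactly the symptom from the text: HELO, MAIL FROM and RCPT TO are fine, DATA times out, and clearing DF makes it go through again.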
Answer: you're mixing BIND version 8 include files with a
different version of the resolver library.
Fix: use the right include files. For example:
In order to build Postfix with db support on UNIX systems that do not have db support out of the box, you need the db-1.85 release, or the current version which has a db-1.85 compatible interface.

Use the following commands in the Postfix top-level directory. The LD_LIBRARY_PATH unsets may be required to avoid linking in the wrong libraries.

Of course you will have to specify the actual location of the include directory and of the object library.

One problem: older DB versions install a file /usr/include/ndbm.h that is incompatible with the one in /usr/include. Be sure to get rid of the bogus file, or the linker will fail to find dbm_dirfno.
fax unix - n n - - pipe
flags= user=fax argv=/usr/bin/faxmail -d -n ${user}
fax.your.domain fax:localhost
Mail fails with timeout or lost connection
Occasionally, mail fails with "timed out while sending end of data
-- message may be sent more than once", or with: "lost connection after DATA".
Network outages happen, systems crash. There isn't much you can
do about it.
Undefined symbols: ___dn_expand, ___res_init etc.
Question: When I build Postfix I get the following errors:
ld: Undefined symbol
___dn_expand
___res_init
___res_search
*** Error code 1
make makefiles CCARGS="-I/usr/include".
Using DB libraries on Solaris etc.
The old dbm UNIX database has severe limitations when you try to store lots of information. It breaks when the number of hash collisions becomes so large that the entries no longer fit together in a single disk block. The more modern db database does not suffer these limitations. It is standard on 4.4BSD and Linux systems.