Postfix Null Client
Install and configure postfix for send-only email from host to a relay, optionally using SSL/TLS. This is commonly called an email null client.
2022-08-03 Ubuntu 20.04-22.04, Raspbian buster-bullseye, macOS 10.13-12.5
The example used is based upon:
- Local host: ironbark.home.arpa
- Local system user: graham
- Mail domain: geddy.au
- Mail domain target for local system user: fred.nerk@geddy.au
Installation
macOS installation
macOS has postfix pre-installed. Although it is an old version, it is usable and need not be installed from macports.
After every macOS update, this has to be reconfigured.
It helps to save a copy of /etc/postfix and just overwrite the provided one each time.
Ubuntu installation
graham:~ sudo apt install postfix mailutils bsd-mailx libsasl2-modules
- Select Satellite site in popup configuration, though it matters not what option is selected – it is about to be completely overwritten.
Configuration
graham:~ sudo systemctl stop postfix # stop postfix for updating
graham:~ cd /etc/postfix
graham:/etc/postfix sudo vi main.cf
/etc/postfix/main.cf
replace all content
# Basic Null (send only) Postfix - ironbark.home.arpa
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# A safety net that causes Postfix to run with
# backwards-compatible default settings after an upgrade to a newer Postfix
# version. See http://www.postfix.org/COMPATIBILITY_README.html.
#
# new installs: set to 2
compatibility_level = 2

# The UNIX system account that owns the Postfix queue and most Postfix daemon
# processes. Specify the name of an unprivileged user account that does not
# share a user or group ID with other accounts, and that owns no other files
# or processes on the system. In particular, don't specify nobody or daemon.
# PLEASE USE A DEDICATED USER ID AND GROUP ID.
#
# debian: default, leave un-commented
#mail_owner = postfix
# macos: uncomment
#mail_owner = _postfix

# The group ownership of set-gid Postfix commands and of group-writable
# Postfix directories.
#
# debian: default, leave commented-out
#setgid_group = postdrop
# macos: uncomment
#setgid_group = _postdrop

##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
## MTA Identification
##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# The internet hostname of this mail system.
#
myhostname = ironbark.home.arpa

# The domain name that locally-posted mail appears to come from, and
# that locally posted mail is delivered to.
#
# debian: default, leave commented-out
#myorigin = /etc/mailname
# macos: default, leave commented-out
#myorigin = $myhostname

# The list of domains that are delivered via the $local_transport mail
# delivery transport.
#
mydestination = ironbark.$mydomain ironbark localhost.$mydomain localhost

# The list of "trusted" remote SMTP clients that have more privileges
# than "strangers". In particular, "trusted" SMTP clients are allowed
# to relay mail through Postfix.
#
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
## LOCAL RECEIVE
##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

## SENDMAIL(1) :::::::::::::::::::::::::::::::::::::::::::::::::::::::

##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
## LOCAL DELIVERY
##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

## LOCAL(8) - LOCAL MAIL DELIVERY ::::::::::::::::::::::::::::::::::::

## Compatibility

# Whether or not to use the local biff service.
#
biff = no

## Delivery Method

# The alias databases that are used for local(8) delivery.
#
alias_maps = hash:/etc/aliases

# The alias databases for local(8) delivery that are updated with
# "newaliases" or with "sendmail -bi".
#
alias_database = hash:/etc/aliases

# The set of characters that can separate a user name from its
# extension (example: user+foo), or a .forward file name from its
# extension (example: .forward+foo).
#
recipient_delimiter = +

## Resource Controls

# The maximal size of any local(8) individual mailbox or maildir
# file, or zero (no limit).
#
mailbox_size_limit = 0

## TRIVIAL-REWRITE(8) ::::::::::::::::::::::::::::::::::::::::::::::::

## Address Rewriting Rules

# With locally submitted mail, append the string ".$mydomain" to
# addresses that have no ".domain" information.
#
append_dot_mydomain = no

##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
## NETWORK RECEIVE
##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# The network interface addresses that this mail system receives mail on.
# The parameter also controls delivery of mail to user@[ip.address].
#
inet_interfaces = loopback-only

# The Internet protocols Postfix will attempt to use when making or
# accepting connections.
#
inet_protocols = ipv4, ipv6

##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
## NETWORK DELIVERY
##::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# The next-hop destination(s) for non-local mail; overrides
# non-local domains in recipient addresses.
#
# debian (except buster):
relayhost = smtp.geddy.au, mail.isp.com.au
# buster: uncomment one
#relayhost = smtp.geddy.au
#relayhost = mail.isp.com.au
# macos: requires :port, uncomment one
#relayhost = smtp.geddy.au:587
#relayhost = mail.isp.com.au:25

## SMTP(8) - SMTP/LMTP CLIENT ::::::::::::::::::::::::::::::::::::::::

# Optional lookup tables that perform address rewriting in the
# Postfix SMTP client, typically to transform a locally valid
# address into a globally valid address when sending mail across
# the Internet.
# i.e. convert local (internal) domain to external domain
#
smtp_generic_maps = hash:/etc/postfix/generic

## SASL

# Enable SASL authentication in the Postfix SMTP client.
#
smtp_sasl_auth_enable = yes

# Optional Postfix SMTP client lookup tables with one
# username:password entry per sender, remote hostname or next-hop
# domain.
#
# ensure 'relayhost=' value in sasl maps
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

# Postfix SMTP client SASL security options; as of Postfix 2.3 the
# list of available features depends on the SASL client
# implementation that is selected with smtp_sasl_type.
#
smtp_sasl_security_options = noanonymous

## SSL or STARTTLS

# The default SMTP TLS security level for the Postfix SMTP client;
# when a non-empty value is specified, this overrides the obsolete
# parameters smtp_use_tls, smtp_enforce_tls, and
# smtp_tls_enforce_peername.
#
# select one (except macos; STARTTLS only)
# STARTTLS
smtp_tls_security_level = may
# SSL/TLS
#smtp_tls_security_level = encrypt

# The external entropy source for the in-memory tlsmgr(8) pseudo
# random number generator (PRNG) pool.
#
#tls_random_source = dev:/dev/urandom
/etc/postfix/sasl_password
new file
# passwords to SMTP servers
smtp.geddy.au     robot@geddy.au:robot's password
mail.isp.com.au   isp-username:isp-password
- Ensure the relay hosts in sasl_password match the relayhosts in main.cf by name, and by ports if any.
- Example presumes the domain mail server has an account robot for automated connections. Some other account might be more suitable for that server.
- The file contains clear text passwords so be wary of its perms.
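The checks in the notes above (relay host keys matching main.cf by name and port, and the permissions on the clear text password file) can be scripted, together with a check that TLS is mandatory whenever SASL is enabled. This is an added example, not part of the original page: the function names cf_value, audit_null_client and demo are hypothetical, and the sample files are constructed from the page's example hosts with placeholder credentials.

```shell
# Added example (not the page's own code): audit main.cf against sasl_password.

# Print the last active value of parameter $2 in main.cf $1 (continuation
# lines are not followed; on a live host `postconf -h NAME` is authoritative).
cf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { k = $0; sub(/[ \t]*=.*/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# Print one finding per line; return 1 if anything was found, else 0.
audit_null_client() {
    cf=$1; pw=$2; bad=0
    set -f   # relayhost values such as [host]:587 must not be glob-expanded
    # 1. Every relayhost needs a sasl_password key spelled the same, port included.
    for hop in $(cf_value "$cf" relayhost | tr ',' ' '); do
        if ! awk -v h="$hop" '!/^[ \t]*#/ && $1 == h { ok = 1 } END { exit !ok }' "$pw"; then
            echo "relayhost $hop has no matching sasl_password entry"; bad=1
        fi
    done
    set +f
    # 2. Clear text passwords: no permission bits for group or other.
    if [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
        echo "$pw is accessible to group or other"; bad=1
    fi
    # 3. Level "may" falls back to an unencrypted session when the relay does
    #    not offer STARTTLS, so the SASL login is then sent unencrypted too.
    if [ "$(cf_value "$cf" smtp_sasl_auth_enable)" = yes ]; then
        case $(cf_value "$cf" smtp_tls_security_level) in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *) echo "SASL is enabled but TLS is not mandatory"; bad=1 ;;
        esac
    fi
    return "$bad"
}

# Constructed sample: the page's macOS relayhost (with :port) against a
# sasl_password key without the port, mode 644, placeholder credentials.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#relayhost = smtp.geddy.au' 'relayhost = smtp.geddy.au:587' \
        'smtp_sasl_auth_enable = yes' 'smtp_tls_security_level = may' > "$d/main.cf"
    printf '%s\n' '# constructed' 'smtp.geddy.au robot@geddy.au:PLACEHOLDER' > "$d/sasl_password"
    chmod 644 "$d/sasl_password"
    audit_null_client "$d/main.cf" "$d/sasl_password" || :
    rm -rf "$d"
}
demo
```

After editing sasl_password, rebuild the lookup table with postmap; the resulting sasl_password.db holds the same credentials and needs the same restrictive permissions.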
/etc/aliases
replace all content
# local delivery address aliases
postmaster: root
admin: root
root: root@geddy.au
graham: fred.nerk@geddy.au
nobody: /dev/null
- Ensure root is forwarded to a reliable destination.
- Add local system accounts (e.g. graham) if they exchange email.
/etc/postfix/generic
replace all content
# rewrite local address headers inside message that is being sent.
# the delivery address has already been formulated, probably as an alias
# local address have been configured using local domain
root@ironbark.home.arpa     root+ironbark@geddy.au
graham@ironbark.home.arpa   fred.nerk+ironbark@geddy.au
# catch all
@ironbark.home.arpa         root+ironbark@geddy.au
- Add rewrites for any email-active local system users, such as graham@localhost → fred.nerk@geddy.au above.
/etc/postfix/master.cf
add highlighted lines
relay     unix  -       -       y       -       -       smtp
# macos: comment out -o syslog_name
        -o syslog_name=postfix/$service_name
# macos: add -o smtp_fallback_relay

scache    unix  -       -       y       -       1       scache
# macos: comment out postlog (datagram not supported)
postlog   unix-dgram n  -       n       -       1       postlogd
- Confirm postfix started without errors.
- Testing: confirm the outgoing queue is empty and the message arrived where root mail is redirected.