Hi
CentOS 6.10
Virtualmin GPL
I am trying to build an smtp relay server using postfix on one linux box.
I confirmed that the virtual host domain was added well.
I changed some settings to set the smtp relay server.
In the current state, the email relay works well, but adding the virtual host domain causes the following error.
Failed to create virtual server: No virtual domains file (virtual_alias_maps) was found in your Postfix configuration!
So I added the following line to /etc/postfix/main.cf to add the virtual host domain, and I get the following error in smtp relay.
virtual_alias_maps = hash:/etc/postfix/virtual
… sending failed: SMTP command rcpt to: ooo@oooooo.com failed: 550 5.1.1 ooo@oooooo.com: Recipient address rejected: User unknown in virtual alias table, line 5.
Anyone, please resolve this issue.
Thank you.
below is /etc/postfix/main.cf
myhostname = mail.(mydomain.com)
mydomain = (mydomain.com)
myorigin = $mydomain
home_mailbox = mail/
home_mailbox = Maildir/
mynetworks = 127.0.0.0/8, (my webserver IP)
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual
below is /etc/postfix/master.cf
Postfix master process configuration file. For details on the format
of the file, see the master(5) manual page (command: “man 5 master”).
Do not forget to execute “postfix reload” after editing this file.
==========================================================================
service type private unpriv chroot wakeup maxproc command + args
(yes) (yes) (yes) (never) (100)
==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
-o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
====================================================================
Interfaces to non-Postfix software. Be sure to examine the manual
pages of the non-Postfix software to find out what options it wants.
Many of the following services use the Postfix pipe(8) delivery
agent. See the pipe(8) man page for information about ${recipient}
and other message envelope options.
====================================================================
maildrop. See the Postfix MAILDROP_README file for details.
Also specify in main.cf: maildrop_destination_recipient_limit=1
#maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
====================================================================
The Cyrus deliver program has changed incompatibly, multiple times.
#old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
====================================================================
Cyrus 2.1.5 (Amos Gouaux)
Also specify in main.cf: cyrus_destination_recipient_limit=1
#cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
====================================================================
See the Postfix UUCP_README file for configuration details.
#uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
====================================================================
Other external delivery methods.
#ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
#mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
below is /etc/dovecot/conf.d/10-mail.conf
Mailbox locations and namespaces
Location for users’ mailboxes. The default is empty, which means that Dovecot
tries to find the mailboxes automatically. This won’t work if the user
doesn’t yet have any mail, so you should explicitly tell Dovecot the full
location.
If you’re using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
isn’t enough. You’ll also need to tell Dovecot where the other mmespaces ailboxes are
kept. This is called the “root mail directory”, and it must be the first
path given in the mail_location setting.
There are a few special variables you can use, eg.:
%u - username
%n - user part in user@domain, same as %u if there’s no domain
%d - domain part in user@domain, empty if there’s no domain
%h - home directory
See doc/wiki/Variables.txt for full list. Some examples:
mail_location = maildir:~/Maildir
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
<doc/wiki/MailLocation.txt>
#mail_location =
mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot-virtualmin/index/%u:CONTROL=/var/lib/dovecot-virtualmin/control/%u
If you need to set multiple mailbox locations or want to change default
namespace settings, you can do it by defining namespace sections.
You can have private, shared and public namespaces. Private namespaces
are for user’s personal mails. Shared namespaces are for accessing other
users’ mmespaces ailboxes that have been shared. Public namespaces are for shared
mailboxes that are managed by sysadmin. If you create any shared or public
namespaces you’ll typically want to enable ACL plugin also, otherwise all
users can access all the shared mailboxes, assuming they have permissions
on filesystem level to do so.
REMEMBER: If you add any namespaces, the default namespace must be added
explicitly, ie. mail_location does nothing unless you have a namespace
without a location setting. Default namespace is simply done by having a
namespace with empty prefix.
#namespace {
Namespace type: private, shared or public
#type = private
Hierarchy separator to use. You should use the same separator for all
namespaces or some clients get confused. ‘/’ is usually a good one.
The default however depends on the underlying mail storage format.
#separator =
Prefix required to access this namespace. This needs to be different for
all namespaces. For example “Public/”.
#prefix =
Physical location of the mailbox. This is in same format as
mail_location, which is also the default for it.
#location =
There can be only one INBOX, and this setting defines which namespace
has it.
#inbox = no
If namespace is hidden, it’s not advertised to clients via NAMESPACE
extension. You’ll most likely also want to set list=no. This is mostly
useful when converting from another server with different namespaces which
you want to deprecate but still keep working. For example you can create
hidden namespaces with prefixes “~/mail/”, “~%u/mail/” and “mail/”.
#hidden = no
Show the mailboxes under this namespace with LIST command. This makes the
namespace visible for clients that don’t support NAMESPACE extension.
“children” value lists child mailboxes, but hides the namespace prefix.
#list = yes
Namespace handles its own subscriptions. If set to “no”, the parent
namespace handles them (empty prefix should always have this as “yes”)
#subscriptions = yes
#}
Example shared namespace configuration
#namespace {
#type = shared
#separator = /
Mailboxes are visible under “shared/user@domain/”
%%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
Mail location for other users’ mailboxes. Note that %variables and ~/
expands to the logged in user’s data. %%n, %%d, %%u and %%h expand to the
destination user’s data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
Use the default namespace for saving subscriptions.
#subscriptions = no
List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
System user and group used to access mails. If you use multiple, userdb
can override these by returning uid or gid fields. You can use either numbers
or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =
Group to enable temporarily for privileged operations. Currently this is
used only with INBOX when either its initial creation or dotlocking fails.
Typically this is set to “mail” to give access to /var/mail.
#mail_privileged_group =
Grant access to these supplementary groups for mail processes. Typically
these are used to set up access to shared mailboxes. Note that it may be
dangerous to set these if users can create symlinks (e.g. if “mail” group is
set here, ln -s /var/mail ~/mail/var could allow a user to delete others’
mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
Allow full filesystem access to clients. There’s no access checks other than
what the operating system does for the active UID/GID. It works with both
maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
or ~user/.
#mail_full_filesystem_access = no
Mail processes
Don’t use mmap() at all. This is required if you store indexes to shared
filesystems (NFS or clustered filesystem).
#mmap_disable = no
Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
When to use fsync() or fdatasync() calls:
optimized (default): Whenever necessary to avoid losing important data
always: Useful with e.g. NFS when write()s are delayed
never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
whenever needed. If you’re using only a single mail server this isn’t needed.
#mail_nfs_storage = no
Mail index files also exist in NFS. Setting this to yes requires
mmap_disable=yes and fsync_disable=no.
#mail_nfs_index = no
Locking method for index files. Alternatives are fcntl, flock and dotlock.
Dotlocking uses some tricks which may create more disk I/O than other locking
methods. NFS users: flock doesn’t work, remember to change mmap_disable.
#lock_method = fcntl
Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
#mail_temp_dir = /tmp
Valid UID range for users, defaults to 500 and above. This is mostly
to make sure that users can’t log in as daemons or other system users.
Note that denying root logins is hardcoded to dovecot binary and can’t
be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
Valid GID range for users, defaults to non-root/wheel. Users having
non-valid GID as primary group ID aren’t allowed to log in. If user
belongs to supplementary groups with non-valid GIDs, those groups are
not set.
#first_valid_gid = 1
#last_valid_gid = 0
Maximum allowed length for mail keyword name. It’s only forced when trying
to create new keywords.
#mail_max_keyword_length = 50
‘:’ separated list of directories under which chrooting is allowed for mail
processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
This setting doesn’t affect login_chroot, mail_chroot or auth chroot
settings. If this setting is empty, “/./” in home dirs are ignored.
WARNING: Never add directories here which local users can modify, that
may lead to root exploit. Usually this should be done only if you don’t
allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
Default chroot directory for mail processes. This can be overridden for
specific users in user database by giving /./ in user’s home directory
(eg. /home/./user chroots into /home). Note that usually there is no real
need to do chrooting, Dovecot doesn’t allow users to access files outside
their mail directory anyway. If your home directories are prefixed with
the chroot directory, append “/.” to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
UNIX socket path to master authentication server to find users.
This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot
Space separated list of plugins to load for all services. Plugins specific to
IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
Mailbox handling optimizations
The minimum number of mails in a mailbox before updates are done to cache
file. This allows optimizing Dovecot’s behavior to do less disk writes at
the cost of more disk reads.
#mail_cache_min_mail_count = 0
When IDLE command is running, mailbox is checked once in a while to see if
there are any new mails or other changes. This setting defines the minimum
time to wait between those checks. Dovecot can also use dnotify, inotify and
kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
Save mails with CR+LF instead of plain LF. This makes sending those mails
take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
But it also creates a bit more disk I/O which may just make it slower.
Also note that if other software reads the mboxes/maildirs, they may handle
the extra CRs wrong and cause problems.
#mail_save_crlf = no
Maildir-specific settings
By default LIST command returns all entries in maildir beginning with a dot.
Enabling this option makes Dovecot return only entries which are directories.
This is done by stat()ing each entry, so it causes more disk I/O.
(For systems setting struct dirent->d_type, this check is free and it’s
done always regardless of this setting)
#maildir_stat_dirs = no
When copying a message, do it with hard links whenever possible. This makes
the performance much better, and it’s unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
when its mtime changes unexpectedly or when we can’t find the mail otherwise.
#maildir_very_dirty_syncs = no
mbox-specific settings
Which locking methods to use for locking mbox. There are four available:
dotlock: Create .lock file. This is the oldest and most NFS-safe
solution. If you want to use /var/mail/ like directory, the users
will need write access to that directory.
dotlock_try: Same as dotlock, but if it fails because of permissions or
because there isn’t enough disk space, just skip it.
fcntl : Use this if possible. Works with NFS too if lockd is used.
flock : May not exist in all systems. Doesn’t work with NFS.
lockf : May not exist in all systems. Doesn’t work with NFS.
You can use multiple locking methods; if you do the order they’re declared
in is important to avoid deadlocks if other MTAs/MUAs are using multiple
locking methods as well. Some operating systems don’t allow using some of
them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
mbox_write_locks = fcntl
Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
If dotlock exists but the mailbox isn’t modified in any way, override the
lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
When mbox changes unexpectedly we have to fully read it to find out what
changed. If the mbox is large this can take a long time. Since the change
is usually just a newly appended mail, it’d be faster to simply read the
new mails. If this setting is enabled, Dovecot does this but still safely
fallbacks to re-reading the whole mbox file whenever something in mbox isn’t
how it’s expected to be. The only real downside to this setting is that if
some other MUA changes message flags, Dovecot doesn’t notice it immediately.
Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
commands.
#mbox_dirty_syncs = yes
Like mbox_dirty_syncs, but don’t do full syncs even with SELECT, EXAMINE,
EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
commands and when closing the mailbox). This is especially useful for POP3
where clients often delete all mails. The downside is that our changes
aren’t immediately visible to other MUAs.
#mbox_lazy_writes = yes
If mbox size is smaller than this (e.g. 100k), don’t write index files.
If an index file already exists it’s still read, just not updated.
#mbox_min_index_size = 0
mdbox-specific settings
Maximum dbox file size until it’s rotated.
#mdbox_rotate_size = 2M
Maximum dbox file age until it’s rotated. Typically in days. Day begins
from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 1d
When creating new mdbox files, immediately preallocate their size to
mdbox_rotate_size. This setting currently works only in Linux with some
filesystems (ext4, xfs).
#mdbox_preallocate_space = no
Mail attachments
sdbox and mdbox support saving mail attachments to external files, which
also allows single instance storage for them. Other backends don’t support
this for now.
WARNING: This feature hasn’t been tested much yet. Use at your own risk.
Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
Attachments smaller than this aren’t saved externally. It’s also possible to
write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k
Filesystem backend to use for saving attachments:
posix : No SiS done by Dovecot (but this might help FS’s own deduplication)
sis posix : SiS with immediate byte-by-byte comparison during saving
sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix
Hash format to use in attachment filenames. You can add any text and
variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
below is /etc/dovecot/conf.d/10-auth.conf
Authentication processes
Disable LOGIN command and all other plaintext authentications unless
SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
matches the local IP (ie. you’re connecting from the same computer), the
connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes
disable_plaintext_auth = no
Authentication cache size (e.g. 10M). 0 means it’s disabled. Note that
bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
Time to live for cached data. After TTL expires the cached record is no
longer used, except if the main database lookup returns internal failure.
We also try to handle password changes automatically: If user’s previous
authentication was successful, but this one wasn’t, the cache isn’t used.
For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
TTL for negative hits (user not found, password mismatch).
0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
Space separated list of realms for SASL authentication mechanisms that need
them. You can leave it empty if you don’t want to support multiple realms.
Many clients simply use the first one listed here, so keep the default realm
first.
#auth_realms =
Default realm/domain to use if none was specified. This is used for both
SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
List of allowed characters in username. If the user-given username contains
a character not listed in here, the login automatically fails. This is just
an extra check to make sure user can’t exploit any potential quote escaping
vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
Username character translations before it’s looked up from databases. The
value contains series of from -> to characters. For example “#@/@” means
that ‘#’ and ‘/’ characters are translated to ‘@’.
#auth_username_translation =
Username formatting before it’s looked up from databases. You can use
the standard variables here, eg. %Lu would lowercase the username, %n would
drop away the domain if it was given, or “%n-AT-%d” would change the ‘@’ into
“-AT-”. This translation is done after auth_username_translation changes.
auth_username_format = %Ln
If you want to allow master users to log in by specifying the master
username within the normal username string (ie. not using SASL mechanism’s
support for it), you can specify the separator character here. The format
is then . UW-IMAP uses “*” as the
separator, so that could be a good choice.
#auth_master_user_separator =
Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
Maximum number of dovecot-auth worker processes. They’re used to execute
blocking passdb and userdb queries (eg. MySQL and PAM). They’re
automatically created and destroyed as needed.
#auth_worker_max_count = 30
Host name to use in GSSAPI principal names. The default is to use the
name returned by gethostname(). Use “$ALL” to allow all keytab entries.
#auth_gssapi_hostname =
Kerberos keytab to use for the GSSAPI mechanism. Will use the system
default (usually /etc/krb5.keytab) if not specified.
#auth_krb5_keytab =
Do NTLM and GSS-SPNEGO authentication using Samba’s winbind daemon and
ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
Path for Samba’s ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
Take the username from client’s SSL certificate, using
X509_NAME_get_text_by_NID() which returns the subject’s DN’s
CommonName.
#auth_ssl_username_from_cert = no
Space separated list of wanted authentication mechanisms:
plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
gss-spnego
NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
Password and user databases
Password database is used to verify user’s password (and nothing more).
You can have multiple passdbs and userdbs. This is useful if you want to
allow both system users (/etc/passwd) and virtual users to login without
duplicating the system users into virtual database.
<doc/wiki/PasswordDatabase.txt>
User database specifies where mails are located and what user/group IDs
own them. For single-UID configuration use “static” userdb.
<doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext