Email Architecture
with sendmail and postfix
dr. C. P. J. Koymans
Informatics Institute
Universiteit van Amsterdam
November 27, 2007
dr. C. P. J. Koymans (UvA) Email Architecture November 27, 2007 1 / 40
Organisation
Say O is an example organisation
A is an autonomous suborganisation
M is a managed suborganisation
a is an autonomous part of M
m is a managed part of M
Structure of the organisation
O
A
M
a
m
DNS mirrors the structure
Where are the cuts?
O.org.
A.O.org.
M.O.org.
a.M.O.org.
m.M.O.org.
Email mirrors the structure
The mail.* hosts are mail relays and servers
mail.O.org.
mail.A.O.org.
mail.M.O.org.
mail.a.M.O.org.
mail.m.M.O.org.
MX records (1)
O.org.      MX   0 mail.O.org.
A.O.org.    MX   0 mail.A.O.org.
                10 mail.O.org.
M.O.org.    MX   0 mail.M.O.org.
                10 mail.O.org.
MX records (2)
a.M.O.org.  MX   0 mail.a.M.O.org.
                 5 mail.M.O.org.
                10 mail.O.org.
m.M.O.org.  MX   0 mail.m.M.O.org.
                 5 mail.M.O.org.
                10 mail.O.org.
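
How a relay walks these MX sets, as an added example that is not part of the original slides: next_hops applies the RFC 5321 section 5.1 rule that a relay listed as MX only forwards to MX hosts with a lower preference value than its own, and relay_domains (a name chosen here) derives which subdomains each backup MX has to accept and relay.

```python
# Added example (not from the slides): MX selection over the slides' zone data.
from typing import Dict, List, Optional, Tuple

# MX sets copied from the two "MX records" slides: domain -> [(preference, host)].
MX: Dict[str, List[Tuple[int, str]]] = {
    "O.org.": [(0, "mail.O.org.")],
    "A.O.org.": [(0, "mail.A.O.org."), (10, "mail.O.org.")],
    "M.O.org.": [(0, "mail.M.O.org."), (10, "mail.O.org.")],
    "a.M.O.org.": [(0, "mail.a.M.O.org."), (5, "mail.M.O.org."), (10, "mail.O.org.")],
    "m.M.O.org.": [(0, "mail.m.M.O.org."), (5, "mail.M.O.org."), (10, "mail.O.org.")],
}


def next_hops(domain: str, me: Optional[str] = None) -> List[str]:
    """Hosts to try, best first, following RFC 5321 section 5.1.

    `me` is the relay doing the lookup. If it is listed as an MX for the
    domain, it drops itself and every MX of equal or higher preference
    value, so mail only moves towards the primary and cannot loop.
    """
    records = sorted(MX[domain])  # equal preferences would be shuffled; none here
    if me is not None:
        mine = [pref for pref, host in records if host.lower() == me.lower()]
        if mine:
            records = [(p, h) for p, h in records if p < min(mine)]
    return [host for _, host in records]


def relay_domains(host: str) -> List[str]:
    """Domains for which `host` is a backup MX and so must accept and relay mail."""
    out = []
    for domain, records in MX.items():
        best = min(pref for pref, _ in records)
        if any(h.lower() == host.lower() and p > best for p, h in records):
            out.append(domain)
    return sorted(out)


if __name__ == "__main__":
    for relay in (None, "mail.O.org.", "mail.M.O.org.", "mail.a.M.O.org."):
        print(relay, "->", next_hops("a.M.O.org.", relay))
    print("mail.O.org. relays for:", relay_domains("mail.O.org."))
```

Every host that relay_domains reports for a domain is published as an SMTP entry point for it, so it needs the same recipient and relay checks as the primary.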
Email addresses
Employee “The Boss” working in department “a”
Email forwarding
[email protected] is forwarded to
[email protected], which is in turn forwarded to
Forwarding can be
user based (.forward)
system based (alias file or database)
SMTP flow (inbound) (1)
Directly to mailhost in MX record
[email protected] enters at top
[email protected] enters at leaf
SMTP flow (inbound) (2)
Always to mail.O.org.
Requires “split” DNS
Different outside MX record for a.M.O.org., pointing to mail.O.org.
Alternatively block port 25 from the outside
SMTP flow (outbound)
Directly to outside world
No “corporate” policy
Needs smart hosts decentrally
Flowing up the tree step by step
Directly to the top of the tree
Last two items use the “smart host” option
Mail access
Only leaf mail servers supply mail access
Intermediate servers are relay only
In case you want to deliver higher in the tree
Create an extra child for mail delivery
Separate SMTP relay from local delivery and IMAP access
sendmail configuration (Ubuntu 7.10)
Debian specific (based on sendmail 8.14.1)
Has an extensive init script to control sendmail execution
Uses a separate sendmail.conf file to source inside init script
Uses a helper program (sendmailconfig) to generate the main configuration file sendmail.mc
sendmail configuration directory (Ubuntu 7.10)
/etc/mail as configuration directory
sendmail.mc, which is used to generate sendmail.cf using the m4 macro processor
local-host-names
aliases
access
...
m4 macros (Ubuntu 7.10)
Inside /usr/share/sendmail/cf
m4 source files m4/*
cf.m4, cfhead.m4, proto.m4
debian/*, domain/*, feature/*, ...
hack/*, mailer/*, ostype/*, ...
sendmail.mc
OSTYPE(debian)
DOMAIN(debian-mta)
DAEMON_OPTIONS(...)
FEATURE(...)
no_default_msa
access_db
...
MAILER
local
smtp
debian.m4
define(conf...)
Lots of configuration parameters, to name a few
confSMTP_LOGIN_MSG
confCW_FILE
confDEF_USER_ID
debian-mta.m4
Many more conf... options
confMAX_HOP
confDONT_BLAME_SENDMAIL
All kinds of TimeOut(TO)-timers
confTO_MAIL
confTO_QUIT
...
sendmail.cf macros
Macros
C<class> ($=<class>)
F<class_in_file>
Fw/etc/mail/local-host-names
D<name> ($<name>)
sendmail.cf hostnames
sendmail -bt -d0.4
Debugging local hostname(s)
$j=$w.$m
What is inside $=w class?
Many “hostnames”, also numeric
sendmail.cf map lookup
K<mapname> <type> <detail>
mailertable hash -o /etc/mail/mailertable.db
generics hash -o /etc/mail/genericstable.db
virtuser hash -o /etc/mail/virtusertable.db
sendmail.cf options
AliasFile
ForwardPath
DaemonPortOptions (UseMSP)
Timeout
*LA (Queue, Refuse, Delay)
SmtpGreetingMessage
...
sendmail.cf headers
HReceived:
$?sfrom $s $.$?_($?s$|from $.$_)$.
by $j ($v/$Z)$?r with $r$. id $i
$?u for $u; $|;$.
$b
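
Reading the headers this template produces, as an added example that is not part of the original slides: the regular expression follows the template's conditionals one by one, and hop_findings (a name chosen here) compares the name the peer claimed ($s) with the one sendmail resolved itself ($_) and checks that consecutive hops join up. The header lines, addresses and queue ids are constructed samples.

```python
# Added example (not from the slides): parse Received: lines built by the template.
import re
from typing import Dict, List, Optional, Tuple

RECEIVED = re.compile(
    r"(?:from (?P<helo>\S+) )?"                # $?sfrom $s $.   name the peer claimed
    r"(?:\((?P<client>[^)]*)\))?\s*"           # ($_)            what sendmail resolved
    r"by (?P<by>\S+) \((?P<version>[^)]*)\)"   # by $j ($v/$Z)
    r"(?: with (?P<proto>\S+))?"               # $?r with $r$.
    r" id (?P<id>[^\s;]+)"                     # id $i
    r"\s*(?:for (?P<rcpt>[^;]+))?;\s*"         # $?u for $u; $|;$.
    r"(?P<date>.+)$"                           # $b
)

# Constructed sample, newest first, for mail entering at the top of the tree.
SAMPLE = [
    "from mail.M.O.org (mail.M.O.org [192.0.2.20]) by mail.a.M.O.org (8.14.1/8.14.1)"
    " with ESMTP id lAR90003 for <user@a.M.O.org>; Tue, 27 Nov 2007 10:00:03 +0100",
    "from mail.O.org (mail.O.org [192.0.2.10]) by mail.M.O.org (8.14.1/8.14.1)"
    " with ESMTP id lAR90002 for <user@a.M.O.org>; Tue, 27 Nov 2007 10:00:02 +0100",
    "from friendly.example (unknown.example.net [198.51.100.7]) by mail.O.org"
    " (8.14.1/8.14.1) with SMTP id lAR90001 for <user@a.M.O.org>;"
    " Tue, 27 Nov 2007 10:00:01 +0100",
]
# Constructed local submission: no $s, so only "(from user@host)" appears.
LOCAL = ("(from user@localhost) by mail.a.M.O.org (8.14.1/8.14.1/Submit)"
         " id lAR90000; Tue, 27 Nov 2007 09:59:59 +0100")


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Unfold the header value and split it into the template's fields."""
    m = RECEIVED.match(" ".join(value.split()))
    return m.groupdict() if m else None


def seen_host(client: Optional[str]) -> str:
    """Hostname part of $_, or '' when only an address or ident is present."""
    first = (client or "").split(" ")[0]
    return "" if first in ("", "from") or first.startswith("[") else first.lower()


def hop_findings(headers: List[str]) -> List[Tuple[int, str]]:
    """headers: Received values as they appear in the message (newest first)."""
    findings, prev_by = [], None
    for n, raw in enumerate(reversed(headers), 1):  # walk oldest hop first
        hop = parse_received(raw)
        if hop is None:
            findings.append((n, "unparseable"))
            prev_by = None
            continue
        seen = seen_host(hop["client"])
        if hop["helo"] and seen and hop["helo"].lower() != seen:
            findings.append((n, "helo-mismatch"))  # claimed name differs from lookup
        if prev_by and seen and seen != prev_by.lower():
            findings.append((n, "chain-gap"))      # hop missing between two relays
        prev_by = hop["by"]
    return findings
```

A helo-mismatch on the first, external hop is informational only; a chain-gap between the organisation's own relays means a hop was skipped or a header is missing.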
sendmail.cf rulesets
S<name>=<number>
canonify=3 (always first)
parse=0 (resolves <mailer,host,user>)
check_relay (to disable open relaying)
check_mail (checks MAIL FROM:)
check_rcpt (checks RCPT TO:)
sendmail.cf rules
LHS (Left Hand Side)
$*, $+, $-, $@ (token matching)
$=, $~ (class matching)
RHS (Right Hand Side)
$1, $2, ..., $:, $@ (substitution; control flow)
$>, $?$|$. (recursion; conditional)
$[ ... $], $( ... $) (IP lookup; map lookup)
Sendmail ruleset testing
sendmail -bt
=S<ruleset>, =M
$<m>, $=<c>
/parse <address>
/try <mailer> <address>
/map <map> <lookup>
sendmail.cf mailers
M<mailer> <attributes>
local (maybe procmail as MDA)
prog, *file*, *include* (builtin)
smtp, esmtp, smtp8, relay, bsmtp, fido
procmail (as mail filter, called with “-m”)
Postfix
(Mostly) compatible with sendmail
supplies /usr/{lib,sbin}/sendmail emulation
Good performance
Safe and secure
Modular and flexible
General postfix features
Support for multiple transports
Easy virtual domain configuration
Extensive UCE/SPAM control
Rewriting through table lookups
Postfix modular setup
One resident master process
compare to inetd super server
Some semi-resident daemons
started via master.cf file
something like inetd.conf
Postfix queues
maildrop (local incoming)
incoming (after cleanup)
active (being worked on)
deferred (temporary failure)
hold (needs human intervention)
corrupt (needs human inspection)
Postfix security
Is not setuid root
Uses chroot environment
Is modular and not monolithic
Filtering of outside information
Postfix daemons
pickup (mail from maildrop via postdrop (“sendmail”))
smtpd (remote mail from the Internet)
cleanup (repairs incoming mail)
qmgr (processes mail queues)
local (local delivery)
smtp (remote delivery)
Postfix assistants
(trivial-)rewrite
canonicalisation (compare “ruleset 3”)
resolving (compare “ruleset 0”)
bounce
error mailer
defer messages
Postfix/Sendmail tables
Postfix      Sendmail
virtual      virtusertable
canonical    genericstable
transport    mailertable
access       access
relocated    - (aliases)
Postfix architecture inbound
Postfix architecture outbound
qmail
Who looked at qmail and wants to explain?
Exim
Who looked at Exim and wants to explain?