This document gives an overview of how Postfix can be used for hosting multiple Internet domains, both for final delivery on the machine itself and for the purpose of forwarding to destinations elsewhere.
Most Postfix systems are the final destination for only a few domain names. These include the hostnames and [the IP addresses] of the machine that Postfix runs on, and sometimes also include the parent domain of the hostname. The remainder of this document will refer to these domains as the canonical domains. They are usually implemented with the Postfix local domain address class, as defined in the ADDRESS_CLASS_README file.
Besides the canonical domains, Postfix can be configured to be the final destination for any number of additional domains. These domains are called hosted, because they are not directly associated with the name of the machine itself. Hosted domains are usually implemented with the virtual alias domain address class and/or with the virtual mailbox domain address class, as defined in the ADDRESS_CLASS_README file.
But wait! There is more. Postfix can be configured as a backup MX host for other domains. In this case Postfix is not the final destination for those domains. It merely queues the mail when the primary MX host is down, and forwards the mail when the primary MX host becomes available. This function is implemented with the relay domain address class, as defined in the ADDRESS_CLASS_README file.
Finally, Postfix can be configured as a transit host for sending mail across the internet. Obviously, Postfix is not the final destination for such mail. This function is available only for authorized clients and/or users, and is implemented by the default domain address class, as defined in the ADDRESS_CLASS_README file.
See the documentation in LDAP_README, MYSQL_README and PGSQL_README for how to replace local files by databases. The reader is strongly advised to make the system work with local files before migrating to network databases, and to use the postmap command to verify that network database lookups produce the exact same results as local file lookup.
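An added example, not part of the original Postfix documentation: one way to automate the postmap comparison recommended above, probing both tables with the same keys and reporting every difference, including keys that one table finds and the other does not. The dictionaries stand in for the two tables so the block runs without Postfix; the table names in the final comment are hypothetical, and treating a non-zero exit with empty stderr as "not found" is an assumption of this script.

```python
import subprocess

def postmap_lookup(table):
    """Build a lookup function backed by `postmap -q KEY TABLE`; None means not found."""
    def lookup(key):
        proc = subprocess.run(["postmap", "-q", key, table],
                              capture_output=True, text=True)
        if proc.returncode == 0:
            return proc.stdout.rstrip("\n")
        if proc.stderr.strip():          # lookup failed, as opposed to "no such key"
            raise RuntimeError(f"{table}: {proc.stderr.strip()}")
        return None
    return lookup

def compare_tables(keys, local_lookup, network_lookup):
    """Return (key, local, network) for each key where the results are not identical."""
    diffs = []
    for key in keys:
        local, network = local_lookup(key), network_lookup(key)
        if local != network:             # exact match: whitespace and not-found count
            diffs.append((key, local, network))
    return diffs

# Constructed stand-ins so the comparison runs without Postfix installed.
LOCAL = {"alice@example.com": "alice", "bob@example.com": "bob"}
NETWORK = {"alice@example.com": "alice", "bob@example.com": "bob ",
           "@example.com": "alice"}     # stray catch-all row left in the database
# Probe addresses that must be absent as well as ones that must be present.
PROBES = ["alice@example.com", "bob@example.com", "nobody@example.com", "@example.com"]

def demo():
    """Compare the two constructed tables over the probe list."""
    return compare_tables(PROBES, LOCAL.get, NETWORK.get)

if __name__ == "__main__":
    for key, local, network in demo():
        print(f"MISMATCH {key!r}: local={local!r} network={network!r}")
    # On a real host (hypothetical table names):
    # compare_tables(PROBES, postmap_lookup("hash:/etc/postfix/virtual"),
    #                postmap_lookup("mysql:/etc/postfix/mysql-virtual.cf"))
```

An empty result means the network table answered every probe exactly as the local file did.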
The simplest method to host an additional domain is to add the domain name to the domains listed in the Postfix mydestination configuration parameter, and to add the user names to the UNIX password file.
Line 2: the virtual_alias_domains setting tells Postfix that example.com is a so-called virtual alias domain. If you omit this setting then Postfix will reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself).
Lines 3-8: the /etc/postfix/virtual file contains the virtual aliases. With the example above, mail for postm...@example.com goes to the local postmaster, while mail for in...@example.com goes to the UNIX account joe, and mail for sa...@example.com goes to the UNIX account jane. Mail for all other addresses in example.com is rejected with the error message "User unknown".
Line 10: the commented out entry (text after #) shows how one would implement a catch-all virtual alias that receives mail for every example.com address not listed in the virtual alias file. This is not without risk. Spammers nowadays try to send mail from (or mail to) every possible name that they can think of. A catch-all mailbox is likely to receive many spam messages, and many bounces for spam messages that were sent in the name of anyt...@example.com.
Virtual aliasing solves one problem: it allows each domain to have its own info mail address. But there still is one drawback: each virtual address is aliased to a UNIX system account. As you add more virtual addresses you also add more UNIX system accounts. The next section eliminates this problem.
With the Postfix virtual(8) mailbox delivery agent, every recipient address can have its own virtual mailbox. Unlike virtual alias domains, virtual mailbox domains do not need the clumsy translation from each recipient address into a different address, and owners of a virtual mailbox address do not need to have a UNIX system account.
The Postfix virtual(8) mailbox delivery agent looks up the user mailbox pathname, uid and gid via separate tables that are searched with the recipient's mail address. Maildir style delivery is turned on by terminating the mailbox pathname with "/".
If you find the idea of multiple tables bothersome, remember that you can migrate the information (once it works), to an SQL database. If you take that route, be sure to review the "local files versus databases" section at the top of this document.
Line 2: The virtual_mailbox_domains setting tells Postfix that example.com is a so-called virtual mailbox domain. If you omit this setting then Postfix will reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself).
Line 3: The virtual_mailbox_base parameter specifies a prefix for all virtual mailbox pathnames. This is a safety mechanism in case someone makes a mistake. It prevents mail from being delivered all over the file system.
Line 5: The virtual_minimum_uid specifies a lower bound on the mailbox or maildir owner's UID. This is a safety mechanism in case someone makes a mistake. It prevents mail from being written to sensitive files.
Lines 6, 7: The virtual_uid_maps and virtual_gid_maps parameters specify that all the virtual mailboxes are owned by a fixed uid and gid 5000. If this is not what you want, specify lookup tables that are searched by the recipient's mail address.
Line 14: The commented out entry (text after #) shows how one would implement a catch-all virtual mailbox address. Be prepared to receive a lot of spam, as well as bounced spam that was sent in the name of anyt...@example.com.
Lines 8, 17, 18: As you see, it is possible to mix virtual aliases with virtual mailboxes. We use this feature to redirect mail for example.com's postmaster address to the local postmaster. You can use the same mechanism to redirect an address to a remote address.
Line 18: This example assumes that in main.cf, $myorigin is listed under the mydestination parameter setting. If that is not the case, specify an explicit domain name on the right-hand side of the virtual alias table entries or else mail will go to the wrong domain.
Note: mail delivery happens with the recipient's UID/GID privileges specified with virtual_uid_maps and virtual_gid_maps. Postfix 2.0 and earlier will not create mailDIRs in world-writable parent directories; you must create them in advance before you can use them. Postfix may be able to create mailBOX files by itself, depending on parent directory write permissions, but it is safer to create mailBOX files ahead of time.
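An added example, not part of the original Postfix documentation: a Python audit of the tables behind virtual_mailbox_maps and virtual_uid_maps against the two safety limits and the catch-all risk described above. The table contents, the base directory /var/mail/vhosts and the minimum UID 100 are constructed values, and flagging ".." paths is this script's own policy, not a description of what virtual(8) enforces.

```python
import posixpath

# Constructed sample tables in Postfix "key  value" syntax (addresses, paths, UIDs are made up).
VMAILBOX = """\
# recipient            mailbox path; trailing "/" selects maildir delivery
alice@example.com      example.com/alice/
bob@example.com        example.com/bob
carol@example.com      ../outside/carol
@example.com           example.com/catchall
"""
UID_MAP = """\
alice@example.com      5000
bob@example.com        0
carol@example.com      5000
"""

def parse_table(text):
    """Return {key: value}; skips blank and # lines, joins whitespace-led continuation lines."""
    table, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            table[last] = (table[last] + " " + line.strip()).strip()
            continue
        parts = line.split(None, 1)
        last = parts[0]
        table[last] = parts[1].strip() if len(parts) > 1 else ""
    return table

def audit(vmailbox, uid_map, base, minimum_uid):
    """Return sorted (recipient, finding) pairs for entries an operator should review."""
    findings = []
    root = posixpath.normpath(base)
    for rcpt, path in parse_table(vmailbox).items():
        # Model the prefixing the page describes: base is prepended to every lookup result.
        full = posixpath.normpath(root + "/" + path)
        if not full.startswith(root + "/"):
            findings.append((rcpt, "path leaves virtual_mailbox_base: " + full))
        if rcpt.startswith("@"):
            findings.append((rcpt, "catch-all entry"))
    for rcpt, uid in parse_table(uid_map).items():
        if not uid.isdigit() or int(uid) < minimum_uid:
            findings.append((rcpt, "uid below virtual_minimum_uid: " + uid))
    return sorted(findings)

if __name__ == "__main__":
    # Assumed settings: virtual_mailbox_base=/var/mail/vhosts, virtual_minimum_uid=100.
    for rcpt, finding in audit(VMAILBOX, UID_MAP, "/var/mail/vhosts", 100):
        print(rcpt, "-", finding)
```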
This is a variation on the Postfix virtual mailbox example. Again, every hosted address can have its own mailbox. However, most parameters that control the virtual(8) delivery agent are no longer applicable: only virtual_mailbox_domains and virtual_mailbox_maps stay in effect. These parameters are needed to reject mail for unknown recipients.
While non-Postfix software is being used for final delivery, some Postfix concepts are still needed in order to glue everything together. For additional background on this glue you may want to take a look at the virtual mailbox domain class as defined in the ADDRESS_CLASS_README file.
Line 2: With delivery to a non-Postfix mailbox store for hosted domains, the virtual_transport parameter usually specifies the Postfix LMTP client, or the name of a master.cf entry that executes non-Postfix software via the pipe delivery agent. Typical examples (use only one):
Line 3: The virtual_mailbox_domains setting tells Postfix that example.com is delivered via the virtual_transport that was discussed in the previous paragraph. If you omit this virtual_mailbox_domains setting then Postfix will either reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself).
Lines 4, 7-13: The virtual_mailbox_maps parameter specifies the lookup table with all valid recipient addresses. The lookup result value is ignored by Postfix. In the above example, in...@example.com and sa...@example.com are listed as valid addresses; other mail for example.com is rejected with "User unknown" by the Postfix SMTP server. It's left up to the non-Postfix delivery agent to reject non-existent recipients from local submission or from local alias expansion. If you intend to use LDAP, MySQL or PgSQL instead of local files, be sure to review the "local files versus databases" section at the top of this document!
Lines 5, 15, 16: As you see above, it is possible to mix virtual aliases with virtual mailboxes. We use this feature to redirect mail for example.com's postmaster address to the local postmaster. You can use the same mechanism to redirect any addresses to a local or remote address.
Line 16: This example assumes that in main.cf, $myorigin is listed under the mydestination parameter setting. If that is not the case, specify an explicit domain name on the right-hand side of the virtual alias table entries or else mail will go to the wrong domain.
Some providers host domains that have no (or only a few) local mailboxes. The main purpose of these domains is to forward mail elsewhere. The following example shows how to set up example.com as a mail forwarding domain:
Line 2: The virtual_alias_domains setting tells Postfix that example.com is a so-called virtual alias domain. If you omit this setting then Postfix will reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself).
Lines 3-11: The /etc/postfix/virtual file contains the virtual aliases. With the example above, mail for postm...@example.com goes to the local postmaster, while mail for j...@example.com goes to the remote address joe@somewhere, and mail for ja...@example.com goes to the remote address jane@somewhere-else. Mail for all other addresses in example.com is rejected with the error message "User unknown".
Line 10: The commented out entry (text after #) shows how one would implement a catch-all virtual alias that receives mail for every example.com address not listed in the virtual alias file. This is not without risk. Spammers nowadays try to send mail from (or mail to) every possible name that they can think of. A catch-all mailbox is likely to receive many spam messages, and many bounces for spam messages that were sent in the name of anyt...@example.com.