Explanation of how to Block Senders using Postfix, et al.

OK, Postfix is the main tool that I use to run my email services. The goal/hope is to be able to be low on the list of people that are hacked, unlike those that are part of the aggregation services such as Gmail, Outlook, and Yahoo. Yahoo BTW had all their billion-plus users hacked and didn’t disclose that to us promptly. It would have remained hidden if it weren’t for the sale.

Postfix is a tool that allows you to run an email service right out of the box, but obviously there are things that must be done to make your email known to the rest of the world. If you don’t let your server be known well, no mail will ever get to you.

How do we let it be known? You buy a domain name, then add a record in the DNS to point to your mail server. That’s pretty easy. Just buy your domain from any registrar. Typically $8 to $15 a year. Renewed every year. Then when you set it up, you tell the registrar what your public IP is. Your public IP is like the street address. DNS is like the phone book where you look up the phone number and street address. You have to do this or no one will know about you, and having a domain name without letting anyone know is pointless. Might as well not have a domain name.

Once you get the domain name and you create a record in the DNS telling everyone what your public IP is, you then create an MX record. Doing so basically says: this domain has a mail exchange record and it is this IP address.

When people go to send you mail, their email system looks at the DNS, finds the MX record and then the mail is routed to it.

That’s very easy, believe it or not. Far less complex than writing formulas in a spreadsheet or setting up fields in a database. Even filling out a form to get a debit card is more complex than adding those records to your DNS. And, btw, if things change you just update the DNS to point to your new IP and you are good to go.

So, buy a domain name, set an MX record, and then get a server set up that runs Postfix with the intent of sending and receiving email AND blocking all those guys you don’t want sending you email. Postfix is the tool and it has associated utilities that assist in the matter. That’s what this post is about.

Under Postfix there are various tools/utilities which do things such as determine if certain email addresses, domains, and IP addresses are to be blocked. The utilities also manage what happens when a virus comes in. It can reject it. It can look at the headers of the message and block certain scam emails, such as those saying that you are infected with a virus. It can look at the subject of the email, see that it has the words “virus alert” and block that email by rejecting it back to the host, telling them that scam and/or spam is not appreciated. If you keep getting emails from people you told not to send them, such as marketers, those can be blocked too. I personally would rather not have to be bothered with some emails. Marketers are just annoying.

The problem is that using these tools can be confusing. Which tool? Which config file? Where’s it located? For which distribution? Those are the types of things that I want to address here.

sender_access. This file is located in the /etc/postfix folder and its name is sender_access. It’s a text file that can be edited with any text editor. In this file you have the email addresses or domain names that you want to allow or reject. Mostly reject.

header_checks. This is also located in /etc/postfix and it is also a text file that can be edited in the same way. Here you can use regular expressions to locate and block emails that contain some phrase in the subject, or maybe you want to block all the emails coming from the .ru top-level domain. I have no reason to receive emails from the .ru domain. Nor do I have a need technically to receive an email from anyone but those in the US. This file is where you would put that information to reject all emails from those places.

sender_access and header_checks serve similar purposes but operate on different data. sender_access looks at the email address and header_checks looks at the whole of the header and can evaluate regular expressions in order to reject email. They are similar in that header_checks lets you reject top-level domains and other patterns, while sender_access lets you allow or reject mail from specific domains.
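A simplified Python model of the two lookups described above, added here as an illustration; it is not Postfix's code and not from the original post. The table entries, addresses and messages are constructed samples, and the lookup logic covers only basic address/domain matching and first-match regular expressions.

```python
import re

# Constructed sample tables, written in the syntax each Postfix file uses.
SENDER_ACCESS = """\
# /etc/postfix/sender_access: an address or domain, then the action
spammer@example.net      REJECT
marketing.example        REJECT Unsubscribe requests were ignored
"""
HEADER_CHECKS = r"""
# /etc/postfix/header_checks: /regex/ then the action, first match wins
/^Subject:.*virus alert/   REJECT Scam and spam are not appreciated
/^From:.*\.ru>?\s*$/       REJECT Mail from .ru is not accepted here
"""

def load_sender_access(text):
    """Parse 'key action' lines into a dict, skipping blanks and comments."""
    rows = [l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {key.lower(): action.strip() for key, action in rows}

def load_header_checks(text):
    """Parse '/regex/ action' lines into (compiled regex, action) pairs, in file order."""
    found = re.findall(r"^/(.+)/[ \t]+(.+)$", text, re.MULTILINE)
    return [(re.compile(rx, re.IGNORECASE), action.strip()) for rx, action in found]

def check_sender(envelope_sender, table):
    """sender_access model: try the full envelope address, then its domain and parents."""
    addr = envelope_sender.lower()
    labels = addr.rsplit("@", 1)[-1].split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels))]
    return next((table[k] for k in keys if k in table), None)  # None: no entry

def check_headers(header_lines, rules):
    """header_checks model: test every header line against the regexes, first match wins."""
    hits = (action for line in header_lines for rx, action in rules if rx.search(line))
    return next(hits, None)  # None: no header matched

# Constructed messages: (SMTP envelope sender, header lines of the message).
MESSAGES = {
    "forged_from": ("ads@mail.marketing.example", ["From: <help@bank.example>", "Subject: Sale"]),
    "scam_subject": ("user@isp.example", ["From: <user@isp.example>", "Subject: VIRUS ALERT on your PC"]),
    "ru_header": ("relay@hosting.example", ["From: Ivan <ivan@shop.example.ru>", "Subject: Hello"]),
}

def evaluate(name):
    """Return (sender_access verdict, header_checks verdict) for one sample message."""
    sender, headers = MESSAGES[name]
    return (check_sender(sender, load_sender_access(SENDER_ACCESS)),
            check_headers(headers, load_header_checks(HEADER_CHECKS)))
```

On a real server, `sender_access` is an indexed table that is rebuilt with `postmap` after each edit and referenced through `check_sender_access` in an smtpd restriction list, while the regular-expression file is named by the `header_checks` parameter in main.cf.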

This is unclear in most of the documentation that I receive. It is quite disheartening when you are looking for something to help you understand this whole process and all you get are people linking back to the equivalent of a man page. If you want to know why I would use a specific one vs the other or if you want to use your own (which I don’t recommend) good luck figuring that out. Reading those man pages is like reading some arcane script in a language you don’t know and trying to do something with it.

The idea behind Postfix is that it is flexible in that it allows you to configure it in many different ways. If you don’t want to have external email, you can just use it as an internal mail system. If you want external and want IMAP in addition to POP3 you can. Dovecot handles that well. If you want virus scanning but not anti-spam you can do that too. If you want to configure it so that your users can configure spam for their account that’s an option also.

My goal here was to differentiate between header_checks and sender_access. To point out the differences and commonalities and to help you better understand how to choose which one you want to use.