Introduction
Postfix is a mail transfer agent (MTA), an application used to send and receive email. It can be configured so that only local applications can use it to send email. This is useful in situations when you need to regularly send email notifications from your apps or have a lot of outbound traffic that a third-party email service provider won’t allow. It’s also a lighter alternative to running a full-blown SMTP server, while retaining the required functionality.
In this tutorial, you’ll install and configure Postfix as a send-only SMTP server. You’ll also request free TLS certificates from Let’s Encrypt for your domain and encrypt the outbound emails using them.
Prerequisites
One Ubuntu 20.04 server set up with the Initial Server Setup with Ubuntu 20.04, including creating a sudo non-root user.
A fully registered domain name. This tutorial will use your_domain throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
An A DNS record with your_domain pointing to your server’s public IP address. You can follow this introduction to DigitalOcean DNS for details on how to add them.
Note: Your server’s hostname and your Droplet’s name must match your_domain, because DigitalOcean automatically sets PTR records for the Droplet’s IP address according to its name.
You can verify the server’s hostname by typing hostname at the command prompt. The output should match the name you gave the Droplet when it was being created.
Step 1 — Installing Postfix
In this step, you’ll install Postfix. The fastest way is to install the mailutils package, which bundles Postfix with a few supplementary programs that you’ll use to test sending email.
First, update the package database:
sudo apt update
Then, install Postfix by running the following command:
sudo apt install mailutils
Near the end of the installation process, you will be presented with the Postfix configuration window.
The default option is Internet Site. That’s the recommended option for your use case, so press TAB, and then ENTER. If you only see the description text, press TAB to select OK, then ENTER.
If it does not show up automatically, run the following command to start it:
sudo dpkg-reconfigure postfix
After that, you’ll get another configuration prompt regarding the System mail name.
The System mail name must be the same as the name you assigned to your server when you were creating it. When you’ve finished, press TAB, followed by ENTER.
You have now installed Postfix and are ready to start configuring it.
Step 2 — Configuring Postfix
In this step, you’ll configure Postfix to send and receive emails only from the server on which it is running—that is, from localhost.
For that to happen, you need to configure Postfix to listen only on the loopback interface, the virtual network interface that the server uses to communicate internally. To make the changes, you’ll need to edit the main Postfix configuration file called main.cf, stored under /etc/postfix.
Open it for editing using your favorite text editor:
sudo nano /etc/postfix/main.cf
Find the following lines:
. . .
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
. . .
Set the value of the inet_interfaces setting to loopback-only:
. . .
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
. . .
Another directive you’ll need to modify is mydestination, which specifies the list of domains that are delivered via the local_transport mail delivery transport. By default, the values are similar to these:
. . .
mydestination = $myhostname, your_domain, localhost.com, , localhost
. . .
Change the line to look like this:
. . .
mydestination = localhost.$mydomain, localhost, $myhostname
. . .
If your domain is actually a subdomain and you want the email messages to look as if they were sent from the main domain, you can add the following line to the end of main.cf:
...
masquerade_domains = your_main_domain
The optional masquerade_domains setting specifies the domains for which the subdomain will be stripped off in the email address.
When you are done, save and close the file.
Note: If you’re hosting multiple domains on a single server, the other domains can also be passed to Postfix using the mydestination directive.
Then, restart Postfix by running the following command:
sudo systemctl restart postfix
You’ve configured Postfix to only send emails from your server. You’ll now test it by sending an example message to an email address.
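To confirm that the inet_interfaces change took effect after the restart, check what is actually listening on port 25. The following is an added example, not part of the original tutorial: it filters ss -H -ltn output for SMTP listeners bound to anything other than loopback. The function name and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# exposed_smtp_listeners reads `ss -H -ltn` output on stdin and prints every
# listening socket on TCP port 25 that is NOT bound to a loopback address.
# Expected columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
exposed_smtp_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]                       # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            sub(/%.*$/, "", host)                 # drop interface scope, e.g. %lo
            if (port != "25") next
            if (host ~ /^127\./ || host == "[::1]") next
            print $4
        }'
}

# Constructed sample: Postfix after setting inet_interfaces = loopback-only.
SAMPLE_LOOPBACK='LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: Postfix with the default inet_interfaces = all.
SAMPLE_ALL='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# On the server itself, feed it live data instead of a sample:
#   ss -H -ltn | exposed_smtp_listeners
for name in SAMPLE_LOOPBACK SAMPLE_ALL; do
    eval "data=\$$name"
    hits=$(printf '%s\n' "$data" | exposed_smtp_listeners)
    if [ -z "$hits" ]; then
        echo "$name: port 25 is reachable on loopback only"
    else
        echo "$name: port 25 is exposed on:" $hits
    fi
done
```

Any address printed for the live system means Postfix is still accepting connections from the network, so re-check inet_interfaces in main.cf and restart the service.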
Step 3 — Testing the SMTP Server
In this step, you’ll test whether Postfix can send emails to an external email account using the mail command, which is part of the mailutils package that you installed in the first step.
To send a test email, run the following command:
echo "This is the body of the email" | mail -s "This is the subject line" your_email_address
You can change the body and the subject of the email to your liking. Remember to replace your_email_address with a valid email address that you can access.
Now, check the email address to which you sent this message. You should see the message in your inbox. If it’s not there, check your spam folder. At this point, all emails you send are unencrypted, which makes service providers think it’s likely spam. You’ll set up encryption later, in step 5.
If you receive an error from the mail command, or you haven’t received a message after a prolonged period of time, check that the Postfix configuration you edited is valid and that your server’s name and hostname are set to your domain.
Note that with this configuration, the address in the From field for the test emails you send will be in the form of your_user_name@your_domain, where your_user_name is the username of the server user you ran the command as.
You have now sent an email from your server and verified that it’s successfully received. In the next step, you’ll set up email forwarding for root.
Step 4 — Forwarding System Mail
In this step, you’ll set up email forwarding for user root, so that system-generated messages sent to it on your server get forwarded to an external email address.
The /etc/aliases file contains a list of alternate names for email recipients. Open it for editing:
sudo nano /etc/aliases
In its default state, it looks like this:
# See man 5 aliases for format
postmaster: root
The only directive present specifies that system-generated emails are sent to root.
Add the following line to the end of the file:
...
root: your_email_address
With this line, you specify that emails sent to root end up being forwarded to an email address. Remember to replace your_email_address with your personal email address. When you are done, save and close the file.
For the change to take effect, run the following command:
sudo newaliases
Running newaliases will build up a database of aliases that the mail command uses, which are taken from the config file you just edited.
Test that sending emails to root works by running:
echo "This is the body of the email" | mail -s "This is the subject line" root
You should receive the email at your email address. If it’s not there, check your spam folder.
In this step, you set up forwarding of system-generated messages to your email address. You’ll now enable message encryption, so that all emails your server sends are immune to tampering in transit and will be viewed as more legitimate.
Step 5 — Enabling SMTP Encryption
You’ll now enable SMTP encryption by requesting a free TLS certificate from Let’s Encrypt for your domain (using Certbot) and configuring Postfix to use it when sending messages.
Ubuntu includes Certbot in its default package repositories, so you can install it by running the following command:
sudo apt install certbot
When asked for confirmation, type Y and press ENTER.
As part of the initial server setup in the prerequisites, you installed ufw, the uncomplicated firewall. You’ll need to configure it to allow the HTTP port 80, so that domain verification can be completed. Run the following command to enable it:
sudo ufw allow 80
The output will look like this:
Output
Rule added
Rule added (v6)
Now that the port is open, run Certbot to get a certificate:
sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d your_domain
This command orders Certbot to issue certificates with an RSA key size of 4096 bits, to run a temporary standalone web server (--standalone) for verification, and to check via port 80 (--preferred-challenges http). Remember to replace your_domain with your domain before running the command, and enter your email address when prompted.
The output will be similar to this:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for `your_domain`
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain/privkey.pem
Your cert will expire on 2020-07-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
As written in the notes, your certificate and private key file were saved under /etc/letsencrypt/live/your_domain.
Now that you have your certificate, open main.cf for editing:
sudo nano /etc/postfix/main.cf
Find the following section:
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Modify it to look like this, replacing your_domain with your domain where necessary. This will update your TLS settings for Postfix:
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/your_domain/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/your_domain/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Once you’re done, save and close the file.
Apply the changes by restarting Postfix:
sudo systemctl restart postfix
Now, try sending an email again:
echo "This is the body of an encrypted email" | mail -s "This is the subject line" your_email_address
Then, check the email address you provided. It’s possible that you’ll see the message in your inbox immediately, because email providers are much more likely to mark unencrypted messages as spam.
You can check the technical info about the email message in your client to see that the message is indeed encrypted.
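The same check can be made on the server from the mail log. With smtp_tls_security_level=may, Postfix falls back to plaintext when the receiving server does not offer STARTTLS. This added example (not part of the original tutorial) lists deliveries whose relay never negotiated TLS. It assumes smtp_tls_loglevel = 1 is set in main.cf so that each completed handshake is logged; the function name and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# plaintext_deliveries reads Postfix log lines on stdin and prints each
# "status=sent" delivery whose smtp client process logged no
# "TLS connection established" line for the same relay.
# Heuristic: pairs lines by smtp process id and relay, and assumes
# smtp_tls_loglevel = 1 so TLS handshakes are logged at all.
plaintext_deliveries() {
    awk '
        {
            if (!match($0, /postfix\/smtp\[[0-9]+\]:/)) next
            pid  = substr($0, RSTART, RLENGTH)
            rest = substr($0, RSTART + RLENGTH)
            # e.g. "Trusted TLS connection established to mx[ip]:25: TLSv1.3 ..."
            if (match(rest, /TLS connection established to [^ ]+:/)) {
                relay = substr(rest, RSTART + 30, RLENGTH - 31)
                tls[pid SUBSEP relay] = 1
                next
            }
            if (rest ~ /status=sent/ && match(rest, /relay=[^, ]+/)) {
                relay = substr(rest, RSTART + 6, RLENGTH - 6)
                if ((pid SUBSEP relay) in tls) next
                if (match(rest, /to=<[^>]*>/))
                    print substr(rest, RSTART + 4, RLENGTH - 5) " via " relay
            }
        }'
}

# Constructed log lines: one delivery over TLS, one that fell back to plaintext.
SAMPLE_LOG='Jun  1 10:00:01 host postfix/smtp[2101]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  1 10:00:02 host postfix/smtp[2101]: 4A1B2C3D: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  1 10:05:09 host postfix/smtp[2144]: 5E6F7A8B: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# On the server, pipe the real mail log in instead (path is an assumption):
#   sudo cat /var/log/mail.log | plaintext_deliveries
printf '%s\n' "$SAMPLE_LOG" | plaintext_deliveries
```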
Conclusion
You now have a send-only email server, powered by Postfix. Encrypting all outgoing messages is an effective first step toward keeping email providers from marking your messages as spam outright. If you are doing this in a development scenario, then this measure should be enough.
However, if your use case is to send emails to potential site users (such as confirmation emails for a message board sign-up), look into setting up SPF records, so that your server’s emails are even more likely to be seen as legitimate.
Translated from: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-20-04