Postfix Multiple Instances

Running multiple instances of Postfix on a single host is a straight forward process. This is useful for creating a filtered inbound system and a responsive outbound system, on one host.

Instance Configurations

For Postfix to have multiple instances simply create a new configuration and spool directory. Update the configurations for each, and start them. In the example below we will create three instances of Postfix each for a different purpose. Mail will be for moderately filtered inbound, Gate adds heavy filtering and SMTP is for outbound only.

Before starting it's a good idea to have a core postfix system running in the desired fashion. i.e. Use one instance for everything, features, etc. desired then split it later.

Here the main instance of postfix was configured with SASL and the user accounts are in btree files like virtual_mailbox and such. The reference system here supports multiple domains, i.e. ISP type configuration.

cp -a /etc/postfix /etc/postfix.gate
cp -a /etc/postfix /etc/postfix.mail
cp -a /etc/postfix /etc/postfix.smtp

Each of these directores will hold the instance specific configuration.

In each of the Postfix main.cf files some settings need to be modified to differentiate between instances. Specifically the alternate_config_directories, inet_interfaces, queue_directory. These changes will not modify the behaviour of the Postfix, only seperate the instances. Instance specific configuration, where available, is below. Don't let multiple instances use the same queue_directory, it will only create frustration.

This shows the relevant lines in the instance specific main.cf settings

alternate_config_directories = /etc/postfix.mail /etc/postfix.smtp
inet_interfaces =
queue_directory = /var/spool/postfix.gate

alternate_config_directories = /etc/postfix.gate /etc/postfix.smtp
inet_interfaces =
queue_directory = /var/spool/postfix.mail

alternate_config_directories = /etc/postfix.gate /etc/postfix.mail
inet_interfaces =
queue_directory = /var/spool/postfix.smtp

Use Postfix to create the proper structure in those directories.

for f in /etc/postfix.*; do
	mkdir "/var/spool/${f##*/}";
	postfix -c $f check

Tune Each Instance

Each instance should be tuned for it's specific purpose. Below is show the Mail and SMTP configuration, there is another document for the Gateway configuration.

Postfix Mail Instance

In this example Mail is supposed to have minimal filtering inbound from the outside world. This is also the instance responsible for final delivery to maildir. It's configuration, in part, is like so. Notice it's still using the database file from the core instance in /etc/postfix

myhostname = mail.domain.com
mynetworks = btree:/etc/postfix/mynetworks

virtual_alias_maps = btree:/etc/postfix/virtual_alias
virtual_gid_maps = static:407
virtual_uid_maps = static:1000
virtual_mailbox_base = /var/spool/nuntius
virtual_mailbox_domains = btree:/etc/postfix/virtual_domains
virtual_mailbox_maps = btree:/etc/postfix/virtual_mailbox

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =

This system accepts mail, with relatively light filtering, and drops it into the mail directory. It's suitable for hosted clients who need to accept mail from some mis-configured system. What's not visible above is passing the message through SpamAssassin filter.

Postfix SMTP Instance

This accepts messages from the hosting clients, or any SASL enabled account and relay's to the outside world. Other hosts on the network (listed in /etc/postfix/mynetworks table) can also send using this outbound-only instance.

message_size_limit = 33554432

myhostname = smtp.domain.com
mynetworks = btree:/etc/postfix/mynetworks

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = domain.com
strict_rfc821_envelopes = yes

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

Init Script Copies

Copy the init scripts to specific instances, then you may need to edit. The patch below is what was used on the Gentoo Distribution to enable multiple instances from symlinked init.d scripts. The main part is where it determines the CONF_DIR and CONF_OPT parameters from the script name to determine the configuration file to use.

cd /etc/init.d/
ln -s postfix postfix.gate
ln -s postfix postfix.mail
ln -s postfix postfix.smtp

Loading Comments from Disqus...