edoceo: Latin "to inform fully, instruct thoroughly"

Postfix Multiple Instances


Running multiple instances of Postfix on a single host is a straightforward process. This is useful for creating a filtered inbound system and a responsive outbound system on one host.

Instance Configurations

For Postfix to run multiple instances, create a new configuration directory and spool directory for each one, update each configuration, and start them. In the example below we will create three instances of Postfix, each for a different purpose: Mail is for moderately filtered inbound mail, Gate adds heavy filtering, and SMTP is for outbound only.

Before starting, it's a good idea to have a core Postfix system running in the desired fashion, i.e. use one instance for everything, with the desired features, then split it later.

Here the main instance of Postfix was configured with SASL, and the user accounts are in btree files such as virtual_mailbox. The reference system here supports multiple domains, i.e. an ISP-type configuration.

cp -a /etc/postfix /etc/postfix.gate
cp -a /etc/postfix /etc/postfix.mail
cp -a /etc/postfix /etc/postfix.smtp

Each of these directories will hold the instance-specific configuration.

In each of the Postfix main.cf files, some settings need to be modified to differentiate between instances, specifically alternate_config_directories, inet_interfaces and queue_directory. These changes will not modify the behaviour of Postfix; they only separate the instances. Instance-specific configuration, where available, is below. Don't let multiple instances use the same queue_directory; it will only create frustration.

This shows the relevant lines of the instance-specific main.cf settings.

/etc/postfix.gate/main.cf
alternate_config_directories = /etc/postfix.mail /etc/postfix.smtp
inet_interfaces = 172.21.122.71
queue_directory = /var/spool/postfix.gate

/etc/postfix.mail/main.cf
alternate_config_directories = /etc/postfix.gate /etc/postfix.smtp
inet_interfaces = 172.21.122.72
queue_directory = /var/spool/postfix.mail

/etc/postfix.smtp/main.cf
alternate_config_directories = /etc/postfix.gate /etc/postfix.mail
inet_interfaces = 172.21.122.73
queue_directory = /var/spool/postfix.smtp

Use Postfix to create the proper structure in those directories.

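# Create a spool directory named after each config directory, then let
# "postfix check" populate it with the proper structure and permissions.
for f in /etc/postfix.*; do
	mkdir -p "/var/spool/${f##*/}"
	postfix -c "$f" check
done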
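
A pre-flight check for the separation rule above, added here as an example and not part of the original page: it reports any instances that share, or leave unset, queue_directory or inet_interfaces. The function names and the make_sample data are assumptions for illustration; the sample values are the ones from the main.cf fragments above.

```shell
#!/bin/sh
# Added example (not from the original page). Reads main.cf directly; on a
# live host `postconf -c DIR -h NAME` gives the authoritative value.

# get_param DIR NAME: print NAME's value from DIR/main.cf. The last
# assignment wins, as in Postfix. Single-line values only.
get_param() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { name = $1; gsub(/[ \t]/, "", name) }
        name == key { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }
    ' "$1/main.cf"
}

# check_instances DIR...: print one line per problem; return 1 if any found.
# Assumes one address per inet_interfaces, as in the page's settings.
check_instances() {
    rc=0
    for param in queue_directory inet_interfaces; do
        found=$(for dir in "$@"; do
                    printf '%s\t%s\n' "$(get_param "$dir" "$param")" "$dir"
                done | awk -F'\t' -v p="$param" '
                    $1 == ""    { print "UNSET " p " in " $2 " (default would be shared)"; next }
                    ($1 in own) { print "SHARED " p " = " $1 ": " own[$1] " and " $2; next }
                                { own[$1] = $2 }')
        if [ -n "$found" ]; then echo "$found"; rc=1; fi
    done
    return "$rc"
}

# make_sample ROOT: constructed sample data, the three fragments shown above.
make_sample() {
    n=71
    for i in gate mail smtp; do
        mkdir -p "$1/postfix.$i"
        printf 'inet_interfaces = 172.21.122.%s\nqueue_directory = /var/spool/postfix.%s\n' \
            "$n" "$i" > "$1/postfix.$i/main.cf"
        n=$((n + 1))
    done
}

# Usage: sh check_instances.sh /etc/postfix.gate /etc/postfix.mail /etc/postfix.smtp
if [ "$#" -gt 0 ]; then check_instances "$@"; fi
```
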

Tune Each Instance

Each instance should be tuned for its specific purpose. Below are the Mail and SMTP configurations; there is another document for the Gateway configuration.

Postfix Mail Instance

In this example Mail is supposed to have minimal filtering inbound from the outside world. This is also the instance responsible for final delivery to maildir. Its configuration, in part, is shown below. Notice it's still using the database files from the core instance in /etc/postfix.

myhostname = mail.domain.com
mynetworks = btree:/etc/postfix/mynetworks

virtual_alias_maps = btree:/etc/postfix/virtual_alias
virtual_gid_maps = static:407
virtual_uid_maps = static:1000
virtual_mailbox_base = /var/spool/nuntius
virtual_mailbox_domains = btree:/etc/postfix/virtual_domains
virtual_mailbox_maps = btree:/etc/postfix/virtual_mailbox

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_recipient
  reject_unauth_destination
  reject_unauth_pipelining
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  permit

This system accepts mail with relatively light filtering and drops it into the mail directory. It's suitable for hosted clients who need to accept mail from some misconfigured system. What's not visible above is that the message is passed through a SpamAssassin filter.

Postfix SMTP Instance

This accepts messages from the hosting clients, or any SASL-enabled account, and relays them to the outside world. Other hosts on the network (listed in the /etc/postfix/mynetworks table) can also send using this outbound-only instance.

message_size_limit = 33554432

myhostname = smtp.domain.com
mynetworks = btree:/etc/postfix/mynetworks

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = domain.com
strict_rfc821_envelopes = yes

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
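
A first-match walk over the restriction lists shown for the Mail and SMTP instances, added here as an example and not part of the original page. The function name relay_guard and its output strings are assumptions for illustration; it inspects a single list only (from Postfix 2.10 on, smtpd_relay_restrictions is evaluated as well).

```shell
#!/bin/sh
# Added example (not from the original page).
# relay_guard LIST: walk a restriction list in order, the way smtpd evaluates
# it (first matching rule wins), and report what an untrusted client reaches
# first: a relay guard or an unconditional permit.
# Heuristic: access-table lookups (check_*_access) can also permit and are
# not evaluated here.
relay_guard() {
    # Elements are separated by commas and/or whitespace.
    for r in $(printf '%s' "$1" | tr ',\n\t' '   '); do
        case $r in
            reject|defer|reject_unauth_destination|defer_unauth_destination)
                echo GUARDED; return 0 ;;
            permit)
                echo "UNGUARDED: bare permit comes before any relay guard"; return 1 ;;
        esac
    done
    echo "UNGUARDED: list contains no relay guard"; return 1
}

# The two smtpd_recipient_restrictions lists from this page.
SMTP_LIST='permit_mynetworks, permit_sasl_authenticated, reject'
MAIL_LIST='permit_mynetworks
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  reject_unlisted_recipient
  reject_unauth_destination
  reject_unauth_pipelining
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  permit'

# On a live host, feed it the effective value instead, e.g.
#   relay_guard "$(postconf -c /etc/postfix.smtp -h smtpd_recipient_restrictions)"
```

Both lists from the page come out GUARDED; moving the final permit of the Mail list above reject_unauth_destination would flip the result.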

Init Script Patch

This simple patch is needed for Gentoo; I'm hoping they adopt it. It makes the Postfix init script work like the OpenVPN init script. To use it, make a symlink to the core script for each instance:

cd /etc/init.d/
ln -s postfix postfix.gate
ln -s postfix postfix.mail
ln -s postfix postfix.smtp

The patch to the init script:
--- postfix.dist	2007-02-11 15:25:01.000000000 -0800
+++ postfix	2007-02-11 23:17:33.000000000 -0800
@@ -3,27 +3,39 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/postfix.rc6.2.2.9,v 1.1 2006/03/07 21:07:20 ferdy Exp $
 
+CONF_DIR="/etc/postfix"
+CONF_OPT="${SVCNAME##*.}"
+if [[ -n ${CONF_OPT} && ${SVCNAME} != "postfix" ]]; then
+	CONF_DIR="${CONF_DIR}.${CONF_OPT}"
+fi
+
 opts="${opts} reload"
 
 depend() {
 	use logger dns ypbind amavisd mysql postgresql antivirus postfix_greylist net saslauthd
-	provide mta
+	if [ "${SVCNAME}" == "postfix" ]; then
+		provide mta
+	fi
 }
 
 start() {
-	ebegin "Starting postfix"
-	/usr/sbin/postfix start &>/dev/null
+	ebegin "Starting postfix (${CONF_DIR})"
+	if [ ! -d ${CONF_DIR} ]; then
+		eend 1 "${CONF_DIR} does not exist"
+		return 1
+	fi
+	/usr/sbin/postfix -c ${CONF_DIR} start &>/dev/null
 	eend $?
 }
 
 stop() {
-	ebegin "Stopping postfix"
-	/usr/sbin/postfix stop &>/dev/null
+	ebegin "Stopping postfix (${CONF_DIR})"
+	/usr/sbin/postfix -c ${CONF_DIR} stop &>/dev/null
 	eend $?
 }
 
 reload() {
-	ebegin "Reloading postfix"
-	/usr/sbin/postfix reload &>/dev/null
+	ebegin "Reloading postfix (${CONF_DIR})"
+	/usr/sbin/postfix -c ${CONF_DIR} reload &>/dev/null
 	eend $?
 }
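
Review bot: `${CONF_DIR}` is expanded unquoted in start(), stop() and reload() (`[ ! -d ${CONF_DIR} ]`, `/usr/sbin/postfix -c ${CONF_DIR} ...`); quote it as "${CONF_DIR}" so the value derived from SVCNAME always reaches postfix as a single argument. Only start() checks that the directory exists, so stop() and reload() against a missing instance directory fail with no explanation because output goes to /dev/null; the same `-d` test with an eend message belongs there too. In depend(), `provide mta` is now limited to the service named "postfix", so a host that runs only the postfix.gate, postfix.mail and postfix.smtp symlinks has nothing providing mta; worth a comment in the script or a note in the documentation. The `-n ${CONF_OPT}` test is redundant with the `${SVCNAME} != "postfix"` test next to it, since `${SVCNAME##*.}` returns the whole name when there is no dot.
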
© 1999-2008 Edoceo, Inc.