Mysql failover in Postfix

Tested in Debian 8 / Postfix 2.11

In a environment with Postfix and Mysql as backend, if you have several mysql servers in replication mode (cluster, master-master, master-slave …), you can configure postfix to connect to these servers, so if one of them falls, postfix will try to connect the next available one.

This is made in the configuration file of the mysql connection, in the hosts parameter:

~ $ cd /etc/postfix
~ $ cat mysql-users.cf
user = mysql-user
password = mysql-password
dbname = mysql-db
table = users
hosts = server1 server2 server3
query = select maildir from users where username='%s'

If you have configuration files for alias, domains, or more, you will have to make changes in these files too.

Postfix + OpenDMARC

OpenDMARC is a spam control mechanism that complements SPF and DKIM checks, including reporting policies. In Debian/Ubuntu you can install opendmarc from repositories:

~ $ apt-get install opendmarc

On Debian wheezy you have to add backports to sources.list file before:

~ $ echo 'deb http://ftp.debian.org/debian wheezy-backports main contrib' >> /etc/apt/sources.list
~ $ apt-get update
~ $ apt-get install opendmarc

Change configuration en /etc/opendmarc.conf, take this as example:

AuthservID mail.server.com
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
TrustedAuthservIDs mail.server.com,mail2.server.com,mail3.server.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
SoftwareHeader true

Add hosts to /etc/opendmarc/ignore.hosts:

~ $ mkdir /etc/opendmarc
~ $ vim /etc/opendmarc/ignore.hosts
localhost
192.168.1.0/24

Configure port in /etc/default/opendmarc:

SOCKET="inet:83682@localhost"

And restart opendmarc:

~ $ /etc/init.d/opendmarc restart

Now configure postfix, add milters to existent milters (dkim) in /etc/postfix/main.cf:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:1234,inet:localhost:83682
non_smtpd_milters = inet:localhost:1234,inet:localhost:83682

Then restart:

~ $ /etc/init.d/postfix restart

Finally add _dmarc TXT dns record to your domain, example:

"v=DMARC1; p=none; pct=100; rua=mailto:postmaster@server.com; ruf=mailto:postmaster@server.com; fo=0; adkim=r; aspf=r"

Where:

v=DMARC1: dmarc version
p=none: means do nothing if dmarc check fails, is good for testing. You can use “p=quarantine” or “p=reject” instead.
pct=0: defines the percentage of mail to which policies are applied (0-100)
rua: address for sending reports
ruf: address for sending forensic reports
fo: reporting options, 0 generate a report if both SPF and DKIM checks failed
adkim: DKIM restrictive level (s=strict, r=relaxed)
aspf: SPF restrictive level (s=strict, r=relaxed)

Wait for the TTL refresh time and test if the record was created successfully:

~ $ dig +short txt _dmarc.server.com
"v=DMARC1\; p=none\; rua=mailto:postmaster@server.com\; ruf=mailto:postmaster@server.com\; fo=0\; adkim=r\; aspf=r"

Show subject in postfix logs

To show the subject of the emails in the postfix log you can use the header_checks parameter.

In the main.cf file add:

header_checks = regexp:/etc/postfix/header_checks

And in the file /etc/postfix/header_checks add:

/^Subject:/ WARN

Then restart postfix:

~ $ /etc/init.d/postfix restart