Läuft auf

Ansicht:

Debian 13 (Trixie)

Gleich auf:

Andere Versionen:

Debian 10 (Buster) Debian 11 (Bullseye) Debian 12 (Bookworm) Debian 9 (Stretch) CentOS Stream 9 Red Hat Enterprise Linux 8 (Ootpa) Red Hat Enterprise Linux 9 (Plow) Ubuntu 18.04 LTS (Bionic Beaver) Ubuntu 20.04 LTS (Focal Fossa) Ubuntu 22.04 LTS (Jammy Jellyfish) Ubuntu 24.04 LTS (Noble Numbat)

Details

Größe: 85 Zeilen
MD5: 9f5642be48b1f6aa33e7e3c511a60d7a
SHA256: 956ad871586f04750ae6c4ae95db63c192b71baf50d8318b2a2752681306d978

/etc/systemd/postfix.service

[Unit]
Description=Postfix Mail Transport Agent (main/default instance)
Documentation=man:postfix(1)
After=network.target nss-lookup.target
# network-online.target is a semi-working work-around for specific
# network_interfaces, https://bugs.debian.org/854475#126
# Please add local override wanting network-online.target or
# systemd-networkd-wait-online@INTERFACE:no-carrier.service
#After=network-online.target
#Wants=network-online.target
ConditionPathExists=/etc/postfix/main.cf
# pre-3.9.1-7 multi-instance setup:
Conflicts=postfix@-.service

[Service]
Type=forking
# Force operations on single default instance, do not run postmulti wrapper
Environment=MAIL_CONFIG=/etc/postfix
# perform 2-stage startup
ExecStartPre=+postfix check
ExecStart=postfix debian-systemd-start
ExecStop=postfix stop
ExecReload=postfix reload

# Postfix consists of multiple processes run by a master(8) orchestrator,
# each of them having different requirements.  From the whole set, local(8)
# (the Postfix local delivery agent) is the most demanding one, because it
# runs things as user, and a user needs to be able to run suid/sgid programs
# (if not only to be able to deliver mail to /var/spool/postfix/postdrop).
# Individual Postfix daemons are started as root, optionally perform chroot
# into the queue directory, and drop privileges voluntary

# listen(2) on privileged ports (smtp)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# chroot into queue dir
CapabilityBoundingSet=CAP_SYS_CHROOT
# drop root privs, run as user when delivering local mail
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# processes access protected files in non-root-owned dirs (acl root:rwx);
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# https://bugs.debian.org/1099891 :
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# chown(2) is needed for procmal &Co to create /var/mail/$USER
CapabilityBoundingSet=CAP_CHOWN

# users might run suid/sgid programs from ~/.forward:
RestrictSUIDSGID=no
# for the same reason, NoNewPrivileges can not be set to yes
NoNewPrivileges=no

# if you don't use procmail for delivery to /var/mail/$USER,
# CAP_CHOWN can be removed.
# if you don't use local(8) at all, only doing local delivery over LMTP
# or using virtual(8), you can also set
#RestrictSUIDSGID=yes
#NoNewPrivileges=yes
# Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACL to
# postfix-owned dis in spool: public, private; and whatever maps in protected
# subdirs you use, relying on cap_dac_override

LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectControlGroups=yes
ProtectClock=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# ProtectProc is not usable with User=root:
#ProtectProc=noaccess
ProcSubset=pid
# ProtectSystem can be "yes" if rw maps are in /etc, or "full"
# Alternative would be "strict" +ReadWritePaths=/var
ProtectSystem=full
# Need to write to ~/Maildir/ etc:
ProtectHome=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

SystemCallFilter=@system-service @setuid chroot

[Install]
WantedBy=multi-user.target

Kopieren & Einfügen

curl:

curl https://exampleconfig.com/api/v1/config/original/9f5642be48b1f6aa33e7e3c511a60d7a?hint=postfix.service

wget:

wget -O postfix.service https://exampleconfig.com/api/v1/config/original/9f5642be48b1f6aa33e7e3c511a60d7a?hint=postfix.service

Für KI-Agenten

<prompt><role>DevOps agent</role><source url='https://exampleconfig.com/api/v1/config/original/9f5642be48b1f6aa33e7e3c511a60d7a?hint=postfix.service' /><config><app>Postfix</app><os>Debian 13 (Trixie)</os><location>/etc/systemd/postfix.service</location><lines>85</lines><md5>9f5642be48b1f6aa33e7e3c511a60d7a</md5><sha256>956ad871586f04750ae6c4ae95db63c192b71baf50d8318b2a2752681306d978</sha256></config></prompt>

Füge es in Claude, ChatGPT oder einen anderen KI-Assistenten ein.

Postfix installieren

Alpine Linux

sudo apk add postfix

Debian

sudo apt update && sudo apt install postfix

Red Hat Enterprise Linux

sudo yum install postfix

Ubuntu

sudo apt update && sudo apt install postfix

Ablageort

Pfad

/etc/systemd/postfix.service

Verzeichnis

/etc/systemd/

Bedeutung

Systemweites Konfig-Verzeichnis

Beschreibung

In /etc/ liegen systemweite Einstellungen, die alle Benutzer betreffen.

FAQ

Wann sollte ich postfix.service verwenden?

Nutze sie, um eine fehlende Default-Datei wiederherzustellen, zu prüfen, was ausgeliefert wurde, oder sie gegen deine aktuelle Postfix-Config zu diffen.

Wie stelle ich die Defaults von Postfix wieder her?

Lad die Datei runter, sichere die aktuelle in /etc/systemd/postfix.service, ersetze sie und lade Postfix neu oder starte es neu.

Ist postfix.service für den produktiven Einsatz geeignet?

Das ist der Hersteller-Default für Debian 13 (Trixie). Nimm sie als Basis und prüf Security- und Performance-Einstellungen, bevor du sie produktiv nutzt.

Wie unterscheidet sich das von anderen OS-Versionen?

Defaults variieren je nach Distro und Version. Diese Version passt zu Debian 13 (Trixie).

Kann ich das fürs Troubleshooting von Postfix nutzen?

Ja. Diff es gegen deine Version, finde Abweichungen und stell nur die Teile wieder her, die du brauchst.

Postfix /etc/systemd/postfix.service