Hi!

I took a really old config from one of my servers (main.cf) and now it's working... During the next week I will try to compare the configs and find out where the difference is...

Ciao Gerd


On 31.12.2024 at 22:23, Viktor Dukhovni via Postfix-users wrote:
On Tue, Dec 31, 2024 at 09:51:01PM +0100, Gerd Hoerst via Postfix-users wrote:

So here also the right sender address
Yes, it's the file.... If I change only the file, postfix croaks that
/etc/aliases is newer than /etc/aliases.db (after I ran postalias
/etc/aliases it has an older timestamp)
Well, now you need to post the outputs of:

     $ postconf -Mf unix/local
     $ postmap -q g $(postconf -xh alias_maps)
     $ postmap -q g unix:passwd.byname

And fresh logging of a delivery failure, now that (perhaps) the desired
aliases entry is in place.


postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
Fine.  Presumably the default_database_type is "hash".

debug_peer_level = 10
I doubt you want anything higher than 2 here, though for now it does not
matter given debug_peer_list is empty.

mailbox_command = procmail -a "$EXTENSION"
Handles local users with shell accounts, after alias expansion.

masquerade_domains = hoerst.net
Best avoided, breaks recipient validation by wildcarding subdomains.

mydestination = $myhostname, smtp.hoerst.net virgo.hoerst.net,
     localhost.hoerst.net, localhost, $mydomain
mydomain = hoerst.net
myorigin = $mydomain
As expected.

qmgr_message_active_limit = 150
qmgr_message_recipient_limit = 150
That's remarkably small, but if you never have more than a handful of
messages in the queue, fine...

relay_domains = hoerst.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients
Just set these empty instead. This is a local domain.

smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES,eNULL,
     aNULL, ADH-AES256-GCM-SHA384
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES,eNULL,
     aNULL, ADH-AES256-GCM-SHA384
The "eNULL" and "ADH-AES256-GCM-SHA384" exclusions are redundant.
No idea what "PSD" is supposed to be (perhaps "PSK", which along
with "SRP" are merely "cosmetic" exclusions, because these require
additional configuration before they're actually usable).

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1, !TLSv1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1, !TLSv1
The preferred syntax is ">=TLSv1.2" (no space or "," after ">=").

smtpd_sasl_auth_enable = yes
Best in master.cf only for the submission services, and not enabled
on port 25.

smtpd_tls_eecdh_grade = ultra
This is obsolete, and now a bad idea.  Use the default "auto" instead,
with TLS 1.3 this is ignored, but it limits interoperability and
degrades performance (~17x costlier key exchange relative to P-256) with
TLS 1.2.

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Obsoleted by session tickets, best left empty.

smtpd_use_tls = yes
Obsoleted by "smtpd_tls_security_level".

tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
The "eNULL" exclusion is redundant.  Unclear why you disable aNULL,
though with TLS not having any anonymous ciphers and TLS 1.2 becoming
increasingly less common, it hardly matters.

tls_random_source = dev:/dev/urandom
Best to let this default.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
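
The review points raised in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread and not Postfix code: a small Python linter that parses `postconf -nf`-style output, including indented continuation lines, and flags the settings the reply calls out. The function names `parse_postconf` and `lint` are hypothetical, and the sample input is constructed from values quoted in the thread.

```python
import re

# Constructed sample in `postconf -nf` layout, built from values quoted in the thread.
SAMPLE = """\
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES,eNULL,
     aNULL, ADH-AES256-GCM-SHA384
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1, !TLSv1
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
"""

def parse_postconf(text):
    """Map name -> value; an indented line continues the previous parameter."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        elif "=" in line:
            # Split on the first "=" only, so values such as ">=TLSv1.2" survive.
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def lint(params):
    """Return (name, note) pairs for the settings criticised in the reply."""
    notes = []
    for name, value in sorted(params.items()):
        if name == "smtpd_tls_eecdh_grade" and value != "auto":
            notes.append((name, 'obsolete; use the default "auto"'))
        elif name == "smtpd_use_tls":
            notes.append((name, 'obsoleted by "smtpd_tls_security_level"'))
        elif name == "smtpd_tls_session_cache_database" and value:
            notes.append((name, "obsoleted by session tickets; leave empty"))
        elif name.endswith("_protocols") and "!" in value:
            notes.append((name, 'preferred syntax is a floor such as ">=TLSv1.2"'))
        elif name.endswith("_exclude_ciphers"):
            tokens = set(re.split(r"[,\s]+", value))
            for tok in sorted(tokens & {"eNULL", "ADH-AES256-GCM-SHA384", "PSD"}):
                kind = "unknown keyword" if tok == "PSD" else "redundant exclusion"
                notes.append((name, f"{kind}: {tok}"))
    return notes

if __name__ == "__main__":
    for name, note in lint(parse_postconf(SAMPLE)):
        print(f"{name}: {note}")
```

On a live system the input would be the captured output of `postconf -nf` instead of the embedded sample.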
