I've inherited a relatively large Postfix installation. The servers run a range of Postfix versions, from 2.1.1 to 2.6.5. Both main.cf and master.cf are included below (main.cf first).
The inbound mail gateways are connected to the internet behind a load-balancing switch. The majority of the inbound mail traffic is routed to a set of internal mail servers, also behind a load-balancing switch. The inbound mail servers are doing a lot of filtering via procmail. We're experiencing significant delay during peak traffic times. How can we optimize mail flow from the inbound server to the internal mailbox servers? One thing we are in the midst of doing is upgrading all the hardware and software versions to current levels. Based on the config below, what can we do to increase our throughput? # readme_directory = /usr/share/doc/postfix/README_FILES html_directory = /usr/share/doc/postfix/html sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq queue_directory = /var/spool/postfix mail_owner = postfix # User configurable parameters mydomain = xxx.xxx myorigin = $mydomain mydestination = $mydomain, mail.$mydomain, spam.$mydomain, hash:/etc/postfix/mydomains mynetworks = 192.168.0.0/16, 127.0.0.0/8 inet_interfaces = all inet_interfaces = all smtpd_banner = *l10********************************ESMTP smtp_helo_name = xxx # Databases and look up maps transport_maps = hash:/etc/postfix/transport alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases canonical_maps = hash:/etc/postfix/canonical access_database = hash:/etc/postfix/access virtual_maps = hash:/etc/postfix/virtual relocated_maps = hash:/etc/postfix/relocated # Keep trying to deliver mail for 20 days. 
# NOTE(review): this is the rest of main.cf (SMTP restrictions, TLS, limits)
# followed by master.cf, re-flowed to one setting per line. No value has been
# changed. Lines marked NOTE(review) are reviewer comments and refer only to
# settings visible in this listing.

# No unit suffix is given; Postfix reads a bare number here as days.
maximal_queue_lifetime = 20
smtpd_recipient_limit = 50
smtpd_client_restrictions = reject_unauth_destination, reject_unauth_pipelining
# NOTE(review): this list is evaluated in order for every RCPT TO and stops at
# the first restriction that gives a definite answer. reject_unauth_destination
# comes first, so relay protection applies before any access table can say OK.
# reject_unknown_sender_domain, reject_unknown_recipient_domain and the two
# reject_rbl_client entries wait on DNS, and check_policy_service waits on the
# daemon at 127.0.0.1:10031, once per recipient. A slow resolver or policy
# daemon therefore shows up directly as SMTP latency at peak load.
# There is no comma between mx_access.cidr and the following
# check_client_access; Postfix also accepts whitespace as a separator, so that
# is cosmetic. check_client_access is pointed at helo_checks_pcre, whose name
# suggests it was written for HELO names rather than client names/addresses --
# confirm that is intended.
smtpd_recipient_restrictions = reject_unauth_destination,
 reject_unauth_pipelining,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_non_fqdn_sender,
 reject_unknown_recipient_domain,
 permit_mynetworks,
 check_recipient_access hash:/etc/postfix/recipient_access,
 check_recipient_access hash:/etc/postfix/recipient_limited,
 check_recipient_access pcre:/etc/postfix/recipient_checks_pcre,
 check_recipient_access hash:/etc/postfix/norblcheck,
 check_sender_access hash:/etc/postfix/sender_blacklist,
 check_sender_access hash:/etc/postfix/sender_access,
 check_sender_access hash:/etc/postfix/access,
 check_sender_access hash:/etc/postfix/blacklist,
 check_sender_access pcre:/etc/postfix/sender_checks_pcre,
 check_sender_access hash:/etc/postfix/rblbypass,
 check_sender_access pcre:/etc/postfix/sender_throttle_pcre,
 check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
 check_client_access hash:/etc/postfix/access,
 check_client_access hash:/etc/postfix/blacklist,
 check_client_access cidr:/etc/postfix/networks.cidr,
 check_client_access pcre:/etc/postfix/helo_checks_pcre,
 check_client_access hash:/etc/postfix/rblbypass,
 check_helo_access hash:/etc/postfix/blacklist,
 check_helo_access hash:/etc/postfix/access,
 check_helo_access pcre:/etc/postfix/helo_checks_pcre,
 reject_rbl_client rbl.clearnetwork.com,
 reject_rbl_client bl.spamcop.net,
 check_policy_service inet:127.0.0.1:10031,
smtpd_sender_restrictions =
smtpd_helo_restrictions =
# NOTE(review): header_checks and body_checks are matched against each header
# and body line of every message. Two PCRE tables on the body are CPU work that
# grows with message size; the size of these tables is not shown here.
header_checks = pcre:/etc/postfix/header_checks_pcre
body_checks = pcre:/etc/postfix/body_checks_pcre, pcre:/etc/postfix/urirbl_blacklist
smtpd_discard_ehlo_keywords = silent-discard, dsn
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
line_length_limit = 998
disable_vrfy_command = yes
allow_percent_hack = no
append_dot_mydomain = no
#TLS Configuration
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# NOTE(review): key, certificate and CAfile all point at the same smtpd.pem, so
# that file contains the private key and should be readable by root only.
# Using the server's own key+cert file as smtpd_tls_CAfile is unusual --
# confirm it is intended.
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
# NOTE(review): TLS log level 2 logs the negotiation of every TLS session. The
# Postfix documentation reserves level 2 and above for troubleshooting; at peak
# volume it is extra syslog I/O per connection, and level 1 still records the
# handshake result.
smtpd_tls_loglevel = 2
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
# NOTE(review): a session cache timeout is set, but no
# smtpd_tls_session_cache_database appears in this listing. If none is set
# elsewhere, server-side TLS session reuse is probably not in effect.
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
tls_random_source = dev:/dev/urandom
# Emergency Response Section
in_flow_delay = 1s
#minimal_backoff_time = 120s
smtp_helo_timeout = 300s
smtpd_helo_required = yes
smtpd_timeout = 60s
disable_verp_bounces = yes
smtpd_hard_error_limit = 5
smtpd_error_sleep_time = 0
smtpd_soft_error_limit = 5
#strict_rfc821_envelopes = yes
#smtpd_junk_command_limit = 5
# Per-transport recipient limit for the "procmail" pipe service in master.cf:
# up to 15 recipients are passed to a single procmail invocation.
procmail_destination_recipient_limit = 15
#default_destination_concurrency_limit = 30
#local_destination_concurrency_limit = 2
#minimal_backoff_time = 30s
#maximal_backoff_time = 240s
#smtp_always_send_ehlo = no
#smtp_connection_cache_on_demand = no
# Message Restrictions
# NOTE(review): both limits are in bytes, i.e. roughly 10 GB per message and
# 20 GB per mailbox. Every accepted message goes through body_checks and the
# procmail content filter, so one very large message can hold a filter slot and
# queue space for a long time. Confirm this is deliberate, and that every
# Postfix version in the fleet accepts a value above 2^31-1.
message_size_limit = 10240000000
mailbox_size_limit = 20480000000
# Custom Reject Codes
unknown_address_reject_code = 550
reject_code = 550
relay_domains_reject_code = 550
maps_rbl_reject_code = 550
access_map_reject_code = 554
# NOTE(review): an empty local_recipient_maps turns off rejection of unknown
# local recipients in the SMTP server. Mail for non-existent local users is
# then accepted, filtered and queued before it bounces, which costs capacity
# and sends backscatter to forged sender addresses. If the gateways can be
# given a recipient list, rejecting at RCPT TO is cheaper.
local_recipient_maps =
#smtpd_sasl_path = /etc/postfix/sasl:/usr/lib64/sasl2

# NOTE(review): main.cf settings end here; the service table below is master.cf.
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# NOTE(review): up to 125 smtpd processes accept mail and hand every message to
# the "procmail" transport (content_filter=procmail), which is capped at 25
# concurrent pipe processes further down. During peaks the filter stage rather
# than SMTP reception is the likely queueing point -- check where mail is
# waiting in the queue before raising either number.
smtp inet n - y - 125 smtpd
 -o content_filter=procmail
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
# pickup clears content_filter, so locally submitted mail (sendmail/postdrop)
# is not sent through the procmail filter again. Presumably this is how
# filtered mail is re-injected -- confirm in procmailrc, which is not shown.
pickup fifo n - y 60 1 pickup
 -o content_filter=
 -o receive_override_options=
cleanup unix n - y - 0 cleanup
qmgr fifo n - y 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - y - - smtp
 -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
# NOTE(review): pipe(8) runs the command without a shell, so ${sender} and
# ${recipient} reach procmail as plain arguments. Both values are supplied by
# the remote SMTP client; if procmailrc (not shown) passes them on to shell
# commands, they have to be quoted there. maxproc is 25 for this service.
procmail unix - n n - 25 pipe
 flags=R user=filter argv=/usr/bin/procmail -m /etc/mail/procmail/procmailrc ${sender} ${recipient}
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=nobody argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
# Please see the Postfix CYRUS_README file for details
# deliver interface (deprecated), to use this also use
# postconf -e cyrus-deliver_destination_recipient_limit=1
cyrus-deliver unix - n n - - pipe
 user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# for default cyrus socket placement
cyrus unix - n n - - lmtp
 -o lmtp_cache_connection=yes
#
# if you configure cyrus socket in the chroot jail
cyrus-chroot unix - - y - - lmtp
 -o lmtp_cache_connection=yes
#
# for lmtp to cyrus via tcp
# NOTE(review): the lmtp_sasl_password_maps table holds LMTP credentials; the
# source file and its .db should be readable by root only.
cyrus-inet unix - - y - - lmtp
 -o lmtp_cache_connection=yes
 -o lmtp_sasl_auth_enable=yes
 -o lmtp_sasl_password_maps=hash:/etc/postfix/cyrus_lmtp_sasl_pass
 -o lmtp_sasl_security_options=noanonymous
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
# These are not distributed with Mandrivalinux
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#
##### START OF CONTENT FILTER CUSTOMIZATIONS #####
# Please see the Postfix FILTER_README for details.
# These sample entries expect your content filter to
# listen on port 10025 and to inject mail back into
# postfix on port 10026.
#
# to enable such content filter run the command
# postconf -e content_filter=smtp-filter:127.0.0.1:10025
# postconf -e smtp-filter_destination_concurrency_limit=2
# or
# postconf -e content_filter=lmtp-filter:127.0.0.1:10025
# postconf -e lmtp-filter_destination_concurrency_limit=2
# and the command
# postconf -e receive_override_options=no_address_mappings
#
# adjust the value of ?mtp-filter_destination_concurrency_limit
# to match the maximum number of processes your content filter
# will spawn.
#
# NOTE(review): re-injection listener bound to loopback. It skips header/body
# checks and trusts 127.0.0.0/8, so anything that can connect to this port
# locally bypasses the filtering configured above. The active content filter
# is the procmail pipe, and the 10025/10026 sample flow looks unused in this
# listing -- if that is the case, this listener could be commented out.
127.0.0.1:10026 inet n - y - - smtpd
 -o content_filter=
 -o smtpd_restriction_classes=
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_end_of_data_restrictions=
 -o smtpd_etrn_restrictions=
 -o smtpd_data_restrictions=
 -o smtpd_delay_reject=no
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
 -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 -o strict_rfc821_envelopes=yes
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
#
lmtp-filter unix - - y - - lmtp
 -o lmtp_data_done_timeout=1200
 -o lmtp_send_xforward_command=yes
 -o lmtp_cache_connection=no
 -o max_use=20
#
smtp-filter unix - - y - - smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o max_use=20