On 10/28/2010 06:04 PM, Robert Fantini wrote:
Hello
This is not urgent. Our postfix system runs great using OpenVZ and
Debian lenny.

However I've been using postfix for a long time, and know that I am
far from an expert on postfix.

We send and receive mail for our local network. In addition I've
recently set up secure SMTP so that we can use Thunderbird at home and
send mails using fantinibakery.com.

What I'd like is comments on how to improve our config. Here are
main.cf and master.cf. I am certain that this can be improved:

You could use STARTTLS instead of the (deprecated) SMTPS.
SMTPS is only required for incoherent clients such as MS Outlook.

Thunderbird fully supports submission with STARTTLS and SASL authentication.

postconf -n:
alias_database = hash:/etc/postfix/Aliases/aliases
alias_maps = 
hash:/etc/postfix/Aliases/aliases,hash:/etc/postfix/Aliases/aliases-fbc,hash:/etc/postfix/Aliases/aliases-distributors
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 1h
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail   -a "$EXTENSION"
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
myhostname = fantinibakery.com
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = no
require_home_directory = yes
sample_directory = /etc/postfix

sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks

Superfluous, as you're already requiring it in _recipient_.

smtpd_data_restrictions = reject_unauth_pipelining,            permit
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_recipient_restrictions =
             permit_mynetworks,
             permit_sasl_authenticated,

You need to swap those two to be able to send authenticated mail from outside your network.

             reject_invalid_hostname,
             reject_non_fqdn_sender,
             reject_non_fqdn_recipient,
             reject_unknown_sender_domain,
             reject_unknown_recipient_domain,
             reject_unauth_destination,
             check_sender_access    hash:/etc/postfix/sender_access ,
             check_recipient_access hash:/etc/postfix/recipient_checks,
             check_client_access    hash:/etc/postfix/client_checks,
             check_client_access    pcre:/etc/postfix/fqrdns.pcre,
             check_policy_service   inet:127.0.0.1:60000,
             reject_rbl_client      b.barracudacentral.org,
             reject_rbl_client      zen.spamhaus.org,
             check_recipient_access regexp:/etc/postfix/ext-access.regexp,
     permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks

And then permit?
That makes no sense - you don't need this.

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
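The two points raised inline above (a restriction list consisting only of permit_* entries does nothing, because Postfix appends an implicit permit; and anything that can answer OK must not precede reject_unauth_destination in smtpd_recipient_restrictions, or it becomes a relay hole) can be checked mechanically. The following linter is an added example for this thread, not Postfix code and not something the poster ran. It assumes the input is in postconf -n's `name = value` format with whitespace-indented continuation lines; the POSTED dump is constructed from the restriction lists shown above, and UNSAFE is a constructed counter-example with an access table placed before the relay guard.

```python
"""Lint a 'postconf -n' dump for two relay-related mistakes:
restriction lists that can never reject anything, and a
smtpd_recipient_restrictions order that lets some clients relay.

Added example for the thread; not Postfix code. Assumes postconf -n
format: 'name = value', continuation lines indented by whitespace.
"""
import re

# Constructed from the posted postconf -n output (restriction lists only).
POSTED = """\
smtpd_client_restrictions = permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining,            permit
smtpd_recipient_restrictions =
             permit_mynetworks,
             permit_sasl_authenticated,
             reject_invalid_hostname,
             reject_non_fqdn_sender,
             reject_non_fqdn_recipient,
             reject_unknown_sender_domain,
             reject_unknown_recipient_domain,
             reject_unauth_destination,
             check_sender_access    hash:/etc/postfix/sender_access ,
             check_recipient_access hash:/etc/postfix/recipient_checks,
             check_client_access    hash:/etc/postfix/client_checks,
             check_client_access    pcre:/etc/postfix/fqrdns.pcre,
             check_policy_service   inet:127.0.0.1:60000,
             reject_rbl_client      b.barracudacentral.org,
             reject_rbl_client      zen.spamhaus.org,
             check_recipient_access regexp:/etc/postfix/ext-access.regexp,
     permit
smtpd_sender_restrictions = permit_mynetworks
"""

# Constructed counter-example: an access table consulted before the relay guard.
UNSAFE = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_checks,
    reject_unauth_destination,
    permit
"""

# Restrictions whose next token is an argument (table, policy server, DNSBL).
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_postconf(text):
    """Return {parameter: value} with continuation lines joined."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if name is None:
                raise ValueError("continuation line before any parameter")
            params[name] = (params[name] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def split_restrictions(value):
    """Turn a restriction list into [(restriction, argument-or-None)]."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(TAKES_ARG) and i + 1 < len(tokens):
            items.append((tok, tokens[i + 1]))
            i += 2
        else:
            items.append((tok, None))
            i += 1
    return items


def noop_lists(params):
    """Names of *_restrictions lists made only of permit items. Postfix
    ends every list with an implicit 'permit', so such a list is a no-op."""
    noop = []
    for name, value in params.items():
        if not name.endswith("_restrictions"):
            continue
        items = split_restrictions(value)
        if items and all(r == "permit" or r.startswith("permit_") for r, _ in items):
            noop.append(name)
    return noop


def relay_findings(params):
    """Entries in smtpd_recipient_restrictions that could allow relaying."""
    findings = []
    items = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    guard = next((i for i, (r, _) in enumerate(items) if r in RELAY_GUARDS), None)
    if guard is None:
        return ["no reject_unauth_destination: any client may relay"]
    for r, arg in items[:guard]:
        if r == "permit":
            findings.append("unconditional permit before reject_unauth_destination")
        elif r.startswith("check_"):  # a table or policy server answering OK permits relay
            findings.append(f"{r} {arg} precedes reject_unauth_destination")
    return findings


if __name__ == "__main__":
    print("no-op lists:", noop_lists(parse_postconf(POSTED)))
    print("posted:", relay_findings(parse_postconf(POSTED)))
    print("unsafe:", relay_findings(parse_postconf(UNSAFE)))
```

Run against the posted lists it flags smtpd_client_restrictions and smtpd_sender_restrictions as no-ops and finds no relay problem in smtpd_recipient_restrictions, since every check_* table, the policy server and the DNSBL lookups sit after reject_unauth_destination; the constructed UNSAFE list is flagged because its client table is consulted first. To lint a live system, feed it the output of `postconf -n` instead of the inline strings.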
master.cf:
smtp      inet  n       -       n       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
         -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
# 2010-10-16 for offsite mail send this works.
smtps   inet    n       -       -       -        -      smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
#

Add a dedicated submission listener for authenticated user submission on port 587.
The docs will have details.
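Putting together the STARTTLS suggestion at the top of the reply and the port 587 suggestion here, an added example of such a listener (not taken from the poster's files or from the Postfix documentation; the column layout and the `n` chroot setting mirror the posted master.cf, and the certificate paths are the ones already in the posted main.cf):

```text
# master.cf: authenticated submission on port 587, STARTTLS required
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

`smtpd_tls_security_level=encrypt` makes the listener refuse mail until the client has issued STARTTLS, and `smtpd_tls_auth_only=yes` keeps AUTH out of the plaintext EHLO response so passwords are never offered in the clear; setting `smtpd_tls_security_level` also supersedes the older `smtpd_use_tls` in the posted main.cf. Both restriction overrides end in `reject`, so only SASL-authenticated clients get through; the port 25 listener keeps handling inbound mail under the main.cf rules. Note that the posted certificate is Debian's self-signed snakeoil placeholder, so Thunderbird will have to accept it explicitly until it is replaced with a certificate the client trusts.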


--
J.
