Paul Cartwright put forth on 12/9/2010 5:09 AM:

This is exactly why I wanted to see your main.cf. It's a total mess. I'll try to annotate needed changes.

> then my main.cf:
> cat /etc/postfix/main.cf

Everything from here...
--------------------
> permit_sasl_authenticated, reject_unauth_destination check_client_access
> pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org,
> reject_unknown_sender_domain,reject_unknown_recipient_domain,
> reject_non_fqdn_sender, reject_non_fqdn_recipient, check_client_access
> cidr:/etc/postfix/china.cidr
--------------------
to here is being ignored by postfix or will cause errors. These all need to be under an smtpd_foo_restriction heading. You have most of it duplicated once, if not twice, below.

> smtpd_recipient_restrictions = permit_mynetworks
>  permit_sasl_authenticated
>  reject_unauth_destination
>  check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
>  check_client_access cidr:/etc/postfix/china.cidr
>  reject_unknown_sender_domain
>  reject_unknown_recipient_domain
>  reject_non_fqdn_sender
>  reject_non_fqdn_recipient
>  reject_rbl_client dnsbl.sorbs.net
>  reject_rbl_client zen.spamhaus.org
>  reject_rhsbl_sender dbl.spamhaus.org
>  reject_rhsbl_helo dbl.spamhaus.org

The above looks good, although I'd use a tab for indentation instead of a single space.

> permit_sasl_authenticated, check_recipient_access
> mysql:/etc/postfix/mysql-virtual_recipient.cf,
> reject_unauth_destination, check_policy_service inet:127.0.0.1:60000,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net,
> reject_rbl_client bl.spamcop.net, reject_rbl_client
> combined.rbl.msrbl.net, reject_rbl_client multihop.dsbl.org,
> check_recipient_access regexp:/etc/postfix/spamtrap, permit

Here above you've got more duplication but some needed things that aren't in your well formatted section. So, let's see if we can clean all of this up so you've got a functionally correct and easily readable main.cf.

FYI dsbl.org is defunct, has been for some time now, so we'll remove that from your dnsbl list.
Also, many of the dnsbls you have configured have mucho overlap, so let's remove a few as they're unnecessary and simply slow down inbound mail.

So here's my proposal for your new main.cf Paul. I'm sure others will chime in identifying any mistakes I may have made, or with other helpful suggestions. I tried to remove all the default parameters you had duplicated, and changed biff to no since you don't use the biff service on Lenny, nor Pine nor any other text mode mail reader in an SSH shell, AFAIK. The idea here is to wholesale replace your current main.cf file with the following:

#######################################################################################################
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
disable_vrfy_command = yes

myhostname = paulandcilla.homelinux.org
mydestination = homelinux.org
myorigin = homelinux.org

inet_protocols = ipv4
inet_interfaces = all
mynetworks = 127.0.0.0/8, , 208.65.91.107, 192.168.10.0/10
proxy_interfaces = 208.65.91.107
relayhost =

mailbox_size_limit = 0
message_size_limit = 30000000
mailbox_command = /usr/lib/dovecot/deliver
append_dot_mydomain = no

smtpd_recipient_restrictions =
	permit_mynetworks
	permit_sasl_authenticated
	reject_unauth_destination
	reject_unknown_sender_domain
	reject_unknown_recipient_domain
	reject_non_fqdn_sender
	reject_non_fqdn_recipient
	check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf (<- is this a white list?)
	check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
	check_client_access cidr:/etc/postfix/china.cidr
	check_recipient_access regexp:/etc/postfix/spamtrap
	reject_rbl_client zen.spamhaus.org
	reject_rhsbl_sender dbl.spamhaus.org
	reject_rhsbl_helo dbl.spamhaus.org
	reject_rbl_client bl.spamcop.net
	reject_rbl_client dnsbl.sorbs.net
	check_policy_service inet:127.0.0.1:60000

#######################################################################
# I don't use tls so someone else will need to sanity check these #####
#######################################################################
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = paulandcilla.homelinux.org
########################################################################
#######################################################################################################

Unfortunately you won't know if it's all going to work until you actually switch your DNS MX pointer to your Lenny box's DNS A record. At that point you should have an A of mail.pcartwright.com pointing to 208.65.91.107, and an MX record pointing to mail.pcartwright.com. At that point you'll need to replace these

myhostname = paulandcilla.homelinux.org
mydestination = homelinux.org
myorigin = homelinux.org

with

myhostname = mail.pcartwright.com
mydestination = pcartwright.com
myorigin = pcartwright.com

for your inbound mail to work correctly. Since you aren't even using Postfix at all right now, you may as well go ahead and make these changes now.

Hope all of this is helpful.

--
Stan
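
Added example, not part of the message above or of either poster's configuration: a small Python check for the problems this review found by eye, namely restriction lines with no "name =" heading, parameters defined more than once, and reject_rbl_client entries pointing at the dsbl.org zone the message calls defunct. The names lint_main_cf and logical_lines, the SAMPLE text and the hostname mail.example.org are assumptions made for illustration.

```python
import re

DEFUNCT_DNSBLS = {"dsbl.org"}  # called defunct in the message above

# Constructed sample modelled on the quoted main.cf (hostname is a placeholder).
SAMPLE = """\
myhostname = mail.example.org
permit_sasl_authenticated, reject_unauth_destination check_client_access
pcre:/etc/postfix/fqrdns.pcre, reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks
 permit_sasl_authenticated
 reject_unauth_destination
 reject_rbl_client multihop.dsbl.org
biff = yes
biff = no
"""

def logical_lines(text):
    """Join physical lines the way main.cf is read: a line starting with
    whitespace continues the previous one; blanks and '#' lines are skipped."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1][1] += " " + raw.strip()
        else:
            out.append([n, raw.strip()])
    return out

def lint_main_cf(text):
    """Return (orphans, redefined, defunct) findings for a main.cf body."""
    seen, orphans, redefined, defunct = {}, [], [], []
    for lineno, line in logical_lines(text):
        name, eq, value = line.partition("=")
        name = name.strip()
        if not eq or not re.fullmatch(r"\w+", name):
            orphans.append(lineno)  # no "name =" heading, so not a setting
            continue
        if name in seen:  # Postfix keeps only the last definition
            redefined.append((name, seen[name], lineno))
        seen[name] = lineno
        tokens = re.split(r"[,\s]+", value.strip())
        for kw, arg in zip(tokens, tokens[1:]):
            if kw == "reject_rbl_client" and any(
                    arg == d or arg.endswith("." + d) for d in DEFUNCT_DNSBLS):
                defunct.append((lineno, arg))
    return orphans, redefined, defunct

if __name__ == "__main__":
    print(lint_main_cf(SAMPLE))
```

Line numbers in the findings refer to the first physical line of each logical line, so a finding inside an indented restriction list is reported at the line carrying the parameter name.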