On 1/22/2011 2:58 AM, Walter Pinto wrote:
This is the config for my SMTP server, anything stand out?


anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/html/postfix
initial_destination_concurrency = 5
local_destination_concurrency_limit = 5
local_transport = error:local mail delivery disabled
maximal_backoff_time = 90m
message_size_limit = 14500000
mydomain = smtp1.example.net
myhostname = smtp1.example.net
mynetworks = 127.0.0.0/8
myorigin = example.net
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relocated_maps = hash:/etc/postfix/relocated
smtp_connect_timeout = 45s
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_destination
    reject_non_fqdn_recipient   reject_non_fqdn_sender
    reject_unlisted_recipient   reject_invalid_hostname
    reject_unknown_sender_domain   reject_unknown_recipient_domain
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_login_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
smtpd_sender_restrictions = permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:10031 reject_sender_login_mismatch
    reject_unauth_destination reject_non_fqdn_recipient
    reject_non_fqdn_sender reject_unlisted_recipient
    reject_invalid_hostname reject_unknown_sender_domain
    reject_unknown_recipient_domain

I would usually expect reject_sender_login_mismatch to be before permit_sasl_authenticated. Remember, authenticated clients won't trigger any tests below permit_sasl_authenticated. Ditto for the policy service if it's a quota check or something else that should run on all mail. They are OK as-is if they are doing what you expect.

When reject_unknown_recipient_domain is after reject_unauth_destination, the only things it can possibly reject are:
- invalid subdomains of your domains.
- your own domain when your DNS hiccups.
Make sure it's doing what you want.

smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/smtp1.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/smtp1.example.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/domains/localhost
    hash:/etc/postfix/domains/example.com
    hash:/etc/postfix/domains/example.net
    hash:/etc/postfix/domains/example.org

OK.


  -- Noel Jones
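To make the ordering point above concrete, here is a small model (added here, not code from the thread or from Postfix) of how Postfix walks a restriction list: first definite PERMIT or REJECT wins, DUNNO falls through, and the end of the list means permit. The sender_login_maps table, the destination list and the session data are constructed stand-ins for the real lookups.

```python
# Added model of smtpd restriction-list evaluation (not Postfix's own code).
# Only the restrictions discussed in the thread are modelled.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

def permit_sasl_authenticated(c):
    return PERMIT if c.get("sasl_username") else DUNNO

def reject_sender_login_mismatch(c):
    # REJECT when the SASL login is not an owner of the MAIL FROM address
    # (the smtpd_sender_login_maps lookup is modelled by a constructed dict),
    # or when an unauthenticated client uses an address that has owners.
    owners = c["sender_login_maps"].get(c["sender"], set())
    user = c.get("sasl_username")
    if (user and user not in owners) or (not user and owners):
        return REJECT
    return DUNNO

def reject_unauth_destination(c):
    return DUNNO if c["recipient_domain"] in c["my_destinations"] else REJECT

def reject_unknown_recipient_domain(c):
    return REJECT if c["recipient_domain"] in c["dns_unresolvable"] else DUNNO

def evaluate(restrictions, client):
    """Walk the list left to right; the first definite PERMIT or REJECT wins.
    DUNNO falls through, and reaching the end of the list means permit."""
    for r in restrictions:
        verdict = r(client)
        if verdict != DUNNO:
            return verdict, r.__name__
    return PERMIT, None

# Constructed session: authenticated as "alice" but using bob's address.
MISMATCH = {
    "sasl_username": "alice",
    "sender": "bob@example.net",
    "recipient_domain": "example.com",
    "sender_login_maps": {"bob@example.net": {"bob"}},
    "my_destinations": {"example.com", "example.net", "example.org"},
    "dns_unresolvable": set(),
}

POSTED_ORDER = [permit_sasl_authenticated, reject_sender_login_mismatch]
SUGGESTED_ORDER = [reject_sender_login_mismatch, permit_sasl_authenticated]

if __name__ == "__main__":
    print(evaluate(POSTED_ORDER, MISMATCH))     # ('PERMIT', 'permit_sasl_authenticated')
    print(evaluate(SUGGESTED_ORDER, MISMATCH))  # ('REJECT', 'reject_sender_login_mismatch')
```

With the posted order the mismatched login is never examined because permit_sasl_authenticated already returned PERMIT; with reject_sender_login_mismatch first, the same session is rejected.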
