On 1/6/2012 8:35 PM, Eric Lemings wrote:
> Current 'postconf -n' output:
>
> command_directory = /usr/sbin

This is likely your default. Check with 'postconf -d command_directory' and remove this line if it is. Don't re-specify default values in main.cf. It simply clutters things up making sleuthing more difficult than need be.

> config_directory = /etc/postfix

Same as above.

> daemon_directory = /usr/libexec/postfix

Possibly here as well. On Debian it's /usr/lib/postfix but on OSX it may be libexec. If the default is libexec, remove this line.

> debug_peer_level = 2

This is the default value. Remove this line. Unless of course Apple changed the default to another value, which they should not have.

> enable_server_options = yes

This doesn't seem to be a valid main.cf parameter. An Apple add-on I assume.

> imap_submit_cred_file = /private/etc/postfix/submit.cred

Same here.

> inet_interfaces = all

Again, default. Remove this line.

> local_recipient_maps = proxy:unix:passwd.byname $alias_maps

Default. Remove.

> mail_owner = _postfix

Default. Remove.

> mailq_path = /usr/bin/mailq

Default. Remove.

> manpage_directory = /usr/share/man

Default. Remove.

> maps_rbl_domains =

Deprecated parameter. Remove.

> mydestination = $myhostname, localhost.$mydomain, localhost, myhost,
> $mydomain, mail

Are you sure you need all 6 of these?

> mydomain_fallback = localhost

Another Apple add on, seems useless.

> newaliases_path = /usr/bin/newaliases

Default. Remove.

> postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org
> bl.spamcop.net

Again, MAPS is a paid service. If you don't have a subscription remove.

> readme_directory = /usr/share/doc/postfix

Default. Remove.

> relayhost =

Default. Remove.

> sendmail_path = /usr/sbin/sendmail

Default. Remove.

> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps =
> smtpd_enforce_tls = no

All 3 are defaults. Remove them.

> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> hash:/etc/postfix/helo_access, reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname, permit

Consolidate your helo restrictions into recipient restrictions.

> smtpd_pw_server_security_options = cram-md5,gssapi,login,plain

Yet another Apple add on...

> smtpd_recipient_restrictions = reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination, reject_rhsbl_client dbl.spamhaus.org,
> reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client
> rbl-plus.mail-abuse.org, reject_rbl_client bl.spamcop.net,
> check_policy_service unix:private/policy, permit

You may want to move these first 3 after reject_unauth_destination. Also, there's no need for an explicit permit at the end as that is the default behavior.

> smtpd_use_pw_server = yes

Yet another Apple add on.

> tls_random_source = dev:/dev/urandom

Default. Remove.

> unknown_local_recipient_reject_code = 550

Default. Remove.

> use_sacl_cache = yes

Another Apple add on.

> virtual_alias_maps = $virtual_maps

Default. Remove.

I'm guessing a lot of the redundant default junk in your main.cf was inserted by Apple (IIRC the CentOS/Red Hat people are horrible about this as well). Thus your next package upgrade may put them right back in.

> Still quite a bit of spam getting through.

The spam making it in is probably not related to some of the changes you should make above. Post the "connect from:" lines in your mail log of a dozen or so of these spam connections so we can identify the sources and recommend tools/methods to put a dent in it.

--
Stan
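
The per-parameter check against 'postconf -d' walked through in the reply above can be done in one pass. This is an added example, not part of the original message: the function names are hypothetical, and the two sample outputs are constructed stand-ins for real 'postconf -n' and 'postconf -d' output.

```python
# Flags main.cf settings that only restate a built-in default, and settings
# that the default table does not list at all.

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            # Collapse whitespace runs so cosmetic differences don't matter.
            params[name.strip()] = " ".join(value.split())
    return params

def audit(nondefault_text, default_text):
    """Classify each 'postconf -n' parameter against 'postconf -d'."""
    current = parse_postconf(nondefault_text)
    defaults = parse_postconf(default_text)
    report = {"redundant": [], "unknown": [], "changed": []}
    for name, value in sorted(current.items()):
        if name not in defaults:
            report["unknown"].append(name)     # e.g. vendor add-ons
        elif defaults[name] == value:
            report["redundant"].append(name)   # restates the default
        else:
            report["changed"].append(name)     # a real local override
    return report

# Constructed samples; on a live host feed in the real command output.
SAMPLE_N = """\
command_directory = /usr/sbin
debug_peer_level = 2
enable_server_options = yes
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
relayhost =
virtual_alias_maps = $virtual_maps
"""
SAMPLE_D = """\
command_directory = /usr/sbin
debug_peer_level = 2
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
virtual_alias_maps = $virtual_maps
"""

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_N, SAMPLE_D).items():
        print(f"{kind}: {', '.join(names)}")
```

The comparison is on the literal text postconf prints, so a default written as $virtual_maps only matches a setting written the same way.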