Hi, The biggest question I have left is about your permit_sasl_authenticated comments below.
>> smtpd_sender_restrictions = permit_sasl_authenticated, >> permit_mynetworks, >> reject_non_fqdn_sender, >> reject_unknown_sender_domain, >> permit > > Restrictions are always done in order, so this is what was rejecting > the mail. When you added the client IP to mynetworks, the > permit_mynetworks above "protected" the client from this > reject_unknown_sender_domain check. Yes, got it. > I was speaking specifically about the whitelist tables. Since > restrictions are executed in the order you specify, it should be > obvious that whitelist "permit" rules must come before "reject" rules. > > The reject_unauth_destination rule is a special case -- that's your > open relay protection. Putting whitelists above it can make you an > open relay. > http://www.postfix.org/SMTPD_ACCESS_README.html#danger > > With postfix 2.10 and newer this is clearer since relay protection > should be in smtpd_relay_restrictions, and > smtpd_recipient_restrictions can concentrate on anti-spam. Yes, I've read this. >> I've made these changes and included my new postconf below. Should I >> have reject instead of permit at the end of >> smtpd_recipient_restrictions? > > Using reject turns you into a private mail server -- only clients > specifically permitted can send you mail. You don't want that for a > general-purpose MTA. Okay, got it. I think I was confusing it with the REJECT that's at the bottom of my check_recipient_access file to reject non-existent users. >> delay_warning_time = 10d > > Yikes! 10 days?? Seriously? Yeah, some time ago the server was disconnected from the Internet for many days, and I didn't want it to come back online and immediately delete the messages that were in the queue, and never changed it back. Doing that now. >> disable_vrfy_command = yes >> fallback_relay = >> header_checks = pcre:/etc/postfix/header_checks.pcre >> pcre:/etc/postfix/header_checks-jimsun.pcre > > Are the jimsum checks still effective? I thought these were years > old, and I wouldn't expect them to do much good. Not really. I just use it to outright reject .com and .exe files. Your name is in there, attributed with writing a few of those rules years ago. >> postscreen_dnsbl_action = enforce >> postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2 b.barracudacentral.org*1 >> postscreen_dnsbl_threshold = 2 > > Looking at the scores you've set, you might as well remove > barracudacentral unless you just like to see it in the logs. Or > maybe you were intending to add a couple other 1-point RBL's? Ah, I see. I believe I previously had the surriel RBL and someone else mentioned I should remove it. I'll remove barracuda too. >> relay_domains = $mydestination, $transport_maps > > relay_domains is for domains you're the MX for, but are delivered > elsewhere, such as a downstream mail store. > > transport_maps does not belong here; if you add a transport for eg. > hotmail.com, you've made yourself an open relay to that destination. > > Typically this should be set explicitly empty > # main.cf > relay_domains = This server's entire purpose is to relay mail. I have a few transport_maps for the eventual destination of the mail this server processes. >> smtp_use_tls = yes > > Old syntax. Prefer to use: > smtp_tls_security_level = may It looks like I had both. >> smtpd_recipient_restrictions = reject_non_fqdn_recipient, >> reject_non_fqdn_sender, reject_unlisted_recipient, >> permit_mynetworks, reject_unauth_destination, >> check_client_access hash:/etc/postfix/client_checks, >> check_sender_access hash:/etc/postfix/sender_checks, > > Ok. I notice you don't have permit_sasl_authenticated here, which > forces sasl users to use the submission port. That's fine. So I could continue to have the user's use port 25 with TLS? I hadn't realized that. I like that option a lot better. I bet this also explains why using the account test option when creating a new account using Thunderbird fails when I try to force it to use 993 for imaps with TLS, but succeeds using 143 and TLS. Would I set this option immediately after the permit_mynetworks? >> reject_unknown_recipient_domain, > > After reject_unauth_destination, the only recipient domain left is > your own. You should either remove this, or move it up higher. Okay, I'll remove it. After reading the postconf page again, it appears to encompass reject_unknown_recipient_domain. > You might as well move reject_unknown_sender_domain to > smtpd_recipient_restrictions and just empty this section. It's okay to add this after the permits and check_client/sender_access? smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, reject_unknown_recipient_domain, reject_unknown_sender_domain, .... Thanks so much. Best, Alex
