On Tue, Apr 23, 2013 at 11:05:14AM +0200, Juri Grabowski wrote:

> On Mon, Apr 22, 2013 at 02:41:56PM -0400, Wietse Venema wrote:

> address_verify_negative_expire_time = 2m
> address_verify_negative_refresh_time = 1m

A 2 minute timeout seems rather aggressive to me. Try 15 minutes or more. In practice nobody is legitimately sending mail to an email address until after it has been communicated to the sender, so it should be valid on the first delivery attempt. If this is intended to support internal senders involved in requesting the new mailbox, separate the mail flow so that internal senders are not subject to address verification.

> relay_domains = mail.domain

You may also want "parent_domain_matches_subdomains = smtp_access_maps" or just empty.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Why? I don't see any other TLS settings.

> smtpd_client_restrictions =
>     check_client_access hash:/etc/postfix/access
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/access,

I am not a big fan of overloading a single access file for both sender and recipient checks; you should probably use separate access files for each check.

> reject_unknown_recipient_domain,

This is mostly harmful *after* reject_unauth_destination, unless you're trying to allow relay to all subdomains, but only if they exist in DNS.

> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

You should probably generate a different key/cert pair.

> smtpd_use_tls = yes

The non-obsolete syntax is:

    smtpd_tls_security_level = may

> unverified_recipient_reject_code = 577
> unverified_recipient_reject_reason = 'Mailbox unknown'

577 is not a valid SMTP response code; both of these should be left at their default values (remove these from main.cf).

-- 
	Viktor.
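The review points above can be turned into a mechanical check. What follows is an added example, not code from the thread or from Postfix: a small lint script that parses main.cf syntax (including indented continuation lines) and flags the configuration problems raised in the reply. The embedded sample fragment is constructed to reproduce the quoted settings; the 15-minute threshold, the "obsolete smtpd_use_tls" rule and the shared-access-table rule are taken directly from the reply, the time-unit handling follows postconf(5) (default unit for the address_verify_* timers is days), and the reply-code shape check (first digit 4 or 5, second digit 0 to 5) follows RFC 5321 section 4.2.1.

```python
"""Lint a Postfix main.cf fragment for the issues raised in the thread.
Added example; the sample config below is constructed, not a real server's file."""
import re
from typing import Dict, List, Set

# Constructed sample mirroring the quoted configuration.
SAMPLE_MAIN_CF = """\
address_verify_negative_expire_time = 2m
address_verify_negative_refresh_time = 1m
relay_domains = mail.domain
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/access,
    reject_unknown_recipient_domain,
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
unverified_recipient_reject_code = 577
unverified_recipient_reject_reason = 'Mailbox unknown'
"""

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def to_seconds(value: str, default_unit: str = "d") -> int:
    """Convert a Postfix time value such as '2m' or '3d' to seconds (postconf(5) units)."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2) or default_unit]


def _tables(params: Dict[str, str], param: str, check: str) -> Set[str]:
    """Return the lookup tables used by a given check_*_access restriction."""
    return set(re.findall(check + r"\s+([^\s,]+)", params.get(param, "")))


def lint_main_cf(text: str) -> List[str]:
    """Return one finding per problem, in the order the thread discusses them."""
    p = parse_main_cf(text)
    findings: List[str] = []
    expire = p.get("address_verify_negative_expire_time")
    if expire and to_seconds(expire) < 15 * 60:
        findings.append("address_verify_negative_expire_time below 15m is aggressive")
    code = p.get("unverified_recipient_reject_code")
    if code and not re.fullmatch(r"[45][0-5][0-9]", code):
        findings.append(f"unverified_recipient_reject_code {code} is not a valid 4xx/5xx reply code")
    if "smtpd_use_tls" in p:
        findings.append("smtpd_use_tls is obsolete; use smtpd_tls_security_level = may")
    if "smtp_tls_session_cache_database" in p and "smtp_tls_security_level" not in p:
        findings.append("smtp_tls_session_cache_database set without any other smtp TLS settings")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if "snakeoil" in p.get(key, ""):
            findings.append(f"{key} uses the distribution snakeoil pair; generate your own")
    shared = _tables(p, "smtpd_client_restrictions", "check_client_access") & \
        _tables(p, "smtpd_recipient_restrictions", "check_sender_access")
    for table in sorted(shared):
        findings.append(f"access table {table} is shared by client and sender checks")
    recips = [r.strip() for r in p.get("smtpd_recipient_restrictions", "").split(",") if r.strip()]
    if "reject_unauth_destination" in recips and "reject_unknown_recipient_domain" in recips \
            and recips.index("reject_unknown_recipient_domain") > recips.index("reject_unauth_destination"):
        findings.append("reject_unknown_recipient_domain placed after reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for finding in lint_main_cf(SAMPLE_MAIN_CF):
        print("-", finding)
```

Run against the constructed sample it reports eight findings, one for each point in the reply; a fragment with `address_verify_negative_expire_time = 15m` and `smtpd_tls_security_level = may` produces none. The parser is deliberately minimal (no `$variable` expansion), which is enough for checking parameter values as written in the file.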