Would somebody take a look at my config?
I am a little concerned about the security on submission (587).
This is the family server which I use for experimenting.

Thanks
John A


# main.cf -- Postfix global settings for smtp.klam.ca (the family server
# described in the cover note). Reviewer remarks are marked NOTE(review)
# and change nothing. Several long values in this listing are wrapped onto
# column-0 lines (under virtual_alias_maps, virtual_mailbox_maps and
# check_recipient_access); in a real main.cf a continuation line must
# start with whitespace, so that is presumably mail wrapping rather than
# the on-disk file.
config_directory = /etc/postfix
# no "you have new mail" notifications to logged-in local users
biff = no

# do not append .$mydomain to addresses that already carry a domain part
append_dot_mydomain = no
mydomain = klam.ca
# domain stamped onto locally posted mail that has none
myorigin = $mydomain
myhostname = smtp.$mydomain

# local delivery domains. Neither klam.ca nor smtp.klam.ca is listed, so
# whether mail for them is accepted depends on the virtual_mailbox_domains
# lookup further down, not on local(8).
mydestination = localhost, localhost.localdomain, localdomain
# only loopback is trusted; nothing else ever gets permit_mynetworks
mynetworks = 127.0.0.0/8, [::1]/128

alias_maps = hash:/etc/aliases
relocated_maps = hash:/etc/postfix/maps/relocated

# user+detail addressing
recipient_delimiter = +

home_mailbox = Maildir/

# bytes; the extra spaces after "=" are ignored by Postfix but look odd
message_size_limit =   32768000
bounce_size_limit = 65536
header_size_limit = 32768

delay_warning_time = 12h

default_process_limit = 20
smtpd_recipient_limit = 128
# tarpit delay for clients that trigger errors; the loopback 10025
# service in master.cf overrides this to 0 for the content-filter path
smtpd_error_sleep_time = 5s

# banner carries no software/version string
smtpd_banner = $myhostname ESMTP

mailbox_transport = lmtp:unix:private/dovecot-lmtp

transport_maps = hash:/etc/postfix/maps/transport
# one recipient per invocation of the vacation pipe service in master.cf
vacation_destination_recipient_limit = 1

# --- outbound (SMTP client) TLS ---
# NOTE(review): DANE only does its job when the resolver in
# /etc/resolv.conf validates DNSSEC; with a non-validating resolver
# Postfix behaves as if the level were "may". Confirm the resolver.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_note_starttls_offer = yes
# applies only where TLS is mandatory for a destination (for example when
# usable TLSA records upgrade a DANE session); opportunistic sessions
# follow smtp_tls_protocols, which is not set here
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
# client cert/key -- the same files the server side uses below. Keep the
# key root-owned and not group/world readable.
smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key
# NOTE(review): obsolete knob; it is overridden whenever
# smtp_tls_security_level is non-empty, so this line is a no-op here
smtp_tls_enforce_peername = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# --- inbound (SMTP server) AUTH ---
# NOTE(review): this switches AUTH on for every smtpd instance, including
# port 25, and smtpd_relay_restrictions below grants relaying to
# permit_sasl_authenticated. The submission service in master.cf already
# sets smtpd_sasl_auth_enable=yes for itself, so setting this to "no"
# here would confine password logins (and password guessing) to 587
# without changing anything submission clients see.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# unix socket path relative to the queue directory; must match Dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_local_domain = $mydomain
# accept the old "AUTH=method" syntax from legacy clients
broken_sasl_auth_clients = yes
# NOTE(review): records the SASL login name in the Received: header of
# submitted mail, so recipients can read which account sent it. Set to
# "no" if that disclosure is not wanted.
smtpd_sasl_authenticated_header = yes

# --- inbound (SMTP server) TLS ---
# opportunistic on port 25 (mandatory TLS on 25 would lose mail from
# senders without TLS); submission overrides this to "encrypt" in master.cf
smtpd_tls_security_level = may
# AUTH is announced only after STARTTLS, so credentials never cross
# port 25 in the clear
smtpd_tls_auth_only = yes
# NOTE(review): every TLS client is asked for a certificate, but none of
# the restriction lists below uses one (no check_ccert_access or
# permit_tls_clientcerts); consider "no" unless client certs are planned
smtpd_tls_ask_ccert = yes
# NOTE(review): governs only mandatory-TLS sessions, i.e. submission, and
# still admits TLS 1.0/1.1. Opportunistic port-25 sessions follow
# smtpd_tls_protocols, which is not set here.
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# --- virtual domains and users from PostgreSQL ---
# "proxy:" makes proxymap(8) perform the lookups on behalf of smtpd.
# NOTE(review): the .sql map files presumably hold the database
# credentials; keep them readable only by root and the postfix user.
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_alias_maps      = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
                          
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_maps    = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
                          
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
                          
virtual_transport       = lmtp:unix:private/dovecot-lmtp

# every accepted message goes to amavis on loopback 10024 and comes back
# through the 127.0.0.1:10025 service defined in master.cf
content_filter = smtp-amavis:[127.0.0.1]:10024

# basic SMTP hygiene
smtpd_helo_required = yes
# VRFY aids address enumeration; disabled
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

smtpd_etrn_restrictions = reject

# the per-stage lists are empty; all policy lives in
# smtpd_relay_restrictions / smtpd_recipient_restrictions below
smtpd_client_restrictions =

smtpd_helo_restrictions =

smtpd_sender_restrictions =

# relay policy: only authenticated users may send to non-local
# destinations. This is what keeps port 25 from being an open relay, so
# the strength of the Dovecot passwords is the relay boundary.
smtpd_relay_restrictions =
                permit_sasl_authenticated,
                reject_unauth_destination

# NOTE(review): permit_sasl_authenticated comes before the access maps,
# the policy service and the RBL lookups, so authenticated submitters skip
# all of them (normal for a submission path). reject_invalid_hostname and
# reject_non_fqdn_hostname are the pre-2.3 spellings of
# reject_invalid_helo_hostname / reject_non_fqdn_helo_hostname and still
# work. The check_recipient_access entry below is split by mail wrapping.
smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_non_fqdn_hostname,
                reject_non_fqdn_sender,
                reject_non_fqdn_recipient,
                reject_unknown_sender_domain,
                reject_unknown_recipient_domain,
                permit_sasl_authenticated,
                reject_unauth_destination,
                check_recipient_access 
pcre:/etc/postfix/maps/recipient_checks.pcre,
                check_recipient_access hash:/etc/postfix/maps/recipient_checks,
                check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre,
                check_sender_access hash:/etc/postfix/maps/sender_checks,
                check_policy_service inet:127.0.0.1:10023,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client bl.spamcop.net


# reject_unauth_pipelining refuses clients that send commands before the
# server has replied
smtpd_data_restrictions =
                reject_multi_recipient_bounce,
                reject_unauth_pipelining

# master.cf -- Postfix service table. Columns: service type private unpriv
# chroot wakeup maxproc command. Every service here runs with chroot=n.
# Where a line ends in "-o" and the next starts at column 0, that is mail
# wrapping; in the real file every continuation line must begin with
# whitespace. Reviewer remarks are marked NOTE(review).
# port 25, the public MX. It offers AUTH because main.cf sets
# smtpd_sasl_auth_enable=yes globally, though only after STARTTLS
# (smtpd_tls_auth_only = yes).
smtp       inet  n       -       n       -       -       smtpd -o 
cleanup_service_name=pre-cleanup
# local sendmail(1) submissions, also routed through pre-cleanup
pickup     fifo  n       -       n       60      1       pickup -o 
cleanup_service_name=pre-cleanup
# port 587. NOTE(review): this is the service the cover note asks about
# and it is in reasonable shape: TLS is mandatory (encrypt), AUTH is on,
# relay and recipient policy collapse to permit_sasl_authenticated,reject,
# and per-client connection count/rate limits apply. Two gaps: there is
# no smtpd_sender_restrictions override, so any authenticated account may
# use any envelope sender (reject_sender_login_mismatch together with a
# smtpd_sender_login_maps table would bind sender to login); and the
# protocol floor is inherited from main.cf's smtpd_tls_mandatory_protocols,
# which still admits TLS 1.0/1.1. smtpd_tls_wrappermode=no and
# smtpd_delay_reject=yes restate Postfix defaults and are harmless.
submission inet  n       -       n       -       30      smtpd -o 
syslog_name=postfix/submission -o smtpd_tls_wrappermode=no -o 
smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o 
smtpd_client_connection_count_limit=15 -o smtpd_client_connection_rate_limit=80 
-o smtpd_delay_reject=yes -o cleanup_service_name=pre-cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
# outbound client, pinned to fixed IPv4/IPv6 source addresses
smtp       unix  -       -       n       -       -       smtp -o 
smtp_bind_address=74.116.186.178 -o smtp_bind_address6=2001:470:b183:10::178
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
# hand-off to amavis over loopback: no DNS, no TLS-offer logging, and a
# process is recycled after 20 deliveries
smtp-amavis unix -       -       n       -       4       smtp -o 
smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o 
disable_dns_lookups=yes -o smtp_tls_note_starttls_offer=no -o max_use=20
# re-injection from amavis. Bound to loopback only, trusts 127.0.0.0/8
# and rejects everyone else at every stage; content_filter= prevents a
# filter loop and TLS is off for the local hop. NOTE(review):
# "-o local_recipient_maps=" appears twice in this entry; harmless, but
# one copy can go.
127.0.0.1:10025 inet n   -       n       -       -       smtpd -o 
content_filter= -o mynetworks=127.0.0.0/8 -o smtpd_delay_reject=no -o 
smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= 
-o smtpd_sender_restrictions= -o 
smtpd_relay_restrictions=permit_mynetworks,reject -o 
smtpd_recipient_restrictions=permit_mynetworks,reject -o 
smtpd_data_restrictions=reject_unauth_pipelining -o 
smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o 
smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o 
smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o 
smtpd_client_connection_rate_limit=0 -o local_header_rewrite_clients= -o 
local_recipient_maps= -o 
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 -o smtpd_tls_security_level=none -o local_recipient_maps= -o 
relay_recipient_maps=
# pre-filter cleanup with virtual aliasing disabled, so alias expansion
# happens once, in the post-filter cleanup below
pre-cleanup unix n       -       n       -       0       cleanup -o 
virtual_alias_maps=
# post-filter cleanup: header/body checks are switched off here, so any
# header_checks/body_checks would apply only at pre-cleanup (main.cf sets
# none)
cleanup    unix  n       -       n       -       0       cleanup -o 
mime_header_checks= -o nested_header_checks= -o header_checks= -o body_checks=
# vacation autoresponder as a pipe(8) transport under the dedicated
# unprivileged "vacation" user; main.cf limits it to one recipient per
# run. The "--" presumably stops vacation.pl from reading a recipient
# that begins with "-" as an option.
vacation   unix  -       n       n       -       -       pipe flags=DRhu 
user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
# Output of "postconf -n", apparently: the effective non-default settings
# in alphabetical order. It restates the main.cf above; the two
# proxy:pgsql entries under virtual_alias_maps and virtual_mailbox_maps
# show up as single values here, which supports reading the column-0
# fragments earlier as mail wrapping.
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
# NOTE(review): ignored while smtp_tls_security_level is non-empty
smtp_tls_enforce_peername = no
smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_data_restrictions = reject_multi_recipient_bounce, 
reject_unauth_pipelining
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_invalid_hostname, 
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
permit_sasl_authenticated, reject_unauth_destination, check_recipient_access 
pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access 
hash:/etc/postfix/maps/recipient_checks, check_helo_access 
pcre:/etc/postfix/maps/helo_checks.pcre, check_sender_access 
hash:/etc/postfix/maps/sender_checks, check_policy_service 
inet:127.0.0.1:10023, reject_rbl_client zen.spamhaus.org, reject_rbl_client 
bl.spamcop.net
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
# NOTE(review): global, so port 25 also accepts AUTH (after STARTTLS);
# the submission service in master.cf enables this for itself anyway, so
# "no" here would limit password logins to 587
smtpd_sasl_auth_enable = yes
# NOTE(review): exposes the submitting account name in Received: headers
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
# NOTE(review): client certs are requested but no restriction uses them
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
# NOTE(review): only for mandatory TLS (submission); TLS 1.0/1.1 remain
# allowed, and opportunistic port-25 sessions follow smtpd_tls_protocols
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql, 
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql, 
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp
