On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote:

> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Given the above, the following are pointless:

> smtp_tls_enforce_peername = no

A Postfix 2.2 parameter, obsoleted by smtp security levels. Remove from main.cf.

> smtp_tls_note_starttls_offer = yes

Only applicable if you have some sites with a "none" in the TLS policy table. Remove from main.cf.

> smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
> smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key

Are there any destinations for which you need client certs to gain access? If not, set these empty.

> smtpd_tls_ask_ccert = yes

Why?

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

If using Postfix 2.10 or later with OpenSSL 1.0.0 or later, the OpenSSL session ticket feature makes a server-side session database unnecessary.

> smtpd_relay_restrictions =
>     permit_sasl_authenticated,
>     reject_unauth_destination

Looks fine.

> submission inet n - n - 30 smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_wrappermode=no
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_client_connection_count_limit=15
>   -o smtpd_client_connection_rate_limit=80
>   -o smtpd_delay_reject=yes
>   -o cleanup_service_name=pre-cleanup

Postfix 3.0? (smtpd_tls_wrappermode is new with 3.0 IIRC, just implemented a month or two back.)

> smtp-amavis unix - - n - 4 smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o disable_dns_lookups=yes
>   -o smtp_tls_note_starttls_offer=no
>   -o max_use=20

You don't need "disable_dns_lookups=yes", or max_use=20.

-- 
	Viktor.
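The main.cf points raised in the reply above, turned into a small lint (an added example, not code from this thread or from Postfix): it flags the settings that are obsolete or pointless once smtp_tls_security_level=dane is in use, and is run against a constructed "before" fragment (the one quoted above) and a cleaned-up "after" fragment. It assumes plain `name = value` lines with no continuation lines, and that the server runs Postfix 2.10 or later with OpenSSL 1.0.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread): lint main.cf for the settings the reply calls
# obsolete or pointless. Assumes "name = value" lines; continuation lines are ignored.

# Print the last value assigned to parameter $2 in main.cf $1 (empty if unset or blank).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# One finding per line, in the order the reply raises them.
audit_main_cf() {
    cf="$1"
    [ -n "$(cf_get "$cf" smtp_tls_enforce_peername)" ] &&
        echo "smtp_tls_enforce_peername: Postfix 2.2 parameter obsoleted by smtp_tls_security_level; remove"
    [ "$(cf_get "$cf" smtp_tls_note_starttls_offer)" = yes ] &&
        echo "smtp_tls_note_starttls_offer: only useful with 'none' entries in the TLS policy table; remove"
    [ -n "$(cf_get "$cf" smtp_tls_cert_file)$(cf_get "$cf" smtp_tls_key_file)" ] &&
        echo "smtp_tls_cert_file/smtp_tls_key_file: only needed if a destination requires client certs; else set empty"
    [ "$(cf_get "$cf" smtpd_tls_ask_ccert)" = yes ] &&
        echo "smtpd_tls_ask_ccert: asks every client for a certificate; drop unless you rely on client certs"
    [ -n "$(cf_get "$cf" smtpd_tls_session_cache_database)" ] &&
        echo "smtpd_tls_session_cache_database: unnecessary with Postfix >= 2.10 and OpenSSL >= 1.0.0 (session tickets)"
    return 0
}

# Number of findings for a main.cf (grep -c prints 0 on no input, so ignore its status).
audit_count() { audit_main_cf "$1" | grep -c . || true; }

BEFORE_CF="$(mktemp)"; AFTER_CF="$(mktemp)"
trap 'rm -f "$BEFORE_CF" "$AFTER_CF"' EXIT
# Constructed sample: the main.cf fragment quoted in the thread, before cleanup.
cat >"$BEFORE_CF" <<'EOF'
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_enforce_peername = no
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
EOF
# Constructed sample: the same fragment with the reply's advice applied.
cat >"$AFTER_CF" <<'EOF'
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_cert_file =
smtp_tls_key_file =
EOF
audit_main_cf "$BEFORE_CF"   # five findings
audit_main_cf "$AFTER_CF"    # nothing to report
```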