On 2/16/2015 10:29 PM, Viktor Dukhovni wrote:
On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote:

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
Given the above, the following are pointless:

smtp_tls_enforce_peername = no
     A Postfix 2.2 parameter Obsoleted by smtp security levels.
     Remove from main.cf.

smtp_tls_note_starttls_offer = yes
     Only applicable if you have some sites with a "none" in the
     TLS policy table.  Remove from main.cf.

smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key
Are there any destinations for which you need client certs to gain
access?  If not set these empty.

smtpd_tls_ask_ccert = yes
Why?

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
If using Postfix 2.10 or later with OpenSSL 1.0.0 or later, the
OpenSSL session ticket feature makes a server-side session database
unnecessary.
Most of the above obsolete and redundant settings are leftovers from the initial install, and did not get removed because I was erring on the side of caution, was too busy, or just missed them. That is why an occasional check by a second pair of eyes is always a good idea.
smtpd_relay_restrictions =
                permit_sasl_authenticated,
                reject_unauth_destination
Looks fine.
I have noticed that some of the "how-to" write-ups specify defer_unauth_destination instead of reject_unauth_destination. My personal inclination is to reject, but is there any particular reason to use defer?
submission inet  n       -       n       -       30      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=15
  -o smtpd_client_connection_rate_limit=80
  -o smtpd_delay_reject=yes
  -o cleanup_service_name=pre-cleanup
Postfix 3.0? (smtpd_tls_wrappermode is new with 3.0 IIRC, just
implemented a month or two back)
I thought this had been around since 2.4+; I specify it to ensure that smtpd_tls_security_level does not get overridden no matter what the distribution's default may be.
smtp-amavis unix -       -       n       -       4       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o smtp_tls_note_starttls_offer=no
   -o max_use=20
You don't need "disable_dns_lookups=yes", or max_use=20.

Again leftovers, I suspect.

Thanks for the input Viktor,

--
John Allen
KLaM
------------------------------------------
OK, so what is the speed of dark?
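An automated version of the "second pair of eyes" check mentioned above, added here as an example (it is not code from the thread or from Postfix): it parses a constructed main.cf fragment in Postfix syntax, including the whitespace-continued multi-line values seen above, and flags the settings the reply called pointless or questionable once the client runs DANE over DNSSEC. The advice table is an assumption built from that reply, not a Postfix data source.

```python
# Constructed main.cf fragment modelled on the settings discussed in the thread.
SAMPLE_MAIN_CF = """\
# TLS client policy
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_enforce_peername = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_relay_restrictions =
                permit_sasl_authenticated,
                reject_unauth_destination
"""

# Assumed advice table, transcribed from the reply above: parameters that are
# pointless once smtp_tls_security_level=dane is paired with DNSSEC lookups.
REDUNDANT_WITH_DANE = {
    "smtp_tls_enforce_peername": "Postfix 2.2 parameter obsoleted by smtp_tls_security_level; remove",
    "smtp_tls_note_starttls_offer": "only useful with 'none' entries in the TLS policy table; remove",
}

def parse_main_cf(text):
    """Parse main.cf: 'name = value', '#' comments at line start, and
    continuation lines that begin with whitespace."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter line; postconf would reject it
        current = name.strip()
        params[current] = value.strip()
    return params

def audit(params):
    """Return (parameter, advice) pairs for settings worth removing or questioning."""
    findings = []
    dane = (params.get("smtp_tls_security_level") == "dane"
            and params.get("smtp_dns_support_level") == "dnssec")
    if dane:
        findings += [(n, a) for n, a in REDUNDANT_WITH_DANE.items() if n in params]
    if params.get("smtpd_tls_ask_ccert") == "yes":
        findings.append(("smtpd_tls_ask_ccert", "requests client certs; needed only if you verify them"))
    if params.get("smtpd_tls_session_cache_database"):
        findings.append(("smtpd_tls_session_cache_database",
                         "unnecessary with Postfix >= 2.10 and OpenSSL >= 1.0.0 session tickets"))
    return findings
```

Run it against the output of `postconf -n` rather than a hand-copied file so that defaults you never set are not reported.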
