After some interesting experiences using a less than stellar communications
(I didn't appreciate just how lucky I am to live in a big city until this
trip) I have managed to get things set up and working.
Because of the poor communications I decided to use the family's server as
a guinea pig.
I reconfigured it to be fairly close to the eventual target system as possible.
I made the changes that Noel suggested and it appears to be working.
The original problem with DKIM ... seems to be resolved.
Before I attempt to modify the eventual target system can someone take a
look at the attached main and master postconf outputs. My main concern is
that I have left something important out, not that I will not appreciate
suggestions for improvement.
On 3 February, 2016 1:40:10 PM Noel Jones <njo...@megan.vbhcs.org> wrote:
On 2/2/2016 5:53 PM, John A @ KLaM wrote:
If I might ask another peripherally related and most probably very
dumb question - is it possible to have the inverse of
"permit_authenticated_users"?
The rules for this outfit are - imap for picking up your mail,
submission (port 587) for sending. So if somebody who can
authenticate themselves turns up on port 25, they are in the wrong
place.
This is commonly handled by not offering AUTH on port 25. Users who
end up there find sending mail doesn't work, and usually recheck
their settings before calling.
Take all the sasl statements out of main.cf, and add them as -o
options to the "submission" service in master.cf.
Something like:
# main.cf
smtpd_sasl_auth_enable = no

# master.cf
submission inet n - n - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ... other stuff you like ...
-- Noel Jones
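Added example, not part of Noel's reply or of the attached configuration: a small Python check that parses postconf -n style main.cf text and master.cf text, then flags any inet smtpd listener other than submission that offers AUTH, or a submission service that offers it without mandatory TLS. The parameter names are Postfix's own; the two sample config strings are constructed for the example.

```python
import re

# Constructed sample modelled on the thread's postconf output (not the poster's real files).
MAIN_CF = "smtpd_sasl_auth_enable = no\nsmtpd_tls_security_level = may\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -   smtpd
submission inet  n  -  n  -  30  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
"""

def parse_main(text):
    """postconf -n style 'key = value' lines; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            params[key] += " " + line.strip()
        elif line.strip() and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[(key := key.strip())] = value.strip()
    return params

def parse_master(text):
    """master.cf -> {(name, type): {'cmd': command, 'overrides': {param: value}}}."""
    services, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+-o\s+([^=\s]+)=(.*)", line)
        if m and cur:  # indented '-o key=value' overrides a parameter for the preceding service
            services[cur]["overrides"][m.group(1)] = m.group(2).strip()
        elif line.strip() and not line[:1].isspace() and not line.startswith("#"):
            f = line.split()
            cur = (f[0], f[1])  # Postfix keys services by name AND type ('smtp inet' vs 'smtp unix')
            services[cur] = {"cmd": f[7], "overrides": {}}
    return services

def audit_auth_split(main_text, master_text):
    """Findings (empty list = policy holds): AUTH only on submission, and only over TLS."""
    params, findings = parse_main(main_text), []
    for (name, stype), svc in parse_master(master_text).items():
        if stype != "inet" or svc["cmd"] != "smtpd":
            continue  # only network-facing smtpd listeners can offer AUTH
        get = lambda k: svc["overrides"].get(k, params.get(k, ""))  # -o wins over main.cf
        auth_on = get("smtpd_sasl_auth_enable") == "yes"
        if name == "submission":
            if not auth_on:
                findings.append("submission: smtpd_sasl_auth_enable is not yes")
            if get("smtpd_tls_security_level") != "encrypt":
                findings.append("submission: smtpd_tls_security_level is not encrypt")
        elif auth_on:
            findings.append(f"{name}: SMTP AUTH offered outside submission")
    return findings
```

Feed it the real files with `audit_auth_split(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())`; an empty list means port 25 offers no AUTH and submission requires TLS.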
main.cf (postconf -n output):
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_exclude_ciphers = EXPORT, LOW, IDEA, 3DES, MD5, SRP, PSK, aDSS, kECDH,
    kDH, SEED, IDEA, RC2, RC5
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre,
    check_recipient_access hash:/etc/postfix/maps/recipient_checks,
    check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre,
    check_sender_access hash:/etc/postfix/maps/sender_checks,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW, IDEA, 3DES, MD5, SRP, PSK, aDSS, kECDH,
    kDH, SEED, IDEA, RC2, RC5
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp
master.cf:
smtp inet n - n - - smtpd
    -o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
    -o cleanup_service_name=pre-cleanup
submission inet n - n - 30 smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/dovecot-auth
    -o smtpd_sasl_local_domain=$mydomain
    -o broken_sasl_auth_clients=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_client_connection_count_limit=15
    -o smtpd_client_connection_rate_limit=80
    -o smtpd_delay_reject=yes
    -o cleanup_service_name=pre-cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
    -o smtp_bind_address=74.116.186.178
    -o smtp_bind_address6=2606:6d00:100:4301::1:200
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
smtp-amavis unix - - n - 4 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o smtpd_tls_security_level=none
    -o local_recipient_maps=
    -o relay_recipient_maps=
pre-cleanup unix n - n - 0 cleanup
    -o virtual_alias_maps=
cleanup unix n - n - 0 cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o header_checks=
    -o body_checks=
vacation unix - n n - - pipe flags=DRhu
    user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}