Well, I’ve been on this for days, sometimes I get it right, sometimes not.

I have an OSX server running Postfix+Dovecot+SSL+MySql (LetsEncrypt) based on two Virtual Websites under Apache.

robert-chalmers.uk
quantum-radio.net

I have it set to prefer ipv6, and fall back to ipv4 if not available.

I upgraded my Postfix to 3.4. It seems to be working ok, but I’m deeply suspicious that it’s not working properly. It now seems that it’s mostly right. Some mail gets through, some doesn’t.

I’m watching it with

log stream --info --predicate 'senderImagePath CONTAINS "postfix"' --style syslog >> mail2.log
tail -f mail2.log

I wonder if some kind person could peruse my “postconf -n” and see if it’s all set up according to plan please. It’s not too long, and looks ok to me! … And tell me what needs fixing. If anything (hope springs eternal).

Thanks for your help.
Robert

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1, robert-chalmers.uk
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} - see http://$rbl_domain.
dovecot_destination_recipient_limit = 1
home_mailbox = Mail/Dovecot/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv6, ipv4
mail_owner = _postfix
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /usr/local/etc/postfix
milter_default_action = accept
mydestination = localhost mail.$mydomain, www.$mydomain
mydomain = robert-chalmers.uk
myhostname = www.robert-chalmers.uk
mynetworks = 151.225.136.134, 94.1.23.155, 192.168.0.0/28, 127.0.0.0/8,[::]/10 [2a02:c7f:3a85::]/64 [fe80::]/10 [2a02:c7f:3a85:8b00:c069:e462:ce46:fe91]
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = inet:127.0.0.1:8891
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/usr/local/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3 b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com dnsbl.sorbs.net=127.0.0.[2;3;6;7;10] ix.dnsbl.manitu.net bl.blocklist.de list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].[2..3]*-3 iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
shlib_directory = /usr/local/lib/postfix/${mail_version}
smtp_address_preference = ipv6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /private/etc/ssl/certs/gd_bundle-g2-g1.crt
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_secure_cert_match = nexthop
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/access,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client zen.spamhaus.org
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 2
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/usr/local/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_unknown_helo_hostname, reject_invalid_hostname, permit_sasl_authenticated, reject_invalid_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:/usr/local/etc/postfix/access, check_client_access hash:/usr/local/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, check_recipient_access hash:/usr/local/etc/postfix/access, check_policy_service unix:private/policy
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain,permit_sasl_authenticated
smtpd_soft_error_limit = 1
smtpd_tls_CAfile = /private/etc/ssl/certs/gd_bundle-g2-g1.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/robert-chalmers.uk/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/letsencrypt/live/robert-chalmers.uk/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = inline:{[nore...@robert-chalmers.uk]=discard:}
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers
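
An added example, not part of the original post and not Postfix's own code: a small Python check over `postconf -n` output that reports restrictions listed twice in one list, DNSBL zones queried by both postscreen and smtpd, and TLS protocol lists written without `!` exclusions. `SAMPLE` is an abridged copy of values from the post; the function names are hypothetical, and splitting restriction lists on commas is an assumption that fits this config.

```python
import re

# Abridged copy of values from the posted `postconf -n` output (one parameter per line).
SAMPLE = """\
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3 bl.spamcop.net dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
smtp_tls_mandatory_protocols = TLSv1
smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/access,reject_rbl_client bl.spamcop.net,reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org
"""

def parse(text):
    """Map each 'name = value' line to its value (split on the first '=')."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def duplicates(conf):
    """Entries that occur more than once inside one *_restrictions list.
    Assumption: entries are comma-separated, as in the posted config."""
    found = {}
    for name, value in conf.items():
        if name.endswith("_restrictions"):
            items = [" ".join(e.split()) for e in value.split(",") if e.strip()]
            dup = sorted({i for i in items if items.count(i) > 1})
            if dup:
                found[name] = dup
    return found

def dnsbl_overlap(conf):
    """DNSBL zones scored by postscreen and also queried by reject_rbl_client."""
    sites = conf.get("postscreen_dnsbl_sites", "").split()
    screen = {re.split(r"[=*]", s)[0] for s in sites}
    smtpd = set()
    for name, value in conf.items():
        if name.startswith("smtpd_") and name.endswith("_restrictions"):
            smtpd.update(re.findall(r"reject_rbl_client\s+([^\s,]+)", value))
    return sorted(screen & smtpd)

def include_only_tls(conf):
    """TLS protocol lists written without '!' exclusions allow only the versions named."""
    return {n: v for n, v in conf.items()
            if "_tls_" in n and n.endswith("_protocols") and not re.search(r"[!<>=]", v)}

if __name__ == "__main__":
    conf = parse(SAMPLE)
    print(duplicates(conf), dnsbl_overlap(conf), include_only_tls(conf), sep="\n")
```

To check a live server, pass the text of `postconf -n` to `parse()` in place of `SAMPLE`.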