> On Dec 22, 2018, at 4:13 AM, Philippe - Forums <for...@mehl-family.fr> wrote:
>
> smtpd_tls_cert_file=/path/to/certs/fullchain.pem
> smtpd_tls_key_file=/path/to/certs/privkey.pem
Fine, but if Let's Encrypt creates a single file with both the key
and the certificate, use that instead.
> smtpd_tls_CAfile=/path/to/certs/chain.pem
This is not needed.
> smtpd_use_tls=yes
This is obsolete; you already have the preferred "smtpd_tls_security_level =
may".
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
As of Postfix 2.11 and later supporting TLS session tickets, this is no
longer needed.
> smtpd_tls_security_level = may
Good. But see your master.cf file, where you should have the submission
service enabled, with "-o smtpd_tls_security_level=encrypt" and other
necessary settings.
> smtp_tls_cert_file=/path/to/certs/fullchain.pem
> smtp_tls_key_file=/path/to/certs/privkey.pem
> smtp_tls_CAfile=/path/to/certs/chain.pem
These are not needed and should be removed.
> smtp_use_tls=yes
This should be "smtp_tls_security_level = may".
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
This is fine.
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
These make smtpd(8) capable of SASL auth via Dovecot,
they're fine, but:
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
these are SMTP client (smtp(8)) settings, so SASL is still
not enabled for the SMTP server (smtpd(8)). That's actually
normal, because it is best to leave SASL off on port 25, and
configure it only for port 587 (submission) via master.cf.
You've not posted your master.cf configuration (output of
postconf -Mf), so perhaps you don't have SASL enabled.
> smtpd_client_restrictions =
>     permit_mynetworks,
>     reject_unknown_client_hostname,
>     permit
The "reject_unknown_client_hostname" restriction is
generally too strict.
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
>
> smtpd_relay_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     defer_unauth_destination
Replace "defer_unauth_destination" with "reject_unauth_destination".
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
These first three are redundant, given the "relay" restrictions.
>     reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client zen.spamhaus.org
>
> But with this configuration I can't send an email from my smartphone (reject).
The real story is in master.cf and your logs.
http://www.postfix.org/DEBUG_README.html#mail
--
Viktor.
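
The submission service the reply refers to, as an added example that is not part of the original message or of the poster's configuration: a master.cf entry modeled on the commented-out submission entry in Postfix's stock master.cf. The chroot column ("n"), the syslog name and the emptied restriction lists are assumptions to adapt to the local installation.

```conf
# master.cf (added example): port 587 for mail clients such as a smartphone.
# Each "-o name=value" overrides main.cf for this service only, so port 25
# keeps "smtpd_tls_security_level = may" and stays without SASL.
#
# service    type  private unpriv  chroot  wakeup  maxproc command + args
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  # TLS is mandatory here, and AUTH is only offered once TLS is active.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  # Enable SASL for this service; smtpd_sasl_type and smtpd_sasl_path
  # (dovecot, private/auth) are inherited from main.cf.
  -o smtpd_sasl_auth_enable=yes
  # Keep the port-25 client, sender and RBL checks from main.cf
  # (for example reject_unknown_client_hostname) off this service.
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  # Only authenticated users may send; everything else is rejected.
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After reloading Postfix, the output of "postconf -Mf" shows whether the entry is active, and the postfix/submission log lines show which restriction handled a given client.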