> On 14 Jul 2019, at 17:25, David Mehler <dave.meh...@gmail.com> wrote:
> 
> Hello Viktor,
> 
> Thanks for your reply. Is my configuration overdoing it?
> 
> Here's my submission snippet:
> submission inet n       -       n       -       -       smtpd
>    -o syslog_name=postfix/submission
>    -o smtpd_tls_security_level=encrypt
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_sasl_type=dovecot
>    -o smtpd_sasl_path=private/auth
>    -o smtpd_sasl_security_options=noanonymous
>    -o smtpd_client_restrictions=$mua_client_restrictions
>    -o smtpd_sender_restrictions=$mua_sender_restrictions
>    -o smtpd_relay_restrictions=$mua_relay_restrictions

> mua_relay_restrictions =
> reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
> mua_sender_restrictions =
> permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

You should not have permit_mynetworks anywhere; reject_non_fqdn_sender should 
do absolutely nothing if your system is set up properly. I have opinions on 
reject_sender_login_mismatch, but I don’t know that it would be a problem here.

Submission is used for authenticated users. You already know who that user is; 
you don’t need to check their email address.

> -o tls_preempt_cipherlist=yes

Why?

>    -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf

This should not be necessary, dovecot handles the login already.

submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o syslog_name=postfix/submit
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject

I removed the milter stuff as it’s not relevant, but if you are running a 
milter (and I’m pretty sure you are), you should consider excluding your known 
users from the milter: 

    -o smtpd_milters=
    -o milter_connect_macros=
    -o milter_macro_daemon_name=ORIGINATING

That is likely where you are going to run into the most issues.

-- 
> I miss the old days. I haven't killed anyone in years.
 
That's sad.
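As an added example, not part of this thread and not Postfix's own code: a small audit script that reads a master.cf submission stanza the way Postfix does (a line beginning with whitespace continues the previous logical line, so a wrapped "-o" on its own line still parses), expands $mua_* references against main.cf values, and flags the points made above: permit_mynetworks in any restriction list, a list that does not end in an explicit reject, a list that never permits SASL users, and missing TLS or SASL enforcement. The two sample stanzas and the main.cf dictionary are constructed from the snippets in this thread; the function names are my own.

```python
"""Hypothetical master.cf submission-stanza audit (not a Postfix tool)."""
import re

# Constructed from the poster's original stanza and main.cf values.
ORIGINAL_MASTER_CF = """\
# constructed sample: original stanza
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_client_restrictions=$mua_client_restrictions
   -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_relay_restrictions=$mua_relay_restrictions
"""
MAIN_CF = {
    "mua_relay_restrictions": "reject_non_fqdn_recipient,reject_unknown_recipient_domain,"
                              "permit_mynetworks,permit_sasl_authenticated,reject",
    "mua_sender_restrictions": "permit_mynetworks,reject_non_fqdn_sender,"
                               "reject_sender_login_mismatch,permit_sasl_authenticated,reject",
    "mua_client_restrictions": "permit_mynetworks,permit_sasl_authenticated,reject",
}
# Constructed from the revised stanza; "-o" alone on a line is deliberate,
# Postfix joins the whitespace-led continuation line onto it.
REVISED_MASTER_CF = """\
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o syslog_name=postfix/submit
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o
    smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
"""

RESTRICTION_KEYS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                    "smtpd_recipient_restrictions")


def logical_lines(text):
    """Yield master.cf logical lines, joining whitespace-led continuation lines."""
    buf = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        if raw[0].isspace() and buf is not None:
            buf += " " + raw.strip()
        else:
            if buf is not None:
                yield buf
            buf = raw.strip()
    if buf is not None:
        yield buf


def parse_master_cf(text):
    """Return {service_name: {override_key: value}} for each service entry."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a service definition line
        overrides, args = {}, fields[8:]  # fields[7] is the command (smtpd)
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
                i += 2
            else:
                i += 1
        services[fields[0]] = overrides
    return services


def expand(value, main_cf, depth=10):
    """Expand $name / ${name} references against main.cf values, recursively."""
    pattern = re.compile(r"\$\{(\w+)\}|\$(\w+)")
    for _ in range(depth):
        if "$" not in value:
            break
        value = pattern.sub(lambda m: main_cf.get(m.group(1) or m.group(2), ""), value)
    return value


def audit_submission(overrides, main_cf):
    """Return findings for one submission stanza (empty list means clean)."""
    findings = []
    if overrides.get("smtpd_tls_security_level") != "encrypt":
        findings.append("smtpd_tls_security_level is not 'encrypt'")
    if overrides.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes'")
    for key in RESTRICTION_KEYS:
        if key not in overrides:
            continue
        rules = expand(overrides[key], main_cf).replace(",", " ").split()
        if not rules:
            continue  # an empty override disables that list; nothing to check
        if "permit_mynetworks" in rules:
            findings.append(f"{key} contains permit_mynetworks")
        if "permit_sasl_authenticated" not in rules:
            findings.append(f"{key} never permits SASL-authenticated users")
        if rules[-1] != "reject":
            findings.append(f"{key} does not end with an explicit reject")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_MASTER_CF), ("revised", REVISED_MASTER_CF)):
        stanza = parse_master_cf(text)["submission"]
        print(label, audit_submission(stanza, MAIN_CF) or ["clean"])
```

Running it prints three permit_mynetworks findings for the original stanza and "clean" for the revised one. The script only reads configuration text; it does not need Postfix installed, so it can run against a copy of master.cf taken from a host before any change is deployed.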
