On Wed, Nov 11, 2020 at 10:57:12PM -0500, Alex wrote:

> /etc/postfix-117/main.cf

Input instance.

> default_process_limit = 100

I'd go higher, inbound connections are cheap.

> delay_warning_time = 4d

If this is inbound mail from outside, I generally don't enable delay
warnings back to outside senders.

> maximal_queue_lifetime = 3d

Because all mail is destined for the filter, and should never fail to
get through, I actually set this higher (100 days is the maximum allowed
IIRC), and monitor that the limit is never reached.

> mynetworks = 127.0.0.0/8, 209.216.99.0/24

Is this handling inbound or outbound mail? If inbound, why is
mynetworks not just 127.0.0.0/8? If both, why not separate instances
for inbound/outbound?

> relay_transport = $default_transport
> relay_domains = mycompany.com, $mydestination

Fine, but I don't see a "relay_recipient_maps" for recipient validation,
which is quite important to avoid backscatter.

> smtp_tls_CAfile = /etc/letsencrypt/chain.pem
> smtp_use_tls = yes
> smtp_tls_security_level = may

There's no need to enable TLS for an internal hop via Amavis, and
"smtp_use_tls" is obsolete. Just 'smtp_tls_security_level = none'.

> smtpd_tls_auth_only = yes

Generally not needed for inbound mail.

> smtpd_tls_session_cache_database =
>     btree:/var/lib/postfix/smtpd_tls_session_cache

Session tickets make this mostly unnecessary.

> /etc/postfix-out/main.cf:
>
> recipient_delimiter = +

Once you're doing recipient validation, you'll generally also want this
on the input side.

> smtp_tls_CAfile = /etc/letsencrypt/chain.pem

You probably don't need this, I saw no hint that you're using "verify"
or "secure" for any onward SMTP deliveries.

--
    Viktor.
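
An added example, not part of the original message: a small Python check that parses a main.cf and reports the points raised in the review above (non-loopback mynetworks, relay_domains without relay_recipient_maps, the obsolete smtp_use_tls, and smtp_tls_CAfile without a "verify" or "secure" level). The sample config is constructed from the quoted settings, and the function names are hypothetical.

```python
# Constructed sample, assembled from the settings quoted in the message.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 209.216.99.0/24
relay_domains = mycompany.com, $mydestination
smtp_tls_CAfile = /etc/letsencrypt/chain.pem
smtp_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_session_cache_database =
    btree:/var/lib/postfix/smtpd_tls_session_cache
"""

def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, a line starting with
    whitespace continues the previous one, the last assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def review(params):
    """Return one finding per review point that applies to this config."""
    findings = []
    nets = params.get("mynetworks", "").replace(",", " ").split()
    extra = [n for n in nets if n not in ("127.0.0.0/8", "[::1]/128")]
    if extra:
        findings.append(f"mynetworks trusts {extra}: confirm this instance relays outbound mail")
    if params.get("relay_domains") and not params.get("relay_recipient_maps"):
        findings.append("relay_domains without relay_recipient_maps: backscatter risk")
    if "smtp_use_tls" in params:
        findings.append("smtp_use_tls is obsolete: set smtp_tls_security_level instead")
    level = params.get("smtp_tls_security_level", "unset")
    if params.get("smtp_tls_CAfile") and level not in ("verify", "secure"):
        findings.append(f"smtp_tls_CAfile set with level '{level}': probably not needed")
    return findings

if __name__ == "__main__":
    print("\n".join(review(parse_main_cf(SAMPLE_MAIN_CF))))
```

The check reads only main.cf, so a "verify" or "secure" level set per destination in smtp_tls_policy_maps is not seen by the CAfile finding.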