For the blackhole lists, etc., take a look at mxtoolbox.com. Postfix should be passing sasl requests to dovecot’s imap process. I use a tool called ispconfig which sets all of this up along with other tools such as clamav, rspamd or amavisd along with per user policies.
My $0.02. I like its security way better than cpanel. It’s closer to plesk in that regard. Best of all it’s free.

Sent from my iPhone

> On Jan 24, 2021, at 6:43 AM, Jeff Abrahamson <j...@p27.eu> wrote:
>
> I've set up a new postfix instance which more or less duplicates an older
> one. The main change (besides being newer) is that the old one used real
> users with real accounts while this one uses virtual users. Some bits work,
> some don't. I'm a bit confused on how to test it, really, short of
> connecting with a regular email client (mutt, thunderbird, etc.).
>
> But I've a few questions, mostly about auth, which is what has most changed
> and which I've clearly not got going correctly. (And I'm aware that auth may
> be handled by dovecot and so not be appropriate to this list. But I'm not
> yet convinced of that, so I have to ask here first.)
>
> 1. Users need to provide user + password to send (smtps) and receive
> (imaps). I see where I've configured this for dovecot, which is
> /etc/dovecot/passwd.db. That file contains lines like this:
>
> j...@mobilitains.fr:{BLF-CRYPT}$2y$05$c...
>
> I do not see how postfix knows who is allowed to connect, however. Does
> postfix delegate SASL to dovecot? This is the relevant config, I think:
>
> [T] jeff@nantes-m1:log $ postconf -n | grep -i sasl
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
>     reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     defer_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
>
> [T] jeff@nantes-m1:log $ postconf -Mf
> smtp inet n - y - - smtpd
> submission inet n - y - - smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=
>     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
> smtps inet n - y - - smtpd
>     -o syslog_name=postfix/smtps
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_reject_unlisted_recipient=no
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=
>     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
> ...
>
> 2. Any suggestions on how to test this (and continue testing it)? First,
> about today, as in, are there good commandline tools to poke at a postfix
> instance?
>
> Second, for later, I'm aware of some very useful online web-based tools
> (mxtoolbox, etc.), but I'd be quite happy to have some process run on another
> host and periodically check that my MX isn't on any blackhole lists, that the
> reasonably foreseeable stuff is all working correctly, etc. I've not found
> that. Any suggestions?
>
> Many thanks for any pointers.
>
> --
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255
>
> http://p27.eu/jeff/
> http://transport-nantes.com/
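
The periodic blackhole-list check asked about in the quoted message can be scripted with plain DNS lookups. This is an added example, not part of the original thread: the zone selection, the function names and the sample address (203.0.113.25, a documentation range) are assumptions, and it also covers IPv6, which the thread does not mention.

```python
import ipaddress
import socket
import sys

# Assumed selection of public DNSBL zones; replace with the lists you care about.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

def dnsbl_name(ip, zone):
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    labels = str(addr).split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolve(name):
    """A record for name, None on NXDOMAIN; other resolver failures are re-raised."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise

def classify(answer):
    """Map a DNSBL answer to 'clean', 'listed' or 'error'."""
    if answer is None:
        return "clean"  # NXDOMAIN means the address is not on the list
    if answer.startswith("127.255.255."):
        return "error"  # Spamhaus convention: query refused or rate-limited, not a listing
    # Listings are answers inside 127/8; anything else is a broken or rewritten reply.
    return "listed" if answer.startswith("127.") else "error"

def check_ip(ip, zones=DNSBL_ZONES, resolve=system_resolve):
    """Return {zone: status} for one MX address."""
    results = {}
    for zone in zones:
        try:
            results[zone] = classify(resolve(dnsbl_name(ip, zone)))
        except OSError:
            results[zone] = "error"  # timeout or SERVFAIL: unknown, never report as clean
    return results

if __name__ == "__main__":
    # Constructed sample address; pass the real MX address as the first argument.
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.25"
    results = check_ip(ip)
    for zone, status in results.items():
        print(f"{ip} {zone}: {status}")
    # Non-zero exit lets cron or a monitoring wrapper raise the alert.
    sys.exit(0 if all(s == "clean" for s in results.values()) else 1)
```

Run it from the second host through that host's own resolver; the "error" status exists because some list operators answer with codes in 127.255.255.0/24 when they refuse a query, for example one sent through a large public resolver.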