----- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> ---------
    Date: Mon, 22 Mar 2021 00:13:00 -0400
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: postfix-users@postfix.org
 Subject: Re: upgrade 2.10 - 3.3 config compatibility
      To: postfix-users@postfix.org


On Mon, Mar 22, 2021 at 12:32:18PM +1000, Simon Wilson wrote:

I have temporarily set it at 0 after reading
http://www.postfix.org/COMPATIBILITY_README.html to ensure that I pick
up in logging if/when backwards-compatibility is triggered by the
legacy settings as follows (from
http://www.postfix.org/COMPATIBILITY_README.html):

  Logged with compatibility_level < 1:

    **Using backwards-compatible default setting append_dot_mydomain=yes**
    Using backwards-compatible default setting chroot=y

This will only be logged if you have not explicitly set a value
for "append_dot_mydomain".

  Logged with compatibility_level < 2:

    Using backwards-compatible default setting "smtpd_relay_restrictions = (empty)"
    Using backwards-compatible default setting mynetworks_style=subnet
**Using backwards-compatible default setting relay_domains=$mydestination**
    Using backwards-compatible default setting smtputf8_enable=no

Ditto.  My advice is generally to set "relay_domains" empty, or at least
to not include "relay_domains" in "parent_domain_matches_subdomains".

And of course set mynetworks explicitly, which makes "mynetworks_style"
irrelevant, but best to set that to "host".

//Main.cf:
# comment out, compat to 0, and monitor
# append_dot_mydomain = yes
# relay_domains       = $mydestination
compatibility_level = 0

//postconf -n:
[root@emp87 log]# postconf -n | grep comp
compatibility_level = 0
[root@emp87 log]# postconf -n | grep append_dot_mydomain
[root@emp87 log]# postconf -n | grep relay_domains
[root@emp87 log]# postconf -n | grep my_networks
[root@emp87 log]# postconf -n | grep "mynetworks ="
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 103.16.129.171

For the smtpd_relay_restrictions, set:

    # Typically, there's no SASL on port 25, and for submission,
    # you should have an explicit override in master.cf
    #
    smtpd_relay_restrictions =
        permit_mynetworks,
        reject_unauth_destination

but given that prior to 3.6 the order of relay vs. recipient
restrictions is not as expected, also do the same at the top
of smtpd_recipient_restrictions for now.

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination
        ... RBLs, ... for inbound mail ...


[root@emp87 log]# postconf -n | grep "smtpd_relay"
smtpd_relay_restrictions =
[root@emp87 log]# postconf -n | grep "smtpd_recip"
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks, permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policyd-spf permit

Submission port is only accessible on internal network from webmail host, but has:

# submission port 587 - TLS and SASL
submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
    -o cleanup_service_name=auth-cleanup
    -o content_filter=amavisfeed:[127.0.0.1]:10026

Complete postconf -n is at the bottom of this email.

With the items I need to watch for (emphasis added ** **) that means I
need it to be less than 1. Once I am confident of the outcome I'll set
to 2.

When you upgrade to Postfix 3.6, and set the compatibility level to 3.6,
you can simplify the recipient restrictions to just the anti-abuse rules
(provided the relay restrictions are all set).

Noted, thank you.

----- End message from Viktor Dukhovni <postfix-us...@dukhovni.org> -----


[root@emp87 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/postfix/report_aliases
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 0
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = no
inet_protocols = ipv4
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 26214400
mailbox_transport = lmtp:unix:/run/cyrus/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !system.simonandkate.net, simonandkate.net, simonandkate.lan
maximal_queue_lifetime = 3d
message_size_limit = 26214400
milter_default_action = accept
mua_client_restrictions =
mua_helo_restrictions =
mua_sender_restrictions =
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, localhost.localdomain, simonandkate.net, system.simonandkate.net, simonmwilson.net, domwilson.net, chiarina.net, benjwilson.net, millikens.net, simonandkate.lan, howiesue.net, tlchomeandyard.com.au, facetbd.net.au, facetbd.com.au, facetbuildingdesign.net.au, facetbuildingdesign.com.au
myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 103.16.129.171
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net hostkarma.junkemailfilter.com=127.0.0.2 hostkarma.junkemailfilter.com=127.0.0.4 hostkarma.junkemailfilter.com=127.0.1.2 psbl.surriel.com swl.spamhaus.org*-4 list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-1
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining permit
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:127.0.0.1:8893
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks, permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policyd-spf permit
smtpd_relay_restrictions =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/hub.simonandkate.net-chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/hub.simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/hub.simonandkate.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550


--
Simon Wilson
M: 0400 12 11 16
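A small audit script for the points raised in this thread (backwards-compatible defaults still in effect at a low compatibility_level, an empty smtpd_relay_restrictions, and permit-capable lookups placed ahead of reject_unauth_destination in smtpd_recipient_restrictions, which matters before 3.6). It is an added example, not code from the thread or from Postfix; SAMPLE is a constructed cut-down of the postconf -n output quoted above, and the set of argument-taking restriction names is an assumption sufficient for that config.

```python
import re

# Parameters whose defaults change at each compatibility_level step (COMPATIBILITY_README).
COMPAT_PARAMS = {1: ["append_dot_mydomain"], 2: ["smtpd_relay_restrictions",
                 "mynetworks_style", "relay_domains", "smtputf8_enable"]}
GATE = "reject_unauth_destination"
SAFE_PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")
TAKES_ARG = ("check_", "reject_rbl", "reject_rhsbl")  # assumed: restrictions taking one argument

def parse_postconf(text):
    """Parse `postconf -n` output (one 'name = value' per line) into a dict."""
    pairs = (re.match(r"([\w-]+)\s*=\s*(.*)", l.strip()) for l in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def restrictions(value):
    """Split a restriction list, keeping 'check_x map' style pairs as one entry."""
    out = []
    for t in re.split(r"[,\s]+", value):
        if t and out and out[-1].startswith(TAKES_ARG) and " " not in out[-1]:
            out[-1] += " " + t
        elif t:
            out.append(t)
    return out

def audit(conf):
    """Return findings about relay control; an empty list means nothing to fix."""
    findings = []
    level = int(conf.get("compatibility_level", "0").split(".")[0])
    for step, params in COMPAT_PARAMS.items():
        if level < step:
            findings += [f"backwards-compatible default in effect: {p}" for p in params
                         if p not in conf and not (p == "mynetworks_style" and "mynetworks" in conf)]
    if GATE not in restrictions(conf.get("smtpd_relay_restrictions", "")):
        findings.append(f"smtpd_relay_restrictions lacks {GATE}")
    rcpt = restrictions(conf.get("smtpd_recipient_restrictions", ""))
    cut = rcpt.index(GATE) if GATE in rcpt else len(rcpt)
    # Pre-3.6, recipient restrictions run first, so a PERMIT here bypasses the relay gate.
    for r in rcpt[:cut]:
        if r.startswith("check_") or (r.startswith("permit") and r not in SAFE_PERMITS):
            findings.append(f"'{r}' precedes {GATE} in smtpd_recipient_restrictions")
    return findings

# Constructed sample, cut down from the `postconf -n` output quoted above.
SAMPLE = """compatibility_level = 0
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 103.16.129.171
smtpd_relay_restrictions =
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks, permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit"""

if __name__ == "__main__":
    print("\n".join(audit(parse_postconf(SAMPLE))))
```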
