On Sat, Aug 07, 2021 at 11:51:33AM +0000, [email protected] wrote:
> At the moment, I need to know what in this configuration could be
> causing the mail to bounce back to me. At the moment, only local mail is
> delivered.
Can you also explain the consistent failure to be helped by posting the
relevant logs? :-(
> I simply need the mail to exit my server after it is sent without being
> refused. All relevant ports are open on the endpoint I want to send to.
That may make sense to you, but out of context, and without logs, it is way
too vague for any actionable help.
> On 8/6/21 7:23 PM, Viktor Dukhovni wrote:
> >
> > And what question did you want to ask in relation to this configuration,
> > and where are the relevant logs? Post your reply to the postfix-users
> > *list*, not to my personal email address.
Did you happen to read the above carefully?
> >> ###BEGIN OUTPUT###
> >> relayhost = [mx.krowverse.services]
> >> smtp_tcp_port = submission
This pair of settings is unwise. Instead leave "smtp_tcp_port" at its
default value (drop it from main.cf) and append ":587" to "$relayhost":
relayhost = [mx.krowverse.services]:587
> >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
And in "/etc/postfix/sasl_passwd" (presumably for auth to the relay) use
the verbatim relayhost as the lookup key:
[mx.krowverse.services]:587 user:passwd
Also, your configuration shows no attempt to use outbound TLS with the
relay. With all outbound mail going to the relay you can set the TLS
policy in main.cf:
smtp_tls_security_level = secure
smtp_tls_CAfile = ... CA file with Let's Encrypt Root CA ...
The current relay certificate chain is:
subject=CN = mx.krowverse.services
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
So the CAfile should include at least the self-signed ISRG Root CA
cert (the ISRG root CA also has a "cross cert" issued by DST, but
most relying parties construct a shorter chain to the self-signed ISRG
root):
C = US, O = Internet Security Research Group, CN = ISRG Root X1
See: https://letsencrypt.org/certificates/
ISRG Root X1: https://letsencrypt.org/certs/isrgrootx1.pem
and optionally also the issuer of the cross cert, which expires on Sep
30th, and so is only useful for at most two months, and typically not
needed if the ISRG root is configured.
O = Digital Signature Trust Co., CN = DST Root CA X3
https://letsencrypt.org/certs/trustid-x3-root.pem.txt
--
Viktor.
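As an added example (not part of the thread), a small POSIX sh check for the three points raised in the reply: the port belongs in relayhost rather than smtp_tcp_port, the sasl_passwd lookup key must be the verbatim relayhost string, and outbound TLS to the relay should be enforced and verified. The two main.cf samples and the CAfile path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. cf_get prints one main.cf parameter
# (first match, trailing blanks stripped); check_relay_config reports the
# mismatches discussed in the reply and returns 1 if it found any.
cf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_relay_config MAIN_CF SASL_PASSWD
check_relay_config() {
  rc=0
  relay=$(cf_get "$1" relayhost)
  case "$relay" in
    *:*) ;;  # port is carried in relayhost, as recommended
    *) echo "WARN: relayhost '$relay' has no port; use '$relay:587'"; rc=1 ;;
  esac
  if [ -n "$(cf_get "$1" smtp_tcp_port)" ]; then
    echo "WARN: smtp_tcp_port is set; drop it and put the port in relayhost"; rc=1
  fi
  # sasl_passwd is keyed on the verbatim relayhost string, brackets and port included
  if ! awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$2"; then
    echo "WARN: no sasl_passwd line whose lookup key is exactly '$relay'"; rc=1
  fi
  level=$(cf_get "$1" smtp_tls_security_level)
  if [ "$level" != "secure" ]; then
    echo "WARN: smtp_tls_security_level is '$level', not 'secure'"; rc=1
  fi
  if [ -z "$(cf_get "$1" smtp_tls_CAfile)" ]; then
    echo "WARN: smtp_tls_CAfile unset; relay chain cannot be verified"; rc=1
  fi
  return $rc
}

# Constructed samples: "before" mirrors the poster's settings, "after" the reply's.
D=$(mktemp -d)
printf '%s\n' '[mx.krowverse.services]:587 user:passwd' > "$D/sasl_passwd"
printf '%s\n' 'relayhost = [mx.krowverse.services]' 'smtp_tcp_port = submission' \
  'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' > "$D/before.cf"
printf '%s\n' 'relayhost = [mx.krowverse.services]:587' \
  'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
  'smtp_tls_security_level = secure' \
  'smtp_tls_CAfile = /etc/postfix/isrgrootx1.pem' > "$D/after.cf"   # assumed path

for cf in before after; do
  echo "== $cf.cf"
  if check_relay_config "$D/$cf.cf" "$D/sasl_passwd"; then echo "OK"; fi
done
```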