On Sat, Jun 18, 2022 at 10:25:03AM -0600, Austin Witmer wrote:
> > - You'll need to disable "sender_bcc" in all but one of the delivery stages
> > via "receive_override_options".
>
> My setup seems to be working now that I have added the
> "-o receive_override_options=no_address_mappings" to all but one of
> the delivery stages.
While that may resolve the immediate issue, there are additional
improvements you might consider.
> > - You should try to avoid splitting the envelope for different
> > content_filter recipients of the same message, by using
> > filters that can handle multiple recipients, and transport
> > one input multi-recipient message to one output multi-recipient
> > message.
- Your "gpg" content filter needlessly splits the envelope by recipient
domain.
- You're doing DKIM signing twice.
> > - You can get more recipient deduplication via
> > "enable_original_recipient = no", see the docs for
> > corner-case caveats.
You could more aggressively deduplicate envelope recipients.
On Sat, Jun 18, 2022 at 09:43:02AM -0600, Austin Witmer wrote:
> Here is the output of postconf -nf
>
> content_filter = amavis:[127.0.0.1]:10024
The explicit nexthop here avoids envelope splits modulo the
recipient concurrency limit, which could be increased for
this transport:
amavis_destination_recipient_limit = 1000
> mailbox_transport = lmtp:unix:private/dovecot-lmtp
Your LMTP delivery is via local(8), which delivers one recipient at a
time (after performing local alias expansion). If you move to
virtual(5) aliases and virtual mailbox domains, your LMTP delivery
will more efficiently support multi-recipient messages.
> mydestination = $myhostname, sunlightmail.net, mail, localhost.localdomain,
> localhost, encryptedmail.info, animaswoodcraft.com, animascreations.com,
> appalachianmeats.com, mcmennonitechurch.org, thefabshop.net, postal22.com,
> rollingpastures.net
Most of these domains could become virtual alias or virtual mailbox
domains. I don't recommend creating a multitude of "local" domains,
they end up giving each user multiple redundant email addresses, even in
domains the user never intends to receive mail for. With virtual alias
and virtual mailbox domains, each domain has a separate user namespace.
Instead migrate to at most one local domain, and rewrite specific
virtual addresses to a local address when what you need is local
delivery (to a pipe, a ":include:" list, .forward file or similar). For
simple LMTP recipients avoid local(8) entirely.
> sender_bcc_maps = hash:/etc/postfix/regexp_sender_bcc
> smtp_destination_concurrency_failed_cohort_limit = 10
> smtp_destination_concurrency_limit = 1
> smtp_destination_rate_delay = 1s
Do you really need this as a global default?
> smtp_tls_cert_file = /etc/letsencrypt/live/mail.sunlightmail.net/fullchain.pem
> smtp_tls_key_file = /etc/letsencrypt/live/mail.sunlightmail.net/privkey.pem
Why do you need a TLS client certificate issued by Let's Encrypt?
What receiving system expects this?
> smtp_tls_security_level = may
> smtp_use_tls = yes
The second is obsolete and redundant.
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
This is silly, just drop it.
> smtpd_milters = inet:localhost:12345
I guess this is opendkim.
> smtpd_recipient_restrictions =
> permit_mynetworks,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_non_fqdn_sender,
> reject_rbl_client sbl.spamhaus.org,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> permit_sasl_authenticated,
> reject_unauth_destination,
> check_policy_service inet:[127.0.0.1]:10023,
> check_policy_service unix:private/policy-spf
Why is "permit_sasl_authenticated" after the SBL check?
Why is the SBL check before "reject_unauth_destination",
"reject_unknown_sender_domain" and "reject_unknown_recipient_domain",
those are quick local checks and should generally come before the SBL
check.
Actually, I'd only use "reject_unknown_recipient_domain" for
submission, no reason to defer your own domains just because
of a DNS glitch (reject_unauth_destination will only allow
your own domains).
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> defer_unauth_destination
Change "defer" to "reject" here. Also, with Postfix 3.6 or later,
consider setting the compatibility level to 3.6, which gives:
smtpd_relay_before_recipient_restrictions =
${{$compatibility_level} <level {3.6} ? {no} : {yes}}
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_key_file = /etc/letsencrypt/live/mail.sunlightmail.net/privkey.pem
> smtpd_tls_cert_file =
> /etc/letsencrypt/live/mail.sunlightmail.net/fullchain.pem
> smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
> smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
The "512" variant is no longer pertinent.
> smtpd_tls_eecdh_grade = strong
Best not to set this explicitly. The default is always better.
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
Needlessly strict. Accept the default.
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
The second is obsolete and redundant.
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
No longer needed. TLS session tickets are better.
> tls_medium_cipherlist = AES128+EECDH:AES128+EDH
The default would be better IMNSHO.
> And here is the output of postconf -Mf
>
> smtp inet n - - - - smtpd
> -o content_filter=gpgit-pipe
> -o cleanup_service_name=subcleanup
Consider giving the "content_filter" an explicit nexthop:
-o content_filter=gpgit-pipe:local
> submission inet n - n - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
The client restrictions are more strict than the recipient restrictions.
Configure just the latter to the single desired value. Also the
main.cf "relay restrictions" are also in force, consider adding
an override (to empty) here.
> -o content_filter=gpgit-pipe
See above re explicit nexthop.
> -o cleanup_service_name=subcleanup
> -o smtpd_enforce_tls=yes
The "enforce_tls" is obsolete and redundant.
> -o sender_bcc_maps=hash:/etc/postfix/regexp_sender_bcc
This has no effect, sender BCC is handled in cleanup(8).
> smtps inet n - - - - smtpd
> -o syslog_name=postfix/smtps
> -o smtpd_tls_wrappermode=yes
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> -o content_filter=gpgit-pipe
> -o cleanup_service_name=subcleanup
Where is the override of "recipient restrictions" (and relay
restrictions)? This should be identical to the submission service
modulo "wrapper mode".
> amavis unix - - - - 2 smtp
> -o smtp_send_xforward_command=yes
> -o smtp_tls_security_level=none
> -o cleanup_service_name=subcleanup
> -o receive_override_options=no_address_mappings
This is a delivery agent, it does not use cleanup or address
mappings. The last two overrides are pointless.
--
Viktor.
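As an added example (mine, not anything from the thread or from Postfix itself), here is a small Python checker that reads a postconf -nf dump and flags the issues raised above: the obsolete *_use_tls / enforce_tls / dh512 parameters, "defer_unauth_destination" in the relay restrictions, and network checks (DNSBL, policy service) placed ahead of the cheap local checks or ahead of "permit_sasl_authenticated". The "as posted" sample is lifted from the main.cf quoted in the thread; the "corrected" sample and the sets of restrictions the checker treats as local vs. network are my assumptions, not Postfix's own classification.

```python
"""Lint a `postconf -n` / `postconf -nf` dump for the restriction-ordering and
obsolete-parameter issues discussed in the thread.  Added example; not
Postfix's own tooling.  The categories below are this script's assumptions."""
import re

# Parameters superseded by the *_tls_security_level family.
OBSOLETE = {
    "smtp_use_tls": "smtp_tls_security_level = may",
    "smtpd_use_tls": "smtpd_tls_security_level = may",
    "smtpd_enforce_tls": "smtpd_tls_security_level = encrypt",
    "smtpd_tls_dh512_param_file": "(drop it; 512-bit DH is no longer used)",
}
# Restrictions that take one argument, so the following token belongs to them.
ARG_RESTRICTIONS = {
    "reject_rbl_client", "reject_rhsbl_sender", "reject_rhsbl_client",
    "check_policy_service", "check_client_access", "check_sender_access",
    "check_recipient_access", "check_helo_access",
}
# Checks that go out on the network: slow and dependent on third parties.
NETWORK_CHECKS = {"reject_rbl_client", "reject_rhsbl_sender",
                  "reject_rhsbl_client", "check_policy_service"}
# Cheap decisions that should be made before any network check (assumption).
LOCAL_CHECKS = {"reject_unauth_destination", "reject_unknown_sender_domain",
                "reject_unknown_recipient_domain", "reject_non_fqdn_sender",
                "reject_non_fqdn_hostname", "reject_invalid_hostname"}


def parse_postconf(text):
    """Parse postconf output into {parameter: value}.
    Continuation lines begin with whitespace, as postconf -nf prints them."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list into entries, keeping each argument with its
    restriction ("reject_rbl_client sbl.spamhaus.org" is one entry)."""
    entries = []
    for word in re.split(r"[,\s]+", value):
        if not word:
            continue
        if entries and entries[-1] in ARG_RESTRICTIONS:
            entries[-1] = entries[-1] + " " + word   # attach the argument
        else:
            entries.append(word)
    return entries


def lint(params):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, replacement in OBSOLETE.items():
        if name in params:
            findings.append(f"{name}: obsolete, use {replacement}")

    relay = split_restrictions(params.get("smtpd_relay_restrictions", ""))
    if "defer_unauth_destination" in relay:
        findings.append("smtpd_relay_restrictions: defer_unauth_destination "
                        "answers relay attempts with 4xx; use reject_unauth_destination")

    rcpt = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    net = [i for i, r in enumerate(rcpt) if r.split()[0] in NETWORK_CHECKS]
    if net:
        first = net[0]
        for r in rcpt[first + 1:]:
            if r in LOCAL_CHECKS:
                findings.append(f"smtpd_recipient_restrictions: {r} comes after "
                                f"'{rcpt[first]}'; put local checks first")
        if "permit_sasl_authenticated" in rcpt[first + 1:]:
            findings.append("smtpd_recipient_restrictions: permit_sasl_authenticated "
                            f"comes after '{rcpt[first]}'; authenticated clients "
                            "are subjected to the network check")
    return findings


# Constructed from the main.cf quoted in the thread (postconf -nf style).
AS_POSTED = """\
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname,
    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_rbl_client sbl.spamhaus.org, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:[127.0.0.1]:10023,
    check_policy_service unix:private/policy-spf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
"""
# Constructed "corrected" variant: obsolete knobs gone, reject instead of
# defer, local checks and permit_sasl_authenticated ahead of the network checks.
CORRECTED = """\
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_rbl_client sbl.spamhaus.org,
    check_policy_service unix:private/policy-spf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for finding in lint(parse_postconf(text)) or ["clean"]:
            print(" ", finding)
```

Run it as is to see the eight findings for the posted configuration and a clean result for the corrected one; to check a live server, pipe `postconf -nf` into parse_postconf() instead of the embedded sample.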