Thanks so much for your suggestions. See my comments below.

> On Jun 18, 2022, at 11:46 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Sat, Jun 18, 2022 at 10:25:03AM -0600, Austin Witmer wrote:
>
>>> - You'll need to disable "sender_bcc" in all but one of the delivery stages
>>> via "receive_override_options".
>>
>> My setup seems to be working now that I have added the
>> "-o receive_override_options=no_address_mappings" to all but one of
>> the delivery stages.
>
> While that may resolve the immediate issue, there are additional
> improvements you might consider.
>
>>> - You should try to avoid splitting the envelope for different
>>> content_filter recipients of the same message, by using
>>> filters that can handle multiple recipients, and transport
>>> one input multi-recipient message to one output multi-recipient
>>> message.
>
> - Your "gpg" content filter needlessly splits the envelope by recipient
> domain.
>
> - You're doing DKIM signing twice.

This is only happening for one user on my server, so I'm not that worried about it.

>>> - You can get more recipient deduplication via
>>> "enable_original_recipient = no", see the docs for
>>> corner-case caveats.
>
> You could more aggressively deduplicate envelope recipients.

I'll have to check into this.

> On Sat, Jun 18, 2022 at 09:43:02AM -0600, Austin Witmer wrote:
>
>> Here is the output of postconf -nf
>>
>> content_filter = amavis:[127.0.0.1]:10024
>
> The explicit nexthop here avoids envelope splits modulo the
> recipient concurrency limit, which could be increased for
> this transport:
>
> amavis_destination_recipient_limit = 1000
>
>> mailbox_transport = lmtp:unix:private/dovecot-lmtp
>
> Your LMTP delivery is via local(8), which delivers one recipient at a
> time (after performing local alias expansion). If you move to
> virtual(5) aliases and virtual mailbox domains, your LMTP delivery
> will more efficiently support multi-recipient messages.
>
>> mydestination = $myhostname, sunlightmail.net, mail, localhost.localdomain,
>> localhost, encryptedmail.info, animaswoodcraft.com, animascreations.com,
>> appalachianmeats.com, mcmennonitechurch.org, thefabshop.net, postal22.com,
>> rollingpastures.net

I am using virtual users in a PostgreSQL database, so how do I properly set up virtual domains instead of listing them after mydestination? When I added "virtual_mailbox_domains = example.com" instead of listing the domain after mydestination, incoming emails to users in that domain were rejected. How can I use virtual_mailbox_domains in conjunction with the users in my PostgreSQL database?

> Most of these domains could become virtual alias or virtual mailbox
> domains. I don't recommend creating a multitude of "local" domains,
> they end up giving each user multiple redundant email addresses, even in
> domains the user never intends to receive mail for. With virtual alias
> and virtual mailbox domains, each domain has a separate user namespace.
>
> Instead migrate to at most one local domain, and rewrite specific
> virtual addresses to a local address when what you need is local
> delivery (to a pipe, a ":include:" list, .forward file or similar). For
> simple LMTP recipients avoid local(8) entirely.
>
>> sender_bcc_maps = hash:/etc/postfix/regexp_sender_bcc
>> smtp_destination_concurrency_failed_cohort_limit = 10
>> smtp_destination_concurrency_limit = 1
>> smtp_destination_rate_delay = 1s

A friend of mine advised me to use the final three lines to avoid problems when sending to Yahoo accounts.

> Do you really need this as a global default?
>
>> smtp_tls_cert_file =
>> /etc/letsencrypt/live/mail.sunlightmail.net/fullchain.pem
>> smtp_tls_key_file = /etc/letsencrypt/live/mail.sunlightmail.net/privkey.pem
>
> Why do you need a TLS client certificate issued by Let's Encrypt?
> What receiving system expects this?

I have no idea! I put this in when following some tutorial.

>> smtp_tls_security_level = may
>> smtp_use_tls = yes
>
> The second is obsolete and redundant.

Ok, I removed the second line.

>> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>
> This is silly, just drop it.

Will do.

>> smtpd_milters = inet:localhost:12345
>
> I guess this is opendkim

Yes, it is.

>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> reject_invalid_hostname,
>> reject_non_fqdn_hostname,
>> reject_non_fqdn_sender,
>> reject_rbl_client sbl.spamhaus.org,
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> check_policy_service inet:[127.0.0.1]:10023,
>> check_policy_service unix:private/policy-spf
>
> Why is "permit_sasl_authenticated" after the SBL check?

I have no idea. I never before thought about the importance of the order of these lines. Good to know!

> Why is the SBL check before "reject_unauth_destination",
> "reject_unknown_sender_domain" and "reject_unknown_recipient_domain",
> those are quick local checks and should generally come before the SBL
> check.
>
> Actually, I'd only use "reject_unknown_recipient_domain" for
> submission, no reason to defer your own domains just because
> of a DNS glitch (reject_unauth_destination will only allow
> your own domains).
>
>> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
>> defer_unauth_destination
>
> Change "defer" to reject here. Also, with Postfix 3.6 or later,
> consider setting the compatibility level to 3.6, which gives:
>
> smtpd_relay_before_recipient_restrictions =
> ${{$compatibility_level} <level {3.6} ? {no} : {yes}}

Done.

>> smtpd_tls_CApath = /etc/ssl/certs
>> smtpd_tls_key_file = /etc/letsencrypt/live/mail.sunlightmail.net/privkey.pem
>> smtpd_tls_cert_file =
>> /etc/letsencrypt/live/mail.sunlightmail.net/fullchain.pem
>> smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
>> smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
>
> The "512" variant is no longer pertinent.

Ok, I removed this line.

>> smtpd_tls_eecdh_grade = strong
>
> Best to not set this explicitly. The default is always better.

Probably got this from a tutorial somewhere. I will trust your judgment on this since I am a newbie.

>> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>
> Needlessly strict. Accept the default.

Probably got this from a tutorial somewhere. Again, I will trust your judgment on this since I am a newbie.

>> smtpd_tls_security_level = may
>> smtpd_use_tls = yes
>
> The second is obsolete and redundant.

That makes sense.

>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> No longer needed. TLS session tickets are better.

Ok

>> tls_medium_cipherlist = AES128+EECDH:AES128+EDH
>
> The default would be better IMNSHO.

Ok

>> And here is the output of postconf -Mf
>>
>> smtp inet n - - - - smtpd
>> -o content_filter=gpgit-pipe
>> -o cleanup_service_name=subcleanup
>
> Consider giving the "content_filter" an explicit nexthop:
>
> -o content_filter=gpgit-pipe:local

Ok, I added the :local wherever this occurs.

>> submission inet n - n - - smtpd
>> -o syslog_name=postfix/submission
>> -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o
>> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> The client restrictions are more strict than the recipient restrictions.
> Configure just the latter to the single desired value. Also the
> main.cf "relay restrictions" are also in force, consider adding
> an override (to empty) here.
>
>> -o content_filter=gpgit-pipe
>
> See above re explicit nexthop.
>
>> -o cleanup_service_name=subcleanup
>> -o smtpd_enforce_tls=yes
>
> The "enforce_tls" is obsolete and redundant.

I removed this line.

>> -o sender_bcc_maps=hash:/etc/postfix/regexp_sender_bcc
>
> This has no effect, sender BCC is handled in cleanup(8).

Ok

>> smtps inet n - - - - smtpd
>> -o syslog_name=postfix/smtps
>> -o smtpd_tls_wrappermode=yes
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> -o milter_macro_daemon_name=ORIGINATING
>> -o content_filter=gpgit-pipe
>> -o cleanup_service_name=subcleanup
>
> Where is the override of "recipient restrictions" (and relay
> restrictions)? This should be identical to the submission service
> modulo "wrapper mode".

Are you saying I should add the following line to the submission service?

-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

>> amavis unix - - - - 2 smtp
>> -o smtp_send_xforward_command=yes
>> -o smtp_tls_security_level=none
>> -o cleanup_service_name=subcleanup
>> -o receive_override_options=no_address_mappings
>
> This is a delivery agent, it does not use cleanup or address
> mappings. The last two overrides are pointless.

Ok

> --
> Viktor.

Thanks again for your help and suggestions! I really appreciate it!

Austin Witmer
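As an added example (not part of this thread, and not a Postfix tool), the following Python script encodes the main.cf points Viktor raises above as mechanical checks and runs them over a constructed sample taken from the quoted `postconf -nf` output: obsolete or redundant parameters, cheap local checks placed after the SBL lookup, `reject_unknown_recipient_domain` on the inbound smtpd, and `defer_unauth_destination` in the relay restrictions. It assumes plain `name = value` lines with indented continuation lines, as `postconf -n` prints them.

```python
# Constructed sample, a subset of the main.cf settings quoted in the thread.
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_rbl_client sbl.spamhaus.org,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_use_tls = yes
"""

# Parameters the thread calls obsolete, redundant or no longer pertinent.
OBSOLETE = {"smtp_use_tls", "smtpd_use_tls", "smtpd_enforce_tls", "smtpd_tls_dh512_param_file"}
# Cheap local checks that, per the thread, belong before the DNSBL lookup.
BEFORE_RBL = ("permit_sasl_authenticated", "reject_unauth_destination", "reject_unknown_sender_domain")

def parse_postconf(text):
    """Return {name: value}; indented lines continue the previous parameter's value."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name, params[name] = name.strip(), value.strip()
    return params

def restrictions(params, key):
    """Split a restriction list into tokens such as 'reject_rbl_client sbl.spamhaus.org'."""
    return [t.strip() for t in params.get(key, "").split(",") if t.strip()]

def lint(params):
    """Return human-readable findings, in the order the checks run."""
    findings = [f"{n}: obsolete or no longer pertinent, remove it" for n in sorted(OBSOLETE & set(params))]
    names = [t.split()[0] for t in restrictions(params, "smtpd_recipient_restrictions")]
    if "reject_rbl_client" in names:
        rbl = names.index("reject_rbl_client")
        for n in BEFORE_RBL:
            if n in names and names.index(n) > rbl:
                findings.append(f"smtpd_recipient_restrictions: {n} should precede reject_rbl_client")
    if "reject_unknown_recipient_domain" in names:
        findings.append("smtpd_recipient_restrictions: use reject_unknown_recipient_domain on submission only")
    if "defer_unauth_destination" in restrictions(params, "smtpd_relay_restrictions"):
        findings.append("smtpd_relay_restrictions: replace defer_unauth_destination with reject_unauth_destination")
    return findings
```

Against the sample it reports seven findings; on a live system, feed it the text of `postconf -n` instead of the constructed sample.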