Re: Recommendation for updating msg_panic() to msg_warn() in certain circumstances

2018-01-12 Thread Wietse Venema 
I have sent the poster a message explaining that replacing panic
calls with warnings would be a mistake.

panic is for program errors that Postfix developers must fix
fatal is for Postfix/system configuration errors that users must fix
warning is for non-fatal errors including protol (SMTP, TLS, DNS)

This was the third message with the same suggestion. I have asked
the poster to STOP.

Wietse

Create exception for some senders in header_checks

2018-01-12 Thread Fabio S. Schmidt 
Hi,

I've created the rules to block forged Reply-to and Return-Path using my
domains. I've followed the examples in
http://www.postfix.org/BACKSCATTER_README.html.

This is my rule:

/^(From|Return-Path|Reply-To):.*\b(domain\.com\.br)\b/
discard forged sender address in $1: header: $2

We need to create some exceptions. Would placing the following rule in the
same file work?

/^(Return-Path|Reply-To):.*\b(user1@domain\.com\.br)\b/
dunno

Kind regards.
Fabio

Postfix not delivering mail

2018-01-12 Thread James Moe 
postfix v3.2.0
linux v4.4.103-36-default x86_64

  Postfix has once again decided not to deliver mail. (I do not know why
I have such a hard time keeping postfix sane. I do not recall making any
changes either.) Below is the session log. Lots of "unknown" features.
Not helpful.
  Postfix is the local MDA for system messages.
  I added an excerpt from .
  Telnet connects to postfix with port 126. (126 is used since there is
also an MTA running on the same system.) So I do not understand the
error "unknown service: smtp/tcp".

  How do I resolve the unknown errors?

2018-01-12T12:19:41-0700 sma-server3 postfix/error[25802]: 0D7E52528B5:
to=, orig_to=, relay=none, delay=378386,
delays=378384/1/0/0.01, dsn=4.3.0, status=deferred (unknown mail
transport error)
2018-01-12T12:29:40-0700 sma-server3 postfix/qmgr[17322]: C0D222550D2:
from=, size=937, nrcpt=2 (queue active)
2018-01-12T12:29:40-0700 sma-server3 postfix/qmgr[17322]: BF81B252BF5:
from=<>, size=3264, nrcpt=1 (queue active)
2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26035]: fatal: unknown
service: smtp/tcp
2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26036]: fatal: unknown
service: smtp/tcp
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
private/smtp socket: malformed response
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
transport smtp failure -- see a previous warning/fatal/panic logfile
record for the problem description
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
process /usr/lib/postfix/smtp pid 26035 exit status 1
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
/usr/lib/postfix/smtp: bad command startup -- throttling
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
process /usr/lib/postfix/smtp pid 26036 exit status 1
2018-01-12T12:29:41-0700 sma-server3 postfix/error[26037]: C0D222550D2:
to=, relay=none, delay=109779,
delays=109777/1.4/0/0.02, dsn=4.3.0, status=deferred (unknown mail
transport error)
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
private/smtp socket: malformed response
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
transport smtp failure -- see a previous warning/fatal/panic logfile
record for the problem description
2018-01-12T12:29:41-0700 sma-server3 postfix/error[26037]: BF81B252BF5:
to=, orig_to=,
relay=none, delay=374320, delays=374318/1.4/0/0, dsn=4.3.0,
status=deferred (unknown mail transport error)

[ from master.cf ]---
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
smtp:126  inet  n  -   y   --   smtpd
pickup   fifo  n  -   n   60   1   pickup
cleanup  unix  n  -   n   -0   cleanup
qmgr fifo  n  -   n   300  1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
rewrite  unix  -  -   n   --   trivial-rewrite
bounce   unix  -  -   n   -0   bounce
deferunix  -  -   n   -0   bounce
traceunix  -  -   n   -0   bounce
verify   unix  -  -   n   -1   verify
flushunix  n  -   n   1000?0   flush
proxymap unix  -  -   n   --   proxymap
proxywrite unix  --   n   -1   proxymap
smtp unix  -  -   y   --   smtp
relayunix  -  -   y   --   smtp
   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showqunix  n  -   n   --   showq
errorunix  -  -   n   --   error
retryunix  -  -   n   --   error
discard  unix  -  -   n   --   discard
localunix  -  n   n   --   local
virtual  unix  -  n   n   --   virtual
lmtp unix  -  -   n   --   lmtp
anvilunix  -  -   n   -1   anvil

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



signature.asc
Description: OpenPGP digital signature

Re: Postfix not delivering mail

2018-01-12 Thread etech3 

On 01/12/2018 03:13 PM, James Moe wrote:

postfix v3.2.0
linux v4.4.103-36-default x86_64

   Postfix has once again decided not to deliver mail. (I do not know why
I have such a hard time keeping postfix sane. I do not recall making any
changes either.) Below is the session log. Lots of "unknown" features.
Not helpful.
   Postfix is the local MDA for system messages.
   I added an excerpt from .
   Telnet connects to postfix with port 126. (126 is used since there is
also an MTA running on the same system.) So I do not understand the
error "unknown service: smtp/tcp".

   How do I resolve the unknown errors?

2018-01-12T12:19:41-0700 sma-server3 postfix/error[25802]: 0D7E52528B5:
to=, orig_to=, relay=none, delay=378386,
delays=378384/1/0/0.01, dsn=4.3.0, status=deferred (unknown mail
transport error)
2018-01-12T12:29:40-0700 sma-server3 postfix/qmgr[17322]: C0D222550D2:
from=, size=937, nrcpt=2 (queue active)
2018-01-12T12:29:40-0700 sma-server3 postfix/qmgr[17322]: BF81B252BF5:
from=<>, size=3264, nrcpt=1 (queue active)
2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26035]: fatal: unknown
service: smtp/tcp
2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26036]: fatal: unknown
service: smtp/tcp
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
private/smtp socket: malformed response
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
transport smtp failure -- see a previous warning/fatal/panic logfile
record for the problem description
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
process /usr/lib/postfix/smtp pid 26035 exit status 1
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
/usr/lib/postfix/smtp: bad command startup -- throttling
2018-01-12T12:29:41-0700 sma-server3 postfix/master[17320]: warning:
process /usr/lib/postfix/smtp pid 26036 exit status 1
2018-01-12T12:29:41-0700 sma-server3 postfix/error[26037]: C0D222550D2:
to=, relay=none, delay=109779,
delays=109777/1.4/0/0.02, dsn=4.3.0, status=deferred (unknown mail
transport error)
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
private/smtp socket: malformed response
2018-01-12T12:29:41-0700 sma-server3 postfix/qmgr[17322]: warning:
transport smtp failure -- see a previous warning/fatal/panic logfile
record for the problem description
2018-01-12T12:29:41-0700 sma-server3 postfix/error[26037]: BF81B252BF5:
to=, orig_to=,
relay=none, delay=374320, delays=374318/1.4/0/0, dsn=4.3.0,
status=deferred (unknown mail transport error)

[ from master.cf ]---
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
smtp:126  inet  n  -   y   --   smtpd
pickup   fifo  n  -   n   60   1   pickup
cleanup  unix  n  -   n   -0   cleanup
qmgr fifo  n  -   n   300  1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
rewrite  unix  -  -   n   --   trivial-rewrite
bounce   unix  -  -   n   -0   bounce
deferunix  -  -   n   -0   bounce
traceunix  -  -   n   -0   bounce
verify   unix  -  -   n   -1   verify
flushunix  n  -   n   1000?0   flush
proxymap unix  -  -   n   --   proxymap
proxywrite unix  --   n   -1   proxymap
smtp unix  -  -   y   --   smtp
relayunix  -  -   y   --   smtp
-o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showqunix  n  -   n   --   showq
errorunix  -  -   n   --   error
retryunix  -  -   n   --   error
discard  unix  -  -   n   --   discard
localunix  -  n   n   --   local
virtual  unix  -  n   n   --   virtual
lmtp unix  -  -   n   --   lmtp
anvilunix  -  -   n   -1   anvil


maybe provide a copy of your main.cf

Re: Postfix not delivering mail

2018-01-12 Thread Viktor Dukhovni 


> On Jan 12, 2018, at 3:13 PM, James Moe  wrote:
> 
> 2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26035]: fatal: unknown
> service: smtp/tcp
> 2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26036]: fatal: unknown
> service: smtp/tcp

Your problem is a misconfigured chroot-jail, or permission issues reading
/etc/services.

-- 
Viktor.

Re: Postfix not delivering mail

2018-01-12 Thread Bill Cole 
On 12 Jan 2018, at 15:13, James Moe wrote:

> smtp:126  inet  n  -   y   --   smtpd

Do not do this...^

OR: put copies of all the needed files into the chroot jail.

Offering STARTTLS in postfix. need help!

2018-01-12 Thread Sean Son 
hello everyone

I hope you all had a wonderful holiday season.


How does one configure an internet facing Postfix SMTP mail relay server,
to offer STARTTLS?  I have been googling around and seeing various
different articles and blog entries, but I cannot figure out what is the
quickest and easiest way to do so.  I am running postfix on RHEL 7.  Any
help is greatly appreciated!


Thanks!!

Sean

Re: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Philip Paeps 

On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
How does one configure an internet facing Postfix SMTP mail relay 
server, to offer STARTTLS?  I have been googling around and seeing 
various different articles and blog entries, but I cannot figure out 
what is the quickest and easiest way to do so.  I am running postfix on 
RHEL 7.  Any help is greatly appreciated!


I'm surprised Google couldn't find 
http://www.postfix.org/TLS_README.html


DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Re: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Sean Son 
On Fri, Jan 12, 2018 at 3:48 PM, Philip Paeps  wrote:

> On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
>
>> How does one configure an internet facing Postfix SMTP mail relay server,
>> to offer STARTTLS?  I have been googling around and seeing various
>> different articles and blog entries, but I cannot figure out what is the
>> quickest and easiest way to do so.  I am running postfix on RHEL 7.  Any
>> help is greatly appreciated!
>>
>
> I'm surprised Google couldn't find http://www.postfix.org/TLS_README.html
>
> DuckDuckGo returns it as the first hit for "Postfix TLS".
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information
>

Hello Philip

Thank you for the response. I did see that documentation but it was too
confusing for me to figure it out. But upon further research I found this:


By default, TLS is disabled in the Postfix SMTP server, so no difference to
plain Postfix is visible. Explicitly switch it on with "
smtpd_tls_security_level
 = may".

Example:

/etc/postfix/main.cf :
smtpd_tls_security_level
 =
may

With this, the Postfix SMTP server announces STARTTLS support to remote
SMTP clients, but does not require that clients use TLS encryption.


I think this is the correct solution?   Would this require an SSL cert?


Thanks

RE: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Fazzina, Angelo 
My RHEL7 install but it install Postfix 2.10 and I use a LDAP backend for 
password storage. Not sure it helps you ?
-ALF

RAN vi /etc/postfix/master.cf
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
RAN vi /etc/postfix/main.cf
smtpd_relay_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

RAN yum install sssd
RAN yum install pamtester
RAN vi /etc/pam.d/smtp
auth  sufficient pam_unix_auth.so
auth  required   pam_ldap.so use_first_pass
account   sufficient pam_unix_acct.so
account   required   pam_ldap.so
comment out other lines(2)

RAN vi /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=uconn,dc=edu
krb5_realm = UCONN.EDU
krb5_server = kerberos.uconn.edu
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.uconn.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kadmin.uconn.edu
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]
homedir_substring = /home

[pam]

[autofs]

RAN chmod 600 /etc/sssd/sssd.conf
RAN yum install nss-pam-ldapd
RAN vi /etc/nslcd.conf
uri ldaps://ldap.uconn.edu
base dc=uconn,dc=edu
binddn 
bindpw  
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
RAN yum install pam_ldap
RAN authconfig-tui
In "User information" pick "use LDAP"
In "Authentication" pick Use LDAP Authentication"
RAN yum install cyrus-sasl
RAN systemctl status saslauthd
RAN systemctl enable saslauthd
RAN systemctl start saslauthd
RAN yum install cyrus-sasl-plain
RAN pamtester smtp zzz00036 authenticate


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Philip Paeps
Sent: Friday, January 12, 2018 3:49 PM
To: postfix-users@postfix.org
Subject: Re: Offering STARTTLS in postfix. need help!

On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
>How does one configure an internet facing Postfix SMTP mail relay 
>server, to offer STARTTLS?  I have been googling around and seeing 
>various different articles and blog entries, but I cannot figure out 
>what is the quickest and easiest way to do so.  I am running postfix on 
>RHEL 7.  Any help is greatly appreciated!

I'm surprised Google couldn't find 
http://www.postfix.org/TLS_README.html

DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information

Re: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Viktor Dukhovni 


> On Jan 12, 2018, at 3:55 PM, Sean Son  
> wrote:
> 
> By default, TLS is disabled in the Postfix SMTP server, so no difference to 
> plain Postfix is visible. Explicitly switch it on with 
> "smtpd_tls_security_level = may". 
> 
> Example: 
> 
> /etc/postfix/main.cf
> :
> 
> smtpd_tls_security_level
>  = may
> 
> With this, the Postfix SMTP server announces STARTTLS support to remote SMTP 
> clients, but does not require that clients use TLS encryption.
> 
> I think this is the correct solution?   Would this require an SSL cert?

Yes, of course.  See:

   http://www.postfix.org/TLS_README.html#quick-start

and if your Postfix release is older than Postfix 3.1, in particular:

   http://www.postfix.org/TLS_README.html#self-signed

-- 
Viktor.

Re: [SOLVED] Postfix not delivering mail

2018-01-12 Thread James Moe 
On 01/12/2018 01:37 PM, Viktor Dukhovni wrote:
>
>> 2018-01-12T12:29:40-0700 sma-server3 postfix/smtp[26036]: fatal: unknown
>> service: smtp/tcp
> Your problem is a misconfigured chroot-jail, or permission issues reading
> /etc/services.
>
  Quite so. That is a change that I made recently and then forgot it.
And not understanding its implications, I failed to configure it properly.
  Thank you all for your insight and support.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



signature.asc
Description: OpenPGP digital signature

Re: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Sean Son 
On Fri, Jan 12, 2018 at 4:06 PM, Viktor Dukhovni  wrote:

>
>
> > On Jan 12, 2018, at 3:55 PM, Sean Son 
> wrote:
> >
> > By default, TLS is disabled in the Postfix SMTP server, so no difference
> to plain Postfix is visible. Explicitly switch it on with
> "smtpd_tls_security_level = may".
> >
> > Example:
> >
> > /etc/postfix/main.cf
> > :
> >
> > smtpd_tls_security_level
> >  = may
> >
> > With this, the Postfix SMTP server announces STARTTLS support to remote
> SMTP clients, but does not require that clients use TLS encryption.
> >
> > I think this is the correct solution?   Would this require an SSL cert?
>
> Yes, of course.  See:
>
>http://www.postfix.org/TLS_README.html#quick-start
>
> and if your Postfix release is older than Postfix 3.1, in particular:
>
>http://www.postfix.org/TLS_README.html#self-signed
>
> --
> Viktor.
>
>
Thank you Viktor.. it looks like I will need either a self signed or signed
SSL cert from a CA to be able to offer STARTTLS. Please let me know if I am
wrong.

Thanks

Curious startup warning

2018-01-12 Thread James Moe 
postfix v3.2.0
linux v4.4.103-36-default x86_64

  Whenever postfix (re-)starts, the message below is emitted.
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning:
group or other writable: /etc/postfix/./ssl/cacerts
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the
Postfix mail system

  Following the various paths yields the following directory listings:

$ ls -l .
drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
$ ls -l ssl/
lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
drwxr-xr-x 1 root root  0 May 17  2017 certs/
$ ls -l /etc/
drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root  28 Nov  4 12:49 certs ->
/var/lib/ca-certificates/pem/
$ ls -l /
drwxr-xr-x 1 root root   234 Nov  4 13:04 var/
$ ls -l /var/
drwxr-xr-x 1 root root 1090 Jan  9 10:40 lib/
$ ls -l /var/lib/
drwxr-xr-x 1 root root  70 Nov 13 03:05 ca-certificates/
$ ls -l /var/lib/ca-certificates/
dr-xr-xr-x 1 root root  17324 Nov 13 03:05 pem/

  Any real directories are not group/other writable. Only the links have
the writable attributes.
  Are the links what triggers the warning message?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



signature.asc
Description: OpenPGP digital signature

Re: Curious startup warning

2018-01-12 Thread Bill Cole 

On 12 Jan 2018, at 16:51 (-0500), James Moe wrote:


postfix v3.2.0
linux v4.4.103-36-default x86_64

  Whenever postfix (re-)starts, the message below is emitted.
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning:
group or other writable: /etc/postfix/./ssl/cacerts
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting 
the

Postfix mail system

  Following the various paths yields the following directory listings:

$ ls -l .
drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
$ ls -l ssl/
lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
drwxr-xr-x 1 root root  0 May 17  2017 certs/
$ ls -l /etc/
drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root  28 Nov  4 12:49 certs ->
/var/lib/ca-certificates/pem/
$ ls -l /
drwxr-xr-x 1 root root   234 Nov  4 13:04 var/
$ ls -l /var/
drwxr-xr-x 1 root root 1090 Jan  9 10:40 lib/
$ ls -l /var/lib/
drwxr-xr-x 1 root root  70 Nov 13 03:05 ca-certificates/
$ ls -l /var/lib/ca-certificates/
dr-xr-xr-x 1 root root  17324 Nov 13 03:05 pem/

  Any real directories are not group/other writable. Only the links 
have

the writable attributes.
  Are the links what triggers the warning message?


Maybe...

What are the permissions of the directory /etc/postfix/ssl/ ? Note that 
if any directory above the symlink or the real directory is 
group-writable (or less likely and worse: world-writable) then it is 
conceivable that a non-root member of the group could engineer a 
replacement for the target directory.


OTOH, it is possible that Postfix is seeing the 777 permissions of the 
symlink itself and griping about that. You can solve that with 'chmod 
go-w /etc/postfix/./ssl/cacerts'


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Curious startup warning

2018-01-12 Thread Wietse Venema 
James Moe:

Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.
> postfix v3.2.0
> linux v4.4.103-36-default x86_64
> 
>   Whenever postfix (re-)starts, the message below is emitted.
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning:
> group or other writable: /etc/postfix/./ssl/cacerts
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the
> Postfix mail system
> 
>   Following the various paths yields the following directory listings:
> 
> $ ls -l .
> drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
> $ ls -l ssl/
> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/

The above is not needed, if you configure Postfix to read the system
SSL certificate database with "tls_append_default_CA = yes". Not a
good idea if you use certificates to allow relaying!

Symlinks from /etc/postfix or other Postfix directories are not
supported, because it is hard to verify the target of a symlink and
all its parent directories are secure, at least in a shell script
that has to run on more than one OS type.

[I suppose one could add a Postfix dependency on perl and do some
more sophisticated analyses. Basically all the directories traversed
must be secure as in:

- All directories traversed while resolving a pathname under
/etc/postfix including any directories traversed while resolving a
symlink target must be writable only by root. And of course so must
be the file that we eventually arrive at.

- Similar logic for /var/lib/postfix, except that files/directories
must be writable only by postfix (Postfix never writes to such files
as root).

- The rules for /var/spool/postfix are more complex because some
directories must be writable only by root and others only by postfix.

A potential complication with symlinks is that they may create a
loop, so a Postfix checker would have to be robust against that.
If the postfix user becomes compromised, then a malicious symlink
from /var/spool/postfix should not result in damage to the host.]

Wietse