Re: Blocking TLDs

2023-02-08 Thread mailmary
Here is how I do it:

check_sender_access regexp:/etc/postfix/sender_domain_checks

here are the (partial) contents of /etc/postfix/sender_domain_checks:

/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT


Since I'm using AlmaLinux, a derivative of RHEL, it does not have PCRE because 
Redhat decided to remove it entirely from RHEL. Thus, I had to convert all my 
"pcre:" into "regexp:", like the above.



On Tue, 7 Feb 2023 16:49:13 -0500 James Pifer  wrote:

> Hello all. I'm trying to block some TLDs and everything I try I'm 
> getting:  451 4.3.5 : Sender address rejected: Server 
> configuration error;
> 
> Obviously this is a configuration issue. I've tried following these 
> sites among others:
> https://forum.centos-webpanel.com/index.php?topic=10649.0
> https://www.davidmartinwhite.com/2016/10/25/fighting-spam-block-entire-ttld-with-postfix/
> https://www.ericmichaelstone.com/how-to-block-an-entire-tld-in-postfix/
> 
> Hoping there's an easy fix in my configuration. Sorry, not a postfix 
> expert. If you see any issues in my config I would appreciate suggestions.
> 
> Thanks
> 
> 
> My /etc/postfix/reject_domains looks like:
> 
> /\.(pro)$/ REJECT We reject all .pro domains
> /\.(date)$/ REJECT We reject all .date domains
> /\.(science)$/ REJECT We reject all .science domains
> /\.(top)$/ REJECT We reject all .top domains
> /\.(download)$/ REJECT We reject all .download domains
> /\.(work)$/ REJECT We reject all .work domains
> /\.(click)$/ REJECT We reject all .click domains
> /\.(link)$/ REJECT We reject all .link domains
> /\.(diet)$/ REJECT We reject all .diet domains
> /\.(review)$/ REJECT We reject all .review domains
> /\.(party)$/ REJECT We reject all .party domains
> /\.(zip)$/ REJECT We reject all .zip domains
> /\.(xyz)$/ REJECT We reject all .xyz domains
> /\.(stream)$/ REJECT We reject all .stream domains
> /\.(bid)$/ REJECT We reject all .bid domains
> /\.(store)$/ REJECT We reject all .store domains
> 
> 
> 
> My /etc/postfix/main.cf
> 
> virtual_alias_maps = hash:/etc/postfix/virtual
> relay_domains = mydomain.com
> relayhost = 192.168.1.188:25
> mynetworks = 192.168.188.0/24
> recipient_delimiter = +
> #debug_peer_list = 0.0.0.0
> 
> smtpd_restriction_classes = sender_white_list
> sender_white_list = check_client_access 
> hash:/etc/postfix/check_client_access
> 
> ### AS SOON AS I UNCOMMENT THESE TWO LINES I GET THE ERROR ON ALL 
> EMAILS##
> #smtpd_recipient_restrictions =
> #    check_sender_access pcre:/etc/postfix/reject_domains
> 
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>      permit_mynetworks
>      permit_sasl_authenticated
>      check_helo_access hash:/etc/postfix/helo_access
>      reject_invalid_helo_hostname
>      reject_non_fqdn_helo_hostname
> #    reject_unknown_helo_hostname   ## Commented out 01/30/2023 ##
> #    reject_rhsbl_helo dbl.spamhaus.org,
> #    reject_rhsbl_reverse_client dbl.spamhaus.org,
> #    reject_rhsbl_sender dbl.spamhaus.org,
> #    reject_rbl_client zen.spamhaus.org
> 
> smtpd_client_restrictions =
>      permit_mynetworks,
>      permit_sasl_authenticated,
>      reject_unknown_sender_domain,
>      reject_unknown_reverse_client_hostname,
>      reject_unknown_client_hostname,
>      #...the rest of them,
>      permit


Re: Blocking TLDs

2023-02-08 Thread natan

Hi
Please send info like:

postconf -m

Probably you don't have pcre

try postmap -q your_ask pcre:/etc/postfix/reject_domains

On 7.02.2023 at 22:49, James Pifer wrote:
Hello all. I'm trying to block some TLDs and everything I try I'm 
getting:  451 4.3.5 : Sender address rejected: Server 
configuration error;


Obviously this is a configuration issue. I've tried following these 
sites among others:

https://forum.centos-webpanel.com/index.php?topic=10649.0
https://www.davidmartinwhite.com/2016/10/25/fighting-spam-block-entire-ttld-with-postfix/ 


https://www.ericmichaelstone.com/how-to-block-an-entire-tld-in-postfix/

Hoping there's an easy fix in my configuration. Sorry, not a postfix 
expert. If you see any issues in my config I would appreciate 
suggestions.


Thanks


My /etc/postfix/reject_domains looks like:

/\.(pro)$/ REJECT We reject all .pro domains
/\.(date)$/ REJECT We reject all .date domains
/\.(science)$/ REJECT We reject all .science domains
/\.(top)$/ REJECT We reject all .top domains
/\.(download)$/ REJECT We reject all .download domains
/\.(work)$/ REJECT We reject all .work domains
/\.(click)$/ REJECT We reject all .click domains
/\.(link)$/ REJECT We reject all .link domains
/\.(diet)$/ REJECT We reject all .diet domains
/\.(review)$/ REJECT We reject all .review domains
/\.(party)$/ REJECT We reject all .party domains
/\.(zip)$/ REJECT We reject all .zip domains
/\.(xyz)$/ REJECT We reject all .xyz domains
/\.(stream)$/ REJECT We reject all .stream domains
/\.(bid)$/ REJECT We reject all .bid domains
/\.(store)$/ REJECT We reject all .store domains



My /etc/postfix/main.cf

virtual_alias_maps = hash:/etc/postfix/virtual
relay_domains = mydomain.com
relayhost = 192.168.1.188:25
mynetworks = 192.168.188.0/24
recipient_delimiter = +
#debug_peer_list = 0.0.0.0

smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access 
hash:/etc/postfix/check_client_access


### AS SOON AS I UNCOMMENT THESE TWO LINES I GET THE ERROR ON ALL 
EMAILS##

#smtpd_recipient_restrictions =
#    check_sender_access pcre:/etc/postfix/reject_domains

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname   ## Commented out 01/30/2023 
##

#    reject_rhsbl_helo dbl.spamhaus.org,
#    reject_rhsbl_reverse_client dbl.spamhaus.org,
#    reject_rhsbl_sender dbl.spamhaus.org,
#    reject_rbl_client zen.spamhaus.org

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    #...the rest of them,
    permit


--



Re: Blocking TLDs

2023-02-08 Thread Viktor Dukhovni
On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:

> /\.top$/ REJECT
> /\.xyz$/ REJECT
> /\.cam$/ REJECT
> /\.fun$/ REJECT
> /\.buzz$/ REJECT
> /\.club$/ REJECT
> /\.link$/ REJECT
> /\.hinet\.net$/ REJECT

Why everyone feels they need regular expressions for this is a mystery.

/etc/postfix/sender-access:
top     REJECT I employ crude anti-spam measures
.top    REJECT I employ crude anti-spam measures
cam     REJECT I employ crude anti-spam measures
.cam    REJECT I employ crude anti-spam measures
...

main.cf:
texthash = texthash:${config_directory}/
smtpd_sender_restrictions =
check_sender_access ${texthash}sender-access

or directly in main.cf:

main.cf:
smtpd_sender_restrictions =
check_sender_access inline:{
  { top   = REJECT I employ crude anti-spam measures }
  { .top  = REJECT I employ crude anti-spam measures }
  { cam   = REJECT I employ crude anti-spam measures }
  { .cam  = REJECT I employ crude anti-spam measures } }

or an indexed table (with same sender-access file, after "postmap"):

main.cf:
# "cdb" is better when available
default_database_type = hash
indexed = ${default_database_type}:${config_directory}/
smtpd_sender_restrictions =
check_sender_access ${indexed}sender-access

Whatever you choose, regular expressions should be last on your list, or
not at all.  A very small fraction of mortals are capable of using
regular expressions correctly.

-- 
Viktor.
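
The lookup order behind the paired "top" / ".top" entries above, as an added Python emulation (not Postfix code and not from this thread). The tables are constructed from the entries quoted in the thread, and the match_subdomains flag stands in for whether "smtpd_access_maps" is listed in parent_domain_matches_subdomains (it is by default):

```python
import re

REJECT = "REJECT I employ crude anti-spam measures"

# Constructed sample of an indexed/texthash-style table: Viktor's paired keys
# ("top" and ".top") plus mailmary's hinet.net entry in bare form only, so the
# effect of a missing ".hinet.net" key can be seen below.
SENDER_ACCESS = {
    "top": REJECT,
    ".top": REJECT,
    "cam": REJECT,
    ".cam": REJECT,
    "hinet.net": REJECT,
}

# Constructed sample of the same policy as a regexp: table. Patterns are tried
# in file order against the whole sender address; Postfix regexp tables match
# case-insensitively unless the pattern says otherwise.
SENDER_REGEXP = [
    (re.compile(r"\.top$", re.IGNORECASE), REJECT),
    (re.compile(r"\.cam$", re.IGNORECASE), REJECT),
    (re.compile(r"\.hinet\.net$", re.IGNORECASE), REJECT),
]


def access_lookup_keys(address, match_subdomains=True):
    """Keys Postfix tries, in order, for check_sender_access on an indexed table.

    match_subdomains stands in for "smtpd_access_maps" being listed in
    parent_domain_matches_subdomains (the default). When it is, a bare parent
    key such as "top" also covers subdomains; when it is not, only the dotted
    key ".top" does. Listing both forms works either way.
    """
    address = address.lower()
    user, at, domain = address.rpartition("@")
    if not at:
        # No domain part, so there are no labels to strip.
        return [address] if address else []
    keys = [address, domain]                 # user@domain.tld, then domain.tld
    labels = domain.split(".")
    for i in range(1, len(labels)):          # parent domains, longest first
        parent = ".".join(labels[i:])
        keys.append(parent if match_subdomains else "." + parent)
    keys.append(user + "@")                  # finally user@ (any domain)
    return keys


def check_sender_access_indexed(address, table=SENDER_ACCESS, match_subdomains=True):
    """Action of the first key present in the table, or None (Postfix: DUNNO)."""
    for key in access_lookup_keys(address, match_subdomains):
        if key in table:
            return table[key]
    return None


def check_sender_access_regexp(address, patterns=SENDER_REGEXP):
    """Action of the first pattern that matches the address, or None."""
    for pattern, action in patterns:
        if pattern.search(address):
            return action
    return None


if __name__ == "__main__":
    for addr in ("alice@example.top", "bob@example.com", "carol@mail.hinet.net"):
        print(addr, "->", access_lookup_keys(addr))
        for subdomains in (True, False):
            print("  indexed (match_subdomains=%s):" % subdomains,
                  check_sender_access_indexed(addr, match_subdomains=subdomains))
        print("  regexp:", check_sender_access_regexp(addr))
```

Against a real table the same check is "postmap -q carol@mail.hinet.net texthash:/etc/postfix/sender-access", which prints the action Postfix would take.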


Re: Blocking TLDs

2023-02-08 Thread Wietse Venema
mailm...@ionos.gr:
> Here is how I do it:
> 
> check_sender_access regexp:/etc/postfix/sender_domain_checks
> 
> here are the (partial) contents of /etc/postfix/sender_domain_checks:
> 
> /\.top$/ REJECT
> /\.xyz$/ REJECT
> /\.cam$/ REJECT
> /\.fun$/ REJECT
> /\.buzz$/ REJECT
> /\.club$/ REJECT
> /\.link$/ REJECT
> /\.hinet\.net$/ REJECT
> 

Again what is the error message in Postfix logs?

https://www.postfix.org/DEBUG_README.html#logging

Wietse


Re: Blocking TLDs

2023-02-08 Thread James Pifer

On 2/8/2023 4:14 AM, Viktor Dukhovni wrote:

On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:


/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT

Why everyone feels they need regular expressions for this is a mystery.

 /etc/postfix/sender-access:
 top     REJECT I employ crude anti-spam measures
 .top    REJECT I employ crude anti-spam measures
 cam     REJECT I employ crude anti-spam measures
 .cam    REJECT I employ crude anti-spam measures
 ...

 main.cf:
 texthash = texthash:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${texthash}sender-access

or directly in main.cf:

 main.cf:
 smtpd_sender_restrictions =
 check_sender_access inline:{
   { top   = REJECT I employ crude anti-spam measures }
   { .top  = REJECT I employ crude anti-spam measures }
   { cam   = REJECT I employ crude anti-spam measures }
   { .cam  = REJECT I employ crude anti-spam measures } }

or an indexed table (with same sender-access file, after "postmap"):

 main.cf:
 # "cdb" is better when available
 default_database_type = hash
 indexed = ${default_database_type}:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${indexed}sender-access

Whatever you choose, regular expressions should be last on your list, or
not at all.  A very small fraction of mortals are capable of using
regular expressions correctly.



Thanks for everyone who has responded. This (directly in main.cf) 
appears to be the answer that works for me and is much simpler.


I tried the suggested regexp before this one and still got the same error.

The error was:
Feb  8 07:38:11 mailserver postfix/smtpd[446839]: NOQUEUE: reject: RCPT 
from mail-qt1-f179.google.com[209.85.160.179]: 451 4.3.5 Server 
configuration error; from= 
to= proto=ESMTP helo=


Re: Blocking TLDs

2023-02-08 Thread Wietse Venema
James Pifer:
> The error was:
> Feb  8 07:38:11 mailserver postfix/smtpd[446839]: NOQUEUE: reject: RCPT 
> from mail-qt1-f179.google.com[209.85.160.179]: 451 4.3.5 Server 
> configuration error; from= 
> to= proto=ESMTP helo=

The cause of the problem was logged IMMEDIATELY BEFORE THAT LINE.

Wietse


Re: Blocking TLDs

2023-02-08 Thread natan

Hi
Did it work fine before you added sender-access?

Can you send the output of postconf -m?

On 8.02.2023 at 14:15, James Pifer wrote:

On 2/8/2023 4:14 AM, Viktor Dukhovni wrote:

On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:


/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT

Why everyone feels they need regular expressions for this is a mystery.

 /etc/postfix/sender-access:
 top REJECT I employ crude anti-spam measures
 .top    REJECT I employ crude anti-spam measures
 cam REJECT I employ crude anti-spam measures
 .cam    REJECT I employ crude anti-spam measures
 ...

 main.cf:
 texthash = texthash:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${texthash}sender-access

or directly in main.cf:

 main.cf:
 smtpd_sender_restrictions =
 check_sender_access inline:{
   { top   = REJECT I employ crude anti-spam measures }
   { .top  = REJECT I employ crude anti-spam measures }
   { cam   = REJECT I employ crude anti-spam measures }
   { .cam  = REJECT I employ crude anti-spam measures } }

or an indexed table (with same sender-access file, after "postmap"):

 main.cf:
 # "cdb" is better when available
 default_database_type = hash
 indexed = ${default_database_type}:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${indexed}sender-access

Whatever you choose, regular expressions should be last on your list, or
not at all.  A very small fraction of mortals are capable of using
regular expressions correctly.



Thanks for everyone who has responded. This (directly in main.cf) 
appears to be the answer that works for me and is much simpler.


I tried the suggested regexp before this one and still got the same 
error.


The error was:
Feb  8 07:38:11 mailserver postfix/smtpd[446839]: NOQUEUE: reject: 
RCPT from mail-qt1-f179.google.com[209.85.160.179]: 451 4.3.5 Server 
configuration error; from= 
to= proto=ESMTP helo=


--



Re: Blocking TLDs

2023-02-08 Thread James Pifer

On 2/8/2023 8:32 AM, Wietse Venema wrote:

James Pifer:

The error was:
Feb  8 07:38:11 mailserver postfix/smtpd[446839]: NOQUEUE: reject: RCPT
from mail-qt1-f179.google.com[209.85.160.179]: 451 4.3.5 Server
configuration error; from=
to= proto=ESMTP helo=

The cause of the problem was logged IMMEDIATELY BEFORE THAT LINE.

Wietse



Yes, looks like you are correct. Looks like a typo. Previous line:

 warning: unknown smtpd restriction: "check_sender_acces"


And for those that asked:

# postconf -m
btree
cidr
environ
fail
hash
inline
internal
memcache
nis
pipemap
proxy
randmap
regexp
socketmap
static
tcp
texthash
unionmap
unix


Re: SSL_accept error from unknown[10.5.2.1]: lost connection

2023-02-08 Thread Wolfgang Paul Rauchholz
Thank you for the insight.

It helped solving the issue.

Kind regards,
Wolfgang Rauchholz
+34 627 994 977
https://www.linkedin.com/in/wolfgangrauchholz/



On Tue, Feb 7, 2023 at 6:51 PM Wietse Venema  wrote:

> Wolfgang Paul Rauchholz:
> > Hello I run postfix (postfix-3.5.8-4.el8.x86_64) on my Rocky Linux 8.7
> home
> > server
> > I setup postfix and dovecot as a first step and it seems to be working;
> > meaning I can send and receive mails (I send/returned mail from a gmail
> > account).
> > But I find these error messages in  /var/log/maillog and after
> researching
> > and making changes cannot fix them.
> > I searched on the web and there are many different cases discussed,
> but...
> >
> > Feb  5 03:50:12 home postfix/smtps/smtpd[402300]: SSL_accept error from
> > unknown[10.5.2.1]: lost connection
> > Feb  5 03:50:12 home postfix/smtps/smtpd[402300]: lost connection after
> > CONNECT from unknown[10.5.2.1]
> > Feb  5 03:50:12 home postfix/smtps/smtpd[402300]: disconnect from
> > unknown[10.5.2.1] commands=0/0
>
> This could be a TLS wrappermode mismatch.
>
> Port 587 (submission) should not use TLS wrappermode.
>
> Port 465 (smtps) should use TLS wrappermode.
>
> Port 25 (smtp) should not use TLS wrappermode.
>
> Either the client or the server got this wrong.
>
> Wietse
>


Re: Blocking TLDs

2023-02-08 Thread postfix

Since I'm using AlmaLinux, a derivative of RHEL, it does not have PCRE because 
Redhat decided to remove it entirely from RHEL.
Thus, I had to convert all my "pcre:" into "regexp:", like the above.



I'm using a similar flavor of RHEL and

dnf -y install postfix-pcre

worked for me. Is that package available for Alma?


Repetitive message in /var/log/maillog

2023-02-08 Thread Wolfgang Paul Rauchholz
I get the following message almost every one minute.
Is this for information only or do I need to be worried?


Feb  8 17:33:03 home dovecot[484616]: imap-login: Login:
user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=485528, TLS, session=<2vR70TL0Lr9/AAAB>
Feb  8 17:33:03 home dovecot[484616]:
imap(wp.rauchholz)<485528><2vR70TL0Lr9/AAAB>: Disconnected: Logged out
in=338 out=1748 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0
body_count=0 body_bytes=0
Feb  8 17:33:03 home dovecot[484616]: imap-login: Login:
user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=485533, TLS, session=
Feb  8 17:33:03 home dovecot[484616]:
imap(wp.rauchholz)<485533>: Disconnected: Logged out
in=87 out=662 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0
body_count=0 body_bytes=0

Kind regards,

Wolfgang Rauchholz
+34 627 994 977
https://www.linkedin.com/in/wolfgangrauchholz/


Re: Repetitive message in /var/log/maillog

2023-02-08 Thread Wietse Venema
Wolfgang Paul Rauchholz:
> Feb  8 17:33:03 home dovecot[484616]: imap-login: Login:

This is the Postfix mailing list. For questions about Dovecot,
see their lists.

Wietse


Re: Blocking TLDs

2023-02-08 Thread Rob McGee

On 2/8/2023 3:14 AM, Viktor Dukhovni wrote:

On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:


/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT


Why everyone feels they need regular expressions for this is a mystery.

 /etc/postfix/sender-access:
 top REJECT I employ crude anti-spam measures
 .top    REJECT I employ crude anti-spam measures
 [snip]


Very good post as always, but there was a typo. Here's a regexp (!) to 
fix it:


s/crude/crude and ineffective/g

HTH :)

Those of you doing this should refer back to Viktor's previous post. 
This is a bad idea: it won't really do much against spam and could 
easily block non-spam. Again, none of these TLDs employ any tests to 
ensure that registrants are spammers.


Something I have noticed recently: many times the envelope and header 
sender addresses differ. It's an easy way for large-scale hosting 
operations to manage their own DKIM keys. I saw this with Amazon 
Workmail hosting.


Google Workspace hosting always uses the single account name as the 
envelope sender, so when multiple domains are configured in the same 
company account, each user always has the same envelope sender, 
regardless of the header sender.


Here's a rule of thumb: if you think you can do much about spam based on 
sender addresses, whether envelope or header: you're wrong.

--
   http://rob0.nodns4.us/



Re: Repetitive message in /var/log/maillog

2023-02-08 Thread Jaroslaw Rafa
On 8.02.2023 at 17:53:07 Wolfgang Paul Rauchholz wrote:
> I get the following message almost every one minute.
> Is this for information only or do I need to be worried?
> 
> 
> Feb  8 17:33:03 home dovecot[484616]: imap-login: Login:
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
> mpid=485528, TLS, session=<2vR70TL0Lr9/AAAB>

This message is not from Postfix, but from Dovecot. Something is connecting
to your Dovecot server from the same machine (127.0.0.1). Maybe some kind of
webmail?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Blocking TLDs

2023-02-08 Thread James Pifer

On 2/8/2023 12:37 PM, Rob McGee wrote:

On 2/8/2023 3:14 AM, Viktor Dukhovni wrote:

On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:


/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT


Why everyone feels they need regular expressions for this is a mystery.

 /etc/postfix/sender-access:
 top REJECT I employ crude anti-spam measures
 .top    REJECT I employ crude anti-spam measures
 [snip]


Very good post as always, but there was a typo. Here's a regexp (!) to 
fix it:


s/crude/crude and ineffective/g

HTH :)

Those of you doing this should refer back to Viktor's previous post. 
This is a bad idea: it won't really do much against spam and could 
easily block non-spam. Again, none of these TLDs employ any tests to 
ensure that registrants are spammers.


Something I have noticed recently: many times the envelope and header 
sender addresses differ. It's an easy way for large-scale hosting 
operations to manage their own DKIM keys. I saw this with Amazon 
Workmail hosting.


Google Workspace hosting always uses the single account name as the 
envelope sender, so when multiple domains are configured in the same 
company account, each user always has the same envelope sender, 
regardless of the header sender.


Here's a rule of thumb: if you think you can do much about spam based 
on sender addresses, whether envelope or header: you're wrong.



I would prefer to quarantine rather than reject, if I can figure out how 
to do that. I would at least be able to look through them periodically 
and see if something is legit.


I suddenly started getting these (.store, .shop, etc.) a couple of days ago. 
They are all coming from this block of addresses: 107.182.131.0.





Re: Blocking TLDs

2023-02-08 Thread Jaroslaw Rafa
On 8.02.2023 at 12:55:58 James Pifer wrote:
> I would prefer to quarantine rather than reject, if I can figure out
> how to do that. I would at least be able to look through them
> periodically and see if something is legit.
> 
> I suddenly started getting these (.store, .shop, etc.) a couple of days
> ago. They are all coming from this block of addresses:
> 107.182.131.0.

So definitely a better idea is to block these IP addresses.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
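
One way to act on the suggestion above while keeping the wish to quarantine rather than reject: an added Python emulation (not Postfix code and not from this thread) of a check_client_access cidr: table whose action is HOLD. The table contents and the /24 prefix around the 107.182.131.0 block are constructed assumptions:

```python
import ipaddress

# Constructed sample in cidr_table(5) format: "network/prefix action", one rule
# per line, "#" lines are comments, and the first matching rule wins. The /24
# around the 107.182.131.0 block mentioned in the thread is an assumption.
# HOLD parks the message in the hold queue instead of rejecting it, which is
# what a quarantine-then-review workflow needs.
CLIENT_ACCESS_CIDR = """\
# /etc/postfix/client-access.cidr (constructed example)
# A single host listed first takes precedence over the block below it.
107.182.131.1       OK
107.182.131.0/24    HOLD held for manual review
"""


def parse_cidr_table(text):
    """Return [(ip_network, action)] in file order, skipping blanks/comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a pattern without an action is malformed; skip it
        pattern, action = parts
        # A bare address means a single host (/32 or /128). An entry with host
        # bits set inside the prefix raises ValueError here, so a malformed
        # line is noticed rather than silently matching the wrong range.
        rules.append((ipaddress.ip_network(pattern), action))
    return rules


def check_client_access(client_ip, rules):
    """Action of the first rule containing client_ip, or None (Postfix: DUNNO)."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr.version == network.version and addr in network:
            return action
    return None


if __name__ == "__main__":
    rules = parse_cidr_table(CLIENT_ACCESS_CIDR)
    # 209.85.160.179 is the Google relay from James's log line; the other two
    # are constructed addresses inside the held block.
    for ip in ("209.85.160.179", "107.182.131.1", "107.182.131.42"):
        print(ip, "->", check_client_access(ip, rules))
```

The real table is wired in with "check_client_access cidr:/etc/postfix/client-access.cidr" early in smtpd_client_restrictions (cidr tables need no postmap), and held messages show up in mailq and can be released with "postsuper -H".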


Re: Blocking TLDs

2023-02-08 Thread James Pifer

On 2/8/2023 1:02 PM, Jaroslaw Rafa wrote:

On 8.02.2023 at 12:55:58 James Pifer wrote:

I would prefer to quarantine rather than reject, if I can figure out
how to do that. I would at least be able to look through them
periodically and see if something is legit.

I suddenly started getting these (.store, .shop, etc.) a couple of days
ago. They are all coming from this block of addresses:
107.182.131.0.

So definitely a better idea is to block these IP addresses.


Good suggestion. I have modified accordingly (I think). ;-)

Thanks


Re: Blocking TLDs

2023-02-08 Thread mailmary


It was added later, but by then I had already converted to regex.



On Wed, 08 Feb 2023 11:34:49 -0500 post...@ptld.com wrote:

> > Since I'm using AlmaLinux, a derivative of RHEL, it does not have PCRE 
> > because Redhat decided to remove it entirely from RHEL.
> > Thus, I had to convert all my "pcre:" into "regexp:", like the above.  
> 
> 
> I'm using a similar flavor of RHEL and
> 
>  dnf -y install postfix-pcre
> 
> worked for me. Is that package available for Alma?


Re: Blocking TLDs

2023-02-08 Thread postfix

dnf -y install postfix-pcre



It was added later, but by then I had already converted to regex.


FYI: I was given the impression that pcre has better performance than regex in 
postfix, if that is something relevant to you.


Integrating mailman with postfix

2023-02-08 Thread Doug Hardie
I am trying to setup a static maillist.  My first approach was to just include 
the addresses in a list in the virtual_alias file.  That works properly if the 
original message is being sent from someone authorized to send through my mail 
server.  However, the users of this list are all outside my domains and postfix 
rightfully denies them relay privileges.  

I am supporting a few domains for mail.  All of them are virtual domains.  
There are a couple of addresses that have their mailboxes on my server.  Those 
are configured as virtual also.  Some of them have addresses in multiple 
domains.  

My second approach was to install and setup mailman.  I am using the 
instructions from /usr/local/share/doc/mailman/mailman-install.txt.  Obviously 
I am getting something wrong as postfix never seems to send an email to mailman.


From main.cf:
myhostname is not specified.
mydomain = sermon-archive.info
mydestination = localhost.$mydomain, localhost
virtual_alias_maps = hash:/usr/local/etc/postfix/vmail_alias, 
hash:/usr/local/etc/postfix/lafn_alias, hash:/usr/local/etc/postfix/vcsc_alias


The only test entry is in lafn_alias:
t...@lafn.org   test


Sending a message from the host master to t...@lafn.org gives the following log 
entries:
Feb  8 23:06:29 mail postfix-submission/smtpd[10647]: connect from 
master[10.0.1.250]
Feb  8 23:06:29 mail postfix-submission/smtpd[10647]: Anonymous TLS connection 
established from master[10.0.1.250]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 
(256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest 
SHA256
Feb  8 23:06:29 mail postfix-submission/smtpd[10647]: 4PC7Fd2yDbz2fjQ8: 
client=master[10.0.1.250], sasl_method=CRAM-MD5, sasl_username=doug
Feb  8 23:06:29 mail postsrsd[10652]: srs_forward:  rewritten as 

Feb  8 23:06:29 mail postsrsd[10652]: srs_forward: 
 not rewritten: Valid SRS address 
for 
Feb  8 23:06:29 mail postfix/cleanup[10651]: 4PC7Fd2yDbz2fjQ8: 
message-id=<63e49b75.97dc8a.5f43d...@master.sermon-archive.info>
Feb  8 23:06:29 mail clamd[1202]: fd[11]: Unable to determine the filepath 
given the file descriptor.
Feb  8 23:06:29 mail postfix/qmgr[10640]: 4PC7Fd2yDbz2fjQ8: 
from=, size=612, nrcpt=1 (queue 
active)
Feb  8 23:06:29 mail postfix-submission/smtpd[10647]: disconnect from 
master[10.0.1.250] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 
commands=8
Feb  8 23:06:29 mail dovecot[10655]: 
lda(t...@mail.sermon-archive.info)[]<0fouIHWb5GOfKQAAZU03Dg>: 
msgid=<63e49b75.97dc8a.5f43d...@master.sermon-archive.info>: saved mail to INBOX
Feb  8 23:06:29 mail postfix/pipe[10654]: 4PC7Fd2yDbz2fjQ8: 
to=, orig_to=, relay=dovecot, 
delay=0.15, delays=0.1/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via 
dovecot service)
Feb  8 23:06:29 mail postfix/qmgr[10640]: 4PC7Fd2yDbz2fjQ8: removed

The message is delivered to a mailbox on the host, not sent to mailman.


Here is the postconf -n output:
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 1d
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
incoming_smtpd_restrictions = check_policy_service inet:127.0.0.1:10040, 
reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
reject_unauth_pipelining, permit_mynetworks, check_recipient_access 
hash:/usr/local/etc/postfix/tempfail, reject_unauth_destination, 
reject_unlisted_recipient reject_rbl_client bl.spamcop.net, reject_rbl_client 
b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
max_use = 5
message_size_limit = 102400
mydestination = localhost.$mydomain, localhost
mydomain = sermon-archive.info
mynetworks = 10.0.1.205, 10.0.1.230, 10.0.1.250, 10.0.1.200, 10.0.1.235, 
127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, 
cidr:/usr/local/etc/postfix/access.cidr
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
relocated_maps = hash:/usr/local/etc/postfix/relocated
sample_directory = /usr/local/etc/postfix
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
sendmail_path = /usr/local/s