
main.cf sanity check request

From: Robert Fantini <robertfantini_at_nospam>
Date: Thu Oct 28 2010 - 16:04:20 GMT
To: postfix-users@postfix.org

Hello
This is not urgent. Our postfix system runs great using open-vz and
debian lenny.

However I've been using postfix for a long time, and know that I am
far from an expert on postfix.

We send and receive mail for our local network. In addition I've
recently set up secure smtp so that we can use thunderbird at home and
send mails using fantinibakery.com.

What I'd like is comments on how to improve our config. Here are
main.cf and master.cf. I am certain that this can be improved:

postconf -n :
# Output of `postconf -n`: only parameters set explicitly in main.cf appear;
# anything not listed here is running at its built-in default.
alias_database = hash:/etc/postfix/Aliases/aliases
alias_maps = hash:/etc/postfix/Aliases/aliases,hash:/etc/postfix/Aliases/aliases-fbc,hash:/etc/postfix/Aliases/aliases-distributors
# Bounces are given up on after one day (same limit as maximal_queue_lifetime below).
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 1h
# VRFY is disabled, so the server does not confirm which addresses exist.
disable_vrfy_command = yes
html_directory = no
# Listens on every interface of the host.
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
# Undeliverable mail is returned to the sender after one day in the queue.
maximal_queue_lifetime = 1d
myhostname = fantinibakery.com
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = no
require_home_directory = yes
sample_directory = /etc/postfix

sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining, permit
# Rejections are deferred until RCPT TO, so client/helo/sender decisions are
# made (and logged) with the recipient known.
smtpd_delay_reject = yes
smtpd_helo_required = yes

# NOTE(review): mynetworks is not set in this output, so permit_mynetworks
# trusts whatever mynetworks_style derives from the host's interfaces (the
# default before Postfix 3.0 is "subnet"). Check `postconf mynetworks` to
# confirm the relay-trusted ranges are only the intended local network.
# reject_unauth_destination comes before every check_*_access map, so an OK
# result from one of those maps cannot open the server to relaying.
# reject_invalid_hostname is the older name of reject_invalid_helo_hostname.
# The trailing "permit" matches the implicit result at the end of the list.
smtpd_recipient_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_invalid_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            reject_unauth_destination,
            check_sender_access hash:/etc/postfix/sender_access ,
            check_recipient_access hash:/etc/postfix/recipient_checks,
            check_client_access hash:/etc/postfix/client_checks,
            check_client_access pcre:/etc/postfix/fqrdns.pcre,
            check_policy_service inet:127.0.0.1:60000,
            reject_rbl_client b.barracudacentral.org,
            reject_rbl_client zen.spamhaus.org,
            check_recipient_access regexp:/etc/postfix/ext-access.regexp,
    permit

# NOTE(review): SASL AUTH is enabled here for every smtpd service, including
# port 25, and smtpd_tls_auth_only is not listed (default: no), so AUTH is also
# offered on sessions that have not negotiated TLS. With only "noanonymous"
# set, plaintext mechanisms are not excluded. Setting smtpd_tls_auth_only = yes
# keeps passwords off unencrypted connections.
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# Authentication is delegated to Dovecot through a socket under the queue directory.
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks
# NOTE(review): these paths are the self-signed "snakeoil" pair generated by
# Debian's ssl-cert package. Mail clients cannot validate it against a CA, so
# remote users have to accept a certificate exception and have no way to tell
# this server from an impostor. Consider a certificate issued for the hostname
# the clients connect to.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Opportunistic STARTTLS for inbound SMTP; the current spelling of this
# setting is smtpd_tls_security_level = may.
smtpd_use_tls = yes

master.cf:
# master.cf service table. Columns: service, type, private, unpriv, chroot,
# wakeup, maxproc, command + args.
# Public SMTP listener (port 25). It inherits smtpd_sasl_auth_enable = yes from
# main.cf, so AUTH is offered here as well as on smtps below.
smtp inet n - n - - smtpd
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# fallback_relay is the pre-2.3 name of smtp_fallback_relay; the empty value
# means the relay transport uses no fallback host.
relay unix - - n - - smtp
        -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# 2010-10-16 for offsite mail send this works.
# Implicit-TLS listener for remote mail clients: TLS is negotiated before any
# SMTP command (wrappermode), and the client restriction rejects every client
# that has not authenticated via SASL.
# NOTE(review): the chroot column is "-" here while the other services set "n";
# "-" takes the built-in default, which is chroot=yes before Postfix 3.0.
# Confirm the difference is intended.
# NOTE(review): no smtpd_milters setting appears in the postconf -n output in
# this post, so milter_macro_daemon_name=ORIGINATING has no visible effect.
smtps inet n - - - - smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
#