postfix-users October 2010 archive

Re: main.cf sanity check request

From: Jeroen Geilman <jeroen_at_nospam>
Date: Thu Oct 28 2010 - 16:59:39 GMT
To: postfix-users@postfix.org

On 10/28/2010 06:04 PM, Robert Fantini wrote:
> Hello
> this is not urgent. our postfix system runs great using open-vz and
> debian lenny.
>
> However I've been using postfix for a long time, and know that I am
> far from an expert on postfix.
>
> We send and receive mail for our local network. In addition I've
> recently setup secure smtp so that we can use thunderbird at home and
> send mails using fantinibakery.com
>
> What I'd like is comments on how to improve our config. here is
> main.cf and master.cf . I am certain that this can be improved:
>

You could use TLS instead of the (deprecated) SMTPS.
SMTPS is only required for incoherent clients such as MS Outlook.

Thunderbird fully supports submission with STARTTLS and SASL authentication.

> postconf -n :
> alias_database = hash:/etc/postfix/Aliases/aliases
> alias_maps = hash:/etc/postfix/Aliases/aliases,hash:/etc/postfix/Aliases/aliases-fbc,hash:/etc/postfix/Aliases/aliases-distributors
> bounce_queue_lifetime = 1d
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> debug_peer_level = 2
> delay_warning_time = 1h
> disable_vrfy_command = yes
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailbox_command = /usr/bin/procmail -a "$EXTENSION"
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 1d
> myhostname = fantinibakery.com
> newaliases_path = /usr/bin/newaliases
> parent_domain_matches_subdomains = smtpd_access_maps
> queue_directory = /var/spool/postfix
> readme_directory = no
> require_home_directory = yes
> sample_directory = /etc/postfix
>
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_client_restrictions = permit_mynetworks
>

Superfluous, as you're already requiring it in _recipient_.

> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
>
You need to swap those two to be able to send authenticated mail from
outside your network.

> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/sender_access ,
> check_recipient_access hash:/etc/postfix/recipient_checks,
> check_client_access hash:/etc/postfix/client_checks,
> check_client_access pcre:/etc/postfix/fqrdns.pcre,
> check_policy_service inet:127.0.0.1:60000,
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> check_recipient_access regexp:/etc/postfix/ext-access.regexp,
> permit
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks
>
And then permit?
That makes no sense - you don't need this.
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
>
>
> master.cf:
> smtp inet n - n - - smtpd
> #628 inet n - n - - qmqpd
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> -o fallback_relay=
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix n - n - - showq
> error unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> # 2010-10-16 for offsite mail send this works.
> smtps inet n - - - - smtpd
> -o smtpd_tls_wrappermode=yes
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> #
>

Add a dedicated submission listener for authenticated user submission on
port 587.
The docs will have details.

-- J.
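The points raised in this thread (a restriction list that only repeats a permit, a sender list with nothing after permit_mynetworks, the self-signed placeholder certificate, and the missing port-587 submission listener) can be checked mechanically. The following is an added example, not code from the thread or from the Postfix project: a small Python lint that parses `postconf -n` output and a master.cf fragment and reports those issues, plus the one a reviewer cares about most, whether any access lookup runs before reject_unauth_destination (a table returning OK there permits relaying). The sample main.cf is transcribed from the quoted postconf output; the two master.cf fragments are constructed, and the submission entry in the "after" fragment uses the option names from Postfix's stock master.cf (smtpd_tls_security_level=encrypt, smtpd_sasl_auth_enable=yes). The parser and the wording of the findings are this example's own.

```python
import re

# Constructed sample: the postconf -n output quoted in the thread, with
# continuation lines re-indented the way postconf prints them.
MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access ,
    check_recipient_access hash:/etc/postfix/recipient_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/fqrdns.pcre,
    check_policy_service inet:127.0.0.1:60000,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access regexp:/etc/postfix/ext-access.regexp,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_use_tls = yes
"""

# Constructed master.cf fragments: the thread's smtps-only setup, and the same
# with the stock port-587 submission entry added (STARTTLS required, SASL only).
MASTER_CF_BEFORE = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MASTER_CF_AFTER = MASTER_CF_BEFORE + """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

PARAM_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse_main_cf(text):
    """postconf -n output -> {parameter: value}; indented lines continue a value."""
    params, current = {}, None
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        elif current is not None and line.strip():
            params[current] = (params[current] + " " + line.strip()).strip()
    return params

def restriction_names(value):
    """Restriction list -> names only, dropping lookup-table and DNSBL arguments."""
    return [e.split()[0] for e in value.split(",") if e.split()]

def lookups_before_relay_guard(names):
    """check_* entries evaluated before reject_unauth_destination.

    An OK result from any of them permits relaying to arbitrary destinations,
    so the list should be empty. Returns None when the guard is missing entirely.
    """
    if "reject_unauth_destination" not in names:
        return None
    guard = names.index("reject_unauth_destination")
    return [n for n in names[:guard] if n.startswith("check_")]

def parse_master_cf(text):
    """master.cf -> {service name: {-o option: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[:1].isspace() and line.strip().startswith("-o") and current:
            key, _, val = line.strip()[2:].strip().partition("=")
            services[current][key] = val
        elif not line[:1].isspace():
            current = line.split()[0]
            services[current] = {}
    return services

def lint(main_cf_text, master_cf_text):
    """Return the list of findings; empty when none of the thread's issues is present."""
    p, findings = parse_main_cf(main_cf_text), []
    for param in ("smtpd_client_restrictions", "smtpd_sender_restrictions"):
        names = restriction_names(p.get(param, ""))
        if names and all(n.startswith("permit") for n in names):
            findings.append(f"{param} contains only permits; the list is a no-op")
    pre = lookups_before_relay_guard(restriction_names(p.get("smtpd_recipient_restrictions", "")))
    if pre is None:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    elif pre:
        findings.append("lookups before reject_unauth_destination can permit relaying: " + ", ".join(pre))
    if "noanonymous" not in p.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options does not forbid anonymous SASL")
    if "snakeoil" in p.get("smtpd_tls_cert_file", ""):
        findings.append("smtpd_tls_cert_file is Debian's self-signed placeholder certificate")
    sub = parse_master_cf(master_cf_text).get("submission")
    if sub is None:
        findings.append("no submission service (port 587) in master.cf")
    elif sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission service does not require STARTTLS")
    return findings

if __name__ == "__main__":
    for label, master in (("before", MASTER_CF_BEFORE), ("after", MASTER_CF_AFTER)):
        print(f"[{label}]")
        for finding in lint(MAIN_CF, master):
            print("  -", finding)
```

Run it as-is to see the four findings for the quoted configuration and the three that remain once the submission entry is added; point it at real output by replacing the constructed strings with the contents of `postconf -n` and `/etc/postfix/master.cf`. The relay-guard check is the one worth keeping in any review: the quoted config passes it only because all of its check_* lookups come after reject_unauth_destination.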