On Tue, Dec 31, 2024 at 09:51:01PM +0100, Gerd Hoerst via Postfix-users wrote:
> So here also the right sender address
> > Yes, it's the file.... if I change only the file, postfix croaks that
> > /etc/aliases is newer than /etc/aliases.db (after I ran postalias
> > /etc/aliases it has an older timestamp)
Well, now you need to post the outputs of:
$ postconf -Mf unix/local
$ postmap -q g $(postconf -xh alias_maps)
$ postmap -q g unix:passwd.byname
And fresh logging of a delivery failure, now that (perhaps) the desired
aliases entry is in place.
> > > postconf -nf
> > alias_database = hash:/etc/aliases
> > alias_maps = hash:/etc/aliases
Fine. Presumably the default_database_type is "hash".
> > debug_peer_level = 10
I doubt you want anything higher than 2 here, though for now it does not
matter given debug_peer_list is empty.
> > mailbox_command = procmail -a "$EXTENSION"
Handles local users with shell accounts, after alias expansion.
> > masquerade_domains = hoerst.net
Best avoided, breaks recipient validation by wildcarding subdomains.
> > mydestination = $myhostname, smtp.hoerst.net virgo.hoerst.net,
> > localhost.hoerst.net, localhost, $mydomain
> > mydomain = hoerst.net
> > myorigin = $mydomain
As expected.
> > qmgr_message_active_limit = 150
> > qmgr_message_recipient_limit = 150
That's remarkably small, but if you never have more than a handful of
messages in the queue, fine...
> > relay_domains = hoerst.net
> > relay_recipient_maps = hash:/etc/postfix/relay_recipients
Just set these empty instead. This is a local domain.
> > smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP,
> > 3DES,eNULL,
> > aNULL, ADH-AES256-GCM-SHA384
> > smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP,
> > 3DES,eNULL,
> > aNULL, ADH-AES256-GCM-SHA384
The "eNULL" and "ADH-AES256-GCM-SHA384" exclusions are redundant.
No idea what "PSD" is supposed to be (perhaps "PSK", which along
with "SRP" are merely "cosmetic" exclusions, because these require
additional configuration before they're actually usable).
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1, !TLSv1
> > smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.1
> > smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1, !TLSv1
The preferred syntax is ">=TLSv1.2" (no space or "," after ">=").
> > smtpd_sasl_auth_enable = yes
Best in master.cf only for the submission services, and not enabled
on port 25.
> > smtpd_tls_eecdh_grade = ultra
This is obsolete, and now a bad idea. Use the default "auto" instead,
with TLS 1.3 this is ignored, but it limits interoperability and
degrades performance (~17x costlier key exchange relative to P-256) with
TLS 1.2.
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Obsoleted by session tickets, best left empty.
> > smtpd_use_tls = yes
Obsoleted by "smtpd_tls_security_level".
> > tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
The "eNULL" exclusion is redundant. Unclear why you disable aNULL,
though with TLS not having any anonymous ciphers and TLS 1.2 becoming
increasingly less common, it hardly matters.
> > tls_random_source = dev:/dev/urandom
Best to let this default.
--
Viktor.
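The review above is a manual pass over a `postconf -n` dump. As an added example (not code from the thread, Viktor, or the Postfix project), the script below encodes the same checks as a small lint: obsolete `smtpd_use_tls`, a non-default `smtpd_tls_eecdh_grade`, a populated `smtpd_tls_session_cache_database`, `tls_random_source`, an excessive `debug_peer_level`, global `smtpd_sasl_auth_enable`, `*_tls_protocols` written as exclusion lists (with duplicate entries) instead of `>=TLSv1.2`, and `relay_domains` naming a domain that is already local. The embedded sample is a constructed reconstruction of the settings quoted in the thread; the rules, the `PROTOCOL_ORDER` table, and the `lint_text` / `suggest_protocols` names are this example's own assumptions, not anything Postfix ships.

```python
"""Lint a `postconf -n` dump for the configuration issues raised in the thread.

Usage:  python postconf_lint.py -  < <(postconf -n)     # lint the live config
        python postconf_lint.py                          # lint the embedded sample
"""
import re
import sys
from collections import Counter

# Assumed ordering of protocol names as Postfix/OpenSSL spell them, oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample: the poster's settings as quoted in the thread (not a real dump).
SAMPLE_POSTCONF_N = """\
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
debug_peer_level = 10
mydestination = $myhostname, smtp.hoerst.net virgo.hoerst.net,
    localhost.hoerst.net, localhost, $mydomain
mydomain = hoerst.net
relay_domains = hoerst.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.1
smtpd_sasl_auth_enable = yes
smtpd_tls_eecdh_grade = ultra
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
"""


def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n or main.cf style) into a dict.
    A line that starts with whitespace continues the previous parameter's value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params


def split_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def expand(value, params):
    """Expand $name / ${name} references against the parsed parameters (unknown -> '')."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)


def suggest_protocols(value):
    """Map an exclusion list such as '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' to the
    preferred '>=TLSv1.2' form. Returns (suggestion_or_None, duplicate_tokens).
    Only a contiguous 'everything older than X' exclusion set converts cleanly."""
    tokens = split_list(value)
    dups = sorted({t for t, n in Counter(tokens).items() if n > 1})
    if value.startswith(">=") or not tokens or not all(t.startswith("!") for t in tokens):
        return None, dups
    excluded = {t[1:] for t in tokens}
    for i, proto in enumerate(PROTOCOL_ORDER):
        if proto not in excluded:
            return (">=" + proto, dups) if excluded == set(PROTOCOL_ORDER[:i]) else (None, dups)
    return None, dups


def lint(params):
    """Return a list of (parameter, finding) tuples for the checks discussed in the thread."""
    findings = []
    add = lambda name, msg: findings.append((name, msg))
    lvl = params.get("debug_peer_level", "")
    if lvl.isdigit() and int(lvl) > 2:
        add("debug_peer_level", f"{lvl} is excessive; 2 suffices (only matters once debug_peer_list is set)")
    if "smtpd_use_tls" in params:
        add("smtpd_use_tls", "obsolete; use smtpd_tls_security_level instead")
    if params.get("smtpd_tls_eecdh_grade", "auto") != "auto":
        add("smtpd_tls_eecdh_grade", "non-default grade hurts TLS 1.2 interoperability and performance; use 'auto'")
    if params.get("smtpd_tls_session_cache_database"):
        add("smtpd_tls_session_cache_database", "obsoleted by session tickets; leave empty")
    if "tls_random_source" in params:
        add("tls_random_source", "leave at the default")
    if params.get("smtpd_sasl_auth_enable") == "yes":
        add("smtpd_sasl_auth_enable", "enable SASL only on the submission services in master.cf, not on port 25")
    for name, value in params.items():
        if name.endswith("_tls_protocols") or name.endswith("_tls_mandatory_protocols"):
            suggestion, dups = suggest_protocols(value)
            if dups:
                add(name, f"duplicate entries: {', '.join(dups)}")
            if suggestion:
                add(name, f"prefer '{suggestion}' over the exclusion list")
    # relay_domains must not overlap the domains Postfix already treats as local.
    local = {expand(t, params) for n in ("mydomain", "mydestination")
             for t in split_list(params.get(n, ""))} - {""}
    overlap = [d for d in split_list(params.get("relay_domains", "")) if expand(d, params) in local]
    if overlap:
        add("relay_domains", f"{', '.join(overlap)} is already local; set relay_domains and relay_recipient_maps empty")
    return findings


def lint_text(text):
    """Convenience wrapper: parse a dump and lint it."""
    return lint(parse_postconf(text))


if __name__ == "__main__":
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_POSTCONF_N
    for param, msg in lint_text(source):
        print(f"{param}: {msg}")
```

Running it against the embedded sample reports the same ten points Viktor raised; a config that already uses `smtpd_tls_security_level` and `>=TLSv1.2` produces no output.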