Thank you everyone for the excellent information.

> Don't do this. You seem to be following some outdated tutorial.

Old hardware running email gateways needed to be retired and replaced.
I was to keep the same functionality as was on the servers when I
arrived on this job. So, between not having prior knowledge about or
experience with any of the software (postfix, etc.), and being told to
minimize the performance changes to the systems, I thought the safest
path was to just copy the master.cf and the main.cf. I ran into the
problem that I also had to replace "glue scripts" created here with
MailScanner. That forced me to make some changes, some of which I
obviously did not fully understand. So, I appreciate the corrections.

> >       reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
> Yikes. That DNSBL doesn't have a very solid reputation.

I know. I know. I know. And I understand why. I am a member of a team
in which I am the junior member and the senior members all have an
attachment to five-ten because it stops so much spam. I do have to
deal with the over-aggressive effects on a weekly basis. I lose on
this point.

> Also, DISCARD is a strange choice. Why not REJECT?

I am told there is a logging difference and a program written here is
looking at log files for those events. I will revisit this point.

>> I currently have these lines in main.cf:
>>
>> check_client_access=hash:/etc/postfix/access
> Irrelevant, ignored.
> This is an example of why the list welcome message asks for "postconf -n" and 
> not lines from main.cf.

root:/var/log# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain, localhost.localdomain,
cnm.edu, mail.cnm.edu, mg01.cnm.edu, mg02.cnm.edu, mg03.cnm.edu,
mg04.cnm.edu, mg05.cnm.edu, nmvc.org, mail.nmvc.org, mg01.nmvc.org,
mg02.nmvc.org, mg03.nmvc.org, mg04.nmvc.org, mg05.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg01.nmvirtualcollege.org, mg02.nmvirtualcollege.org,
mg03.nmvirtualcollege.org, mg04.nmvirtualcollege.org,
mg05.nmvirtualcollege.org, nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
myhostname = mg05.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
notify_classes = resource,software
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu
smtpd_client_restrictions = permit_mynetworks
        hash:/etc/postfix/whitelist
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client dnsbl.njabl.org
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
        reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
        permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/overquota
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unlisted_recipient
        permit_mynetworks
        reject_unauth_destination
        reject_unauth_pipelining
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/greylist
        check_sender_access hash:/etc/postfix/sender_access
        permit_mynetworks
        reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases
root:/var/log#

> BTW the use of MailScanner with Postfix is not recommended and will not be 
> supported on this list. It uses direct access to the Postfix queue, an 
> undocumented and unsupported interface. There are other content filter 
> choices which do it properly; my recommendation is amavisd-new.

My understanding is that "uses direct access to the Postfix queue" is
an old issue that is no longer the case. In any event, I do not select
what we use.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
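
The "Irrelevant, ignored" point above (a check_client_access line at top level of main.cf is not a parameter and does nothing) and the DNSBL discussion both come down to reading `postconf -n` output carefully, which wraps long restriction lists over several lines. The lint below is an added example, not code from the thread or from Postfix; `SAMPLE` is constructed and the table paths in it are made up.

```python
"""Lint a `postconf -n` dump: rejoin values postconf wrapped, flag check_*
restrictions written as top-level main.cf parameters (Postfix ignores them
there), and list the DNSBLs each smtpd_*_restrictions list queries."""
import re

# Restriction names: meaningful only inside a smtpd_*_restrictions list.
RESTRICTIONS = {"check_client_access", "check_helo_access",
                "check_sender_access", "check_recipient_access"}
PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
PROMPT_RE = re.compile(r"^\S+[#$](\s|$)")   # shell prompt lines

SAMPLE = """root:/var/log# postconf -n
check_client_access=hash:/etc/postfix/access
smtpd_client_restrictions = permit_mynetworks reject_rbl_client
zen.spamhaus.org        reject_rbl_client bl.spamcop.net
reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4    permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
        reject_rbl_client zen.spamhaus.org
root:/var/log#
"""

def parse_postconf(text):
    """Map parameter -> full value; a line not starting 'name =' continues
    the previous value (a 'zone=127.0.0.4' fragment has dots, so it never
    looks like a parameter)."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        m = PARAM_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2)
        elif current is not None:
            params[current] += " " + line
    return params

def misplaced_restrictions(params):
    return [name for name in params if name in RESTRICTIONS]

def dnsbls(params):
    """(zone, return-code) per reject_rbl_client; code is None for whole zone."""
    out = {}
    for name, value in params.items():
        tokens = value.replace(",", " ").split()
        zones = [tokens[i + 1].partition("=") for i, t in enumerate(tokens[:-1])
                 if t == "reject_rbl_client"]
        if name.endswith("_restrictions") and zones:
            out[name] = [(z, code or None) for z, _, code in zones]
    return out
```

Run it against real `postconf -n` output to see which DNSBLs are consulted per-return-code (as five-ten is here) versus as a whole zone.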