On 1/21/2011 7:42 PM, Walter Pinto wrote:
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/html/postfix
OK so far.
in_flow_delay = 0
in_flow_delay should probably be left at the default.
inet_protocols = all
initial_destination_concurrency = 10
local_destination_concurrency_limit = 10
local_recipient_maps =
local_transport = error:local mail delivery disabled
OK.
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 90m
maximal_queue_lifetime = 5d
message_size_limit = 14500000
mime_header_checks = $header_checks
minimal_backoff_time = 45m
That seems high for a minimal backoff (especially with a 120s
queue run delay). A min backoff of 2~15 minutes is common; 5m
is the default.
mydestination =
mydomain = mx.example.net
myhostname = mx.example.net
mynetworks = 127.0.0.0/16
Usually that should be /8, but I can't imagine /16 will cause
any problems...
myorigin = example.net
nested_header_checks =
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 120s
The default is 300s and is probably appropriate for most
sites. If your queue has lots of deferred mail, frequent runs
will slow postfix down.
readme_directory = /var/www/html/postfix
relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
Looks as if you have a list of valid recipients. Very good.
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 45s
smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname
reject_invalid_hostname
smtpd_recipient_restrictions = reject_invalid_hostname
reject_non_fqdn_hostname reject_non_fqdn_sender
reject_non_fqdn_recipient reject_unknown_sender_domain
reject_unknown_recipient_domain reject_unlisted_recipient
check_policy_service inet:127.0.0.1:10031 permit_mynetworks
reject_unauth_destination check_recipient_access
hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org
reject_rbl_client b.barracudacentral.org reject_rbl_client
bl.spamcop.net check_policy_service inet:127.0.0.1:10023
I would expect "permit_mynetworks, reject_unauth_destination"
to be the first entries here.
If your :10031 policy service must run before
reject_unauth_destination, move it to
smtpd_sender_restrictions so that it can't accidentally cause
an open relay. (Not likely, but better safe...)
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/mx.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/mx.example.net.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/domains/localhost
hash:/etc/postfix/domains/example.com
hash:/etc/postfix/domains/example.net
hash:/etc/postfix/domains/example.org
OK, no glaring errors.
I don't use SQL, so I won't comment on that part.
Note that postfix 2.3 is no longer supported. Postfix 2.3.19
is the last patchlevel of that version, so 2.3.3 is *way*
behind.
As Stan mentioned, there are lots of entries above that are
defaults. It would clean up your config and make your
"postconf -n" easier to examine for errors if you remove
default entries from main.cf.
-- Noel Jones
/etc/postfix/sql/relay_transport_map.conf
user = user
password = password
dbname = postfix
table = relay_transport_map
select_field = y
where_field = x
query =
SELECT y
FROM relay_transport_map
WHERE x='%s'
Example:
mysql> SELECT *
-> FROM `relay_transport_map`
-> WHERE `x`
-> REGEXP CONVERT( _utf8 'enduser.com'
-> USING latin1 )
-> COLLATE latin1_swedish_ci
-> LIMIT 0 , 30
-> \g
+-------------+---------------------+---------+
| x           | y                   | ip      |
+-------------+---------------------+---------+
| enduser.com | cpanel:[x.x.x.x]:26 | x.x.x.x |
+-------------+---------------------+---------+
sql/relay_recipient_map.conf
user = user
password = password
dbname = postfix
query =
SELECT y
FROM relay_recipient_map
WHERE x='%s'
Example:
-> SELECT *
-> FROM `relay_recipient_map`
-> WHERE `x`
-> REGEXP CONVERT( _utf8 'enduser.com'
-> USING latin1 )
-> COLLATE latin1_swedish_ci
-> LIMIT 0 , 30
-> \g
+---------------------+----+---------+
| x                   | y  | ip      |
+---------------------+----+---------+
| exam...@enduser.com | OK | x.x.x.x |
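
Added example (not part of the original thread and not Postfix code): a small audit of the ordering point raised in the reply, listing every check in smtpd_recipient_restrictions that can return a permit-type result before reject_unauth_destination is reached. The function names and the set of restrictions treated as "permit-capable" are assumptions made for this sketch; the sample is constructed from the quoted configuration, abridged after the first RBL.

```python
import re

# Constructed sample: the quoted smtpd_recipient_restrictions value,
# written main.cf-style (continuation lines start with whitespace).
SAMPLE = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname
    reject_non_fqdn_hostname reject_non_fqdn_sender
    reject_non_fqdn_recipient reject_unknown_sender_domain
    reject_unknown_recipient_domain reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:10031 permit_mynetworks
    reject_unauth_destination check_recipient_access
    hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:10023
"""

# Restrictions that take one argument (lookup table, service or DNS list).
ARG_RE = re.compile(r"check_\w+|(permit|reject)_(rbl|rhsbl|dnswl|rhswl)_\w+")
# Assumption: checks whose verdict comes from external data and may be OK.
CAN_PERMIT_RE = re.compile(r"check_policy_service|check_\w+_access|permit")

def get_param(config_text, name):
    """Return the value of one parameter, joining continuation lines."""
    value, collecting = [], False
    for line in config_text.splitlines():
        if line[:1].isspace():
            if collecting:
                value.append(line.strip())
        else:
            key, _, rest = line.partition("=")
            collecting = key.strip() == name
            if collecting:
                value = [rest.strip()]
    return " ".join(value)

def parse_restrictions(value):
    """Split a restriction list into (name, argument-or-None) pairs."""
    it = iter(t for t in re.split(r"[,\s]+", value) if t)
    return [(t, next(it, None) if ARG_RE.fullmatch(t) else None) for t in it]

def relay_risks(value):
    """Return (has_reject_unauth_destination, permit-capable checks before it)."""
    risky = []
    for name, arg in parse_restrictions(value):
        if name == "reject_unauth_destination":
            return True, risky
        if CAN_PERMIT_RE.fullmatch(name):
            risky.append(f"{name} {arg}" if arg else name)
    return False, risky

if __name__ == "__main__":
    print(relay_risks(get_param(SAMPLE, "smtpd_recipient_restrictions")))
```

On the sample this flags the :10031 policy service; with "permit_mynetworks, reject_unauth_destination" moved to the front, as suggested in the reply, the list comes back empty.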