I have a working solution for a submission-only system I’m setting up. It seems to be doing what I need.
There will be no local delivery. Even the cronjobs on this system will be sent elsewhere. The configuration is shown below. I’ve disabled several services; I think they won’t be required. Suggestions and comments are welcome.

# postconf -n
alias_maps = hash:/etc/mail/aliases
config_directory = /usr/local/etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth
inet_protocols = ipv4
message_size_limit = 32768000
mynetworks =
smtp_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtp_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtp_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/virtual
smtpd_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtpd_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtpd_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache

# postconf postconf -Mf
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
submission inet n - n - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=reject_sender_login_mismatch,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,permit_sasl_authenticated,reject
    -o syslog_name=postfix/submission

— Dan Langille
http://langille.org/