You don't want "reject_unknown_recipient_domain" for submissions because
a MUA can't handle a 4xx reject, and the same goes for
"reject_unknown_sender_domain".

"smtpd_sender_restrictions" is not needed at all if you enforce auth and
"reject_authenticated_sender_login_mismatch".

For a submission-only server add that as the only restriction to "main.cf",
because after that it doesn't matter which port, with or without TLS: you
are enforcing SASL auth and forbidding foreign unlisted senders.
smtpd_recipient_restrictions = permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    reject_rbl_client dnsbl.thelounge.net
    permit_sasl_authenticated
    reject
On 31.12.2014 at 16:47, Dan Langille wrote:
I have a working solution for a submission-only system I’m setting up. It
seems to be doing what I need.
There will be no local delivery. Even the cronjobs on this system will be sent
elsewhere.
The configuration is shown below. I’ve disabled several services; I think they
won’t be required.
Suggestions and comments welcomed.
# postconf -n
alias_maps = hash:/etc/mail/aliases
config_directory = /usr/local/etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth
inet_protocols = ipv4
message_size_limit = 32768000
mynetworks =
smtp_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtp_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtp_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/virtual
smtpd_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtpd_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtpd_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
# postconf -Mf
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=reject_sender_login_mismatch,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,permit_sasl_authenticated,reject
    -o syslog_name=postfix/submission
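Both the per-service overrides in the master.cf above and the single main.cf list proposed in the reply at the top come down to the same mechanism: smtpd walks the restriction list and the first restriction that matches decides. The following is an added example written for this page (my own illustrative code, not Postfix source and not anything posted in the thread) that models that walk in Python and runs the reply's list against constructed sessions, so you can see that one list already rejects unauthenticated clients, logins that do not own the MAIL FROM address, and foreign addresses that are not in smtpd_sender_login_maps at all. The table contents, the local domain class, the reply texts, the lookup order (full address, then @domain), case-folding, and skipping the null sender are all assumptions of the model; reject_rbl_client is left out because it needs DNS, and smtpd_relay_restrictions is not modelled.

```python
"""Added example: a first-match model of a Postfix smtpd restriction list.

Illustrative code for this page, not Postfix source and not from the thread.
Walks the restriction list the way smtpd does (first match decides) so the
single list proposed in the reply can be exercised against constructed
sessions. reject_rbl_client (DNS) and smtpd_relay_restrictions are omitted.
"""
import re

# Constructed stand-in for the hash:/usr/local/etc/postfix/virtual table used as
# smtpd_sender_login_maps: MAIL FROM address (or @domain) -> allowed SASL logins.
SENDER_LOGIN_MAPS = {
    "dan@example.org": {"dan"},
    "@example.net": {"dan", "ops"},
}
# Assumed local domain class and its listed addresses (virtual_mailbox_maps etc.);
# reject_unlisted_sender only applies to domains this host is responsible for.
LOCAL_DOMAINS = {"example.org"}
LISTED_ADDRESSES = {"dan@example.org", "postmaster@example.org"}
MYNETWORKS = set()          # mynetworks is empty in the posted main.cf

FQDN_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

# The list from the reply, minus reject_rbl_client.
REPLY_LIST = [
    "permit_mynetworks",
    "reject_non_fqdn_recipient",
    "reject_non_fqdn_sender",
    "reject_unlisted_sender",
    "reject_authenticated_sender_login_mismatch",
    "permit_sasl_authenticated",
    "reject",
]


def sender_owners(sender):
    """Owners of a MAIL FROM address. Lookup order assumed: full address, then @domain."""
    key = sender.lower()
    if key in SENDER_LOGIN_MAPS:
        return SENDER_LOGIN_MAPS[key]
    return SENDER_LOGIN_MAPS.get("@" + key.rsplit("@", 1)[-1])


def check(client_ip, login, sender, rcpt, restrictions=REPLY_LIST):
    """Return (reply, deciding_restriction). login is None when the client did not
    authenticate; sender is "" for the null sender <>. Reply texts approximate Postfix's."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if client_ip in MYNETWORKS:
                return "OK", r
        elif r == "reject_non_fqdn_recipient":
            if not FQDN_RE.match(rcpt):
                return "504 5.5.2 Recipient address rejected: need fully-qualified address", r
        elif r == "reject_non_fqdn_sender":
            if sender and not FQDN_RE.match(sender):
                return "504 5.5.2 Sender address rejected: need fully-qualified address", r
        elif r == "reject_unlisted_sender":
            domain = sender.rsplit("@", 1)[-1].lower() if sender else ""
            if domain in LOCAL_DOMAINS and sender.lower() not in LISTED_ADDRESSES:
                return "550 5.1.0 Sender address rejected: User unknown in virtual mailbox table", r
        elif r == "reject_authenticated_sender_login_mismatch":
            # Only bites for SASL-authenticated clients (assumed to skip the null sender):
            # the address must be in the map AND the login must be one of its owners,
            # so a foreign address with no map entry is rejected too.
            if login is not None and sender:
                owners = sender_owners(sender)
                if owners is None or login.lower() not in {o.lower() for o in owners}:
                    return f"553 5.7.1 Sender address rejected: not owned by user {login}", r
        elif r == "permit_sasl_authenticated":
            if login is not None:
                return "OK", r
        elif r == "reject":
            return "554 5.7.1 Access denied", r
        else:
            raise ValueError(f"restriction not modelled: {r}")
    return "OK", "end-of-list"   # an exhausted list permits


if __name__ == "__main__":
    # Constructed sessions: (client IP, SASL login or None, MAIL FROM, RCPT TO)
    sessions = [
        ("203.0.113.5", "dan", "dan@example.org", "friend@example.com"),      # normal submission
        ("203.0.113.5", None, "dan@example.org", "friend@example.com"),       # no AUTH
        ("203.0.113.5", "mallory", "dan@example.org", "friend@example.com"),  # wrong login
        ("203.0.113.5", "dan", "dan@other.example", "friend@example.com"),    # foreign sender
        ("203.0.113.5", "ops", "ops@example.net", "friend@example.com"),      # @domain owner
        ("203.0.113.5", "dan", "dan@example.org", "root"),                    # unqualified rcpt
    ]
    for s in sessions:
        print(f"login={s[1]!r} from={s[2]!r} to={s[3]!r} -> {check(*s)}")
```

Running the block prints one decision per constructed session. The instructive cases are the unauthenticated client, which falls through to the final reject, and the authenticated user sending from an address with no owner entry, which is stopped by reject_authenticated_sender_login_mismatch before permit_sasl_authenticated can fire; that ordering is what lets the one list replace separate sender and recipient restrictions on the submission service.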