Hello, I'm running a FreeBSD 10.3 AMD64 system. I just upgraded Postfix from 2.11 to 3.1. I'm using Dovecot for SASL authentication via MySQL and for mail storage via Maildir.
The system can receive email from the internet via port 25 (running postscreen) and store it on disk using Dovecot, no problem. I'm using Thunderbird 31.7.0 to connect remotely to my server to retrieve and send email. Retrieval on port 993 works fine; sending through the system does not: Thunderbird reports that it cannot send the message because the connection to the server timed out. On the server side, the submission/smtpd service gets the incoming connection and then just hangs until it eventually times out. I'd also like to know whether my current configuration, included below, which was carried over from 2.11 and is now running under 3.1, is current in terms of antispam techniques from the Postfix perspective. Lastly, related to antispam, I'm currently running MailScanner; to be honest I'm really liking it — it did the job — but it was slow. For example, I sent a single message: Postfix got it and passed it to MailScanner, which then took 3 to 5 minutes to process it and hand it back to Postfix, which then picked it up and sent it on to Dovecot for normal delivery. I've also used amavisd-new in the past and noticed the same slowness, so I'm wondering whether this is a SpamAssassin thing. I'm thinking about moving to rspamd, and if anyone is using it I'd appreciate some pro/con feedback. I'd appreciate any suggestions on any of these issues. Thanks. Dave.
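main.cf:
# NOTE(review): the posted configuration had its line breaks collapsed; it is
# restored here one directive per line. Values are unchanged except for the
# cipher-name typo in smtpd_tls_exclude_ciphers noted below.
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
mydestination = localhost
local_recipient_maps =
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, 192.168.0.0/24, xxx.xxx.xxx.xxx/32, [::1]/128, [fe80::]/10
in_flow_delay = 1s
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
# Misc options
biff = no
# The next was originally uncommented
#append_dot_mydomain = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
header_checks = regexp:/usr/local/etc/postfix/mailscanner_header_checks, pcre:/usr/local/etc/postfix/header_checks, regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred
# Virtual mailbox domains
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf, proxy:mysql:/usr/local/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_minimum_uid = 999
# Increase the virtual mailbox limit from 51 mb to 250 mb
virtual_mailbox_limit = 262144000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# For users who have moved
#relocated_maps = mysql:/usr/local/etc/postfix/mysql_relocated.cf
# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
# noplaintext here plus smtpd_tls_auth_only = yes below means AUTH is only
# offered inside TLS; the TLS-specific options below then allow PLAIN/LOGIN.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Shows to everyone the sasl authenticated username
#smtpd_sasl_authenticated_header = yes
# uce
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
# Order matters: permit_mynetworks / permit_sasl_authenticated come first, so
# authenticated submission clients are never subjected to the DNSBL checks.
# The final inet:127.0.0.1:12345 policy service is the Postfix quota status
# service. (Comment moved out of the value list: a '#' line inside a continued
# value is not a safe place for commentary in main.cf.)
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    check_policy_service inet:127.0.0.1:12345
smtpd_data_restrictions = reject_unauth_pipelining
# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
# FIX: the original read "EDH-RSA-DES-CDB3-SHA", which is not an OpenSSL cipher
# name and therefore excluded nothing; the DSS twin on the same line shows the
# intended spelling is "...-CBC3-SHA".
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
# (The parameter name is historical; pointing it at a 2048-bit file is the
# documented practice.)
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
#smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
# I wanted a little more logging than default for incoming mail.
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Add TLS information to the message headers
smtpd_tls_received_header = yes
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
#smtp_tls_security_level = may
# NOTE(review): "encrypt" on the outbound smtp client means mail to any remote
# MX that does not offer STARTTLS will be deferred and eventually bounce, not
# delivered. Intentional for some sites, but worth confirming.
smtp_tls_security_level = encrypt
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_ciphers = high
# NOTE(review): the commented-out line below also carries two cipher-name typos
# ("CDC3", "KRB5-DE5"); fix them before ever re-enabling it.
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
# I wanted a little more logging than default for outgoing mail.
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt
# For SPF
spf-policy_time_limit = 3600s
# OpenDKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
# postscreen(8) settings
### Before-220 tests
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
# NOTE(review): dnsbl.ahbl.org was shut down in 2015 and has reportedly returned
# a listing for every query since; at weight 2 against a threshold of 3 a dead
# list like that can push legitimate clients over the line. Verify each DNSBL
# is still operational before keeping it here.
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0
# Set the smtputf8 option because the dovecot service was not working
smtputf8_enable = no
# NOTE(review): an arbitrarily high compatibility_level silently opts into every
# future default change on each upgrade. The documented practice is to pin it to
# the level of the installed release once the upgrade warnings have been reviewed.
compatibility_level = 9999

master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
# Submission port 587 for client connection / sending mails from authenticated users
# NOTE(review): "-d" is not among the daemon arguments documented in master(5)
# (which lists -D and -v); it appears to switch the daemon out of its normal
# master-driven mode, which would match the symptom of the submission smtpd
# accepting a connection and then never talking to the client. Remove it and
# retest before looking anywhere else. Also consider
# "-o smtpd_tls_security_level=encrypt" on this service so port 587 never
# accepts a cleartext session at all.
submission inet  n       -       n       -       -       smtpd -d
  -o syslog_name=postfix/submission
  -o smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
# Dovecot local delivery agent - allows us to use sieve filters for spam
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
# for SPF support
spf-policy unix  -       n       n       -       0       spawn
  user=vmail argv=/usr/local/bin/perl /usr/local/libexec/postfix-policyd-spf-perl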