Hello,

I'm running a FreeBSD 10.3 AMD64 system. I just upgraded Postfix from
2.11 to 3.1. I'm using Dovecot for SASL authentication via MySQL and for
email storage via Maildir.

The system can receive emails from the internet via port 25 (running
postscreen) and store them on disk using Dovecot, no problem.

I'm using Thunderbird 31.7.0 to connect remotely to my server to
retrieve and send email. Retrieval works fine on port 993; sending
through the system does not: I get a message from Thunderbird that it
cannot send the message because the connection to the server timed out.

On the server side of things the submission/smtpd service gets the
incoming connection and then just hangs until it eventually does
indeed time out.

I'd also like to know whether my current configuration (included below),
which was carried over from 2.11 and is now running on 3.1, is up to date
in terms of antispam techniques from the Postfix perspective.

Lastly, related to antispam: I'm currently running MailScanner, and to
be honest I'm really liking it -- it did the job -- but it was slow. As an
example, I sent a single message; Postfix received it and passed it to
MailScanner, which then took 3 to 5 minutes to process it and send it
back to Postfix, which then picked it up and sent it on to Dovecot for
normal delivery. I've also used Amavisd-new in the past and noticed the
same slowness, so I'm wondering whether this is a SpamAssassin thing. So
I'm thinking about moving to rspamd, and if anyone is using it I'd
appreciate some pro/con feedback.

I'd appreciate any suggestions on any of these issues.

Thanks.
Dave.

main.cf:
# main.cf as posted (Postfix 3.1 on FreeBSD 10.3, migrated from 2.11).
# NOTE(review): several multi-line values below (second line of mynetworks,
# header_checks, the virtual_*_maps, postscreen_access_list, the dnsbl reply
# map, ...) appear here without leading whitespace. That is presumably
# mail-client wrapping; in a real main.cf a continuation line must begin
# with whitespace or Postfix will not treat it as part of the preceding value.
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
mydestination = localhost
# Empty local_recipient_maps turns off recipient validation for the
# $mydestination domains (only "localhost" here): mail to an unknown local
# user is accepted and bounced later instead of being rejected at RCPT TO.
# Low exposure because mydestination is just localhost, but it is the
# classic backscatter setting -- confirm it is intentional.
local_recipient_maps =
unknown_local_recipient_reject_code = 550
# NOTE(review): every address range in mynetworks may relay WITHOUT
# authentication (permit_mynetworks in smtpd_recipient_restrictions below
# and in the submission service's smtpd_client_restrictions in master.cf).
# [fe80::]/10 trusts every IPv6 link-local neighbour on every attached
# interface -- confirm that is intended and not just a copied default.
mynetworks = 127.0.0.0/8, 192.168.0.0/24, xxx.xxx.xxx.xxx/32,
[::1]/128, [fe80::]/10
in_flow_delay = 1s
recipient_delimiter = +
# Deliberately terse banner: no Postfix version string is advertised.
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix

# Misc options
biff = no
# The next was originally uncommented
#append_dot_mydomain = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
# Header inspection tables: the MailScanner hooks, the site-local pcre
# rules and a 419/phishing pattern list. A header_checks REJECT/HOLD action
# is applied before the milter and content-filter stages.
header_checks =
regexp:/usr/local/etc/postfix/mailscanner_header_checks,
pcre:/usr/local/etc/postfix/header_checks,
regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred

# Virtual mailbox domains
# Domain/mailbox/alias lookups go through proxymap (proxy:mysql:...), so the
# unprivileged smtpd processes never open the MySQL connection themselves.
virtual_mailbox_domains =
proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps =
proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps =
proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf,
proxy:mysql:/usr/local/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_base = /home/vmail
# All virtual mailboxes are owned by a single uid/gid (999); see the
# master.cf note about other services that also run as that user.
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_minimum_uid = 999
# Increase the virtual mailbox limit from 51 mb to 250 mb
virtual_mailbox_limit = 262144000
# Delivery goes through the "dovecot" pipe service defined in master.cf,
# one recipient per deliver invocation.
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# For users who have moved
#relocated_maps = mysql:/usr/local/etc/postfix/mysql_relocated.cf

# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
# Two option sets: smtpd_sasl_security_options applies to a session WITHOUT
# TLS, smtpd_sasl_tls_security_options once STARTTLS is active. Because
# smtpd_tls_auth_only = yes (TLS section below) AUTH is never announced on
# a plaintext session, so in practice only the TLS set (noanonymous) is
# seen by clients; the noplaintext here is a belt-and-braces fallback.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Would record the SASL login name in the Received: header, i.e. show it to
# every recipient of an outgoing message -- left disabled.
#smtpd_sasl_authenticated_header = yes

# uce
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
# VRFY disabled: prevents address harvesting via the VRFY command.
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
# Do not leak the name of the lookup table in "User unknown" replies.
show_user_unknown_table_name = no
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

# Order matters: restrictions are evaluated top to bottom and the first
# permit/reject wins. Local and SASL-authenticated clients are permitted
# before any of the access tables, DNSBL or policy checks below run.
# NOTE(review): with compatibility_level set (end of file) the Postfix 3.x
# default smtpd_relay_restrictions (permit_mynetworks,
# permit_sasl_authenticated, defer_unauth_destination) is also in effect;
# keeping reject_unauth_destination here as well is harmless and is the
# safer of the two to keep.
smtpd_recipient_restrictions =
  permit_mynetworks
 permit_sasl_authenticated
  reject_unauth_destination
 check_sender_access hash:/usr/local/etc/postfix/safe_addresses
 check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
 check_client_access cidr:/usr/local/etc/postfix/spamfarms
 check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
# A DNSWL hit here short-circuits every reject_* check that follows,
# including the DNSBL and policy lookups -- only the two local blocklists
# above take precedence over it.
     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access 
pcre:/usr/local/etc/postfix/fqrdns.pcre
 reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
 reject_non_fqdn_helo_hostname
 reject_invalid_helo_hostname
 reject_unknown_helo_hostname
 reject_unlisted_recipient
 reject_rbl_client b.barracudacentral.org
 reject_rbl_client zen.spamhaus.org
        reject_rbl_client psbl.surriel.com
        reject_rbl_client bl.spamcop.net
        reject_rbl_client cbl.abuseat.org
 reject_rhsbl_client dbl.spamhaus.org
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org
# Both policy daemons are consulted synchronously for every recipient that
# gets this far; a policy service that is down or slow to answer makes the
# smtpd session wait on it -- one of the things to check when a session
# appears to hang.
  check_policy_service unix:private/spf-policy
# Postfix Quota status service
 check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
# AUTH is only offered after STARTTLS, so credentials never cross the wire
# in the clear even though TLS itself is opportunistic ("may") below.
smtpd_tls_auth_only = yes
# Only SSLv2/SSLv3 are excluded; TLSv1.0 and TLSv1.1 remain enabled.
# Acceptable for opportunistic MTA-to-MTA traffic, but consider a stricter
# set on the authenticated submission service.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
# NOTE(review): "EDH-RSA-DES-CDB3-SHA" looks like a typo for
# EDH-RSA-DES-CBC3-SHA (compare the EDH-DSS entry next to it). A cipher
# name that OpenSSL does not recognise is presumably just ignored, so that
# cipher would not actually be excluded -- verify against `openssl ciphers`.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
# The private key must stay readable only by root; smtpd reads it before
# dropping privileges.
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
# Despite the parameter name, a 2048-bit group is supplied here, which is
# what current guidance recommends for DHE.
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
#smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
# I wanted a little more logging than default for incoming mail.
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Add TLS information to the message headers
smtpd_tls_received_header = yes
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote
server supports it.
#smtp_tls_security_level = may
# NOTE(review): the comment above says "opportunistic", but the active
# value is "encrypt" = MANDATORY TLS for ALL outbound SMTP. Mail to any
# remote server that does not offer STARTTLS is deferred (and eventually
# bounced), never sent in the clear. Good for confidentiality; if outbound
# deliveries stall, check the deferred queue for such destinations.
smtp_tls_security_level = encrypt
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_ciphers = high
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA
# I wanted a little more logging than default for outgoing mail.
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

# For SPF
spf-policy_time_limit = 3600s

# OpenDKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
# accept = if the OpenDKIM milter is unreachable, mail is accepted and
# delivered unsigned / unverified instead of being tempfailed. That is an
# availability-over-integrity trade-off; make sure a milter outage is
# noticed (log monitoring), since nothing will fail loudly.
milter_default_action = accept

# postscreen(8) settings
### Before-220 tests
# Clients on this list bypass postscreen entirely (no DNSBL scoring, no
# greeting test) and go straight to smtpd -- keep the two cidr files tight.
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/postscreen_access.cidr,
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
# Weighted DNSBL scoring: positive weights count toward the threshold,
# the negative swl/dnswl weights subtract from it.
postscreen_dnsbl_sites = zen.spamhaus.org*3
 b.barracudacentral.org*2
 bl.spameatingmonkey.net*2
 dnsbl.ahbl.org*2
   bl.spamcop.net
 dnsbl.sorbs.net
 psbl.surriel.com
 bl.mailspike.net
 swl.spamhaus.org*-4
 list.dnswl.org=127.[0..255].[0..255].0*-2
 list.dnswl.org=127.[0..255].[0..255].1*-3
 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0

# Set the smtputf8 option because the dovecot service was not working
smtputf8_enable = no
# 9999 = run with all current Postfix 3.x defaults and no
# backwards-compatibility behaviour for the settings that changed since
# 2.11 (e.g. the smtpd_relay_restrictions default noted above). Review the
# 2.11 -> 3.x compatibility notes once rather than relying on the old
# behaviour surviving.
compatibility_level = 9999

master.cf:
# master.cf as posted. NOTE(review): the lone "-o" on a line of its own in
# the submission service, and the second lines of the dovecot and
# spf-policy argv entries without leading whitespace, are presumably
# mail-client wrapping; in master.cf each -o option and its value must be
# on one line and a continuation line must start with whitespace.
# Port 25 is fronted by postscreen; real smtpd processes are handed the
# connection via the "pass" service below.
#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
# Submission port 587 for client connection / sending mails from
authenticated users
# NOTE(review): the extra "-d" on the smtpd command is not one of the
# flags usually set on a production service; the page does not show what
# it is for. If it was added while debugging the hang, it should be
# removed again once the problem is found.
submission inet n       -       n       -       -       smtpd -d
  -o syslog_name=postfix/submission
  -o smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
# TLS stays optional ("may") on the authenticated port. Credentials are
# still protected because smtpd_tls_auth_only = yes is inherited from
# main.cf (AUTH is only offered after STARTTLS); "encrypt" is the usual
# hardening for a port that serves only authenticated users.
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
# permit_mynetworks here means any host in mynetworks (incl. [fe80::]/10
# from main.cf) can submit on 587 without authenticating; everything else
# must pass SASL or is rejected. There is no smtpd_recipient_restrictions
# override, so the main.cf list (which permits SASL clients early) also
# applies to this service.
  -o 
smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
# Tells the OpenDKIM milter this is originating mail (sign, not verify).
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

# Dovecot local delivery agent - allows us to use sieve filters for spam
# Runs deliver as the vmail user (the owner of all virtual mailboxes, uid
# 999 in main.cf). flags: D = prepend Delivered-To:, R = prepend
# Return-Path:, h/u = fold hostname and user part to lowercase.
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver
-f ${sender} -d ${recipient}

# for SPF support
# NOTE(review): the SPF policy daemon also runs as "vmail", the account
# that owns every mailbox. It does not need mailbox access; a dedicated
# unprivileged user (as the Postfix policy examples use) would keep a bug
# in the policy script from having write access to mail storage.
spf-policy unix -       n       n       -       0       spawn
          user=vmail argv=/usr/local/bin/perl
/usr/local/libexec/postfix-policyd-spf-perl
