"You seem to be explicitly setting many parameters to their defaults."
I removed a bunch, but might have missed some. That "command_directory" parameter I definitely didn't set. I think that's a result of building from source.

"You have the address mappings happening before, which means that the filter doesn't have access to the original addresses."
I was unaware entirely. I'm thinking I probably want the original addresses?

"I don't know what the milter on port 11332 is doing"
Believe that's rspamd.

"But I expect that you understand this much better than I do"
I've gotten into "from scratch" mail hosting a couple of months back. I've done all I can to learn before asking questions. I want to know the reason why I put each line of config.

"Removing $myhostname from mydestination looks unusual to me. I assume there's a good reason"
That was early on in my research. Believe it had something to do with Postfix saying my LDAP user didn't exist. Removing it allowed delivery.

"This can lead to your mail server transmitting email unencrypted"
In my effort to be a little less flexible (to get more encryption), it seems I'll do the opposite. I'll change that. Speaking of which...

smtp_tls_mandatory_protocols
smtp_tls_protocols

What is the difference between these two? I've read the docs but it didn't help.

"then you could make Postfix DANE-aware and avoid falling prey to man-in-the-middle attack"
Going to have to brush up on this. I have my AD PDC running DNS. Does it have to be localhost or can it be LAN?

"You might want to add "silent-discard" to the above to suppress warnings in your log files about it."
Good call, I was noticing that a bit. I'm sure when it goes into production that error would've annoyed me.

"I assume port 10023 is running Postgrey."
Correct.

"smtpd_sasl_auth_enable shouldn't be in main.cf."
Ah, because that would set the default across everything and we prefer it on 587.

"That limits authentication attempts (successful or not"
Do you have a specific recommendation on anvil or just pointing out what that parameter does?
"you eliminate the chance of a race condition when Postfix reads the new key and chain"
Race condition on renewal? If this happened, what would the effects look like? An untrusted certificate until I reload?

"if you set up a renewal hook that executes a script like this"
Thanks, saves me some work.

"It's best not to disable_dns_lookups. The Amavis guide says to do it"
It's tough to find much of anything on Amavis. Nowhere near as documented as Postfix and Dovecot. Is it still a good one to go with?

"Yep."
Does this mean "ditto" or "OK don't change"?

"you might also want to add SPF checking"
I did have 'postfix-policyd-spf-perl' but noticed OpenDMARC offers SPF. I have it set to always check even if the headers are provided. Or am I misunderstanding?

Thanks for taking the time to review this. I feel confident now in putting it online (after I make a few of your adjustments).
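The renewal race the reviewer mentions comes from Postfix reading the key and the chain as separate files while a renewal is replacing them. The hook below is an added example, not the script from the thread: it writes key and chain into one PEM, swaps it into place with a single rename, and reloads Postfix only afterwards. The certificate and Postfix paths are assumptions for a host named mail.example.com.

```shell
#!/bin/sh
# Added example (not from the thread): a certificate-renewal hook that builds
# the combined "key + chain" PEM Postfix can read as one file, installs it
# atomically, and only then reloads Postfix. Paths are assumptions.
set -eu

# install_combined KEY CHAIN DEST
# Writes KEY followed by CHAIN into a temp file in DEST's directory, then
# renames it over DEST. rename(2) is atomic, so a reload that happens mid-way
# through a renewal never sees a half-written file or a key/chain mismatch.
install_combined() {
    key=$1; chain=$2; dest=$3
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.combined.XXXXXX")
    chmod 0600 "$tmp"                 # the file holds the private key
    cat "$key" "$chain" > "$tmp"
    # refuse to install a file that is missing either half
    if ! grep -q 'BEGIN.*PRIVATE KEY' "$tmp" || ! grep -q 'BEGIN CERTIFICATE' "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install $dest: key or chain missing" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# renew_hook: what the ACME client calls after a successful renewal
# (hypothetical paths; set smtpd_tls_chain_files to the combined file).
renew_hook() {
    install_combined /etc/letsencrypt/live/mail.example.com/privkey.pem \
                     /etc/letsencrypt/live/mail.example.com/fullchain.pem \
                     /etc/postfix/tls/mail.example.com.pem
    postfix reload
}

# Run the hook only when invoked as "hook.sh run"; otherwise just define functions.
if [ "${1:-}" = run ]; then
    renew_hook
fi
```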