Re: Problems with aliases

2017-05-09 Thread Viktor Dukhovni

> On May 10, 2017, at 12:48 AM, Doug Hardie  wrote:
> 
> In the meantime I was entering some of the addresses and forwarding addresses
> into the vmail alias file.  Each entry was preceded by "# ".  My understanding
> was that lines starting with a # would be ignored.  I did not bother to run
> postmap as it would do nothing useful.

Adding comments to a table has no effect, other than warnings in the log file
that the source file is newer than the table.

> Several hours later I noticed that no outgoing mail was going out.  Everything
> was receiving an error in maillog:
> 
> May  8 00:02:49 mail postfix/error[83540]: 8A72B114C3EE: to=,
> relay=none, delay=94792, delays=94792/0.03/0/0, dsn=4.3.0, status=deferred
> (mail transport unavailable)

There were earlier failures in the log for mail to this domain, with a delivery
agent other than "postfix/error".  The error messages for those failures are the
reason why mail to the destination is not being delivered.

> Note, this address was not in the vmail alias file.  It appears to have
> affected all outgoing mail.  Incoming mail was processed normally.

Coincidence is not causality, something else broke.

> In addition there were a number of these messages (starting hours later in 
> the day):
> 
> May  8 23:44:57 mail postfix/smtpd[95331]: warning: database
> /usr/local/etc/postfix/vmail_alias.db is older than source file
> /usr/local/etc/postfix/vmail_alias

This warning is harmless.

> To restore service, I removed all these entries, ran postmap and did postfix
> restart.  Problem continued until I terminated postfix and restarted it.
> Then outgoing mail resumed delivery properly.

The "restart" cleared the list of throttled transports, but the problem is
likely to return.  I still get annoyed when folks seem too lazy to look more
closely at their logs. :-(

-- 
Viktor.



Re: Problems with aliases

2017-05-09 Thread Doug Hardie

> On 9 May 2017, at 22:19, James B. Byrne  wrote:
> 
> 
> On Wed, May 10, 2017 00:48, Doug Hardie wrote:
>> I have a situation that is most likely a problem with my understanding
>> of postfix and not a code problem.  I am getting ready to take over a
>> domain name for mail service.  A number of new addresses in that
>> domain need to be forwarded to other mail servers.  I setup postfix to
>> do that and it worked fine.  However, there is still some time before
>> I actually take over the domain.  In the meantime I was entering some
>> of the addresses and forwarding addresses into the vmail alias file.
>> Each entry was preceded by "# ".  My understanding was that lines
>> starting with a # would be ignored.  I did not bother to run postmap
>> as it would do nothing useful.
>> 
>> Several hours later I noticed that no outgoing mail was going out.
>> Everything was receiving an error in maillog:
>> 
> 
> If the source file has an mtime later than the resulting map file then
> postfix will treat this as an error condition. At least this is my
> experience so far.

That is what I noticed although I didn't expect postfix to do anything 
different in that situation.

>  If you check your maillog file you will find
> entries if this is the case.

Several hours after I changed the file, those messages began to appear.

>  Further, if you rebuild a mapfile then
> you must reload postfix for it to recognize the changes contained
> therein.

That doesn't seem correct.  I just ran another test and added a valid forward 
in vmail_alias file and ran postmap on it.  Then I sent to that address and 
sure enough it was delivered to the forward address.  I did not run postfix 
reload or restart the service.




Re: Problems with aliases

2017-05-09 Thread James B. Byrne

On Wed, May 10, 2017 00:48, Doug Hardie wrote:
> I have a situation that is most likely a problem with my understanding
> of postfix and not a code problem.  I am getting ready to take over a
> domain name for mail service.  A number of new addresses in that
> domain need to be forwarded to other mail servers.  I setup postfix to
> do that and it worked fine.  However, there is still some time before
> I actually take over the domain.  In the meantime I was entering some
> of the addresses and forwarding addresses into the vmail alias file.
> Each entry was preceded by "# ".  My understanding was that lines
> starting with a # would be ignored.  I did not bother to run postmap
> as it would do nothing useful.
>
> Several hours later I noticed that no outgoing mail was going out.
> Everything was receiving an error in maillog:
>

If the source file has an mtime later than the resulting map file then
postfix will treat this as an error condition. At least this is my
experience so far.  If you check your maillog file you will find
entries if this is the case.  Further, if you rebuild a mapfile then
you must reload postfix for it to recognize the changes contained
therein.



-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Problems with aliases

2017-05-09 Thread Doug Hardie
I have a situation that is most likely a problem with my understanding of 
postfix and not a code problem.  I am getting ready to take over a domain name 
for mail service.  A number of new addresses in that domain need to be 
forwarded to other mail servers.  I setup postfix to do that and it worked 
fine.  However, there is still some time before I actually take over the 
domain.  In the meantime I was entering some of the addresses and forwarding 
addresses into the vmail alias file.  Each entry was preceded by "# ".  My 
understanding was that lines starting with a # would be ignored.  I did not 
bother to run postmap as it would do nothing useful.

Several hours later I noticed that no outgoing mail was going out.  Everything 
was receiving an error in maillog:

May  8 00:02:49 mail postfix/error[83540]: 8A72B114C3EE: to=, 
relay=none, delay=94792, delays=94792/0.03/0/0, dsn=4.3.0, status=deferred 
(mail transport unavailable)

Note, this address was not in the vmail alias file.  It appears to have 
affected all outgoing mail.  Incoming mail was processed normally.

In addition there were a number of these messages (starting hours later in the 
day):

May  8 23:44:57 mail postfix/smtpd[95331]: warning: database 
/usr/local/etc/postfix/vmail_alias.db is older than source file 
/usr/local/etc/postfix/vmail_alias


To restore service, I removed all these entries, ran postmap and did postfix 
restart.  Problem continued until I terminated postfix and restarted it.  Then 
outgoing mail resumed delivery properly.


mail# postconf -n
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
max_use = 5
message_size_limit = 10240
mydestination = localhost.$mydomain, localhost
mydomain = sermon-archive.info
mynetworks_style = subnet
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, 
cidr:/usr/local/etc/postfix/access.cidr
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_destination_recipient_limit = 25
smtpd_authorized_xclient_hosts = 10.0.1.0/24
smtpd_command_filter = pcre:/usr/local/etc/postfix/quote
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 10
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/vmail_alias
virtual_gid_maps = static:
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = hash:/usr/local/etc/postfix/vmail_domains
virtual_mailbox_limit = 10240
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmail_mailbox
virtual_minimum_uid = 
virtual_transport = dovecot
virtual_uid_maps = static:
mail# 


mail# postconf -Mf
smtpd      pass  -   -   n   -   -   smtpd
smtp       inet  n   -   n   -   1   postscreen
dnsblog    unix  -   -   n   -   0   dnsblog
tlsproxy   unix  -   -   n   -   0   tlsproxy
submission inet  n   -   n   -   -   smtpd
dovecot    unix  -   n   n   -   -   pipe flags=DRhu
    user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender}
    -d ${recipient}
pickup     unix  n   -   n   60  1   pickup
cleanup    unix  n   -   n   -   0   cleanup
qmgr       unix  n   -   n   300 1   qmgr
tlsmgr     unix  -   -   n   1000?   1   tlsmgr
rewrite    unix  -   -   n   -   -   trivial-rewrite
bounce     unix  -   -   n   -   0   bounce
defer      unix  -   -   n   -   0   bounce
trace      unix  -   -   n   -   0   bounce
verify     unix  -   -   n   -   1   verify
flush      unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp       unix  -   -   n   -   -   smtp
relay      unix  -   -   n   -   -   smtp
showq      unix  n   -   n   -

Re: connection results

2017-05-09 Thread Viktor Dukhovni

> On May 9, 2017, at 10:15 PM, Richard Pickett  
> wrote:
> 
> My boss wants me to write a plugin that will capture the send results from 
> the remote server when email is delivered or instantly bounced.
> 
> Can someone point me in the right direction?


If log parsing is not sufficient, you can enable delegation of DSN notices
to remote downstream systems in the outbound Postfix server.  That way, all
delivery success/failure notices will be generated at the point where mail
leaves your domain and is accepted or rejected by a remote domain.

smtp_discard_ehlo_keywords = silent-discard, dsn

See DSN_README.

-- 
Viktor.



Re: connection results

2017-05-09 Thread Noel Jones
On 5/9/2017 9:15 PM, Richard Pickett wrote:
> My boss wants me to write a plugin that will capture the send
> results from the remote server when email is delivered or instantly
> bounced.
> 
> Messages like:
> 
> 550-5.1.1 The email account that you tried to reach does not
> exist. Please try\n550-5.1.1 double-checking the recipient's
> email address for typos or\n550-5.1.1 unnecessary spaces. Learn
> more at\n550 5.1.1
>  https://support.google.com/mail/?p=NoSuchUser
> c5si1104380pfh.293 - gsmtp
> 
> 
> I need to capture them along with the message ID and put them in a
> mysql database.
> 
> I've looked around, but don't see a "how to write a postfix plugin"
> 
> Can someone point me in the right direction?
> 
> Thanks!


Postfix doesn't have a plugin framework for capturing delivery status.

Use a log scraper instead of trying to write something into postfix.
 Even better, syslog can pipe output directly to a program that can
capture the interesting bits.  This will take you 1/10 the
development time, and won't break every time postfix is updated.


  -- Noel Jones
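
A log scraper of the kind suggested above, as an added example (not code from this thread or from Postfix): it joins each delivery-agent result line with the Message-ID logged by cleanup and stores the remote server's reply. It also keeps `postfix/error` lines apart, since, as the "Problems with aliases" reply above points out, those only repeat a local reason and the real failure is logged by another delivery agent. The log lines are constructed, the function and table names are illustrative, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Constructed sample maillog lines (hosts, queue IDs and addresses are made up).
SAMPLE_LOG = """\
May  9 21:15:01 mail postfix/cleanup[4101]: 3F2A91C0D5: message-id=<20170509.a1@example.org>
May  9 21:15:02 mail postfix/smtp[4105]: 3F2A91C0D5: to=<nobody@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=5.1.1, status=bounced (host mx.example.com[192.0.2.25] said: 550-5.1.1 The email account that you tried to reach does not exist. 550 5.1.1 (in reply to RCPT TO command))
May  9 21:16:10 mail postfix/cleanup[4101]: 7B11C2D0E6: message-id=<20170509.b2@example.org>
May  9 21:16:11 mail postfix/smtp[4105]: 7B11C2D0E6: to=<alice@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK queued as 12345)
May  9 21:17:30 mail postfix/cleanup[4101]: 9C44D3E1F7: message-id=<20170509.c3@example.org>
May  9 21:17:31 mail postfix/smtp[4105]: 9C44D3E1F7: to=<bob@example.net>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx2.example.net[198.51.100.8]:25: Connection timed out)
May  9 21:20:00 mail postfix/error[4110]: 9C44D3E1F7: to=<bob@example.net>, relay=none, delay=180, delays=180/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx2.example.net[198.51.100.8]:25: Connection timed out)
"""

# "postfix/<agent>[pid]: <queue id>: <rest>"
LINE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
# Delivery result as logged by smtp, lmtp, pipe, error, ...
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>,.*?relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$")
MSGID = re.compile(r"message-id=(?P<mid>\S+)")


def parse(lines):
    """Yield one dict per delivery attempt, joined with its Message-ID."""
    msgid = {}  # queue ID -> Message-ID seen in the cleanup line
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qid, agent, rest = m["qid"], m["agent"], m["rest"]
        if agent == "cleanup":
            mid = MSGID.match(rest)
            if mid:
                msgid[qid] = mid["mid"]
            continue
        d = DELIVERY.match(rest)
        if d:
            yield {"qid": qid, "agent": agent, "message_id": msgid.get(qid),
                   "rcpt": d["rcpt"], "relay": d["relay"], "dsn": d["dsn"],
                   "status": d["status"], "text": d["text"],
                   # postfix/error and relay=none carry a locally generated
                   # reason, never a remote server's reply.
                   "remote": agent != "error" and d["relay"] != "none"}


def store(db, records):
    """Insert the results that came from a remote server; return the count."""
    db.execute("CREATE TABLE IF NOT EXISTS delivery (qid TEXT, message_id TEXT,"
               " rcpt TEXT, relay TEXT, dsn TEXT, status TEXT, text TEXT)")
    rows = [(r["qid"], r["message_id"], r["rcpt"], r["relay"], r["dsn"],
             r["status"], r["text"]) for r in records if r["remote"]]
    # Bound parameters, never string formatting: the reply text is chosen by
    # the remote server. (sqlite3 uses "?"; MySQL drivers use "%s".)
    db.executemany("INSERT INTO delivery VALUES (?,?,?,?,?,?,?)", rows)
    db.commit()
    return len(rows)


def run_sample():
    db = sqlite3.connect(":memory:")
    records = list(parse(SAMPLE_LOG.splitlines()))
    return records, store(db, records), db


if __name__ == "__main__":
    records, stored, db = run_sample()
    for row in db.execute("SELECT message_id, rcpt, dsn, status FROM delivery"):
        print(row)
    for r in records:
        if not r["remote"]:
            print("local reason:", r["agent"], r["text"])
```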


connection results

2017-05-09 Thread Richard Pickett
My boss wants me to write a plugin that will capture the send results from
the remote server when email is delivered or instantly bounced.

Messages like:

550-5.1.1 The email account that you tried to reach does not exist. Please
try\n550-5.1.1 double-checking the recipient's email address for typos
or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1
https://support.google.com/mail/?p=NoSuchUser c5si1104380pfh.293 - gsmtp


I need to capture them along with the message ID and put them in a mysql
database.

I've looked around, but don't see a "how to write a postfix plugin"

Can someone point me in the right direction?

Thanks!


Re: What is the best anti-spam and anti-virus combos for Postfix?

2017-05-09 Thread pbw
Thanks Mark.

So far, so good.  I used this Linode tutorial
in addition to the DO one you mentioned, so that I had two views of the
process.

Now to look at your spamprobe setup.

Peter





Restarting milter application

2017-05-09 Thread Purushotham Nayak
Hi All,

I have a question about the correct way to restart a milter application.

I'm using postfix 2.6.6 with a milter application that was built using
sendmail's libmilter (8.14.7). The problem I'm having is when I need to
restart the milter application (due to a config change for example), I send
it a SIGTERM and then start it up again.

However, an smtpd instance that was running which was already connected to
milter will not try to connect to the milter after the milter has been
restarted. But when a new SMTP connection arrives from the client the new
smtpd will connect to the milter application and all processing works
correctly. Is this the expected behavior?  Or have I missed something in
the configuration / or possibly in the code? (To debug, I'm just using the
sample that comes with sendmail). Is there a way to get smtpd to send
tempfail to client when milter is not there but once the milter starts up
and is listening again smtpd reconnects and starts sending data to the
milter?

(https://www.apt-browse.org/browse/debian/wheezy/main/all/sendmail-base/8.14.4-4+deb7u1/file/usr/share/sendmail/examples/milter/sample.c)

In main.cf I have:

milter_default_action = tempfail
smtpd_milters = inet:localhost:10025
milter_protocol = 2

tcpdump output shows:
localhost.45724 > localhost.10025: Flags [.], ack 89, win 33, length 0
localhost.10025 > localhost.45724: Flags [F.], seq 89, ack 588, win 36,
length 0 ==> milter application received SIGTERM
localhost.45724 > localhost.10025: Flags [.], ack 90, win 33, length 0
localhost.45724 > localhost.10025: Flags [P.], seq 588:733, ack 90, win 33,
length 145  ==> SMIFC_ABORT
localhost.10025 > localhost.45724: Flags [R], seq 1329360186, win 0, length
0  ==> Reset since milter application has restarted

Thanks,


Re: SPF best practices

2017-05-09 Thread Scott Kitterman


On May 9, 2017 8:22:39 AM EDT, Volker Cordes  wrote:
>Hello,
>
>I know this topic is not really postfix related but advice would
>nevertheless be appreciated.
>
>I'm adding a second mail server to my setup, my domains are
>spf-protected by this simple entry:
>
>v=spf1 mx -all
>
>If I add second DNS A entry for my MX server will this still work or do
>I have to list ips individually? Or should I create multiple MX
>entries?
>The reason I don't want to do that in the first place is that there are
>a lot of domains and I'd have to set the entries manually.

The spf-help mailing list would be a much better place to ask this.  See 
http://www.openspf.org/Forums

Scott K


RE: Sanity check - of my postfix setup.

2017-05-09 Thread John Anderson
I second that. In a virtual mail setup I had a mismatch in the postfix (main.cf) 
and dovecot conf files. I wanna say it was the userdb settings for dovecot.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Paul Kelly
Sent: Tuesday, May 09, 2017 9:40 AM
To: postfix users 
Subject: Re: Sanity check - of my postfix setup.

I had similar issues and my Maildir was misnamed. I solved it by making a link 
from the existing name to the correct name.


On 05/09/2017 07:36 AM, Noel Jones wrote:
> On 5/9/2017 6:59 AM, John wrote:
>> As Andreas pointed out it might help if I outlined the problem.
>>
>> I am losing mail, it just disappears. Postfix seems to deliver it,
>> hands it off the dovecot LMTP and then shows "removed"
>>
>> Dovecot shows ... : saved to INBOX.
> Both postfix and dovecot are very careful to record in the log what
> happens to messages; if they say they delivered a message it was
> delivered.  No amount of misconfiguration can break that.
>
> Read the log carefully to make sure messages are delivered to where
> you expect them to be delivered.
>
>> But messages disappear. I am deeply suspicious of the
>> Dovecot/Thunderbird sieve setup and have disabled it to see if the
>> problem goes away.
> Yes, that's a good place to look for problems.
>
> Another possibility is your file system is broken in some manner,
> and falsely claims files are saved when they aren't.  Run fsck a few
> times to see if any errors are found to eliminate that possibility.
>
>
>
>-- Noel Jones



Re: Sanity check - of my postfix setup.

2017-05-09 Thread Paul Kelly
I had similar issues and my Maildir was misnamed. I solved it by making 
a link from the existing name to the correct name.



On 05/09/2017 07:36 AM, Noel Jones wrote:
> On 5/9/2017 6:59 AM, John wrote:
>> As Andreas pointed out it might help if I outlined the problem.
>>
>> I am losing mail, it just disappears. Postfix seems to deliver it,
>> hands it off the dovecot LMTP and then shows "removed"
>>
>> Dovecot shows ... : saved to INBOX.
> Both postfix and dovecot are very careful to record in the log what
> happens to messages; if they say they delivered a message it was
> delivered.  No amount of misconfiguration can break that.
>
> Read the log carefully to make sure messages are delivered to where
> you expect them to be delivered.
>
>> But messages disappear. I am deeply suspicious of the
>> Dovecot/Thunderbird sieve setup and have disabled it to see if the
>> problem goes away.
> Yes, that's a good place to look for problems.
>
> Another possibility is your file system is broken in some manner,
> and falsely claims files are saved when they aren't.  Run fsck a few
> times to see if any errors are found to eliminate that possibility.
>
>
>
>    -- Noel Jones




Re: Sanity check - of my postfix setup.

2017-05-09 Thread Noel Jones
On 5/9/2017 6:59 AM, John wrote:
> As Andreas pointed out it might help if I outlined the problem.
> 
> I am losing mail, it just disappears. Postfix seems to deliver it,
> hands it off the dovecot LMTP and then shows "removed"
> 
> Dovecot shows ... : saved to INBOX.

Both postfix and dovecot are very careful to record in the log what
happens to messages; if they say they delivered a message it was
delivered.  No amount of misconfiguration can break that.

Read the log carefully to make sure messages are delivered to where
you expect them to be delivered.

> 
> But messages disappear. I am deeply suspicious of the
> Dovecot/Thunderbird sieve setup and have disabled it to see if the
> problem goes away.

Yes, that's a good place to look for problems.

Another possibility is your file system is broken in some manner,
and falsely claims files are saved when they aren't.  Run fsck a few
times to see if any errors are found to eliminate that possibility.



  -- Noel Jones


Re: SPF best practices

2017-05-09 Thread chaouche yacine
Hello Volker,
What you need to do is tell other mail servers that they should accept mail 
from server2 on behalf of server1.
If server1 is server1.yourdomain.com and server2 is server2.anotherdomain.com 
then you should list anotherdomain.com in your spf. If server2 doesn't have a 
domain name, you can add its IP. If it's already listed in your MX for 
yourdomain.com, then you don't need to change anything. If you have an A record 
for yourdomain.com that points to server2's IP (shouldn't be), you need to add A 
to your spf string (v=spf1 mx a ~all). 

  -- Yassine.


 

On Tuesday, May 9, 2017 1:24 PM, Volker Cordes  wrote:
 

 Hello,

I know this topic is not really postfix related but advice would
nevertheless be appreciated.

I'm adding a second mail server to my setup, my domains are
spf-protected by this simple entry:

v=spf1 mx -all

If I add second DNS A entry for my MX server will this still work or do
I have to list ips individually? Or should I create multiple MX entries?
The reason I don't want to do that in the first place is that there are
a lot of domains and I'd have to set the entries manually.

Thanks
Volker

   

Re: SPF best practices

2017-05-09 Thread Philip Paeps

On 2017-05-09 14:22:39 (+0200), Volker Cordes  wrote:

> I know this topic is not really postfix related but advice would
> nevertheless be appreciated.

This is definitely more appropriate for another mailing list.

> I'm adding a second mail server to my setup, my domains are
> spf-protected by this simple entry:
>
> v=spf1 mx -all
>
> If I add second DNS A entry for my MX server will this still work or do
> I have to list ips individually? Or should I create multiple MX entries?
> The reason I don't want to do that in the first place is that there are
> a lot of domains and I'd have to set the entries manually.


Note that MX records list servers that *receive* email while SPF records 
list servers that *send* email.


As far as SPF is concerned, adding an extra A record to the host pointed 
to by the MX record will just work but that's usually not what you want 
with respect to your receiving mail servers.  If that server will not be 
receiving mail, it's definitely the wrong thing to do.


I prefer to list individual IPs in my SPF records.

If you don't want to maintain many SPF records, look into creating an 
_spf.example.com SPF record and including it in your various domains.


Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information


SPF best practices

2017-05-09 Thread Volker Cordes
Hello,

I know this topic is not really postfix related but advice would
nevertheless be appreciated.

I'm adding a second mail server to my setup, my domains are
spf-protected by this simple entry:

v=spf1 mx -all

If I add second DNS A entry for my MX server will this still work or do
I have to list ips individually? Or should I create multiple MX entries?
The reason I don't want to do that in the first place is that there are
a lot of domains and I'd have to set the entries manually.

Thanks
Volker


Re: Sanity check - of my postfix setup.

2017-05-09 Thread John

As Andreas pointed out it might help if I outlined the problem.

I am losing mail, it just disappears. Postfix seems to deliver it, hands 
it off the dovecot LMTP and then shows "removed"


Dovecot shows ... : saved to INBOX.

But messages disappear. I am deeply suspicious of the 
Dovecot/Thunderbird sieve setup and have disabled it to see if the 
problem goes away.


When I go through my Postfix config I do not see any problems, but I am 
not a Postfix expert. Ditto for Dovecot, but that's a different list.




On 5/9/17 7:20 AM, John wrote:
> I am trying to debug a problem with my mail system. I think the 
> problem is with Dovecot, or Thunderbird.
>
> However, just to make sure I am not missing something really stupid 
> could I get a check on my postfix setup.
>
> TIA
>
> John A





Sanity check - of my postfix setup.

2017-05-09 Thread John
I am trying to debug a problem with my mail system. I think the problem 
is with Dovecot, or Thunderbird.


However, just to make sure I am not missing something really stupid 
could I get a check on my postfix setup.


TIA

John A

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = all
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2 bl.spamcop.net
dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org, reject_rbl_client bl.spameatingmonkey.net,
reject_rbl_client bl.ipv6.spameatingmonkey.net, reject_rbl_client
bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, check_helo_access
pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, check_recipient_access
pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access
hash:/etc/postfix/maps/recipient_checks, check_policy_service
inet:127.0.0.1:10023
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain, check_sender_access
hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.klam.ca/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /etc/letsencrypt/live/mail.klam.ca/privkey.pem
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtp   inet  n   -   n   -   1   postscreen
smtpd  pass  -   -   n   -   -   smtpd
-o cleanup_service_name=pre-cleanup
pickup fifo  n   -   n   60  1   pickup
-o cleanup_service_name=pre-cleanup
submission inet  n   -   n   -   30  smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/dovecot-auth
-o smtpd_sasl_local_domain=$mydomain
-o broken_sasl_auth_clients=yes
-o smtpd_sas