Re: accept email if pass SPF or DKIM
On Wed, 10 Jan 2018 21:59:26 -0500 "Kevin A. McGrail" wrote:

> On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:
> > RTFMing, I see that both opendkim and python-policyd-spf have
> > whitelisting capabilities (especially python-policyd-spf). But for
> > the most part, my legitimate incoming email passes DKIM or SPF, but
> > often not both. What I would like to do is accept email that passes
> > either DKIM or SPF, but the milters are not connected in any way
> > that I can see. What I'm trying to avoid is setting up whitelists
> > for each domain based on which method of identity the sysop decided
> > to implement.
>
> That sounds like a problematic approach to me.
>
> If an administrator of a domain sets up DNS for SPF records and then
> fails, it should fail.
> If an administrator of a domain sets up DNS for DKIM records and that
> fails, it should fail.
>
> If an email is failing either, the administrator of the sending
> domain fails either, that indicates a problem. Assuming your system
> isn't breaking DKIM, the sender really should be notified to resolve
> the issue. Whitelisting would really open you up to problems.
>
> Regards,
> KAM

I help with a few people I know that set up their own email to pass SPF and DKIM, but realistically no major corporation is going to give a sample of fecal matter to my opinion, presuming I could ever find the person in charge.

Google is of the opinion that all you need is DKIM. Seems to me they are correct, but we have to work with whatever the sysop wants to implement. (Google provides SPF for their cloud servers as a means to get the IP space. I see hacking from that space of course, so the list comes in handy for blocking.)

Maybe there is a way to check DKIM first, then skip the SPF check. The number of servers that only do SPF but not DKIM is small.

I have one contact whose email employs neither SPF nor DKIM. That is plus.net. In the spirit of making the world a better place, I will contact them and see how far I get.
Re: accept email if pass SPF or DKIM
On January 11, 2018 2:53:10 AM UTC, "li...@lazygranch.com" wrote:

> RTFMing, I see that both opendkim and python-policyd-spf have
> whitelisting capabilities (especially python-policyd-spf). But for the
> most part, my legitimate incoming email passes DKIM or SPF, but often
> not both. What I would like to do is accept email that passes either
> DKIM or SPF, but the milters are not connected in any way that I can
> see. What I'm trying to avoid is setting up whitelists for each domain
> based on which method of identity the sysop decided to implement.

This is approximately what DMARC does: https://dmarc.org/

Scott K
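Added illustration (not code from the thread, opendkim, python-policyd-spf or dmarc.org): the difference between the "accept if SPF or DKIM passes" rule asked for above and what DMARC actually evaluates is the identifier alignment check. The script below reads an Authentication-Results header value (as an upstream milter would leave it), applies both rules, and shows where they disagree: a valid DKIM signature from an unrelated d= domain, or an SPF pass for an unrelated envelope sender, satisfies "either passes" but not a DMARC-style check against the From: domain. The sample headers and domains are constructed; the organizational-domain computation is a last-two-labels simplification of the Public Suffix List lookup real DMARC uses, and the header parser handles no comments or quoted strings.

```python
# Constructed samples (not from the thread): From: domain, Authentication-Results value.
SAMPLES = {
    "own_dkim_spf_fail": (
        "example.org",
        "mx.example.net; dkim=pass header.d=example.org header.s=sel1; "
        "spf=fail smtp.mailfrom=bounce.example.org",
    ),
    "spf_only_sender": (
        "example.org",
        "mx.example.net; dkim=none; spf=pass smtp.mailfrom=notify@example.org",
    ),
    "third_party_signature": (
        "bank.example.org",
        "mx.example.net; dkim=pass header.d=newsletter.example header.s=k1; spf=none",
    ),
    "spf_pass_unrelated_domain": (
        "example.org",
        "mx.example.net; dkim=fail header.d=example.org; "
        "spf=pass smtp.mailfrom=bounce.example.com",
    ),
}


def parse_authentication_results(value):
    """Split an Authentication-Results value into (method, result, props) tuples.
    Simplified parser: no CFWS comments, no quoted strings."""
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:                 # parts[0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results


def org_domain(domain):
    """Organizational domain. Simplification: last two labels, not the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same organizational domain (relaxed)."""
    candidate, from_domain = candidate.lower().strip("."), from_domain.lower().strip(".")
    if strict:
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def either_passes(results):
    """The rule asked for in the thread: accept if SPF or DKIM passed, whatever identity passed."""
    return any(m in ("dkim", "spf") and r == "pass" for m, r, _ in results)


def dmarc_style_pass(results, from_domain, strict=False):
    """DMARC-style: a pass only counts if the authenticated identity aligns with From:."""
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim" and "header.d" in props:
            if aligned(props["header.d"], from_domain, strict):
                return True
        elif method == "spf" and "smtp.mailfrom" in props:
            mailfrom_domain = props["smtp.mailfrom"].rpartition("@")[2]
            if aligned(mailfrom_domain, from_domain, strict):
                return True
    return False


def evaluate(from_domain, ar_value, strict=False):
    results = parse_authentication_results(ar_value)
    return {"either": either_passes(results),
            "dmarc": dmarc_style_pass(results, from_domain, strict)}


def evaluate_samples(strict=False):
    return {name: evaluate(d, ar, strict) for name, (d, ar) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(name, verdict)
```

The two cases where the verdicts differ are exactly the ones a plain "either passes" whitelist lets through: a signature or SPF record proves that some domain sent the message, and without alignment that domain need not be the one shown to the recipient.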
Re: accept email if pass SPF or DKIM
On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:
> RTFMing, I see that both opendkim and python-policyd-spf have
> whitelisting capabilities (especially python-policyd-spf). But for
> the most part, my legitimate incoming email passes DKIM or SPF, but
> often not both. What I would like to do is accept email that passes
> either DKIM or SPF, but the milters are not connected in any way
> that I can see. What I'm trying to avoid is setting up whitelists
> for each domain based on which method of identity the sysop decided
> to implement.

That sounds like a problematic approach to me.

If an administrator of a domain sets up DNS for SPF records and then fails, it should fail.
If an administrator of a domain sets up DNS for DKIM records and that fails, it should fail.

If an email is failing either, the administrator of the sending domain fails either, that indicates a problem. Assuming your system isn't breaking DKIM, the sender really should be notified to resolve the issue. Whitelisting would really open you up to problems.

Regards,
KAM
accept email if pass SPF or DKIM
RTFMing, I see that both opendkim and python-policyd-spf have whitelisting capabilities (especially python-policyd-spf). But for the most part, my legitimate incoming email passes DKIM or SPF, but often not both. What I would like to do is accept email that passes either DKIM or SPF, but the milters are not connected in any way that I can see. What I'm trying to avoid is setting up whitelists for each domain based on which method of identity the sysop decided to implement.
Re: check_sasl_access' ignored: no SASL support
On Thu, January 11, 2018 1:17 pm, Voytek wrote:
> I'm in the process of enabling postscreen, and, just noticed started
> getting these warnings today, after editing/adding postscreen
>

oops. forgot to add: as a part of postscreen setup, I've altered

(was)     smtpd_sasl_auth_enable = yes
(current) smtpd_sasl_auth_enable = no

I've now reverted to 'yes' - and, am checking if message goes away
check_sasl_access' ignored: no SASL support
I'm in the process of enabling postscreen, and, just noticed started getting these warnings today, after editing/adding postscreen

Jan 11 13:03:12 geko postfix/smtpd[5403]: warning: restriction `check_sasl_access' ignored: no SASL support
Jan 11 13:03:54 geko postfix/smtpd[5403]: warning: restriction `check_sasl_access' ignored: no SASL support
Jan 11 13:04:39 geko postfix/smtpd[5403]: warning: restriction `check_sasl_access' ignored: no SASL support

looking at log events for one of these, I see like[1]:

in my /etc/postfix/main.cf I have

# grep check_sasl_access main.cf
check_sasl_access hash:/etc/postfix/sasl_access

this was put 2 yrs ? ago, aiming to block a compromised user account from being used for spam

never had (or, noticed ??) these errors before

what did I screw up..?

postconf [2]

# ls -al /etc/postfix/sasl_access
-rw-r--r-- 1 root postfix 269 Oct 8 2015 /etc/postfix/sasl_access

# cat /etc/postfix/sasl_access
minto HOLD
casula HOLD
bankstown HOLD
cas...@dom.org.au HOLD
bankst...@dom.org.au HOLD

[2]
# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
anvil_rate_time_unit = 1h
append_dot_mydomain = yes
biff = no
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 15
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 30971520
mime_header_checks = pcre:$config_directory/mime_headers.pcre
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = sbt.net.au
myhostname = geko.sbt.net.au
mynetworks = 163.47.110.6 163.47.110.7 103.15.178.123 110.175.246.167 60.242.27.57 127.0.0.1
myorigin = geko.sbt.net.au
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = DROP
postscreen_command_count_limit = 8
postscreen_command_time_limit = 30
postscreen_dnsbl_action = ENFORCE
postscreen_dnsbl_sites = zen.spamhaus.org*5, psbl.surriel.com*2, bl.spamcop.net*2, dnsbl.spfbl.net*2, db.wpbl.info, dnsbl.dronebl.org, pofon.foobar.hu, bl.ipv6.spameatingmonkey.net*2, dnsbl6.anticaptcha.net, bl.spameatingmonkey.net*2, bl.mailspike.net, b.barracudacentral.org*2, dnsbl.sorbs.net, ubl.unsubscore.com, truncate.gbudb.net, list.dnswl.org*-3, zz.countries.nerd.dk=127.0.3.58*-1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = ENFORCE
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 12
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_junk_comma
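Added configuration sketch (not from the thread, and not Voytek's actual files): smtpd logs "restriction `check_sasl_access' ignored: no SASL support" whenever it reaches a check_sasl_access restriction in an smtpd instance where smtpd_sasl_auth_enable is "no" (or SASL is not compiled in). Turning SASL off on port 25 is the usual companion of a postscreen setup, so the lookup that is meant to HOLD compromised logins has to live with the smtpd that still does AUTH, normally the submission service. The pattern below assumes a submission listener on port 587 and reuses the main.cf/master.cf `$mua_client_restrictions` convention from the stock master.cf; the map path and HOLD entries are the ones posted above.

```conf
# /etc/postfix/main.cf (added example)
# Port 25 sits behind postscreen and does no AUTH, so no check_sasl_access there.
smtpd_sasl_auth_enable = no

# Restrictions for authenticated clients only. check_sasl_access looks up the
# SASL login name, so it must come before permit_sasl_authenticated to have
# any effect; the table holds "minto HOLD" style entries as posted above.
mua_client_restrictions =
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/sasl_access,
    permit_sasl_authenticated,
    reject

# /etc/postfix/master.cf (added example)
# The submission service turns SASL on and uses the list above; because the
# list is referenced by name, the space in "check_sasl_access hash:..." does
# not need quoting in the -o override.
submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=$mua_client_restrictions
```

After `postfix reload`, `postconf -M submission` shows the overrides and `postconf -n mua_client_restrictions` the expanded list; the warning should stop on port 25 and a HOLD for a listed login should appear only in the submission log. Remember to `postmap /etc/postfix/sasl_access` after editing the table.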
Re: Postfix with sqlite - Database becomes locked
> On Jan 10, 2018, at 7:45 PM, Wietse Venema wrote:
>
>> I am uncertain as to what's causing the DB to get locked - I am also running
>> Roundcube (webmail) on the server, maybe that's the reason. I will check the
>> permission roundcube uses to access the db, I think it can be read-only
>> which will hopefully fix the locking issue.
>
> It certainly looks like a problem specific to your setup. The Postfix
> sqlite client has been around since Postfix 2.8 and it has hardly
> changed.
>
>> As a feature request, would it maybe make sense to add a waiting
>> period to be able to wait for the lock for 1-2 seconds and then
>> retry with the database query?
>
> The only lock that can prevent sqlite from reading is a write lock,
> and there is nothing in Postfix that generates an sqlite write request.
>
> Look at the file modification time. Did the file change recently?
>
> Let's find out more about the error first. See John Fawcett's suggestion.

SQLite is designed primarily for embedded access and writers acquire exclusive locks when making updates, or merging the write-ahead-log into the database ... Read-only users need to be willing to retry database operations when it is locked by a writer.

The easiest way to do that is by making the first raw SQL command at the start of a connection a pragma to set a busy timeout:

https://www.sqlite.org/pragma.html#pragma_busy_timeout

PRAGMA busy_timeout = milliseconds

For a database with email-related info large transactions and long write-locks should be rare, so 1000ms or so should be enough.

-- 
Viktor.
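Added demonstration (not Postfix code and not from the thread) of the failure mode and of the busy_timeout pragma Viktor describes. It uses Python's sqlite3 module as the stand-in map client, builds a constructed alias table in a temporary file in the shape of the query from the log, then performs the same read-only SELECT three times: with no writer, while another connection holds an EXCLUSIVE lock and the reader has no busy timeout (this fails at once with "database is locked", the behaviour Wietse notes above), and while the lock is held but the reader's first statement is `PRAGMA busy_timeout`, so the reader retries until the writer commits. The lock hold time and timeouts are assumptions chosen for the demo; `timeout=0` on connect switches off Python's own default busy handler so that the pragma is the only retry policy in force.

```python
import os
import sqlite3
import tempfile
import threading
import time

# Constructed table in the shape of the thread's virtual_alias lookup.
SCHEMA = "CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT, active TEXT)"
ROWS = [("presse@example.org", "inbox@example.org", "1")]
QUERY = "SELECT goto FROM alias WHERE address = ? AND active = '1'"


def make_db(path):
    """Create the constructed alias table used by the demo."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?)", ROWS)
    conn.close()


def lookup(path, address, busy_timeout_ms):
    """Read-only lookup the way a map client would do it.

    The PRAGMA is the first statement on the connection, as Viktor suggests.
    Returns ("ok", goto) or ("error", message).
    """
    conn = sqlite3.connect(path, isolation_level=None, timeout=0)
    try:
        conn.execute("PRAGMA busy_timeout = %d" % int(busy_timeout_ms))
        row = conn.execute(QUERY, (address,)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:   # "database is locked" lands here
        return ("error", str(exc))
    finally:
        conn.close()


def lookup_during_write(path, address, hold_ms, busy_timeout_ms):
    """Run lookup() while another connection holds an EXCLUSIVE lock.

    The writer releases the lock after hold_ms; a busy_timeout longer than
    that lets the reader succeed, a timeout of 0 fails immediately.
    """
    writer = sqlite3.connect(path, isolation_level=None, timeout=0,
                             check_same_thread=False)
    writer.execute("BEGIN EXCLUSIVE")          # blocks new readers at once

    def release():
        time.sleep(hold_ms / 1000.0)
        writer.execute("COMMIT")

    t = threading.Thread(target=release)
    t.start()
    try:
        return lookup(path, address, busy_timeout_ms)
    finally:
        t.join()
        writer.close()


def run_demo():
    """Return the three outcomes: unlocked, locked with no wait, locked with wait."""
    path = os.path.join(tempfile.mkdtemp(), "virtual_alias.db")
    make_db(path)
    addr = "presse@example.org"
    return {
        "unlocked": lookup(path, addr, 0),
        "locked_no_wait": lookup_during_write(path, addr, 300, 0),
        "locked_with_wait": lookup_during_write(path, addr, 300, 2000),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The "locked_no_wait" case is the one in Sebastian's log: a single SQLITE_BUSY on a read turns into a fatal map error for the cleanup process. Whatever writes the file (the thread suspects Roundcube) needs a short enough transaction for a 1000 ms busy timeout to cover it.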
Re: Postfix with sqlite - Database becomes locked
Sebastian Wolfgarten:
> Hi,
>
> I am uncertain as to what's causing the DB to get locked - I am also running
> Roundcube (webmail) on the server, maybe that's the reason. I will check the
> permission roundcube uses to access the db, I think it can be read-only which
> will hopefully fix the locking issue.

It certainly looks like a problem specific to your setup. The Postfix sqlite client has been around since Postfix 2.8 and it has hardly changed.

> As a feature request, would it maybe make sense to add a waiting
> period to be able to wait for the lock for 1-2 seconds and then
> retry with the database query?

The only lock that can prevent sqlite from reading is a write lock, and there is nothing in Postfix that generates an sqlite write request.

Look at the file modification time. Did the file change recently?

Let's find out more about the error first. See John Fawcett's suggestion.

Wietse

>
> Kind regards
> Sebastian
>
>> On 10.01.2018 at 21:15, Wietse Venema wrote:
>>
>> Sebastian Wolfgarten:
>>> Dear all,
>>>
>>> I am running postfix 3.3 and recently migrated all my virtual
>>> domains from MySQL to Sqlite for performance reasons. So far,
>>> everything works fine however up to 5-8 times a day, I am seeing
>>> an error message in my mail.log saying that the Sqlite 3 database
>>> may be locked. Here is an example:
>>
>> So what is locking the database? The query as shown does not attempt
>> to modify the database. Note that the query fails immediately, there
>> is no attempt to wait for a lock to be released.
>>
>> Wietse
>>
>>> Jan 10 18:00:45 waldfest postfix/smtpd[88198]: 3D13F5076C7:
>>> client=spring-chicken-bi.twitter.com[199.16.156.174]
>> ...
>>> Jan 10 18:00:45 waldfest postfix/cleanup[88252]: fatal:
>>> dict_sqlite_lookup: /etc/postfix/sqlite_virtual_alias_maps.cf: SQL
>>> finalize failed for query 'SELECT goto FROM alias WHERE
>>> address='pre...@freizeitpark-erlebnis.de' AND active = '1'': database is
>>> locked?
>
Re: Questions regarding elliptic curve support
> On Jan 10, 2018, at 5:38 PM, J Doe wrote:
>
> Hi,
>
> I had two short questions regarding Postfix's elliptic curve support for the
> SMTP server.
>
> 1. Under the man documentation for: tls_eecdh_strong_curve the documentation
> states "...approximately 128-bit security...". Is that saying that it is
> equivalent to 128-bits RSA or it provides an elliptic curve key size of
> nearly 128-bits ?

No, it is 2^128 work-factor, as in AES-128 or RSA ~3072. You should generally not change tls_eecdh_strong_curve. 128-bit RSA is *not* 128-bit security. See:

http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

> 2. To make use of elliptic curve encryption a TLS certificate must have been
> made with support for elliptic curves, correct?

EECDH key-agreement is largely independent of the certificate type. You can do EECDH key agreement with either RSA or ECDSA certificates.

> A TLS certificate using RSA keys will not work?

Actually it works just fine. RSA certificates are used to *authenticate* the key exchange, which is performed via EECDH.

See also http://www.postfix.org/FORWARD_SECRECY_README.html

-- 
Viktor.
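Added check (not from the thread or from Postfix) that makes the key-agreement/authentication split above visible on the local OpenSSL: each cipher suite carries a separate key exchange (Kx) and authentication (Au) component, and the ECDHE suites exist in both an RSA-authenticated and an ECDSA-authenticated flavour, so an RSA certificate gets ephemeral ECDH key agreement and forward secrecy just as an ECDSA one does. The code asks Python's ssl module for the suites matching a cipher string and classifies them by the `Kx=`/`Au=` fields of OpenSSL's description line; the cipher string is an assumption chosen so that only ECDHE suites are listed. The same combination appears in the log elsewhere on this page, where an inbound connection negotiated ECDHE-RSA-AES128-GCM-SHA256 against what is evidently an RSA certificate.

```python
import re
import ssl

# OpenSSL cipher description lines look like:
#   "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD"
_KX_AU = re.compile(r"Kx=(\S+)\s+Au=(\S+)")


def suite_kx_au(description):
    """Return (key_exchange, authentication) parsed from a cipher description line."""
    m = _KX_AU.search(description)
    return (m.group(1), m.group(2)) if m else (None, None)


def ecdhe_suites(auth, cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Names of suites the local OpenSSL offers that use ephemeral ECDH key
    agreement (Kx=ECDH) authenticated by the given certificate algorithm
    ('RSA' or 'ECDSA'). TLS 1.3 suites report Kx=any/Au=any and are skipped.
    The cipher_string default is an assumption made for this demo."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = []
    for c in ctx.get_ciphers():
        kx, au = suite_kx_au(c["description"])
        if kx == "ECDH" and au == auth:
            names.append(c["name"])
    return names


def forward_secrecy_by_cert_type():
    """Map certificate type to the ECDHE suites it can authenticate."""
    return {auth: ecdhe_suites(auth) for auth in ("RSA", "ECDSA")}


if __name__ == "__main__":
    for auth, suites in forward_secrecy_by_cert_type().items():
        print(auth, "certificates authenticate these ECDHE suites:")
        for name in suites:
            print("   ", name)
```

The RSA list is non-empty on any OpenSSL build with EC support, which is the practical answer to question 2: the certificate only decides which signature verifies the ephemeral key, not whether an elliptic-curve exchange happens.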
Questions regarding elliptic curve support
Hi,

I had two short questions regarding Postfix's elliptic curve support for the SMTP server.

1. Under the man documentation for: tls_eecdh_strong_curve the documentation states "...approximately 128-bit security...". Is that saying that it is equivalent to 128-bits RSA or it provides an elliptic curve key size of nearly 128-bits ?

2. To make use of elliptic curve encryption a TLS certificate must have been made with support for elliptic curves, correct ? A TLS certificate using RSA keys will not work ?

Thanks,

- J
Re: Postfix with sqlite - Database becomes locked
On 01/10/2018 09:28 PM, Sebastian Wolfgarten wrote:
> Hi,
>
> I am uncertain as to what's causing the DB to get locked - I am also running
> Roundcube (webmail) on the server, maybe that's the reason. I will check the
> permission roundcube uses to access the db, I think it can be read-only which
> will hopefully fix the locking issue.
>
> As a feature request, would it maybe make sense to add a waiting period to be
> able to wait for the lock for 1-2 seconds and then retry with the database
> query?
>
> Thanks.
>
> Kind regards
> Sebastian
>
>> On 10.01.2018 at 21:15, Wietse Venema wrote:
>>
>> Sebastian Wolfgarten:
>>> Dear all,
>>>
>>> I am running postfix 3.3 and recently migrated all my virtual
>>> domains from MySQL to Sqlite for performance reasons. So far,
>>> everything works fine however up to 5-8 times a day, I am seeing
>>> an error message in my mail.log saying that the Sqlite 3 database
>>> may be locked. Here is an example:
>> So what is locking the database? The query as shown does not attempt
>> to modify the database. Note that the query fails immediately, there
>> is no attempt to wait for a lock to be released.
>>
>> Wietse
>>
>>> Jan 10 18:00:45 waldfest postfix/smtpd[88198]: 3D13F5076C7:
>>> client=spring-chicken-bi.twitter.com[199.16.156.174]
>> ...
>>> Jan 10 18:00:45 waldfest postfix/cleanup[88252]: fatal: dict_sqlite_lookup:
>>> /etc/postfix/sqlite_virtual_alias_maps.cf: SQL finalize failed for query
>>> 'SELECT goto FROM alias WHERE address='pre...@freizeitpark-erlebnis.de' AND
>>> active = '1'': database is locked?

Could be useful to see the return code from sqlite3_step. If this is different to SQLITE_DONE or SQLITE_ROW then the warning message is triggered. When using sqlite3_step() after the sqlite3_prepare_v2() function the return code can contain extended error information.
https://www.sqlite.org/rescode.html If you're able to compile from source: --- dict_sqlite.c 2015-01-11 17:52:40.0 +0100 +++ dict_sqlite_new.c 2018-01-10 21:55:12.149559110 +0100 @@ -244,8 +244,8 @@ } /* Fix 20100616 */ else { - msg_warn("%s: %s: SQL step failed for query '%s': %s\n", - myname, dict_sqlite->parser->name, + msg_warn("%s: %s: SQL step failed with result %d for query '%s': %s\n", + myname, dict_sqlite->parser->name,status, vstring_str(query), sqlite3_errmsg(dict_sqlite->db)); dict->error = DICT_ERR_RETRY; break; John
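Review bot: a bare integer in the syslog line is hard to read and the extended result codes the message refers to will not normally appear here; in the `+ msg_warn(...)` line consider logging `sqlite3_errstr(status)` next to (or instead of) `%d`, since sqlite3_step() only returns extended codes when sqlite3_extended_result_codes() has been enabled on the handle, which this hunk does not do, so for the locked case discussed in the thread status will be the primary code 5 (SQLITE_BUSY) and the text after it the same "database is locked" that sqlite3_errmsg() already supplies. Minor style point in the same line: `dict_sqlite->parser->name,status,` is missing the space after the comma that the surrounding argument list uses.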
Re: Postfix with sqlite - Database becomes locked
Hi,

I am uncertain as to what's causing the DB to get locked - I am also running Roundcube (webmail) on the server, maybe that's the reason. I will check the permission roundcube uses to access the db, I think it can be read-only which will hopefully fix the locking issue.

As a feature request, would it maybe make sense to add a waiting period to be able to wait for the lock for 1-2 seconds and then retry with the database query?

Thanks.

Kind regards
Sebastian

> On 10.01.2018 at 21:15, Wietse Venema wrote:
>
> Sebastian Wolfgarten:
>> Dear all,
>>
>> I am running postfix 3.3 and recently migrated all my virtual
>> domains from MySQL to Sqlite for performance reasons. So far,
>> everything works fine however up to 5-8 times a day, I am seeing
>> an error message in my mail.log saying that the Sqlite 3 database
>> may be locked. Here is an example:
>
> So what is locking the database? The query as shown does not attempt
> to modify the database. Note that the query fails immediately, there
> is no attempt to wait for a lock to be released.
>
> Wietse
>
>> Jan 10 18:00:45 waldfest postfix/smtpd[88198]: 3D13F5076C7:
>> client=spring-chicken-bi.twitter.com[199.16.156.174]
> ...
>> Jan 10 18:00:45 waldfest postfix/cleanup[88252]: fatal: dict_sqlite_lookup:
>> /etc/postfix/sqlite_virtual_alias_maps.cf: SQL finalize failed for query
>> 'SELECT goto FROM alias WHERE address='pre...@freizeitpark-erlebnis.de' AND
>> active = '1'': database is locked?
Re: Postfix with sqlite - Database becomes locked
Sebastian Wolfgarten:
> Dear all,
>
> I am running postfix 3.3 and recently migrated all my virtual
> domains from MySQL to Sqlite for performance reasons. So far,
> everything works fine however up to 5-8 times a day, I am seeing
> an error message in my mail.log saying that the Sqlite 3 database
> may be locked. Here is an example:

So what is locking the database? The query as shown does not attempt to modify the database. Note that the query fails immediately, there is no attempt to wait for a lock to be released.

Wietse

> Jan 10 18:00:45 waldfest postfix/smtpd[88198]: 3D13F5076C7:
> client=spring-chicken-bi.twitter.com[199.16.156.174]
...
> Jan 10 18:00:45 waldfest postfix/cleanup[88252]: fatal: dict_sqlite_lookup:
> /etc/postfix/sqlite_virtual_alias_maps.cf: SQL finalize failed for query
> 'SELECT goto FROM alias WHERE address='pre...@freizeitpark-erlebnis.de' AND
> active = '1'': database is locked?
Re: Postfix Relay per host ACLs
Viktor Dukhovni:
>
>> On Jan 10, 2018, at 12:07 PM, Stuart Archer wrote:
>>
>> Can I use a wildcard in global-recipients ?
>
> http://www.postfix.org/access.5.html
>
> EMAIL ADDRESS PATTERNS
>        user@domain ...
>        domain.tld ...
>        .domain.tld ...
>        user@ ...

However, you can specify arbitrary patterns in regexp: or pcre: tables. In this case Postfix will query only with the full email address user@domain, not the partial forms domain.tld, .domain.tld, user@.

Wietse
Postfix with sqlite - Database becomes locked
Dear all,

I am running postfix 3.3 and recently migrated all my virtual domains from MySQL to Sqlite for performance reasons. So far, everything works fine, however up to 5-8 times a day I am seeing an error message in my mail.log saying that the Sqlite 3 database may be locked. Here is an example:

--
Jan 10 18:00:42 waldfest postfix/smtpd[88198]: connect from spring-chicken-bi.twitter.com[199.16.156.174]
Jan 10 18:00:43 waldfest postfix/smtpd[88198]: Anonymous TLS connection established from spring-chicken-bi.twitter.com[199.16.156.174]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 10 18:00:45 waldfest postgrey[656]: action=pass, reason=client AWL, client_name=spring-chicken-bi.twitter.com, client_address=199.16.156.174, sender=n0541a68f73-b84c2c7eb58d4ba4a17c4affd751c95c-presse===freizeitpark-erlebnis...@bounce.twitter.com, recipient=pre...@freizeitpark-erlebnis.de
Jan 10 18:00:45 waldfest postfix/smtpd[88198]: 3D13F5076C7: client=spring-chicken-bi.twitter.com[199.16.156.174]
Jan 10 18:00:45 waldfest postfix/cleanup[88252]: warning: dict_sqlite_lookup: /etc/postfix/sqlite_virtual_alias_maps.cf: SQL step failed for query 'SELECT goto FROM alias WHERE address='pre...@freizeitpark-erlebnis.de' AND active = '1'': database is locked?
Jan 10 18:00:45 waldfest postfix/cleanup[88252]: fatal: dict_sqlite_lookup: /etc/postfix/sqlite_virtual_alias_maps.cf: SQL finalize failed for query 'SELECT goto FROM alias WHERE address='pre...@freizeitpark-erlebnis.de' AND active = '1'': database is locked?
Jan 10 18:00:45 waldfest dovecot: imap(tho...@tfalkenberg.com): Logged out in=291 out=2593
Jan 10 18:00:46 waldfest postfix/smtpd[88198]: warning: cannot send milters to service public/cleanup socket
Jan 10 18:00:46 waldfest postfix/master[54589]: warning: process /usr/libexec/postfix/cleanup pid 88252 exit status 1
Jan 10 18:00:46 waldfest postfix/smtpd[88198]: too many errors after END-OF-MESSAGE from spring-chicken-bi.twitter.com[199.16.156.174]
Jan 10 18:00:47 waldfest postfix/cleanup[88290]: 438125076C8: message-id=<20180110170047.43812507...@waldfest.wolfgarten.com>
--

I find this quite odd as the above-mentioned SQL query just works fine. I tried to search Google for the error („database is locked?"), however I am unable to find any information on this matter. Also apart from these messages everything works fine and the server handles thousands of emails correctly per day.

Any idea on how to troubleshoot this?

Thank you.

Best regards
Sebastian
Re: Postfix Relay per host ACLs
> On Jan 10, 2018, at 12:07 PM, Stuart Archer wrote:
>
> Can I use a wildcard in global-recipients ?

The lookup keys for access(5) tables with check_recipient_access are:

http://www.postfix.org/access.5.html

EMAIL ADDRESS PATTERNS
       With lookups from indexed files such as DB or DBM, or from networked
       tables such as NIS, LDAP or SQL, patterns are tried in the order as
       listed below:

       user@domain
              Matches the specified mail address.

       domain.tld
              Matches domain.tld as the domain part of an email address.

              The pattern domain.tld also matches subdomains, but only
              when the string smtpd_access_maps is listed in the Postfix
              parent_domain_matches_subdomains configuration setting.

       .domain.tld
              Matches subdomains of domain.tld, but only when the string
              smtpd_access_maps is not listed in the Postfix
              parent_domain_matches_subdomains configuration setting.

       user@  Matches all mail addresses with the specified user part.

       Note: lookup of the null sender address is not possible with some
       types of lookup table. By default, Postfix uses <> as the lookup
       key for such addresses. The value is specified with the
       smtpd_null_access_lookup_key parameter in the Postfix main.cf file.

-- 
Viktor.
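Added model (not Postfix code, and not from the thread) of the lookup order quoted above, to answer the wildcard question concretely: an indexed access table has no "*" pattern, but the partial keys it does try (domain, parent domains, user@) cover most of what a wildcard would be used for, and which parent-domain form matches depends on whether smtpd_access_maps appears in parent_domain_matches_subdomains. The functions below compute the candidate keys for an address in the documented order and resolve the first hit against an in-memory table. Assumptions made for the demo: the table and addresses are constructed, keys are case-folded, the null sender is looked up as "<>", and recipient_delimiter address extensions are not stripped.

```python
NULL_SENDER_KEY = "<>"   # Postfix default for smtpd_null_access_lookup_key


def candidate_keys(address, parent_matches_subdomains=False):
    """Lookup keys for an access(5) table in the documented order.

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains: parent domains are tried as bare
    "example.com". Otherwise they are tried as ".example.com".
    """
    if address == "":
        return [NULL_SENDER_KEY]
    user, _, domain = address.rpartition("@")
    user, domain = user.lower(), domain.lower().strip(".")
    keys = ["%s@%s" % (user, domain), domain]        # user@domain, then domain.tld
    labels = domain.split(".")
    for i in range(1, len(labels)):                  # walk up through parent domains
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(user + "@")                          # user@ matches any domain
    return keys


def access_lookup(table, address, parent_matches_subdomains=False):
    """Return (action, matched_key) for the first key present in table, else (None, None)."""
    for key in candidate_keys(address, parent_matches_subdomains):
        if key in table:
            return table[key], key
    return None, None


# Constructed global-recipients table in the shape of the one discussed in the thread.
GLOBAL_RECIPIENTS = {
    "helpdesk@example.com": "OK",
    ".example.com": "allow-internal",   # subdomains only (default setting)
    "example.org": "allow-internal",    # subdomains too, only if parent matching is on
    "postmaster@": "OK",
    "<>": "OK",
}


if __name__ == "__main__":
    for addr in ["helpdesk@example.com", "bob@mail.example.com", "bob@example.com",
                 "bob@sub.example.org", "postmaster@anything.test", ""]:
        for parent in (False, True):
            print(addr or "<null sender>", parent, access_lookup(GLOBAL_RECIPIENTS, addr, parent))
```

The "bob@example.com" case is the usual surprise: ".example.com" matches subdomains of example.com but not example.com itself, so a table that wants both needs both the bare and the dotted key (or the parent-matching setting). For patterns beyond these forms, Wietse's note above applies: a regexp: or pcre: table, which is only ever queried with the full user@domain.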
Re: Postfix Relay per host ACLs
Thanks Viktor. Ok. I had to read this about ten times but see what you are saying :)

Can I use a wildcard in global-recipients ?

Stu

On 09/01/2018 14:34, Viktor Dukhovni wrote:
>> On Jan 9, 2018, at 7:30 AM, Stuart Archer wrote:
>>
>> I had assumed this would be a built in function to Postfix but sounds
>> like anything will be a hack of sorts. will take a look at postfwd.
>> thanks for the help.
>
> Wietse's answer is correct and sufficient. Put the machines that can
> send to everyone in "mynetworks". Exclude the rest. Then add any
> destination domains or addresses that everyone can send to in a
> recipient access table before "reject_unauth_destination".
>
>   indexed = ${default_database_type}:${config_directory}/
>   smtpd_relay_restrictions =
>       permit_mynetworks,
>       permit_sasl_authenticated,
>       check_recipient_access ${indexed}global-recipients,
>       reject_unauth_destination
>
> The global-recipients table can just be:
>
>   some-addr...@example.com OK
>
> if your MTA port 25 is not reachable via the public Internet, or else
> can be:
>
>   some-addr...@example.com allow-internal
>
> where "allow-internal" is a suitable "restriction class" that permits
> more machines from your network than does "mynetworks". See
> RESTRICTION_CLASS_README and cidr_table(5).
migrating mail server: force oldsrvr to newsrvr
I'm in the process of migrating old server postfix 2.x to new server 3.x

new server uses almost identical postfix/dovecot/mysql virtual domains/users configuration, so currently, both servers are set up for aaa.tld, bbb.tld, ccc.tld

I've edited MX for aaa, aaa's email start arriving at new server (and, some at old server), after couple days, it's all good, some emails on old server

to do this properly, when I edit MX of bbb (old to new server), I should tell old server to relay? forward? any email for bbb to new server

this is where I get lost, in terminology, understanding, execution...

what do I need to set on old server so all email for virtual domain/users if still arrives on old server gets relayed/forwarded to new MX/new server?

thanks,
V