Sequence of checks for virtual alias
I have some user email addresses (in domains that are specified as virtual_alias_domain) listed in /etc/postfix/recipient_access and configured to return 550 Mailbox no longer in use. Do I still need to list them in virtual_alias_maps, or is check_recipient_access processed first?

Simon

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policyd-spf
    permit

--
Simon Wilson
M: 0400 12 11 16
Re: Postfix Helo reverse Exception
On 3/20/21 10:33 PM, li...@lazygranch.com wrote:
> This got me wondering about my own configuration. It turns out I use the
> other reverse check:
>
> smtpd_client_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
>     reject_unknown_reverse_client_hostname,
>     check_client_access hash:/etc/postfix/spamsources
>
> This stops many a spammer. I forget who posted the info on the fqrdns
> but that is very effective as well.

So I switched a couple of days ago now to using this instead of reject_unknown_helo_hostname. So far it seems to be working well.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: Rewrite user xxx in a specific local domain
- Message from Viktor Dukhovni -
Date: Mon, 22 Mar 2021 20:25:01 -0400
From: Viktor Dukhovni
Reply-To: postfix-users@postfix.org
Subject: Re: Rewrite user xxx in a specific local domain
To: postfix-users@postfix.org

On Tue, Mar 23, 2021 at 10:16:31AM +1000, Simon Wilson wrote:

I run multiple local domains, and for the first time need to have the same username in two of them go to different local accounts.

I.e. my son has a local (LDAP) account "dom". Mail sent to dom@his-personal-domain reaches that mailbox fine. He now has a business domain, and I have setup a LDAP account dom.w, so dom.w@his-business-domain works fine. What I want to be able to do is rewrite dom@his-business-domain when it is received so it delivers to dom.w@his-business-domain.

From what I read at http://www.postfix.org/aliases.5.html I don't think I can do this with aliases directly, as the "name" component of the alias line is a local address with no domain part. What I need to have happen (written in alias-style format) is this:

    dom@his-personal-domain: dom # this works fine already
    dom.w@his-business-domain: dom.w # this works fine already
    dom@his-business-domain: dom.w # this is the bit I want to add

How do I achieve this with rewriting or aliasing, i.e. without having to move to virtual domains?

You don't have to move to "virtual domains". The virtual(5) aliases table applies to all recipient addresses, regardless of "address class". In fact you should avoid local aliases(5) for address to address rewriting, and do all such rewriting in virtual(5) instead, using the aliases(5) file only for "|command", "/some/file" or ":include:" aliases.

That said, I recommend making *all* your real domains be virtual alias domains, and using only "localhost.localdomain" or similar as the only domain in mydestination, with all addresses intended for local delivery rewritten into that domain as appropriate. In some cases I go further and add access(5) rules that block direct remote addressing of that domain, so that all inbound mail has to come through one of the virtual alias domains.

So you can certainly migrate to virtual alias domains, which is a better model.

- End message from Viktor Dukhovni -

Thanks Viktor and Noel.

Reading http://www.postfix.org/VIRTUAL_README.html, what I currently have is "As simple as can be: shared domains, UNIX system accounts":

    /etc/postfix/main.cf:
    mydestination = $myhostname, localhost.$mydomain ... simonandkate.net,... etc

...with any required aliases in /etc/aliases, e.g.:

    root: si...@simonandkate.net
    si: si...@simonandkate.net
    etc.

Noel's response is the 'quickest way to achieve what I want':

- insert "dom@business-domain dom.w@business-domain" into /etc/postfix/virtual
- postmap /etc/postfix/virtual & postfix reload
- I assume this works because of:

    [root@emp87 postfix]# postconf -n | grep virtual_transport
    [root@emp87 postfix]# postconf -d | grep virtual_transport
    ...
    virtual_transport = virtual

- This keeps me on "As simple as can be: shared domains, UNIX system accounts", but uses the virtual transport to resolve my requirement for this one address only.

I read Viktor's response as a step further, taking me to "Postfix virtual ALIAS example: separate domains, UNIX system accounts" (http://www.postfix.org/VIRTUAL_README.html):

- mydestination = $myhostname, localhost.$mydomain # no hosted domains in here
- virtual_alias_domains = simonandkate.net, ... # all hosted domains here
- virtual_alias_maps = hash:/etc/postfix/virtual
- have all hosted email addresses mapped to locals in /etc/postfix/virtual:

    si...@simonandkate.net simon
    s...@simonandkate.net simon
    dom@personal-domain dom
    dom@business-domain dom.w
    etc.

Questions on 'virtual':

1. leave local aliases in /etc/aliases? e.g. postmaster: root; virusalert: root; root: si...@simonandkate.net, etc.?
2. looks like virtual multiple recipients works per aliases, e.g. "voicem...@simonandkate.net si...@simonandkate.net, us...@simonandkate.net"?
3. http://www.postfix.org/virtual.5.html says that each virtual alias domain needs a line with no addresses:

    /etc/postfix/virtual:
    virtual-alias.domain anything (right-hand content does not matter) <- this line -
    postmaster@virtual-alias.domain postmaster
    user1@virtual-alias.domain address1
    user2@virtual-alias.domain address2, address3

    The virtual-alias.domain anything entry is required for a virtual alias domain. Without this entry, mail is rejected with "relay access denied", or bounces with "mail loops back to myself".

...yet this requirement for "virtual-alias.domain anything (right-hand content does not matter)" is not stated in http://www.postfix.org/VIRTUAL_README.html. If it is required, should
Re: upgrade 2.10 - 3.3 config compatibility
On 22/03/21 3:44 am, Wietse Venema wrote:

Matus UHLAR - fantomas:

With those set, all services in master.cf explicitly chroot=n, and compatibility_level set to 99

don't do this. You never know what changes in the future and will require your intervention.

Indeed. Postfix 3.6 comes with a handful of breaking changes. The compatibility_level allows you to update Postfix without disruption.

It might be a good idea to have Postfix log a warning if the compatibility level is higher than whatever is current for the running version of Postfix.

Peter
Re: Rewrite user xxx in a specific local domain
On Tue, Mar 23, 2021 at 10:16:31AM +1000, Simon Wilson wrote:
> I run multiple local domains, and for the first time need to have the
> same username in two of them go to different local accounts.
>
> I.e. my son has a local (LDAP) account "dom". Mail sent to
> dom@his-personal-domain reaches that mailbox fine. He now has a
> business domain, and I have setup a LDAP account dom.w, so
> dom.w@his-business-domain works fine. What I want to be able to do is
> rewrite dom@his-business-domain when it is received so it delivers to
> dom.w@his-business-domain.
>
> From what I read at http://www.postfix.org/aliases.5.html I don't
> think I can do this with aliases directly, as the "name" component of
> the alias line is a local address with no domain part. What I need to
> have happen (written in alias-style format) is this:
>
> dom@his-personal-domain: dom # this works fine already
> dom.w@his-business-domain: dom.w # this works fine already
> dom@his-business-domain: dom.w # this is the bit I want to add
>
> How do I achieve this with rewriting or aliasing, i.e. without having
> to move to virtual domains?

You don't have to move to "virtual domains". The virtual(5) aliases table applies to all recipient addresses, regardless of "address class". In fact you should avoid local aliases(5) for address to address rewriting, and do all such rewriting in virtual(5) instead, using the aliases(5) file only for "|command", "/some/file" or ":include:" aliases.

That said, I recommend making *all* your real domains be virtual alias domains, and using only "localhost.localdomain" or similar as the only domain in mydestination, with all addresses intended for local delivery rewritten into that domain as appropriate. In some cases I go further and add access(5) rules that block direct remote addressing of that domain, so that all inbound mail has to come through one of the virtual alias domains.

So you can certainly migrate to virtual alias domains, which is a better model.

--
Viktor.
Re: Rewrite user xxx in a specific local domain
On 3/22/2021 7:16 PM, Simon Wilson wrote:

I run multiple local domains, and for the first time need to have the same username in two of them go to different local accounts.

I.e. my son has a local (LDAP) account "dom". Mail sent to dom@his-personal-domain reaches that mailbox fine. He now has a business domain, and I have setup a LDAP account dom.w, so dom.w@his-business-domain works fine. What I want to be able to do is rewrite dom@his-business-domain when it is received so it delivers to dom.w@his-business-domain.

From what I read at http://www.postfix.org/aliases.5.html I don't think I can do this with aliases directly, as the "name" component of the alias line is a local address with no domain part. What I need to have happen (written in alias-style format) is this:

    dom@his-personal-domain: dom # this works fine already
    dom.w@his-business-domain: dom.w # this works fine already
    dom@his-business-domain: dom.w # this is the bit I want to add

How do I achieve this with rewriting or aliasing, i.e. without having to move to virtual domains?

Simon

You can use virtual_alias_maps for this (NOT virtual_alias_domains).

    # virtual_alias
    dom@business-domain dom.w@business-domain

--
Noel Jones
Rewrite user xxx in a specific local domain
I run multiple local domains, and for the first time need to have the same username in two of them go to different local accounts.

I.e. my son has a local (LDAP) account "dom". Mail sent to dom@his-personal-domain reaches that mailbox fine. He now has a business domain, and I have setup a LDAP account dom.w, so dom.w@his-business-domain works fine. What I want to be able to do is rewrite dom@his-business-domain when it is received so it delivers to dom.w@his-business-domain.

From what I read at http://www.postfix.org/aliases.5.html I don't think I can do this with aliases directly, as the "name" component of the alias line is a local address with no domain part. What I need to have happen (written in alias-style format) is this:

    dom@his-personal-domain: dom # this works fine already
    dom.w@his-business-domain: dom.w # this works fine already
    dom@his-business-domain: dom.w # this is the bit I want to add

How do I achieve this with rewriting or aliasing, i.e. without having to move to virtual domains?

Simon

--
Simon Wilson
M: 0400 12 11 16
Re: Postfix Helo reverse Exception
On 20 Mar 2021, at 19:21, Phil Stracchino wrote:
> On 3/20/21 8:23 PM, Wietse Venema wrote:
>> But it is better to stop using reject_unknown_helo_hostname because
>> there are many misconfigured servers that send legitimate mail.
>
> That is an interesting piece of advice.

I have tested this several times over the years and far too much mail people want gets rejected. Annoying, but accurate.

Or maybe that was reject_unknown_reverse_client_hostname? I don't have either in my main.cf

--
'And I promise you this,' he [Carrot] shouted, 'if we succeed, no-one will remember. And if we fail, no one will forget!'
Re: quoted-unprintable, was BINARYMIME in Postfix
John Levine:
> It appears that Wietse Venema said:
> >With uniform or compressed payloads, 256 bytes become 261 on average,
> >thus it takes 978.9 bytes on average to expand into 998. Add CR
> >and LF to the 998, and we have an expansion of 1000/978.9=1.022 or
> >just a little over 2%.
>
> That was my estimate too. I was rounding, so sue me.

I demonstrated that I am a worse sales person, when I pointed out that the expansion rate can range from 0.2% (when no quoting is needed) to over 100% (when every octet needs quoting).

> >It could have been a good idea 25 years ago.
>
> Turns out it came up on the ietf-smtp list in 2003. Here's the
> mail discussion

Note that the quoting scheme came up in the context of compressed data, where I agree that the 2% expansion claim can be strong. With uncompressed data, YMMV.

Thanks for the history lesson :-)

Wietse
Re: Echange virtual and local domain
So I could "just" turn maennerchor-kirchseeon.de into another local domain? Would there be benefits or problems? In the end all I want is to run mailman on maennerchor-kirchseeon.de ...

If you have multiple local domains, they are treated as equivalent

Thank you for the explanation. I'll ponder this thread and I think with all the help I got from this list I should be able to do what I want :)

--
Markus Grunwald
https://www.the-grue.de/~markus/markus_grunwald.gpg
Re: Echange virtual and local domain
On 22.03.2021 at 16:03:43, Markus Grunwald wrote:
>
> So I could "just" turn maennerchor-kirchseeon.de into another local
> domain? Would there be benefits or problems? In the end all I want
> is to run mailman on maennerchor-kirchseeon.de ...

If you have multiple local domains, they are treated as equivalent - it means, you have the same usernames across all local domains. If domain1 and domain2 are both local domains, then user@domain1 and user@domain2 are equivalent email addresses for exactly the same user/account.

So if you have the same user names (even one) in both domains, but they should actually correspond to different email accounts, you cannot have both these domains as local.

If your user names in one domain are all different from the other domain, you can have two local domains, but then your users would be equally reachable under email accounts in both domains. If you don't want this, you have to use recipient access restrictions like in the example I sent previously.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: Echange virtual and local domain
Hello,

If you want "maennerchor-kirchseeon.de" to be a local domain instead, you need to make "the-grue.de" a virtual domain,

This is not true. Multiple local domains are fine.

That's interesting. I didn't know that I could have multiple local domains, so I asked how I can turn the-grue.de into a virtual domain and maennerchor-kirchseeon.de into a local domain.

So I could "just" turn maennerchor-kirchseeon.de into another local domain? Would there be benefits or problems? In the end all I want is to run mailman on maennerchor-kirchseeon.de ...

Thanks,

--
Markus Grunwald
https://www.the-grue.de/~markus/markus_grunwald.gpg
Re: upgrade 2.10 - 3.3 config compatibility
I have a well established 2.10 Postfix instance on 2.10 (CentOS7) which is to be migrated to a new machine running Postfix 3.3 (on RHEL8).

I've been reading http://www.postfix.org/COMPATIBILITY_README.html, and from what I can see the backward compatibility issues I may run into are (with existing config from 2.10)

- append_dot_mydomain (not explicitly set on 2.10, i.e. implicitly "yes")
- chroot (explicitly set to n on 2.10 in master.cf)
- smtpd_relay_restrictions (explicitly set to empty on 2.10)
- mynetworks_style (not explicitly set on 2.10, i.e. implicitly "subnet")
- relay_domains (not explicitly set on 2.10, i.e. implicitly "$mydestination")

To re-use the existing configuration I'm thinking I need to:

1. explicitly set append_dot_mydomain to yes
2. explicitly set mynetworks_style to subnet (2.10 config = "mynetworks = 127.0.0.0/8, 192.168.1.0/24")
3. explicitly set relay_domains=$mydestination

If I do those should I explicitly set compatibility_level, or would it not be needed because I have addressed the compatibility issues? And are there any other 'gotchas' to be aware of with this upgrade?

On 21.03.21 21:57, Simon Wilson wrote:

Ok, I migrated the config from the 2.10 server, and added new specific configuration items for:

    append_dot_mydomain = yes

On 22.03.21 10:17, Simon Wilson wrote:

localhost is in mydestination, so the first message noted at http://www.postfix.org/COMPATIBILITY_README.html won't happen... mydomain is not explicitly set, so postconf -d tells me it is 'simonandkate.lan', as expected. Local servers using this server as SMTP do send using emails without FQDN - hence I set append_dot_mydomain = yes. Is that incorrect? The test I suppose would be to unset it, put compatibility_level to less than 1 and monitor?

you can set it as you want/need. If you set it to any value, you don't have to take care of compatibility_level: compatibility_level only affects default values, which is only problem if you rely on defaults (and they change).

and using only relay_domains makes sense if you are relay for anyone.

The server is set to reject_unauth_destination:

    smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/client_checks,
        permit_mynetworks,
        check_recipient_access hash:/etc/postfix/recipient_access,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_unauth_pipelining,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client zen.spamhaus.org,
        check_policy_service unix:private/policyd-spf
        permit

If relay_domains is empty, will it still accept to act as a local network relay (with restricted access) to domains listed in mydestination from mynetworks - I assume yes, from 'permit_mynetworks'? In which case, I can leave relay_domains blank?

relay_domains is list of destination domains postfix accepts mail for, but relays them to other servers (e.g. via transport_maps). If you don't use this functionality, you can keep it empty.

setting relay_domains to mydestination (default for compatibility_level<2) and parent_domain_matches_subdomains to include "relay_domains" means that your mailserver accepts mail for all subdomains under domains in "mydestination" and tries to pass it further.

I personally recommend to have parent_domain_matches_subdomains empty and specify including subdomains as ".example.com"

With those set, all services in master.cf explicitly chroot=n, and compatibility_level set to 99

don't do this. You never know what changes in the future and will require your intervention.

I've removed mynetworks_style based on improved knowledge as noted above; commented out append_dot_mydomain and relay_domains, have set compatibility_level to 0, and will monitor for messages.

mynetworks_style is not used if you have configured mynetworks.

if you have configured all options needed, or you don't care of their values, you can set compatibility_level=2

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: upgrade 2.10 - 3.3 config compatibility
- Message from Viktor Dukhovni -
Date: Mon, 22 Mar 2021 00:13:00 -0400
From: Viktor Dukhovni
Reply-To: postfix-users@postfix.org
Subject: Re: upgrade 2.10 - 3.3 config compatibility
To: postfix-users@postfix.org

On Mon, Mar 22, 2021 at 12:32:18PM +1000, Simon Wilson wrote:

I have temporarily set it at 0 after reading http://www.postfix.org/COMPATIBILITY_README.html to ensure that I pick up in logging if/when backwards-compatibility is triggered by the legacy settings as follows (from http://www.postfix.org/COMPATIBILITY_README.html):

Logged with compatibility_level < 1:

    **Using backwards-compatible default setting append_dot_mydomain=yes**
    Using backwards-compatible default setting chroot=y

This will only be logged if you have not explicitly set a value for "append_dot_mydomain".

Logged with compatibility_level < 2:

    Using backwards-compatible default setting "smtpd_relay_restrictions = (empty)"
    Using backwards-compatible default setting mynetworks_style=subnet
    **Using backwards-compatible default setting relay_domains=$mydestination**
    Using backwards-compatible default setting smtputf8_enable=no

Ditto. My advice is generally to set "relay_domains" empty, or at least to not include "relay_domains" in "parent_domain_matches_subdomains". And of course set mynetworks explicitly, which makes "mynetworks_style" irrelevant, but best to set that to "host".

//Main.cf:

    # comment out, compat to 0, and monitor
    # append_dot_mydomain = yes
    # relay_domains = $mydestination
    compatibility_level = 0

//postconf -n:

    [root@emp87 log]# postconf -n | grep comp
    compatibility_level = 0
    [root@emp87 log]# postconf -n | grep append_dot_mydomain
    [root@emp87 log]# postconf -n | grep relay_domains
    [root@emp87 log]# postconf -n | grep my_networks
    [root@emp87 log]# postconf -n | grep "mynetworks ="
    mynetworks = 127.0.0.0/8, 192.168.1.0/24, 103.16.129.171

For the smtpd_relay_restrictions, set:

    # Typically, there's no SASL on port 25, and for submission,
    # you should have an explicit override in master.cf
    #
    smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

but given that prior to 3.6 the order of relay vs. recipient restrictions is not as expected, also do the same at the top of smtpd_recipient_restrictions for now.

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination
        ... RBLs, ... for inbound mail ...

    [root@emp87 log]# postconf -n | grep "smtpd_relay"
    smtpd_relay_restrictions =
    [root@emp87 log]# postconf -n | grep "smtpd_recip"
    smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks, permit_mynetworks, check_recipient_access hash:/etc/postfix/recipient_access, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policyd-spf permit

Submission port is only accessible on internal network from webmail host, but has:

    # submission port 587 - TLS and SASL
    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
      -o cleanup_service_name=auth-cleanup
      -o content_filter=amavisfeed:[127.0.0.1]:10026

Complete postconf -n is at the bottom of this email.

With the items I need to watch for (emphasis added ** **) that means I need it to be less than 1. Once I am confident of the outcome I'll set to 2.

When you upgrade to Postfix 3.6, and set the compatibility level to 3.6, you can simplify the recipient restrictions to just the anti-abuse rules (provided the relay restrictions are all set),

Noted, thank you.

- End message from Viktor Dukhovni -

[root@emp87 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/postfix/report_aliases
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 0
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
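
A check for the ordering advice in the message above (keep permit_mynetworks, reject_unauth_destination ahead of everything else in smtpd_recipient_restrictions while smtpd_relay_restrictions is empty), as an added example that is not part of the original thread. The function names are hypothetical, PAGE_LIST is the list posted in the thread and REORDERED is a constructed rearrangement of it; a finding means the item could permit before the relay check is reached, which only matters if its table or policy actually returns OK.

```python
import re

# Restrictions whose next token is an argument (lookup table, policy server, DNS zone).
TAKES_ARG = re.compile(
    r"^(check_\w+_access|check_policy_service|reject_rbl_client|"
    r"reject_rhsbl_\w+|permit_dnswl_client|permit_rhswl_client)$"
)
# Items after which no mail for a foreign destination is still under evaluation.
GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}
# Permits bound to a trusted client or to our own destinations; expected before the guard.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                   "permit_tls_clientcerts", "permit_auth_destination"}

# The list posted in the thread (postconf -n output).
PAGE_LIST = """check_client_access hash:/etc/postfix/client_checks, permit_mynetworks,
 check_recipient_access hash:/etc/postfix/recipient_access, reject_unauth_destination,
 check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policyd-spf permit"""

# Constructed reordering: the same items with the relay guard moved to the top.
REORDERED = """permit_mynetworks, reject_unauth_destination,
 check_client_access hash:/etc/postfix/client_checks,
 check_recipient_access hash:/etc/postfix/recipient_access,
 check_sender_access hash:/etc/postfix/sender_access, reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policyd-spf permit"""


def parse_restrictions(value):
    """Split a restriction list (commas and/or whitespace) into (name, arg) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if TAKES_ARG.match(name) and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        items.append((name, arg))
        i += 1
    return items


def may_permit(name):
    """True when the item can return a permit for an arbitrary remote client."""
    if name in TRUSTED_PERMITS:
        return False
    return name == "permit" or name.startswith(("permit_", "check_"))


def relay_findings(value):
    """Return (position, item, note) for each item that can permit before the guard.

    Position 0 marks a list that never reaches a guard at all.
    """
    findings = []
    for pos, (name, arg) in enumerate(parse_restrictions(value), start=1):
        if name in GUARDS:
            return findings
        if may_permit(name):
            item = name if arg is None else f"{name} {arg}"
            findings.append((pos, item, "a permit result here ends the list before the relay check"))
    findings.append((0, "(none)", "no reject_unauth_destination or equivalent in this list"))
    return findings


if __name__ == "__main__":
    for label, value in (("smtpd_relay_restrictions (empty, as posted)", ""),
                         ("smtpd_recipient_restrictions (as posted)", PAGE_LIST),
                         ("smtpd_recipient_restrictions (reordered)", REORDERED)):
        print(label)
        for pos, item, note in relay_findings(value) or [(None, "ok", "guard comes first")]:
            print(f"  {pos}: {item}: {note}")
```
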