[pfx] Re: Looking For Advice/Guidance

2023-09-09 Thread duluxoz via Postfix-users

Thanks Viktor

On 10/09/2023 03:02, Viktor Dukhovni via Postfix-users wrote:

On Sat, Sep 09, 2023 at 06:24:27PM +1000, duluxoz via Postfix-users wrote:


***My Questions***

In the mail.example.local's postfix main.cf file:

1. Should mydomain be set to example.local or one of the external facing
domains?

The value of this parameter is used as the default suffix for non-FQDN
hostnames when "append_dot_mydomain = yes".  Choose a setting that works
for you.


2. Should myorigin be set to example.local or one of the external
facing domains?

The value of this parameter is used as the default domain part of
bare username email addresses.  Typically, mail from cron jobs, or
users doing local submission via sendmail(1).

Along with the domain names in $mydestination, email addresses whose
domain parts are equal to this parameter match "bare" user names in
various address rewriting tables.  Choose a setting that works for you.


3. Have I missed anything obvious to anyone?

Test.  Perhaps consider "soft_bounce = yes" as a *short-term* measure
for the first few days of deployment, and watch the logs closely.

Generally, best to avoid wildcard certificates, but you may have
plausible reasons to want them.  They reduce security and tend to
create single points of failure when all the nodes in an HA setup
field the same "wrong" wildcard cert.


-- 
Matthew J BLACK
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: configure a relayhost

2023-09-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Sep 09, 2023 at 07:37:13PM +0200, François Patte via Postfix-users 
wrote:

> > > As my postfix install is configured, I get only (in mail-log):
> > > 
> > > Sep  9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
> > > from=, size=484, nrcpt=1 (queue active)
> > > Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
> > > to=, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
> > > delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
> > > my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
> > > MAIL FROM command))
> > 
> >  https://www.postfix.org/DEBUG_README.html#mail

It looks like you "tampered" with the logs.  They don't match your
reported configuration below.

> postconf -n

> relayhost = [myfai.fqdn]:465

This is not equal to "my-fai-smtp".

> smtp_tls_wrappermode = yes

Good, needed for transmission via port 465.

> smtp_enforce_tls = yes
> smtp_use_tls = yes

These are obsolete and redundant.

> smtp_tls_security_level = encrypt

If the relay has a valid certificate, make that "secure".

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_CApath = /etc/pki/tls/certs

Otherwise, no need to bother with CAfile / CApath.

You should also have "smtp_tls_loglevel = 1".

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

> smtp_tls_verify_cert_match = myhost.fqdn

More needless tampering with the configuration.  The real setting is
surely not secret, and should be equal to what you expect to find in the
relayhost's certificate.  And this is only needed if the security level
is "verify", but it is currently "encrypt" (should be "secure", with
the corresponding "cert_match" set if need be).

> smtpd_sasl_auth_enable = yes

You probably don't want this.

> smtpd_tls_security_level = encrypt

Nor this, except on the submission services in master.cf.

> >  https://www.postfix.org/SASL_README.html#client_sasl
> 
> My main.cf has the same values for the smtp_xxx listed on the page;
> other values are the default ones given by the postfix package.

You're obfuscating the essential hostnames, making help needlessly
difficult.  Did you read the text in SASL_README that explains the
lookup key syntax for the password table, when using "[]" and/or ":port"
in the relay name?

You probably have the wrong lookup key syntax.

-- 
Viktor.
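An added example (mine, not code from the thread or from the Postfix project) that models the two points above offline: the smtp_sasl_password_maps lookup key has to repeat the relayhost value verbatim, brackets and port included, and the obsolete or misplaced client TLS settings. The hostname myfai.fqdn and the credentials are constructed stand-ins; the lookup rule is the one documented in SASL_README and postconf(5), reproduced here rather than run against a live Postfix.

```python
import re

# Constructed stand-ins for the values obfuscated in the thread.
POSTCONF_N = """\
relayhost = [myfai.fqdn]:465
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = myhost.fqdn
smtp_tls_wrappermode = yes
smtp_use_tls = yes
"""
# Two constructed sasl_passwd source files.  The key in the first lacks the
# ':465' that the relayhost value carries, which is enough for the lookup to
# miss, so no AUTH is attempted and the relay answers "530 Authentication
# required" at MAIL FROM.
SASL_PASSWD_WRONG = "[myfai.fqdn]        login@example.invalid:s3cret\n"
SASL_PASSWD_RIGHT = "[myfai.fqdn]:465    login@example.invalid:s3cret\n"

NEXTHOP_RE = re.compile(r"(\[([^\]]+)\]|[^:\[\]\s]+)(?::([A-Za-z0-9]+))?")


def parse_postconf(text):
    """'postconf -n' output -> dict; later lines override earlier ones."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def split_nexthop(nexthop):
    """'[host]:465' -> ('host', '465', True); 'host' -> ('host', None, False)."""
    m = NEXTHOP_RE.fullmatch(nexthop.strip())
    if not m:
        raise ValueError(f"cannot parse next-hop {nexthop!r}")
    bracketed = m.group(2) is not None
    return (m.group(2) if bracketed else m.group(1)), m.group(3), bracketed


def parse_sasl_passwd(text):
    """sasl_passwd source lines: '<lookup key> <username>:<password>'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, cred = line.split(None, 1)
            table[key] = cred
    return table


def sasl_lookup(relayhost, sasl_passwd_text):
    """Model the smtp_sasl_password_maps lookup for a single relayhost.

    Postfix consults the table with the next-hop destination exactly as it is
    written in relayhost (brackets and port included) and with the remote
    server's hostname.  '[host]' therefore does not match a relayhost of
    '[host]:465'; with no credentials found, no AUTH command is sent at all.
    Returns (matched_key, credential) or (None, diagnostic).
    """
    table = parse_sasl_passwd(sasl_passwd_text)
    host, _port, _ = split_nexthop(relayhost)
    for key in (relayhost.strip(), host):
        if key in table:
            return key, table[key]
    near = []
    for key in table:
        try:
            if split_nexthop(key)[0] == host:
                near.append(key)
        except ValueError:
            pass
    if near:
        return None, (f"no entry for {relayhost!r}; {near} refer to the same host, "
                      f"but the key must repeat the brackets and port of relayhost")
    return None, f"no entry for {relayhost!r} or {host!r}"


def lint_client_tls(conf):
    """Flag the client-side settings the reply above calls out."""
    findings = []
    for obsolete in ("smtp_use_tls", "smtp_enforce_tls"):
        if obsolete in conf:
            findings.append(f"{obsolete}: obsolete; smtp_tls_security_level replaces it")
    level = conf.get("smtp_tls_security_level", "none")
    if level == "encrypt":
        findings.append("smtp_tls_security_level = encrypt: the relay's certificate is "
                        "not checked; use 'secure' if the relay has a valid certificate")
    if "smtp_tls_verify_cert_match" in conf and level != "verify":
        findings.append("smtp_tls_verify_cert_match: only consulted at level 'verify' "
                        "(level 'secure' uses smtp_tls_secure_cert_match)")
    if "relayhost" in conf:
        _, port, _ = split_nexthop(conf["relayhost"])
        if port in ("465", "smtps") and conf.get("smtp_tls_wrappermode") != "yes":
            findings.append("relayhost uses port 465 but smtp_tls_wrappermode is not 'yes'")
    return findings


if __name__ == "__main__":
    print(sasl_lookup("[myfai.fqdn]:465", SASL_PASSWD_WRONG))
    print(sasl_lookup("[myfai.fqdn]:465", SASL_PASSWD_RIGHT))
    for finding in lint_client_tls(parse_postconf(POSTCONF_N)):
        print("-", finding)
```

After editing the real table, rebuild it with `postmap hash:/etc/postfix/sasl_passwd` and confirm the key the way Postfix will look it up, e.g. `postmap -q '[myfai.fqdn]:465' hash:/etc/postfix/sasl_passwd`; with `smtp_tls_loglevel = 1` the mail log then also shows whether the handshake with the relay verified its certificate.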


[pfx] Re: configure a relayhost

2023-09-09 Thread François Patte via Postfix-users

On 09/09/2023 at 19:10, Viktor Dukhovni via Postfix-users wrote:

On Sat, Sep 09, 2023 at 06:55:03PM +0200, François Patte via Postfix-users 
wrote:


I would like to use my ISP's (FAI) smtp server to send mail using postfix.

As my postfix install is configured, I get only (in mail-log):

Sep  9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
from=, size=484, nrcpt=1 (queue active)
Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
to=, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
MAIL FROM command))


 https://www.postfix.org/DEBUG_README.html#mail


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 3.7
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination =
myhostname = myhost.fqdn
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [myfai.fqdn]:465
sample_directory = /usr/share/doc/postfix/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = myhost.fqdn
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550



 https://www.postfix.org/SASL_README.html#client_sasl


My main.cf has the same values for the smtp_xxx listed on the page;
other values are the default ones given by the postfix package.

F.P.


[pfx] Re: configure a relayhost

2023-09-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Sep 09, 2023 at 06:55:03PM +0200, François Patte via Postfix-users 
wrote:

> I would like to use my ISP's (FAI) smtp server to send mail using postfix.
> 
> As my postfix install is configured, I get only (in mail-log):
> 
> Sep  9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
> from=, size=484, nrcpt=1 (queue active)
> Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
> to=, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
> delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
> my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
> MAIL FROM command))

https://www.postfix.org/DEBUG_README.html#mail
https://www.postfix.org/SASL_README.html#client_sasl

-- 
Viktor.


[pfx] Re: Looking For Advice/Guidance

2023-09-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Sep 09, 2023 at 06:24:27PM +1000, duluxoz via Postfix-users wrote:

> ***My Questions***
> 
> In the mail.example.local's postfix main.cf file:
> 
> 1. Should mydomain be set to example.local or one of the external facing
>domains?

The value of this parameter is used as the default suffix for non-FQDN
hostnames when "append_dot_mydomain = yes".  Choose a setting that works
for you.

> 2. Should myorigin be set to example.local or one of the external
>facing domains?

The value of this parameter is used as the default domain part of
bare username email addresses.  Typically, mail from cron jobs, or
users doing local submission via sendmail(1).

Along with the domain names in $mydestination, email addresses whose
domain parts are equal to this parameter match "bare" user names in
various address rewriting tables.  Choose a setting that works for you.

> 3. Have I missed anything obvious to anyone?

Test.  Perhaps consider "soft_bounce = yes" as a *short-term* measure
for the first few days of deployment, and watch the logs closely.

Generally, best to avoid wildcard certificates, but you may have
plausible reasons to want them.  They reduce security and tend to
create single points of failure when all the nodes in an HA setup
field the same "wrong" wildcard cert.

-- 
Viktor.
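An added example (mine, not code from the thread or from Postfix) for the "wrong wildcard cert" failure mode above: it checks whether the certificate handed out for each SNI name actually covers that name, using the wildcard rule of RFC 6125 section 6.4.3 (a `*` only as the whole leftmost label, matching exactly one label). The SNI map, the SAN lists and the myhostname value are constructed to mirror the setup in the thread; the example.org entry deliberately points at the example.net wildcard.

```python
def name_matches(pattern, hostname):
    """True if the dNSName SAN `pattern` covers `hostname` (case-insensitive).

    '*.example.net' covers mail.example.net but neither example.net (label
    count differs) nor a.b.example.net (a wildcard spans one label only).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse '*' alone or '*.net': at least two fixed labels must follow.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, hostname):
    """True if any SAN in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed: the SANs of the certificate tls_server_sni_maps would hand out
# for each SNI name, plus the default certificate served when a client sends
# no SNI at all.  mail.example.org wrongly gets the example.net wildcard.
SNI_MAP = {
    "mail.example.net": ["*.example.net", "example.net"],
    "mail.example.com": ["*.example.com", "example.com"],
    "mail.example.org": ["*.example.net", "example.net"],
}
DEFAULT_SANS = ["*.example.net", "example.net"]
MYHOSTNAME = "mail.example.net"


def audit(sni_map, default_sans, myhostname):
    """Return {name: reason} for every name whose served cert does not cover it."""
    problems = {}
    for sni, sans in sni_map.items():
        if not cert_covers(sans, sni):
            problems[sni] = f"cert with SANs {sans} served for SNI {sni}"
    if not cert_covers(default_sans, myhostname):
        problems[myhostname] = f"default cert {default_sans} does not cover myhostname"
    return problems


if __name__ == "__main__":
    for name, reason in audit(SNI_MAP, DEFAULT_SANS, MYHOSTNAME).items():
        print(f"{name}: {reason}")
```

To see what a running server presents for a given SNI name, feed the live certificate into the same check: `openssl s_client -connect mail.example.net:465 -servername mail.example.org </dev/null | openssl x509 -noout -ext subjectAltName` (add `-starttls smtp` for port 587); every HA node should be queried separately, since the point above is that they can all field the same wrong certificate.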


[pfx] configure a relayhost

2023-09-09 Thread François Patte via Postfix-users

Hello,

I would like to use my ISP's (FAI) smtp server to send mail using postfix.

As my postfix install is configured, I get only (in mail-log):

Sep  9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
from=, size=484, nrcpt=1 (queue active)
Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
to=, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
MAIL FROM command))

I would like some help.

Thank you.

F.P.


[pfx] [Probably OT] Issue with Schleuder ML

2023-09-09 Thread roughnecks via Postfix-users

Hello.

I have a Postfix install with a .space main domain and an .eu virtual 
domain. Prior to the virtual domain setup, I had a schleuder mailing 
list. After the new domain setup I wanted to create a second list, but 
as it happens I am not able to make it work (the first list is still fine).


Messages sent to this .eu list are stored in the mailbox account instead of 
being processed by schleuder from stdin.


Here's the relevant config. I'm using system users and Postfix + Dovecot.

https://chat.woodpeckersnest.space:5281/pastebin/0905a9b2-7241-4018-bcce-244e159c29e0

Sorry for the possible OT but schleuder support couldn't help me and I'm 
out of ideas.


Thanks, have a nice w/e.

--
roughnecks




[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Sep 09, 2023 at 08:10:19PM +1000, lists--- via Postfix-users wrote:

> hmmm, noticed that system has quite high load average, reaching  1.5/1.6
> when I was checking... is that my problem ? or part of it ?
> have I overloaded/underresourced ?
> 
> Tasks: 114, 98 thr; 2 running  2
> Load average: 1.18 0.92 0.69

That's not a high load average.  Your amavis filter is congested
(high latency), and your recent logs also suggest network issues.

The problems are too many to meaningfully make progress on this list.
You may need to simplify the problem to make progress.  Perhaps
do without a content filter for a while, and see what problems
remain.  Or focus on just timeouts in incoming mail...

Also see how much mail is already queued and stop accepting new
mail until you can drain down what you already have...

Hard to say, you're not well prepared to isolate the issue, and
the symptoms are diverse.

-- 
Viktor.


[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 9:00 pm, Matus UHLAR - fantomas via
Postfix-users wrote:
>> On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
>> Postfix-users wrote:

Matus, Michel, thanks

> did you reorder those lines? look at timestamps.

didn't intend to, but maybe stuffed up when I tried to get them out of
maillog with:
grep "Sep  8" followed by grep "16:40:" and grep "16:41:"
I was trying to get the entries around 16:40


On Sat, September 9, 2023 8:45 pm, Michel Verdier via Postfix-users wrote:

> How much cores do you have on that system ?

2 cores, 4 GB




[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread Matus UHLAR - fantomas via Postfix-users

On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
Postfix-users wrote:

On 08.09.23 23:13, lists--- via Postfix-users wrote:



logs from unsuccessful attempts are important, not from the one that
succeeded.


On 09.09.23 20:03, lists--- via Postfix-users wrote:

is there some proper way to identify that..?


your IP address could help that.


looking at lines immediately
above I see like, I screen scraped lines immediately above:



Sep  8 16:40:37 geko postfix/postscreen[21264]: CONNECT from
[111.222.333.444]:50452 to [103.106.168.106]:25

[...]

Sep  8 16:40:37 geko postfix/smtpd[15732]: disconnect from
unknown[111.222.333.444] ehlo=1 starttls=1 commands=2


this is a connection from a random internet IP.



Sep  8 16:40:46 geko postfix/smtpd[15519]: connect from
unknown[111.222.333.444]
Sep  8 16:40:46 geko postfix/smtpd[15519]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:40:47 geko postfix/smtpd[15519]: 2556C4346EC:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection rate
4/3600s for (smtpd:185.222.58.40) at Sep  8 16:40:22
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection count
3 for (smtpd:185.222.58.40) at Sep  8 16:40:19
Sep  8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0
bytes) from unknown[111.222.333.444]
Sep  8 16:41:06 geko postfix/smtpd[15519]: disconnect from
unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1
commands=6/7



did you reorder those lines? look at timestamps.

However, this looks like user i...@tld.com.au logged in and dropped the 
connection 19 seconds later.  Perhaps they were unsatisfied with sending 
mail taking so long.




Sep  8 16:41:24 geko postfix/smtpd[15518]: connect from
unknown[111.222.333.444]
Sep  8 16:41:25 geko postfix/smtpd[15518]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:41:25 geko postfix/smtpd[15518]: C92564346E5:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
message-id=




so, your users send mail on port 25?



hmmm... supposed to be using 587...


if you properly uncommented submission service in master.cf, the smtp should 
log as postfix/smtps/smtpd or postfix/submission/smtpd


or your user used port 25, which is used for server-to-server mail transfer and 
may have a different setup.


I e.g. use postscreen (which sometimes adds a 6-second delay) and also spam 
and virus checking milters (like amavisd-milter) on 25. This takes a lot of time.


on port 587/465 I tend to use amavis as content_filter, which means mail is 
received from the user and filtered afterwards. This makes receiving mail from 
the client appear much faster.



Sep  8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field
added (s=default, d=tld.com)


and you run opendkim (milter) on that? any other milters?


dkim/dmarc


amavisd can also dkim-sign messages so I don't need these on such servers.
(no problem if you use them on 25 tho)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
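An added example (mine, not code from the thread) of the triage described above, run over constructed log lines modelled on the ones posted (IPs, queue IDs and the login are replaced): it groups smtpd lines into sessions per process id, records which master.cf service they came in on, and flags authenticated submissions on the plain port-25 service together with sessions the client abandoned before DATA completed. It assumes the submission service logs as postfix/submission/smtpd, i.e. master.cf sets `-o syslog_name=postfix/submission` as the reply above describes.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+)\[(\d+)\]: (.*)$")
CLIENT_RE = re.compile(r"(?:connect|disconnect) from (\S+)")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")
SASL_RE = re.compile(r"sasl_username=(\S+)")

# Constructed sample: one authenticated session on the port-25 service that
# the client abandons after 20 s, one healthy session on submission, and an
# anvil line that the parser must ignore.
SAMPLE_LOG = """\
Sep  8 16:40:46 geko postfix/smtpd[15519]: connect from unknown[192.0.2.10]
Sep  8 16:40:46 geko postfix/smtpd[15519]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Sep  8 16:40:47 geko postfix/smtpd[15519]: 0A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.invalid
Sep  8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0 bytes) from unknown[192.0.2.10]
Sep  8 16:41:06 geko postfix/smtpd[15519]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1 commands=6/7
Sep  8 16:41:24 geko postfix/submission/smtpd[15518]: connect from unknown[192.0.2.10]
Sep  8 16:41:25 geko postfix/submission/smtpd[15518]: 1F2E3D4C5B: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.invalid
Sep  8 16:41:31 geko postfix/submission/smtpd[15518]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection rate 4/3600s for (smtpd:203.0.113.5) at Sep  8 16:40:22
"""


def service_of(program):
    """'postfix/smtpd' -> 'smtp' (the port-25 service);
    'postfix/submission/smtpd' -> 'submission' (from syslog_name)."""
    parts = program.split("/")
    return parts[1] if len(parts) == 3 else "smtp"


def parse_sessions(log_text):
    """Group smtpd lines into sessions keyed by smtpd process id."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).endswith("/smtpd"):
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        program, pid, msg = m.group(2), m.group(3), m.group(4)
        if msg.startswith("connect from"):
            open_sessions[pid] = {"service": service_of(program),
                                  "client": CLIENT_RE.match(msg).group(1),
                                  "start": when, "user": None,
                                  "lost": False, "counters": {}}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue  # session began before the excerpt starts
        user = SASL_RE.search(msg)
        if user:
            s["user"] = user.group(1)
        if msg.startswith("lost connection"):
            s["lost"] = True
        if msg.startswith("disconnect from"):
            s["end"] = when
            s["seconds"] = (when - s["start"]).total_seconds()
            # 'data=0/1' means 0 successful of 1 attempted; 'data=1' means 1/1.
            s["counters"] = {k: (int(a), int(b) if b else int(a))
                             for k, a, b in COUNTER_RE.findall(msg)}
            done.append(open_sessions.pop(pid))
    return done


def find_problems(sessions):
    """One line per suspicious session: SASL logins on the port-25 'smtp'
    service (where postscreen and milters add latency), and sessions the
    client dropped before DATA completed."""
    out = []
    for s in sessions:
        tag = (f"{s['client']} {s['user'] or '(no auth)'} via {s['service']} "
               f"in {s['seconds']:.0f}s")
        if s["user"] and s["service"] == "smtp":
            out.append(f"AUTH on port-25 service: {tag}")
        ok, tried = s["counters"].get("data", (0, 0))
        if s["lost"] or ok < tried:
            out.append(f"client gave up before DATA completed: {tag}")
    return out


if __name__ == "__main__":
    for problem in find_problems(parse_sessions(SAMPLE_LOG)):
        print(problem)
```

Run it over `grep smtpd /var/log/maillog` for the affected day; a client that authenticates via the `smtp` service has port 25 configured as its outgoing server, which is the first thing to correct before tuning the content filter.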


[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread Michel Verdier via Postfix-users
On 2023-09-09, lists--- via Postfix-users wrote:

> hmmm, noticed that system has quite high load average, reaching  1.5/1.6
> when I was checking... is that my problem ? or part of it ?
> have I overloaded/underresourced ?
>
> Tasks: 114, 98 thr; 2 running  2
> Load average: 1.18 0.92 0.69

How many cores do you have on that system?


[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 3:52 am, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Sep 08, 2023 at 11:13:02PM +1000, lists--- via Postfix-users
> wrote:


>
> Your amavis content filter has a non-trivial backlog of mail, probably
> because each message takes a long time to process.  Here the message sat
> 5.4 seconds in the incoming queue and then took 11 seconds to deliver
> to amavis.  This bottleneck suggests that the amavis filter is doing remote
> DNS lookups that are quite slow.
>
>
> You need to review your amavis configuration and disable or tune the
> actions that lead to the processing delays.


Viktor, thank you

hmmm, noticed that system has quite high load average, reaching  1.5/1.6
when I was checking... is that my problem ? or part of it ?
have I overloaded/underresourced ?

Tasks: 114, 98 thr; 2 running  2
Load average: 1.18 0.92 0.69




[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
Postfix-users wrote:
> On 08.09.23 23:13, lists--- via Postfix-users wrote:


Matus, Viktor, thanks

> logs from unsuccessful attempts are important, not from the one that
> succeeded.

is there some proper way to identify that..? looking at lines immediately
above I see like, I screen scraped lines immediately above:

Sep  8 16:40:34 geko postfix/qmgr[1654]: 708204346EE: removed
Sep  8 16:40:37 geko postfix/postscreen[21264]: CONNECT from
[111.222.333.444]:50452 to [103.106.168.106]:25
Sep  8 16:40:37 geko postfix/postscreen[21264]: PASS OLD
[111.222.333.444]:50452
Sep  8 16:40:37 geko postfix/smtpd[15732]: connect from
unknown[111.222.333.444]
Sep  8 16:40:37 geko postfix/smtpd[15732]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Sep  8 16:40:37 geko postfix/smtpd[15732]: lost connection after STARTTLS from
unknown[111.222.333.444]
Sep  8 16:40:37 geko postfix/smtpd[15732]: disconnect from
unknown[111.222.333.444] ehlo=1 starttls=1 commands=2
Sep  8 16:40:46 geko postfix/smtpd[15519]: connect from
unknown[111.222.333.444]
Sep  8 16:40:46 geko postfix/smtpd[15519]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:40:47 geko postfix/smtpd[15519]: 2556C4346EC:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection rate
4/3600s for (smtpd:185.222.58.40) at Sep  8 16:40:22
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection count
3 for (smtpd:185.222.58.40) at Sep  8 16:40:19
Sep  8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0
bytes) from unknown[111.222.333.444]
Sep  8 16:41:06 geko postfix/smtpd[15519]: disconnect from
unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1
commands=6/7
Sep  8 16:41:24 geko postfix/smtpd[15518]: connect from
unknown[111.222.333.444]
Sep  8 16:41:25 geko postfix/smtpd[15518]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:41:25 geko postfix/smtpd[15518]: C92564346E5:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
message-id=


>
> so, your users send mail on port 25?


hmmm... supposed to be using 587...

>
>> Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
>> message-id=
>
> this one took 6 seconds.
>
>> Sep  8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field
>> added (s=default, d=tld.com)
>
> and you run opendkim (milter) on that? any other milters?

dkim/dmarc





[pfx] Looking For Advice/Guidance

2023-09-09 Thread duluxoz via Postfix-users

Hi All,

I'm looking for some advice / guidance / help / whatever in making sure 
that I'm setting up my postfix installation correctly. I've gone through 
various on-line tutorials and read just about all of the postfix doco, 
but I'm still unsure / confused about exactly how to set a couple of 
settings.


I have a rather complex (network) setup which is what's throwing me "off".

***The Network***

Four domains:

 * example.local
 * example.net
 * example.com
 * example.org

Lots of servers:

 * mail.example.local
 * sql.example.local (mariadb)
 * haproxy.example.local
 * dns.example.local (plus externally facing dns servers)
 * ca.example.local
 * www.example.local
 * others(.example.local)

Notes:

 * I'm using a split-dns setup
 * example.net, .com, and .org are all Internet via their own dns server(s)
 * haproxy.example.local is a bastion host in the dmz and (almost) all
   traffic flows through it
 * haproxy.example.local proxies www.example.net, mail.example.net,
   etc, etc, etc
 * all servers apart from mail.example.local are null-client postfix
   boxes (for internal alerts, etc)
 * mail.example.local uses sql.example.local for virtual domains,
   mailboxes, etc
 * I run an internal pki (ca.example.net) and all servers have x.509
   certificates
 * haproxy.example.local runs certbot to obtain Let's Encrypt wildcard
   certs for example.net, .com, and .org, and these three certs are
   also (securely) transferred automatically upon renewal to
   mail.example.local
 * mail.example.local also has a wildcard cert for example.local (from
   our internal pki)
 * I am using virtual domains, virtual mailboxes, etc
 * Mail from example.local does not go out to the Internet
 * Mail to example.local is not received from the Internet
 * Mail from example.net, .com, & .org does go out to the Internet
 * Mail to example.net, .com, & .org is received from the Internet
 * I've set up sni for each domain's wildcard cert

***My Questions***

In the mail.example.local's postfix main.cf file:

1. Should mydomain be set to example.local or one of the external facing
   domains?
2. Should myorigin be set to example.local or one of the external
   facing domains?
3. Have I missed anything obvious to anyone?

Thanks in advance for the help

Cheers

Dulux-Oz


