POSTFIX ADDITIONAL NOTES

To keep the main guide approximately clean, here’s some more comments

STARTTLS

alternatives / more options

#inbound
#smtpd_tls_security_level = may
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#outbound
#smtp_tls_security_level = may
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#both directions
#smtp_tls_enforce_peername = yes (default)

unverified_sender and its false-positives

we did NOT enable the unverified_sender feature as it is too restrictive – this prevents unreal addresses to send you messages. try to book a hotel or a flight with that and you will feel the pain. now in case you DO enable it,

draft

        reject_unverified_sender

unverified_sender_reject_code = 550
unverified_sender_reject_reason = Address verification failed
address_verify_map = proxy:btree:$data_directory/verify_cache
address_verify_cache_cleanup_interval = 72h

#unverified_sender_defer_code = 250 #Postfix 2.6 and later
#proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map

you will then need to deal with false-positives on the domains that do not pass through

vi /etc/postfix/client_access

securityfocus.com       OK

postmap /etc/postfix/sender_access

TROUBLESHOOTING

while starting Postfix

postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./sbin/lmtp
...

==> don’t give a fuck about it, it’s complaining about symlinks' rights which point to files with OKAY permissions.

in the logs

close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)

==> use proxy: in the address_verify_map statement as shown above. http://www.postfix.org/ADDRESS_VERIFICATION_README.html

you are triggering reject_unknown_client_hostname or reject_unknown_reverse_client_hostname while you’ve just updated client’s DNS records?

54 5.7.25 Client host rejected: cannot find your hostname, [x.x.x.x]

==> if something fails, it won’t re-check again for a certain time – restart postfix or alter address_verify_negative_cache (default: yes)

RESOURCES

backup mx

Setting Up Postfix As A Backup MX https://www.howtoforge.com/postfix_backup_mx

Configuring Postfix as backup MX host https://www.akadia.com/services/postfix_mx_backup.html

Postfix as backup MX http://www.linuxlasse.net/linux/howtos/Postfix_as_backup_MX


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml