Re: Postfix Mac Administration
- On 1/6/2012 8:35 PM, Eric Lemings wrote:
> Current 'postconf -n' output:
> command_directory = /usr/sbin
This is likely your default. Check with 'postconf -d command_directory'
and remove this line if it is. Don't re-specify default values in
main.cf. It simply clutters things up making sleuthing more difficult
than need be.
> config_directory = /etc/postfix
Same as above.
> daemon_directory = /usr/libexec/postfix
Possibly here as well. On Debian it's /usr/lib/postfix but on OSX it
may be libexec. If the default is libexec, remove this line.
> debug_peer_level = 2
This is the default value. Remove this line. Unless of course Apple
changed the default to another value, which they should not have.
> enable_server_options = yes
This doesn't seem to be a valid main.cf parameter. An Apple add-on I
> imap_submit_cred_file = /private/etc/postfix/submit.cred
Same here.
> inet_interfaces = all
Again, default. Remove this line.
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
Default. Remove.
> mail_owner = _postfix
Default. Remove.
> mailq_path = /usr/bin/mailq
Default. Remove.
> manpage_directory = /usr/share/man
Default. Remove.
> maps_rbl_domains =
Deprecated parameter. Remove.
> mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
Are you sure you need all 6 of these?
> mydomain_fallback = localhost
Another Apple add on, seems useless.
> newaliases_path = /usr/bin/newaliases
Default. Remove.
> postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org bl.spamcop.net
Again, MAPS is a paid service. If you don't have a subscription remove.
> readme_directory = /usr/share/doc/postfix
Default. Remove.
> relayhost =
Default. Remove.
> sendmail_path = /usr/sbin/sendmail
Default. Remove.
> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps =
> smtpd_enforce_tls = no
All 3 are defaults. Remove them.
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
Consolidate your helo restrictions into recipient restrictions.
> smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
Yet another Apple add on...
> smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client rbl-plus.mail-abuse.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/policy, permit
You may want to move these first 3 after reject_unauth_destination.
Also, there's no need for an explicit permit at the end as that is the
> smtpd_use_pw_server = yes
Yet another Apple add on.
> tls_random_source = dev:/dev/urandom
Default. Remove.
> unknown_local_recipient_reject_code = 550
Default. Remove.
> use_sacl_cache = yes
Another Apple add on.
> virtual_alias_maps = $virtual_maps
Default. Remove.
I'm guessing a lot of the redundant default junk in your main.cf was
inserted by Apple (IIRC the CentOS/Red Hat people are horrible about
this as well). Thus your next package upgrade may put them right back in.
> Still quite a bit of spam getting through.
The spam making it in is probably not related to some of the changes you
should make above. Post the "connect from:" lines in your mail log of a
dozen or so of these spam connections so we can identify the sources and
recommend tools/methods to put a dent in it.
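
Added example, not part of the original message: a shell sketch that automates the per-parameter check described above by comparing saved `postconf -n` output against saved `postconf -d` output and listing the settings that only restate a default. The function names `redundant_params` and `demo`, the file names and both sample listings are assumptions constructed for illustration; real defaults depend on the Postfix build.

```shell
#!/bin/sh
# redundant_params NONDEFAULT_FILE DEFAULT_FILE   (hypothetical helper)
#   NONDEFAULT_FILE: saved output of `postconf -n`
#   DEFAULT_FILE:    saved output of `postconf -d`
# Prints "REDUNDANT name" when main.cf restates the default value and
# "NOT_IN_DEFAULTS name" when the name is absent from the default listing.
redundant_params() {
    awk '
        # Split "name = value" at the first "=", then normalise whitespace.
        function parse(line,   i) {
            i = index(line, "=")
            if (i == 0) return 0
            name = substr(line, 1, i - 1); value = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            gsub(/[ \t]+/, " ", value)
            return 1
        }
        # First file: remember every built-in default.
        NR == FNR { if (parse($0)) { def[name] = value; known[name] = 1 }; next }
        # Second file: compare each explicit setting against its default.
        parse($0) {
            if (!(name in known)) print "NOT_IN_DEFAULTS " name
            else if (def[name] == value) print "REDUNDANT " name
        }
    ' "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample of `postconf -n`, using values quoted in the thread.
    cat > "$dir/n.txt" <<'EOF'
command_directory = /usr/sbin
debug_peer_level = 2
enable_server_options = yes
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, mail
EOF
    # Constructed sample of `postconf -d`; not taken from a real system.
    cat > "$dir/d.txt" <<'EOF'
command_directory = /usr/sbin
debug_peer_level = 2
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
EOF
    redundant_params "$dir/n.txt" "$dir/d.txt"
    rm -rf "$dir"
}
demo
```

On a live system, save `postconf -n` and `postconf -d` to two files and pass them in that order; settings the script does not list differ from the default and need a manual decision.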