
Whitelisting from reverse DNS checks

  • L.W. van Braam van Vloten
    Message 1 of 7 , Jul 19, 2013
      Hello list,

      I have configured postfix to not accept connections from clients that fail the reverse dns check.
      But I want to be able to whitelist specific clients, even if the reverse hostname check fails.
       
      To achieve this I configured the following:
      smtpd_client_restrictions =
          check_client_access hash:/etc/postfix/client-whitelist,
          reject_unknown_reverse_client_hostname
       
      /etc/postfix/client-whitelist contains comment lines (starting with #) and entries, like this:
      # mail.acipol.ac.mz
      197.218.14.50         OK
       
      The file is "compiled" with postmap:
      # postmap /etc/postfix/client-whitelist

      This is the result:
      # ls -alF /etc/postfix/client-whitelist*
      -rw-r--r--. 1 root root 1.6K Jul 19 12:07 /etc/postfix/client-whitelist
      -rw-r--r--. 1 root root  12K Jul 19 12:07 /etc/postfix/client-whitelist.db
      I reloaded the postfix configuration:
      # service postfix reload

      The log shows the reload and no further errors or warnings.

      However, connections from the addresses in /etc/postfix/client-whitelist are still rejected:
      Jul 19 12:33:02 christoffel postfix/smtpd[12614]: NOQUEUE: reject: RCPT from unknown[197.218.14.50]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [197.218.14.50]; from=<> to=<<masked>> proto=ESMTP helo=<mail.acipol.ac.mz>
       
      So my question is: What am I doing wrong?
      Any help would be appreciated.

      Some background information:

      I am running Postfix 2.7.1 on Debian Squeeze

      My full configuration is as follows:
      smtpd_banner = $myhostname ESMTP $mail_name
      biff = no
      append_dot_mydomain = no
      readme_directory = no
       
      # TLS parameters
      smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_use_tls=yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
       
      myhostname = <masked>
      relay_domains =
      myorigin = /etc/mailname
      # <masked> is the primary domain
      mydestination = <masked>
      # We are not interested in delivering mail to local system accounts
      local_recipient_maps =
       
      mynetworks_style = host
      mailbox_command = procmail -a "$EXTENSION"
      mailbox_size_limit = 0
       
      recipient_delimiter = *
      inet_interfaces = all
       
      delay_warning_time = 4h
      unknown_local_recipient_reject_code = 550
      maximal_queue_lifetime = 7d
      minimal_backoff_time = 300s
      maximal_backoff_time = 4000s
      smtp_helo_timeout = 60s
      smtpd_recipient_limit = 16
      smtpd_soft_error_limit = 3
      smtpd_hard_error_limit = 12
       
      smtpd_helo_restrictions =
          permit_mynetworks,
          warn_if_reject reject_non_fqdn_helo_hostname,
          reject_invalid_helo_hostname,
          permit
      smtpd_sender_restrictions =
          permit_mynetworks,
          warn_if_reject reject_non_fqdn_sender,
          check_sender_access hash:/etc/postfix/access,
          permit
       
      # Using "smtpd_client_restrictions" to implement basic filtering of badly configured clients.
      # Currently only "reject_unknown_client_hostname" is used to ensure that no clients can send
      # mail to us using a host / domain that does not pass the DNS hostname -> IP mapping and the
      # IP -> hostname reverse mapping test
      smtpd_client_restrictions =
          check_client_access hash:/etc/postfix/client-whitelist,
          reject_unknown_reverse_client_hostname
       
      # WARNING: The following placement of check_recipient_access implies that
      # /etc/postfix/access may ONLY contain REJECT results. Any other results
      # may lead to an open relay.
      # See http://tech.groups.yahoo.com/group/postfix-users/message/207679
      smtpd_recipient_restrictions =
          permit_mynetworks,
          permit_sasl_authenticated,
          reject_unauth_pipelining,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          check_recipient_access hash:/etc/postfix/access,
          check_sender_access hash:/etc/postfix/sender_access,
          check_policy_service inet:127.0.0.1:10023,
          reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client blackholes.easynet.nl,
          reject_rbl_client dnsbl.sorbs.net,
          reject_rbl_client relays.ordb.org,
          reject_rbl_client cbl.abuseat.org,
          reject_rbl_client proxies.blackholes.wirehub.net,
          reject_rbl_client bl.spamcop.net,
          reject_rbl_client sbl.spamhaus.org,
          permit
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_helo_required = yes
      smtpd_delay_reject = yes
      disable_vrfy_command = yes
       
      # smtpd_log_access_permit_actions
      # Setting this to "static:all" will enable logging of all explicit "permit" actions using the above rules
      # See http://www.postfix.org/postconf.5.html#smtpd_log_access_permit_actions
      smtpd_log_access_permit_actions = static:all
       
      alias_maps =
         hash:/etc/aliases,
         hash:/var/lib/mailman/data/aliases
      # alias_database specifies which databases are rebuilt when the
      # "newaliases" command is invoked. Obviously, only maps that need
      # to be rebuilt (hash, btree, dbm) are to be listed here.
      # alias_maps specifies where Postfix looks for aliases.
      alias_database = $alias_maps
       
      # The UID and GID for the mailbox files
      virtual_uid_maps = static:5000
      virtual_gid_maps = static:5000
      virtual_mailbox_base = /var/spool/mail/virtual
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
      virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
       
      # amavis anti-spam and virusscanner
      content_filter = amavis:[127.0.0.1]:10024
       
      # recipient_bcc_maps : We use this setting to generate an automatic
      # bcc of all mail to the management address, to an external account
      # Entries in this file are in the form "<internal address> <bcc address>"
      # After modifying this file, give a "postmap /etc/postfix/recipient_bcc"
      recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
       
      # DKIM implementation
      # See http://www.debiantutorials.com/setup-domainkeys-identified-mail-dkim-in-postfix/
      milter_default_action = accept
      milter_protocol = 2
      smtpd_milters = inet:localhost:8891
      non_smtpd_milters = inet:localhost:8891

      Regards,
      Lucas
    • Michael Orlitzky
      Message 2 of 7 , Jul 19, 2013
        On 07/19/2013 08:19 AM, L.W. van Braam van Vloten wrote:
        > Hello list,
        >
        > I have configured postfix to not accept connections from clients that
        > fail the reverse dns check.
        > But I want to be able to whitelist specific clients, even if the reverse
        > hostname check fails.
        >
        > To achieve this I configured the following:
        > smtpd_client_restrictions =
        > check_client_access hash:/etc/postfix/client-whitelist,
        > reject_unknown_reverse_client_hostname
        >
        > /etc/postfix/client-whitelist contains comment lines (starting with #)
        > and entries, like this:
        > # mail.acipol.ac.mz
        > 197.218.14.50 OK
        >

        What you probably want is,

        smtpd_client_restrictions =
        check_client_access cidr:/etc/postfix/client_access

        and then,

        $ cat /etc/postfix/client_access

        # Legitimate clients without rDNS.
        197.218.14.50 DUNNO

        # Default action
        0.0.0.0/0 reject_unknown_reverse_client_hostname

        The first matching entry in /etc/postfix/client_access is what will be
        used, so the whitelist entries will hit first. If none of the whitelist
        entries are matched, then the default will kick in.

        If you ever add more smtpd_client_restrictions, this method avoids
        skipping the entire set of tests for hosts which should only be
        whitelisted against the reject_unknown_reverse_client_hostname test.
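
Added example (not part of the original thread, and not Postfix code): a simplified Python model of how a restriction list treats an `OK` versus a `DUNNO` result from an access table, using the table from the reply above. The `rbl_listed` flag, the 192.0.2.10 client and the trailing `reject_rbl_client` restriction are constructed for illustration.

```python
import ipaddress

# Table from the reply above (cidr: the first matching line wins).
CLIENT_ACCESS = """\
# Legitimate clients without rDNS.
197.218.14.50 DUNNO

# Default action
0.0.0.0/0 reject_unknown_reverse_client_hostname
"""

# The original poster's whitelist entry, which returns OK instead of DUNNO.
CLIENT_WHITELIST = "# mail.acipol.ac.mz\n197.218.14.50 OK\n"


def parse_table(text):
    """Parse 'pattern action' lines in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action))
    return rules


def lookup(rules, ip):
    """Return the action of the first matching rule, or DUNNO when none matches."""
    addr = ipaddress.ip_address(ip)
    for network, action in rules:
        if addr in network:
            return action
    return "DUNNO"


TABLES = {
    "cidr:/etc/postfix/client_access": parse_table(CLIENT_ACCESS),
    "hash:/etc/postfix/client-whitelist": parse_table(CLIENT_WHITELIST),
}

# Restriction lists to compare; the reject_rbl_client entry stands in for
# "more smtpd_client_restrictions" added later (constructed).
ORIGINAL = ["check_client_access hash:/etc/postfix/client-whitelist",
            "reject_unknown_reverse_client_hostname",
            "reject_rbl_client zen.spamhaus.org"]
SUGGESTED = ["check_client_access cidr:/etc/postfix/client_access",
             "reject_rbl_client zen.spamhaus.org"]

# Constructed client facts: the whitelisted host has no rDNS and, for the sake
# of the comparison, is assumed to be on the blocklist as well.
WHITELISTED = {"ip": "197.218.14.50", "has_rdns": False, "rbl_listed": True}
STRANGER = {"ip": "192.0.2.10", "has_rdns": False, "rbl_listed": False}


def evaluate(restrictions, client):
    """Walk one restriction list; return (verdict, list of checks that ran)."""
    ran, pending = [], list(restrictions)
    while pending:
        item = pending.pop(0)
        name, _, arg = item.partition(" ")
        if name == "check_client_access":
            result = lookup(TABLES[arg], client["ip"])
            ran.append(f"{item} -> {result}")
            if result == "OK":          # permit: the rest of the list is skipped
                return "PERMIT", ran
            if result == "REJECT":
                return "REJECT", ran
            if result != "DUNNO":       # the table named another restriction
                pending.insert(0, result)
        elif name == "reject_unknown_reverse_client_hostname":
            ran.append(item)
            if not client["has_rdns"]:
                return "REJECT", ran
        elif name == "reject_rbl_client":
            ran.append(item)
            if client["rbl_listed"]:
                return "REJECT", ran
        else:
            raise ValueError(f"restriction not modelled: {item}")
    return "DUNNO", ran                 # no decision; the next list is consulted


if __name__ == "__main__":
    for label, rules in (("OK whitelist", ORIGINAL), ("DUNNO table", SUGGESTED)):
        verdict, ran = evaluate(rules, WHITELISTED)
        print(f"{label}: {verdict}")
        for step in ran:
            print("   ", step)
```

On a live system, `postmap -q 197.218.14.50 cidr:/etc/postfix/client_access` prints what the table returns for a given address.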
      • Noel Jones
        Message 3 of 7 , Jul 19, 2013
          On 7/19/2013 7:19 AM, L.W. van Braam van Vloten wrote:
          > Hello list,
          >
          > I have configured postfix to not accept connections from clients
          > that fail the reverse dns check.
          > But I want to be able to whitelist specific clients, even if the
          > reverse hostname check fails.
          >
          > To achieve this I configured the following:
          > smtpd_client_restrictions =
          > check_client_access hash:/etc/postfix/client-whitelist,
          > reject_unknown_reverse_client_hostname
          >
          > /etc/postfix/client-whitelist contains comment lines (starting with
          > #) and entries, like this:
          > # mail.acipol.ac.mz
          > 197.218.14.50 OK
          >
          > The file is "compiled" with postmap:
          > # postmap /etc/postfix/client-whitelist
          >
          > This is the result:
          > # ls -alF /etc/postfix/client-whitelist*
          > -rw-r--r--. 1 root root 1.6K Jul 19 12:07 /etc/postfix/client-whitelist
          > -rw-r--r--. 1 root root 12K Jul 19 12:07
          > /etc/postfix/client-whitelist.db
          > I reloaded the postfix configuration:
          > # service postfix reload
          >
          > The log shows the reload and no further errors or warnings.
          >
          > However, connections from the addresses in
          > /etc/postfix/client-whitelist are still rejected:
          > Jul 19 12:33:02 christoffel postfix/smtpd[12614]: NOQUEUE: reject:
          > RCPT from unknown[197.218.14.50]: 450 4.7.1 Client host rejected:
          > cannot find your reverse hostname, [197.218.14.50]; from=<>
          > to=<<masked>> proto=ESMTP helo=<mail.acipol.ac.mz>
          >
          > So my question is: What am I doing wrong?
          > Any help would be appreciated.


          The general procedure you describe is correct. I suspect a typo in
          your main.cf.

          Please show your "postconf -n" output for further help.



          -- Noel Jones
        • L.W. van Braam van Vloten
          Message 4 of 7 , Jul 22, 2013
            Hello list,

            Thanks for the info, in a different thread I also saw a reference to
            http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html and it helped me to modify my config. In addition I upgraded to Postfix 2.9.3 because I want to start using permit_dnswl_client as
            well.

            It seems to work as expected, but I have the uncomfortable feeling
            that I still missed something crucial...

            >
            > Please show your "postconf -n" output for further help.
            >

            Are there any bad mistakes in the following config, in particular
            regarding smtpd_recipient_restrictions and related settings?

            Thank you for your help,
            Lucas

            # postconf -nf

            alias_database = $alias_maps
            alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
            append_dot_mydomain = no
            biff = no
            config_directory = /etc/postfix
            content_filter = amavis:[127.0.0.1]:10024
            delay_warning_time = 4h
            disable_vrfy_command = yes
            inet_interfaces = all
            local_recipient_maps =
            mailbox_command = procmail -a "$EXTENSION"
            mailbox_size_limit = 0
            maximal_backoff_time = 4000s
            maximal_queue_lifetime = 7d
            milter_default_action = accept
            milter_protocol = 2
            minimal_backoff_time = 300s
            mydestination = list.ecompass.nl
            myhostname = mail.ecompass.nl
            mynetworks_style = host
            myorigin = /etc/mailname
            non_smtpd_milters = inet:localhost:8891
            readme_directory = no
            recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
            recipient_delimiter = *
            relay_domains =
            smtp_helo_timeout = 60s
            smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
            smtpd_banner = $myhostname ESMTP $mail_name
            smtpd_client_restrictions = check_client_access
            cidr:/etc/postfix/client-access
            smtpd_data_restrictions = reject_unauth_pipelining
            smtpd_delay_reject = yes
            smtpd_hard_error_limit = 12
            smtpd_helo_required = yes
            smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname,
            reject_invalid_helo_hostname, permit
            smtpd_milters = inet:localhost:8891
            smtpd_recipient_limit = 16
            smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
            reject_unauth_destination, reject_unauth_pipelining,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient, reject_unknown_recipient_domain,
            reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:10023,
            check_recipient_access hash:/etc/postfix/recipient-access,
            check_sender_access hash:/etc/postfix/sender-access, check_client_access
            cidr:/etc/postfix/client-whitelist, permit_dnswl_client
            list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client zen.spamhaus.org,
            reject_rbl_client dnsbl.sorbs.net, reject_rbl_client
            bl.spamcop.net, permit
            smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
            reject_non_fqdn_sender, permit
            smtpd_soft_error_limit = 3
            smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
            smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
            smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
            smtpd_use_tls = yes
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
            virtual_gid_maps = static:5000
            virtual_mailbox_base = /var/spool/mail/virtual
            virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
            virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
            virtual_uid_maps = static:5000
          • Noel Jones
            Message 5 of 7 , Jul 22, 2013
              On 7/22/2013 10:21 AM, L.W. van Braam van Vloten wrote:
              > Hello list,
              >
              > Thanks for the info, in a different thread I also saw a reference to
              > http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html
              > and it helped me to modify my config. In addition I upgraded to
              > Postfix 2.9.3 because I want to start using permit_dnswl_client as
              > well.
              >
              > It seems to work as expected, but I have the uncomfortable feeling
              > that I still missed something crucial...
              >
              >>
              >> Please show your "postconf -n" output for further help.
              >>
              >
              > Are there any bad mistakes in the following config, in particular
              > regarding smtpd_recipient_restrictions and related settings?

              some comments below...


              >
              > Thank you for your help,
              > Lucas
              >
              > # postconf -nf
              >
              > alias_database = $alias_maps
              > alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
              > append_dot_mydomain = no
              > biff = no
              > config_directory = /etc/postfix
              > content_filter = amavis:[127.0.0.1]:10024
              > delay_warning_time = 4h
              > disable_vrfy_command = yes
              > inet_interfaces = all
              > local_recipient_maps =

              An empty local_recipient_maps will cause your postfix to accept mail
              for undeliverable local addresses, then attempt to bounce them. This
              will clog your queue with undeliverable bounces and get you blacklisted.


              > mailbox_command = procmail -a "$EXTENSION"
              > mailbox_size_limit = 0

              A size limit of 0 is unwise. Far better to set an absurdly large
              limit than no limit at all.

              > maximal_backoff_time = 4000s
              > maximal_queue_lifetime = 7d
              > milter_default_action = accept
              > milter_protocol = 2
              > minimal_backoff_time = 300s
              > mydestination = list.ecompass.nl
              > myhostname = mail.ecompass.nl
              > mynetworks_style = host
              > myorigin = /etc/mailname
              > non_smtpd_milters = inet:localhost:8891
              > readme_directory = no
              > recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
              > recipient_delimiter = *
              > relay_domains =
              > smtp_helo_timeout = 60s
              > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
              > smtpd_banner = $myhostname ESMTP $mail_name
              > smtpd_client_restrictions = check_client_access
              > cidr:/etc/postfix/client-access

              Typically you would begin this with permit_mynetworks,
              permit_sasl_authenticated so you don't reject authorized mail.

              > smtpd_data_restrictions = reject_unauth_pipelining
              > smtpd_delay_reject = yes
              > smtpd_hard_error_limit = 12
              > smtpd_helo_required = yes
              > smtpd_helo_restrictions = permit_mynetworks,

              Probably want permit_sasl_authenticated here.


              > reject_non_fqdn_helo_hostname,
              > reject_invalid_helo_hostname, permit

              The final "permit" is unnecessary, but won't break anything. This
              is true for all the smtpd_*_restrictions sections.

              > smtpd_milters = inet:localhost:8891
              > smtpd_recipient_limit = 16

              This limits each SMTP transaction to no more than 16 RCPT TO
              commands per session. The sender is then free to connect again with
              more recipients. Setting this parameter to a low value can actually
              increase the load on your server, and does little or nothing to
              thwart unwanted mail.


              > smtpd_recipient_restrictions = permit_mynetworks,
              > permit_sasl_authenticated,
              > reject_unauth_destination, reject_unauth_pipelining,
              > reject_non_fqdn_sender,

              Good.

              > reject_non_fqdn_recipient, reject_unknown_recipient_domain,

              Putting reject_unknown_recipient_domain after
              reject_unauth_destination can only reject your own domain.

              The intended use is before "permit_mynetworks,
              permit_sasl_authenticated" to prevent your own users from sending
              mail to mistyped destinations.


              > reject_unknown_sender_domain, check_policy_service
              > inet:127.0.0.1:10023,
              > check_recipient_access hash:/etc/postfix/recipient-access,
              > check_sender_access hash:/etc/postfix/sender-access,
              > check_client_access
              > cidr:/etc/postfix/client-whitelist,

              Typically the whitelist would be before any of the rules that might
              reject mail, such as the check_*_access and the reject_* rules.


              > permit_dnswl_client
              > list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
              > zen.spamhaus.org,
              > reject_rbl_client dnsbl.sorbs.net, reject_rbl_client
              > bl.spamcop.net, permit
              > smtpd_sender_restrictions = permit_mynetworks,


              Missing permit_sasl_authenticated here.

              > warn_if_reject
              > reject_non_fqdn_sender, permit
              > smtpd_soft_error_limit = 3
              > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
              > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
              > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
              > smtpd_use_tls = yes
              > unknown_local_recipient_reject_code = 550
              > virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
              > virtual_gid_maps = static:5000
              > virtual_mailbox_base = /var/spool/mail/virtual
              > virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
              > virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
              > virtual_uid_maps = static:5000
              >
              >



              -- Noel Jones
            • L.W. van Braam van Vloten
              Message 6 of 7 , Jul 22, 2013

                Hi,

                Thanks for your clear reply, that really helps!

                One last question: How should I configure local_recipient_maps?

                Noel said:

                local_recipient_maps =
                An empty local_recipient_maps will cause your postfix to accept mail
                for undeliverable local addresses, then attempt to bounce them.  This
                will clog your queue with undeliverable bounces and get you blacklisted.

                I am running a mailing list server, Listserv, for which all available addresses are defined in /etc/aliases,
                and also a mailman server using /var/lib/mailman/data/aliases.
                I also use a limited number of virtual mailboxes, using a mysql database containing a table for mailboxes and a table for aliases, and local maildir storage.
                I don't want to deliver mail to local system accounts.

                So I thought I had to use the following:
                local_recipient_maps = $alias_maps $virtual_mailbox_maps $virtual_alias_maps
                Which works

                But if I use 
                local_recipient_maps = $alias_maps
                then mail to the virtual mailboxes is still delivered...

                In addition, if I use
                local_recipient_maps = 
                then the server will not accept mail for non-existing addresses, which seems to contradict Noel's warning:
                     550 5.1.1 <nonexisting@...>: Recipient address rejected: User unknown in local recipient table

                So I don't really understand how this setting works...

                Thanks!
                Lucas

                My latest config:
                # postconf -nf
                alias_database = $alias_maps
                alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
                append_dot_mydomain = no
                biff = no
                config_directory = /etc/postfix
                content_filter = amavis:[127.0.0.1]:10024
                delay_warning_time = 4h
                disable_vrfy_command = yes
                inet_interfaces = all
                mailbox_command = procmail -a "$EXTENSION"
                mailbox_size_limit = 107374182400
                maximal_backoff_time = 4000s
                maximal_queue_lifetime = 7d
                milter_default_action = accept
                milter_protocol = 2
                minimal_backoff_time = 300s
                mydestination = list.ecompass.nl
                myhostname = mail.ecompass.nl
                mynetworks_style = host
                myorigin = /etc/mailname
                non_smtpd_milters = inet:localhost:8891
                readme_directory = no
                recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
                recipient_delimiter = *
                relay_domains =
                smtp_helo_timeout = 60s
                smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                smtpd_banner = $myhostname ESMTP $mail_name
                smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
                    check_client_access cidr:/etc/postfix/client-access
                smtpd_data_restrictions = reject_unauth_pipelining
                smtpd_delay_reject = yes
                smtpd_hard_error_limit = 12
                smtpd_helo_required = yes
                smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
                    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
                smtpd_milters = inet:localhost:8891
                smtpd_recipient_restrictions = reject_unknown_recipient_domain,
                    permit_mynetworks, permit_sasl_authenticated, check_client_access
                    cidr:/etc/postfix/client-whitelist, permit_dnswl_client
                    list.dnswl.org=127.0.[0..255].[1..3], check_sender_access
                    hash:/etc/postfix/sender-access, check_recipient_access
                    hash:/etc/postfix/recipient-access, reject_unauth_destination,
                    reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
                    reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:10023,
                    reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net,
                    reject_rbl_client bl.spamcop.net, permit
                smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
                    warn_if_reject reject_non_fqdn_sender, permit
                smtpd_soft_error_limit = 3
                smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                smtpd_use_tls = yes
                unknown_local_recipient_reject_code = 550
                virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
                virtual_gid_maps = static:5000
                virtual_mailbox_base = /var/spool/mail/virtual
                virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
                virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
                virtual_uid_maps = static:5000
                 
              • Noel Jones
                Message 7 of 7 , Jul 22, 2013
                  On 7/22/2013 4:27 PM, L.W. van Braam van Vloten wrote:
                  > Hi,
                  >
                  > Thanks for your clear reply, that really helps!
                  >
                  > One last question: How should I configure local_recipient_maps?


                  The default setting of
                  local_recipient_maps = proxy:unix:passwd.byname $alias_maps
                  should be appropriate for the vast majority of sites.

                  Note that "local recipients" means domains listed in mydestination,
                  not virtual alias or virtual mailbox domains.


                  -- Noel Jones