Some questions

Dear postfix users,

Since, after a longer break, I once again have the opportunity to occupy myself
intensively with Postfix and related topics, a few questions have come up on
which I need some help or advice.
I have also attached my current configuration, which I built back then
essentially from Peer's Postfix book, with the request that you take a look
or two at it and report back any oddities, other inconsistencies or current
possibilities for improvement. Many thanks in advance for that!

So, now my questions:
● I have connected Dovecot to Postfix via "relay_domains". I do the
forwarding and rewriting of recipients with virtual_alias_maps.
But according to "Peer's commandment" ("Thou shalt have only one address
class!"), is there something like a relay_alias_maps? Or is the procedure
described above still "correct"?

● A new mail server is, among other things, supposed to rewrite many mail
addresses of an organization to private addresses. Is there a best practice
for SPF, DKIM and DMARC here, given that rewriting via virtual_alias_maps only
touches the envelope To, but neither the FROM nor the header To, so that the
corresponding records become "invalid"? What options would I have to delete
the corresponding header lines, or better to rewrite the sender, and what
happens to the bounces then?

● Is there a way to evaluate which mail servers still deliver WITHOUT TLS?

● OT - does anyone here have experience with the webmailer RainLoop - and if so, what kind?

● Below is my current configuration:

Regards
Mario

postconf -n
address_verify_map = btree:${data_directory}/verify_cache
address_verify_positive_refresh_time = 1d
alias_database = btree:/etc/aliases
alias_maps = btree:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = no
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/pcre/body_checks_pcre,
pcre:/etc/postfix/pcre/_body_checks.act
bounce_queue_lifetime = 1d
bounce_template_file = /etc/postfix/bounce-template/bounce.de-DE.cf
canonical_maps = proxy:btree:/etc/postfix/lookup/canonical_maps
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 1
default_database_type = btree
default_destination_recipient_limit = 44
delay_warning_time = 2h
disable_vrfy_command = yes
echo_destination_recipient_limit = 1
enable_long_queue_ids = yes
enable_original_recipient = yes
header_checks = pcre:/etc/postfix/pcre/header_checks_pcre,
pcre:/etc/postfix/pcre/_header_checks.act,
pcre:/etc/postfix/pcre/header_checks_pcre_spam,
pcre:/etc/postfix/pcre/header_checks_pcre_out
header_size_limit = 32768
inet_interfaces = 127.0.0.1, 84.38.75.37, 84.38.76.9, [2a00:5080:1:15::8],
[2a00:5080:1:15::7]
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = permit_inet_interfaces,
permit_sasl_authenticated, permit_tls_clientcerts
mail_owner = postfix
maximal_queue_lifetime = 2d
message_size_limit = 24000000
mime_header_checks = pcre:/etc/postfix/pcre/mime_header_checks_pcre
minimal_backoff_time = 444
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
myhostname = mx00.vx.hn
mynetworks = 127.0.0.0/24
myorigin = $myhostname
non_fqdn_reject_code = 474
notify_classes = resource, software, bounce, delay, 2bounce
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_map = btree:${data_directory}/postscreen_cache
postscreen_cache_retention_time = 37d
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.spamcop.net*1,
multi.uribl.com*1, b.barracudacentral.org*1, bl.mailspike.net*1,
swl.spamhaus.org*-2,
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_wait = ${stress?2}${stress:8}s
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_watchdog_timeout = 11s
postscreen_whitelist_interfaces = !84.38.76.9, ![2a00:5080:1:15::7],
static:84.38.75.37, static:[2a00:5080:1:15::8]
queue_directory = /var/spool/postfix
recipient_canonical_maps =
proxy:btree:/etc/postfix/lookup/recipient_canonical_maps
recipient_delimiter = +
relay_clientcerts = btree:/etc/postfix/restrictions/relay_clientcerts
relay_domains = proxy:btree:/etc/postfix/lookup/relay_domains
relocated_maps = proxy:btree:/etc/postfix/lookup/relocated_maps
remote_header_rewrite_domain = domain.invalid
sender_canonical_maps = proxy:btree:/etc/postfix/lookup/sender_canonical_maps
show_user_unknown_table_name = no
smtp_dns_reply_filter = pcre:/etc/postfix/pcre/smtp_dns_reply_filter
smtp_dns_support_level = dnssec
smtp_helo_timeout = 120
smtp_reply_filter = pcre:/etc/postfix/pcre/smtp_reply_filter
smtp_starttls_timeout = 120
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_block_early_mail_reply = yes
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_cache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
smtpd_delay_reject = yes
smtpd_discard_ehlo_keywords = silent-discard, dsn, etrn, pipelining
smtpd_end_of_data_restrictions = permit
smtpd_etrn_restrictions = reject
smtpd_forbidden_commands = CONNECT GET POST
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_proxy_options = speed_adjust
smtpd_proxy_timeout = 595s
smtpd_recipient_limit = 44
smtpd_recipient_restrictions = reject_invalid_helo_hostname,
check_client_access btree:/etc/postfix/restrictions/access_client,
check_client_access cidr:/etc/postfix/restrictions_cidr/access_client_cidr,
check_helo_access btree:/etc/postfix/restrictions/access_helo,
check_sender_access btree:/etc/postfix/restrictions/access_sender,
check_recipient_access btree:/etc/postfix/restrictions/access_recipient,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
check_sender_access pcre:/etc/postfix/pcre/umlaute_pcre check_recipient_access
pcre:/etc/postfix/pcre/umlaute_pcre permit_sasl_authenticated,
permit_mynetworks, permit_tls_clientcerts, reject_unlisted_recipient
check_client_access cidr:/etc/postfix/sperrlists/ch_ko_sperrlist.act.cidr
warn_if_reject check_client_access pcre:/etc/postfix/pcre/_dynip,
check_sender_ns_access btree:/etc/postfix/restrictions_misc/_bogus_dns,
check_sender_ns_access cidr:/etc/postfix/restrictions_cidr/invalid_ns_cidr,
check_sender_mx_access cidr:/etc/postfix/restrictions_cidr/_bogus_mx_cidr,
check_sender_mx_access cidr:/etc/postfix/restrictions_cidr/spamhaus_mx_cidr,
check_client_access btree:/etc/postfix/restrictions/access_client_dns,
reject_unknown_helo_hostname, reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname, reject_non_fqdn_helo_hostname,
check_recipient_access btree:/etc/postfix/restrictions/access_recipient_rfc,
check_policy_service unix:private/postgrey-lmtp, check_policy_service
unix:postfwd/postfwd-lmtp, reject_unverified_recipient, check_policy_service
unix:private/quota-status,
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks = 127.0.0.0/8
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/keys/vx.hn.ca.bundle-2018-2020.crt
smtpd_tls_dh1024_param_file = /etc/postfix/keys/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/keys/dh2048.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/keys/vx.hn-wc-2018-2020.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3700s
smtputf8_enable = no
soft_bounce = no
strict_7bit_headers = no
strict_rfc821_envelopes = yes
tls_high_cipherlist =
EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL:!PSK:!kRSA:!SRP:!kDHd:!EXPORT:!ADH:!LOW@STRENGTH
tls_preempt_cipherlist = yes
tls_random_exchange_name = ${data_directory}/prng_exch
tls_ssl_options = no_compression
transport_maps =
proxy:btree:/etc/postfix/lookup/transport_maps,proxy:btree:/etc/postfix/lookup/relay_domains
unknown_address_reject_code = 571
unknown_client_reject_code = 473
unknown_hostname_reject_code = 572
unverified_recipient_reject_code = 570
virtual_alias_maps = proxy:btree:/etc/postfix/lookup/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_minimum_uid = 100
virtual_uid_maps = static:5000

--
Personally IS0-certified in applied competence simulation.
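The third question (which peers still deliver without TLS) can be answered from the smtpd log that the posted configuration already produces with smtpd_tls_loglevel = 1. The following script is an added example, not part of Mario's post; the log lines are constructed and the hostnames and addresses are placeholders.

```python
"""Find inbound SMTP sessions that never negotiated STARTTLS.
Added example (not from the original post). It assumes smtpd_tls_loglevel = 1
as in the posted config, so that smtpd logs "TLS connection established" lines,
and correlates connect / TLS / disconnect lines per smtpd process id.
"""
import re
from collections import defaultdict

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
TLS_RE = re.compile(r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
                    r"established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")

# Constructed sample log; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx00 postfix/smtpd[4101]: connect from mail.example.org[192.0.2.10]
Mar  3 10:00:01 mx00 postfix/smtpd[4101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:00:02 mx00 postfix/smtpd[4101]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar  3 10:00:05 mx00 postfix/smtpd[4102]: connect from legacy.example.net[198.51.100.7]
Mar  3 10:00:06 mx00 postfix/smtpd[4102]: disconnect from legacy.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  3 10:00:09 mx00 postfix/smtpd[4101]: connect from legacy.example.net[198.51.100.7]
Mar  3 10:00:10 mx00 postfix/smtpd[4101]: disconnect from legacy.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

def audit_tls(lines):
    """Return {(host, ip): {"tls": n, "plain": n}} over completed sessions."""
    open_sessions = {}  # pid -> [host, ip, tls_negotiated]
    stats = defaultdict(lambda: {"tls": 0, "plain": 0})
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if c := CONNECT_RE.match(msg):
            # an smtpd pid serves many sessions; each connect starts a fresh one
            open_sessions[pid] = [c["host"], c["ip"], False]
        elif TLS_RE.match(msg) and pid in open_sessions:
            open_sessions[pid][2] = True
        elif DISCONNECT_RE.match(msg) and pid in open_sessions:
            host, ip, tls = open_sessions.pop(pid)
            stats[(host, ip)]["tls" if tls else "plain"] += 1
    return dict(stats)

def plaintext_senders(stats):
    """Peers with at least one cleartext session, most cleartext sessions first."""
    rows = [(peer, n["plain"], n["tls"]) for peer, n in stats.items() if n["plain"]]
    return sorted(rows, key=lambda r: -r[1])
```

Because postscreen sits in front of smtpd in this setup, only sessions that passed postscreen appear in these counts; the same per-message information also lands in the Received: header via smtpd_tls_received_header = yes.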