Postfix inbox stays empty, timeout when sending

ascTim

Hello, I'm trying to get a Postfix mail server running. However, I currently still have two problems:

Problem 1:
The inbox stays empty; when I send a test email from another account I then receive an automatic reply:
Subject: Testmail

This message has not been delivered yet. Delivery will continue to be attempted.

Delivery of this message will be attempted for the next 1 day, 22 hours and 59 minutes. You will be notified if the message cannot be delivered by then.

Problem 2:
Sending an email only works when I send "outwards". For a mail to myself I get a timeout. Via "mailq" I then get the following info:
(connect to mail.domain.com[2**.***.***.***]:25: Connection timed out)

The connection is made via port 995 (SSL) and 587 (TLS).

What can I check to fix the problem?
 
That could be anything: errors in the configuration, a Postfix service that isn't running, wrong DNS configuration, ports blocked by a firewall (port 25 among others) etc.
What do the logs say?
 
Grep for postfix in the syslog or maillog around the time of the problem.
There will be something in there.
 
The Postfix service is running. What I don't understand is why port 25 is shown in the queue when I selected port 587 as the SMTP port? Or am I missing something here?

In the syslog I find the following entry. Could the error be here?

Sep 6 12:09:01 Servername postfix/local[31211]: 685031FF40: to=<ascTim@mail.domain.com>, orig_to=<root>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)

Shouldn't the bold part contain only the domain name?

Edit: When sending a mail to my GMX account I get the following message in the mail queue:
(host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx017) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=80.157.3.250)

Does that help at all?
 
The Postfix service is running. What I don't understand is why port 25 is shown in the queue when I selected port 587 as the SMTP port?

Because mail exchange between mail servers always runs over port 25. Port 587, the submission port, is only intended for clients that deliver their mail through it using authentication.

In the syslog I find the following entry. Could the error be here?

That depends on what you have configured, e.g. what you use as the user database etc.

Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=80.157.3.250

The error message is quite telling. For your IP 80.157.3.250 there is either no PTR record in DNS (also known as a reverse DNS entry) or only an invalid one. GMX (and some other providers) check that it exists and is plausible. This topic has been chewed over quite thoroughly several times here in the forum, so you should find something fairly quickly.

Sending an email only works when I send "outwards". For a mail to myself I get a timeout.
That sounds to me as if the server doesn't consider itself responsible for the domain. Otherwise it wouldn't try to deliver it over port 25.

What can I check to fix the problem?
Show us your Postfix main.cf… :-)


Regards, Christian
 
This is my main.cf...

Code:
# SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname

# Disable local biff service
biff = no

# Do not append the string $mydomain to -locally- submitted email.
append_dot_mydomain = no

# Readme directory
readme_directory = /usr/share/doc/postfix

# HTML directory
html_directory = /usr/share/doc/postfix/html

# Certificates
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
smtpd_tls_key_file = /etc/ssl/mail/mail.key

# Opportunistic TLS. TLS auth only.
smtp_use_tls = no
smtpd_use_tls = no
smtp_tls_security_level = none
smtpd_tls_security_level = none

#smtpd_tls_security_level=may
smtpd_tls_auth_only=yes

# DH parameters, actually 2048 bit long
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem

# CA path for SMTP client connections to external servers
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# TLS session cache for SMTPd
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Disallow SSLv2 and SSLv3, only accept secure ciphers
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA

# Log TLS handling
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Delay reject until RCPT TO
smtpd_delay_reject = yes

# Enable elliptic curve cryptography, "ultra" needs more cpu time
smtpd_tls_eecdh_grade = strong

# Default: Anonymize outgoing mail headers
smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre

# Sender, recipient, client and data restrictions
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
   permit_mynetworks,
   reject_sender_login_mismatch,
   permit_sasl_authenticated,
   reject_unlisted_sender,
   reject_unknown_sender_domain

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_invalid_helo_hostname,
   reject_unknown_reverse_client_hostname,
   reject_unauth_destination

smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit

smtpd_restriction_classes = greylist

greylist = permit_dnswl_client list.dnswl.org,
   check_policy_service inet:127.0.0.1:10023

# Determine valid MAIL FROM addresses for a SASL authenticated user.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf

# Sender dependent smtp service for TLS enforced connections
sender_dependent_default_transport_maps = proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf

# Certificates
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key

# Set a higher timeout for connecting, sending and receiving information from/to a proxy (FuGlu)
smtpd_proxy_timeout = 600s

# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
#smtp_tls_security_level=may

# TLS session cache for SMTP
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# A custom list with secure ciphers.
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# Use the FQDN for the local hostname!
myhostname = DOMAIN.com

# Alias maps and database for -local- delivery only
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
myorigin = /etc/mailname

# The list of domains that are delivered via the -local- mail delivery transport. No external domains like "DOMAIN.com" belong here! "mail.DOMAIN.com" is fine.
mydestination = mail.DOMAIN.com, localhost.DOMAIN.com, localhost

# We lookup MX records to send non-local mail, so this stays empty
relayhost =

# We relay for these domains
relay_domains= proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf

# Relay only for these accounts
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf

# Trusted SMTP clients with more privileges. Trusted clients can relay mail.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# The maximal size of any -local- individual mailbox
mailbox_size_limit = 0

# Handle Postfix-style extensions
recipient_delimiter = +

# The network interface addresses that this mail system receives mail on.
inet_interfaces = all

# Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
inet_protocols = all

# VRFY command is not really needed anymore
disable_vrfy_command = yes

# Please say hello first...
smtpd_helo_required = yes

# The SASL plug-in type that the Postfix SMTP server should use for authentication.
smtpd_sasl_type=dovecot

# Where to passthrough our authentication information for the above plug-in
smtpd_sasl_path=private/auth_dovecot

# Enable SASL authentication in the Postfix SMTP server.
smtpd_sasl_auth_enable = yes

# Report the SASL authenticated user name in the smtpd Received message header.
smtpd_sasl_authenticated_header = yes

smtpd_sasl_security_options = noanonymous

# Have Postfix advertise AUTH support in a non-standard way.
broken_sasl_auth_clients = yes

# The lookup tables that the proxymap server is allowed to access for the read-only service.
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

## Virtual transport configuration
# A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
virtual_mailbox_base = /var/vmail/

# THIS contains a list of domains we are the final destination for (unlike "mydestination").
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf

# Alias specific mail addresses or domains to other local or remote address.
virtual_alias_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

# Specify a left-hand side of "@DOMAIN.com" to match any user in the specified domain
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

# The minimum user ID value that the virtual delivery agent accepts
virtual_minimum_uid = 104

# We use "vmail" user with UID/GID 5000 to lookup tables
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
virtual_transport = lmtp:unix:private/dovecot-lmtp

## Queue configuration
# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
maximal_queue_lifetime = 1d

# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
bounce_queue_lifetime = 1d

# The time between deferred queue scans by the queue manager.
queue_run_delay = 300s

# The maximal/minimal time between attempts to deliver a deferred message.
maximal_backoff_time = 1800s
minimal_backoff_time = 300s

# Maximum mail size
message_size_limit = 26214400

# This tarpits a client after 3 erroneous commands for 10s
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}

# Feel free to maintain a white-/blacklist for Postscreen
postscreen_access_list = permit_mynetworks,
  cidr:/etc/postfix/postscreen_access.cidr

# Drop connections from blacklisted servers with a 521 reply
postscreen_blacklist_action = drop

# Clean Postscreen cache after 24h
postscreen_cache_cleanup_interval = 24h

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_greet_banner = $smtpd_banner
postscreen_greet_action = enforce
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache

# We need milter support for OpenDKIM
milter_protocol = 6
milter_default_action = accept

# Hard-fail missing TLS when enabled for a user
plaintext_reject_code = 550
 
First of all, myhostname needs to contain the FQDN and not just the domain. You can use mail.domain.com there, for example (it must also be resolvable via DNS to your server's IP).
Since you have a virtual setup with a MySQL database, mydestination should only contain the (sub)domains that are not in the MySQL database (local delivery vs. virtual delivery). Often localhost alone is enough; if you don't have mail.domain.com in the database, it is added as the second entry. localhost.domain.com is always wrong (IIRC localhost always stands alone, i.e. without a domain) and must go.
Then, for your Linux users that can generate mail (e.g. through cron jobs), in particular root (since many "service users" such as mail or www-data forward to it), you should add entries in /etc/aliases pointing to addresses from the MySQL database, e.g.
Code:
root: webmaster@domain.com
asctim: asctim@domain.com
That way you make sure you also receive error messages from cron jobs etc.
Those are the things I noticed at first glance - others will surely find more.
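As an added example (not code from the thread or from Postfix), the two diagnoses above, a recipient domain that Postfix does not consider its own and therefore hands to the MX on port 25, and the myhostname, mydestination and /etc/aliases points danton raises, can be checked mechanically against a main.cf. It assumes the proxy:mysql domain map has been replaced by a literal domain list so it runs offline, and uses a constructed main.cf and aliases file; parse_main_cf, classify_domain and lint_main_cf are names chosen here.

```python
import re

# Constructed main.cf fragment that mirrors the first config posted in the
# thread, except that the proxy:mysql domain map is written out as a literal
# list so the example can run offline (an assumption, not the real setup).
SAMPLE_MAIN_CF = """\
# comments and blank lines are ignored, continuation lines are joined
myhostname = DOMAIN.com
myorigin = /etc/mailname
mydestination = mail.DOMAIN.com, localhost.DOMAIN.com,
   localhost
virtual_mailbox_domains = DOMAIN.com
relay_domains =
alias_maps = hash:/etc/aliases
"""

# Constructed /etc/aliases with no entry for root.
SAMPLE_ALIASES = "postmaster: root\n"


def parse_main_cf(text):
    """Return {parameter: value}, joining Postfix continuation lines."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()  # indented line continues the previous value
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def classify_domain(params, domain):
    """Return the address class Postfix would put a recipient domain into.

    Lookup order follows Postfix: mydestination (local delivery), then
    virtual_mailbox_domains, then relay_domains.  A domain in none of them is
    remote: Postfix resolves its MX and connects on port 25, which is the
    'connect to ...:25: Connection timed out' symptom from the thread.
    """
    wanted = domain.lower()
    for name in ("mydestination", "virtual_mailbox_domains", "relay_domains"):
        listed = {d.lower() for d in split_list(params.get(name, ""))}
        if wanted in listed:
            return name
    return "remote"


def lint_main_cf(params, aliases_text=""):
    """Check the three points raised in the thread; return a list of findings."""
    findings = []

    # 1. myhostname must be an FQDN; a bare domain has only one dot.
    #    (Crude heuristic, good enough for mail.example.com vs example.com.)
    host = params.get("myhostname", "")
    if host.count(".") < 2:
        findings.append("myhostname=%r is not an FQDN (e.g. mail.%s)" % (host, host))

    # 2. mydestination: no localhost.<domain>, and no domain that is also
    #    served by the virtual delivery agent.
    virtual = {d.lower() for d in split_list(params.get("virtual_mailbox_domains", ""))}
    for dest in split_list(params.get("mydestination", "")):
        if dest.lower().startswith("localhost."):
            findings.append("mydestination: %s is never valid, use bare localhost" % dest)
        if dest.lower() in virtual:
            findings.append("%s is in both mydestination and virtual_mailbox_domains" % dest)

    # 3. root should be aliased to a real mailbox so cron errors reach someone.
    aliased = {line.split(":", 1)[0].strip().lower()
               for line in aliases_text.splitlines()
               if ":" in line and not line.lstrip().startswith("#")}
    if "root" not in aliased:
        findings.append("/etc/aliases has no 'root:' entry; cron mail for root stays local")
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for finding in lint_main_cf(cfg, SAMPLE_ALIASES):
        print("WARN:", finding)
    for dom in ("DOMAIN.com", "mail.DOMAIN.com", "gmx.net"):
        print("%s -> %s" % (dom, classify_domain(cfg, dom)))
```

On a real server the same checks can be fed from `postconf -n` output, which prints one parameter per line in the same `name = value` form.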
 
In addition to danton's objections:
smtpd_banner and myorigin as well as the entire SSL/TLS configuration are likewise suboptimal to faulty, and you only play with the timings if you know exactly what all you are breaking with them.
The smtpd_*_restrictions could use a rework too.

Ultimately the complete main.cf should be rebuilt from scratch, and the master.cf could probably also do with a rework...
 
Thanks for the info, I've recreated the main.cf with the help of dpkg-reconfigure postfix.
I haven't changed anything on the smtp_banner and the SSL/TLS config. If there are errors here, please feel free to correct them.

Code:
# SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname

# Disable local biff service
biff = no

# Do not append the string $mydomain to -locally- submitted email.
append_dot_mydomain = no

# Readme directory
readme_directory = /usr/share/doc/postfix

# HTML directory
html_directory = /usr/share/doc/postfix/html

# Certificates
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
smtpd_tls_key_file = /etc/ssl/mail/mail.key

# Opportunistic TLS. TLS auth only.
smtp_use_tls = no
smtpd_use_tls = no
smtp_tls_security_level = none
smtpd_tls_security_level = none

#smtpd_tls_security_level=may
smtpd_tls_auth_only=yes

# DH parameters, actually 2048 bit long
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem

# CA path for SMTP client connections to external servers
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# TLS session cache for SMTPd
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Disallow SSLv2 and SSLv3, only accept secure ciphers
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA

# Log TLS handling
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Delay reject until RCPT TO
smtpd_delay_reject = yes

# Enable elliptic curve cryptography, "ultra" needs more cpu time
smtpd_tls_eecdh_grade = strong

# Default: Anonymize outgoing mail headers
smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre

# Sender, recipient, client and data restrictions
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
   permit_mynetworks,
   reject_sender_login_mismatch,
   permit_sasl_authenticated,
   reject_unlisted_sender,
   reject_unknown_sender_domain

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_invalid_helo_hostname,
   reject_unknown_reverse_client_hostname,
   reject_unauth_destination

smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit

smtpd_restriction_classes = greylist

greylist = permit_dnswl_client list.dnswl.org,
   check_policy_service inet:127.0.0.1:10023

# Determine valid MAIL FROM addresses for a SASL authenticated user.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf

# Sender dependent smtp service for TLS enforced connections
sender_dependent_default_transport_maps = proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf

# Certificates
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key

# Set a higher timeout for connecting, sending and receiving information from/to a proxy (FuGlu)
smtpd_proxy_timeout = 600s

# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
#smtp_tls_security_level=may

# TLS session cache for SMTP
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# A custom list with secure ciphers.
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# Use the FQDN for the local hostname!
myhostname = mail.DOMAIN.com

# Alias maps and database for -local- delivery only
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
myorigin = /etc/mailname

# The list of domains that are delivered via the -local- mail delivery transport. No external domains like "DOMAIN.com" belong here! "mail.DOMAIN.com" is fine.
mydestination = localhost

# We lookup MX records to send non-local mail, so this stays empty
relayhost = 

# We relay for these domains
relay_domains= proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf

# Relay only for these accounts
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf

# Trusted SMTP clients with more privileges. Trusted clients can relay mail.
mynetworks = 10.1.0.0

# The maximal size of any -local- individual mailbox
mailbox_size_limit = 0

# Handle Postfix-style extensions
recipient_delimiter = 

# The network interface addresses that this mail system receives mail on.
inet_interfaces = all

# Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
inet_protocols = all

# VRFY command is not really needed anymore
disable_vrfy_command = yes

# Please say hello first...
smtpd_helo_required = yes

# The SASL plug-in type that the Postfix SMTP server should use for authentication.
smtpd_sasl_type=dovecot

# Where to passthrough our authentication information for the above plug-in
smtpd_sasl_path=private/auth_dovecot

# Enable SASL authentication in the Postfix SMTP server.
smtpd_sasl_auth_enable = yes

# Report the SASL authenticated user name in the smtpd Received message header.
smtpd_sasl_authenticated_header = yes

smtpd_sasl_security_options = noanonymous

# Have Postfix advertise AUTH support in a non-standard way.
broken_sasl_auth_clients = yes

# The lookup tables that the proxymap server is allowed to access for the read-only service.
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

## Virtual transport configuration
# A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
virtual_mailbox_base = /var/vmail/

# THIS contains a list of domains we are the final destination for (unlike "mydestination").
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf

# Alias specific mail addresses or domains to other local or remote address.
virtual_alias_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

# Specify a left-hand side of "@DOMAIN.com" to match any user in the specified domain
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

# The minimum user ID value that the virtual delivery agent accepts
virtual_minimum_uid = 104

# We use "vmail" user with UID/GID 5000 to lookup tables
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
virtual_transport = lmtp:unix:private/dovecot-lmtp

## Queue configuration
# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
maximal_queue_lifetime = 1d

# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
bounce_queue_lifetime = 1d

# The time between deferred queue scans by the queue manager.
queue_run_delay = 300s

# The maximal/minimal time between attempts to deliver a deferred message.
maximal_backoff_time = 1800s
minimal_backoff_time = 300s

# Maximum mail size
message_size_limit = 26214400

# This tarpits a client after 3 erroneous commands for 10s
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}

# Feel free to maintain a white-/blacklist for Postscreen
postscreen_access_list = permit_mynetworks,
  cidr:/etc/postfix/postscreen_access.cidr

# Drop connections from blacklisted servers with a 521 reply
postscreen_blacklist_action = drop

# Clean Postscreen cache after 24h
postscreen_cache_cleanup_interval = 24h

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_greet_banner = $smtpd_banner
postscreen_greet_action = enforce
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache

# We need milter support for OpenDKIM
milter_protocol = 6
milter_default_action = accept

# Hard-fail missing TLS when enabled for a user
plaintext_reject_code = 550
mailbox_command = procmail -a "$EXTENSION"

Should I also post the master.cf for review?
 
Here is the master.cf as well:

Code:
# Postscreen on Port 25/tcp, filters zombies (spam machines) on first level with lowest costs.
smtp      inet  n       -       n       -       1       postscreen

# Postscreen passes sane clients to the real SMTP daemon here.
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

# For mail submitting users. Authenticated clients and known networks only.
submission inet n       -       -       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=may
  -o tls_preempt_cipherlist=yes

127.0.0.1:588 inet n    -       -       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

# Handles TLS connections for postscreen to make them readable
tlsproxy  unix  -       -       n       -       0       tlsproxy
# This implements an ad-hoc DNS white/blacklist lookup service
dnsblog   unix  -       -       n       -       0       dnsblog
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
smtp_enforced_tls      unix  -       -       -       -       -       smtp
  # This will not work on Postfix <=3.1 but is okay to reside here on
  # unsupported versions (will print a warning though)
  # Furthermore we cannot mark missing TLS support as hard-fail, mails will stay in our queue
  -o smtp_delivery_status_filter=pcre:/etc/postfix/smtp_dsn_filter.pcre
  -o smtp_tls_security_level=encrypt
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_milters=inet:127.0.0.1:10040
 