AW: Verständnisfrage zu smtpd_tls_security_level / maincf und master.cf

[Jens via postfix-users]

Gern!
Ich habe den Parameter in meiner master.cf jetzt aktiviert. Da es sich eh noch 
um ein nichtproduktives Testsystem auf VMware handelt, "spiele" ich da noch 
dran rum, um mir eine Konfiguration für das Live-System zu erarbeiten.
Die Konfiguration basiert auf den Büchern von Peer Heinlein.

postconf -n

alias_database = btree:/etc/aliases
alias_maps = btree:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 2h
compatibility_level = 3.6
default_database_type = btree
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maximal_queue_lifetime = 2h
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
myhostname = backup.dummy.eu
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = btree:/etc/postfix/relay_domains
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = dslb-090-186-244-190.090.186.pools.vodafone-ip.de
smtpd_recipient_restrictions = check_recipient_access 
btree:/etc/postfix/access-recipient-rfc, check_client_access 
btree:/etc/postfix/access-client, check_helo_access 
btree:/etc/postfix/access-helo, check_sender_access 
btree:/etc/postfix/access-sender, check_recipient_access 
btree:/etc/postfix/access-recipient, reject_non_fqdn_sender, 
reject_non_fqdn_recipient, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, 
reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, 
reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:12525, 
check_policy_service inet:127.0.0.1:10023, reject_unverified_recipient, 
permit_mx_backup, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/backup.dummy.eu/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/backup.dummy.eu/privkey.pem
smtpd_tls_security_level = may
soft_bounce = yes
transport_maps = btree:/etc/postfix/transport_maps
virtual_alias_domains = btree:/etc/postfix/virtual_alias_domains
virtual_alias_maps = btree:/etc/postfix/virtual_alias_maps

postconf -M

smtp       inet  n       -       y       -       -       smtpd -o 
smtpd_sasl_auth_enable=no
submission inet  n       -       y       -       -       smtpd -o 
smtpd_etrn_restrictions=reject -o 
smtpd_client_restrictions=permit_sasl_authenticated,reject -o 
syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o 
smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o 
smtpd_reject_unlisted_recipient=no
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp -o 
syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
maildrop   unix  -       n       n       -       -       pipe flags=DRXhu 
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu 
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn 
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. 
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R 
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} 
${extension}
mailman    unix  -       n       n       -       -       pipe flags=FRX 
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

-----Ursprüngliche Nachricht-----
Von: postfix-users 
<postfix-users-bounces+postfix_dovecot=gmx...@de.postfix.org> Im Auftrag von 
Markus Winkler via postfix-users
Gesendet: Mittwoch, 22. Mai 2024 09:31
An: postfix-users@de.postfix.org
Betreff: Re: Verständnisfrage zu smtpd_tls_security_level / maincf und master.cf

Hi Jens,

On Wed, 22 May 2024 at 09:10:14AM +0200, Jens via postfix-users wrote:

>Ein Beispiel (von mehreren):

schicke doch bitte mal die Ausgaben von 'postconf -n' und 'postconf -M', damit 
man die _komplette_ Config sehen kann.

Danke und Gruß
Markus