On Tue, Nov 11, 2025 at 02:00:57PM -0800, Hans Carlson via Postfix-users wrote:
> This is a simple home-based relay setup. I use alpine to send email from 2
> local users with ~6 email addresses between them. All email sent via alpine
> goes through the postfix smtpd service and then connects to the ISP's SMTP
> server based on the sender address.
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
This changes only the nexthop hostname, but not the delivery transport.
Per the below, you'll need to set:
sender_dependent_default_transport_maps
> smtp_tls_security_level = encrypt
Best practice here may be to set "smtp_tls_security_level = verify", and
configure "smtp_tls_CAfile" to a PEM with appropriate mainstream
certification authority certificates that make it possible to
authenticate the current and plausible future certificates used by the
ISP relays. The "verify" level is identical to the "secure" level in
almost all ways except for the default values of:
$ postconf -d smtp_tls_secure_cert_match smtp_tls_verify_cert_match
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_verify_cert_match = hostname
Since you're not doing MX lookups (the nexthops are all of the form
[hostname]:port), the nexthop is the hostname, so "verify" is slightly
more precise/strict in your case. If you explicitly set either
smtp_tls_secure_cert_match = nexthop
smtp_tls_secure_cert_match = hostname
the two are then equivalent (in your case).
> smtp_dns_support_level = enabled
You don't need to set this explicitly.
> sender_relay contains lines like this:
>
> [email protected] [smtp.isp1.com]:465
> [email protected] [smtp.isp1.com]:465
> [email protected] [smtp.isp2.com]:587
> [email protected] [smtp.isp2.com]:587
Replace this with:
main.cf:
indexed = ${default_database_type}:${config_directory}/
sender_dependent_default_transport_maps = ${indexed}sender_transport
sender_transport:
[email protected] smtps:[smtp.isp1.com]:465
[email protected] smtps:[smtp.isp1.com]:465
[email protected] smtp:[smtp.isp2.com]:587
[email protected] smtp:[smtp.isp2.com]:587
> ChatGPT-5 suggested the following setup.
>
> add this to master.cf:
>
> smtps unix - - n - - smtp
> -o smtp_tls_wrappermode=yes
> # No need, use the main.cf setting instead.
> # -o smtp_tls_security_level=encrypt
> # No need for now
> # -o smtp_fallback_relay=
> change main.cf to this:
>
> # This is the default value
> # smtp_tls_wrappermode = no
> transport_maps = hash:/etc/postfix/sender_transport
That's not the sender-dependent table.
> with sender_transport containing this:
>
> [smtp.isp1.com]:465 smtps:
> [smtp.ips2.com]:587 smtp:
And this is completely wrong. The nexthop relayhost is never a transport_maps
lookup key. Instead the lookup key is a domain name or full email
address, typically the recipient's, but possibly the sender's with:
sender_dependent_default_transport_maps = ...
--
Viktor. 🇺🇦 Glory to Ukraine!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
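The sender-dependent transport table and TLS settings recommended above, written out as a small script that builds the table, checks that every nexthop is of the bracketed [host]:port form, and only then applies the settings. This is an added example, not code from the thread or from Postfix itself; the hostnames are the thread's own placeholders, while the sender addresses, the CA bundle path and the postconf -Me/-Pe master.cf editing forms are assumptions.

```shell
# Hostnames smtp.isp1.com / smtp.isp2.com are the thread's placeholders;
# sender addresses and the CA bundle path below are constructed.
set -eu

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# sender_transport: key = sender address, value = transport:nexthop.
# "smtps" is the master.cf wrapper-mode clone of smtp (implicit TLS, 465);
# plain "smtp" negotiates STARTTLS on 587.
write_sender_transport() {
    cat > "$CONF_DIR/sender_transport" <<'EOF'
alice@example.org   smtps:[smtp.isp1.com]:465
alice@example.com   smtps:[smtp.isp1.com]:465
bob@example.org     smtp:[smtp.isp2.com]:587
bob@example.com     smtp:[smtp.isp2.com]:587
EOF
}

# Exact-key lookup of a sender, as sender_dependent_default_transport_maps does.
# (Postfix also tries the @domain form; this helper checks the literal key only.)
lookup_sender() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$CONF_DIR/sender_transport"
}

# Every nexthop must be [host]:port: the brackets suppress MX lookups, so at
# smtp_tls_security_level=verify the certificate is matched against that host.
check_nexthops() {
    awk 'BEGIN { bad = 0 }
         { v = $2; sub(/^[a-z]+:/, "", v)
           if (v !~ /^\[[^]]+\]:[0-9]+$/) { bad = 1; print "bad nexthop: " $0 > "/dev/stderr" } }
         END { exit bad }' "$CONF_DIR/sender_transport"
}

# Apply the thread's main.cf/master.cf settings; skipped when Postfix is absent.
# Assumption: postconf -Me / -Pe edit master.cf (Postfix 2.11+); the CA bundle
# path is Debian's and stands in for your system's bundle.
apply_postfix_settings() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found; skipping apply" >&2; return 0; }
    postconf -e 'indexed = ${default_database_type}:${config_directory}/' \
               'sender_dependent_default_transport_maps = ${indexed}sender_transport' \
               'smtp_tls_security_level = verify' \
               'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
    postconf -Me 'smtps/unix = smtps unix - - n - - smtp'
    postconf -Pe 'smtps/unix/smtp_tls_wrappermode = yes'
    postmap "$CONF_DIR/sender_transport"
}

write_sender_transport
check_nexthops
if [ "${APPLY:-0}" = 1 ]; then apply_postfix_settings; fi
```

Run with APPLY=1 as root to commit the settings to the live Postfix configuration; without it the script only builds and validates the table.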