On Thu, May 22, 2014 at 10:39:57AM +0200, [email protected] wrote:
> relayhost = relay.domain.com
Had you not obfuscated the relay name, you'd have your answer already.
You should also post log entries exhibiting the unwanted behaviour.
Typically ISP relays are hostnames not MX records:
relayhost = [relay.example.net]
and often use the submission port:
relayhost = [relay.example.net]:587
> smtpd_tls_cert_file = /etc/ssl/private/server.crt
> smtpd_tls_key_file = /etc/ssl/private/server.key
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtpd_tls_security_level = may
> smtp_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
That should probably be "smtpd_tls_mandatory_ciphers" or you're
grouping your settings very poorly. Use btree, not hash for
session caches.
> smtp_tls_security_level = fingerprint
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_fingerprint_digest = md5
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
> smtpd_tls_received_header = yes
That should probably be:
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
or you're grouping your settings very poorly and like repeating yourself.
What's in the policy table (entry for the relay)?
Is "fingerprint" really a good idea here? Will the receiving party
coordinate key rollover with you? Or are you operating both servers?
--
Viktor.
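A small configuration linter, added here as an illustration and not part of the thread or of Postfix itself: it parses a main.cf fragment and reports the points raised in the reply above (a lone smtp_ parameter sitting inside a run of smtpd_ ones, duplicate assignments, hash: rather than btree: for session caches, a missing smtp_tls_session_cache_database, and an unbracketed relayhost). Both inputs are constructed: the first repeats the posted settings, the second is the example's own reading of the suggested corrections, and its fingerprint digest line is the example's choice rather than anything the thread discusses.

```python
import re

# Constructed sample: the main.cf settings quoted in the thread, in posted order.
POSTED_MAIN_CF = """\
relayhost = relay.domain.com
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_fingerprint_digest = md5
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
"""

# Constructed: the same settings regrouped as the reply suggests (assumed corrections,
# not a config from the thread). The digest value is this example's own choice.
CORRECTED_MAIN_CF = """\
relayhost = [relay.example.net]:587
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_fingerprint_digest = sha256
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

ASSIGNMENT = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')


def parse_main_cf(text):
    """Return [(lineno, name, value)] for every assignment, duplicates included.
    A line starting with whitespace continues the previous value, as postconf
    reads it; blank lines and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace() and entries:
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, (value + ' ' + raw.strip()).strip())
            continue
        m = ASSIGNMENT.match(raw)
        if m:
            entries.append((lineno, m.group(1), m.group(2).strip()))
    return entries


def prefix(name):
    """Classify a parameter as client-side (smtp_) or server-side (smtpd_)."""
    if name.startswith('smtpd_'):
        return 'smtpd'
    if name.startswith('smtp_'):
        return 'smtp'
    return None


def lint_tls_settings(entries):
    """Return [(lineno, code, message)] findings; lineno 0 means 'whole file'."""
    findings = []
    names = [name for _, name, _ in entries]
    first_seen = {}
    for lineno, name, value in entries:
        # Duplicate assignment: Postfix takes the last value, the earlier one is dead text.
        if name in first_seen:
            findings.append((lineno, 'duplicate',
                             f'{name} already set on line {first_seen[name]}; the later value wins'))
        else:
            first_seen[name] = lineno
        # Session caches should be btree: tables, not hash: tables.
        if name.endswith('_tls_session_cache_database') and value.startswith('hash:'):
            findings.append((lineno, 'hash-cache',
                             f'{name}: use btree: rather than hash: for session caches'))
        # An unbracketed relayhost is resolved via MX lookup; ISP relays are hostnames.
        if name == 'relayhost' and value and not value.startswith('['):
            findings.append((lineno, 'relayhost-unbracketed',
                             f'relayhost {value!r} triggers an MX lookup; write [host] or [host]:587'))
    # One smtp_ parameter inside a run of smtpd_ ones (or the reverse) is most likely
    # a typo for the other prefix: the "grouping" point in the reply.
    for i in range(1, len(entries) - 1):
        before, here, after = prefix(names[i - 1]), prefix(names[i]), prefix(names[i + 1])
        if before and here and before == after and here != before:
            suggestion = before + '_' + names[i].split('_', 1)[1]
            findings.append((entries[i][0], 'grouping',
                             f'{names[i]} sits between {before}_ settings; did you mean {suggestion}?'))
    if 'smtpd_tls_session_cache_database' in names and 'smtp_tls_session_cache_database' not in names:
        findings.append((0, 'missing-smtp-cache',
                         'smtp_tls_session_cache_database is not set; the client side has no session cache'))
    return findings


if __name__ == '__main__':
    for label, cfg in (('posted', POSTED_MAIN_CF), ('corrected', CORRECTED_MAIN_CF)):
        print(f'== {label} ==')
        for lineno, code, msg in lint_tls_settings(parse_main_cf(cfg)):
            print(f'line {lineno}: [{code}] {msg}')
```

Run against the posted fragment it reports seven findings (the misplaced smtp_tls_mandatory_ciphers on line 6, the two hash: session caches, the two duplicate assignments, the unbracketed relayhost and the missing smtp_ cache); the regrouped copy comes back clean. The grouping heuristic only looks at immediate neighbours, so it deliberately stays quiet at the boundary between a block of smtpd_ settings and a block of smtp_ ones.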