On Sun, Jul 14, 2019 at 07:51:11PM -0600, @lbutlr wrote:

> You should not have permit_mynetworks anywhere, reject_non_fqdn_sender
> should do absolutely nothing if your system is set up properly. I have
> opinions on reject_sender_login_mismatch, but I don’t know that it would
> be a problem here.
>
> Submission is used for authenticated users. You already know who that user
> is, you don’t need to check their email address.

Some sites like to restrict authenticated users to a matching sender address. And in some cases also allow some clients by IP address.

> > -o tls_preempt_cipherlist=yes
>
> Why?

This is not an unreasonable setting. Some services assume well configured clients and optimize for client performance, others are optimized for server performance and/or are less optimistic about sound client settings.

> > -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
>
> This should not be necessary, dovecot handles the login already.

It is needed for the above mentioned sender address policy.

> -o smtpd_milters=
> -o milter_connect_macros=
> -o milter_macro_daemon_name=ORIGINATING
>
> That is likely where you are going to run into the most issues.

No. DKIM signing is a typical use-case for this.

-- 
Viktor.
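
Added example, not part of the original thread or anyone's actual configuration: a submission entry and lookup table sketching the sender-address policy and per-service milter override discussed above. The milter address, the database credentials, and the `sender_logins` table with its `login` and `address` columns are assumptions.

```conf
# master.cf (constructed example)
#
# Policy on this service:
#  - clients in $mynetworks are accepted by IP address, before the
#    sender/login check is reached;
#  - every other client must authenticate, and may only use a MAIL FROM
#    address that smtpd_sender_login_maps assigns to its SASL login.
# The milter overrides apply to this service only, which is how a signing
# milter (for example DKIM) can be limited to outbound user mail.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_milters=inet:127.0.0.1:8891
  -o milter_macro_daemon_name=ORIGINATING

# /usr/local/etc/postfix/db/sender-login-maps.cf (constructed; schema assumed)
#
# Lookup key (%s) is the envelope sender address; the result is the SASL
# login name (or comma-separated names) allowed to send as that address.
hosts = 127.0.0.1
user = postfix
password = CHANGE_ME
dbname = mail
query = SELECT login FROM sender_logins WHERE address = '%s'
```

The mapping can be checked without sending mail by running `postmap -q user@example.com mysql:/usr/local/etc/postfix/db/sender-login-maps.cf`, which should print the owning login for that address.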