On Tue, Oct 26, 2021 at 09:05:46PM +0000, Cooper, Robert A wrote:
> Postfinger output:
> https://gist.github.com/racooper/a560c84080e2ee6c336d508918344f5a
Please avoid paste bins in the future. Also where are the (couple of)
requested log entries that show the problem behaviour?
    compatibility_level = 2
    header_checks = pcre:/etc/postfix/header_checks
Any FILTER directives in header_checks?
    relayhost = [smtp-relay.site.com]:25
This applies to all remote destinations where the transport table does
not set an explicit nexthop.
    smtp_connection_reuse_count_limit = 1
This is needlessly tight.
    smtpd_sender_restrictions = hash:/etc/postfix/reject_sender
Any FILTER directives there?
    smtpd_tls_CApath = /etc/ssl/certs/
Not useful unless you're using "smtpd_tls_ask_ccert".
    smtpd_tls_eecdh_grade = strong
This is now obsolete, better to use "auto".
    smtpd_tls_exclude_ciphers = aNULL, DES, MD5, 3DES, RC4, eNULL, DES+MD5
With the cipher grade set to "high", you don't need to worry about DES
(LOW) or RC4 (medium). And with OpenSSL newer than 1.0.2, even 3DES is
no longer "high", and 3DES TLS ciphers may even be disabled at
compile-time by default.
    smtpd_tls_fingerprint_digest = sha1
If you don't have tables with explicitly trusted sha1 hashes of client
certs, "sha256" would be a better choice, this is the default in Postfix
3.6, provided you set the compatibility level to 3.6, see:
http://www.postfix.org/COMPATIBILITY_README.html
    smtpd_tls_mandatory_protocols = TLSv1, !SSLv2, !SSLv3
This is very much not a good idea:
http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
    With Postfix < 3.6 there is no support for a minimum or maximum
    version, and the protocol range is configured via protocol
    exclusions. To require at least TLS 1.0, set "smtpd_tls_protocols =
    !SSLv2, !SSLv3". Listing the protocols to include, rather than
    protocols to exclude, is supported, but not recommended. The
    exclusion form more accurately matches the underlying OpenSSL
    interface.
Instead (given you have Postfix 3.6) use (no whitespace after ">="):
    smtpd_tls_protocols = >=TLSv1
    smtpd_tls_mandatory_protocols = >=TLSv1.2
Session tickets have largely obsoleted server side session caches:
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
Just leave this empty.
    smtp_host_lookup = dns, native
You really should avoid "native".
    transport_maps = hash:/etc/postfix/error_transport
What's in the "compiled" file? Run "postmap -s hash:error_transport" to
be sure.
    --master.cf--
    xerox unix - - n - - smtp
    -o relayhost=
    -o content_filter=
Setting relayhost and content_filter here has no effect.
> I am not finding anywhere in our configuration where email.site.com is
> set to use an alternate transport.
This is where your logs are key to further understanding what happened.
--
Viktor.
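An added example, not part of the thread and not Postfix code: a small Python lint that parses a "postconf -n" dump, flags the settings the reply comments on (inclusion-style protocol lists, the named EECDH grade, the sha1 fingerprint digest, the server-side session cache, "native" host lookups, the reuse limit of 1, and LOW/MEDIUM ciphers excluded on top of a "high" grade) and prints the replacement values. The sample configuration is constructed from the quoted settings; "smtpd_tls_mandatory_ciphers = high" is assumed because the reply refers to a "high" cipher grade, and the single-digit reuse-limit threshold and the pre-3.6 exclusion lists are the example's own choices.

```python
"""Lint a 'postconf -n' dump for the TLS and delivery settings discussed in
the thread and emit the values suggested in the reply."""
import re

# Constructed sample in 'postconf -n' form, mirroring the quoted settings.
# 'smtpd_tls_mandatory_ciphers = high' is an assumption (see lead-in).
SAMPLE_CONFIG = """\
compatibility_level = 2
relayhost = [smtp-relay.site.com]:25
smtp_connection_reuse_count_limit = 1
smtp_host_lookup = dns, native
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, DES, MD5, 3DES, RC4, eNULL, DES+MD5
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
"""

# Protocol parameters and the Postfix >= 3.6 minimum-version form to use.
PROTOCOL_PARAMS = {
    "smtpd_tls_protocols": ">=TLSv1",
    "smtp_tls_protocols": ">=TLSv1",
    "smtpd_tls_mandatory_protocols": ">=TLSv1.2",
    "smtp_tls_mandatory_protocols": ">=TLSv1.2",
}

# Cipher names a "high" grade already rules out (they are LOW/MEDIUM).
LOW_GRADE_CIPHERS = {"DES", "3DES", "RC4"}


def parse_postconf(text):
    """Parse 'name = value' lines (as printed by 'postconf -n') into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Split a comma- and/or whitespace-separated Postfix list value."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def lint(params, postfix_version=(3, 6)):
    """Return findings as (parameter, current value, recommended value, reason)."""
    findings = []

    def flag(name, recommended, reason):
        findings.append((name, params.get(name, ""), recommended, reason))

    # Protocol lists should exclude versions (or, on 3.6+, give a minimum),
    # never enumerate the versions to include.
    for name, minimum in PROTOCOL_PARAMS.items():
        if name not in params:
            continue
        toks = split_list(params[name])
        if any(not t.startswith(("!", ">=", "<=")) for t in toks):
            if postfix_version >= (3, 6):
                rec = minimum
            elif "mandatory" in name:
                rec = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"  # example's choice
            else:
                rec = "!SSLv2, !SSLv3"
            flag(name, rec, "lists protocols to include; use exclusions or a minimum version")

    if params.get("smtpd_tls_eecdh_grade", "auto") != "auto":
        flag("smtpd_tls_eecdh_grade", "auto", "named EECDH grades are obsolete")

    if params.get("smtpd_tls_fingerprint_digest", "").lower() == "sha1":
        flag("smtpd_tls_fingerprint_digest", "sha256",
             "sha1 is only justified by existing tables of sha1 client-cert fingerprints")

    if params.get("smtpd_tls_session_cache_database"):
        flag("smtpd_tls_session_cache_database", "",
             "session tickets have obsoleted the server-side session cache")

    if "native" in split_list(params.get("smtp_host_lookup", "dns")):
        flag("smtp_host_lookup", "dns", "avoid 'native' host lookups")

    # Heuristic (example's choice): a single-digit reuse limit is the
    # "needlessly tight" case; the default 0 means unlimited.
    limit = params.get("smtp_connection_reuse_count_limit", "0")
    if limit.isdigit() and 0 < int(limit) < 10:
        flag("smtp_connection_reuse_count_limit", "0", "needlessly tight; 0 means unlimited")

    if params.get("smtpd_tls_mandatory_ciphers", "medium") == "high":
        excl = split_list(params.get("smtpd_tls_exclude_ciphers", ""))
        kept = [c for c in excl if c.upper() not in LOW_GRADE_CIPHERS]
        if len(kept) != len(excl):
            flag("smtpd_tls_exclude_ciphers", ", ".join(kept),
                 "DES/3DES/RC4 are already below the 'high' cipher grade")
    return findings


def apply_findings(params, findings):
    """Return a copy of params with each recommended value applied."""
    fixed = dict(params)
    for name, _current, recommended, _reason in findings:
        fixed[name] = recommended
    return fixed


def render_postconf(params):
    """Render a dict back into 'postconf -n' style lines, sorted by name."""
    return "\n".join(f"{k} = {v}" for k, v in sorted(params.items()))


if __name__ == "__main__":
    current = parse_postconf(SAMPLE_CONFIG)
    for name, cur, rec, why in lint(current):
        print(f"{name}: {cur!r} -> {rec!r}  ({why})")
    print(render_postconf(apply_findings(current, lint(current))))
```

Feed it the output of "postconf -n" from the real machine instead of SAMPLE_CONFIG; a clean run of lint() on the corrected dictionary returns no findings, which is the check worth keeping after the edits are made.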