On Tue, Oct 26, 2021 at 09:05:46PM +0000, Cooper, Robert A wrote:

> Postfinger output:
> https://gist.github.com/racooper/a560c84080e2ee6c336d508918344f5a

Please avoid paste bins in the future.  Also where are the (couple of)
requested log entries that show the problem behaviour?

    compatibility_level = 2
    header_checks = pcre:/etc/postfix/header_checks

Any FILTER directives in header_checks?

    relayhost = [smtp-relay.site.com]:25

This applies to all remote destinations where the transport table does
not set an explicit nexthop.

    smtp_connection_reuse_count_limit = 1

This is needlessly tight.

    smtpd_sender_restrictions = hash:/etc/postfix/reject_sender

Any FILTER directives there?

    smtpd_tls_CApath = /etc/ssl/certs/

Not useful unless you're using "smtpd_tls_ask_ccert".

    smtpd_tls_eecdh_grade = strong

This is now obsolete, better to use "auto".

    smtpd_tls_exclude_ciphers = aNULL, DES, MD5, 3DES, RC4, eNULL, DES+MD5

With the cipher grade set to "high", you don't need to worry about DES
(LOW) or RC4 (medium).  And with OpenSSL newer than 1.0.2, even 3DES is
no longer "high", and 3DES TLS ciphers may even be disabled at
compile-time by default.

    smtpd_tls_fingerprint_digest = sha1

If you don't have tables with explicitly trusted sha1 hashes of client
certs, "sha256" would be a better choice.  This is the default in
Postfix 3.6, provided you set the compatibility level to 3.6, see:

    http://www.postfix.org/COMPATIBILITY_README.html

    smtpd_tls_mandatory_protocols = TLSv1, !SSLv2, !SSLv3

This is very much not a good idea:

    http://www.postfix.org/postconf.5.html#smtpd_tls_protocols

    With Postfix < 3.6 there is no support for a minimum or maximum
    version, and the protocol range is configured via protocol
    exclusions.  To require at least TLS 1.0, set
    "smtpd_tls_protocols = !SSLv2, !SSLv3".  Listing the protocols to
    include, rather than protocols to exclude, is supported, but not
    recommended.  The exclusion form more accurately matches the
    underlying OpenSSL interface.

Instead (given you have Postfix 3.6) use (no whitespace after ">="):

    smtpd_tls_protocols = >=TLSv1
    smtpd_tls_mandatory_protocols = >=TLSv1.2

Session tickets have largely obsoleted server side session caches:

    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Just leave this empty.

    smtp_host_lookup = dns, native

You really should avoid "native".

    transport_maps = hash:/etc/postfix/error_transport

What's in the "compiled" file?  Run "postmap -s hash:error_transport"
to be sure.

--master.cf--

    xerox     unix  -       -       n       -       -       smtp
        -o relayhost=
        -o content_filter=

Setting relayhost and content_filter here has no effect.

> I am not finding anywhere in our configuration where email.site.com is
> set to use an alternate transport.

This is where your logs are key to further understanding what happened.

-- 
    Viktor.
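As an added example (not part of the thread), a small shell audit that applies the checks from this reply to a "postconf -n" dump and shows the corrected values beside the questioned ones; the parameter names are Postfix's own, both dumps are constructed samples rather than output from the poster's host.

```sh
# Audit a "postconf -n" dump for the settings questioned in the reply above.
# Both dumps below are constructed samples, not output from the poster's host.
SAMPLE_POSTCONF='smtp_host_lookup = dns, native
smtpd_tls_eecdh_grade = strong
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_mandatory_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache'
# The same parameters with the values the reply recommends (Postfix >= 3.6).
FIXED_POSTCONF='smtp_host_lookup = dns
smtpd_tls_eecdh_grade = auto
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_protocols = >=TLSv1
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_session_cache_database ='

# Value of parameter $1 in dump $2; empty when unset or explicitly emptied.
param_value() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# Succeeds when a protocol list names protocols to include, i.e. contains a
# token that is neither an exclusion ("!X") nor a version bound (">=X"/"<=X").
lists_inclusions() {
    # unquoted expansion on purpose: split the comma/space separated list
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            '!'*|'>='*|'<='*) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# One finding per line, covering the points raised in the reply.
audit_postconf() {
    v=$(param_value smtpd_tls_eecdh_grade "$1")
    [ -n "$v" ] && [ "$v" != auto ] && echo "smtpd_tls_eecdh_grade=$v is obsolete; use auto"
    v=$(param_value smtpd_tls_fingerprint_digest "$1")
    [ "$v" = sha1 ] && echo "smtpd_tls_fingerprint_digest=sha1; prefer sha256 unless sha1 fingerprints are in tables"
    v=$(param_value smtpd_tls_mandatory_protocols "$1")
    [ -n "$v" ] && lists_inclusions "$v" && echo "smtpd_tls_mandatory_protocols lists inclusions; use exclusions or >=TLSv1.2"
    v=$(param_value smtpd_tls_session_cache_database "$1")
    [ -n "$v" ] && echo "smtpd_tls_session_cache_database set; session tickets make it unnecessary"
    case "$(param_value smtp_host_lookup "$1")" in
        *native*) echo "smtp_host_lookup includes native; use dns" ;;
    esac
}

# Number of findings as a plain integer (grep -c prints 0 on empty input).
finding_count() {
    audit_postconf "$1" | grep -c . || true
}
audit_postconf "$SAMPLE_POSTCONF"
```

Feed it real output with `audit_postconf "$(postconf -n)"` to check a live configuration.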