Re: Duplicate spamd lines in Postfix log file

2019-07-01 Thread Bill Cole

On 30 Jun 2019, at 9:36, dpjanda wrote:

> It sure is, and that's why I posted the original question here. As it
> could, perhaps, be an error on my part how I call it from POSTFIX, so I
> thought I would ask the question here, first.


The us...@spamassassin.apache.org list would be a far better place for 
it, as this is entirely about spamd, a component of SpamAssassin.


Having written some of the code involved in spamd switching to specific 
users, I believe that what you're seeing is normal, at least for some 
configurations. As I am not currently working with any system that uses 
spamd with per-user configurations, I am hesitant to make a definitive 
assertion.


I am almost certain that you can get a more definitive answer on the 
right mailing list.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: custom mail forwarder/relay program?

2019-07-01 Thread Viktor Dukhovni
On Mon, Jul 01, 2019 at 04:56:29PM +, Patton, Matthew [Contractor] wrote:

> In effect I need to do; For each message in delivery queue, construct JSON
> payload and use Curl to post to API endpoint, mark message as forwarded.
> Next.

Send it via LMTP to a proxy process that is listening on a unix-domain
socket.  The proxy needs a bare-bones LMTP implementation, and some
code to re-post the message via HTTP and reinterpret HTTP success/fail
responses as LMTP responses.

The LMTP proxy is the cleanest way to do this, but will require
writing an LMTP server.  If you want to just assemble existing code,
then fork/exec curl could work, but getting reliable success/fail/temp-fail
out of curl is tricky.

-- 
Viktor.


Re: custom mail forwarder/relay program?

2019-07-01 Thread Viktor Dukhovni
On Mon, Jul 01, 2019 at 03:19:37PM +, Patton, Matthew [Contractor] wrote:

> I need a way for Postfix to listen to SMTP (think smarthost) and then
> re-send all emails via HTTP POST operation. Is the correct way to tackle
> this (aside from telling them to go to hell) a transport definition using
> Pipe(8)? I've never done this before and it doesn't appear to be a very
> common scenario. Otherwise I could write a small Perl program that is
> launched via inetd, that would do the same even though it wouldn't be very
> efficient.

Two key reasons that SMTP servers have queues:

* Multi-recipient messages may require forwarding of a "split-envelope"
  to multiple domains.  This can't be done atomically, so the message
  is queued and the separate parts are delivered asynchronously.

* Forwarding may be to remote systems that are not always up, but the
  client may be ephemeral and unable to retry.

If in your case all messages are always shunted to the same destination
one-in/one-out, and the destination is sufficiently available, or
the client is capable of retries, a non-queueing proxy may well be
a better choice than an MTA.  It could even be more efficient (if
it avoids fork/exec of scripts that involve CPU-intensive parsing of
the code each time).

The SMTP proxy can return 4XX if the HTTP POST fails.  It can run
as a threaded or forking server.  In Python or Perl, I'd go with a
forking server for simplicity.  In Haskell, threading is very
light-weight and safe/correct concurrency is pain-free, so if you
need a lot more performance, Haskell (or Rust) would likely raise
your throughput ceiling by an order of magnitude.

-- 
Viktor.


Re: custom mail forwarder/relay program?

2019-07-01 Thread Noel Jones

On 7/1/2019 11:56 AM, Patton, Matthew [Contractor] wrote:
>> On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:
>>> I need a way for Postfix to listen to SMTP (think smarthost) and then
>>> re-send all emails via HTTP POST operation. Is the correct way to tackle
>>> this (aside from
>>
>> Maybe if you explain your base problem in detail someone can help with an
>> alternate solution.
>
> A disturbing number of USA FedGov agencies have contracted with a "digital
> communications provider" (aka marketing campaign site) as their outbound email
> provider where it concerns sending email to the filthy citizens, because SMTP
> is too scary. (I'm not kidding, they've "certified" this service as FedRamp
> approved but AWS Simple Email Service is prohibited). This so-called service
> does not run SMTP listeners, authenticated or otherwise. Incredibly the only
> way to send mail using the platform is an API call (HTTP POST) with a JSON
> payload or via Web browser and forms template.

It seems like the best solution is to not fight the system... tell 
them to use the web form to send their announcements.

> In effect I need to do;
> For each message in delivery queue, construct JSON payload and use Curl to post
> to API endpoint, mark message as forwarded. Next.
>
> There will not be any local delivery so I'm guessing I can just change the
> default transport from smtp to Pipe(8)?

Yes, this should work. Pretty much anything that can be reliably 
scripted can be implemented as a postfix pipe transport.  Make sure 
your script exits with an appropriate sysexits.h code - 0 for 
success, non-zero for failure - so postfix knows if it worked.  See 
pipe(8) for important details.

> I haven't looked at what's involved in writing a 'native' transport agent that
> Postfix can call directly to process the queue.

Not recommended.  The postfix internal plumbing is intentionally 
undocumented as it may change between versions, possibly without 
warning.




  -- Noel Jones
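
An added example, not code from anyone in this thread: a sketch of the pipe(8) delivery script discussed above, which turns the message on stdin into a JSON payload, POSTs it, and maps the outcome to sysexits.h codes, covering the success/fail/temp-fail distinction raised earlier in the thread. The endpoint URL, the JSON field names, the script path and the master.cf entry in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""pipe(8) delivery agent sketch: message on stdin -> JSON -> HTTP POST.

Assumed master.cf entry (transport name and script path are placeholders):
  httppost unix - n n - - pipe
    flags=Rq user=nobody argv=/usr/local/bin/httppost.py ${sender} ${recipient}
"""
import json
import sys
import urllib.error
import urllib.request
from email import message_from_bytes, policy

API_URL = "https://api.example.invalid/v1/messages"  # placeholder endpoint

# sysexits.h values: Postfix defers on EX_TEMPFAIL and bounces on the others
EX_OK, EX_DATAERR, EX_UNAVAILABLE, EX_TEMPFAIL = 0, 65, 69, 75


def build_payload(raw: bytes, sender: str, recipients: list) -> bytes:
    """Build the JSON body; the field names are assumptions, not a real API."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return json.dumps({
        "envelope_from": sender,
        "envelope_to": recipients,   # from the envelope, never the To: header
        "subject": str(msg.get("Subject", "")),
        "body": body.get_content() if body else "",
    }).encode("utf-8")


def exit_code_for_status(status: int) -> int:
    """Map an HTTP status to the exit code Postfix should see."""
    if 200 <= status < 300:
        return EX_OK
    if status in (408, 425, 429) or status >= 500:
        return EX_TEMPFAIL           # stay in the queue, retry later
    return EX_UNAVAILABLE            # other 3xx/4xx: permanent, bounce


def deliver(raw, sender, recipients, opener=urllib.request.urlopen) -> int:
    try:
        payload = build_payload(raw, sender, recipients)
    except Exception:
        return EX_DATAERR            # unparseable message: a retry cannot help
    req = urllib.request.Request(API_URL, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with opener(req, timeout=30) as resp:
            return exit_code_for_status(resp.status)
    except urllib.error.HTTPError as err:   # must precede URLError (subclass)
        return exit_code_for_status(err.code)
    except (urllib.error.URLError, OSError):
        return EX_TEMPFAIL           # DNS, connect, TLS, timeout: transient


def main(argv) -> int:
    if len(argv) < 3:
        # Misconfigured argv: defer so queued mail is not bounced by mistake.
        print("usage: httppost.py sender recipient...", file=sys.stderr)
        return EX_TEMPFAIL
    return deliver(sys.stdin.buffer.read(), argv[1], argv[2:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Anything the script writes to stderr ends up in the delivery status report, so keep API credentials and response bodies out of it.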


Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

2019-07-01 Thread Viktor Dukhovni
> On Jul 1, 2019, at 11:24 AM, Tanstaafl  wrote:
> 
> On 6/28/2019, 12:52:55 PM, Bill Cole wrote:
>> The solution is to repackage messages as attachments inside entirely new 
>> messages, which isn't really forwarding but remailing.
> 
> Sounds like 'forward as attachment' to me...

Yes, but the recipient loses message-threading, and does not see the
right From: address (which is the unfortunate point of DMARC).  So,
yes technically a form of forwarding, but basic email "relaying" is
increasingly untenable.

-- 
Viktor.



Re: custom mail forwarder/relay program?

2019-07-01 Thread svinther
The basics for this are quite simple. I once used this article to get started
(found with a google search)

http://brianbrunner.com/automation/postfix/email/2013/09/09/postfix.html





Re: custom mail forwarder/relay program?

2019-07-01 Thread Wietse Venema
Patton, Matthew [Contractor]:
> I need a way for Postfix to listen to SMTP (think smarthost) and
> then re-send all emails via HTTP POST operation. Is the correct
> way to tackle this (aside from telling them to go to hell) a
> transport definition using Pipe(8)? I've never done this before
> and it doesn't appear to be a very common scenario. Otherwise I
> could write a small Perl program that is launched via inetd, that
> would do the same even though it wouldn't be very efficient.

It is unclear why Postfix needs to be involved at all. It sounds like
you do not really want to receive this email.

Wietse


RE: custom mail forwarder/relay program?

2019-07-01 Thread Patton, Matthew [Contractor]
> On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:
> > I need a way for Postfix to listen to SMTP (think smarthost) and then
> > re-send all emails via HTTP POST operation. Is the correct way to tackle
> > this (aside from

> Maybe if you explain your base problem in detail someone can help with an
> alternate solution.

A disturbing number of USA FedGov agencies have contracted with a "digital 
communications provider" (aka marketing campaign site) as their outbound email 
provider where it concerns sending email to the filthy citizens, because SMTP 
is too scary. (I'm not kidding, they've "certified" this service as FedRamp 
approved but AWS Simple Email Service is prohibited). This so-called service 
does not run SMTP listeners, authenticated or otherwise. Incredibly the only 
way to send mail using the platform is an API call (HTTP POST) with a JSON 
payload or via Web browser and forms template.

In effect I need to do;
For each message in delivery queue, construct JSON payload and use Curl to post 
to API endpoint, mark message as forwarded. Next.

There will not be any local delivery so I'm guessing I can just change the 
default transport from smtp to Pipe(8)? I haven't looked at what's involved in 
writing a 'native' transport agent that Postfix can call directly to process 
the queue. 



Re: custom mail forwarder/relay program?

2019-07-01 Thread Noel Jones

On 7/1/2019 10:19 AM, Patton, Matthew [Contractor] wrote:

> I need a way for Postfix to listen to SMTP (think smarthost) and then re-send
> all emails via HTTP POST operation. Is the correct way to tackle this (aside
> from telling them to go to hell) a transport definition using Pipe(8)? I've
> never done this before and it doesn't appear to be a very common scenario.
> Otherwise I could write a small Perl program that is launched via inetd, that
> would do the same even though it wouldn't be very efficient.




Relaying email via HTTP POST is not really a thing.

Maybe if you explain your base problem in detail someone can help 
with an alternate solution.




  -- Noel Jones


Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

2019-07-01 Thread Tanstaafl
On 6/28/2019, 12:52:55 PM, Bill Cole wrote:
> The solution is to repackage messages as attachments inside entirely new 
> messages, which isn't really forwarding but remailing.

Sounds like 'forward as attachment' to me...


custom mail forwarder/relay program?

2019-07-01 Thread Patton, Matthew [Contractor]
I need a way for Postfix to listen to SMTP (think smarthost) and then re-send 
all emails via HTTP POST operation. Is the correct way to tackle this (aside 
from telling them to go to hell) a transport definition using Pipe(8)? I've 
never done this before and it doesn't appear to be a very common scenario. 
Otherwise I could write a small Perl program that is launched via inetd, that 
would do the same even though it wouldn't be very efficient.


postfix p0f milter

2019-07-01 Thread David Mehler
Hello,

I hope this isn't too off topic, but hopefully someone will have more
information on this than I do.

I've got a postfix with virtual mail users system going. I'm needing
to tighten my antispam setup. I'm wanting to integrate p0f in to my
system, and am hoping there's a milter out there that will do it. My
goal is I've got postfix going on port 25 for incoming connections, so
I'm wanting the milter to passively scan that port and only if a
client makes a successful connection, i.e. is able to deliver mail,
p0f kicks off and scans the tcp/ip connection. As an example if it
comes from a windows xp machine then a p0f header is placed in to that
message with a spam probability value. Further down the line my rspamd
looks for that header, finds it, reads the value, and since it's a
high number from xp it immediately takes spam actions.

If anyone has this working with a milter for postfix either shell,
perl, python, or something similar I'd appreciate knowing it.
Thanks.
Dave.


Re: Mails to gmail bouncing

2019-07-01 Thread Ralf Hildebrandt
* Wietse Venema :
> Viktor Dukhovni:
> > > On Jun 21, 2019, at 3:32 AM, Ralf Hildebrandt  wrote:
> > > 
> > > /^452-4\.2\.2 (The email account that you tried to reach is over quota.*)/ 552 5.2.2 ${1}
> > 
> > Just as I expected. Now change that to:
> > 
> >   /^4(52[- ]4\.2\.2 The email account that you tried to reach is over quota.*)/ 5${1}
> > 
> > and don't do it again! :-)
> > 
> 
> Use smtp_delivery_status_filter instead.
> 
> (Postfix uses the last 452-4.2.2 from the multiline response)

Thanks!

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
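
An added example, not code from anyone in this thread: the two table rules quoted above, applied line by line to a constructed three-line reply and followed by a check of SMTP multi-line framing. It assumes each rule is applied to one reply line at a time and that only the first line carries the over-quota text; the reply lines are constructed.

```python
import re

# Constructed multi-line reply shaped like the one discussed in the thread.
REPLY = [
    "452-4.2.2 The email account that you tried to reach is over quota. Please direct",
    "452-4.2.2 the recipient to the provider's help page (constructed text)",
    "452 4.2.2 constructed final line",
]

OVER_QUOTA = r"The email account that you tried to reach is over quota.*"
# (pattern, replacement) pairs; ${1} in the Postfix table becomes \1 here.
FIRST_RULE = (re.compile(r"^452-4\.2\.2 (" + OVER_QUOTA + ")"), r"552 5.2.2 \1")
SECOND_RULE = (re.compile(r"^4(52[- ]4\.2\.2 " + OVER_QUOTA + ")"), r"5\1")


def rewrite(rule, lines):
    """Apply one rule to every reply line independently.

    Both patterns are anchored with ^ and end in .*, so substituting the
    match is the same as replacing the whole line with the table result.
    """
    pattern, replacement = rule
    return [pattern.sub(replacement, line, count=1) for line in lines]


def framing_problems(lines):
    """Check multi-line framing: 'NNN-' on every line but the last,
    'NNN ' on the last, and the same NNN on all lines."""
    problems = []
    if len({line[:3] for line in lines}) > 1:
        problems.append("reply codes differ between lines")
    for number, line in enumerate(lines, start=1):
        expected = " " if number == len(lines) else "-"
        if line[3:4] != expected:
            problems.append(
                f"line {number}: separator {line[3:4]!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    for label, rule in (("first rule", FIRST_RULE), ("second rule", SECOND_RULE)):
        result = rewrite(rule, REPLY)
        print(label, result, framing_problems(result), sep="\n  ")
```

Under both rules the final line keeps its 452 code, because neither pattern matches it.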


Re: Smptd intruder

2019-07-01 Thread Ralf Hildebrandt
* John Plate :
> Hi
> 
> I introduced "smtpd_reject_unlisted_sender=yes" in main.cf to avoid attempts 
> to login to my smtpd.

This doesn't block logins, it merely blocks envelope sender addresses
it KNOWS NOT TO exist (mainly stuff from your own domain -- i.e. if you
only have the address a@domain.example, nobody can use
b@domain.example or c@domain.example as sender)

> This morning it looks like an unknown ip-number succeeded:
> 
> Jun 23 07:38:02 lunar postfix/smtpd[14806]: connect from unknown[185.137.111.22]

What you want is
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
or
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

In Postfix lingo it means "block IP addresses with no hostname assigned
or the assigned hostname doesn't resolve back to the same IP".

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: SMTP-Relay/Satelite-Sytem

2019-07-01 Thread Wietse Venema
fanfan1:
> How do I get postfix to "listen" for emails that get sent from 
> "use...@t-online.com" and then relay them twice (destination & the 
> archive mailbox)?

To copy one sender's email:

/etc/postfix/main.cf
    sender_bcc_maps = inline:{
        {use...@t-online.com = other@example} } ...

Wietse


SMTP-Relay/Satelite-Sytem

2019-07-01 Thread fanfan1

Hi,

I'm quite new to postfix and have a question about a scenario I would
like to achieve.

I would like to accomplish the following:

1. User A has an email account like use...@t-online.com at a standard
   E-Mail Provider
   1. He is either not able or willing to setup/use exchange or some
      other mail server to accomplish the given scenario!
   2. He is not able or willing to use some "Auto-BCC" Function (which
      Outlook only gets through a Plugin) because of mobile use with
      smartphone/tablet or E-Mail programs that don't offer this function!
2. All (outgoing) E-Mail is sent to 
   1. This means using E-Mail clients like Outlook, Thunderbird and
      smartphones
3. The postfix server should then relay that message to the SMTP-Server
   from the Provider where User A has his E-Mail Account.
4. _*AND*_ as well as relaying the E-Mail to get sent to its original
   destination it should also be resent to a second destination for
   archiving (let's say user-a-arch...@t-online.com)

I found countless tutorials on how to setup postfix as a relay but they
all intend to send their mail from the server directly.
In my case it has to be sent from pc/mobile via standard E-Mail client
to postfix and from there to its destination & the archive mailbox.

How do I get postfix to "listen" for emails that get sent from
"use...@t-online.com" and then relay them twice (destination & the
archive mailbox)?

Can anyone help me with this setup or has some more information on how
to get it going?


regards
Luke




Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197

2019-07-01 Thread Curtis Maurand
I'm making an assumption, here.  You know how dangerous assumptions 
are.  My assumption is that you're running an exchange server.  You need 
to modify the helo/ehlo response.


https://social.technet.microsoft.com/Forums/azure/en-US/4dde9b79-18e4-407f-8edc-896e6c40eb25/need-to-modify-server-response-to-ehlo-helo?forum=exchangesvradmin

Cheers,
Curtis

Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197

2019-07-01 Thread subscription1

I think I found the issue.

I just found that the reverse DNS entry at the service provider had the 
dc1.xxx.xom.au entry


Thanks


On 1/7/19 3:24 pm, subscription1 wrote:

> I'd appreciate your help with the following:
>
> I'm looking after two servers on 2 different domains. During testing I
> found the following issue.
>
> On the sending server I get the following
>
> Jul  1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)
>
> On the receiving server I get:
>
> Jul  1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from [xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
> Jul  1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD [xxx.xxx.73.197]:44014
> Jul  1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or service not known
> Jul  1 06:18:21 mail1 postfix/smtpd[19348]: connect from unknown[xxx.xxx.73.197]
> Jul  1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find your hostname, [150.107.73.197]; from= to= proto=ESMTP helo=
>
> I can ping 'mail.xxx.net' on this server ok.
>
> Sending Server postconf -n output
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> delay_warning_time = 4h
> inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197
> inet_protocols = all
> local_recipient_maps = $virtual_mailbox_maps
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> message_size_limit = 52428800
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
> mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
> mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = xxx.net
> myhostname = mail.xxx.net
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> non_smtpd_milters = inet:localhost:11332
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = drop
> postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = drop
> readme_directory = no
> recipient_delimiter = +
> relayhost =
> smtp_dns_support_level = dnssec
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_ciphers = high
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = mail.xxx.net
> smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
> smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
> smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt
> smtpd_tls_ciphers = high
> smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
> virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
> virtual_transport = lmtp:unix:private/dovecot-lmtp
>
> Sending Server postconf -Mf output ---
>
> smtp   inet  n   -   y   -   1 postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd  pass  -   -   y   -   -   smtpd
> dnsblog    unix  -   -   y   -   0   dnsblog
> tlsproxy   unix  -   -   y   -   0   tlsproxy
> 9925   inet  n   -   y   -   -
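
An added example, not code from anyone on this list: the forward-confirmed reverse DNS check behind the "does not resolve to address" warning above, and the difference between reject_unknown_client_hostname and reject_unknown_reverse_client_hostname mentioned in the "Smptd intruder" reply. All names and addresses are constructed (documentation ranges), the lookups are dictionaries so it runs offline, and it simplifies by checking only the first PTR name and ignoring temporary DNS errors.

```python
import ipaddress

# Constructed DNS data (documentation addresses and example.* names only).
PTR = {
    "192.0.2.10": ["mail.example.net."],   # PTR and A record agree
    "192.0.2.20": ["dc1.example.com."],    # PTR names a host with no A record
    "192.0.2.30": ["mail.example.net."],   # PTR points at another host's name
}                                          # 192.0.2.40 has no PTR at all
ADDR = {"mail.example.net": ["192.0.2.10"]}


def classify_client(client_ip, ptr=PTR, addr=ADDR):
    """Return (client_name, has_ptr, detail) for a connecting address.

    client_name is "unknown" unless the PTR name resolves back to the
    same address, which is the condition the smtpd warning reports.
    """
    ip = ipaddress.ip_address(client_ip)
    names = ptr.get(str(ip), [])
    if not names:
        return "unknown", False, "address has no PTR record"
    name = names[0].rstrip(".").lower()
    forward = {ipaddress.ip_address(a) for a in addr.get(name, [])}
    if not forward:
        return "unknown", True, f"hostname {name} does not resolve"
    if ip not in forward:
        return "unknown", True, f"hostname {name} does not resolve to address {ip}"
    return name, True, "forward-confirmed"


def verdicts(client_ip):
    """Report which of the two restrictions would reject this client."""
    name, has_ptr, detail = classify_client(client_ip)
    return {
        "client": f"{name}[{client_ip}]",
        # triggers only when the address -> name lookup fails
        "reject_unknown_reverse_client_hostname": not has_ptr,
        # also triggers when the name does not map back to the address
        "reject_unknown_client_hostname": name == "unknown",
        "detail": detail,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(verdicts(ip))
```

The second and third constructed clients show the case from this thread: a PTR record exists, so only the stricter restriction rejects.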