master.cf - "using backwards-compatible"

Andreas postfix at linuxmaker.de
Fr Sep 7 09:24:36 CEST 2018


Hallo zusammen,

ich habe folgende main.cf-Einstellungen

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
broken_sasl_auth_clients = yes
compatibility_level = 2
disable_vrfy_command = yes
greylist = permit_dnswl_client list.dnswl.org, check_policy_service inet:
127.0.0.1:10023
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 26214400
minimal_backoff_time = 300s
mydestination = mx.example.com, localhost.example.com, localhost
myhostname = mx.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/
postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 
dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 
bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 
dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 
dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 
dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[10;11]*8 
zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 
zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 
hostkarma.junkemailfilter.com=127.0.0.4*1 
hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.
[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, 
proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/
etc/postfix/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps 
$mydestination $virtual_alias_maps $virtual_alias_domains 
$virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps 
$relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$smtpd_sender_login_maps
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/
mysql_relay_recipient_maps.cf
relayhost =
sender_dependent_default_transport_maps = proxy:mysql:/etc/postfix/sql/
mysql_tls_enforce_out_policy.cf
smtp_dns_support_level = dnssec
smtp_header_checks = pcre:/etc/postfix/submission_header_cleanup
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/
postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, 
reject_unauth_destination
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/
mysql_virtual_sender_acl.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, 
permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, 
reject_unlisted_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_key_file = /etc/ssl/mail/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_mandatory_protocols = !SSLv3
smtpd_tls_protocols = !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA
+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:
+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!
ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf, proxy:mysql:/
etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/
sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/
mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/
mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/
mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

mit dieser master.cf:

# Postscreen on Port 25/tcp, filters zombies (spam machines) on first level 
with lowest costs.
smtp       inet  n       -       n       -       1       postscreen

# Postscreen passes sane clients to the real SMTP daemon here.
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

# For mail submitting users. Authenticated clients and known networks only.
submission inet n       -       -       -       -       smtpd
  -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes

127.0.0.1:588 inet n    -       -       -       -       smtpd
  -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

# Handles TLS connections for postscreen to make them readable
tlsproxy  unix  -       -       n       -       0       tlsproxy
# This implements an ad-hoc DNS white/blacklist lookup service
dnsblog   unix  -       -       n       -       0       dnsblog
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
smtp_enforced_tls      unix  -       -       -       -       -       smtp
  # This will not work on Postfix <=3.1 but is okay to reside here on
  # unsupported versions (will print a warning though)
  # Furthermore we cannot mark missing TLS support as hard-fail, mails will 
stay in our queue
  -o smtp_delivery_status_filter=pcre:/etc/postfix/smtp_dsn_filter.pcre
  -o smtp_tls_security_level=encrypt
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail 
($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender 
$recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $
{nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_milters=inet:127.0.0.1:10040


Im Logfiles sehe ich nach einem Reload:

Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 19: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 28: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 38: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 39: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 41: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 42: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 43: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 44: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 45: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 46: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 47: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 50: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 51: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 57: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 58: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 59: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 60: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 61: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 64: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 65: 
using backwards-compatible default setting chroot=y 
Sep  4 13:29:20 mx postfix/master[8411]: /etc/postfix/master.cf: line 66: 
using backwards-compatible default setting chroot=y


Was will mir Postfix mit "using backwards-compatible default setting chroot=y
" sagen?

Grüße und vielen Dank

Andreas
-------------- nächster Teil --------------
Ein Dateianhang mit HTML-Daten wurde abgetrennt...
URL: <https://listi.jpberlin.de/pipermail/postfixbuch-users/attachments/20180907/c92dec66/attachment-0001.html>


Mehr Informationen über die Mailingliste Postfixbuch-users