Authentication on Postfix

Hello,
I recently changed from exim to postfix and now cannot get my simpleAuthenticator to work.
Are there any differences with postfix in terms of the authentication required, also how do I need to enter the username, i.e.
username or
username@myDomain
Thanks

combining prarie-guy and kevin mck posts, heres what worked on my snow leopard 10.6.2 box:
error was:
Jan 6 17:05:10 cavell postfix/smtp[36921]: warning: SASL authentication failure: No worthy mechs found
Jan 6 17:05:10 cavell postfix/smtp[36921]: 08A7856920: to=<[email protected]>, relay=mail.telushosting.com[216.251.32.97]:25, delay=1.2, delays=0/0.01/1.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.telushosting.com[216.251.32.97]: no mechanism available)
to fix:
stop mail using server admin or cmd line
in terminal window, sudo -s -H
cd /etc/postfix
cp -p main.cf main.cf.orig
vi main.cf
check the following lines are set up as follows:
smtpsasl_authenable = yes
smtpsasl_securityoptions =
smtpsasl_passwordmaps = hash:/etc/postfix/sasl/passwd
smtpdclientrestrictions = permit_mynetworks permitsaslauthenticated permit
smtpdrecipientrestrictions = permitsaslauthenticated permit_mynetworks rejectunauthdestination checkpolicyservice unix:private/policy permit
smtpdsasl_authenable = yes
restart mail.

Similar Messages

Removing Anonymous Access on Exchange for postfix relay (inbound)

Hi good afternoon. I'm trying to make the Posftix authenticate to the Exchange to deliver mail to local accounts. In the SMTP Virtual server Exchange 2003 i disable anonymous access and configure postfix to authenticate with an account that exists in the
Active directory. The problem is that now in the postfix log of when you want to try to deliver a mail coming from an external domain throws me:
said: 454 5.7.3 Client does not have permission to Send As This sender.
I missed to configure something? The idea is not to allow anonymous access but the SMTP server.
Someone had to do something similar?
Thank you very much.

Hi,
Postfix uses the 'AUTH=<>' verb to indicate the message was received anonymously which creates a conflict with the authentication requirement in Exchange.
Try the following workarounds:
- Authenticate the senders in Postfix using LDAP calls.
- Disable authentication between Postfix and Exchange.
- Configure the web applications to send mail directly to Exchange.
- Add the service account used for authentication to the Exchange Domain Servers.
Thanks,
Simon Wu
TechNet Community Support

How to use Message FIlter to log postfix authenticated sender header

I'm trying to log the username from the postfix authenticated sender header information.
Here is an example of the header:
Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client
certificate requested) (Authenticated sender: [email protected]) by
postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for
<[email protected]>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)
And here is the message filter I'm working on:
if (recv-int == "OutboundIP") {
if(header('Received') == '\$Authenticated sender: .+@ad\\.domain\\.edu\$') {
log-entry("Authenticated Sender: '$MatchedContent'");
Everything is working except for the $MatchedContent variable. It is creating the custom log entry but it is only showing as "Authenticated Sender: "
Does anyone have any ideas on how to get the $MatchedContent variable to work or another way to log that username?

Try taking out the ' from around your '$MatchedContent'...
My example:
dictionary_match:
if (dictionary-match('not_allowed_words')){
edit-header-text ("Subject", "^", "Notice Content Matched on: $MatchedContent");
log-entry("#---# This email had: $MatchedContent #---#");
notify('[email protected]');
Sent an email with a known "secret" in the email body... and "secret" is in my "not_allowed_words" dictionary... so it'll trip my "dictionary_match" message filter...
Mail logs --->
Thu Jun 12 23:10:46 2014 Info: New SMTP ICID 181 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Thu Jun 12 23:10:46 2014 Info: ICID 181 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Thu Jun 12 23:10:46 2014 Info: Start MID 105 ICID 181
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 From: <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 RID 0 To: <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 105 Message-ID '<[email protected]>'
Thu Jun 12 23:10:46 2014 Info: MID 105 Subject 'This email has an issue'
Thu Jun 12 23:10:46 2014 Info: MID 105 ready 561 bytes from <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 105 Custom Log Entry: #---# This email had: secret #---#
Thu Jun 12 23:10:46 2014 Info: Start MID 106 ICID 0
Thu Jun 12 23:10:46 2014 Info: MID 106 was generated based on MID 105 by notify filter 'dictionary_match'
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 From: <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 RID 0 To: <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 106 DomainKeys: cannot sign - no profile matches [email protected]
Thu Jun 12 23:10:46 2014 Info: MID 106 DKIM: cannot sign - no profile matches [email protected]
Thu Jun 12 23:10:46 2014 Info: MID 106 ready 970 bytes from <[email protected]>
Thu Jun 12 23:10:46 2014 Info: MID 106 queued for delivery
Thu Jun 12 23:10:46 2014 Info: MID 105 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Thu Jun 12 23:10:46 2014 Info: MID 105 queued for delivery
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 53 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 54 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: Delivery start DCID 54 MID 105 to RID [0]
Thu Jun 12 23:10:47 2014 Info: DCID 53 TLS success protocol TLSv1 cipher RC4-SHA
Thu Jun 12 23:10:47 2014 Info: Delivery start DCID 53 MID 106 to RID [0]
Thu Jun 12 23:10:47 2014 Info: Message done DCID 54 MID 105 to RID [0]
Thu Jun 12 23:10:47 2014 Info: MID 105 RID [0] Response '2.0.0 s5D3Aobe022251 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 105 done
Thu Jun 12 23:10:47 2014 Info: Message done DCID 53 MID 106 to RID [0]
Thu Jun 12 23:10:47 2014 Info: MID 106 RID [0] Response '2.0.0 s5D3AoFH012632 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 106 done
Thu Jun 12 23:10:52 2014 Info: DCID 54 close
Thu Jun 12 23:10:52 2014 Info: DCID 53 close
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

SMTP Authentication (SASL on Postfix)

I am migrating my personal mail server from Tiger Server to Snow Leopard Server.
I have had Postfix on the Tiger Server working for years. I am having trouble configuring Snow Leopard to do the same. My set up for SMTP is to relay email from my respective Postfix server to my ISP, mail.speakeasy.net, and then authenticate with my speakeasy name/password. As I use SSL, I come in on port 995.
From Postfix's perspective, this involves configuring SASL.
Here are the relevant SASL configuration lines from postfix.conf
smtpsasl_authenable = yes
smtpsasl_passwordmaps = hash:/etc/postfix/sasl/passwd
smtpdclientrestrictions = permit_mynetworks permitsaslauthenticated rejectrblclient zen.spamhaus.org rejectrblclient bl.spamcop.net permit
smtpdrecipientrestrictions = permitsaslauthenticated permit_mynetworks rejectunauthdestination checkpolicyservice unix:private/policy permit
smtpdsasl_authenable = yes
When I attempt to relay through mail.speakeasy.net, here are the log file entries in my Snow Leopard SMTP Log files:
Oct 22 17:26:38 tin postfix/smtp[98906]: warning: SASL authentication failure: No worthy mechs found
Oct 22 17:26:38 tin postfix/smtp[98906]: D6EC5500F2: to=<[email protected]>, relay=mail.speakeasy.net[69.12.123.12]:25, delay=0.29, delays=0/0/0.28/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.speakeasy.net[69.12.123.12]: no mechanism available)
Any advice would be appreciated.
Thanks,

combining prarie-guy and kevin mck posts, heres what worked on my snow leopard 10.6.2 box:
error was:
Jan 6 17:05:10 cavell postfix/smtp[36921]: warning: SASL authentication failure: No worthy mechs found
Jan 6 17:05:10 cavell postfix/smtp[36921]: 08A7856920: to=<[email protected]>, relay=mail.telushosting.com[216.251.32.97]:25, delay=1.2, delays=0/0.01/1.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.telushosting.com[216.251.32.97]: no mechanism available)
to fix:
stop mail using server admin or cmd line
in terminal window, sudo -s -H
cd /etc/postfix
cp -p main.cf main.cf.orig
vi main.cf
check the following lines are set up as follows:
smtpsasl_authenable = yes
smtpsasl_securityoptions =
smtpsasl_passwordmaps = hash:/etc/postfix/sasl/passwd
smtpdclientrestrictions = permit_mynetworks permitsaslauthenticated permit
smtpdrecipientrestrictions = permitsaslauthenticated permit_mynetworks rejectunauthdestination checkpolicyservice unix:private/policy permit
smtpdsasl_authenable = yes
restart mail.

Sending php mail(); using postfix. Authentication failed.

Trying to set up my localhost to send php mail() using postfix.
I did the following:
Created the sasl_passwd file
Created the sasl_passwd.db file
Edited mail.cf in the postfix folder to include relay host: relayhost=smtp.live.com:587
I'm trying to relay through my hotmail account. The mail.log returns the following:
Jan 24 13:17:30 Richards-MacBook-Pro.local postfix/error[927]: E75CCE40EE4: to=<[email protected]>, relay=none, delay=1580, delays=1580/0.07/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: SASL authentication failed; server smtp.live.com[65.55.162.200] said: 535 5.0.0 Authentication Failed)
Any ideas what I'm doing wrong here?

Ok problem solved :)
Problem was between oracle and MS exchange server. Live server oracle 9i is on linux, and testing server works on windows.
So the problem was with configuration. Our admins corrected it and now works :). I don't know details.

Postfix - enable username authentication

Hi all,
I have created a dovecot and postfix email server
My dovecot/IMAP users authenticate by it by there username and passwords that are either created on the local server or my email server queries the LDAP server for authentication
Now I want to have SMTP authentication for my users that use postfix
Basically I want my user on there email clients to tick the box on the outgoing smtp server that says, "use the same authentication method that I use for my IMAP/dovecot server
How do I do this as i think atm my smtp postfix server any one can send out via it so want to lock it down
Many thanks in advanced
Rob
This topic first appeared in the Spiceworks Community

ChristopherAngel wrote:
2) Clearly I don't know what I am doing :)Then you need a bit of background reading. As a starting point -
"Beginning Cryptography With Java" by David Hook published by Wrox
"Applet Cryptography" by Bruce Schneier published by Wiley
"Practical Cryptogrpahy" by Ferguson and Schneier published by Wiley
"SSL and TLS Essentials" by Steven Thomas published by Wiley
[JSSE Reference Guide|http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/security/jsse/JSSERefGuide.html]
[SSL and Custom Sockets|http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html]

Mail Server Relay Authentication Failure in Server Admin

I need to set up Mail Server to relay through my ISP. I know that I can authenticate to smtp.comcast.net:587 using my account and TLS usnig a mail client.
However, when I use Server Admin to configure my server's SMTP to send all outgoing email through this relay (Server Admin>Mail>Settings>General>
Rely outgoing mail through host: smtp.comcast.net:587
Authenticate to rely with user name: user
I get the SMTP error:
SASL authentication failed: cannot authenticate to server smtp.comcast.net[76.96.62.117]: no mechanism available
There are no toggles on Server Admin to specify TLS or SSL or anything for authentication.
Does anyone know how to tell Server Admin how to authenticate an SMTP relay to smtp.comcast.net using TLS, which is apparently what comcast expects?

Wow, this is an obscure solution, but it works. According to this thread, the problem is that:
Although Comcast advertises "AUTH LOGIN PLAIN", the Postfix SASL library won't do plain text auth by default. It needs to be told it's okay with:
smtp_sasl_security_options = noanonymous
Solution:
$ su -
$ cd /etc/postfix
$ cp main.cf main.cf.no_smtp_sasl_security_options
$ echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
$ serveradmin stop mail
$ serveradmin start mail
I'm not sure how often /etc/postfix/main.cf is overwritten, but presumably this happens every time you change and save Mail settings in Server Admin, so you must redo these steps every time you change the Mail server if you want to use smtp.comcast.net as your mail relay.
AAPL, would you please add a toggle to handle this in Server Admin?

[SOLVED] Postfix smtpd exits when using dovecot SASL auth

I've been trying to configure my mail server with dovecot SASL authentication. I've been following the guide here to set this up. However, when I telnet to the server on port 25, I get this in the postfix logs:
Aug 4 21:51:00 localhost postfix/smtpd[2316]: connect from unknown[192.168.1.27]
Aug 4 21:51:00 localhost postfix/smtpd[2316]: fatal: no SASL authentication mechanisms
Aug 4 21:51:01 localhost postfix/master[2312]: warning: process /usr/lib/postfix/smtpd pid 2316 exit status 1
Aug 4 21:51:01 localhost postfix/master[2312]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
After enabling debug logging in dovecot, I get this at the same time in the dovecot logs:
Aug 04 21:51:00 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Aug 04 21:51:00 auth: Debug: auth client connected (pid=0)
System info:
Linux matrix 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
Output from postconf:
2bounce_notice_recipient = postmaster
access_map_defer_code = 450
access_map_reject_code = 554
address_verify_cache_cleanup_interval = 12h
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map = btree:$data_directory/verify_cache
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_default_transport_maps = $sender_dependent_default_transport_maps
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_sender_ttl = 0s
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = yes
allow_untrusted_routing = no
alternate_config_directories =
always_add_missing_headers = no
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = yes
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
biff = yes
body_checks =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file =
broken_sasl_auth_clients = no
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
canonical_maps =
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
cyrus_sasl_config_path =
daemon_directory = /usr/lib/postfix
daemon_table_open_error_is_fatal = no
daemon_timeout = 18000s
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_failed_cohort_limit = 1
default_destination_concurrency_limit = 20
default_destination_concurrency_negative_feedback = 1
default_destination_concurrency_positive_feedback = 1
default_destination_rate_delay = 0s
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_filter_nexthop =
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 20000
default_recipient_refill_delay = 5s
default_recipient_refill_limit = 100
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
destination_concurrency_feedback_debug = no
detect_8bit_encoding_header = yes
disable_dns_lookups = no
disable_mime_input_processing = no
disable_mime_output_conversion = no
disable_verp_bounces = no
disable_vrfy_command = no
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
dont_remove = 0
double_bounce_sender = double-bounce
duplicate_filter_limit = 1000
empty_address_default_transport_maps_lookup_key = <>
empty_address_recipient = MAILER-DAEMON
empty_address_relayhost_maps_lookup_key = <>
enable_long_queue_ids = no
enable_original_recipient = yes
error_delivery_slot_cost = $default_delivery_slot_cost
error_delivery_slot_discount = $default_delivery_slot_discount
error_delivery_slot_loan = $default_delivery_slot_loan
error_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
error_destination_concurrency_limit = $default_destination_concurrency_limit
error_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
error_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
error_destination_rate_delay = $default_destination_rate_delay
error_destination_recipient_limit = $default_destination_recipient_limit
error_extra_recipient_limit = $default_extra_recipient_limit
error_initial_destination_concurrency = $initial_destination_concurrency
error_minimum_delivery_slots = $default_minimum_delivery_slots
error_notice_recipient = postmaster
error_recipient_limit = $default_recipient_limit
error_recipient_refill_delay = $default_recipient_refill_delay
error_recipient_refill_limit = $default_recipient_refill_limit
error_service_name = error
execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
expand_owner_alias = no
export_environment = TZ MAIL_CONFIG LANG
fallback_transport =
fallback_transport_maps =
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
frozen_delivered_to = yes
hash_queue_depth = 1
hash_queue_names = deferred, defer
header_address_token_limit = 10240
header_checks =
header_size_limit = 102400
helpful_warnings = yes
home_mailbox = Maildir/
hopcount_limit = 50
html_directory = no
ignore_mx_lookup_error = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
internal_mail_filter_classes =
invalid_hostname_reject_code = 501
ipc_idle = 5s
ipc_timeout = 3600s
ipc_ttl = 1000s
line_length_limit = 2048
lmtp_address_preference = any
lmtp_assume_final = no
lmtp_bind_address =
lmtp_bind_address6 =
lmtp_body_checks =
lmtp_cname_overrides_servername = no
lmtp_connect_timeout = 0s
lmtp_connection_cache_destinations =
lmtp_connection_cache_on_demand = yes
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_defer_if_no_mx_address_found = no
lmtp_delivery_slot_cost = $default_delivery_slot_cost
lmtp_delivery_slot_discount = $default_delivery_slot_discount
lmtp_delivery_slot_loan = $default_delivery_slot_loan
lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
lmtp_destination_rate_delay = $default_destination_rate_delay
lmtp_destination_recipient_limit = $default_destination_recipient_limit
lmtp_discard_lhlo_keyword_address_maps =
lmtp_discard_lhlo_keywords =
lmtp_dns_resolver_options =
lmtp_enforce_tls = no
lmtp_extra_recipient_limit = $default_extra_recipient_limit
lmtp_generic_maps =
lmtp_header_checks =
lmtp_host_lookup = dns
lmtp_initial_destination_concurrency = $initial_destination_concurrency
lmtp_lhlo_name = $myhostname
lmtp_lhlo_timeout = 300s
lmtp_line_length_limit = 998
lmtp_mail_timeout = 300s
lmtp_mime_header_checks =
lmtp_minimum_delivery_slots = $default_minimum_delivery_slots
lmtp_mx_address_limit = 5
lmtp_mx_session_limit = 2
lmtp_nested_header_checks =
lmtp_per_record_deadline = no
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_maps =
lmtp_pix_workaround_threshold_time = 500s
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
lmtp_quit_timeout = 300s
lmtp_quote_rfc821_envelope = yes
lmtp_randomize_addresses = yes
lmtp_rcpt_timeout = 300s
lmtp_recipient_limit = $default_recipient_limit
lmtp_recipient_refill_delay = $default_recipient_refill_delay
lmtp_recipient_refill_limit = $default_recipient_refill_limit
lmtp_reply_filter =
lmtp_rset_timeout = 20s
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
lmtp_send_dummy_mail_auth = no
lmtp_send_xforward_command = no
lmtp_sender_dependent_authentication = no
lmtp_skip_5xx_greeting = yes
lmtp_skip_quit_response = no
lmtp_starttls_timeout = 300s
lmtp_tcp_port = 24
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_ciphers = export
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
lmtp_xforward_timeout = 300s
local_command_shell =
local_delivery_slot_cost = $default_delivery_slot_cost
local_delivery_slot_discount = $default_delivery_slot_discount
local_delivery_slot_loan = $default_delivery_slot_loan
local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
local_destination_concurrency_limit = 2
local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
local_destination_rate_delay = $default_destination_rate_delay
local_destination_recipient_limit = 1
local_extra_recipient_limit = $default_extra_recipient_limit
local_header_rewrite_clients = permit_inet_interfaces
local_initial_destination_concurrency = $initial_destination_concurrency
local_minimum_delivery_slots = $default_minimum_delivery_slots
local_recipient_limit = $default_recipient_limit
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_recipient_refill_delay = $default_recipient_refill_delay
local_recipient_refill_limit = $default_recipient_refill_limit
local_transport = local:$myhostname
luser_relay =
mail_name = Postfix
mail_owner = postfix
mail_release_date = 20120801
mail_spool_directory = /var/mail
mail_version = 2.9.4
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = fcntl, dotlock
mailbox_size_limit = 51200000
mailbox_transport =
mailbox_transport_maps =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
maps_rbl_reject_code = 554
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
master_service_disable =
max_idle = 100s
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_reject_characters =
message_size_limit = 10240000
message_strip_characters =
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_header_checks =
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
milter_protocol = 6
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
milter_unknown_command_macros =
mime_boundary_length_limit = 2048
mime_header_checks = $header_checks
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_instance_directories =
multi_instance_enable = no
multi_instance_group =
multi_instance_name =
multi_instance_wrapper =
multi_recipient_bounce_reject_code = 550
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = (hidden)
myhostname = (hidden)
mynetworks = 127.0.0.1/32 192.168.1.32/32
mynetworks_style = host
myorigin = $mydomain
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 504
non_smtpd_milters =
notify_classes = resource, software
owner_request_special = yes
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
pickup_service_name = pickup
plaintext_reject_code = 450
postmulti_control_commands = reload flush
postmulti_start_commands = start
postmulti_stop_commands = stop abort drain quick-stop
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = ignore
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = ignore
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 1h
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = ignore
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
prepend_delivered_header = command, file, forward
process_id_directory = pid
propagate_unmatched_extensions = canonical, virtual
proxy_interfaces =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map
proxymap_service_name = proxymap
proxywrite_service_name = proxywrite
qmgr_clog_warn_time = 300s
qmgr_daemon_timeout = 1000s
qmgr_fudge_factor = 100
qmgr_ipc_timeout = 60s
qmgr_message_active_limit = 20000
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
qmqpd_authorized_clients =
qmqpd_client_port_logging = no
qmqpd_error_delay = 1s
qmqpd_timeout = 300s
queue_directory = /var/spool/postfix
queue_file_attribute_count_limit = 100
queue_minfree = 0
queue_run_delay = 300s
queue_service_name = qmgr
rbl_reply_maps =
readme_directory = no
receive_override_options =
recipient_bcc_maps =
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps =
recipient_delimiter =
reject_code = 554
reject_tempfail_action = defer_if_permit
relay_clientcerts =
relay_delivery_slot_cost = $default_delivery_slot_cost
relay_delivery_slot_discount = $default_delivery_slot_discount
relay_delivery_slot_loan = $default_delivery_slot_loan
relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
relay_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
relay_destination_rate_delay = $default_destination_rate_delay
relay_destination_recipient_limit = $default_destination_recipient_limit
relay_domains = $mydestination
relay_domains_reject_code = 554
relay_extra_recipient_limit = $default_extra_recipient_limit
relay_initial_destination_concurrency = $initial_destination_concurrency
relay_minimum_delivery_slots = $default_minimum_delivery_slots
relay_recipient_limit = $default_recipient_limit
relay_recipient_maps =
relay_recipient_refill_delay = $default_recipient_refill_delay
relay_recipient_refill_limit = $default_recipient_refill_limit
relay_transport = relay
relayhost =
relocated_maps =
remote_header_rewrite_domain =
require_home_directory = no
reset_owner_alias = no
resolve_dequoted_address = yes
resolve_null_domain = no
resolve_numeric_domain = no
retry_delivery_slot_cost = $default_delivery_slot_cost
retry_delivery_slot_discount = $default_delivery_slot_discount
retry_delivery_slot_loan = $default_delivery_slot_loan
retry_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
retry_destination_concurrency_limit = $default_destination_concurrency_limit
retry_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
retry_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
retry_destination_rate_delay = $default_destination_rate_delay
retry_destination_recipient_limit = $default_destination_recipient_limit
retry_extra_recipient_limit = $default_extra_recipient_limit
retry_initial_destination_concurrency = $initial_destination_concurrency
retry_minimum_delivery_slots = $default_minimum_delivery_slots
retry_recipient_limit = $default_recipient_limit
retry_recipient_refill_delay = $default_recipient_refill_delay
retry_recipient_refill_limit = $default_recipient_refill_limit
rewrite_service_name = rewrite
sample_directory = /etc/postfix/sample
send_cyrus_sasl_authzid = no
sender_bcc_maps =
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =
sender_dependent_default_transport_maps =
sender_dependent_relayhost_maps =
sendmail_fix_line_endings = always
sendmail_path = /usr/sbin/sendmail
service_throttle_time = 60s
setgid_group = postdrop
show_user_unknown_table_name = yes
showq_service_name = showq
smtp_address_preference = any
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_body_checks =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_delivery_slot_cost = $default_delivery_slot_cost
smtp_delivery_slot_discount = $default_delivery_slot_discount
smtp_delivery_slot_loan = $default_delivery_slot_loan
smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_dns_resolver_options =
smtp_enforce_tls = no
smtp_extra_recipient_limit = $default_extra_recipient_limit
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 998
smtp_mail_timeout = 300s
smtp_mime_header_checks =
smtp_minimum_delivery_slots = $default_minimum_delivery_slots
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks =
smtp_never_send_ehlo = no
smtp_per_record_deadline = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps =
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_recipient_limit = $default_recipient_limit
smtp_recipient_refill_delay = $default_recipient_refill_delay
smtp_recipient_refill_limit = $default_recipient_refill_limit
smtp_reply_filter =
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_dummy_mail_auth = no
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_command_filter =
smtpd_data_restrictions =
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = ${stress?1}${stress:100}
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_per_record_deadline = ${stress?yes}${stress:no}
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_options =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_footer =
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_service_name = smtpd
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file =
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
soft_bounce = no
stale_lock_time = 500s
stress =
strict_7bit_headers = no
strict_8bitmime = no
strict_8bitmime_body = no
strict_mailbox_ownership = yes
strict_mime_encoding_domain = no
strict_rfc821_envelopes = no
sun_mailtool_compatibility = no
swap_bangpath = yes
syslog_facility = mail
syslog_name = ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name}
tcp_windowsize = 0
tls_append_default_CA = no
tls_daemon_random_bytes = 32
tls_disable_workarounds =
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_service_name = tlsproxy
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
tlsproxy_use_tls = $smtpd_use_tls
tlsproxy_watchdog_timeout = 10s
trace_service_name = trace
transport_maps =
transport_retry_time = 60s
trigger_timeout = 10s
undisclosed_recipients_header =
unknown_address_reject_code = 450
unknown_address_tempfail_action = $reject_tempfail_action
unknown_client_reject_code = 450
unknown_helo_hostname_tempfail_action = $reject_tempfail_action
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_defer_code = 450
unverified_recipient_reject_code = 450
unverified_recipient_reject_reason =
unverified_recipient_tempfail_action = $reject_tempfail_action
unverified_sender_defer_code = 450
unverified_sender_reject_code = 450
unverified_sender_reject_reason =
unverified_sender_tempfail_action = $reject_tempfail_action
verp_delimiter_filter = -=+
virtual_alias_domains = $virtual_alias_maps
virtual_alias_expansion_limit = 1000
virtual_alias_maps = $virtual_maps
virtual_alias_recursion_limit = 1000
virtual_delivery_slot_cost = $default_delivery_slot_cost
virtual_delivery_slot_discount = $default_delivery_slot_discount
virtual_delivery_slot_loan = $default_delivery_slot_loan
virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
virtual_destination_rate_delay = $default_destination_rate_delay
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_extra_recipient_limit = $default_extra_recipient_limit
virtual_gid_maps =
virtual_initial_destination_concurrency = $initial_destination_concurrency
virtual_mailbox_base =
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_limit = 51200000
virtual_mailbox_lock = fcntl, dotlock
virtual_mailbox_maps =
virtual_minimum_delivery_slots = $default_minimum_delivery_slots
virtual_minimum_uid = 100
virtual_recipient_limit = $default_recipient_limit
virtual_recipient_refill_delay = $default_recipient_refill_delay
virtual_recipient_refill_limit = $default_recipient_refill_limit
virtual_transport = virtual
virtual_uid_maps =
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_sasl_auth_only=yes
Output from doveconf:
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.7-1-ARCH x86_64 Arch Linux
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_debug = yes
auth_debug_passwords = no
auth_default_realm =
auth_failure_delay = 2 secs
auth_first_valid_uid = 500
auth_gssapi_hostname =
auth_krb5_keytab =
auth_last_valid_uid = 0
auth_master_user_separator =
auth_mechanisms = plain login
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = no
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
base_dir = /var/run/dovecot
config_cache_size = 1 M
debug_log_path =
default_client_limit = 1000
default_idle_kill = 1 mins
default_internal_user = dovecot
default_login_user = dovenull
default_process_limit = 100
default_vsz_limit = 256 M
deliver_log_format = msgid=%m: %$
dict_db_config =
director_doveadm_port = 0
director_mail_servers =
director_servers =
director_user_expire = 15 mins
director_username_hash = %Lu
disable_plaintext_auth = yes
dotlock_use_excl = yes
doveadm_allowed_commands =
doveadm_password =
doveadm_proxy_port = 0
doveadm_socket_path = doveadm-server
doveadm_worker_count = 0
dsync_alt_char = _
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -l%{lock_timeout} -n%{namespace}
first_valid_gid = 1
first_valid_uid = 500
hostname =
imap_capability =
imap_client_workarounds =
imap_id_log =
imap_id_send =
imap_idle_notify_interval = 2 mins
imap_logout_format = in=%i out=%o
imap_max_line_length = 64 k
imapc_features =
imapc_host =
imapc_list_prefix =
imapc_master_user =
imapc_password =
imapc_port = 143
imapc_rawlog_dir =
imapc_ssl = no
imapc_ssl_ca_dir =
imapc_ssl_verify = yes
imapc_user = %u
import_environment = TZ LISTEN_PID LISTEN_FDS
info_log_path =
instance_name = dovecot
last_valid_gid = 0
last_valid_uid = 0
lda_mailbox_autocreate = no
lda_mailbox_autosubscribe = no
lda_original_recipient_header =
libexec_dir = /usr/lib/dovecot
listen = *, ::
lmtp_address_translate =
lmtp_proxy = no
lmtp_save_to_detail_mailbox = no
lock_method = fcntl
log_path = /var/log/dovecot.log
log_timestamp = "%b %d %H:%M:%S "
login_access_sockets =
login_greeting = Dovecot ready.
login_log_format = %$: %s
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}>
login_trusted_networks =
mail_access_groups = mail
mail_attachment_dir =
mail_attachment_fs = sis posix
mail_attachment_hash = %{sha1}
mail_attachment_min_size = 128 k
mail_cache_fields = flags
mail_cache_min_mail_count = 0
mail_chroot =
mail_debug = no
mail_fsync = optimized
mail_full_filesystem_access = no
mail_gid =
mail_home =
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_max_keyword_length = 50
mail_max_lock_timeout = 0
mail_max_userip_connections = 10
mail_never_cache_fields = imap.envelope
mail_nfs_index = no
mail_nfs_storage = no
mail_plugin_dir = /usr/lib/dovecot/modules
mail_plugins =
mail_prefetch_count = 0
mail_privileged_group =
mail_save_crlf = no
mail_shared_explicit_inbox = yes
mail_temp_dir = /tmp
mail_temp_scan_interval = 1 weeks
mail_uid =
mailbox_idle_check_interval = 30 secs
mailbox_list_index = no
maildir_broken_filename_sizes = no
maildir_copy_with_hardlinks = yes
maildir_stat_dirs = no
maildir_very_dirty_syncs = no
master_user_separator =
mbox_dirty_syncs = yes
mbox_dotlock_change_timeout = 2 mins
mbox_lazy_writes = yes
mbox_lock_timeout = 5 mins
mbox_md5 = apop3d
mbox_min_index_size = 0
mbox_read_locks = fcntl
mbox_very_dirty_syncs = no
mbox_write_locks = dotlock fcntl
mdbox_preallocate_space = no
mdbox_rotate_interval = 0
mdbox_rotate_size = 2 M
mmap_disable = no
passdb {
args =
default_fields =
deny = no
driver = pam
master = no
override_fields =
pass = no
pop3_client_workarounds =
pop3_enable_last = no
pop3_fast_size_lookups = no
pop3_lock_session = no
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_no_flag_updates = no
pop3_reuse_xuidl = no
pop3_save_uidl = no
pop3_uidl_duplicates = allow
pop3_uidl_format = %08Xu%08Xv
pop3c_host =
pop3c_master_user =
pop3c_password =
pop3c_port = 110
pop3c_rawlog_dir =
pop3c_ssl = no
pop3c_ssl_ca_dir =
pop3c_ssl_verify = yes
pop3c_user = %u
postmaster_address =
protocols = imap
quota_full_tempfail = no
recipient_delimiter = +
rejection_reason = Your message to <%t> was automatically rejected:%n%r
rejection_subject = Rejected: %s
replication_full_sync_interval = 12 hours
replication_max_conns = 10
replicator_host = replicator
replicator_port = 0
sendmail_path = /usr/sbin/sendmail
service aggregator {
chroot = .
client_limit = 0
drop_priv_before_exec = no
executable = aggregator
extra_groups =
fifo_listener replication-notify-fifo {
group =
mode = 0600
user =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener replication-notify {
group =
mode = 0600
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service anvil {
chroot = empty
client_limit = 0
drop_priv_before_exec = no
executable = anvil
extra_groups =
group =
idle_kill = 4294967295 secs
privileged_group =
process_limit = 1
process_min_avail = 1
protocol =
service_count = 0
type = anvil
unix_listener anvil-auth-penalty {
group =
mode = 0600
user =
unix_listener anvil {
group =
mode = 0600
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service auth-worker {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = auth -w
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 1
type =
unix_listener auth-worker {
group =
mode = 0600
user = $default_internal_user
user =
vsz_limit = 18446744073709551615 B
service auth {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = auth
extra_groups =
group =
idle_kill = 0
inet_listener {
address =
port = 12345
ssl = no
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
unix_listener auth-client {
group = postfix
mode = 0660
user = postfix
unix_listener auth-login {
group =
mode = 0600
user = $default_internal_user
unix_listener auth-master {
group =
mode = 0600
user =
unix_listener auth-userdb {
group =
mode = 0666
user = $default_internal_user
unix_listener login/login {
group =
mode = 0666
user =
user = root
vsz_limit = 18446744073709551615 B
service config {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = config
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 0
type = config
unix_listener config {
group =
mode = 0600
user =
user =
vsz_limit = 18446744073709551615 B
service dict {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = dict
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener dict {
group =
mode = 0600
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service director {
chroot = .
client_limit = 0
drop_priv_before_exec = no
executable = director
extra_groups =
fifo_listener login/proxy-notify {
group =
mode = 00
user =
group =
idle_kill = 4294967295 secs
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener director-admin {
group =
mode = 0600
user =
unix_listener login/director {
group =
mode = 00
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service dns_client {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = dns-client
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener dns-client {
group =
mode = 0666
user =
unix_listener login/dns-client {
group =
mode = 0666
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service doveadm {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = doveadm-server
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 1
type =
unix_listener doveadm-server {
group =
mode = 0600
user =
user =
vsz_limit = 18446744073709551615 B
service imap-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = imap-login
extra_groups =
group =
idle_kill = 0
inet_listener imap {
address =
port = 143
ssl = no
inet_listener imaps {
address =
port = 993
ssl = yes
privileged_group =
process_limit = 0
process_min_avail = 0
protocol = imap
service_count = 1
type = login
user = $default_login_user
vsz_limit = 18446744073709551615 B
service imap {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = imap
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 1024
process_min_avail = 0
protocol = imap
service_count = 1
type =
unix_listener login/imap {
group =
mode = 0666
user =
user =
vsz_limit = 18446744073709551615 B
service indexer-worker {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = indexer-worker
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 10
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener indexer-worker {
group =
mode = 0600
user = $default_internal_user
user =
vsz_limit = 18446744073709551615 B
service indexer {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = indexer
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener indexer {
group =
mode = 0666
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service ipc {
chroot = empty
client_limit = 0
drop_priv_before_exec = no
executable = ipc
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener ipc {
group =
mode = 0600
user =
unix_listener login/ipc-proxy {
group =
mode = 0600
user = $default_login_user
user = $default_internal_user
vsz_limit = 18446744073709551615 B
service lmtp {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = lmtp
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
type =
unix_listener lmtp {
group =
mode = 0666
user =
user =
vsz_limit = 18446744073709551615 B
service log {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = log
extra_groups =
group =
idle_kill = 4294967295 secs
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type = log
unix_listener log-errors {
group =
mode = 0600
user =
user =
vsz_limit = 18446744073709551615 B
service pop3-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = pop3-login
extra_groups =
group =
idle_kill = 0
inet_listener pop3 {
address =
port = 110
ssl = no
inet_listener pop3s {
address =
port = 995
ssl = yes
privileged_group =
process_limit = 0
process_min_avail = 0
protocol = pop3
service_count = 1
type = login
user = $default_login_user
vsz_limit = 18446744073709551615 B
service pop3 {
chroot =
client_limit = 1
drop_priv_before_exec = no
executable = pop3
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 1024
process_min_avail = 0
protocol = pop3
service_count = 1
type =
unix_listener login/pop3 {
group =
mode = 0666
user =
user =
vsz_limit = 18446744073709551615 B
service replicator {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = replicator
extra_groups =
group =
idle_kill = 4294967295 secs
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener replicator {
group =
mode = 0600
user = $default_internal_user
user =
vsz_limit = 18446744073709551615 B
service ssl-params {
chroot =
client_limit = 0
drop_priv_before_exec = no
executable = ssl-params
extra_groups =
group =
idle_kill = 0
privileged_group =
process_limit = 0
process_min_avail = 0
protocol =
service_count = 0
type = startup
unix_listener login/ssl-params {
group =
mode = 0666
user =
user =
vsz_limit = 18446744073709551615 B
service stats {
chroot = empty
client_limit = 0
drop_priv_before_exec = no
executable = stats
extra_groups =
fifo_listener stats-mail {
group =
mode = 0600
user =
group =
idle_kill = 4294967295 secs
privileged_group =
process_limit = 1
process_min_avail = 0
protocol =
service_count = 0
type =
unix_listener stats {
group =
mode = 0600
user =
user = $default_internal_user
vsz_limit = 18446744073709551615 B
shutdown_clients = yes
ssl = yes
ssl_ca =
ssl_cert = /etc/ssl/certs/mail.crt
ssl_cert_username_field = commonName
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_client_cert =
ssl_client_key =
ssl_crypto_device =
ssl_key = /etc/ssl/private/mail.key
ssl_key_password =
ssl_parameters_regenerate = 1 weeks
ssl_protocols = !SSLv2
ssl_require_crl = yes
ssl_verify_client_cert = no
stats_command_min_time = 1 mins
stats_domain_min_time = 12 hours
stats_ip_min_time = 12 hours
stats_memory_limit = 16 M
stats_session_min_time = 15 mins
stats_user_min_time = 1 hours
submission_host =
syslog_facility = mail
userdb {
args =
default_fields =
driver = passwd
override_fields =
valid_chroot_dirs =
verbose_proctitle = no
verbose_ssl = yes
version_ignore = no
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
Last edited by ryukafalz (2012-08-08 15:10:31)

Oh, my apologies, I'd forgotten about the -n flag. In any case, the lines you quoted from my config are for smtp client auth, which I'm not using. The three lines you provided are for smtp server auth, and they're already in my config. My fault, it's easy to miss that when wading through that huge output I provided.
postconf -n output:
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = (hidden)
myhostname = (hidden)
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_sasl_auth_only=yes
doveconf -n output (in case you need it):
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.7-1-ARCH x86_64 Arch Linux
auth_debug = yes
auth_mechanisms = plain login
log_path = /var/log/dovecot.log
mail_access_groups = mail
mail_location = maildir:~/Maildir
passdb {
driver = pam
protocols = imap
service auth {
inet_listener {
port = 12345
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
unix_listener auth-client {
group = postfix
mode = 0660
user = postfix
user = root
ssl_cert = /etc/ssl/certs/mail.crt
ssl_key = /etc/ssl/private/mail.key
userdb {
driver = passwd
verbose_ssl = yes
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep

SMTP Postfix refuses all connections both internal and external

My server initially started bouncing all outgoing e-mail from our users saying that an invalid user name and password has been specified. Now it has progressed to bouncing all SMTP traffic both incoming and outgoing. I've got hours into trying to decode the mystery of why Postfix is doing this but still can't come up with an explanation. The server is an OD master running just AFP and Mail. Here is the output from postconf -n
If anyone can provide me with some insight I would be extremely grateful!
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
debugpeerlevel = 2
enableserveroptions = yes
header_checks =
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailboxsizelimit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mapsrbldomains =
messagesizelimit = 10485760
mydomain = mydomain.com
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpdclientrestrictions = permit_mynetworks permitsaslauthenticated rejectrblclient zen.spamhaus.org permit
smtpdenforcetls = no
smtpdhelorequired = no
smtpdhelorestrictions =
smtpdpw_server_securityoptions = cram-md5,gssapi
smtpdrecipientrestrictions = permitsaslauthenticated permit_mynetworks rejectunauthdestination permit
smtpdsasl_authenable = yes
smtpdtlsCAfile = /etc/certificates/server.mydomain.com.5E4E6414CE4D89A47A4D36A04661CAEAC9F0DE82. chain.pem
smtpdtls_certfile = /etc/certificates/server.mydomain.com.5E4E6414CE4D89A47A4D36A04661CAEAC9F0DE82. cert.pem
smtpdtls_excludeciphers = SSLv2, aNULL, ADH, eNULL
smtpdtls_keyfile = /etc/certificates/server.mydomain.com.5E4E6414CE4D89A47A4D36A04661CAEAC9F0DE82. key.pem
smtpdtlsloglevel = 0
smtpduse_pwserver = yes
smtpdusetls = yes
unknownlocal_recipient_rejectcode = 550
virtualaliasmaps =

I'm also seeing entires like this in the SMTP log. I don't know if this is a misconfiguration of main.cf or something else that I haven't considered. Authentication for AFP works fine though.
Feb 19 13:35:50 server postfix/smtpd[29788]: connect from unknown[10.0.55.116]
Feb 19 13:35:51 server postfix/smtpd[29788]: lost connection after EHLO from unknown[10.0.55.116]
Feb 19 13:35:51 server postfix/smtpd[29788]: disconnect from unknown[10.0.55.116]

Mail service not requiring SMTP Authentication

hello everyone,
I have been trying to find an answer and could not. I want my mail server to require SMTP Authentication. I have "CRAM-MD5" and "Login" checked in Server Admin -> Computers & Services -> Mail -> Advanced -> Security. Still, I can set up a mail account with any name and domain and SMTP through my server. (It does require a password for POP, so at least no one can read others folks mail)
I have begun to notice that I get many returned mails that I never sent, from accounts that are not on my server. So, I am thinking that spammers are relaying or just using my server to spam. I would like that to stop.
I have changed the configurations with Server Admin, stopped service, started service, and even restarted the whole server. Still, mail will not require SMTP Authentication.
Can anyone help me do this with Terminal or manually?

thanks, for any help in advance.
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debugpeerlevel = 2
enableserveroptions = yes
html_directory = no
inet_interfaces = all
localrecipientmaps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailboxsizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mapsrbldomains =
messagesizelimit = 52428800
mydestination = $myhostname,localhost.$mydomain,localhost,highlevelit.eu
mydomain = highlevelit.eu
mydomain_fallback = localhost
myhostname = mailx.highlevelit.eu
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpdclientrestrictions = permit_mynetworks permit
smtpdenforcetls = no
smtpdpw_server_securityoptions = login
smtpdrecipientrestrictions = permitsasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
smtpdsasl_authenable = yes
smtpdtls_certfile = /etc/certificates/mailx.highlevelit.eu.crt
smtpdtls_keyfile = /etc/certificates/mailx.highlevelit.eu.key
smtpduse_pwserver = yes
smtpdusetls = yes
unknownlocal_recipient_rejectcode = 550
virtualmailboxdomains = hash:/etc/postfix/virtual_domains
virtual_transport = lmtp:unix:/var/imap/socket/lmtp

I need to modify Postfix to listen to port 587

Mountain Lion Server OS X 10.8.4
Running Mail service with Postfix and Dovecot. In production with several mailboxes.
I need to modify Postfix to listen to port 587. I should be able to telnet to port 587, and finally send mail via 587.
587 already redirects to 25 via the firewall, but external devices need to visit the internal subnet without modifications to the mail app.
At this stage I just want to get it working with password authentication. SSL is a project for another day.
Here's my understanding of the OS X Postfix config:
/etc/services file:
Maps service names to port numbers. Port 25 is "smtp" and port 587 is "submission".
/etc/postfix/master.cf file:
Loads Postfix preferences. Service configurations for "smtp" and "submission" are listed at the top of the file. Each service configuration can be modified with parameters (-o variable_name_here=value_here).
I found many discussion boards with instructions for enabling 587. They suggest removing the comment syntax for the existing "submission" line:
# submission inet n - - n - smtpd
My server didn't have a comment, the line was already enabled:
submission inet n - - n - smtpd
I restarted services and 587 didn't work.
Then I tried a more direct approach:
587 inet n - - n - smtpd
This had no effect.
After each attempt to enable 587 I test with:
telnet 127.0.0.1 587
And I get: Connection Refused
I used the Server app and turned Mail off and on. This stops and starts Postfix.
I also used commands to restart Postfix:
postfix stop
postfix start
sudo postfix stop
sudo postfix start
postfix reload
sudo postfix reload
Nothing opens 587. Any ideas? Thanks in advance for your insights.
-SE30Emulation

@Kraftwerk: You cannot change the TCP port used for SMTP. Well, technically, you can, but then no other mail servers on the Internet will find and communicate with your mail server. So... forget that.
The ISP controls the terms and conditions for the network connection, and particularly controls the network and network access. There's just no way 'round that either, as the ISP has the network position to implement port blocks and firewalls, and usually the contractual authority to allow or deny access.
With the proper (static) network connection and proper DNS, there is nothing to struggle with; this stuff works.
Which implies your ISP does not offer static connections, or there's an ISP error, or you're attempting to operate a mail server on a dynamic address. None of this works.
You might try mailhop service — if that's permitted within the limits of the terms of service — but it'll be easier and cheaper to host your mail elsewhere. Or to get a static IP address and proper public DNS, if your ISP offers that.
SMTP services are also tied to DNS, as well; other mail servers use DNS checks to detect rogue (spam) servers, and a mail server erroneously configured on a dynamic IP address will have mismatched DNS, and other mail servers will detect that and drop mail from and often to that mail server; that server is indistinguishable from a spam engine.
There's rather more the ISP can do as part of best-practices networking, too. TCP port 25 connections both inbound and outbound are usually spam engines operating on malware-infested, so it's common to block that traffic to reduce the volume of spam. Various ISPs will further blacklist dynamic IP address blocks, which means other SMTP servers using these blacklist services will ignore servers in these address ranges.
Get static IP. Or host elsewhere. Or (if permitted) mail hop.

Authenticated users blocked by rbl

Hi,
I have a user who is now having email sent via our server blocked by an rbl. The email being sent was to me, so we both have an account on the same server and no other mail server was involved.
Is there a way to configure Postfix to accept all incoming email from authenticated users, bypassing the rbl list for authenticated users?
Output of postconf -n below.
Thanks
Ron
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debugpeerlevel = 2
enableserveroptions = yes
html_directory = no
inet_interfaces = all
localrecipientmaps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailboxsizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mapsrbldomains =
messagesizelimit = 10485760
mydomain = wagnercreativegroup.com
mydomain_fallback = localhost
myhostname = smtp.wagnercreativegroup.com
mynetworks = 127.0.0.1/32,66.167.106.195/32,66.167.106.194
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
ownerrequestspecial = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpdclientrestrictions = permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
smtpdpw_server_securityoptions = plain,login,cram-md5
smtpdrecipientrestrictions = permitsasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
smtpdsasl_authenable = yes
smtpduse_pwserver = yes
unknownlocal_recipient_rejectcode = 550
virtualaliasdomains = hash:/etc/postfix/virtual_domains
virtualaliasmaps = hash:/etc/postfix/virtual,hash:/var/mailman/data/virtual-mailman
virtualmailboxdomains = hash:/etc/postfix/virtualdomainsdummy
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
Mac OS X (10.4.8)

Change:
smtpdclientrestrictions = permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
to:
smtpdclientrestrictions = permitsaslauthenticated, permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
Issue: sudo postfix reload
Also, if you like, see my tutorial on "Frontline spam defense for Mac OS X Server", available here:
http://osx.topicdesk.com/downloads/

Best Practice Mail Authentication not really possible?

Hi All,
In an effort to clamp down on my security a bit better, I've decided to try and remove all possible Mail auth methods besides Kerberos, Cram-MD5 and APOP. In other words, no Login, PLAIN or Clear.
I have my own Certificate Authority that I give to my users and secure IMAP, POP and SMTP all work well. I've even turned on the submission port (587).
Now, I was hoping that I could have an environment where Login, Plain and Clear are ALL disabled, but still permitted IF done over SSL. I don't see any way of achieving this.
SO, I set my machine to REQUIRE SSL. While this is somewhat satisfactory for IMAP and POP, this cannot be done for SSL as it would then require all external sending mail servers to speak with my server over SSL, which next to none are willing to do.
Last but not least, webmail of course now chokes. I've set it to use port 993 and use SSL but as I'm sure some have guessed, my certificate's common name is not "localhost" and my server is behind a NAT router, so to get webmail to work traffic would have to be routed out my network to the router and back in, otherwise the proper SSL host name doesn't match.
All in all, it's quite a pain!!!
Here's what I'd LIKE to see possible:
1. Support Cram-MD5 and Kerberos from any IP with or without SSL. This will enable webmail and modern email clients to work.
2. Support Clear ONLY IF IT IS VIA SSL ("plaintext + TLS" as my logs refer to it). This will enable Treos, PCs running Outlook [Express]. and other non-cram-md5 devices to work WITHOUT compromising on security
3. Reject Clear, Login and Plain IF IT IS NOT VIA SSL.
Is this possible?

There is no way to ensure you users are completely unable to send authorization in the clear. You can only take steps to minimize the potential risks. Here are my thoughts.
Again, my answer is sendmail specific but hopefully that points you to what to look for in postfix.
In the m4 config file for sendmail there is the following:
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p')dnl
Lines with dnl at beginning are basically comments.
What the above says that defining this option you are going to allow plain text logins but only if the connection is first encrypted with TLS/SSL. Undocumented in the comments, if you delete the "p" then you can have PLAIN text without TLS.
I was actually testing this out this weekend just doing a verification on my server. The results:
1. No authentication no ssl - Mail.app rejected. Log message on server stated relaying not allowed.
2. Authentication, no ssl - Mail.app just kept asking me for my password. Server log file showed multiple entries of what amounts to a client connect/disconnect with no traffic.
3. Authentication, plus ssl - Message sent immediately.
Now, I did not test for number 2 whether the client was actually sending the password to the server and the server was just ignoring. I'm concerned about protecting passwords but more concerned about preventing my server from becoming an open relay. The password may have indeed left the client and traversed the network in the clear.
Optional solutions to take to prevent users from harming themselves.
1. VPN and two smtp servers. One smtp server that receives mail from the world. One smtp server that only can be connected to via VPN tunnel. VPN smtp server then uses the exposed smtp server as its upstream provider, (I forget the term). This assumes the user remembers to start the VPN before the email client. Without the vpn running, then you run into the possibility I mentioned in #2 above. Maybe there is a setting that could enforce vpn before sending.
2. https webmail. Only allow access to email via web interface. SMTP authentication is not an issue then since you can have the localhost MTA of the webserver handle sending.
3. Managed accounts of some sort. So users couldn't turn off ssl auth.
Just some thoughts that I hope provide some ideas for you.
Cheers
- Mark

SMTP postfix crashing - network_biopair_interop read timeout

Periodically, my mail server goes into a crash cycle. Error messages like those below appear, and very quickly, the machine becomes unresponsive (I believe because it can't fork any more process - so OD won't authenticate, and any command which requires authentication (like a restart or service restart) hangs indefinitely).
The machine will crash every ~12 hours after being rebooted, for maybe 2-3 days before the problem mysteriously goes into remission. I don't know what confluence of events causes this, or how to see it coming sooner so I can stop and restart the mail service.
Any insight or solutions would be greatly appreciated.
/var/log/system.log:
Apr 25 07:37:43 mercury postfix/smtpd[8213]: warning: Read failed in networkbiopairinterop with errno=0: num_read=0, want_read=5
Apr 25 07:48:39 mercury postfix/smtpd[8475]: warning: Read failed in networkbiopairinterop with errno=0: num_read=0, want_read=5
Apr 25 07:50:06 mercury postfix/master[51]: warning: unixtriggerevent: read timeout for service public/flush
Apr 25 07:55:50 mercury postfix/pipe[8467]: warning: pipecommandwrite: write time limit exceeded
Apr 25 07:55:50 mercury postfix/pipe[8470]: warning: pipecommandread: read time limit exceeded
Apr 25 07:57:08 mercury postfix/pipe[8479]: warning: pipecommandread: read time limit exceeded

The output of postconf -n:
mercury:/ root# postconf -n
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debugpeerlevel = 2
enableserveroptions = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailboxsizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
messagesizelimit = 15728640
mydestination = $myhostname,localhost.$mydomain,tjs.org,staff.tjs.org,mercury.tjs.org,info.tjs. org
mydomain = tjs.org
mydomain_fallback = localhost
myhostname = mail.tjs.org
mynetworks = 127.0.0.1/32,10.1.1.0/24,66.148.181.0/24,66.90.0.0/16,192.168.1.0/24,66.93.192. 247/32,66.93.193.247/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
ownerrequestspecial = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpdpw_server_securityoptions = cram-md5,gssapi
smtpdrecipientrestrictions = permitsasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
smtpdsasl_authenable = yes
smtpdtls_certfile = /etc/certificates/*.tjs.org.crt
smtpdtls_keyfile = /etc/certificates/*.tjs.org.key
smtpduse_pwserver = yes
smtpdusetls = yes
unknownlocal_recipient_rejectcode = 550
And here's a more full version of the logs. I think the increasing pids is a symptom of the problem:
Apr 27 10:34:58 mercury pop3[7164]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:34:58 mercury pop3[7369]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:35:18 mercury pop3[7164]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Apr 27 10:35:19 mercury pop3[7164]: login: ppp-70-245-234-7.dsl.stlsmo.swbell.net [70.245.234.7] YYY APOP+TLS User logged in
Apr 27 10:35:28 mercury pop3[7369]: login: c-69-241-232-137.hsd1.mi.comcast.net [69.241.232.137] XXX APOP User logged in
Apr 27 10:35:59 mercury pop3[7164]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:36:10 mercury pop3[7369]: login: dsl093-192-247.stl1.dsl.speakeasy.net [66.93.192.247] XXX APOP User logged in
Apr 27 10:36:11 mercury pop3[7164]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:37:01 mercury pop3[7164]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:37:01 mercury pop3[7369]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:37:01 mercury pop3[7833]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:37:07 mercury ctl_cyrusdb[7836]: checkpointing cyrus databases
Apr 27 10:37:08 mercury ctl_cyrusdb[7836]: done checkpointing cyrus databases
Apr 27 10:37:15 mercury pop3[7164]: login: dsl093-192-247.stl1.dsl.speakeasy.net [66.93.192.247] XXX APOP User logged in
Apr 27 10:37:26 mercury pop3[7833]: login: dsl093-192-247.stl1.dsl.speakeasy.net [66.93.192.247] XXX APOP User logged in
Apr 27 10:37:38 mercury pop3[7369]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:37:52 mercury imap[7842]: login: localhost [::1] jroth CRAM-MD5 User logged in
Apr 27 10:37:52 mercury pop3[7164]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:38:03 mercury imap[7842]: login: localhost [::1] XXX CRAM-MD5 User logged in
Apr 27 10:38:13 mercury imap[7842]: login: localhost [::1] XXX CRAM-MD5 User logged in
Apr 27 10:38:15 mercury imap[7842]: login: localhost [::1] XXX CRAM-MD5 User logged in
Apr 27 10:38:26 mercury pop3[7833]: login: 66.148.181.178.nw.nuvox.net [66.148.181.178] XXX APOP User logged in
Apr 27 10:38:30 mercury imap[7842]: login: localhost [::1] XXX CRAM-MD5 User logged in
Apr 27 10:40:18 mercury pop3[7871]: TLS server engine: cannot load CA data
Apr 27 10:40:19 mercury pop3[7871]: TLS server engine: No CA file specified. Client side certs may not work
Apr 27 10:40:19 mercury pop3[7871]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Apr 27 10:41:41 mercury postfix/master[51]: warning: unixtriggerevent: read timeout for service public/flush
Apr 27 10:50:18 mercury pop3[7913]: TLS server engine: cannot load CA data
Apr 27 10:50:18 mercury pop3[7913]: TLS server engine: No CA file specified. Client side certs may not work
Apr 27 10:50:18 mercury pop3[7913]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
And then the crash. Note this is a more recent crash cycle than the last one which I posted logs from.
Interesting that SSL certificates might be the issue. The one user, shown above as YYY, always triggers the log messages about TLS, which none of the other users seem to use. I haven't enabled SSL for email, but I wouldn't mind doing it to fix this problem.
Thanks for your thoughts and time.
Brian Howard

SMTP Authentication fix?

I was looking for a way to let our mail server relay mail through our ISP. Everything I found said use the terminal and create a file with our username and password in etc/postfix/sasl_passwd
Then in SA go to mail->settings->relay outgoing mail through host
put in your isp mail server and you were all set.
Well I made it a bit easier, by creating a txt file named sasl_passwd, and placing it in etc/postfix
Everything seems to work, but my question is, did I break any rules? Am I asking for trouble later on? I'm not getting the port 25 blocked error anymore, and mail seems to be going through.
Powermac G4 MDD FW 800 Mac OS X (10.4.8) OSX Server

I was looking for a way to let our mail server relay
mail through our ISP.
Presumably you mean the ISP who supplies the internet connection to your mail server? Normally, the mail relay should just be 'available' without any authentication since your IP will be on their network and so they 'know' you are a customer. Authentication is normally only necessary when you are sending from outwith the ISP's own network - they then need you to use authentication to prove you are a customer. Maybe your own ISP is different?
-david

Authentication on Postfix

Similar Messages

Maybe you are looking for