Differences

This shows you the differences between two versions of the page.

--- email:configure-postfix [2025/03/03 09:32] – created willy
+++ email:configure-postfix [2025/03/13 13:30] (current) – [Configuration: postfix] willy
@@ Line 1: / Line 1: @@
-USE flags:
+====== F) Configuration: postfix ======
-<code bash>
-echo "*/* maildir dovecot sasl" >> /etc/portage/package.use/mailserver
-echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver
-echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver
-echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver
-</code>
+Postfix is the Mail Transfer Agent, the tool that actually **moves** your email messages from a the sender to the destination (recipient). It speak the Simple Mail Transport Protocol (SMTP) and it has some serious responsibilities which are:
+  * Ensure that mail **for** you is properly delivered to you
+  * Ensure that mail **from** you is properly sent to whoever need to deliver it
+  * Filter out all undesired mail (spam)
+  * Prevent abuse from malicious actors who pretend to be you to send unauthorized mail in your name
+  * Prevent abuse from spammers to send mail pretending to be others (not act as an open relay)
+  * Ensure that all good practices are followed to prevent your mail server from being listed in blacklists and flagged down as a spammer.
-===== Installation: postfixadmin web gui =====
+Due to these many tasks, an MTA is not a simple piece of software to properly setup. Postfix is no exception, and you need to understand a few basic concepts before proceeding.
-postfixadmin and roundcube will be installed manually and not via Gentoo portage, to avoid upgrade issues.
+===== Mail Delivery Pipeline =====
-Download latest release of **postfixadmin** from [[https://github.com/postfixadmin/postfixadmin/releases|here]] and decompress in a folder accessible to the **web** user, since i use the **web** user to run all PHP based software on the external webserver:
+Traditionally, on UNIX systems, a mail server would deliver and send e-mails for local users as defined in the /etc/passwd file of the server itself. This is called **local delivery** and it is linked to the concept of **mynetwork**. In our modern internet world, this has substantially changed.
-<code bash>
-su # do this as root! You don't need to make postfixadmin writable by the web user
-cd /home/web
-mkdir postfixadmin
-cd postfixadmin
-wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz
-tar xvf postfixadmin-3.3.15.tar.gz
-mv postfixadmin-postfixadmin-3.3.15 postfixadmin
-#The following folder must be writeable by web user:
-mkdir -p postfixadmin/templates_c
-chown -R web postfixadmin/templates_c
-</code>
-Now, configure it by creating a file called **postfixadmin/config.local.php** with the following content (see postfixadmin/config.inc.php for all available stuff to configure):
+Nowadays you have a complete separation between **server** users and **email** accounts. But the //traditional// approach needs to be considered when configuring Postfix.
-<file - config.local.php>
-<?php
-$CONF['database_type'] = 'sqlite';
-$CONF['database_name'] = '/home/vmail/db/vmail.sqlite3';
-$CONF['encrypt'] = 'dovecot:SHA512';
-$CONF['postfix_admin_url'] = 'https://mail.mydomain.com';
-$CONF['admin_email'] = 'postmaster@mydomain.com';
-$CONF['default_aliases'] = array (
-    'abuse' => 'abuse@mydomain.com',
-    'hostmaster' => 'hostmaster@mydomain.com',
-    'postmaster' => 'postmaster@mydomain.com',
-    'webmaster' => 'webmaster@mydomain.com'
-);
-$CONF['transport'] = 'YES';
-$CONF['configured'] = true;
-/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */
-</file>
-Now setup NGINX to point to it. You need of course to setup a certbot certificate, then (see [[selfhost:nginx|this page]]) configure your NGINX to use PHP-FPM. See the following **postfixadmin.conf** file as reference:
+The pipeline is:
-<file postfixadmin.conf>
+  * An SMTP client connect to your Postfix (SMTP server)
-server {
+  * Optional TLS encryption is performed
-        server_name mail.mydomain.com;
+  * The client identifies itself (HELO / EHLO)
-        listen 443 ssl;
+  * Optional authentication is performed using SASL
+  * Sender identifies itself (MAIL FROM:)
+  * Recipient is identified (RCPT TO:)
+  * Email data is transferred (DATA...)
-        access_log /var/log/nginx/mail.mydomain.com_access_log main;
+Along all the steps of this pipeline, Postfix can be configured to perform checks to reject the entire transaction.
-        error_log /var/log/nginx/mail.mydomain.com_error_log info;
-        index index.php;
-        root /home/web/postfixadmin/postfixadmin/public;
-# Uncomment the following lines only AFTER setup is complete!
-#        location ~ /(setup.php) {
-#                deny all;
-#                alias /home/web/postfixadmin/postfixadmin/public;
-#        }
-        location ~ /.*\.php$ {
-                try_files $uri =404;
-                fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                include fastcgi_params;
-                fastcgi_param SCRIPT_FILENAME $request_filename;
-                fastcgi_pass 127.0.0.1:9000;
-        }
-}
-</file>
-restart NGINX and go to the URL **https://mail.mydomain.com/setup.php** and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself.
+=== The local delivery ===
+Emails will be delivered locally to local users on the server. I mean, users of the server, like users that can login on the server via shell and such. In the local delivery concept, there is no difference between user and mailbox.
-Also don't forget to create a superadmin-account. I suggest you call it **user@mydomain.com** and set a password you will not forget.
+In our case, local delivery will be routed to virtual delivery, no local server users will be able to receive emails.
-Go back, uncomment the lines in the NGINX config file to disable the setup.php, and restart NGINX.
+=== The virtual delivery ===
+Emails will be delivered to a list of domains and mailboxes, not users. It's called //virtual// because there the domains and the mailboxes are defined in a database and are not linked to //real// users of the server.
-__note:__ when adding new domains, choose "virtual" as transport, and 0 as password expiry.
+For our needs, i will show you how to link PostfixAdmin SQLite database to Postfix to perform domains and mailboxes lookup. Postfix virtual delivery activity will be deferred to Dovecot LMTP (Local Mail Transport) so that the emails are properly stored in to Dovecot management.
-At this point, you can already create all the mail domains and user accounts you want.
+=== The mail Relay ===
+So far, i always referred to emails to be delivered to the server (local) or to domains hosted on the server (virtual). What about emails to be delivered to **others**? This is called **email relay** and it happens when the Postfix server accepts an email destination which is not local, nor virtual.
+The **relay** should be allowed only to authorized users to prevent spammers to abuse our server, which will cause the server itself to be blacklisted and unable to send any emails at all.
-===== Configuration: postfix =====
-Link to SQL.
+===== Mail Security =====
+The SMTP protocol by itself is unencrypted and unsecured. This was maybe ok at the beginning of Internet, but not today. Today you need to enable both authentication and encryption.
-File: **/etc/postfix/sql/virtual_mailbox_domains.cf**:
+Encryption is performed using TLS, but for legacy reasons you cannot **require** it. There are three types of SMTP connections:
-<file - virtual_mailbox_domains.cf>
+  * Plain, no TLS (port 25)
-dbpath = /home/vmail/db/vmail.sqlite3
+  * STARTTLS, connection starts unencrypted and can be __upgraded__ to a TLS connection if both parties support it (port 587)
-query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1';
+  * SSL/TLS, connection must be established encrypted (port 465)
-</file>
-File: **/etc/postfix/sql/virtual_mailbox_maps.cf**:
+Plain must always be provided, but you can at least prohibit authentication on non-encrypted connections.
-<file - virtual_mailbox_maps.cf>
-dbpath = /home/vmail/db/vmail.sqlite3
-query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1';
-</file>
-File: **/etc/postfix/sql/virtual_alias_maps.cf**:
+The [[https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer~SASL]] (Simple Authentication Security Layer) is used for authentication. This implies the transmission on the connection of the username+password combination using a Base64 encoding. Please note, and this is **very important**, that Base64 is //not// an encryption and can easily be de-coded. For this reason, it is mandatory that authentication is enabled only is TLS too is enabled.
-<file - virtual_alias_maps.cf>
-dbpath = /home/vmail/db/vmail.sqlite3
-query  = SELECT goto FROM alias WHERE address='%s' AND active='1';
-</file>
-Now, link it all in **/etc/postfix/main.cf**:
+Postfix does not provide a SASL authentication, this is demanded to Dovecot SASL implementation. The added value of this choice is to have the same background for both SMTP and IMAP servers.
-<code>
-# A list of all virtual domains serviced by this instance of postfix.
-virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
-# Look up the mailbox location based on the email address received.
-virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
-# Any aliases that are supported by this system
-virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
-</code>
+===== Postfix documentation resources =====
+Postfix website has tons of great documentation, which i strongly suggest you go read. [[https://www.postfix.org/BASIC_CONFIGURATION_README.html|Basic configuration]], [[https://www.postfix.org/VIRTUAL_README.html|Virtual delivery]], [[https://www.postfix.org/SASL_README.html|SASL]], [[https://www.postfix.org/TLS_README.html|TLS]].
-<file>
+On the internet there are lots of wikis and HOWTOs about postfix, including [[https://wiki.gentoo.org/wiki/Postfix|this page]] specific to Gentoo. Most of them are outdated or mix different approaches, i strongly suggest to go to the source and read the Postfix links above instead.
-compatibility_level = 3.6
-# Prevent hard-bounces
-soft_bounce = yes
-queue_directory = /var/spool/postfix
+===== Postfix Configuration =====
-command_directory = /usr/sbin
-daemon_directory = /usr/libexec/postfix
-data_directory = /var/lib/postfix
-mail_owner = postfix
+Postfix configuration files are located under **/etc/postfix** and can be summarized as:
+  * main.cf: contains all the oeprative directives of Postfix
+  * master.cf: contains the services started by Postfix
+  * sql/*.cf: the specific SQLite link files. You //need// to create this folder.
-# Usa gethostname() per default
+Please note that Postfix configuration is deeply connected to Dovecot, Spamassassin, SPF, OpenDKIM and OpenDMARC. The following configuration assumes you have already configured them all. So before you start Postfix you will need to set them up as well. See the relevant pages.
-#myhostname = gardiol.org
-mydomain = gardiol.org
-#myorigin = $mydomain
+===== PostfixAdmin Link =====
-#inet_interfaces = all
+Postfix support all kinds of SQL databases, including SQLite. To integrate it, you need to create a few //cf// files and specify associated directives in the //main.cf//.
-mydestination = localhost.localdomain
+Create the sql folder:
-unknown_local_recipient_reject_code = 550
+<code bash>
+mkdir /etc/postfix/sql
+</code>
-mynetworks_style = host
+Drop //all// the following files in the sql folder.
-in_flow_delay = 1s
+File: **/etc/postfix/sql/virtual_mailbox_domains.cf** which fetch the list of domains:
+<file - virtual_mailbox_domains.cf>
+dbpath = /home/vmail/database/vmail.sqlite3
+query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1';
+</file>
-home_mailbox = .maildir/
+File: **/etc/postfix/sql/virtual_mailbox_maps.cf** which fetch the list of mailboxes:
+<file - virtual_mailbox_maps.cf>
+dbpath = /home/vmail/database/vmail.sqlite3
+query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1';
+</file>
-header_checks = regexp:/etc/postfix/header_checks
+File: **/etc/postfix/sql/virtual_alias_maps.cf** which fetch the list of accounts and aliases:
+<file - virtual_alias_maps.cf>
+dbpath = /home/vmail/database/vmail.sqlite3
+query  = SELECT goto FROM alias WHERE address='%s' AND active='1';
+</file>
-smtpd_banner = $myhostname ESMTP NO UCE
+To ensure the above files are used by postfix, the following lines need to be added to the **main.cf** config file as show below.
-debug_peer_level = 2
-#debug_peer_list = 127.0.0.1
-sendmail_path = /usr/sbin/sendmail
+===== main.cf: configuration =====
-newaliases_path = /usr/bin/newaliases
-mailq_path = /usr/bin/mailq
-setgid_group = postdrop
+For more details on all the possible options, see [[http://www.postfix.org/postconf.5.html|Postfix documentation]].
-html_directory = no
-manpage_directory = /usr/share/man
-sample_directory = /etc/postfix
-readme_directory = no
-inet_protocols = ipv4
-meta_directory = /etc/postfix
-shlib_directory = /usr/lib64/postfix/${mail_version}
+This is the overall file. **Do not copy it blindly**, double check everything, because there are comments that will cause postfix **not** to start if ignored:
+<file - main.cf>
+compatibility_level = 3.9
-############################################
+# Generic stuff
-###########################################
+mail_owner = postfix
-###########################################
+myhostname = mydomain.com
-disable_vrfy_command = yes
+mydomain = mydomain.com <- this and the above line should be identical, not a typo!
-message_size_limit = 0
+myorigin = $mydomain
-#20971520
+inet_interfaces = all
 biff = no
+message_size_limit = 0 <- this is unlimited, you might want to set a mail size limit here
+disable_vrfy_command = yes
+syslog_facility = mail
+syslog_name = postfix
+# Protection from lost mail
+soft_bounce = yes <- switch to no in production
+unknown_local_recipient_reject_code = 450 <- switch to 550 in production
+# Important to keep as is to avoid delivery loops with the virtual domains
+mydestination = localhost.localdomain
+mynetworks_style = host
+# Local delivery is actually managed by virtual delivery
 local_transport = virtual
-local_recipient_maps = $alias_maps $virtual_mailbox_maps
+local_recipient_maps = $virtual_mailbox_maps
+# Manage postfix virtual delivery mechanism via dovecot lmtp service
 virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
+virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
+virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
-virtual_uid_maps = static:999
+# SMTPD (server) SASL + TLS setup
-virtual_gid_maps = static:999
-virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
-virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
-virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
-                       proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
-# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.)
-virtual_mailbox_base = /home/vmail
-# SASL
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous
-smtpd_sasl_local_domain =
 broken_sasl_auth_clients = no
-smtpd_sasl_authenticated_header = yes
+smtpd_tls_auth_only = yes
-# Setup TLS
+smtpd_sasl_type = dovecot
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem
+smtpd_sasl_path = private/auth
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem
+smtpd_sasl_security_options = noanonymous, noplaintext
-# abilita il debug...
+smtpd_sasl_tls_security_options = noanonymous
-smtpd_tls_loglevel = 0
-# metti a "encrypt" per obbligare l'uso di TLS lato server (non fare, sconsigliato)
 smtpd_tls_security_level = may
-# Metti a yes per impedire AUTH non cifrata
+smtpd_tls_cert_file = /etc/letsencrypt/live/casa.gardiol.org/fullchain.pem
-smtpd_tls_auth_only = no
+smtpd_tls_key_file = /etc/letsencrypt/live/casa.gardiol.org/privkey.pem
-# Fai la cache delle sessioni
+smtpd_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
-# Some ANTISPAM
+# Generic access rules
-smtpd_delay_reject = yes
+strict_rfc821_envelopes = yes
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
+smtpd_reject_unlisted_sender = yes
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit
-smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
-#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
-policy-spf_time_limit = 3600s
+# Client connection (do not put "reject" here or nobody will be able to send you emails)
+smtpd_client_restrictions = permit_sasl_authenticated
+# HELO / EHLO filtering
+smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname
+# MAIL FROM
+smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain
+# RCPT TO: (before recipient)
+smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+# DATA
+smtpd_data_restrictions = reject_unauth_pipelining
+# R *   smtpd_milters         = unix:/run/opendkim/opendkim.sock
+ *   non_smtpd_milters = unix:/run/opendkim/opendkim.sockCPT TO: (after relay) add here spam checks (blacklists etc)
+smtpd_recipient_restrictions = permit_sasl_authenticated check_policy_service unix:private/policy-spf
-smtpd_timeout = 60s
+# OpenDKIM & OpenDMARC setup
-default_process_limit = 200
+smtpd_milters     = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
+milter_default_action = accept
-smtputf8_enable = no
+</file>
-smtp_data_done_timeout = 1800
-smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
-non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
-syslog_facility = mail
-syslog_name = postfix
-body_checks = regexp:/etc/postfix/body_checks
+===== master.cf: configuration =====
+The master.cf contains a list of the services (and ports) managed by Postfix on startup:
+<file - master.cf>
+# Port 25 listener
+smtp      inet  n       -       n       -       -       smtpd
+# Port 587 listener (STARTTLS)
+smtps      inet  n       -       n       -       -       smtpd
+   -o smtpd_tls_wrappermode=yes
-maximal_queue_lifetime = 60m
+# Port 465 listener (pure TLS)
-bounce_queue_lifetime = 60m
+submission inet n       -       n       -       -       smtpd
-smtp_connect_timeout  = 15s
-smtp_helo_timeout = 60s
-smtpd_relay_before_recipient_restrictions = no
+# SPF inbound check filter
+policy-spf  unix  -       n       n       -       -       spawn
+     user=nobody argv=/usr/bin/policyd-spf
+pickup    fifo  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
 </file>
+===== Aliases =====
+Before starting postfix you need to generate the aliases database:
+<code bash>
+newaliases
+</code>
+that's it.
+===== Testing =====
-===== Installation: DKIM, SPF and DKIM =====
+To test Postfix you need your Dovecot to be running, so set it up, ensure Dovecot SASL is working, then come back here.
-This step is **mandatory** and critical for proper email delivery.
+To generate a valid Base64 encoding for authentication see [[https://www.mailslurp.com/tools/plain-authentication-encoder/|here]].
+To test your unencrypted SMTP service:
+<code bash>
+telnet 127.0.0.1 25
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+gardiol.org ESMTP Postfix
+EHLO mydomain.com
+-gardiol.org
+-PIPELINING
+-SIZE
+-ETRN
+-STARTTLS
+-ENHANCEDSTATUSCODES
+-8BITMIME
+-DSN
+-SMTPUTF8
+CHUNKING
+quit
+2.0.0 Bye
+Connection closed by foreign host.
+</code>
-===== Installation: Antispam =====
+ensure that AUTH is not offered! Make sure there is no **250-AUTH PLAIN LOGIN** in the output! This means you have successfully disabled SASL authentication on plain text connections.
-Install spamassassin & amavisd-new
+To test SSL/TLS:
+<code bash>
+openssl s_client -starttls smtp -connect 127.0.0.1:587
+Connecting to 127.0.0.1
+CONNECTED(00000003)
+[ ... long TLS handshake omissis ... ]
-FILE /etc/postfix/main.cf Binding UID and GID's to postfix
+EHLO mydomain.com
-<code>
+-mydomain.com
-# Link the mailbox uid and gid to postfix.
+-PIPELINING
-virtual_uid_maps = static:5000
+-SIZE
-virtual_gid_maps = static:5000
+-ETRN
+-AUTH PLAIN LOGIN
-# Set the base address for all virtual mailboxes
+-ENHANCEDSTATUSCODES
-virtual_mailbox_base = /var/vmail
+-8BITMIME
+-DSN
+-SMTPUTF8
+CHUNKING
+AUTH PLAIN -- never post your Base64 strings on internet! --
+2.7.0 Authentication successful
+MAIL FROM:<user@mydomain.com>
+2.1.0 Ok
+RCPT TO:<user@mydomain.com>
+2.1.5 Ok
+DATA
+End data with <CR><LF>.<CR><LF>
+Subject: My Test Email
+Test email body
+.
+2.0.0 Ok: queued as 194869C1AB
+quit
+2.0.0 Bye
+QUIT
 </code>
+Double check that you have that **250-AUTH PLAIN LOGIN**, this means that you have properly setup SASL authentication using TLS.
+To tets TLS without STARTLS, repeat the same command above without //-starttls smtp//, but remember to use port 465 instead of 587!
+You should now test that:
+  * You can send an email from yourself to yourself
+  * You can send an email from yourself to another mailbox of your domain
+  * You can **not** send emails to other domains if you do not authenticate with SASL on TLS
+That should do.
+After you are done, go back to your **main.cf** disable soft_bounce and set 550 as error code instead of 450.

Willy's Wiki

User Tools

Differences