Gentoo Forums :: Networking & Security
postfix setup

Joined: 27 Jan 2006
Posts: 290

Posted: Mon Aug 27, 2012 9:46 pm    Post subject: postfix setup

Hi, I have a question for a postfix guru.

I followed this Gentoo guide to set up a postfix server

and also set up SenderPolicyFramework authentication

Following the configuration guide,
I have a setup which filters out most spam.
However, I'm also rejecting some legitimate emails,
such as email from state government agencies and some banks.

I believe the problem is that these particular domains are not using SPF
and that they have outsourced their mail servers.

For instance, I've had to whitelist the following email address in my client_access hash file:

#          permit_auth_destination

I've checked the MX and SPF records for using's tools
and there is no SPF record for the county domain, and the MX server is listed as

And similarly for Virginia's State Corporation Commission:
# [reverse dns] permit_auth_destination

And CHASE bank sends its secure email using isentry
so mail from
actually comes from:

# permit_auth_destination

And I've just recently run into a problem getting mail
from a mortgage company which seems to be sending
its mail through
smtp[xxx] where xxx would be the last
part of the ip address
and there are many, many xxx where mail is being sent from
for any particular user.
So mail from
actually comes from smtp[xxx]

If all these domains used SPF records, then there would be no problem
authenticating the clients in order to receive mail from them.

Does anybody know if my postfix setup is sane?
I want to reject mail with spoofed RFC 822 FROM records
and only accept mail delivery to actual users on my system.
I don't want to be a relay and I will authenticate clients with a proper SPF record.

My /etc/postfix/ :

# cat|grep -v '^#'|grep -v '^$'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname =
mydomain =
myorigin = $mydomain
inet_interfaces = all
proxy_interfaces =
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,  www.$mydomain, ftp.$mydomain, pbx.$mydomain
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains = mysql:$config_directory/
virtual_minimum_uid = 1000
virtual_gid_maps = static:5022
virtual_mailbox_maps = mysql:/etc/postfix/
virtual_alias_maps = mysql:/etc/postfix/
virtual_uid_maps = static:5006
virtual_mailbox_base = /
unknown_local_recipient_reject_code = 550
mynetworks =,,
relayhost = []
alias_maps     = mysql:/etc/postfix/
relocated_maps = mysql:/etc/postfix/
home_mailbox = .maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -a "DOMAIN"
debug_peer_level = 2
debugger_command =
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.9.3/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.9.3/readme
inet_protocols = ipv4
mail_spool_directory = /var/spool/mail
smtpd_sasl2_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/
smtpd_tls_key_file  = /etc/ssl/postfix/
smtpd_tls_CAfile = /etc/ssl/postfix/
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/ssl/postfix/
smtp_tls_key_file = /etc/ssl/postfix/
smtp_tls_CAfile = /etc/ssl/postfix/
tls_random_source = dev:/dev/urandom
check_sender_access = hash:/etc/postfix/sender_access
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:
owner_request_special = no
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/valias
alias_maps         = mysql:/etc/postfix/
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
allow_mail_to_commands = alias,forward
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000
smtpd_helo_required = yes
content_filter = smtp-amavis:[]:10024

strict_rfc821_envelopes = yes
smtpd_reject_unlisted_sender = yes
smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
smtpd_sender_restrictions = permit_sasl_authenticated,
        warn_if_reject reject_unverified_sender,
policy_time_limit = 3600
smtpd_recipient_restrictions =
        check_policy_service unix:private/policy,
        check_sender_access hash:/etc/postfix/sender_access,
smtpd_data_restrictions = reject_unauth_pipelining, permit

Thanks for any suggestions.

Joined: 27 Jan 2006
Posts: 290

Posted: Tue Aug 28, 2012 5:22 am

For now I'm going to try the following

smtpd_client_restrictions = permit_mynetworks,
                            check_client_access hash:/etc/postfix/client_access,
                            warn_if_reject reject_unknown_client

which will reject using the more forgiving "reject_unknown_reverse_client_hostname"
and warn instead of reject when using the stricter rule "reject_unknown_client".

I think there may be a separate issue with receiving emails
from some companies with large attachments.
I was receiving most emails from a mortgage company
but was not receiving the critical emails with attachments.
I initially thought postfix was rejecting the client email servers,
but looking through the maillog
I now think the connections were getting disconnected after a timeout.

(The maillog can be confusing since the log messages
for all the clients trying to deliver mail are all interleaved together
making following the processing of a single email difficult to sort through)

Some Googling suggested I may need to set the MTU of my NIC to 1492 to match the setting in
my DD-WRT router for my ADSL connection to the internet.
So I've set mtu_eth0=1492 in /etc/conf.d/net
I've also set CLAMPMSS=Yes in shorewall.conf

Hopefully, these changes will fix the postfix missing emails.
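Following one delivery through an interleaved maillog, as the post above describes, gets much easier once the lines are grouped by the smtpd process ID and the queue ID. The script below is an added example, not code from this thread. The log lines it parses are constructed (documentation hostnames and addresses) and imitate the Postfix 2.x log formats for connect/disconnect, the client= line that assigns a queue ID, a NOQUEUE reject and a DATA timeout.

```python
"""Group a Postfix maillog by smtpd session (added example, not from the thread).

Each smtpd child logs with a stable [pid] from "connect from" to
"disconnect from", so grouping by pid reconstructs one client session.
The queue ID on the "<QUEUEID>: client=..." line links that session to the
cleanup/qmgr lines for the same message.
"""
import re
from typing import Dict, List

# Constructed sample log; hosts and addresses are documentation examples.
SAMPLE_LOG = """\
Aug 28 04:12:01 mx postfix/smtpd[12345]: connect from smtp123.mortgage.example[198.51.100.23]
Aug 28 04:12:02 mx postfix/smtpd[12346]: connect from unknown[203.0.113.77]
Aug 28 04:12:02 mx postfix/smtpd[12345]: A3F52B1C7D: client=smtp123.mortgage.example[198.51.100.23]
Aug 28 04:12:03 mx postfix/smtpd[12346]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.77]; from=<a@b.example> to=<bob@example.org> proto=ESMTP helo=<b.example>
Aug 28 04:12:03 mx postfix/cleanup[12350]: A3F52B1C7D: message-id=<20120828@mortgage.example>
Aug 28 04:12:04 mx postfix/smtpd[12346]: disconnect from unknown[203.0.113.77]
Aug 28 04:17:05 mx postfix/smtpd[12345]: timeout after DATA (4718592 bytes) from smtp123.mortgage.example[198.51.100.23]
Aug 28 04:17:05 mx postfix/smtpd[12345]: disconnect from smtp123.mortgage.example[198.51.100.23]
"""

# syslog prefix: "Mon DD HH:MM:SS host postfix/<program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# message starting with a queue ID (or NOQUEUE) followed by ": "
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{6,}|NOQUEUE): (?P<rest>.*)$")


def smtpd_sessions(log_text: str) -> List[Dict]:
    """Return one record per smtpd session, in order of connect."""
    sessions: List[Dict] = []
    by_pid: Dict[str, Dict] = {}          # sessions still open, keyed by pid
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "smtpd":
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            sess = {"pid": pid, "client": msg[len("connect from "):], "start": m["ts"],
                    "end": None, "queue_ids": [], "rejects": [], "timeout": None}
            sessions.append(sess)
            by_pid[pid] = sess
            continue
        sess = by_pid.get(pid)
        if sess is None:
            continue                      # session began before this excerpt
        q = QUEUE_RE.match(msg)
        if q and q["qid"] != "NOQUEUE" and q["rest"].startswith("client="):
            sess["queue_ids"].append(q["qid"])
        elif msg.startswith("NOQUEUE: reject: "):
            sess["rejects"].append(msg[len("NOQUEUE: reject: "):])
        elif msg.startswith("timeout after ") or msg.startswith("lost connection after "):
            sess["timeout"] = msg.split(" from ")[0]
        elif msg.startswith("disconnect from "):
            sess["end"] = m["ts"]
            by_pid.pop(pid, None)
    return sessions


def classify(sess: Dict) -> str:
    """A queue ID on the client= line is not delivery: a later timeout in
    the same pid means the message body never arrived and was discarded."""
    if sess["timeout"]:
        return "incomplete: %s" % sess["timeout"]
    if sess["rejects"] and not sess["queue_ids"]:
        return "rejected"
    if sess["queue_ids"]:
        return "queued " + ",".join(sess["queue_ids"])
    return "no mail"


def queue_lines(log_text: str, qid: str) -> List[str]:
    """Every line about one queue ID, across smtpd, cleanup, qmgr, ..."""
    return [ln for ln in log_text.splitlines() if " %s: " % qid in ln]


def summarize(log_text: str) -> List[str]:
    return ["%s smtpd[%s] %s: %s" % (s["start"], s["pid"], s["client"], classify(s))
            for s in smtpd_sessions(log_text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The two sessions in the sample come out as "incomplete: timeout after DATA (4718592 bytes)" for the mortgage-company host and "rejected" for the client with no reverse DNS; the first is the case the post above suspects, where a queue ID was assigned but the large body never completed, and it looks nothing like a policy reject once the lines are grouped.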

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Aug 28, 2012 5:43 am

One thing to remember with postfix config: the settings you add to are not "starting from scratch" settings;
they are overrides for postfix's defaults.

So many of the settings you have in are not necessarily needed.

As root, type:


postconf -d

This will show you postfix's defaults. Anything postconf -d shows that you have set in probably does not need to be in .
This will make your much easier to read and manage, especially for me, since I am too lazy to look up what every one of those settings means in the order you've used them :)

Indeed, this is not SPF-related. The SPF guide you quoted relates to you, the user, sending e-mail, rather than an MTA receiving the e-mail. Specifically, that SPF document is for Gentoo staff using Gentoo mail systems to send e-mail, and instructs Gentoo staff how to set up their mail clients to use Gentoo servers to send their e-mail.

Joined: 27 Jan 2006
Posts: 290

Posted: Tue Aug 28, 2012 4:06 pm

Thanks for your tips!

I set up my postfix mail server years ago and couldn't remember the exact Gentoo guides (which might have changed anyhow since then), so I just Googled for "Gentoo postfix + courier-imap + squirrelmail"
and "Gentoo spf", so maybe I got the SPF URL wrong -- my apologies.

Anyhow, I do use SPF policy delegation in my

policy  unix  -       n       n       -       -       spawn
   user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl

There is a Gentoo package for a Python script for SPF (mail-filter/pypolicyd-spf)
but I think I downloaded the Perl script instead from
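The spawn entry in the post above hands each recipient decision to an external program over the Postfix policy-delegation protocol: Postfix writes name=value attributes terminated by an empty line, and the program answers action=VERDICT followed by an empty line. The program below is an added example of such a policy server in Python; it is not the Perl script the post refers to and not code from this thread. It combines the two things discussed earlier in the thread, an allowlist of forward-confirmed client hostnames for senders that publish no SPF record, and a deliberately simplified SPF check (ip4 mechanisms only, looked up in a constructed table instead of DNS). All domain names, addresses, the allowlist entries and the sample request are constructed.

```python
"""Toy Postfix policy server (added example, not code from the thread).

Protocol (Postfix SMTPD_POLICY_README): Postfix sends "name=value" lines
ending with an empty line; the program replies "action=<verdict>" and an
empty line.  Under a master.cf spawn entry it talks over stdin/stdout.
"""
import io
import ipaddress
import sys
from typing import Dict, List, TextIO

# Constructed stand-in for DNS: domain -> ip4 mechanisms of its SPF record,
# each record implicitly ending in -all.  A domain missing from the table
# has published no SPF record at all.
FAKE_SPF_RECORDS: Dict[str, List[str]] = {
    "example.com": ["192.0.2.0/24", "198.51.100.7"],
}

# Constructed allowlist of reverse-DNS suffixes for outsourced senders that
# publish no SPF.  Matched against client_name, which Postfix only fills in
# when the PTR name resolves back to the connecting address (otherwise it
# is the literal string "unknown"), so a forged PTR alone does not match.
CLIENT_NAME_ALLOWLIST = (".mail.example.gov", ".isentry.example.net")

# Constructed request, as Postfix would send it at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.9\n"
    "client_name=unknown\n"
    "reverse_client_name=unknown\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.org\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse name=value lines up to the first empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def spf_result(sender: str, client_address: str) -> str:
    """Simplified SPF: ip4 mechanisms only, no include/redirect/macros."""
    domain = sender.rpartition("@")[2].lower()
    if not domain:
        return "none"            # null sender, e.g. a bounce
    record = FAKE_SPF_RECORDS.get(domain)
    if record is None:
        return "none"            # no SPF record published
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return "temperror"
    for mech in record:
        if ip in ipaddress.ip_network(mech, strict=False):
            return "pass"
    return "fail"                # implicit -all in this toy


def decide(attrs: Dict[str, str]) -> str:
    """Return the Postfix action for one request.  Never returns OK."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state", "").upper() != "RCPT":
        return "DUNNO"           # sender and recipient are both known only at RCPT
    client_name = attrs.get("client_name", "unknown").lower()
    if client_name != "unknown" and client_name.endswith(CLIENT_NAME_ALLOWLIST):
        return "DUNNO"           # skip SPF for this client; later restrictions still run
    sender = attrs.get("sender", "")
    client_address = attrs.get("client_address", "")
    result = spf_result(sender, client_address)
    if result == "fail":
        return "REJECT SPF check failed for %s from %s" % (sender, client_address)
    if result == "temperror":
        return "DEFER_IF_PERMIT SPF lookup failed, try again later"
    return "PREPEND Received-SPF: %s" % result   # pass or none: only record it


def handle_request(inp: TextIO, out: TextIO) -> str:
    """Serve one request from inp, write the reply to out, return the action.
    Returns "" at end of input so a caller can loop until Postfix hangs up."""
    lines: List[str] = []
    while True:
        line = inp.readline()
        if line == "":
            if not lines:
                return ""
            break
        if line.strip() == "":
            break
        lines.append(line)
    action = decide(parse_policy_request("".join(lines)))
    out.write("action=%s\n\n" % action)
    out.flush()
    return action


def run_on_text(raw: str) -> str:
    """Feed one raw request, return the raw reply (for tests and demos)."""
    out = io.StringIO()
    handle_request(io.StringIO(raw), out)
    return out.getvalue()


if __name__ == "__main__":
    while handle_request(sys.stdin, sys.stdout):
        pass
```

Two points matter for safety. The program never answers OK: OK is a permit, and a permit from a policy service listed before reject_unauth_destination in smtpd_recipient_restrictions would let that client relay, so "let this client past the SPF check" is expressed as DUNNO, which simply moves on to the next restriction (the same reason the client_access entries in the first post use permit_auth_destination rather than OK). And the absence of an SPF record (result none) is never treated as a failure; RFC 7208 gives a receiver no grounds to reject on none, so only a fail produces a REJECT and a lookup error produces DEFER_IF_PERMIT rather than a hard bounce.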

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Wed Aug 29, 2012 4:00 am

The only thing in that that is somewhat foreign to me is Courier; I've never given it much time. I've either had very simple needs, for which Dovecot fit the bill perfectly, or more complex needs, for which I've used Cyrus IMAP. As a result, I put together this bit of doc:

based on this thread

It might be of some use.
All times are GMT