postfix with mailman and tls configuration file

The file below is a sample copy of a Postfix main.cf configuration file used in an installation which runs the Mailman list server. The Postfix configuration relays all outbound mail to a commercial ISP mail service, authenticating with SMTP AUTH (SASL) over a TLS-protected connection; the per-site TLS table it references is what makes that TLS mandatory rather than opportunistic. The file is referenced by the discussion about this set up at baldric.net.

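# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.

# /etc/mailname holds the name our mail is sent from (in my case the domain name).
# This is the only place myorigin is set: Postfix takes the last assignment of a
# parameter that appears twice, so a second copy further down only invites confusion.
myorigin = /etc/mailname

# what we display on connection. Keep the banner plain ASCII: it is sent on the
# wire and SMTP is a 7-bit ASCII protocol, so a typographic dash does not belong here.
smtpd_banner = $myhostname ESMTP - OK

# disable the comsat client code in the Postfix delivery agent
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# generate "delayed mail" warnings once a message has sat in the queue this long
delay_warning_time = 4h

readme_directory = no

# local delivery through procmail is deliberately not used here; the Debian
# default is kept, commented out, only as a reminder of what it would be
# mailbox_command = procmail -a "$EXTENSION"

# 0 = no size limit on local mailboxes
mailbox_size_limit = 0

# all local configs below:

# hostname set to smtp
myhostname = smtp.ourdomain.org
# and domain
mydomain = ourdomain.org

# who do we accept mail for?
mydestination = smtp.ourdomain.org, ourdomain.org, localhost.ourdomain.org, localhost

# privileged local networks allowed to relay out.
# NOTE: every host on 192.168.1.0/24 may relay through this machine, and therefore
# through the upstream relay using the SASL credentials stored below. Keep this
# range no wider than the LAN actually needs.
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# only listen on localhost and specific local network address
inet_interfaces = $myhostname, localhost

# note the NAT interface address
proxy_interfaces = 123.123.123.123

# note the addition of the mailman aliases database in maps - but NOT to the
# alias_database: Mailman maintains its own aliases.db, so newaliases must not
# be pointed at it.
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases

# "+" address extensions. Mailman relies on this; it is set once, here, rather
# than repeated in the mailman section below.
recipient_delimiter = +

# TLS parameters
#
# where we get our entropy
tls_random_source = dev:/dev/urandom

# first server side details - i.e. when we accept TLS connections - not needed so.
# (Legacy parameter; in Postfix 2.3+ the equivalent is leaving
# smtpd_tls_security_level empty.)
smtpd_use_tls = no

# now the important bit - our client TLS details for the upstream.
# "yes" means OPPORTUNISTIC TLS only (smtp_tls_security_level = may in Postfix
# 2.3+): TLS is used when the far end offers STARTTLS and silently skipped when
# it does not. TLS is made mandatory for the relayhost solely by the per-site
# table further down, so that table must carry an entry for it.
smtp_use_tls = yes
#
# note that the cert below was generated locally using openssl thusly
# (file names shown as used by this configuration):
# "openssl req -new -x509 -nodes -out smtp-client-cert.pem -keyout smtp-client-cert.pem -days 10000"
# -nodes leaves the private key unencrypted in that file, so it must be owned by
# root and readable by root only (Postfix loads it before dropping privileges).
smtp_tls_cert_file = /etc/postfix/tls/smtp-client-cert.pem
# use the cert file as the key file as well
smtp_tls_key_file = $smtp_tls_cert_file

# now list the certs of the servers we trust (actually, we only need the Thawte cert
# used by our upstream). Keep this to the CA(s) genuinely needed: anything listed
# here can vouch for the relayhost when a per-site entry asks for certificate
# verification.
smtp_tls_CAfile = /etc/postfix/tls/cacert.pem

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# increase the logging. 2 also logs each step of the TLS negotiation; once the
# upstream handshake is known to work, 1 (a summary line per handshake) is enough.
smtp_tls_loglevel = 2

# and set the per site details (force TLS with specific hosts).
# This table is what turns opportunistic TLS into mandatory TLS for the relayhost.
# Without a MUST entry for it a failed or stripped STARTTLS would let the session
# continue in clear. (Legacy table; Postfix 2.3+ uses smtp_tls_policy_maps, whose
# entries use the newer security-level keywords.)
smtp_tls_per_site = hash:/etc/postfix/tls/tls_sites

# Now the SASL details
#
# no for the server
smtpd_sasl_auth_enable = no

# but yes when we act as a client
smtp_sasl_auth_enable = yes

# where we store the upstream UID and password.
# NOTE: "hash:" is a Berkeley DB table type, NOT a hash of the secret - both the
# source file and the generated .db hold the password in clear. Keep both owned
# by root with mode 0600.
smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpw
# security options: no anonymous auth, and plaintext mechanisms (PLAIN/LOGIN) are
# refused on an unencrypted session. The second line relaxes that once TLS is up,
# so the password can only ever travel inside the TLS session.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# our upstream relay (the brackets suppress the MX lookup and use the name as given)
relayhost = [auth.smtp.upstream.com]

# and now some configs necessary for mailman
#
owner_request_special = no
# recipient_delimiter = + is set once above, next to the alias maps
unknown_local_recipient_reject_code = 550

# virtual alias database added - but note also alias_maps above.
# virtual_alias_maps is the current name of the parameter formerly called virtual_maps.
virtual_alias_maps = hash:/var/lib/mailman/data/aliases
relay_domains = lists.ourdomain.org
transport_maps = hash:/etc/postfix/transport
# one recipient per delivery for the transport named "mailman" (presumably the
# entry for lists.ourdomain.org in transport_maps - confirm against that file)
mailman_destination_recipient_limit = 1
#
# end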
