postfix with mailman and tls configuration file

The file below is a sample copy of a postfix configuration file used in an installation which runs the mailman list server. The postfix configuration allows for TLS protected upstream authentication to a commercial ISP mail service. The file is referenced by the discussion about this set up at

# See /usr/share/postfix/ for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.

# this file contains the name of our mailer (in my case the domain name)
myorigin = /etc/mailname

# what we display on connection
smtpd_banner = $myhostname ESMTP – OK

# disable the comsat client code in the Postfix delivery agent
biff = no

# appending .domain is the MUA’s job.
append_dot_mydomain = no

# Uncomment the next line to generate “delayed mail” warnings
delay_warning_time = 4h

readme_directory = no

# mailbox_command = procmail -a “$EXTENSION”

mailbox_size_limit = 0

# all local configs below:

# origin set to domainname
myorigin = /etc/mailname

# hostname set to smtp
myhostname =
# and domain
mydomain =

# who do we accept mail for?
mydestination =,,, localhost

# privileged local networks allowed to relay out
mynetworks =,

# only listen on localhost and specific local network address
inet_interfaces = $myhostname, localhost

# note the NAT interface address
proxy_interfaces =

# note the addition of the mailman aliases database in maps – but NOT to the alias_database

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +

# TLS parameters
# where we get our entropy

tls_random_source = dev:/dev/urandom

# first server side details – i.e. when we accept TLS connections – not needed so


# now the important bit – our client TLS details for the upstream

smtp_use_tls = yes
# note that the cert below was generated locally using openssl thusly:
# “openssl req -new -x509 -nodes -out smtp-client.pem -keyout smtp-client.pem -days 10000”
smtp_tls_cert_file = /etc/postfix/tls/smtp-client-cert.pem
# use the cert file as the key file as well
smtp_tls_key_file = $smtp_tls_cert_file

# now list the certs of the servers we trust (actually, we only need the Thawte cert used by our upstream).
smtp_tls_CAfile = /etc/postfix/tls/cacert.pem

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# increase the logging
smtp_tls_loglevel = 2

# and set the per site details (force TLS with specific hosts)
smtp_tls_per_site = hash:/etc/postfix/tls/tls_sites

# Now the SASL details
# no for the server
smtpd_sasl_auth_enable = no

# but yes when we act as a client
smtp_sasl_auth_enable = yes

# where we store the hashed UID and password
smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpw
# security options set to disallow anon auth (but allow plaintext within the TLS session)
smtp_sasl_security_options = noanonymous
# our upstream relay
relayhost = []

# and now some configs necessary for mailman
owner_request_special = no
recipient_delimiter = +
unknown_local_recipient_reject_code = 550

# virtual maps database added – but note also alias_maps above

virtual_maps = hash:/var/lib/mailman/data/aliases
relay_domains =
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# end

Permanent link to this article: