AW: Bindestriche im MX Hostanteil und Wildcard-Zertifikate für TLS

Ronny Seffner r.seffner at seffner-schlesier.de
Mo Sep 8 15:45:19 CEST 2025


Hallo Markus,

Interessant, dass es gehen kann. 

> Was sagt 'postconf -nf'?
>

ns1:~# postconf -nf
# Non-default main.cf settings as printed by `postconf -nf`. Lines starting
# with "#" are review annotations, not part of the command output. The lookup
# tables and master.cf are not shown, so notes that depend on them are hedged.
alias_maps = $alias_database
# Permits addresses whose first character is "-". Postfix rejects these by
# default to avoid accidents when addresses are passed on a command line.
# NOTE(review): confirm the delivery commands in master.cf cope with that.
allow_min_user = yes
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 48h
broken_sasl_auth_clients = yes
compatibility_level = 3.6
default_process_limit = 75
# VRFY is turned off, so it cannot be used to probe for valid addresses.
disable_vrfy_command = yes
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = 78.46.92.37 127.0.0.1 [::1] [2a01:4f8:120:6442::2]
mail_name = postfix on linux
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 4294967296
maximal_backoff_time = 15m
maximal_queue_lifetime = 48h
message_size_limit = 209715200
# Fail-open: if the milter (rspamd_milter below) is unavailable or fails,
# mail is processed as if no filter were configured.
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
myhostname = ns1.seffner-schlesier.de
# Clients in these ranges pass every permit_mynetworks below and are exempt
# from smtpd_forbid_bare_newline. Two whole /64 prefixes are listed,
# including link-local [fe80::]/64.
# NOTE(review): confirm that every host able to connect from these prefixes
# should be trusted to relay.
mynetworks = 127.0.0.0/8 78.46.92.37/32 [::ffff:127.0.0.0]/104 [::1]/128
    [fe80::]/64 [2a01:4f8:120:6442::]/64
myorigin = $mydomain
non_smtpd_milters = ${rspamd_milter}
# Limits permit_mx_backup (used in the recipient and relay restrictions) to
# domains whose primary MX hosts fall inside these networks.
permit_mx_backup_networks = 144.76.78.17/32 [2a01:4f8:192:10::]/64
    148.251.243.123/32 148.251.125.23/32 [2a01:4f8:210:2016::]/64
    194.25.101.195/32
proxy_read_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf,
    proxy:unix:passwd.byname
queue_minfree = 1024000000
recipient_bcc_maps = hash:/etc/postfix/bcc_by_recipient
recipient_canonical_maps = hash:/etc/postfix/rewrite_recipient_addresses
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
rspamd_milter = inet:localhost:11332
sender_bcc_maps = hash:/etc/postfix/bcc_by_sender
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = hash:/etc/postfix/rewrite_sender_addresses
smtp_bind_address = 78.46.92.37
smtp_bind_address6 = 2a01:4f8:120:6442::2
# DNSSEC-aware lookups, the prerequisite for smtp_tls_security_level = dane.
# NOTE(review): Postfix relies on the resolver's validation result, so the
# path to the resolver has to be trusted (ideally a validating resolver on
# localhost). Confirm /etc/resolv.conf.
smtp_dns_support_level = dnssec
# Client-side SASL is limited to PLAIN, which sends the password unhashed,
# and noanonymous does not forbid plaintext mechanisms.
# NOTE(review): at level "dane" a destination without usable TLSA records is
# handled opportunistically. Verify that every relay host in sasl_passwd is
# held to "encrypt" or stronger via smtp_tls_policy_maps.
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL
# Outbound TLS excludes only SSLv2/SSLv3 (here and in smtp_tls_protocols),
# whereas the smtpd_* settings below also exclude TLSv1 and TLSv1.1.
# NOTE(review): decide whether the asymmetry is intended. For destinations
# with mandatory TLS, the server-side exclusions could be applied here too.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Tables are searched in the listed order: the local hash table first, then a
# socketmap service on 127.0.0.1:8461 (presumably an MTA-STS policy resolver,
# to be confirmed).
smtp_tls_policy_maps = hash:/etc/postfix/tls_client2server_policy,
    socketmap:inet:127.0.0.1:8461:postfix
smtp_tls_protocols = !SSLv2, !SSLv3
# Opportunistic DANE: TLSA records are used where a destination publishes
# them. Other destinations get opportunistic TLS unless a policy map entry
# says otherwise.
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Obsolete parameter. It is overridden by the non-empty
# smtp_tls_security_level above and can be dropped.
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP server
smtpd_client_restrictions = permit_mynetworks sleep 2 reject_unauth_pipelining
smtpd_data_restrictions = check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames check_sender_access
    hash:/etc/postfix/trust_senders reject_multi_recipient_bounce
smtpd_delay_reject = no
smtpd_end_of_data_restrictions = check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames check_sender_access
    hash:/etc/postfix/trust_senders check_policy_service
    unix:private/size-policy
# SMTP-smuggling countermeasure for non-standard bare <LF> line endings. The
# exact handling of "yes" depends on the Postfix release. Clients in
# $mynetworks are exempted by the exclusions parameter.
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
    pcre:/etc/postfix/blacklist_helo_hostnames check_helo_access
    pcre:/etc/postfix/whitelist_helo_checks check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames
smtpd_milters = ${rspamd_milter}
smtpd_recipient_limit = 100
# The lookups on HELO name, recipient and envelope sender run before
# reject_unauth_destination, and all three values are chosen by the remote
# client.
# NOTE(review): if any of these tables (not shown) returns OK/permit, the
# request is accepted without reaching reject_unauth_destination. Confirm
# they cannot authorize relaying, or evaluate them only after relay
# authorization has been decided.
smtpd_recipient_restrictions = check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames permit_mynetworks
    permit_sasl_authenticated check_recipient_access
    hash:/etc/postfix/blacklist_recipients check_recipient_access
    hash:/etc/postfix/whitelist_recipient_checks check_sender_access
    hash:/etc/postfix/trust_senders permit_mx_backup reject_unauth_destination
    reject_unverified_recipient
# Same list as smtpd_recipient_restrictions, so the same caveat about
# client-controlled lookups ahead of reject_unauth_destination applies. This
# is the list that decides relay authorization.
smtpd_relay_restrictions = check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames permit_mynetworks
    permit_sasl_authenticated check_recipient_access
    hash:/etc/postfix/blacklist_recipients check_recipient_access
    hash:/etc/postfix/whitelist_recipient_checks check_sender_access
    hash:/etc/postfix/trust_senders permit_mx_backup reject_unauth_destination
    reject_unverified_recipient
# AUTH is enabled in main.cf, i.e. for every smtpd service unless master.cf
# overrides it (not shown). smtpd_tls_auth_only below restricts the AUTH
# offer to TLS-protected sessions.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_helo_access
    pcre:/etc/postfix/trust_helo_hostnames permit_mynetworks
    permit_sasl_authenticated check_client_access
    hash:/etc/postfix/client-whitelist reject_unknown_reverse_client_hostname
    check_sender_access hash:/etc/postfix/blacklist_senders check_sender_access
    hash:/etc/postfix/whitelist_sender_checks check_sender_access
    hash:/etc/postfix/trust_senders check_sender_mx_access
    cidr:/etc/postfix/blacklist_senders_mx reject_unlisted_sender
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
# Certificate chain for inbound TLS. By its file name it is a wildcard
# certificate.
smtpd_tls_cert_file = /etc/ssl/le_wildcard.seffner-schlesier.de.fullchain
smtpd_tls_ciphers = high
# Despite the historical "1024" in the parameter name, this sets the DH group
# for the server's DHE ciphers. The file name suggests a 4096-bit group.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_4096.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL
# NOTE(review): confirm the private key is not readable by unprivileged users.
smtpd_tls_key_file = /etc/ssl/le_wildcard.seffner-schlesier.de.key
# "medium" resolves to tls_medium_cipherlist, which is overridden below with
# an AEAD-only ECDHE/DHE list. This grade is applied only where TLS is
# mandatory. At smtpd_tls_security_level = may, the "high" grade from
# smtpd_tls_ciphers is used instead.
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
# Opportunistic STARTTLS for inbound mail.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Obsolete parameter. It is overridden by the non-empty
# smtpd_tls_security_level above and can be dropped.
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
# Replaces the built-in definition of the "medium" cipher grade. The Postfix
# documentation advises against changing the grade definitions, and a pinned
# list has to be maintained by hand.
tls_medium_cipherlist =
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# The server does not impose its own cipher order; the client's preference
# decides.
tls_preempt_cipherlist = no
tls_random_source = dev:/dev/urandom
# Disables TLS-level compression.
tls_ssl_options = NO_COMPRESSION
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unverified_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = static:2000
# virtual_mailbox_base is the prefix virtual(8) prepends to mailbox paths from
# virtual_mailbox_maps, and "/" removes that confinement.
# NOTE(review): with virtual_transport = dovecot, virtual(8) is presumably not
# the delivery agent. Confirm, or set a real base directory.
virtual_mailbox_base = /
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_limit = 4294967296
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:2000


Mit freundlichen Grüßen

Ronny Seffner
Geschäftsführung

-- 
Seffner & Schlesier GmbH . Am Gewerbepark 6 . 01723 Wilsdruff

vertreten d. Ronny Seffner und Nicky Schlesier . Amtsgericht Dresden, HRA 39006 
WEB seffner-schlesier.de . MAIL info at seffner-schlesier.de . FON +49 35204 392050

