Postfix most important setting?

[Angel Hess]

In your opinion, what are the two most important settings to have enabled or disabled in Postfix main.cf / master.cf ?
Just asking.

 

[iRobbery]

Important seems rather vague, many settings are important to make it run at all. Others are good for fending of spammers and so on.

 

[RypPn]

I started here before tweaking...

FreeBSD 10: postfix, dovecot, Roundcube, amavisd-new, spamassassin, clamav, pigeonhole – Blog of Kliment Andreev – A place so I won't forget things

Tweaks were informed by this test tool

Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt

internet.nl

 

[Argentum]

In your opinion, what are the two most important settings to have enabled or disabled in Postfix main.cf / master.cf ?
Just asking.

Some settings are essential - without these it does not work. But here are some of my non-essential settings

default_process_limit = 700
mailbox_size_limit = 2000000000

smtpd_delay_reject = yes
smtpd_helo_required=yes
smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, permit_mynetworks
smtpd_sender_restrictions = reject_unknown_sender_domain

# AbuseAt.ORG
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client cbl.abuseat.org

 

[SirDice]

Others are good for fending of spammers and so on.

And other settings will prevent it from getting abused too.

If the mailserver is accessible from the internet you're going to want to run a check with https://mxtoolbox.com/diagnostic.aspx too.

 

[Jose]

smtpd_relay_restrictions = reject_unauth_destination

Postfix SMTP relay and access control

 

[Argentum]

smtpd_relay_restrictions = reject_unauth_destination

Postfix SMTP relay and access control

Just wanted to add that my current configuration I did quote in my is historical and can be improved for sure. Process limit is not relevant any more for me and comes from historical set-up.
Ref

Will probably add this also to the next version of Postfix conf

# Spam control: exclude local clients and authenticated clients
    # from DNSBL lookups.
    smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        # reject_unauth_destination is not needed here if the mail
        # relay policy is specified under smtpd_relay_restrictions
        # (available with Postfix 2.10 and later).
        reject_unauth_destination
        reject_rbl_client zen.spamhaus.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org

But yes, this thread is actually relevant. There are many possible settings and it may be difficult to understand the manual in full extent. It is a good idea to share experiences.

 

[dbdemon]

smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, permit_mynetworks

What would be the purpose of rejecting hosts without a fully-qualified hostname? That feels a tad too restrictive to me.

 

[biggsy]

the two most important settings to have enabled

postscreen and . . . postscreen

http://www.postfix.org/POSTSCREEN_README.html