openssl dhparam -out dh.pem

So I was getting errors like this in syslog:

Jul  6 17:35:53 integrity systemd[1]: Started Dovecot IMAP/POP3 email server.
Jul  6 17:35:53 integrity dovecot[10775]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 79: ssl_dh: Can't open file /etc/dovecot/dh.pem: No such file or directory
Jul  6 17:35:53 integrity systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
Jul  6 17:35:53 integrity systemd[1]: dovecot.service: Failed with result 'exit-code'.

This failure was affecting other parts of my system (i.e. postfix SASL).
The solution was to generate the dh.pem file:

root@integrity:/etc/dovecot
# openssl dhparam -out dh.pem 4096

Adding a sender blacklist to Postfix

Here at ProgClub, as moderator for our mailing lists, I get a bunch of spam that I have to get rid of every day, to keep our lists sparkling and spam-free. I regularly get spam from senders from ofenews.co.uk, and I wanted to add their entire domain to a blacklist on our mail server… I hadn’t configured a Postfix blacklist before, so I did a little research and came up with this:

I created a file /etc/postfix/sender_access like this:

ofenews.co.uk REJECT

Then I created the access database:

# postmap /etc/postfix/sender_access

Then I added the sender restrictions into /etc/postfix/main.cf:

smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/sender_access

Then I restarted postfix and was done! Everything is easy when you know how.

For reference, here is the doco which I read to help me:

Binding Postfix to particular IP addresses

I had a problem where my postfix mail system wasn’t listening on its IP address 10.1.1.123 but it was listening on 127.0.0.1. I checked my firewall settings and made sure port 25 was open, but I still couldn’t connect.

I read an article, Bind Postfix Mail Server To Localhost or Specific IP Address Only, which gave me the hint I needed.

The trick was to comment out inet_interfaces in /etc/postfix/main.cf because it was specifying loopback-only which meant postfix wasn’t listening on its other IP addresses.

Configure Postfix for DNS Blackhole Lists

Followed the instructions in this article Configure Postfix for DNS Blackhole Lists such as dsbl.org / spamhaus.org database to configure my Postfix email server to stop spam. I used the whole recommendation:


smtpd_recipient_restrictions =
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   permit_mynetworks,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit

Before that my settings where:


smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination

I kept the permit_sasl_authenticated setting too.

Mailman 3.0 and Postfix Virtual Domains

Read the spec for Mailman 3.0. Looks like it will be pretty good. The feature that I’m interested in, and I’m annoyed I can’t do this with my current version of Mailman, is to be able to put a link to the web archived message in the bottom of the outgoing SMTP message. I.e. so there’s a link back to that message on the web in the message itself. Would be really handy for referencing. At the moment if I want a link I have to go to the web archive for the particular list and find it.

While I was reading the Mailman 3.0 spec I noticed a link to Postfix Virtual Domain Hosting Howto. I think I might have read (at least some of) that before. But… reading that is now definitely on my TODO list.