Use CipherMail Appliance as encrypt decrypt gateway with mailserver

Hello dear community,
in my case I have a working mailserver based on Linux and Mailcow, which I want to connect to Ciphermail.
Unfortunately I always find only very abstract instructions, but no detailed information.

I receive and send everything through my mail server and want to use Ciphermail only to perform encryption and decryption via S/MIME.

I know Mailcow well and have been using it for a long time, and CipherMail separately as well; I just can’t get them combined.

I would really appreciate a concrete link or a few words about this if someone has done this before.
This doesn’t have to be Mailcow-specific either; there is Postfix, Dovecot etc. behind it.

Thank you very much in advance.
Greetings
taumeister

I’m not familiar with Mailcow but if it’s using Postfix, then it should be possible to integrate it with CipherMail.

The CipherMail back-end, which is responsible for encryption/decryption/signing etc., works as an internal SMTP server. Postfix can be configured, using the content_filter setting to send all received email via some configured SMTP server before sending it to the final recipients. The back-end will handle the message, for example encrypt, and then send the message back to Postfix. To prevent Postfix from sending the email again to the back-end, a special reinjection port should be added with content_filter set to an empty value.

Have a look at the CipherMail provided Postfix main.cf and master.cf files to see how this should be configured.

Additional mail filtering, like for example anti-spam/virus filters, can be combined by chaining the filters using different content_filter settings for the reinjection ports.

If you need some help with some Postfix setup, post your main.cf and master.cf file here.

Some background info on Postfix after-queue filters can be found here: Postfix After-Queue Content Filter

Hello Martijn,

that’s really super nice of you to reply, thanks also for offering to show my configuration.

So I’m yet to get a CipherMail appliance up and running.
From what I understood, in this scenario the CipherMail Appliance will hardly need to be configured (domain, CA, certs), since it is used only as an encryption and decryption machine. It will not send or receive any mails itself.
Basically, I only need to configure the content_filter on my real mail server.
I can see examples from the ones provided by Ciphermail.
Ok, I will implement this and get back to you.

PS: Where can I find these example files? In the appliance installation, /etc/postfix/…examples or something?

Thanks a lot Martijn,
Greetings

The Postfix config files can be found in our public Gitlab repo core/conf/system/postfix · main · CipherMail B.V. / ciphermail-community · GitLab.

Hello Martijn,
I have looked at the files (main.cf and master.cf) and also your link about ‘content_filter’.
But maybe my knowledge is not sufficient after all;
it would be great if you could help me get this working.

I have added a drawing to give a little overview.

Mailserver:
Here I have added the following in both main and master.
Please see ‘# added content’ section in the respective file.

CipherMail Appliance:
Here I have only configured the network, set up my domain (internal)
and stored my mail certificate including the chain.
I think the rest should work automagically via the MX entries.

After adding the information in main and master on the mail server and restarting everything (of course), nothing happened.
I can still send and receive mails, but they are not sent to the CipherMail Appliance for signature or encryption.
There is nothing in the Ciphermail log about this.

Surely I haven’t understood something here yet and have set it up incorrectly,
maybe you can see it at first sight.

Thanks for your time Martijn.

main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = 57b911375444
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, 57b911375444, localhost.localdomain, , localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all


# added content

# What remote SMTP clients are allowed to use the XFORWARD feature
smtpd_authorized_xforward_hosts = 127.0.0.1/32

# forward incoming email to the Mail Processing Agent (MPA)
content_filter = djigzo:[172.30.30.231]:10025

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# added content
djigzo unix -       -       n       -       4      smtp
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o smtp_generic_maps=

#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

You forgot to add a couple of important Postfix settings on the Mailcow server:

In main.cf:

content_filter = smtp:[172.30.30.231]:25

This tells Postfix on the Mailcow server to forward all incoming email to CipherMail on 172.30.30.231.

The CipherMail appliance should allow relaying from the Mailcow IP address (i.e., add 172.30.30.230 to My networks)

The CipherMail gateway will receive every email from Mailcow and do its thing (encrypt, decrypt etc.). After handling, the email should be sent back to Mailcow for further delivery.

If the CipherMail gateway sent the email back to Mailcow on port 25, the email would be sent to the CipherMail gateway again, resulting in a mail loop.

You therefore need to add a ‘reinjection’ port configuration to the Postfix configuration of Mailcow which disables sending the email to CipherMail.

Add the following reinjection port on the Mailcow server (master.cf):

# injection port for mail handled by the back-end
:10026 inet  n       -       -       -       10      smtpd
            -o content_filter= 
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=172.30.30.231/32

After changing master.cf, you need to restart Postfix.

There should now be an extra SMTP daemon listening on port 10026.

You should now configure the CipherMail appliance to send all email to Mailcow on port 10026, i.e., set Internal relay host and External relay host to 172.30.30.230.

Note: I have not tested the above setup, but in principle this should work. The Postfix config files provided by the CipherMail appliance contain some additional settings which are not strictly required.

Hello Martijn,
again, thank you for taking the time to do this.

I set up everything as you wrote to me and I also understood everything; it seems logical to me.

Unfortunately the systems do not behave as expected.
In simple words, still nothing happens; the settings do not show any change.

The mails are still sent successfully, but I don’t see any indication in the Postfix logfiles that it establishes a connection to CipherMail; I am very surprised.
Likewise, I don’t see any communication with my mail server in CipherMail’s logs.
I have checked all IPs and connections between the systems; they could connect (if they only wanted to :=)).

Martijn, please don’t give up yet :=).

I’ll check everything again.
Info about my domain, for easier identification in the logs:

mydomain = unixuser .de
mailuser = tom[at]unixuser .de (my user[at]mydomain)
send to = taumeister[at]gmail .com (my mail Address [at]gmail for testing)

1. mailserver
   /etc/postfix/main.cf

:10026 inet n - - - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=172.30.30.231/32

2. mailserver
   /etc/postfix/master.cf

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.30.30.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# What remote SMTP clients are allowed to use the XFORWARD feature
smtpd_authorized_xforward_hosts = 127.0.0.1/32

# forward incoming email to the Mail Processing Agent (MPA)
content_filter = smtp:[172.30.30.231]:25


3. mailserver
   Reboot
   netstat (no open port 10026...)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10465 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:10025 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:40969 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:588 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:589 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:590 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:591 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:10587 0.0.0.0:* LISTEN -
tcp6 0 0 :::10465 :::* LISTEN -
tcp6 0 0 :::10025 :::* LISTEN -
tcp6 0 0 :::587 :::* LISTEN -
tcp6 0 0 :::588 :::* LISTEN -
tcp6 0 0 :::589 :::* LISTEN -
tcp6 0 0 :::590 :::* LISTEN -
tcp6 0 0 :::591 :::* LISTEN -
tcp6 0 0 :::465 :::* LISTEN -
tcp6 0 0 :::25 :::* LISTEN -
tcp6 0 0 :::10587 :::* LISTEN -
udp 0 0 127.0.0.11:55293 0.0.0.0:* -

I would give more information and log files, but this forum restricts me to only 2 links and only one picture (mail addresses included) per message…for whatever it’s good for…

In a posting above you pasted parts of main.cf, but the contents are for master.cf.

Is that a typo?

Can you attach the master.cf and main.cf files of the Mailcow system?

Sorry for the confusion, here are Postfix’s main.cf and master.cf.
Do you want me to provide some logs?

postfix.main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = 57b911375444
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, 57b911375444, localhost.localdomain, , localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.30.30.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all


# What remote SMTP clients are allowed to use the XFORWARD feature
smtpd_authorized_xforward_hosts = 127.0.0.1/32

# forward incoming email to the Mail Processing Agent (MPA)
content_filter = smtp:[172.30.30.231]:25

postfix.master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# injection port for mail handled by the back-end

:10026 inet  n       -       -       -       10      smtpd
   -o content_filter= 
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=172.30.30.231/32

#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

How do you send email? With SMTP? Or from the command line with sendmail (or some other command line tool)?

Can you post the relevant Postfix log file (from the Mailcow server)?

I am connected from my Outlook client via mail.unixuser.de using SMTP port 587.
My account is stored in the mail server in Dovecot.

The Postfix log after I sent a mail:

Dec 19 16:53:13 ac7c4a3d6f05 postfix/submission/smtpd[845]: A0CACC1274: client=unknown[52.97.197.5], sasl_method=LOGIN, sasl_username=tom@unixuser.de
Dec 19 16:53:13 ac7c4a3d6f05 postfix/cleanup[848]: A0CACC1274: replace: header Received: from AM9P193MB0824.EURP193.PROD.OUTLOOK.COM (unknown [52.97.197.5])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??(Authenticated from unknown[52.97.197.5]; from=<tom@unixuser.de> to=<taumeister@gmail.com> proto=ESMTP helo=<AM9P193MB0824.EURP193.PROD.OUTLOOK.COM>: Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id A0CACC1274??for <taumeister@gmail.com>; Mon, 19 Dec 2022 16:53:10 +0100 (CET)
Dec 19 16:53:13 ac7c4a3d6f05 postfix/cleanup[848]: A0CACC1274: message-id=<AM9P193MB08248B2B54E9096CE79E03ECA4E59@AM9P193MB0824.EURP193.PROD.OUTLOOK.COM>
Dec 19 16:53:13 ac7c4a3d6f05 postfix/qmgr[493]: A0CACC1274: from=<tom@unixuser.de>, size=2711, nrcpt=1 (queue active)
Dec 19 16:53:13 ac7c4a3d6f05 postfix/submission/smtpd[845]: disconnect from unknown[52.97.197.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Dec 19 16:53:14 ac7c4a3d6f05 postfix/smtp[849]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c1b::1b]:25: Network is unreachable
Dec 19 16:53:15 ac7c4a3d6f05 postfix/smtp[849]: Trusted TLS connection established to gmail-smtp-in.l.google.com[142.251.5.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Dec 19 16:53:15 ac7c4a3d6f05 postfix/smtp[849]: A0CACC1274: to=<taumeister@gmail.com>, relay=gmail-smtp-in.l.google.com[142.251.5.27]:25, delay=4.6, delays=2.9/0.02/1.2/0.43, dsn=2.0.0, status=sent (250 2.0.0 OK  1671465195 a4-20020a056000188400b0023ac5bcc786si6490060wri.46 - gsmtp)
Dec 19 16:53:15 ac7c4a3d6f05 postfix/qmgr[493]: A0CACC1274: removed

No logs from CipherMail:

Dec 19 06:31:04 cma postfix[935]: Postfix is running with backwards-compatible default settings
Dec 19 06:31:04 cma postfix[935]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Dec 19 06:31:04 cma postfix[935]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Dec 19 06:31:05 cma postfix/postfix-script[1541]: starting the Postfix mail system
Dec 19 06:31:05 cma postfix/master[1558]: daemon started -- version 3.5.8, configuration /etc/postfix
Dec 19 13:21:21 cma postfix[2877]: Postfix is running with backwards-compatible default settings
Dec 19 13:21:21 cma postfix[2877]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Dec 19 13:21:21 cma postfix[2877]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Dec 19 13:21:21 cma postfix/postfix-script[2884]: refreshing the Postfix mail system
Dec 19 13:21:21 cma postfix/master[1558]: reload -- version 3.5.8, configuration /etc/postfix
Dec 19 13:43:40 cma postfix[3217]: Postfix is running with backwards-compatible default settings
Dec 19 13:43:40 cma postfix[3217]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Dec 19 13:43:40 cma postfix[3217]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Dec 19 13:43:40 cma postfix/postfix-script[3224]: refreshing the Postfix mail system
Dec 19 13:43:40 cma postfix/master[1558]: reload -- version 3.5.8, configuration /etc/postfix
Dec 19 13:48:27 cma postfix[1101]: Postfix is running with backwards-compatible default settings
Dec 19 13:48:27 cma postfix[1101]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Dec 19 13:48:27 cma postfix[1101]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Dec 19 13:48:28 cma postfix/postfix-script[1579]: starting the Postfix mail system
Dec 19 13:48:28 cma postfix/master[1584]: daemon started -- version 3.5.8, configuration /etc/postfix

The content_filter setting you posted, is that configured on the Mailcow server? Or did you configure this on the CipherMail gateway?

The log file does not match the master and main config you posted. The master.cf file shows that the submission service (port 587) is not enabled. Are you absolutely certain that you are posting the Postfix config of the Mailcow server and not the CipherMail gateway?

Hello Martijn,

I am absolutely sure that I have given the correct information.

The content_filter settings I did on the mail server, not on the CipherMail appliance; that would be useless.

In the ‘postfix’ log you can see that I sent a mail and with the correct time.

I checked with the command: ‘docker logs -f mailcow-postfix-mailcow-1’.

I only look at the Ciphermail log via the appliance, not via the command line.

I have checked everything again; yes, I am sure of the information.

But strangely enough the postfix master config you posted has the submission service disabled. The log file however says that the email was received via the submission service. I therefore think that the postfix config you posted is not the postfix config which is used.

Since you mention Docker, I assume that Postfix is running as a Docker image?

Could it be that the postfix config used by the docker image is a different postfix config?

How can I better help to solve the problem?

That could be, of course; with Mailcow each service (Postfix, Dovecot etc.) is outsourced to an individual container, and normally you don’t have to go in there.

I looked at the postfix config of the mailcow-postfix container and assumed that this is the correct configuration.
Is there anything I can do to check this?

We are of course moving a bit away from the actual solution here (which I’m sure you’ve already given)…annoying. Thanks for your patience, again.

What can I do, do you have any idea?

Are you using this GitHub - mailcow/mailcow-dockerized: mailcow: dockerized - 🐮 + 🐋 = 💕?

If so, I think the postfix main config used by the image is different from the one you posted:

Could it be that you are changing your local postfix config, i.e., the one on your local file system, and not the one from the docker container? (Which, according to the mailcow site, should be under /opt/postfix/conf.)

Oh Jesus Christ this is embarrassing…

First of all, I am definitely on the right server
(proxmox, dedicated virtual machine only for this), BUT
the docker version of mailcow actually doesn’t use the configuration you would expect under /etc/postfix (because that’s where I looked and configured), but a different location, and that goes to …/data/conf/postfix/… in the filesystem of the Docker server (volume), and here I guess you have to make changes if you want to.

Even if you laugh now :slight_smile: I have to say in my defense that I never had to set anything outside the GUI with Mailcow; still a bit embarrassing…

Thanks for your link and for doing my research job…

Looking at the file now I see the following.

main.cf

# --------------------------------------------------------------------------
# Please create a file "extra.cf" for persistent overrides to main.cf
# --------------------------------------------------------------------------
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
smtpd_tls_key_file = /etc/ssl/mail/key.pem
tls_server_sni_maps = hash:/opt/postfix/conf/sni.map
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination
# alias maps are auto-generated in postfix.sh on startup
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =
mynetworks_style = subnet
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
maximal_backoff_time = 1800s
maximal_queue_lifetime = 5d
delay_warning_time = 4h
message_size_limit = 104857600
milter_default_action = tempfail
milter_protocol = 6
minimal_backoff_time = 300s
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks,
  cidr:/opt/postfix/conf/custom_postscreen_whitelist.cidr,
  cidr:/opt/postfix/conf/postscreen_access.cidr,
  tcp:127.0.0.1:10027
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-4
  list.dnswl.org=127.0.[0..255].2*-6
  list.dnswl.org=127.0.[0..255].3*-8
  ix.dnsbl.manitu.net*2
  bl.spamcop.net*2
  bl.suomispam.net*2
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*2
  hostkarma.junkemailfilter.com=127.0.1.2*1
  backscatter.spameatingmonkey.net*2
  bl.ipv6.spameatingmonkey.net*2
  bl.spameatingmonkey.net*2
  b.barracudacentral.org=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
postscreen_dnsbl_threshold = 6
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  $sender_dependent_default_transport_maps,
  $smtp_tls_policy_maps,
  $local_recipient_maps,
  $mydestination,
  $virtual_alias_maps,
  $virtual_alias_domains,
  $virtual_mailbox_maps,
  $virtual_mailbox_domains,
  $relay_recipient_maps,
  $relay_domains,
  $canonical_maps,
  $sender_canonical_maps,
  $sender_bcc_maps,
  $recipient_bcc_maps,
  $recipient_canonical_maps,
  $relocated_maps,
  $transport_maps,
  $mynetworks,
  $smtpd_sender_login_maps,
  $smtp_sasl_password_maps
queue_run_delay = 300s
relay_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/cert.pem
smtp_tls_key_file = /etc/ssl/mail/key.pem
smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = check_recipient_mx_access proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  permit_sasl_authenticated,
  permit_mynetworks,
  check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  reject_invalid_helo_hostname,
  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = inet:dovecot:10001
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unlisted_sender,
  reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
smtpd_tls_loglevel = 1

# Mandatory protocols and ciphers are used when a connections is enforced to use TLS
# Does _not_ apply to enforced incoming TLS settings per mailbox
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high

smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3

smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_resource_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
# -- moved to rspamd on 2021-06-01
#recipient_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
#sender_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
recipient_canonical_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
recipient_canonical_classes = envelope_recipient
virtual_mailbox_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:inet:dovecot:24
virtual_uid_maps = static:5000
smtpd_milters = inet:rspamd:9900
non_smtpd_milters = inet:rspamd:9900
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
mydestination = localhost.localdomain, localhost
smtp_address_preference = any
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = plain, login
smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
mail_name = Postcow
# local_transport map catches local destinations and prevents routing local dests when the next map would route "*"
# Use custom_transport.pcre for custom transports
transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
  pcre:/opt/postfix/conf/local_transport,
  proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
smtp_sasl_auth_soft_bounce = no
postscreen_discard_ehlo_keywords = silent-discard, dsn
compatibility_level = 2
smtputf8_enable = no
# Define protocols for SMTPS and submission service
submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients

# DO NOT EDIT ANYTHING BELOW #
# User overrides #

myhostname = mail.unixuser.de

smtp_tls_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3,!TLSv1,!TLSv1.1
# SSL/TLS supported ciphers
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
smtpd_tls_eecdh_grade = ultra

master.cf

# inter-mx with postscreen on 25/tcp
smtp       inet  n       -       n       -       1       postscreen
10025      inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o syslog_name=haproxy
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain

# smtpd tls-wrapped (smtps) on 465/tcp
# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps
10465    inet  n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps-haproxy

# smtpd with starttls on 587/tcp
# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission
10587      inet n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission-haproxy

# used by SOGo
# smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
588 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/sogo

# used to reinject quarantine mails
590 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/quarantine

# used to send bcc mails
591 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/bcc

# enforced smtp connector
smtp_enforced_tls      unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o syslog_name=enforced-tls-smtp
  -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter

# smtp connector used, when a transport map matched
# this helps to have different sasl maps than we have with sender dependent transport maps
smtp_via_transport_maps      unix  -       -       n       -       -       smtp
  -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf

tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}

# used to anonymize sender IP
smtp_sender_cleanup unix n - y - 0 cleanup
  -o header_checks=$smtp_header_checks

# start whitelist_fwd
127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
# end whitelist_fwd

# start watchdog-specific
# logs to local7 (hidden)
589 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o smtpd_milters=
  -o cleanup_service_name=watchdog_cleanup
  -o non_smtpd_milters=
watchdog_cleanup unix  n       -       n       -       0       cleanup
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o queue_service_name=watchdog_qmgr
watchdog_qmgr fifo  n       -       n       300     1       qmgr
  -o syslog_facility=local7
  -o syslog_name=watchdog
  -o rewrite_service_name=watchdog_rewrite
watchdog_rewrite    unix  -       -       n       -       -       trivial-rewrite
   -o syslog_facility=local7
   -o syslog_name=watchdog
   -o local_transport=watchdog_discard
watchdog_discard    unix  -       -       n       -       -       discard
   -o syslog_facility=local7
   -o syslog_name=watchdog
# end watchdog-specific

Of course, this explains why simply nothing changed after I edited the configuration.

Phew…hopefully not too many people read this :=)
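Once the right files are being edited (mailcow's main.cf asks for persistent overrides in extra.cf), what is worth checking is that the content_filter in main.cf and the reinjection port in master.cf form a chain that cannot loop, as Martijn described earlier in the thread: the listener the back-end delivers to must override content_filter with an empty value, otherwise it inherits the main.cf value and hands the message to the filter again. The checker below is an added example, not mailcow's or CipherMail's own code; both configs are constructed samples, and the filter address [ciphermail.example]:10025 and reinjection port 10026 are assumptions.

```python
# Added example (not mailcow's or CipherMail's code): check that main.cf's
# content_filter is paired with a reinjection listener in master.cf whose
# content_filter override is empty. Sample configs below are constructed;
# "[ciphermail.example]:10025" and port 10026 are assumed values.
import re

def parse_main_cf(text):
    """main.cf -> {param: value}. Continuation lines start with whitespace,
    '#' lines are comments, and the LAST assignment wins (that is why the
    'User overrides' at the bottom of mailcow's main.cf take effect)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation of previous value
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params

def parse_master_cf(text):
    """master.cf -> {"name/type": {option: value}} built from the '-o name=value'
    lines under each service entry; other indented lines (argv=...) are ignored."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] in " \t":
            m = re.match(r"-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        current = f"{fields[0]}/{fields[1]}"     # e.g. "smtp/inet" vs "smtp/unix"
        services[current] = {}
    return services

def check_filter_chain(main_cf, master_cf):
    """Return a list of problems; an empty list means the chain looks sound."""
    params, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    if not params.get("content_filter"):
        return ["main.cf: content_filter is empty, mail never reaches the filter"]
    # A listener without its own '-o content_filter=' inherits the main.cf
    # value, so mail reinjected there would be sent to the filter a second time.
    reinject = [s for s, o in services.items()
                if s.endswith("/inet") and o.get("content_filter") == ""]
    if not reinject:
        return ["master.cf: no inet service overrides content_filter with an "
                "empty value; reinjected mail would loop back to the filter"]
    return []

MAIN_CF = """# constructed sample main.cf
content_filter = smtp:[ciphermail.example]:10025
smtpd_recipient_restrictions = permit_mynetworks,
  reject_unauth_destination
"""
MASTER_OK = """smtp       inet  n       -       n       -       1       postscreen
10026      inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
smtp       unix  -       -       n       -       -       smtp
"""
MASTER_LOOP = MASTER_OK.replace("  -o content_filter=\n", "")  # override missing
```

On a mailcow host the value the running daemon actually uses can be read with `docker exec mailcow-postfix-mailcow-1 postconf content_filter` (container name as in the thread), which is the quickest way to confirm that the edited file is the one being picked up.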