I’m setting up a new postfix based on sources (via MacPorts) and master has this configuration snippet:

smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
-o receive_override_options=no_address_mappings
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy

My certificates live outside the chroot jail, but I expected tlsproxy to handle it (and it is not chrooted). Instead, my log says:

Oct 05 11:35:21 mail postfix/smtpd[2218]: cannot load Certification Authority data, CAfile="/etc/certificates/": disabling TLS support

Does chrooting smtpd require a local copy of certificates inside the chroot jail? Or can this be ignored because I use postscreen to handle port 25? But then, why does my log say:

Oct 05 11:41:50 mail postfix/smtpd[2338]: connect from unknown[]

instead of

Oct 05 11:41:50 mail postscreen[2338]: connect from unknown[]

if I connect to port 25 from another machine? How do I know I’m connected to postscreen, not to smtpd?

(Note, syslog is completely broken on macOS, so I depend on logging to mail log files). I’m running postfix 3.4.6.

Gerben Wierda
Chess and the Art of Enterprise Architecture <>
Mastering ArchiMate <>
Architecture for Real Enterprises <> at InfoWorld
On Slippery Ice <> at EAPJ