Architecture Map (tahoestores.org)
FreeBSD · Postfix · Amavis · OpenDKIM · SPF · ClamAV · SpamAssassin · Dovecot (IMAP/LMTP) · Apache HTTP Server · pf · Fail2Ban · CleanTalk · Shield Security · Wordfence

Overview
Production architecture for Postfix on FreeBSD with Amavis (ClamAV/SpamAssassin), OpenDKIM, SPF, pf/Fail2Ban, plus Dovecot (IMAP/LMTP), Apache HTTP Server, and WordPress security hardening.
Antivirus (ClamAV) and anti-spam (SpamAssassin) scanning run inside Amavis during content filtering. Perimeter controls use pf and Fail2Ban. Application-layer protections on the WordPress tier include CleanTalk, Shield Security, and Wordfence. Apache HTTP Server terminates TLS and serves WordPress, with an optional reverse proxy to internal services.
Key Listeners & Components
| Endpoint/Name | Role | Notes |
|---|---|---|
| :25 / smtpd | Public inbound SMTP | HELO/recipient hygiene; DKIM/SPF milters; hands off to Amavis. |
| 127.0.0.1:10024 | Amavis inbound | Invokes ClamAV and SpamAssassin; annotates headers. |
| 127.0.0.1:10025 | Postfix reinjection | No milters; prevents re-verify/resign after Amavis. |
| :587 / submission | Client submission | TLS required; SASL auth; relaxed HELO checks. |
| :465 / smtps | Legacy SMTPS | Implicit TLS; same policy as 587. |
| inet:127.0.0.1:8891 | OpenDKIM milter | Mode sv (sign+verify). |
| pyspf-milter.sock | SPF milter | SPF evaluation (replaces policyd-spf). |
| 3310 / ClamAV | Antivirus daemon | clamd (via amavisd); scans attachments for malware. |
| 783 / SpamAssassin | Spam filter daemon | spamd (via amavisd); scores messages for spam. |
| 143 / 993 — IMAP (Dovecot) | Mailbox access | STARTTLS on 143, SSL on 993; client retrieval. |
| LMTP — Dovecot | Local delivery | Unix socket private/dovecot-lmtp (preferred) or TCP (e.g., 24xx). |
| 80 / 443 — Apache HTTP Server | Web / API gateway | TLS termination (Let’s Encrypt); serves WordPress; mod_security & mod_evasive; optional reverse proxy. |
| Fail2Ban | Intrusion prevention | Dynamic bans pushed to pf; protects Postfix/Dovecot/587. |
| CleanTalk | Cloud anti-spam | WordPress/API; blocks form spam before it reaches mail. |
| pf | Firewall | Kernel ACLs; integrates with Fail2Ban actions. |
| Shield Security | WP app firewall | Login protection, 2FA, file change detection. |
| Wordfence | WP WAF & malware scan | Reputation IP blocking, integrity checks, live monitor. |
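
To check that a running host still matches this map, the listener table can be compared against socket output. The script below is an added example, not part of the original architecture notes: it parses text in the layout of FreeBSD's `sockstat -4 -l` and reports internal hops bound to a non-loopback address, listeners the map does not mention, and mapped listeners that are absent. The sample rows, user names and PIDs are constructed, and treating 3310 and 783 as loopback-only is an assumption, since the table gives no bind address for them.

```python
import ipaddress

# Listener map from the table above: port -> (name, loopback_only).
EXPECTED = {
    25: ("smtpd", False), 587: ("submission", False), 465: ("smtps", False),
    143: ("imap", False), 993: ("imaps", False), 80: ("http", False),
    443: ("https", False), 10024: ("amavis", True), 10025: ("reinjection", True),
    8891: ("opendkim", True), 3310: ("clamd", True), 783: ("spamd", True),  # last two: assumed loopback-only
}

# Constructed sample in `sockstat -4 -l` layout (not captured from a real host).
SAMPLE = """\
USER     COMMAND  PID FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
root     master   811 13 tcp4  *:25             *:*
root     master   811 17 tcp4  *:587            *:*
root     master   811 21 tcp4  *:465            *:*
vscan    amavisd  902 5  tcp4  *:10024          *:*
root     master   811 25 tcp4  127.0.0.1:10025  *:*
opendkim opendkim 640 3  tcp4  127.0.0.1:8891   *:*
clamav   clamd    655 4  tcp4  127.0.0.1:3310   *:*
root     dovecot  700 20 tcp4  *:143            *:*
root     dovecot  700 21 tcp4  *:993            *:*
root     httpd    750 3  tcp4  *:80             *:*
root     httpd    750 4  tcp4  *:443            *:*
mysql    mysqld   770 18 tcp4  *:3306           *:*
"""

def parse_listeners(text):  # yields (command, address, port) per TCP row
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[4].startswith("tcp") and f[5].rpartition(":")[2].isdigit():
            addr, _, port = f[5].rpartition(":")
            yield f[1], addr, int(port)

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" wildcard bind is not an IP literal
        return False

def audit(text):  # returns (kind, port, command) findings
    findings, seen = [], set()
    for cmd, addr, port in parse_listeners(text):
        seen.add(port)
        name, local_only = EXPECTED.get(port, (None, True))
        if local_only and not is_loopback(addr):
            findings.append(("exposed" if name else "unexpected", port, cmd))
    findings += [("missing", p, EXPECTED[p][0]) for p in sorted(set(EXPECTED) - seen)]
    return findings
```

On the constructed sample, `audit(SAMPLE)` flags Amavis listening on a wildcard address, an unmapped listener on 3306, and no listener on 783.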