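#
# Main configuration file for Postfix.
#
# NOTE(review): values written as ${NAME} (POSTFIX_HOST, POSTFIX_MAIL_*) look
# like environment placeholders filled in by a templating step before Postfix
# reads this file. Postfix itself would interpret ${NAME} as a reference to a
# main.cf parameter of that name, which would expand to empty. Confirm against
# the container entrypoint that the substitution happens.

# Version 2 is current for Postfix > 3.2 configuration.
compatibility_level = 2

# Log to standard output (maillog_file is available from Postfix 3.4).
maillog_file = /dev/stdout

# Base hostname used for this mail-server.
myhostname = ${POSTFIX_HOST}
myorigin = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Information to show on connection.
# $mail_name expands to the software name only; $mail_version is not included,
# so the banner does not advertise the exact release.
smtpd_banner = $myhostname ESMTP $mail_name

# Disable "new mail" notifications.
biff = no

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Do not specify README files.
readme_directory = no

# Set quota for individual mailboxes (0 = no limit).
mailbox_size_limit = 0

# Require properly formatted email addresses - prevents a lot of spam.
strict_rfc821_envelopes = yes

# Require addresses of the form "user@domain.tld".
allow_percent_hack = no
swap_bangpath = no

# Allow for email address namespacing using `+` character.
recipient_delimiter = +

# Accept connections from everywhere and only trust this machine.
# mynetworks_style only generates the default value of mynetworks; because
# mynetworks is set explicitly above, the trusted set is the one listed there.
inet_interfaces = all
mynetworks_style = host

# Restrict to IPv4 protocol.
inet_protocols = ipv4

# Masquerade `mail` subdomain, except for `root` user.
masquerade_domains = $myhostname
masquerade_exceptions = root

# These need to be empty for virtual domains.
local_recipient_maps =
mydestination =

# How long if undelivered before sending warning update to sender.
delay_warning_time = 4h

# Reply code for an unknown local recipient: 450 is a temporary error,
# 550 would be permanent.
unknown_local_recipient_reject_code = 450

# How long to keep message on queue before return as failed.
maximal_queue_lifetime = 7d

# Min and max time in seconds between retries if connection failed.
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# How long to wait for the remote server's HELO/EHLO response when sending.
smtp_helo_timeout = 60s

# How many addresses can be used in one message.
#
# Effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16

# How many errors before back off.
smtpd_soft_error_limit = 3

# How many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining

# Requirements for the sender details.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

# Requirements for the connecting server.
# NOTE(review): confirm each DNSBL zone below is still operated and allows this
# deployment's resolver and query volume. A lapsed zone either answers nothing
# (check silently stops working) or, if the domain is re-registered, may answer
# positively for every lookup and reject all inbound mail.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl

# Requirements for mail relay.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Requirement for the recipient address.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

# Requirements checked at the DATA command.
smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# Require proper helo at connections.
# (Set once here; the earlier revision repeated this key in the TLS section,
# which Postfix reports as an overriding entry.)
smtpd_helo_required = yes

# Don't give any helpful info when a mailbox doesn't exist.
show_user_unknown_table_name = no

# Waste spammers' time before rejecting them.
smtpd_delay_reject = yes
disable_vrfy_command = yes

# Local aliasing.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Virtual mailbox transport. Defaults to 'virtual'.
virtual_transport = ${POSTFIX_MAIL_TRANSPORT_PATH}

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/mail/virtual

# This is for the mailbox location for each user.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf

# This is for aliases.
virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf

# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf

# Owner UID and GID map.
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# Pass messages through 'rspamd'.
smtpd_milters = ${POSTFIX_MAIL_MILTER_PATH}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Skip mail without checks if milter dies.
# This is fail-open: while rspamd is unreachable, mail is accepted unfiltered.
# 'tempfail' would defer delivery instead; pick whichever of availability or
# filtering coverage matters more for this deployment.
milter_default_action = accept

# Enable SASL authentication.
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = ${POSTFIX_MAIL_SASL_PATH}

# Do not enable support for broken email clients (such as Outlook).
broken_sasl_auth_clients = no
smtpd_sasl_local_domain =

# TLS configuration parameters for outgoing connections to other mail servers.
# 'dane' needs a DNSSEC-validating resolver (hence smtp_dns_support_level =
# dnssec); for destinations without usable TLSA records Postfix falls back to
# opportunistic TLS.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes

# TLS configuration parameters for incoming connections.
# With smtpd_tls_security_level = may (opportunistic TLS) the protocol list
# that is actually enforced is smtpd_tls_protocols; the smtpd_tls_mandatory_*
# parameters apply only at 'encrypt' or stricter. Both are set so legacy
# protocols stay disabled whichever level is in effect.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
# Offer AUTH only inside a TLS session so credentials never cross in clear.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1

# Other TLS configuration parameters.
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression

# Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt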