# # Main configuration file for Postfix. # # Version 6 is current for Postfix > 3.6 configuration. compatibility_level = 3.6 # Log to standard output. maillog_file = /dev/stdout # Base hostname used for this mail-server. myhostname = ${POSTFIX_HOST} myorigin = $mydomain mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 # Information to show on connection. smtpd_banner = $myhostname ESMTP $mail_name # Disable "new mail" notifications. biff = no # Appending .domain is the MUA's job. append_dot_mydomain = no # Do not specify README files. readme_directory = no # Set quota for individual mailboxes. mailbox_size_limit = 0 # Require properly formatted email addresses - prevents a lot of spam. strict_rfc821_envelopes = yes # Require addresses of the form "user@domain.tld". allow_percent_hack = no swap_bangpath = no # Allow for email address namespacing using `+` character. recipient_delimiter = + # Accept conections form everwhere and only trust this machine. inet_interfaces = all mynetworks_style = host # Restrict to IPv4 protocol. inet_protocols = ipv4 # Masquerade `mail` subdomain, except for `root` user. masquerade_domains = $myhostname masquerade_exceptions = root # These need to be empty for virtual domains. local_recipient_maps = mydestination = # How long if undelivered before sending warning update to sender. delay_warning_time = 4h # Will it be a permanent or temporary error. unknown_local_recipient_reject_code = 450 # How long to keep message on queue before return as failed. maximal_queue_lifetime = 7d # Max and min time in seconds between retries if connection failed. minimal_backoff_time = 1000s maximal_backoff_time = 8000s # Set maximum message size (with attachments) in bytes. message_size_limit = 20480000 # How long to wait when servers connect before receiving rest of data. smtp_helo_timeout = 60s # How many addresses can be used in one message. # # Effective stopper to mass spammers, accidental copy in whole address list # but may restrict intentional mail shots. smtpd_recipient_limit = 16 # How many error before back off. smtpd_soft_error_limit = 3 # How many max errors before blocking it. smtpd_hard_error_limit = 12 # Requirements for the HELO statement. smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_pipelining # Requirements for the sender details. smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining # Requirements for the connecting server. smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_unknown_reverse_client_hostname, reject_unauth_pipelining # Requirements for mail relay. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination # Requirement for the recipient address. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_unauth_pipelining # Require proper helo at connections. smtpd_helo_required = yes # Don't give any helpful info when a mailbox doesn't exist. show_user_unknown_table_name = no # Waste spammers time before rejecting them. smtpd_delay_reject = yes disable_vrfy_command = yes # Local aliasing. alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases # Virtual mailbox transport. Defaults to 'virtual'. virtual_transport = ${POSTFIX_MAIL_TRANSPORT_PATH} # This specifies where the virtual mailbox folders will be located. virtual_mailbox_base = /var/mail/virtual # This is for the mailbox location for each user. virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf # This is for aliases. virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf # This is for domain lookups. virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf # Owner UID and GID map. virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 # Pass messages through 'rspamd'. smtpd_milters = ${POSTFIX_MAIL_MILTER_PATH} milter_protocol = 6 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} # Skip mail without checks if milter dies. milter_default_action = accept # Enable SASL authentication. smtpd_sasl_type = dovecot smtpd_sasl_auth_enable = yes smtpd_sasl_path = ${POSTFIX_MAIL_SASL_PATH} # Do not enable support for broken email clients (such as Outlook). broken_sasl_auth_clients = no smtpd_sasl_local_domain = # TLS configuration parameters for outgoing connections to other mail servers. smtp_tls_security_level = dane smtp_dns_support_level = dnssec smtp_tls_note_starttls_offer = yes # TLS configuration parameters for incoming connections. smtpd_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_mandatory_ciphers = high smtpd_tls_auth_only = yes smtpd_helo_required = yes smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_loglevel = 1 # Other TLS configuration parameters. tls_random_source = dev:/dev/urandom tls_ssl_options = no_ticket, no_compression # Certificate file location. smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt