Alex Palaistras
f877a72e83
This commit contains a fairly large diff for a fairly small change: moving the `config/common` directory to `host/base` to better reflect its intended use, and promoting `config/service` to the root directory. These changes unlock some improvements in `coreos-home-server-update` processes, which will (assuming `/etc/coreos-home-server/base` exists) keep host-wide systemd services in sync in addition to service-specific ones. Changes have been made to the `Makefile` and a few other places where `config/common` was referenced, but most of this work is renames that are not intended to break compatibility with new or running servers.
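#
# Main configuration file for Postfix.
#
# The ${POSTFIX_*} references below are presumably substituted by the
# container entrypoint before Postfix reads this file; Postfix itself would
# treat them as references to (undefined) main.cf parameters -- confirm.
# Multi-line values continue on indented lines, as Postfix requires.
# Postfix recognises only full-line '#' comments; never append one to a value.
#

# Version 2 is current for Postfix > 3.2 configuration.
compatibility_level = 2

# Log to standard output (no syslog needed inside the container).
maillog_file = /dev/stdout

# Base hostname used for this mail-server.
myhostname = ${POSTFIX_HOST}
myorigin = $mydomain
# Loopback only: nothing beyond this host is trusted by permit_mynetworks.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Information to show on connection.
smtpd_banner = $myhostname ESMTP $mail_name

# Disable "new mail" notifications.
biff = no

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Do not specify README files.
readme_directory = no

# Set quota for individual mailboxes (0 disables the limit).
mailbox_size_limit = 0

# Require properly formatted email addresses - prevents a lot of spam.
strict_rfc821_envelopes = yes

# Require addresses of the form "user@domain.tld".
allow_percent_hack = no
swap_bangpath = no

# Allow for email address namespacing using `+` character.
recipient_delimiter = +

# Accept connections from everywhere and only trust this machine.
inet_interfaces = all
# NOTE(review): mynetworks_style is only consulted to compute the default for
# mynetworks, which is set explicitly above, so this line is harmless but inert.
mynetworks_style = host

# Restrict to IPv4 protocol.
inet_protocols = ipv4

# Masquerade `mail` subdomain, except for `root` user.
masquerade_domains = $myhostname
masquerade_exceptions = root

# These need to be empty for virtual domains: nothing is delivered locally, so
# every accepted recipient must resolve through the virtual_* maps below.
local_recipient_maps =
mydestination =

# How long if undelivered before sending warning update to sender.
delay_warning_time = 4h

# Reply code for unknown local recipients. 450 is a temporary error, so a
# misconfigured lookup table defers mail instead of bouncing it permanently.
unknown_local_recipient_reject_code = 450

# How long to keep message on queue before return as failed.
maximal_queue_lifetime = 7d

# Max and min time in seconds between retries if connection failed.
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# How long to wait when servers connect before receiving rest of data.
smtp_helo_timeout = 60s

# How many addresses can be used in one message.
#
# Effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16

# How many errors before back off.
smtpd_soft_error_limit = 3

# How many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining

# Requirements for the sender details.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

# Requirements for the connecting server.
# NOTE(review): reject_rbl_client with no "=127.0.0.x" filter treats any A
# record as a listing. Spamhaus answers queries it refuses (public resolvers,
# unregistered heavy use) with 127.255.255.x error codes, which would then
# reject every client -- confirm the resolver setup or filter on the listing
# codes. blackholes.easynet.nl appears to have been retired long ago; verify it
# still answers, since a dead or re-registered zone means either wasted lookups
# or a blanket reject.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl

# Requirements for mail relay: only this host and SASL-authenticated users may
# relay to destinations we are not responsible for (no open relay).
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Requirement for the recipient address.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

# Restrictions evaluated at DATA, once the whole envelope is known.
smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# Require proper helo at connections.
smtpd_helo_required = yes

# Don't give any helpful info when a mailbox doesn't exist.
show_user_unknown_table_name = no

# Postpone rejections until RCPT TO so restriction lists see the full envelope,
# and disable VRFY so addresses cannot be probed one by one.
smtpd_delay_reject = yes
disable_vrfy_command = yes

# Local aliasing.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Virtual mailbox transport. Defaults to 'virtual'.
virtual_transport = ${POSTFIX_MAIL_TRANSPORT_PATH}

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/mail/virtual

# Mailbox, alias and domain lookups via MySQL. The mysql-*.cf files carry the
# database credentials, so keep them readable only by root and the postfix user.
# Mailbox location for each user.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf
# Aliases.
virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf
# Domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf

# Owner UID and GID map: every virtual mailbox belongs to one fixed id.
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# Pass messages through 'opendkim' and 'rmilter'.
smtpd_milters = ${POSTFIX_MAIL_MILTER_PATH}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Skip mail without checks if milter dies. This fails open: while the milter is
# down, mail is accepted unsigned and unscanned; 'tempfail' would defer instead.
milter_default_action = accept

# Enable SASL authentication.
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = ${POSTFIX_MAIL_SASL_PATH}

# Do not enable support for broken email clients (such as Outlook).
broken_sasl_auth_clients = no
smtpd_sasl_local_domain =

# TLS configuration parameters for outgoing connections to other mail servers.
# DANE needs a DNSSEC-validating resolver (hence smtp_dns_support_level);
# without one the effective level presumably degrades to "may" -- confirm the
# resolver the container uses.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes

# TLS configuration parameters for incoming connections.
# NOTE(review): the *_mandatory_* settings only apply where TLS is mandatory
# (security level "encrypt", e.g. a submission listener). This listener is
# opportunistic ("may"), which is governed by smtpd_tls_protocols and
# smtpd_tls_ciphers instead, so TLSv1/1.1 and medium ciphers remain accepted
# here unless those are set too -- confirm which listeners inherit this file.
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
# Offer AUTH only after STARTTLS, so credentials never cross the wire in clear.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1

# Other TLS configuration parameters.
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression

# Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt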