coreos-home-server/service/postfix/container/config/main.cf.template

#
# Main configuration file for Postfix.
#

# Version 2 is current for Postfix > 3.2 configuration.
compatibility_level = 2

# Log to standard output.
maillog_file = /dev/stdout

# Base hostname used for this mail-server.
myhostname = ${POSTFIX_HOST}
myorigin = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Information to show on connection.
smtpd_banner = $myhostname ESMTP $mail_name

# Disable "new mail" notifications.
biff = no

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Do not specify README files.
readme_directory = no

# Set quota for individual mailboxes.
mailbox_size_limit = 0

# Require properly formatted email addresses - prevents a lot of spam.
strict_rfc821_envelopes = yes

# Require addresses of the form "user@domain.tld".
allow_percent_hack = no
swap_bangpath = no

# Allow for email address namespacing using `+` character.
recipient_delimiter = +

# Accept conections form everwhere and only trust this machine.
inet_interfaces = all
mynetworks_style = host

# Restrict to IPv4 protocol.
inet_protocols = ipv4

# Masquerade `mail` subdomain, except for `root` user.
masquerade_domains = $myhostname
masquerade_exceptions = root

# These need to be empty for virtual domains.
local_recipient_maps =
mydestination =

# How long if undelivered before sending warning update to sender.
delay_warning_time = 4h

# Will it be a permanent or temporary error.
unknown_local_recipient_reject_code = 450

# How long to keep message on queue before return as failed.
maximal_queue_lifetime = 7d

# Max and min time in seconds between retries if connection failed.
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# How long to wait when servers connect before receiving rest of data.
smtp_helo_timeout = 60s

# How many addresses can be used in one message.
#
# Effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16

# How many error before back off.
smtpd_soft_error_limit = 3

# How many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining

# Requirements for the sender details.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

# Requirements for the connecting server.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl

# Requirements for mail relay.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Requirement for the recipient address.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# Require proper helo at connections.
smtpd_helo_required = yes

# Don't give any helpful info when a mailbox doesn't exist.
show_user_unknown_table_name = no

# Waste spammers time before rejecting them.
smtpd_delay_reject = yes
disable_vrfy_command = yes

# Local aliasing.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Virtual mailbox transport. Defaults to 'virtual'.
virtual_transport = ${POSTFIX_MAIL_TRANSPORT_PATH}

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/mail/virtual

# This is for the mailbox location for each user.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf

# This is for aliases.
virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf

# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf

# Owner UID and GID map.
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# Pass messages through 'rspamd'.
smtpd_milters = ${POSTFIX_MAIL_MILTER_PATH}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Skip mail without checks if milter dies.
milter_default_action = accept

# Enable SASL authentication.
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = ${POSTFIX_MAIL_SASL_PATH}

# Do not enable support for broken email clients (such as Outlook).
broken_sasl_auth_clients = no
smtpd_sasl_local_domain =

# TLS configuration parameters for outgoing connections to other mail servers.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes

# TLS configuration parameters for incoming connections.
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_auth_only = yes
smtpd_helo_required = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1

# Other TLS configuration parameters.
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression

# Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt