This is lower than most other services (e.g. Gmail allows for receiving up to 50MB and sending up to 25MB) but more than most will need.
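#
# Main configuration file for Postfix.
#
# NOTE(review): the ${POSTFIX_*} placeholders in this file are assumed to be
# substituted by a templating step before Postfix reads it. Postfix itself
# would treat them as references to (undefined) main.cf parameters, so verify
# the rendering step runs before postfix starts.
#

# Compatibility level 2 selects the Postfix 3.x default behaviour. Check
# COMPATIBILITY_README before raising it for a newer release.
compatibility_level = 2

# Log to standard output (container-friendly; the supervisor collects it).
maillog_file = /dev/stdout

# Base hostname used for this mail-server.
myhostname = ${POSTFIX_HOST}
myorigin = $mydomain

# Only loopback is trusted. An explicit mynetworks list takes precedence over
# mynetworks_style, so nothing outside this host ever matches permit_mynetworks.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Information to show on connection (no version string is disclosed).
smtpd_banner = $myhostname ESMTP $mail_name

# Disable "new mail" notifications.
biff = no

# Appending .domain is the MUA's job.
append_dot_mydomain = no

# Do not specify README files.
readme_directory = no

# Set quota for individual mailboxes (0 = unlimited; must not be smaller than
# message_size_limit).
mailbox_size_limit = 0

# Require properly formatted email addresses - prevents a lot of spam.
strict_rfc821_envelopes = yes

# Require addresses of the form "user@domain.tld"; refuse the legacy
# percent-hack and bang-path routing syntaxes.
allow_percent_hack = no
swap_bangpath = no

# Allow for email address namespacing using the `+` character.
recipient_delimiter = +

# Accept connections from everywhere and only trust this machine.
# (mynetworks_style is ignored because mynetworks is set explicitly above; it
# is kept as documentation of intent.)
inet_interfaces = all
mynetworks_style = host

# Restrict to IPv4 protocol.
inet_protocols = ipv4

# Masquerade `mail` subdomain, except for `root` user.
masquerade_domains = $myhostname
masquerade_exceptions = root

# These need to be empty for virtual domains (no local delivery at all).
local_recipient_maps =
mydestination =

# How long if undelivered before sending warning update to sender.
delay_warning_time = 4h

# Reject unknown local recipients with a temporary (4xx) rather than a
# permanent error. Largely moot here since mydestination is empty.
unknown_local_recipient_reject_code = 450

# How long to keep message on queue before return as failed.
maximal_queue_lifetime = 7d

# Min and max time between delivery retries after a failed attempt.
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# Set maximum message size (with attachments) in bytes (~20 MB).
message_size_limit = 20480000

# How long to wait when servers connect before receiving rest of data.
smtp_helo_timeout = 60s

# How many addresses can be used in one message.
#
# Effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16

# How many errors before back off.
smtpd_soft_error_limit = 3

# How many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining

# Requirements for the sender details.
#
# NOTE(review): permit_sasl_authenticated comes before any sender check, so an
# authenticated account may use any envelope sender (including another local
# user's). If per-account sender ownership matters, add smtpd_sender_login_maps
# and reject_sender_login_mismatch ahead of it.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

# Requirements for the connecting server. Missing reverse DNS is only logged
# (warn_if_reject), not rejected.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining

# Requirements for mail relay. reject_unauth_destination is what prevents this
# host from being an open relay; only loopback and SASL-authenticated clients
# may relay outward.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Requirement for the recipient address.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

# Restrictions applied at the DATA command.
smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# Require proper HELO at connections.
smtpd_helo_required = yes

# Don't give any helpful info when a mailbox doesn't exist.
show_user_unknown_table_name = no

# Evaluate client/HELO/sender restrictions only at RCPT TO, so rejections are
# logged with full sender/recipient context and misbehaving clients that do
# not wait for replies are still handled correctly. Disable VRFY so accounts
# cannot be enumerated.
smtpd_delay_reject = yes
disable_vrfy_command = yes

# Local aliasing.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Virtual mailbox transport. Defaults to 'virtual'.
virtual_transport = ${POSTFIX_MAIL_TRANSPORT_PATH}

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/mail/virtual

# This is for the mailbox location for each user.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf

# This is for aliases.
virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf

# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf

# Owner UID and GID map (single unprivileged owner for all virtual mailboxes).
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# Pass messages through 'rspamd'.
smtpd_milters = ${POSTFIX_MAIL_MILTER_PATH}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Fail OPEN: if rspamd is unreachable, mail is accepted without spam/virus
# checks. This favours availability; set to `tempfail` to fail closed (senders
# retry later) if unscanned delivery is not acceptable.
milter_default_action = accept

# Enable SASL authentication (delegated to Dovecot).
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = ${POSTFIX_MAIL_SASL_PATH}

# Do not enable support for broken email clients (such as old Outlook).
broken_sasl_auth_clients = no
smtpd_sasl_local_domain =

# TLS configuration parameters for outgoing connections to other mail servers.
#
# DANE requires a DNSSEC-validating local resolver; without one (or where the
# remote publishes no TLSA records) the effective level silently degrades to
# opportunistic "may", so verify the resolver actually validates.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes

# TLS configuration parameters for incoming connections.
#
# The level is opportunistic so that port 25 can still receive from senders
# without TLS. The *_mandatory_* settings below only take effect where TLS is
# mandatory (e.g. a submission service in master.cf overriding
# smtpd_tls_security_level=encrypt — not visible here, verify it is set);
# smtpd_tls_protocols governs the opportunistic case and is kept permissive
# because the alternative to an old TLS version on port 25 is plaintext.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high

# Never offer AUTH on an unencrypted connection.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1

# Other TLS configuration parameters (no session tickets, no TLS compression).
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression

# Certificate file location. The key file must be readable by root only;
# Postfix reads it as root before dropping privileges.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt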