# See /usr/share/postfix/main.cf.dist for a commented, more complete version

1. # See /usr/share/postfix/main.cf.dist for a commented, more complete version
2.  
3. # Debian specific: Specifying a file name will cause the first
4. # line of that file to be used as the name. The Debian default
5. # is /etc/mailname.
6. myorigin = /etc/mailname
7.  
8. smtpd_banner = SMTPD Ready.
9. biff = no
10. recipient_delimiter = +
11. luser_relay =
12.  
13. # appending .domain is the MUA's job.
14. append_dot_mydomain = no
15. append_at_myorigin = yes
16.  
17. readme_directory = no
18.  
19. # Si vous avez plusieurs interfaces des réseaux différents
20. #smtp_bind_address=A.B.C.D
21. #smtp_bind_address6=AAAA:BBBB:CCCC:DDDD
22.  
23. # important dans le cas de résolutions local via /etc/hosts (et la présence de denyhost)
24. #smtp_host_lookup = native, dns
25.  
26. # TLS SMTP
27. smtp_tls_security_level = may
28. smtp_tls_ciphers = high
29. smtp_tls_protocols = !SSLv2, !SSLv3
30. #smtp_tls_CAfile = /etc/ssl/certs/cacert.org.pem # Utilisez CACERT ! http://www.cacert.org
31. smtp_tls_key_file = /etc/nginx/cert.key
32. smtp_tls_cert_file = /etc/nginx/cert.crt
33. smtp_tls_session_cache_timeout = 3600s
34. smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
35.  
36. myhostname = maildude.be
37. alias_maps = hash:/etc/aliases
38. alias_database = hash:/etc/aliases
39. mydestination = nextu.be, localhost.nextu.be, localhost
40. relayhost =
41. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
42. mailbox_command = procmail -a "$EXTENSION"
43. mailbox_size_limit = 0
44. recipient_delimiter = +
45. inet_interfaces = all
46. inet_protocols = all
47.  
48. # CONTROL DELIVER
49. default_destination_concurrency_limit = 20
50. local_destination_concurrency_limit = 2
51. in_flow_delay = 1s
52.  
53. message_size_limit = 102400000
54. bounce_size_limit = 1000
55.  
56. # CONTROL DELIVRANCE
57. allow_untrusted_routing = no
58. smtp_recipient_limit = 25
59. disable_vrfy_command = yes
60. strict_rfc821_envelopes = yes
61. show_user_unknown_table_name = no
62. allow_percent_hack = no
63. swap_bangpath = no
64.  
65. ### Tarpit jusqu'au RCPT TO:
66. smtpd_delay_reject = yes
67.  
68. ### Tarpit bots/clients/spammers
69. smtpd_error_sleep_time = 15
70. smtpd_soft_error_limit = 1
71. smtpd_hard_error_limit = 3
72. smtpd_junk_command_limit = 2
73.  
74. ### Reject codes == 554
75. access_map_reject_code = 554
76. invalid_hostname_reject_code = 554
77. maps_rbl_reject_code = 554
78. multi_recipient_bounce_reject_code = 554
79. non_fqdn_reject_code = 554
80. plaintext_reject_code = 554
81. reject_code = 554
82. relay_domains_reject_code = 554
83. unknown_address_reject_code = 554
84. unknown_client_reject_code = 450
85. unknown_hostname_reject_code = 450
86. unknown_local_recipient_reject_code = 554
87. unknown_relay_recipient_reject_code = 554
88. unknown_virtual_alias_reject_code = 554
89. unknown_virtual_mailbox_reject_code = 554
90. unverified_recipient_reject_code = 554
91. unverified_sender_reject_code = 554
92.  
93. # header_checks = regexp:/etc/postfix/maps/header_checks
94. # body_checks = regexp:/etc/postfix/maps/body_checks
95.  
96. smtpd_client_restrictions = permit_mynetworks
97. reject_invalid_hostname
98. reject_unknown_client
99. permit
100.  
101. smtpd_helo_required = yes
102.  
103. # Obligation pour l'emetteur
104. smtpd_sender_restrictions = permit_sasl_authenticated
105. permit_mynetworks
106. reject_unauth_destination
107. reject_non_fqdn_sender
108. reject_unknown_sender_domain
109. reject_unknown_address
110. reject_rhsbl_sender dsn.rfc-ignorant.org
111. permit
112.  
113. smtpd_etrn_restrictions = permit_mynetworks
114. reject
115.  
116. smtpd_data_restrictions = reject_unauth_pipelining
117. reject_multi_recipient_bounce
118. permit
119.  
120. smtpd_recipient_restrictions = reject_invalid_hostname
121. reject_non_fqdn_sender
122. reject_non_fqdn_recipient
123. permit_mynetworks
124. permit_sasl_authenticated
125. reject_unauth_pipelining
126. reject_unknown_sender_domain
127. reject_unknown_recipient_domain
128. reject_unauth_destination
129. reject_unknown_client
130. reject_rbl_client zen.spamhaus.org
131. reject_rbl_client cbl.abuseat.org
132. reject_rhsbl_client multi.surbl.org
133. reject_rhsbl_sender multi.surbl.org
134. reject_rhsbl_sender dbl.spamhaus.org
135. reject_rhsbl_client dbl.spamhaus.org
136. reject_rhsbl_sender dsn.rfc-ignorant.org
137. permit
138.  
139. # SASL
140. smtpd_use_tls=yes
141. smtpd_tls_security_level = may
142. smtpd_tls_mandatory_ciphers = high
143. smtpd_tls_mandatory_protocols = !SSLv2
144. #smtpd_tls_ask_ccert = yes
145. #smtpd_tls_CAfile = /etc/nginx/cert.crt
146. smtpd_tls_key_file = /etc/nginx/cert.key
147. smtpd_tls_cert_file = /etc/nginx/cert.crt
148. smtpd_tls_loglevel = 0
149. smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
150. smtpd_tls_session_cache_timeout = 3600s
151.  
152. broken_sasl_auth_clients = yes
153. smtpd_sasl_auth_enable = yes
154. smtpd_sasl_local_domain = $myhostname
155. #smtpd_sasl_application_name = smtpd
156. #smtpd_sasl_security_options = noanonymous, noplaintext
157. #smtpd_sasl_tls_security_options = noanonymous
158. #smtpd_tls_auth_only = yes
159.  
160. #smtpd_sasl_authenticated_header = no
161.  
162. relay_domains = proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
163. virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
164. virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
165. virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
166. virtual_mailbox_base = /srv/vmail
167. virtual_mailbox_limit = 512000000
168. virtual_minimum_uid = 1999
169. virtual_transport = virtual
170. virtual_uid_maps = static:2000
171. virtual_gid_maps = static:2000
172. local_transport = virtual
173. local_recipient_maps = $virtual_mailbox_maps
174. # Plutard pour la gestion du répondeur même si le répondeur est une très mauvaise idée, sauf pour les spammeurs.
175. # transport_maps = hash:/etc/postfix/transport