Kervinou

main.cf (17-01-17)

Jan 16th, 2017
  1. # ---------------------------------------------------------
  2. # See /usr/share/postfix/main.cf.dist for a commented, more complete version
  3. # ---------------------------------------------------------
  4. # Debian specific:  Specifying a file name will cause the first
  5. # line of that file to be used as the name.  The Debian default
  6. # is /etc/mailname.
  7.  
  8. # 29/12/2016: Optimisation Postfix
  9. # http://postfix.traduc.org/index.php/TUNING_README.html
  10.  
  11.  
  12. #myorigin = /etc/mailname
  13. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
  14. biff = no
  15.  
  16. # Limite de taille pour 1 EMAIL
  17. message_size_limit = 51200000
  18.  
  19. # appending .domain is the MUA's job.
  20. append_dot_mydomain = no
  21.  
  22. # Uncomment the next line to generate "delayed mail" warnings
  23. #delay_warning_time = 4h
  24.  
  25. # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
  26. # information on enabling SSL in the smtp client.
  27.  
  28. myhostname = apollo.kerv.fr
  29. alias_maps = hash:/etc/aliases,hash:/etc/mail/sympa/aliases
  30. alias_database = hash:/etc/aliases,hash:/etc/mail/sympa/aliases
  31. myorigin = /etc/mailname
  32. mydestination = localhost
  33. relayhost =
  34. mynetworks = 127.0.0.0/8 99.000.000.111 99.000.000.222
  35. mailbox_command =
  36. mailbox_size_limit = 0
  37. inet_interfaces = all
  38.  
  39. readme_directory = no
  40.  
  41.  
  42. # Ajout de quelques drectives
  43. # http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
  44. #
  45. disable_vrfy_command = yes
  46.  
  47. # ---------------------------------------------------------
  48. # default
  49. # ---------------------------------------------------------
  50. default_destination_recipient_limit = 100
  51. #default_process_limit = 10
  52. default_process_limit = 30
  53.  
  54. # https://www.skyminds.net/serveur-dedie-ajouter-lauthentification-spf-sender-id-et-dkim-a-postfix-et-bind9-avec-opendkim/
  55. # This means that postfix will up to two concurrent
  56. # connections per receiving domains. The default value is 20.
  57. #default_destination_concurrency_limit = 5
  58.  
  59. # Postfix will add a delay between each message to the same receiving domain.
  60. # default_destination_rate_delay = 5s
  61.  
  62. # Limit the number of recipients of each message.
  63. # If a message had 20 recipients on the same domain, postfix will break it out
  64. #default_extra_recipient_limit = 3
  65.  
  66.  
  67.  
  68. # ---------------------------------------------------------
  69. # Slow
  70. # ---------------------------------------------------------
  71. slow_destination_recipient_limit = 20
  72. slow_destination_concurrency_limit = 2
  73. transport_maps = hash:/etc/postfix/transport
  74.  
  75.  
  76. # ---------------------------------------------------------
  77. # POSTSCREEN
  78. # ---------------------------------------------------------
  79. # == https://effraie.org/doc/serveur/archi_mail#combattre_le_spampostscreen_amavis_spamassassin_et_clamav
  80. postscreen_access_list = permit_mynetworks
  81.  
  82. postscreen_dnsbl_sites = zen.spamhaus.org*3
  83.                          b.barracudacentral.org*2
  84.                          bl.spameatingmonkey.net*2
  85.                          dnsbl.ahbl.org*2
  86.                          bl.spamcop.net
  87.                          dnsbl.sorbs.net
  88.                          psbl.surriel.com
  89.                          bl.mailspike.net
  90.                          swl.spamhaus.org*-4
  91.                          list.dnswl.org=127.[0..255].[0..255].0*-2
  92.                          list.dnswl.org=127.[0..255].[0..255].1*-3
  93.                          list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
  94. postscreen_dnsbl_threshold = 3
  95. postscreen_dnsbl_action = enforce
  96.  
  97. postscreen_greet_banner = You have to respect RFCs
  98. postscreen_greet_action = enforce
  99.  
  100.  
  101. # ========== Il semble queles règles sont passées l'une après l'autre donc l'ordre à une importance
  102. # ========== https://effraie.org/doc/serveur/archi_mail#combattre_le_spampostscreen_amavis_spamassassin_et_clamav
  103. # Restrictions smtpd
  104.  
  105. # http://postfix.traduc.org/index.php/SMTPD_ACCESS_README.html
  106. # smtpd_sender_restrictions = reject_unknown_sender_domain
  107.  
  108. smtpd_recipient_restrictions =
  109. # Whitelist & Blacklist
  110.    check_client_access hash:/etc/postfix/client_checks,
  111.    check_sender_access hash:/etc/postfix/sender_checks,
  112. # --- ces régles sont pour tous:  
  113.     # reject_non_fqdn_recipient,
  114.     reject_non_fqdn_sender,
  115.     reject_unknown_recipient_domain,
  116.     reject_unknown_sender_domain,
  117.     reject_unauth_pipelining,
  118. # --- mes utilisateurs:
  119.     permit_mynetworks,
  120.     permit_sasl_authenticated,
  121. # --- Bloquer quand il n'y a pas de reverse DNS
  122.     reject_unknown_reverse_client_hostname,
  123. # --- Bloquer quand le HELO/EHLO-hostnames est mal configuré
  124.     reject_non_fqdn_hostname,
  125.     # 15/10/2015-01:09= remis en fonction:  reject_invalid_hostname,
  126.     reject_invalid_hostname,
  127.     reject_invalid_helo_hostname,
  128. # --- Test des RBL List
  129.     # reject_rbl_client list.dsbl.org, # warning: 187.126.227.212.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=187.126.227.212.list.dsbl.org type=A: Host not found
  130.     reject_rbl_client sbl.spamhaus.org,
  131.     reject_rbl_client cbl.abuseat.org,
  132.     reject_rbl_client dul.dnsbl.sorbs.net,
  133. # --- Je ne suis pas responsable de ça :
  134.     reject_unauth_destination,
  135. # --- SPF - POLICY - postfix-policyd-spf-perl
  136. # https://www.howtoforge.com/postfix_spf
  137.     check_policy_service unix:private/policy,
  138.  
  139. # --- Greylisting
  140. # 15/09/16 supprimé car le service deconne - de toute manière, je voulais l'enlever !
  141.     # check_policy_service inet:127.0.0.1:10023,
  142. # 15/09/16 (TEST) Suite MAJ postgrey qui prend en charge l'IP v6
  143. # http://serverfault.com/questions/471581/postfix-warning-connect-to-127-0-0-110023-connection-refused-not-receiving
  144. # 15/09/16 : ne fonctionne toujours pas
  145.     # check_policy_service inet:11.22.33.44:10023,
  146. # --- Si tous ça est ok,
  147.     # permit
  148. # ----------------------------------------------------
  149.  
  150.  
  151. # ---------------------------------------------------------
  152. # SYMPA - Mailing List
  153. # 26/11/2016
  154. # ---------------------------------------------------------
  155. transport_maps = regexp:/etc/postfix/transport_regexp
  156. sympa_destination_recipient_limit = 1
  157. sympabounce_destination_recipient_limit = 1
  158. recipient_delimiter = +
  159.  
  160. # ---------------------------------------------------------
  161. # DOVECOT
  162. # ---------------------------------------------------------
  163. virtual_transport = dovecot
  164. dovecot_destination_recipient_limit = 1
  165.  
  166. # virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
  167. # virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
  168. # virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
  169.  
  170. virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
  171. virtual_alias_maps =
  172.    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
  173.    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
  174.    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
  175.    #hash:/etc/mail/sympa/aliases
  176. virtual_mailbox_maps =
  177.    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
  178.    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
  179.  
  180.  
  181.    
  182. # ---------------------------------------------------------
  183. # Additional for quota support
  184. # ---------------------------------------------------------
  185. # virtual_create_maildirsize = yes
  186. # virtual_mailbox_extended = yes
  187. # virtual_mailbox_limit_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
  188. # virtual_mailbox_limit_override = yes
  189. # virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
  190. # virtual_overquota_bounce = yes
  191.  
  192.  
  193. # http://debian-facile.org/doc:reseau:postfix ==> uniquement si PAS DOVECOT
  194. # virtual_uid_maps = static:5000
  195. # virtual_gid_maps = static:5000
  196. # virtual_mailbox_base = /home/vmail
  197.  
  198.  
  199. # ---------------------------------------------------------
  200. # OPENDKIM
  201. # ---------------------------------------------------------
  202. # http://lea-linux.org/documentations/DKIM_SPF_Postfix
  203. # Déplacé pour éviter la double signature dans master.cf   -o smtpd_milters=inet:localhost:12345
  204. # double signature : http://serverfault.com/questions/475416/is-there-a-reason-why-dkim-signs-every-mail-twice
  205. # double signature : http://david.mercereau.info/motclef/postfix/
  206. # La ligne vide ci-dessous est indispensable
  207.  
  208. # milter_default_action = accept
  209. # milter_protocol = 6
  210. # smtpd_milters =
  211. # smtpd_milters = inet:localhost:12345
  212. # non_smtpd_milters = inet:localhost:12345
  213.  
  214.  
  215. # ---------------------------------------------------------
  216. # SASL parameters
  217. # ---------------------------------------------------------
  218. # En commun avec le tutoriel= http://www.tictech.info/post/mail_postfix
  219.  
  220. # Use Dovecot to authenticate.
  221. smtpd_sasl_type = dovecot
  222.  
  223. # Referring to /var/spool/postfix/private/auth
  224. smtpd_sasl_path = private/auth
  225. smtpd_sasl_auth_enable = yes
  226. broken_sasl_auth_clients = yes
  227. smtpd_sasl_security_options = noanonymous
  228. smtpd_sasl_local_domain =
  229. smtpd_sasl_authenticated_header = yes
  230.  
  231.  
  232. # ---------------------------------------------------------
  233. # TLS parameters
  234. # ---------------------------------------------------------
  235. # smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
  236. # smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
  237. # smtpd_use_tls=yes
  238. smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  239. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  240.  
  241. # Replace this with your SSL certificate path if you are using one.
  242. #smtpd_tls_cert_file=/etc/openssl/CERTIFICATES/monserveur.mail.fr_cert.cert
  243. #smtpd_tls_key_file=/etc/openssl/PRIVATE_KEYS/monserveur.mail.fr_key.pem
  244.  
  245. # 28/12/2016: LetsEncrypt
  246. smtpd_tls_cert_file=/etc/letsencrypt/live/monserveur.mail.fr/fullchain.pem
  247. smtpd_tls_key_file=/etc/letsencrypt/live/monserveur.mail.fr/privkey.pem
  248.  
  249. # The snakeoil self-signed certificate has no need for a CA file. But
  250. # if you are using your own SSL certificate, then you probably have
  251. # a CA certificate bundle from your provider. The path to that goes
  252. # here.
  253. #smtpd_tls_CAfile=/path/to/ca/file
  254. smtpd_use_tls                   = yes
  255. smtp_tls_security_level         = may
  256. smtpd_tls_security_level        = may
  257. smtpd_tls_auth_only             = yes
  258. smtp_tls_note_starttls_offer    = yes
  259. smtpd_tls_loglevel              = 1
  260. smtpd_tls_received_header       = yes
  261. smtpd_tls_session_cache_timeout = 3600s
  262.  
  263. tls_random_source = dev:/dev/urandom
  264. #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  265. #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  266. inet_protocols = ipv4
  267.  
  268.  
  269. # ---------------------------------------------------------
  270. # Header manipulation
  271. # ---------------------------------------------------------
  272. enable_original_recipient = yes
  273.  
  274. # https://www.debian-administration.org/article/168/Greylisting_with_Postfix_and_other_antispam_stuff.
  275. # That single one line change is estimated to stop 60% of spam!
  276. header_checks = regexp:/etc/postfix/header_checks.cf
  277. # ---------------------------------------------------------
  278. mime_header_checks = regexp:/etc/postfix/mime_header_checks.cf
  279. # ---------------------------------------------------------
  280. # Body manipulation
  281. # ---------------------------------------------------------
  282. body_checks = regexp:/etc/postfix/body_checks.cf
  283. # ---------------------------------------------------------
  284.  
  285.  
  286. # ---------------------------------------------------------
  287. # smtp_helo_restrictions
  288. # ---------------------------------------------------------
  289. # http://www.unixwiz.net/techtips/postfix-HELO.html
  290.  
  291. smtpd_delay_reject = yes
  292. smtpd_helo_required = yes
  293. smtpd_helo_restrictions =
  294.         permit_mynetworks,
  295.         # reject_unknown_helo_hostname,
  296.         check_helo_access hash:/etc/postfix/helo_access,
  297.         permit
  298.  
  299. # Rejeter le courrier provenant d'une adresse inexistante. Cette forme de filtrage aide à ralentir les vers et autres
  300. # logiciels malfaisant mais peut poser problème avec les applications maison qui envoient du courrier avec une adresse
  301. # inexistante. Pour cette raison, cette fonctionnalité est désactivée par défaut
  302. smtpd_reject_unlisted_sender = no
  303.  
  304. # Rejeter le courrier à destination d'une adresse inexsistante. Cette forme de filtrage aide à garder la file d'attente
  305. # vide des messages non livrables MAILER-DAEMON messages. Cette fonctionnalité est activée par défaut
  306. smtpd_reject_unlisted_recipient = no
  307.  
  308. # ---------------------------------------------------------
  309. # DMARC
  310. # ---------------------------------------------------------
  311.  
  312. milter_default_action = accept
  313. milter_protocol = 6
  314. smtpd_milters = inet:127.0.0.1:8893
  315. non_smtpd_milters = inet:127.0.0.1:8893
  316. # non_smtpd_milters = $smtpd_milters
  317.  
  318. # ---------------------------------------------------------
  319. # AMAVIS
  320. # ---------------------------------------------------------
  321.  
  322. content_filter = amavis:[127.0.0.1]:10024
  323. receive_override_options = no_address_mappings
  324.  
  325.  
  326. # ---------------------------------------------------------