
main.cf

a guest
Nov 12th, 2014
  1. # See /usr/share/postfix/main.cf.dist for a commented, more complete version
  2.  
  3. # The first text sent to a connecting process.
  4. smtpd_banner = $myhostname ESMTP $mail_name
  5. biff = no
  6. # appending .domain is the MUA's job.
  7. append_dot_mydomain = no
  8. readme_directory = no
  9.  
  10. # SASL parameters
  11. # ---------------------------------
  12.  
  13. # Use Dovecot to authenticate.
  14. smtpd_sasl_type = dovecot
  15. # Referring to /var/spool/postfix/private/auth
  16. smtpd_sasl_path = private/auth
  17. smtpd_sasl_auth_enable = yes
  18. broken_sasl_auth_clients = yes
  19. smtpd_sasl_security_options = noanonymous
  20. smtpd_sasl_local_domain =
  21. smtpd_sasl_authenticated_header = yes
  22.  
  23. # TLS parameters
  24. # ---------------------------------
  25.  
  26. # The default snakeoil certificate. Comment if using a purchased
  27. # SSL certificate.
  28. smtpd_tls_cert_file=/etc/ssl/certs/<REDACTED>
  29. smtpd_tls_key_file=/etc/ssl/private/<REDACTED>
  30.  
  31. # Uncomment if using a purchased SSL certificate.
  32. # smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
  33. # smtpd_tls_key_file=/etc/ssl/private/example.com.key
  34.  
  35. # The snakeoil self-signed certificate has no need for a CA file. But
  36. # if you are using your own SSL certificate, then you probably have
  37. # a CA certificate bundle from your provider. The path to that goes
  38. # here.
  39. smtpd_tls_CAfile=/etc/ssl/certs/<REDACTED>
  40.  
  41. # Ensure we're not using no-longer-secure protocols.
  42. smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  43.  
  44. smtp_tls_note_starttls_offer = yes
  45. smtpd_tls_loglevel = 1
  46. smtpd_tls_received_header = yes
  47. smtpd_tls_session_cache_timeout = 3600s
  48. tls_random_source = dev:/dev/urandom
  49. #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  50. #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  51.  
  52. # Note that forcing use of TLS is going to cause breakage - most mail servers
  53. # don't offer it and so delivery will fail, both incoming and outgoing. This is
  54. # unfortunate given what various governmental agencies are up to these days.
  55. #
  56. # Enable (but don't force) all incoming smtp connections to use TLS.
  57. smtpd_tls_security_level = may
  58. # Enable (but don't force) all outgoing smtp connections to use TLS.
  59. smtp_tls_security_level = may
  60.  
  61. # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
  62. # information on enabling SSL in the smtp client.
  63.  
  64. # SMTPD parameters
  65. # ---------------------------------
  66.  
  67. # Uncomment the next line to generate "delayed mail" warnings
  68. #delay_warning_time = 4h
  69. # will it be a permanent error or temporary
  70. unknown_local_recipient_reject_code = 450
  71. # how long to keep message on queue before return as failed.
  72. # some have 3 days, I have 16 days as I am backup server for some people
  73. # whom go on holiday with their server switched off.
  74. maximal_queue_lifetime = 7d
  75. # max and min time in seconds between retries if connection failed
  76. minimal_backoff_time = 1000s
  77. maximal_backoff_time = 8000s
  78. # how long to wait when servers connect before receiving rest of data
  79. smtp_helo_timeout = 60s
  80. # how many address can be used in one message.
  81. # effective stopper to mass spammers, accidental copy in whole address list
  82. # but may restrict intentional mail shots.
  83. smtpd_recipient_limit = 16
  84. # how many error before back off.
  85. smtpd_soft_error_limit = 3
  86. # how many max errors before blocking it.
  87. smtpd_hard_error_limit = 12
  88.  
  89. # This next set are important for determining who can send mail and relay mail
  90. # to other servers. It is very important to get this right - accidentally producing
  91. # an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
  92. #
  93. # You are encouraged to read up on what exactly each of these options accomplish.
  94.  
  95. # Requirements for the HELO statement
  96. smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
  97. # Requirements for the sender details
  98. smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
  99. # Requirements for the connecting server
  100. smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
  101. # Requirement for the recipient address. Note that the entry for
  102. # "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
  103. smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
  104. smtpd_data_restrictions = reject_unauth_pipelining
  105. # This is a new option as of Postfix 2.10, and is required in addition to
  106. # smtpd_recipient_restrictions for things to work properly in this setup.
  107. smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
  108.  
  109. # require proper helo at connections
  110. smtpd_helo_required = yes
  111. # waste spammers time before rejecting them
  112. smtpd_delay_reject = yes
  113. disable_vrfy_command = yes
  114.  
  115. # General host and delivery info
  116. # ----------------------------------
  117.  
  118. myhostname = <REDACTED>
  119. myorigin = /etc/hostname
  120. # Some people see issues when setting mydestination explicitly to the server
  121. # subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
  122. # mydestination = mail.example.com, localhost
  123. mydestination =
  124. # If you have a separate web server that sends outgoing mail through this
  125. # mailserver, you may want to add its IP address to the space-delimited list in
  126. # mynetworks, e.g. as 10.10.10.10/32.
  127. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  128. mailbox_size_limit = 0
  129. recipient_delimiter = +
  130. inet_interfaces = all
  131. mynetworks_style = host
  132.  
  133. # This specifies where the virtual mailbox folders will be located.
  134. virtual_mailbox_base = /var/vmail
  135. # This is for the mailbox location for each user. The domainaliases
  136. # map allows us to make use of Postfix Admin's domain alias feature.
  137. virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
  138. # and their user id
  139. virtual_uid_maps = static:150
  140. # and group id
  141. virtual_gid_maps = static:8
  142. # This is for aliases. The domainaliases map allows us to make
  143. # use of Postfix Admin's domain alias feature.
  144. virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
  145. # This is for domain lookups.
  146. virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
  147.  
  148. # Integration with other packages
  149. # ---------------------------------------
  150.  
  151. # Tell postfix to hand off mail to the definition for dovecot in master.cf
  152. virtual_transport = dovecot
  153. dovecot_destination_recipient_limit = 1
  154.  
  155. # Use amavis for virus and spam scanning
  156. #content_filter = amavis:[127.0.0.1]:10024
  157.  
  158. # Header manipulation
  159. # --------------------------------------
  160.  
  161. # Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
  162. header_checks = regexp:/etc/postfix/header_checks
  163. # getting rid of x-original-to
  164. enable_original_recipient = no
  165.  
  166. # DKIM
  167. # --------------------------------------
  168. milter_default_action = accept
  169. milter_protocol = 2
  170. smtpd_milters = inet:localhost:8891
  171. non_smptd_milters = inet:localhost:8891