- # Postfix main.cf. A commented, more complete reference version ships as
- # /usr/share/postfix/main.cf.dist.
- # Greeting sent to every connecting client. It names the host and the mail
- # software ($mail_name); no version variable is included in it.
- smtpd_banner = $myhostname ESMTP $mail_name
- # No local "new mail" notifications.
- biff = no
- # Completing a partial address by appending .domain is left to the MUA.
- append_dot_mydomain = no
- readme_directory = no
- # SASL parameters
- # ---------------------------------
- # SMTP AUTH is switched on and delegated to Dovecot.
- smtpd_sasl_auth_enable = yes
- smtpd_sasl_type = dovecot
- # Dovecot auth socket, relative to the Postfix queue directory
- # (i.e. /var/spool/postfix/private/auth).
- smtpd_sasl_path = private/auth
- smtpd_sasl_local_domain =
- # Only anonymous mechanisms are refused; plaintext mechanisms stay allowed.
- # NOTE(review): this file does not set smtpd_tls_auth_only and
- # smtpd_tls_security_level is "may", so AUTH can be offered on sessions that
- # never negotiated TLS and passwords may cross the network unencrypted.
- # Consider smtpd_tls_auth_only = yes unless master.cf already enforces it.
- smtpd_sasl_security_options = noanonymous
- # Additionally advertise AUTH in the legacy "AUTH=" form for old clients.
- broken_sasl_auth_clients = yes
- # Writes the SASL login name into the Received: header of authenticated
- # mail, so account names become visible to recipients.
- # NOTE(review): confirm that disclosure is intended.
- smtpd_sasl_authenticated_header = yes
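- # TLS parameters
- # ---------------------------------
- # The default snakeoil certificate. Comment out if using a purchased
- # SSL certificate. A self-signed certificate still encrypts the session,
- # but connecting peers and mail clients cannot verify this server with it.
- smtpd_tls_cert_file = /etc/ssl/certs/<REDACTED>
- smtpd_tls_key_file = /etc/ssl/private/<REDACTED>
- # Uncomment if using a purchased SSL certificate.
- # smtpd_tls_cert_file = /etc/ssl/certs/example.com.crt
- # smtpd_tls_key_file = /etc/ssl/private/example.com.key
- # The snakeoil self-signed certificate has no need for a CA file. But
- # if you are using your own SSL certificate, then you probably have
- # a CA certificate bundle from your provider. The path to that goes
- # here.
- smtpd_tls_CAfile = /etc/ssl/certs/<REDACTED>
- # Ensure we're not using no-longer-secure protocols.
- # smtpd_tls_mandatory_protocols is consulted only when TLS is mandatory
- # (security level "encrypt" or stronger).
- smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
- # This server runs at security level "may" (see below), i.e. opportunistic
- # TLS, which is governed by smtpd_tls_protocols instead. Repeat the exclusion
- # there so it actually applies to the sessions this server accepts.
- smtpd_tls_protocols = !SSLv2,!SSLv3
- # NOTE(review): TLSv1 and TLSv1.1 are deprecated as well (RFC 8996). Add
- # !TLSv1,!TLSv1.1 to both lists once the clients that must connect are known
- # to support TLSv1.2 or later.
- smtp_tls_note_starttls_offer = yes
- # Level 1 logs a summary line per TLS handshake.
- smtpd_tls_loglevel = 1
- # Record protocol and cipher details in the Received: header.
- smtpd_tls_received_header = yes
- smtpd_tls_session_cache_timeout = 3600s
- tls_random_source = dev:/dev/urandom
- #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
- #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
- # Note that forcing use of TLS is going to cause breakage - most mail servers
- # don't offer it and so delivery will fail, both incoming and outgoing. This is
- # unfortunate given what various governmental agencies are up to these days.
- #
- # Opportunistic TLS ("may") does not authenticate the peer and falls back to
- # plaintext when STARTTLS is not offered, so it protects against passive
- # eavesdropping only; an active attacker on the path can suppress STARTTLS.
- #
- # Enable (but don't force) all incoming smtp connections to use TLS.
- smtpd_tls_security_level = may
- # Enable (but don't force) all outgoing smtp connections to use TLS.
- smtp_tls_security_level = may
- # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
- # information on enabling SSL in the smtp client.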
- # SMTPD parameters
- # ---------------------------------
- # To have "delayed mail" warnings generated, uncomment the following line.
- #delay_warning_time = 4h
- # Reply code for unknown local recipients. 450 is a temporary failure, so
- # the sending server keeps retrying instead of bouncing at once.
- # NOTE(review): 450 is the usual choice while testing; confirm whether a
- # permanent 550 is wanted in production.
- unknown_local_recipient_reject_code = 450
- # A message stays queued for at most 7 days before it is returned as
- # undeliverable. Longer lifetimes suit backup servers whose primaries may
- # be switched off for a while.
- maximal_queue_lifetime = 7d
- # Lower and upper bound on the wait between delivery retries.
- minimal_backoff_time = 1000s
- maximal_backoff_time = 8000s
- # Outbound (smtp client) time limit for the HELO/EHLO exchange.
- smtp_helo_timeout = 60s
- # Cap on recipients per message. Stops mass spammers and an accidentally
- # pasted address list, but can also restrict intentional mail shots.
- smtpd_recipient_limit = 16
- # Number of errors from one client before replies start being delayed.
- smtpd_soft_error_limit = 3
- # Number of errors from one client before the session is dropped.
- smtpd_hard_error_limit = 12
- # This next set are important for determining who can send mail and relay mail
- # to other servers. It is very important to get this right - accidentally producing
- # an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
- #
- # You are encouraged to read up on what exactly each of these options accomplish.
- # Each list is evaluated left to right and the first match decides, so the
- # order of the entries is part of the policy. Do not reorder them casually.
- #
- # Requirements for the HELO statement
- # warn_if_reject applies only to the restriction that follows it: a non-FQDN
- # HELO name is logged but not rejected, while reject_invalid_hostname is enforced.
- smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
- # Requirements for the sender details
- # Authenticated and local clients are accepted before any sender check runs;
- # here too warn_if_reject makes reject_non_fqdn_sender log-only.
- smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
- # Requirements for the connecting server
- # These DNSBL lookups come first in the list, with no permit_mynetworks or
- # permit_sasl_authenticated ahead of them, so they apply to every client.
- # NOTE(review): confirm that each DNSBL zone listed is still operated. A
- # retired zone adds lookup latency, and one that starts answering for every
- # query rejects legitimate mail. dnsbl.njabl.org in particular is believed
- # to have been shut down - verify before relying on this line.
- smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
- # Requirement for the recipient address. Note that the entry for
- # "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
- # reject_unauth_destination sits before the final permit: mail from clients
- # that are neither in mynetworks nor SASL-authenticated is refused unless it
- # is addressed to a domain this server handles. That entry is what keeps
- # this from being an open relay.
- smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
- # Reject clients that send further commands without waiting for replies.
- smtpd_data_restrictions = reject_unauth_pipelining
- # This is a new option as of Postfix 2.10, and is required in addition to
- # smtpd_recipient_restrictions for things to work properly in this setup.
- # The list is identical to smtpd_recipient_restrictions above; keep the two
- # in step, and keep reject_unauth_destination ahead of the trailing permit.
- smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
- # require proper helo at connections
- smtpd_helo_required = yes
- # waste spammers time before rejecting them
- smtpd_delay_reject = yes
- # Refuse VRFY so the server cannot be used to test which addresses exist.
- disable_vrfy_command = yes
- # General host and delivery info
- # ----------------------------------
- myhostname = <REDACTED>
- # NOTE(review): Debian's stock configuration points myorigin at
- # /etc/mailname; confirm that /etc/hostname is intended here and that it
- # holds the domain wanted on locally posted mail.
- myorigin = /etc/hostname
- # Setting mydestination explicitly to the server subdomain causes issues for
- # some people, whereas an empty value generally does no harm, so it stays
- # empty here.
- # mydestination = mail.example.com, localhost
- mydestination =
- # Space-delimited list of trusted networks. permit_mynetworks in the
- # restriction lists lets these clients send and relay without
- # authenticating, so keep the list as narrow as possible. A separate web
- # server that sends outgoing mail through this mailserver can be added by
- # IP address, e.g. as 10.10.10.10/32.
- mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- # 0 disables the mailbox size limit.
- mailbox_size_limit = 0
- recipient_delimiter = +
- # Listen on every network interface.
- inet_interfaces = all
- # NOTE(review): mynetworks is set explicitly above; as far as I know
- # mynetworks_style is ignored in that case - confirm and drop if redundant.
- mynetworks_style = host
- # Root directory under which the virtual mailbox folders live.
- virtual_mailbox_base = /var/vmail
- # Per-user mailbox location lookup. The second (domainaliases) map is what
- # makes Postfix Admin's domain alias feature work.
- # NOTE(review): the mysql:*.cf lookup files referenced in this section
- # presumably contain the database credentials; check that they are not
- # world-readable.
- virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
- # Every virtual mailbox is written with this fixed user id ...
- virtual_uid_maps = static:150
- # ... and this fixed group id.
- # NOTE(review): confirm uid 150 / gid 8 map to the dedicated mail storage
- # account on this host and to nothing more privileged.
- virtual_gid_maps = static:8
- # Alias lookup. As above, the domainaliases map supports Postfix Admin's
- # domain alias feature.
- virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
- # Lookup of the domains this server hosts mailboxes for.
- virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
- # Integration with other packages
- # ---------------------------------------
- # Virtual mailbox delivery is handed to the "dovecot" transport, which must
- # be defined in master.cf.
- virtual_transport = dovecot
- # Hand that transport one recipient per delivery.
- dovecot_destination_recipient_limit = 1
- # amavis virus and spam scanning. The line is commented out, so no content
- # filter is applied by this file as it stands.
- #content_filter = amavis:[127.0.0.1]:10024
- # Header manipulation
- # --------------------------------------
- # Strip unwanted headers using the regexp table below.
- # See: https://posluns.com/guides/header-removal/
- header_checks = regexp:/etc/postfix/header_checks
- # Do not add the X-Original-To header.
- enable_original_recipient = no
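- # DKIM
- # --------------------------------------
- # Fail-open: if the milter is unreachable or errors out, mail is accepted as
- # though no milter were configured, so it can leave unsigned.
- # NOTE(review): confirm fail-open is intended, and monitor the milter.
- milter_default_action = accept
- # NOTE(review): confirm this protocol version matches what the milter
- # listening on port 8891 expects.
- milter_protocol = 2
- # Milter applied to mail arriving over SMTP.
- smtpd_milters = inet:localhost:8891
- # Milter applied to mail that does not arrive over SMTP (e.g. local
- # sendmail submission). The parameter name was misspelled "non_smptd_milters",
- # which Postfix does not recognise, so such mail bypassed the milter.
- non_smtpd_milters = inet:localhost:8891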