
/etc/postfix/main.cf

#-------------------------
# Persistent store for postscreen(8) decisions: a btree file under
# $data_directory, opened through the proxymap service (proxy:).
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
#-------------------------

# Per-sender override of the default delivery transport, looked up in a PCRE table.
# NOTE(review): the table's contents are not shown here; it decides where mail
# leaves the system, so keep it writable by root only.
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# Location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# Location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# Location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix; this file overrides it with the path below.
daemon_directory = /usr/lib/postfix/sbin

# Location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# Owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases

# Full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq

# Group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# External command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
# NOTE(review): this is the stock debugging stanza; the PATH it sets includes
# /usr/local/bin and /usr/X11R6/bin, so those directories should not be
# writable by unprivileged users on a host where -D may be used.
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

# Increment in verbose logging level for peers that match debug_peer_list.
# debug_peer_list is not set in this file, so as shown this has no effect.
debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
# 550 is a permanent rejection, so the sending server does not retry.
unknown_local_recipient_reject_code = 550

# Do not send biff "new mail" notifications to local users.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Do NOT allow a sender or recipient address to start with '-'.
# Such addresses can be mistaken for options by software that receives
# addresses on its command line.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Listen only on the addresses listed here (loopback plus five 192.168.11.x
# addresses), not on every interface.
# NOTE(review): inet_protocols is "all" but no IPv6 address is listed, so
# presumably nothing listens on IPv6 -- confirm that this is intended.
inet_interfaces = 127.0.0.1, 192.168.11.104, 192.168.11.204, 192.168.11.205, 192.168.11.206, 192.168.11.207

#
# TLS settings.
#
# SSL key, certificate, CA
#
# NOTE(review): the CA file is the same file as the server certificate, which
# suggests a self-signed certificate -- confirm. The private key file should be
# readable by root only.
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs

#
# Disable SSLv2, SSLv3
#
# NOTE(review): only SSLv2 and SSLv3 are excluded, so TLSv1 and TLSv1.1 remain
# allowed as far as this file shows. Consider adding "!TLSv1 !TLSv1.1", at
# least to the *_mandatory_protocols lists, once no peer depends on them.
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
# NOTE(review): "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5" look like typos (compare
# the CBC3 spelling in the neighbouring entries, and DES). A name the TLS
# library does not recognise most likely excludes nothing; check the effective
# list with "openssl ciphers" before relying on it.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
# DH parameters for export-grade EDH ciphers; EXPORT is excluded above.
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
# DH parameters for non-export EDH ciphers. The parameter name is historical;
# the file name suggests a 2048-bit group -- verify the actual size.
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem

# Entropy source used to seed the TLS pseudo-random number generator.
tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
# Clients that do not issue STARTTLS are served in plaintext.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# At this level delivery is not refused when the remote certificate cannot be
# verified, and there is no protection against a downgrade to plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = $smtpd_tls_CAfile
# Log the names of remote servers that offer STARTTLS when TLS is not already
# in use for them.
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header, body and MIME header checks (one PCRE table, two regexp tables).
# NOTE(review): smtp_header_checks applies to mail that the Postfix SMTP
# client sends out; the receive-side "header_checks" parameter is not set in
# this file. Confirm that filtering only on delivery is intended.
smtp_header_checks = regexp:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
mime_header_checks = regexp:/etc/postfix/mime_header_checks

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction
# Restrictions are evaluated in the order listed; the first match decides.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
# One computer sends its own machine name as the HELO hostname, and that name
# does not pass the two restrictions below.
# This happens with different mail clients.
# It is unclear how to fix this on the client side, so the checks are disabled
# on the server side.
# NOTE(review): with both checks off, HELO filtering rests on helo_access.pcre
# alone.
#    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname

# Sender restrictions
# The reject_* entries come before the permit_* entries, so they also apply to
# clients in $mynetworks and to SASL-authenticated clients.
# NOTE(review): smtpd_sender_login_maps is set further down, but no
# reject_sender_login_mismatch (or similar) appears in this file and the
# policy service below is commented out. Check master.cf or the policy daemon
# for where authenticated users are stopped from sending as other addresses.
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions
# reject_unauth_destination is what prevents open relaying: clients that are
# neither in $mynetworks nor SASL-authenticated can reach only domains this
# server is responsible for. Keep it in this list.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    #check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# END-OF-MESSAGE restrictions
#smtpd_end_of_data_restrictions =
#    check_policy_service inet:127.0.0.1:7777

# Data restrictions
# Reject clients that send SMTP commands ahead of time without permission.
smtpd_data_restrictions = reject_unauth_pipelining

# Lookup tables that the proxymap service is allowed to open for reading.
# A proxy: table used elsewhere must be reachable through one of these
# parameters.
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
# With 'no', the original recipient address is not recorded in an
# X-Original-To header.
enable_original_recipient = no

# Virtual support.
# Every virtual mailbox uses the same static uid and gid (2000) under
# /var/vmail.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
# NOTE(review): all three lines stay commented out, so this file does not turn
# SASL on. Presumably the submission service in master.cf (not shown) enables
# it together with smtpd_tls_auth_only -- confirm.
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes

# Hostname, origin domain for locally posted mail, and local domain.
# All three are set to the same name.
myhostname = mail02.test.com
myorigin = mail02.test.com
mydomain = mail02.test.com

# Trusted SMTP clients which are allowed to relay mail through Postfix.
# Only the loopback addresses are trusted here.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
# NOTE(review): "aa.bb.cc.dd" looks like a redacted placeholder -- replace it
# with the real value or remove it.
mydestination = $myhostname, localhost, localhost.localdomain, aa.bb.cc.dd

# Local alias table; alias_database names the file that newaliases rebuilds.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit, in bytes (15728640 = 15 MiB).
message_size_limit = 15728640

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h

# Compatibility level for Postfix default settings.
compatibility_level = 2
#
# Lookup virtual mail accounts
#
# All tables below are PostgreSQL lookups made through the proxymap service.
# NOTE(review): pgsql table definition files normally hold the database
# password, so /etc/postfix/pgsql/*.cf should not be world-readable -- verify
# ownership and mode.
transport_maps =
    proxy:pgsql:/etc/postfix/pgsql/transport_maps_user.cf
    proxy:pgsql:/etc/postfix/pgsql/transport_maps_maillist.cf
    proxy:pgsql:/etc/postfix/pgsql/transport_maps_domain.cf

# Per-sender relay host, looked up in the database.
sender_dependent_relayhost_maps =
    proxy:pgsql:/etc/postfix/pgsql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
# This table is only consulted by restrictions that use it (for example
# reject_sender_login_mismatch); none of them is listed in this file.
smtpd_sender_login_maps =
    proxy:pgsql:/etc/postfix/pgsql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf

virtual_mailbox_maps =
    proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf

# Tables are searched in the order listed; the local regexp table comes first.
virtual_alias_maps =
    regexp:/etc/postfix/virtual-map
    proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
    proxy:pgsql:/etc/postfix/pgsql/domain_alias_maps.cf
    proxy:pgsql:/etc/postfix/pgsql/catchall_maps.cf
    proxy:pgsql:/etc/postfix/pgsql/domain_alias_catchall_maps.cf

# Automatic BCC by sender, per user and per domain.
sender_bcc_maps =
    proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_user.cf
    proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_domain.cf

# Automatic BCC by recipient, per user and per domain.
recipient_bcc_maps =
    proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_user.cf
    proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
# "enforce" rejects the client once a test fails, instead of only logging it.
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
# A client is blocked when its combined DNSBL score reaches this value.
# With the weights below (3 and 2), a listing on either site alone is enough.
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2

# Replaces the DNSBL domain name in the SMTP reply sent to the client.
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
# Permanent allow/deny list: $mynetworks first, then the CIDR table.
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
# NOTE(review): no site with a negative weight is listed in
# postscreen_dnsbl_sites, so as shown a score of -2 cannot be reached and this
# setting has no effect.
postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
# smtpd_sasl_path is relative to the Postfix queue directory.
# NOTE(review): the socket's owner and mode are set on the Dovecot side (not
# shown); it should be accessible to the postfix user only.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
# Virtual mailbox delivery goes to the "dovecot" transport, one recipient per
# delivery.
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# mlmmj - mailing list manager
#
mlmmj_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
# Mail is handed to the content filter on the loopback address, port 10024,
# through the smtp-amavis transport.
# NOTE(review): the matching transport and the re-injection listener live in
# master.cf (not shown); confirm that the re-injection port is bound to
# loopback only.
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
# A recipient limit of 1 makes the transport's concurrency limit apply per
# recipient rather than per destination.
smtp-amavis_destination_recipient_limit = 1