
Untitled

a guest
Jul 13th, 2019
  1. # --------------------
  2. # INSTALL-TIME CONFIGURATION INFORMATION
  3. #
  4. # location of the Postfix queue. Default is /var/spool/postfix.
  5. queue_directory = /var/spool/postfix
  6.  
  7. # location of all postXXX commands. Default is /usr/sbin.
  8. command_directory = /usr/sbin
  9.  
  10. # location of all Postfix daemon programs (i.e. programs listed in the
  11. # master.cf file). This directory must be owned by root.
  12. # Default is /usr/libexec/postfix
  13. daemon_directory = /usr/libexec/postfix
  14.  
  15. # location of Postfix-writable data files (caches, random numbers).
  16. # This directory must be owned by the mail_owner account (see below).
  17. # Default is /var/lib/postfix.
  18. data_directory = /var/lib/postfix
  19.  
  20. # owner of the Postfix queue and of most Postfix daemon processes.
  21. # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
  22. # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
  23. # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
  24. # Default is postfix.
  25. mail_owner = postfix
  26.  
  27. # The following parameters are used when installing a new Postfix version.
  28. #
  29. # sendmail_path: The full pathname of the Postfix sendmail command.
  30. # This is the Sendmail-compatible mail posting interface.
  31. #
  32. sendmail_path = /usr/sbin/sendmail.postfix
  33.  
  34. # newaliases_path: The full pathname of the Postfix newaliases command.
  35. # This is the Sendmail-compatible command to build alias databases.
  36. #
  37. newaliases_path = /usr/bin/newaliases.postfix
  38.  
  39. # full pathname of the Postfix mailq command. This is the Sendmail-compatible
  40. # mail queue listing command.
  41. mailq_path = /usr/bin/mailq.postfix
  42.  
  43. # group for mail submission and queue management commands.
  44. # This must be a group name with a numerical group ID that is not shared with
  45. # other accounts, not even with the Postfix account.
  46. setgid_group = postdrop
  47.  
  48. # external command that is executed when a Postfix daemon program is run with
  49. # the -D option.
  50. #
  51. # Use "command .. & sleep 5" so that the debugger can attach before
  52. # the process marches on. If you use an X-based debugger, be sure to
  53. # set up your XAUTHORITY environment variable before starting Postfix.
  54. #
  55. debugger_command =
  56. PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  57. ddd $daemon_directory/$process_name $process_id & sleep 5
  58.  
  59. debug_peer_level = 2
  60.  
  61. # --------------------
  62. # CUSTOM SETTINGS
  63. #
  64.  
  65. # SMTP server response code when recipient or domain not found.
  66. unknown_local_recipient_reject_code = 550
  67.  
  68. # Do not notify local user.
  69. biff = no
  70.  
  71. # Disable the rewriting of "site!user" into "user@site".
  72. swap_bangpath = no
  73.  
  74. # Disable the rewriting of the form "user%domain" to "user@domain".
  75. allow_percent_hack = no
  76.  
  77. # Allow recipient address start with '-'.
  78. allow_min_user = no
  79.  
  80. # Disable the SMTP VRFY command. This stops some techniques used to
  81. # harvest email addresses.
  82. disable_vrfy_command = yes
  83.  
  84. # Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
  85. inet_protocols = all
  86.  
  87. # Enable all network interfaces.
  88. inet_interfaces = all
  89.  
  90. #
  91. # TLS settings.
  92. #
  93. # SSL key, certificate, CA
  94. #
  95. smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
  96. smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail.crt
  97. smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt
  98. smtpd_tls_CApath = /etc/pki/tls/certs
  99.  
  100. #
  101. # Disable SSLv2, SSLv3
  102. #
  103. smtpd_tls_protocols = !SSLv2 !SSLv3
  104. smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
  105. smtp_tls_protocols = !SSLv2 !SSLv3
  106. smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  107. lmtp_tls_protocols = !SSLv2 !SSLv3
  108. lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  109.  
  110. #
  111. # Fix 'The Logjam Attack'.
  112. #
  113. smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
  114. smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
  115. smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem
  116.  
  117. tls_random_source = dev:/dev/urandom
  118.  
  119. # Log only a summary message on TLS handshake completion — no logging of client
  120. # certificate trust-chain verification errors if client certificate
  121. # verification is not required. With Postfix 2.8 and earlier, log the summary
  122. # message, peer certificate summary information and unconditionally log
  123. # trust-chain verification errors.
  124. smtp_tls_loglevel = 1
  125. smtpd_tls_loglevel = 1
  126.  
  127. # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
  128. # not require that clients use TLS encryption.
  129. smtpd_tls_security_level = may
  130.  
  131. # Produce `Received:` message headers that include information about the
  132. # protocol and cipher used, as well as the remote SMTP client CommonName and
  133. # client certificate issuer CommonName.
  134. # This is disabled by default, as the information may be modified in transit
  135. # through other mail servers. Only information that was recorded by the final
  136. # destination can be trusted.
  137. #smtpd_tls_received_header = yes
  138.  
  139. # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
  140. # Use TLS if this is supported by the remote SMTP server, otherwise use
  141. # plaintext.
  142. # References:
  143. # - http://www.postfix.org/TLS_README.html#client_tls_may
  144. # - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
  145. smtp_tls_security_level = may
  146.  
  147. # Use the same CA file as smtpd.
  148. smtp_tls_CApath = /etc/pki/tls/certs
  149. smtp_tls_CAfile = $smtpd_tls_CAfile
  150. smtp_tls_note_starttls_offer = yes
  151.  
  152. # Enable long, non-repeating, queue IDs (queue file names).
  153. # The benefit of non-repeating names is simpler logfile analysis and easier
  154. # queue migration (there is no need to run "postsuper" to change queue file
  155. # names that don't match their message file inode number).
  156. enable_long_queue_ids = yes
  157.  
  158. # Reject unlisted sender and recipient
  159. smtpd_reject_unlisted_recipient = yes
  160. smtpd_reject_unlisted_sender = yes
  161.  
  162. # Header and body checks with PCRE table
  163. header_checks = pcre:/etc/postfix/header_checks
  164. body_checks = pcre:/etc/postfix/body_checks.pcre
  165.  
  166. # A mechanism to transform commands from remote SMTP clients.
  167. # This is a last-resort tool to work around client commands that break
  168. # interoperability with the Postfix SMTP server. Other uses involve fault
  169. # injection to test Postfix's handling of invalid commands.
  170. # Requires Postfix-2.7+.
  171. smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
  172.  
  173. # HELO restriction
  174. smtpd_helo_required = yes
  175. smtpd_helo_restrictions =
  176. permit_mynetworks
  177. permit_sasl_authenticated
  178. check_helo_access pcre:/etc/postfix/helo_access.pcre
  179. reject_non_fqdn_helo_hostname
  180. reject_unknown_helo_hostname
  181.  
  182. # Sender restrictions
  183. smtpd_sender_restrictions =
  184. reject_unknown_sender_domain
  185. reject_non_fqdn_sender
  186. reject_unlisted_sender
  187. permit_mynetworks
  188. permit_sasl_authenticated
  189. check_sender_access pcre:/etc/postfix/sender_access.pcre
  190.  
  191. # Recipient restrictions
  192. smtpd_recipient_restrictions =
  193. reject_non_fqdn_recipient
  194. reject_unlisted_recipient
  195. check_policy_service inet:127.0.0.1:7777
  196. permit_mynetworks
  197. permit_sasl_authenticated
  198. reject_unauth_destination
  199.  
  200. # END-OF-MESSAGE restrictions
  201. smtpd_end_of_data_restrictions =
  202. check_policy_service inet:127.0.0.1:7777
  203.  
  204. # Data restrictions
  205. smtpd_data_restrictions = reject_unauth_pipelining
  206.  
  207. # SRS (Sender Rewriting Scheme) support
  208. #sender_canonical_maps = tcp:127.0.0.1:7778
  209. #sender_canonical_classes = envelope_sender
  210. #recipient_canonical_maps = tcp:127.0.0.1:7779
  211. #recipient_canonical_classes= envelope_recipient,header_recipient
  212.  
  213. proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
  214.  
  215. # Avoid duplicate recipient messages. Default is 'yes'.
  216. enable_original_recipient = no
  217.  
  218. # Virtual support.
  219. virtual_minimum_uid = 2000
  220. virtual_uid_maps = static:2000
  221. virtual_gid_maps = static:2000
  222. virtual_mailbox_base = /var/vmail
  223.  
  224. # Do not set virtual_alias_domains.
  225. virtual_alias_domains =
  226.  
  227. #
  228. # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
  229. # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
  230. # be forced to submit email through port 587 instead.
  231. #
  232. #smtpd_sasl_auth_enable = yes
  233. #smtpd_sasl_security_options = noanonymous
  234. #smtpd_tls_auth_only = yes
  235.  
  236. # hostname
  237. myhostname = mail.xxx.ru
  238. myorigin = $mydomain
  239. mydomain = xxx.ru
  240.  
  241. # trusted SMTP clients which are allowed to relay mail through Postfix.
  242. #
  243. # Note: additional IP addresses/networks listed in mynetworks should be listed
  244. # in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
  245. # for example:
  246. #
  247. # MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
  248. #
  249. mynetworks = 127.0.0.1 [::1] , 192.168.20.0/24
  250.  
  251. # Accepted local emails
  252. mydestination = $myhostname, localhost, localhost.localdomain
  253.  
  254. alias_maps = hash:/etc/postfix/aliases
  255. alias_database = hash:/etc/postfix/aliases
  256.  
  257. # Default message_size_limit.
  258. message_size_limit = 15728640
  259.  
  260. # The set of characters that can separate a user name from its extension
  261. # (example: user+foo), or a .forward file name from its extension (example:
  262. # .forward+foo).
  263. # Postfix 2.11 and later supports multiple characters.
  264. recipient_delimiter = +
  265.  
  266. # The time after which the sender receives a copy of the message headers of
  267. # mail that is still queued. Default setting is disabled (0h) by Postfix.
  268. #delay_warning_time = 1h
  269. #
  270. # Lookup virtual mail accounts
  271. #
  272. transport_maps =
  273. proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
  274. proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
  275. proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
  276.  
  277. sender_dependent_relayhost_maps =
  278. proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
  279.  
  280. # Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
  281. smtpd_sender_login_maps =
  282. proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
  283.  
  284. virtual_mailbox_domains =
  285. proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
  286.  
  287. relay_domains =
  288. $mydestination
  289. proxy:mysql:/etc/postfix/mysql/relay_domains.cf
  290.  
  291. virtual_mailbox_maps =
  292. proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
  293.  
  294. virtual_alias_maps =
  295. proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
  296. proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
  297. proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
  298. proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
  299.  
  300. sender_bcc_maps =
  301. proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
  302. proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
  303.  
  304. recipient_bcc_maps =
  305. proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
  306. proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
  307.  
  308. #
  309. # Postscreen
  310. #
  311. postscreen_greet_action = drop
  312. postscreen_blacklist_action = drop
  313. postscreen_dnsbl_action = drop
  314. postscreen_dnsbl_threshold = 2
  315.  
  316. # Attention:
  317. # - zen.spamhaus.org free tire has 3 limits
  318. # (https://www.spamhaus.org/organization/dnsblusage/):
  319. #
  320. # 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
  321. # 2) Your email traffic is less than 100,000 SMTP connections per day, and
  322. # 3) Your DNSBL query volume is less than 300,000 queries per day.
  323. #
  324. # - FAQ: "Your DNSBL blocks nothing at all!"
  325. # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
  326. #
  327. # It's strongly recommended to use a local DNS server for cache.
  328. postscreen_dnsbl_sites =
  329. zen.spamhaus.org=127.0.0.[2..11]*3
  330. b.barracudacentral.org=127.0.0.2*2
  331.  
  332. postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
  333. postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
  334.  
  335. # Require Postfix-2.11+
  336. #postscreen_dnsbl_whitelist_threshold = -2
  337. #
  338. # Dovecot SASL support.
  339. #
  340. smtpd_sasl_type = dovecot
  341. smtpd_sasl_path = private/dovecot-auth
  342. virtual_transport = dovecot
  343. dovecot_destination_recipient_limit = 1
  344.  
  345. #
  346. # mlmmj - mailing list manager
  347. #
  348. mlmmj_destination_recipient_limit = 1
  349.  
  350. #
  351. # Amavisd + SpamAssassin + ClamAV
  352. #
  353. content_filter = smtp-amavis:[127.0.0.1]:10024
  354.  
  355. # Concurrency per recipient limit.
  356. smtp-amavis_destination_recipient_limit = 1