
/etc/postfix/main.cf

mx10:~# cat /etc/postfix/main.cf
  2. ##
  3. ## Netzwerkeinstellungen
  4. ##
  5.  
  6. myhostname = mx10.example.com
  7. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  8. inet_interfaces = 127.0.0.1, [::1], 49.12.999.999, [2a01:4f8:9999:999::1]
  9. smtp_bind_address = 49.12.999.999
  10. smtp_bind_address6 = 2a01:4f8:9999:999::1
  11.  
  12. ##
  13. ## Mail-Queue Einstellungen
  14. ##
  15.  
  16. maximal_queue_lifetime = 1h
  17. bounce_queue_lifetime = 1h
  18. maximal_backoff_time = 15m
  19. minimal_backoff_time = 5m
  20. queue_run_delay = 5m
  21.  
  22. ##
  23. ## TLS Einstellungen
  24. ## Quelle: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1d&guideline=5.4
  25. ##
  26.  
  27. ### Allgemein
  28. tls_preempt_cipherlist = no
  29. tls_ssl_options = NO_COMPRESSION
  30. tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  31.  
  32. ### Ausgehende SMTP-Verbindungen (Postfix als Sender)
  33. smtp_tls_security_level = dane
  34. smtp_dns_support_level = dnssec
  35. smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
  36. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  37. smtp_tls_ciphers = medium
  38. smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
  39.  
  40. ### Eingehende SMTP-Verbindungen
  41. smtpd_tls_security_level = may
  42. smtpd_tls_auth_only = yes
  43. smtpd_tls_ciphers = medium
  44. smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
  45. smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
  46. smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  47. smtpd_tls_cert_file=/etc/letsencrypt/live/mx10.example.com/fullchain.pem
  48. smtpd_tls_key_file=/etc/letsencrypt/live/mx10.example.com/privkey.pem
  49. smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
  50.  
  51.  
  52. ##
  53. ## Lokale Mailzustellung an Dovecot
  54. ##
  55.  
  56. virtual_transport = lmtp:unix:private/dovecot-lmtp
  57.  
  58. ##
  59. ## Spamfilter und DKIM-Signaturen via Rspamd
  60. ##
  61.  
  62. smtpd_milters = inet:localhost:11332
  63. non_smtpd_milters = inet:localhost:11332
  64. milter_protocol = 6
  65. milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
  66. milter_default_action = accept
  67.  
  68. relay_domains = hash:/etc/postfix/relay
  69. transport_maps = hash:/etc/postfix/transport
  70.  
  71. ##
  72. ## Server Restrictions für Clients, Empfänger und Relaying
  73. ## (im Bezug auf S2S-Verbindungen. Mailclient-Verbindungen werden in master.cf im Submission-Bereich konfiguriert)
  74. ##
  75.  
  76. ### Bedingungen, damit Postfix als Relay arbeitet (für Clients)
  77. smtpd_relay_restrictions = reject_non_fqdn_recipient
  78. reject_unknown_recipient_domain
  79. permit_mynetworks
  80. reject_unauth_destination
  81.  
  82. ### Bedingungen, damit Postfix ankommende E-Mails als Empfängerserver entgegennimmt (zusätzlich zu relay-Bedingungen)
  83. ### check_recipient_access prüft, ob ein account sendonly ist
  84. smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/recipient-access.cf
  85.  
  86.  
  87. ### Bedingungen, die SMTP-Clients erfüllen müssen (sendende Server)
  88. smtpd_client_restrictions = permit_mynetworks
  89. check_client_access hash:/etc/postfix/without_ptr
  90. reject_unknown_client_hostname
  91.  
  92.  
  93. ### Wenn fremde Server eine Verbindung herstellen, müssen sie einen gültigen Hostnamen im HELO haben.
  94. #smtpd_helo_required = yes
  95. # nur ein test
  96. smtpd_helo_required = no
  97. smtpd_helo_restrictions = permit_mynetworks
  98. reject_invalid_helo_hostname
  99. reject_non_fqdn_helo_hostname
  100. reject_unknown_helo_hostname
  101.  
  102. # Clients blockieren, wenn sie versuchen zu früh zu senden
  103. smtpd_data_restrictions = reject_unauth_pipelining
  104.  
  105.  
  106. ##
  107. ## Restrictions für MUAs (Mail user agents)
  108. ##
  109.  
  110. mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
  111. #mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
  112. mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject
  113. mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
  114.  
  115.  
  116. ##
  117. ## MySQL Abfragen
  118. ##
  119.  
  120. proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
  121. proxy:mysql:/etc/postfix/sql/accounts.cf
  122. proxy:mysql:/etc/postfix/sql/domains.cf
  123. proxy:mysql:/etc/postfix/sql/recipient-access.cf
  124. proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
  125. proxy:mysql:/etc/postfix/sql/tls-policy.cf
  126.  
  127. virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
  128. virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
  129. virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
  130. local_recipient_maps = $virtual_mailbox_maps
  131.  
  132.  
  133. ##
  134. ## Sonstiges
  135. ##
  136.  
  137. ### Maximale Größe der gesamten Mailbox (soll von Dovecot festgelegt werden, 0 = unbegrenzt)
  138. mailbox_size_limit = 0
  139.  
  140. ### Maximale Größe eingehender E-Mails in Bytes (50 MB)
  141. message_size_limit = 52428800
  142.  
  143. ### Keine System-Benachrichtigung für Benutzer bei neuer E-Mail
  144. biff = no
  145.  
  146. ### Nutzer müssen immer volle E-Mail Adresse angeben - nicht nur Hostname
  147. append_dot_mydomain = no
  148.  
  149. ### Trenn-Zeichen für "Address Tagging"
  150. recipient_delimiter = +
  151.  
  152. ### Keine Rückschlüsse auf benutzte Mailadressen zulassen
  153. disable_vrfy_command = yes