- mx10:~# cat /etc/postfix/main.cf
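##
## /etc/postfix/main.cf for mx10.example.com
## Postfix syntax: "#" starts a full-line comment; a line that begins with
## whitespace continues the value of the preceding parameter (the multi-line
## restriction lists below rely on this). Postfix has no inline comments -
## text after a value becomes part of the value.
##

##
## Network settings
##
myhostname = mx10.example.com
# Only loopback ranges are trusted, so permit_mynetworks in the restriction
# lists below matches local submission only.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# NOTE(review): 49.12.999.999 is not a valid IPv4 address (octet > 255) and
# 2a01:4f8:9999:999::1 looks redacted as well - replace both before use.
inet_interfaces = 127.0.0.1, [::1], 49.12.999.999, [2a01:4f8:9999:999::1]
smtp_bind_address = 49.12.999.999
smtp_bind_address6 = 2a01:4f8:9999:999::1

##
## Mail queue settings
##
# Mail still undeliverable after 1h is bounced. This is far below the Postfix
# default of several days, so a remote outage longer than one hour produces
# bounces instead of delayed delivery.
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

##
## TLS settings
## Source: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1d&guideline=5.4
##
### General
# The client's cipher preference order is honoured (Mozilla intermediate profile).
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
# "medium" is the grade referenced by smtp_tls_ciphers / smtpd_tls_ciphers
# below; the list contains only forward-secret AEAD suites.
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
### Outbound SMTP connections (Postfix as client)
# DANE: where the destination publishes DNSSEC-signed TLSA records, TLS is
# authenticated against them; otherwise this degrades to opportunistic TLS.
# The dnssec support level needs a DNSSEC-validating resolver on this host -
# without one, DANE cannot be enforced (see postconf(5)).
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# Per-destination overrides (e.g. forcing a stricter level for chosen domains).
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = medium
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections (Postfix as server)
# Opportunistic TLS on port 25 ("may" is the correct level for server-to-
# server mail); SASL authentication is only offered once TLS is active.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
# SSLv2/3 and TLS 1.0/1.1 are disabled for both opportunistic and mandatory TLS.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Let's Encrypt certificate and key; keep the key file readable by root only.
smtpd_tls_cert_file = /etc/letsencrypt/live/mx10.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx10.example.com/privkey.pem
# Legacy parameter name, but it is the one Postfix uses for the non-export
# DH group; the file name indicates a 2048-bit group.
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

##
## Local mail delivery to Dovecot
##
virtual_transport = lmtp:unix:private/dovecot-lmtp

##
## Spam filtering and DKIM signing via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Fail-open: if the milter is unreachable, inbound mail is accepted unfiltered
# and outbound mail leaves unsigned. "tempfail" would defer instead, trading
# availability for guaranteed filtering.
milter_default_action = accept
# Relay domains and per-domain transports from local lookup tables.
relay_domains = hash:/etc/postfix/relay
transport_maps = hash:/etc/postfix/transport

##
## Server restrictions for clients, recipients and relaying
## (for server-to-server connections; MUA connections are configured in
## master.cf in the submission section, using the mua_* parameters below)
##
### Conditions under which Postfix acts as a relay (for clients)
# reject_unauth_destination is what prevents an open relay; permit_mynetworks
# before it only matches loopback (see mynetworks).
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
### Conditions for accepting inbound mail as the recipient server
### (in addition to the relay conditions)
### check_recipient_access checks whether an account is send-only
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/recipient-access.cf
### Conditions that SMTP clients (sending servers) must fulfil
# reject_unknown_client_hostname refuses clients whose IP has no matching
# PTR/A record pair; without_ptr is the allow-list for legitimate exceptions.
smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/without_ptr
    reject_unknown_client_hostname
### Foreign servers connecting here must present a valid HELO hostname.
#smtpd_helo_required = yes
# just a test
# NOTE(review): with smtpd_helo_required = no the smtpd_helo_restrictions
# below are only evaluated when a client actually sends HELO/EHLO, so a client
# that skips the greeting bypasses them. Revert to "yes" once the test is over.
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# Block clients that try to send before they are allowed to (early pipelining)
smtpd_data_restrictions = reject_unauth_pipelining

##
## Restrictions for MUAs (mail user agents); referenced from master.cf
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
# NOTE(review): the earlier version kept below dropped reject_sender_login_mismatch.
# Without it, any SASL-authenticated account may use any envelope sender,
# including other users' addresses; the sender-login-maps.cf table listed under
# proxy_read_maps is then not enforced here. smtpd_sender_login_maps is not set
# in this file either - confirm whether master.cf sets it.
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

##
## MySQL lookups
##
# Setting proxy_read_maps replaces the default list: proxymap(8) only serves
# the proxy: tables named here, so every proxy:mysql: map used anywhere
# (including master.cf) must appear in this list.
proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
    proxy:mysql:/etc/postfix/sql/accounts.cf
    proxy:mysql:/etc/postfix/sql/domains.cf
    proxy:mysql:/etc/postfix/sql/recipient-access.cf
    proxy:mysql:/etc/postfix/sql/sender-login-maps.cf
    proxy:mysql:/etc/postfix/sql/tls-policy.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps

##
## Miscellaneous
##
### Maximum size of the whole mailbox (left to Dovecot; 0 = unlimited)
mailbox_size_limit = 0
### Maximum size of incoming mail in bytes (50 MB)
message_size_limit = 52428800
### No system notification for users on new mail
biff = no
### Users must always give the full e-mail address - not just the host name
append_dot_mydomain = no
### Separator character for "address tagging" (user+tag@domain)
recipient_delimiter = +
### Do not allow probing for existing addresses (VRFY is refused)
disable_vrfy_command = yes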