
Untitled

a guest
May 2nd, 2022
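  1. # R0NAM1's Lean, mean and clean mail relay config file!
  2. # https://serverfault.com/questions/536001/how-to-route-mail-in-postifix-based-on-recipient-address
  3. #
  4. # Postfix main.cf: comments need their own line (text after a value becomes
  5. # part of the value) and a line starting with whitespace continues the
  6. # previous parameter, so every multi-line value below is indented.
  7.  
  8. # The banner shown at connect, test it with telnet!
  9. # Postfix requires $myhostname at the start of the banner text.
  10. # Drop $mail_name to avoid advertising the MTA software.
  11. smtpd_banner = $myhostname ESMTP $mail_name
  12.  
  13. # Meant for upgrades, oldest version this config is compatible with.
  14. #compatibility_level = 3.6
  15.  
  16. # The actual hostname of the system.
  17. myhostname = private-relay.my.domain
  18.  
  19. # SMTPD settings
  20. smtpd_delay_reject = yes
  21. smtpd_helo_required = yes
  22. smtpd_helo_restrictions =
  23.     permit_mynetworks,
  24. # Normally should be defined, but as these servers are private and under NAT,
  25. # this option is mitigated by just IP blocking all other connections, even
  26. # then not a big deal for now. While these stay disabled, the firewall is the
  27. # only control on what HELO names reach this server.
  28. #    reject_non_fqdn_helo_hostname,
  29. #    reject_invalid_helo_hostname,
  30.     permit
  31.  
  32. # Aliasing emails.
  33. virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
  34.  
  35. # All domains I am allowed to relay.
  36. relay_domains = $mydestination
  37.  
  38. # Based on domain take incoming email and forward it to these servers, the actual domain mail servers:
  39. transport_maps = hash:/etc/postfix/relay_maps
  40. # Change to lmdb when in docker container
  41.  
  42. # Which client networks are trusted? Every address listed here passes
  43. # permit_mynetworks without authenticating, so 0.0.0.0/0 would trust every
  44. # IPv4 client that can reach the port. Keep loopback and add only the
  45. # backend subnet(s), for example:
  46. #   mynetworks = 127.0.0.0/8, <BACKEND_SUBNET_CIDR>
  47. mynetworks = 127.0.0.0/8
  48.  
  49. # VERY Useful for debugging, tells you everything it possibly could.
  50. # Verbose peer logging records SMTP session detail; leave it off in normal operation.
  51. #debug_peer_level = 10
  52. #debug_peer_list=google.com
  53.  
  54. # Mail log
  55. maillog_file = /var/log/postfix.log
  56.  
  57. # Can be native (nsswitch.conf, or equivalent mechanism), or reach out to DNS, or both.
  58. smtp_host_lookup = dns
  59.  
  60. # Where does outgoing mail appear from? My domain of course! Toasty.cafe!
  61. myorigin = $mydomain
  62.  
  63. # Debugger hook; the continuation lines must start with whitespace.
  64. debugger_command =
  65.     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  66.     ddd $daemon_directory/$process_name $process_id & sleep 5
  67.  
  68. inet_protocols = ipv4
  69.  
  70. ####CUSTOM
  71.  
  72. # Enable SASL authentication
  73. smtpd_sasl_auth_enable = yes
  74.  
  75. # Also advertise the non-standard "AUTH=" form alongside "AUTH " to support broken clients, esp. Outlook
  76. broken_sasl_auth_clients = yes
  77.  
  78. # Do not allow anonymous access for SASL. Very important.
  79. # noplaintext additionally refuses plaintext mechanisms on sessions without TLS.
  80. #smtpd_sasl_security_options = noanonymous
  81.  
  82. smtpd_sasl_security_options = noanonymous, noplaintext
  83.  
  84. # Do not allow anonymous access for SASL over TLS/SSL. Here
  85. # plaintext auth should not be a problem.
  86. smtpd_sasl_tls_security_options = noanonymous
  87.  
  88. # Relay policy, evaluated in order:
  89. #  - whatever /etc/postfix/recipient_domains decides for the recipient,
  90. #  - clients in mynetworks may relay,
  91. #  - SASL-authenticated clients may relay to any destination,
  92. #  - anything else is rejected unless the destination is one of mine.
  93. # The restriction is spelled permit_sasl_authenticated; Postfix does not
  94. # recognise "permit_sasl_authenticate" and treats it as a configuration error.
  95. # The list ends in an explicit reject so nothing falls through to a permit.
  96. smtpd_relay_restrictions =
  97.     check_recipient_access hash:/etc/postfix/recipient_domains,
  98.     permit_mynetworks,
  99.     permit_sasl_authenticated,
  100.     reject_unauth_destination
  101.  
  102. # Specify which clients we can deliver mail to.
  103. # check_policy_service unix:private/policyd-spf is to check for an spf record;
  104. # it only runs for clients that were not already permitted above it.
  105. smtpd_recipient_restrictions =
  106.     permit_mynetworks,
  107.     permit_sasl_authenticated,
  108.     reject_unauth_destination,
  109.     reject_unknown_recipient_domain,
  110.     reject_unverified_recipient,
  111.     check_policy_service unix:private/policyd-spf
  112.  
  113. ##STARTTLS
  114.  
  115. # Inbound TLS. "encrypt" refuses any session that does not STARTTLS, which
  116. # suits a private relay; a publicly referenced MX on port 25 should use "may".
  117. # The legacy smtpd_use_tls / smtp_use_tls switches are superseded by the
  118. # *_tls_security_level parameters and are left out.
  119. # Keep privkey.pem readable by root only.
  120. smtpd_tls_cert_file = /etc/letsencrypt/live/private-relay.my.domain/fullchain.pem
  121. smtpd_tls_key_file = /etc/letsencrypt/live/private-relay.my.domain/privkey.pem
  122. smtpd_tls_security_level = encrypt
  123.  
  124. # SMTP TLS configuration for outgoing connections.
  125. # "encrypt" requires TLS but does not verify the peer certificate, and mail
  126. # for hosts that do not offer STARTTLS is deferred. The client certificate
  127. # is only needed when the next hop asks for one.
  128. smtp_tls_cert_file = /etc/letsencrypt/live/private-relay.my.domain/fullchain.pem
  129. smtp_tls_key_file = /etc/letsencrypt/live/private-relay.my.domain/privkey.pem
  130. smtp_tls_security_level = encrypt
  131.  
  132. # SPF Authentication for incoming mail.
  133. # Needs the matching policyd-spf service entry in master.cf.
  134. policyd-spf_time_limit = 3600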