# --------------------# VARIABLE SETTINGS PER SYSTEM## TLS settings.##

1. # --------------------
2. # VARIABLE SETTINGS PER SYSTEM
3. #
4. # TLS settings.
5. #
6. # SSL key, certificate, CA
7. #
8. smtpd_tls_key_file = /etc/ssl/private/2020.mail.intern.xxx.xxx.key
9. smtpd_tls_cert_file = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
10. smtpd_tls_CAfile = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
11. smtpd_tls_CApath = /etc/ssl/certs
12.  
13. # Use the same CA file as smtpd.
14. smtp_tls_CApath = /etc/ssl/certs
15. smtp_tls_CAfile = $smtpd_tls_CAfile
16. smtp_tls_note_starttls_offer = yes
17.  
18. # Virtual support.
19. virtual_minimum_uid = 2000
20. virtual_uid_maps = static:2000
21. virtual_gid_maps = static:2000
22. virtual_mailbox_base = /maildata/mailbox
23. virtual_mailbox_domains = /maildata/vhosts
24. virtual_mailbox_maps = hash:/maildata/vmaps
25.  
26. # Do not set virtual_alias_domains.
27. virtual_alias_domains =
28.  
29. # hostname
30. myhostname = bgrsld-mail0.intern.xxx.xxx
31. mydomain = mail.intern.xxx.xxx
32. myorigin = $mydomain
33.  
34. # Default message_size_limit.
35. # 15 MiB
36. message_size_limit = 15728640
37.  
38. #
39. # Lookup virtual mail accounts
40. #
41.  
42. relay_domains = $mydestination
43.  
44. #
45. # Dovecot SASL support.
46. #
47. smtpd_sasl_type = dovecot
48. smtpd_sasl_path = private/dovecot-auth
49. virtual_transport = dovecot
50. dovecot_destination_recipient_limit = 1
51.  
52. postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
53. postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
54.  
55. # --------------------
56. # INSTALL-TIME CONFIGURATION INFORMATION
57. #
58. # location of the Postfix queue. Default is /var/spool/postfix.
59. queue_directory = /var/spool/postfix
60.  
61. # location of all postXXX commands. Default is /usr/sbin.
62. command_directory = /usr/sbin
63.  
64. # location of all Postfix daemon programs (i.e. programs listed in the
65. # master.cf file). This directory must be owned by root.
66. # Default is /usr/libexec/postfix
67. daemon_directory = /usr/lib/postfix/sbin
68.  
69. # location of Postfix-writable data files (caches, random numbers).
70. # This directory must be owned by the mail_owner account (see below).
71. # Default is /var/lib/postfix.
72. data_directory = /var/lib/postfix
73.  
74. # owner of the Postfix queue and of most Postfix daemon processes.
75. # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
76. # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
77. # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
78. # Default is postfix.
79. mail_owner = postfix
80.  
81. # The following parameters are used when installing a new Postfix version.
82. #
83. # sendmail_path: The full pathname of the Postfix sendmail command.
84. # This is the Sendmail-compatible mail posting interface.
85. #
86. sendmail_path = /usr/sbin/sendmail
87.  
88. # newaliases_path: The full pathname of the Postfix newaliases command.
89. # This is the Sendmail-compatible command to build alias databases.
90. #
91. newaliases_path = /usr/bin/newaliases
92.  
93. # full pathname of the Postfix mailq command. This is the Sendmail-compatible
94. # mail queue listing command.
95. mailq_path = /usr/bin/mailq
96.  
97. # group for mail submission and queue management commands.
98. # This must be a group name with a numerical group ID that is not shared with
99. # other accounts, not even with the Postfix account.
100. setgid_group = postdrop
101.  
102. # external command that is executed when a Postfix daemon program is run with
103. # the -D option.
104. #
105. # Use "command .. & sleep 5" so that the debugger can attach before
106. # the process marches on. If you use an X-based debugger, be sure to
107. # set up your XAUTHORITY environment variable before starting Postfix.
108. #
109. debugger_command =
110. PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
111. ddd $daemon_directory/$process_name $process_id & sleep 5
112.  
113. debug_peer_level = 2
114.  
115. # --------------------
116. # CUSTOM SETTINGS
117. #
118.  
119. # SMTP server response code when recipient or domain not found.
120. unknown_local_recipient_reject_code = 550
121.  
122. # Do not notify local user.
123. biff = no
124.  
125. # Disable the rewriting of "site!user" into "user@site".
126. swap_bangpath = no
127.  
128. # Disable the rewriting of the form "user%domain" to "user@domain".
129. allow_percent_hack = no
130.  
131. # Allow recipient address start with '-'.
132. allow_min_user = no
133.  
134. # Disable the SMTP VRFY command. This stops some techniques used to
135. # harvest email addresses.
136. disable_vrfy_command = yes
137.  
138. # Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
139. inet_protocols = all
140.  
141. # Enable all network interfaces.
142. inet_interfaces = all
143.  
144. #
145. # Disable SSLv2, SSLv3
146. #
147. smtpd_tls_protocols = !SSLv2 !SSLv3
148. smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
149. smtp_tls_protocols = !SSLv2 !SSLv3
150. smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
151. lmtp_tls_protocols = !SSLv2 !SSLv3
152. lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
153.  
154. #
155. # Fix 'The Logjam Attack'.
156. #
157. smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
158. smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
159. smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
160.  
161. tls_random_source = dev:/dev/urandom
162.  
163. # Log only a summary message on TLS handshake completion — no logging of client
164. # certificate trust-chain verification errors if client certificate
165. # verification is not required. With Postfix 2.8 and earlier, log the summary
166. # message, peer certificate summary information and unconditionally log
167. # trust-chain verification errors.
168. smtp_tls_loglevel = 1
169. smtpd_tls_loglevel = 1
170.  
171. # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
172. # not require that clients use TLS encryption.
173. smtpd_tls_security_level = may
174.  
175. # Produce `Received:` message headers that include information about the
176. # protocol and cipher used, as well as the remote SMTP client CommonName and
177. # client certificate issuer CommonName.
178. # This is disabled by default, as the information may be modified in transit
179. # through other mail servers. Only information that was recorded by the final
180. # destination can be trusted.
181. #smtpd_tls_received_header = yes
182.  
183. # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
184. # Use TLS if this is supported by the remote SMTP server, otherwise use
185. # plaintext.
186. # References:
187. # - http://www.postfix.org/TLS_README.html#client_tls_may
188. # - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
189. smtp_tls_security_level = may
190.  
191. # Enable long, non-repeating, queue IDs (queue file names).
192. # The benefit of non-repeating names is simpler logfile analysis and easier
193. # queue migration (there is no need to run "postsuper" to change queue file
194. # names that don't match their message file inode number).
195. enable_long_queue_ids = yes
196.  
197. # Reject unlisted sender and recipient
198. smtpd_reject_unlisted_recipient = yes
199. smtpd_reject_unlisted_sender = yes
200.  
201. # A mechanism to transform commands from remote SMTP clients.
202. # This is a last-resort tool to work around client commands that break
203. # interoperability with the Postfix SMTP server. Other uses involve fault
204. # injection to test Postfix's handling of invalid commands.
205. # Requires Postfix-2.7+.
206. smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
207.  
208. # HELO restriction
209. smtpd_helo_required = yes
210. smtpd_helo_restrictions =
211. permit_mynetworks
212. permit_sasl_authenticated
213. check_helo_access pcre:/etc/postfix/helo_access.pcre
214. reject_non_fqdn_helo_hostname
215. reject_unknown_helo_hostname
216.  
217. # Sender restrictions
218. smtpd_sender_restrictions =
219. reject_non_fqdn_sender
220. reject_unlisted_sender
221. permit_mynetworks
222. permit_sasl_authenticated
223. check_sender_access pcre:/etc/postfix/sender_access.pcre
224. reject_unknown_sender_domain
225.  
226. # Recipient restrictions
227. smtpd_recipient_restrictions =
228. reject_non_fqdn_recipient
229. reject_unlisted_recipient
230. check_policy_service inet:127.0.0.1:7777
231. permit_mynetworks
232. permit_sasl_authenticated
233. reject_unauth_destination
234. check_policy_service inet:127.0.0.1:12340
235.  
236. # END-OF-MESSAGE restrictions
237. smtpd_end_of_data_restrictions =
238. check_policy_service inet:127.0.0.1:7777
239.  
240. # Data restrictions
241. smtpd_data_restrictions = reject_unauth_pipelining
242.  
243. # SRS (Sender Rewriting Scheme) support
244. #sender_canonical_maps = tcp:127.0.0.1:7778
245. #sender_canonical_classes = envelope_sender
246. #recipient_canonical_maps = tcp:127.0.0.1:7779
247. #recipient_canonical_classes= envelope_recipient,header_recipient
248.  
249. proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
250.  
251. # Avoid duplicate recipient messages. Default is 'yes'.
252. enable_original_recipient = no
253.  
254. #
255. # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
256. # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
257. # be forced to submit email through port 587 instead.
258. #
259. #smtpd_sasl_auth_enable = yes
260. #smtpd_sasl_security_options = noanonymous
261. #smtpd_tls_auth_only = yes
262.  
263. # trusted SMTP clients which are allowed to relay mail through Postfix.
264. #
265. # Note: additional IP addresses/networks listed in mynetworks should be listed
266. # in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
267. # for example:
268. #
269. # MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
270. #
271. mynetworks = 127.0.0.1 [::1]
272.  
273. # Accepted local emails
274. mydestination = $myhostname, localhost, localhost.localdomain
275.  
276. # The set of characters that can separate a user name from its extension
277. # (example: user+foo), or a .forward file name from its extension (example:
278. # .forward+foo).
279. # Postfix 2.11 and later supports multiple characters.
280. recipient_delimiter = +
281.  
282. # The time after which the sender receives a copy of the message headers of
283. # mail that is still queued. Default setting is disabled (0h) by Postfix.
284. #delay_warning_time = 1h
285.  
286. # Do not display the name of the recipient table in the "User unknown" responses.
287. # The extra detail makes trouble shooting easier but also reveals information
288. # that is nobody elses business.
289. show_user_unknown_table_name = no
290. compatibility_level = 2
291.  
292. #
293. # Postscreen
294. #
295. postscreen_greet_action = drop
296. postscreen_blacklist_action = drop
297. postscreen_dnsbl_action = drop
298. postscreen_dnsbl_threshold = 2
299.  
300. # Attention:
301. # - zen.spamhaus.org free tire has 3 limits
302. # (https://www.spamhaus.org/organization/dnsblusage/):
303. #
304. # 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
305. # 2) Your email traffic is less than 100,000 SMTP connections per day, and
306. # 3) Your DNSBL query volume is less than 300,000 queries per day.
307. #
308. # - FAQ: "Your DNSBL blocks nothing at all!"
309. # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
310. #
311. # It's strongly recommended to use a local DNS server for cache.
312. #postscreen_dnsbl_sites =
313. # zen.spamhaus.org=127.0.0.[2..11]*3
314. # b.barracudacentral.org=127.0.0.2*2
315.  
316. # Require Postfix-2.11+
317. postscreen_dnsbl_whitelist_threshold = -2
318.  
319. #
320. # mlmmj - mailing list manager
321. #
322. #mlmmj_destination_recipient_limit = 1
323.  
324. #
325. # Amavisd + SpamAssassin + ClamAV
326. #
327. #content_filter = smtp-amavis:[127.0.0.1]:10024
328.  
329. # Concurrency per recipient limit.
330. #smtp-amavis_destination_recipient_limit = 1