
Untitled

a guest
Jul 17th, 2020
  1. # --------------------
  2. # VARIABLE SETTINGS PER SYSTEM
  3. #
  4. # TLS settings.
  5. #
  6. # SSL key, certificate, CA
  7. #
  8. smtpd_tls_key_file = /etc/ssl/private/2020.mail.intern.xxx.xxx.key
  9. smtpd_tls_cert_file = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
  10. smtpd_tls_CAfile = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
  11. smtpd_tls_CApath = /etc/ssl/certs
  12.  
  13. # Use the same CA file as smtpd.
  14. smtp_tls_CApath = /etc/ssl/certs
  15. smtp_tls_CAfile = $smtpd_tls_CAfile
  16. smtp_tls_note_starttls_offer = yes
  17.  
  18. # Virtual support.
  19. virtual_minimum_uid = 2000
  20. virtual_uid_maps = static:2000
  21. virtual_gid_maps = static:2000
  22. virtual_mailbox_base = /maildata/mailbox
  23. virtual_mailbox_domains = /maildata/vhosts
  24. virtual_mailbox_maps = hash:/maildata/vmaps
  25.  
  26. # Do not set virtual_alias_domains.
  27. virtual_alias_domains =
  28.  
  29. # hostname
  30. myhostname = bgrsld-mail0.intern.xxx.xxx
  31. mydomain = mail.intern.xxx.xxx
  32. myorigin = $mydomain
  33.  
  34. # Default message_size_limit.
  35. # 15 MiB
  36. message_size_limit = 15728640
  37.  
  38. #
  39. # Lookup virtual mail accounts
  40. #
  41.  
  42. relay_domains = $mydestination
  43.  
  44. #
  45. # Dovecot SASL support.
  46. #
  47. smtpd_sasl_type = dovecot
  48. smtpd_sasl_path = private/dovecot-auth
  49. virtual_transport = dovecot
  50. dovecot_destination_recipient_limit = 1
  51.  
  52. postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
  53. postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
  54.  
  55. # --------------------
  56. # INSTALL-TIME CONFIGURATION INFORMATION
  57. #
  58. # location of the Postfix queue. Default is /var/spool/postfix.
  59. queue_directory = /var/spool/postfix
  60.  
  61. # location of all postXXX commands. Default is /usr/sbin.
  62. command_directory = /usr/sbin
  63.  
  64. # location of all Postfix daemon programs (i.e. programs listed in the
  65. # master.cf file). This directory must be owned by root.
  66. # Default is /usr/libexec/postfix
  67. daemon_directory = /usr/lib/postfix/sbin
  68.  
  69. # location of Postfix-writable data files (caches, random numbers).
  70. # This directory must be owned by the mail_owner account (see below).
  71. # Default is /var/lib/postfix.
  72. data_directory = /var/lib/postfix
  73.  
  74. # owner of the Postfix queue and of most Postfix daemon processes.
  75. # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
  76. # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
  77. # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
  78. # Default is postfix.
  79. mail_owner = postfix
  80.  
  81. # The following parameters are used when installing a new Postfix version.
  82. #
  83. # sendmail_path: The full pathname of the Postfix sendmail command.
  84. # This is the Sendmail-compatible mail posting interface.
  85. #
  86. sendmail_path = /usr/sbin/sendmail
  87.  
  88. # newaliases_path: The full pathname of the Postfix newaliases command.
  89. # This is the Sendmail-compatible command to build alias databases.
  90. #
  91. newaliases_path = /usr/bin/newaliases
  92.  
  93. # full pathname of the Postfix mailq command. This is the Sendmail-compatible
  94. # mail queue listing command.
  95. mailq_path = /usr/bin/mailq
  96.  
  97. # group for mail submission and queue management commands.
  98. # This must be a group name with a numerical group ID that is not shared with
  99. # other accounts, not even with the Postfix account.
  100. setgid_group = postdrop
  101.  
  102. # external command that is executed when a Postfix daemon program is run with
  103. # the -D option.
  104. #
  105. # Use "command .. & sleep 5" so that the debugger can attach before
  106. # the process marches on. If you use an X-based debugger, be sure to
  107. # set up your XAUTHORITY environment variable before starting Postfix.
  108. #
  109. debugger_command =
  110. PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  111. ddd $daemon_directory/$process_name $process_id & sleep 5
  112.  
  113. debug_peer_level = 2
  114.  
  115. # --------------------
  116. # CUSTOM SETTINGS
  117. #
  118.  
  119. # SMTP server response code when recipient or domain not found.
  120. unknown_local_recipient_reject_code = 550
  121.  
  122. # Do not notify local user.
  123. biff = no
  124.  
  125. # Disable the rewriting of "site!user" into "user@site".
  126. swap_bangpath = no
  127.  
  128. # Disable the rewriting of the form "user%domain" to "user@domain".
  129. allow_percent_hack = no
  130.  
  131. # Allow recipient address start with '-'.
  132. allow_min_user = no
  133.  
  134. # Disable the SMTP VRFY command. This stops some techniques used to
  135. # harvest email addresses.
  136. disable_vrfy_command = yes
  137.  
  138. # Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
  139. inet_protocols = all
  140.  
  141. # Enable all network interfaces.
  142. inet_interfaces = all
  143.  
  144. #
  145. # Disable SSLv2, SSLv3
  146. #
  147. smtpd_tls_protocols = !SSLv2 !SSLv3
  148. smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
  149. smtp_tls_protocols = !SSLv2 !SSLv3
  150. smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  151. lmtp_tls_protocols = !SSLv2 !SSLv3
  152. lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  153.  
  154. #
  155. # Fix 'The Logjam Attack'.
  156. #
  157. smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
  158. smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
  159. smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
  160.  
  161. tls_random_source = dev:/dev/urandom
  162.  
  163. # Log only a summary message on TLS handshake completion — no logging of client
  164. # certificate trust-chain verification errors if client certificate
  165. # verification is not required. With Postfix 2.8 and earlier, log the summary
  166. # message, peer certificate summary information and unconditionally log
  167. # trust-chain verification errors.
  168. smtp_tls_loglevel = 1
  169. smtpd_tls_loglevel = 1
  170.  
  171. # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
  172. # not require that clients use TLS encryption.
  173. smtpd_tls_security_level = may
  174.  
  175. # Produce `Received:` message headers that include information about the
  176. # protocol and cipher used, as well as the remote SMTP client CommonName and
  177. # client certificate issuer CommonName.
  178. # This is disabled by default, as the information may be modified in transit
  179. # through other mail servers. Only information that was recorded by the final
  180. # destination can be trusted.
  181. #smtpd_tls_received_header = yes
  182.  
  183. # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
  184. # Use TLS if this is supported by the remote SMTP server, otherwise use
  185. # plaintext.
  186. # References:
  187. # - http://www.postfix.org/TLS_README.html#client_tls_may
  188. # - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
  189. smtp_tls_security_level = may
  190.  
  191. # Enable long, non-repeating, queue IDs (queue file names).
  192. # The benefit of non-repeating names is simpler logfile analysis and easier
  193. # queue migration (there is no need to run "postsuper" to change queue file
  194. # names that don't match their message file inode number).
  195. enable_long_queue_ids = yes
  196.  
  197. # Reject unlisted sender and recipient
  198. smtpd_reject_unlisted_recipient = yes
  199. smtpd_reject_unlisted_sender = yes
  200.  
  201. # A mechanism to transform commands from remote SMTP clients.
  202. # This is a last-resort tool to work around client commands that break
  203. # interoperability with the Postfix SMTP server. Other uses involve fault
  204. # injection to test Postfix's handling of invalid commands.
  205. # Requires Postfix-2.7+.
  206. smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
  207.  
  208. # HELO restriction
  209. smtpd_helo_required = yes
  210. smtpd_helo_restrictions =
  211. permit_mynetworks
  212. permit_sasl_authenticated
  213. check_helo_access pcre:/etc/postfix/helo_access.pcre
  214. reject_non_fqdn_helo_hostname
  215. reject_unknown_helo_hostname
  216.  
  217. # Sender restrictions
  218. smtpd_sender_restrictions =
  219. reject_non_fqdn_sender
  220. reject_unlisted_sender
  221. permit_mynetworks
  222. permit_sasl_authenticated
  223. check_sender_access pcre:/etc/postfix/sender_access.pcre
  224. reject_unknown_sender_domain
  225.  
  226. # Recipient restrictions
  227. smtpd_recipient_restrictions =
  228. reject_non_fqdn_recipient
  229. reject_unlisted_recipient
  230. check_policy_service inet:127.0.0.1:7777
  231. permit_mynetworks
  232. permit_sasl_authenticated
  233. reject_unauth_destination
  234. check_policy_service inet:127.0.0.1:12340
  235.  
  236. # END-OF-MESSAGE restrictions
  237. smtpd_end_of_data_restrictions =
  238. check_policy_service inet:127.0.0.1:7777
  239.  
  240. # Data restrictions
  241. smtpd_data_restrictions = reject_unauth_pipelining
  242.  
  243. # SRS (Sender Rewriting Scheme) support
  244. #sender_canonical_maps = tcp:127.0.0.1:7778
  245. #sender_canonical_classes = envelope_sender
  246. #recipient_canonical_maps = tcp:127.0.0.1:7779
  247. #recipient_canonical_classes= envelope_recipient,header_recipient
  248.  
  249. proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
  250.  
  251. # Avoid duplicate recipient messages. Default is 'yes'.
  252. enable_original_recipient = no
  253.  
  254. #
  255. # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
  256. # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
  257. # be forced to submit email through port 587 instead.
  258. #
  259. #smtpd_sasl_auth_enable = yes
  260. #smtpd_sasl_security_options = noanonymous
  261. #smtpd_tls_auth_only = yes
  262.  
  263. # trusted SMTP clients which are allowed to relay mail through Postfix.
  264. #
  265. # Note: additional IP addresses/networks listed in mynetworks should be listed
  266. # in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
  267. # for example:
  268. #
  269. # MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
  270. #
  271. mynetworks = 127.0.0.1 [::1]
  272.  
  273. # Accepted local emails
  274. mydestination = $myhostname, localhost, localhost.localdomain
  275.  
  276. # The set of characters that can separate a user name from its extension
  277. # (example: user+foo), or a .forward file name from its extension (example:
  278. # .forward+foo).
  279. # Postfix 2.11 and later supports multiple characters.
  280. recipient_delimiter = +
  281.  
  282. # The time after which the sender receives a copy of the message headers of
  283. # mail that is still queued. Default setting is disabled (0h) by Postfix.
  284. #delay_warning_time = 1h
  285.  
  286. # Do not display the name of the recipient table in the "User unknown" responses.
  287. # The extra detail makes trouble shooting easier but also reveals information
  288. # that is nobody elses business.
  289. show_user_unknown_table_name = no
  290. compatibility_level = 2
  291.  
  292. #
  293. # Postscreen
  294. #
  295. postscreen_greet_action = drop
  296. postscreen_blacklist_action = drop
  297. postscreen_dnsbl_action = drop
  298. postscreen_dnsbl_threshold = 2
  299.  
  300. # Attention:
  301. # - zen.spamhaus.org free tire has 3 limits
  302. # (https://www.spamhaus.org/organization/dnsblusage/):
  303. #
  304. # 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
  305. # 2) Your email traffic is less than 100,000 SMTP connections per day, and
  306. # 3) Your DNSBL query volume is less than 300,000 queries per day.
  307. #
  308. # - FAQ: "Your DNSBL blocks nothing at all!"
  309. # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
  310. #
  311. # It's strongly recommended to use a local DNS server for cache.
  312. #postscreen_dnsbl_sites =
  313. # zen.spamhaus.org=127.0.0.[2..11]*3
  314. # b.barracudacentral.org=127.0.0.2*2
  315.  
  316. # Require Postfix-2.11+
  317. postscreen_dnsbl_whitelist_threshold = -2
  318.  
  319. #
  320. # mlmmj - mailing list manager
  321. #
  322. #mlmmj_destination_recipient_limit = 1
  323.  
  324. #
  325. # Amavisd + SpamAssassin + ClamAV
  326. #
  327. #content_filter = smtp-amavis:[127.0.0.1]:10024
  328.  
  329. # Concurrency per recipient limit.
  330. #smtp-amavis_destination_recipient_limit = 1