Guest User

Untitled

a guest
Jul 17th, 2020
92
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # --------------------
  2. # VARIABLE SETTINGS PER SYSTEM
  3. #
  4. # TLS settings.
  5. #
  6. # SSL key, certificate, CA
  7. #
  8. smtpd_tls_key_file = /etc/ssl/private/2020.mail.intern.xxx.xxx.key
  9. smtpd_tls_cert_file = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
  10. smtpd_tls_CAfile = /etc/ssl/certs/2020.mail.intern.xxx.xxx.crt
  11. smtpd_tls_CApath = /etc/ssl/certs
  12.  
  13. # Use the same CA file as smtpd.
  14. smtp_tls_CApath = /etc/ssl/certs
  15. smtp_tls_CAfile = $smtpd_tls_CAfile
  16. smtp_tls_note_starttls_offer = yes
  17.  
  18. # Virtual support.
  19. virtual_minimum_uid = 2000
  20. virtual_uid_maps = static:2000
  21. virtual_gid_maps = static:2000
  22. virtual_mailbox_base = /maildata/mailbox
  23. virtual_mailbox_domains = /maildata/vhosts
  24. virtual_mailbox_maps = hash:/maildata/vmaps
  25.  
  26. # Do not set virtual_alias_domains.
  27. virtual_alias_domains =
  28.  
  29. # hostname
  30. myhostname = bgrsld-mail0.intern.xxx.xxx
  31. mydomain = mail.intern.xxx.xxx
  32. myorigin = $mydomain
  33.  
  34. # Default message_size_limit.
  35. # 15 MiB
  36. message_size_limit = 15728640
  37.  
  38. #
  39. # Lookup virtual mail accounts
  40. #
  41.  
  42. relay_domains = $mydestination
  43.  
  44. #
  45. # Dovecot SASL support.
  46. #
  47. smtpd_sasl_type = dovecot
  48. smtpd_sasl_path = private/dovecot-auth
  49. virtual_transport = dovecot
  50. dovecot_destination_recipient_limit = 1
  51.  
  52. postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
  53. postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
  54.  
  55. # --------------------
  56. # INSTALL-TIME CONFIGURATION INFORMATION
  57. #
  58. # location of the Postfix queue. Default is /var/spool/postfix.
  59. queue_directory = /var/spool/postfix
  60.  
  61. # location of all postXXX commands. Default is /usr/sbin.
  62. command_directory = /usr/sbin
  63.  
  64. # location of all Postfix daemon programs (i.e. programs listed in the
  65. # master.cf file). This directory must be owned by root.
  66. # Default is /usr/libexec/postfix
  67. daemon_directory = /usr/lib/postfix/sbin
  68.  
  69. # location of Postfix-writable data files (caches, random numbers).
  70. # This directory must be owned by the mail_owner account (see below).
  71. # Default is /var/lib/postfix.
  72. data_directory = /var/lib/postfix
  73.  
  74. # owner of the Postfix queue and of most Postfix daemon processes.
  75. # Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
  76. # WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
  77. # In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
  78. # Default is postfix.
  79. mail_owner = postfix
  80.  
  81. # The following parameters are used when installing a new Postfix version.
  82. #
  83. # sendmail_path: The full pathname of the Postfix sendmail command.
  84. # This is the Sendmail-compatible mail posting interface.
  85. #
  86. sendmail_path = /usr/sbin/sendmail
  87.  
  88. # newaliases_path: The full pathname of the Postfix newaliases command.
  89. # This is the Sendmail-compatible command to build alias databases.
  90. #
  91. newaliases_path = /usr/bin/newaliases
  92.  
  93. # full pathname of the Postfix mailq command. This is the Sendmail-compatible
  94. # mail queue listing command.
  95. mailq_path = /usr/bin/mailq
  96.  
  97. # group for mail submission and queue management commands.
  98. # This must be a group name with a numerical group ID that is not shared with
  99. # other accounts, not even with the Postfix account.
  100. setgid_group = postdrop
  101.  
  102. # external command that is executed when a Postfix daemon program is run with
  103. # the -D option.
  104. #
  105. # Use "command .. & sleep 5" so that the debugger can attach before
  106. # the process marches on. If you use an X-based debugger, be sure to
  107. # set up your XAUTHORITY environment variable before starting Postfix.
  108. #
  109. debugger_command =
  110. PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  111. ddd $daemon_directory/$process_name $process_id & sleep 5
  112.  
  113. debug_peer_level = 2
  114.  
  115. # --------------------
  116. # CUSTOM SETTINGS
  117. #
  118.  
  119. # SMTP server response code when recipient or domain not found.
  120. unknown_local_recipient_reject_code = 550
  121.  
  122. # Do not notify local user.
  123. biff = no
  124.  
  125. # Disable the rewriting of "site!user" into "user@site".
  126. swap_bangpath = no
  127.  
  128. # Disable the rewriting of the form "user%domain" to "user@domain".
  129. allow_percent_hack = no
  130.  
  131. # Allow recipient address start with '-'.
  132. allow_min_user = no
  133.  
  134. # Disable the SMTP VRFY command. This stops some techniques used to
  135. # harvest email addresses.
  136. disable_vrfy_command = yes
  137.  
  138. # Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
  139. inet_protocols = all
  140.  
  141. # Enable all network interfaces.
  142. inet_interfaces = all
  143.  
  144. #
  145. # Disable SSLv2, SSLv3
  146. #
  147. smtpd_tls_protocols = !SSLv2 !SSLv3
  148. smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
  149. smtp_tls_protocols = !SSLv2 !SSLv3
  150. smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  151. lmtp_tls_protocols = !SSLv2 !SSLv3
  152. lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  153.  
  154. #
  155. # Fix 'The Logjam Attack'.
  156. #
  157. smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
  158. smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
  159. smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
  160.  
  161. tls_random_source = dev:/dev/urandom
  162.  
  163. # Log only a summary message on TLS handshake completion — no logging of client
  164. # certificate trust-chain verification errors if client certificate
  165. # verification is not required. With Postfix 2.8 and earlier, log the summary
  166. # message, peer certificate summary information and unconditionally log
  167. # trust-chain verification errors.
  168. smtp_tls_loglevel = 1
  169. smtpd_tls_loglevel = 1
  170.  
  171. # Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
  172. # not require that clients use TLS encryption.
  173. smtpd_tls_security_level = may
  174.  
  175. # Produce `Received:` message headers that include information about the
  176. # protocol and cipher used, as well as the remote SMTP client CommonName and
  177. # client certificate issuer CommonName.
  178. # This is disabled by default, as the information may be modified in transit
  179. # through other mail servers. Only information that was recorded by the final
  180. # destination can be trusted.
  181. #smtpd_tls_received_header = yes
  182.  
  183. # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
  184. # Use TLS if this is supported by the remote SMTP server, otherwise use
  185. # plaintext.
  186. # References:
  187. # - http://www.postfix.org/TLS_README.html#client_tls_may
  188. # - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
  189. smtp_tls_security_level = may
  190.  
  191. # Enable long, non-repeating, queue IDs (queue file names).
  192. # The benefit of non-repeating names is simpler logfile analysis and easier
  193. # queue migration (there is no need to run "postsuper" to change queue file
  194. # names that don't match their message file inode number).
  195. enable_long_queue_ids = yes
  196.  
  197. # Reject unlisted sender and recipient
  198. smtpd_reject_unlisted_recipient = yes
  199. smtpd_reject_unlisted_sender = yes
  200.  
  201. # A mechanism to transform commands from remote SMTP clients.
  202. # This is a last-resort tool to work around client commands that break
  203. # interoperability with the Postfix SMTP server. Other uses involve fault
  204. # injection to test Postfix's handling of invalid commands.
  205. # Requires Postfix-2.7+.
  206. smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
  207.  
  208. # HELO restriction
  209. smtpd_helo_required = yes
  210. smtpd_helo_restrictions =
  211. permit_mynetworks
  212. permit_sasl_authenticated
  213. check_helo_access pcre:/etc/postfix/helo_access.pcre
  214. reject_non_fqdn_helo_hostname
  215. reject_unknown_helo_hostname
  216.  
  217. # Sender restrictions
  218. smtpd_sender_restrictions =
  219. reject_non_fqdn_sender
  220. reject_unlisted_sender
  221. permit_mynetworks
  222. permit_sasl_authenticated
  223. check_sender_access pcre:/etc/postfix/sender_access.pcre
  224. reject_unknown_sender_domain
  225.  
  226. # Recipient restrictions
  227. smtpd_recipient_restrictions =
  228. reject_non_fqdn_recipient
  229. reject_unlisted_recipient
  230. check_policy_service inet:127.0.0.1:7777
  231. permit_mynetworks
  232. permit_sasl_authenticated
  233. reject_unauth_destination
  234. check_policy_service inet:127.0.0.1:12340
  235.  
  236. # END-OF-MESSAGE restrictions
  237. smtpd_end_of_data_restrictions =
  238. check_policy_service inet:127.0.0.1:7777
  239.  
  240. # Data restrictions
  241. smtpd_data_restrictions = reject_unauth_pipelining
  242.  
  243. # SRS (Sender Rewriting Scheme) support
  244. #sender_canonical_maps = tcp:127.0.0.1:7778
  245. #sender_canonical_classes = envelope_sender
  246. #recipient_canonical_maps = tcp:127.0.0.1:7779
  247. #recipient_canonical_classes= envelope_recipient,header_recipient
  248.  
  249. proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
  250.  
  251. # Avoid duplicate recipient messages. Default is 'yes'.
  252. enable_original_recipient = no
  253.  
  254. #
  255. # Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
  256. # WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
  257. # be forced to submit email through port 587 instead.
  258. #
  259. #smtpd_sasl_auth_enable = yes
  260. #smtpd_sasl_security_options = noanonymous
  261. #smtpd_tls_auth_only = yes
  262.  
  263. # trusted SMTP clients which are allowed to relay mail through Postfix.
  264. #
  265. # Note: additional IP addresses/networks listed in mynetworks should be listed
  266. # in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
  267. # for example:
  268. #
  269. # MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
  270. #
  271. mynetworks = 127.0.0.1 [::1]
  272.  
  273. # Accepted local emails
  274. mydestination = $myhostname, localhost, localhost.localdomain
  275.  
  276. # The set of characters that can separate a user name from its extension
  277. # (example: user+foo), or a .forward file name from its extension (example:
  278. # .forward+foo).
  279. # Postfix 2.11 and later supports multiple characters.
  280. recipient_delimiter = +
  281.  
  282. # The time after which the sender receives a copy of the message headers of
  283. # mail that is still queued. Default setting is disabled (0h) by Postfix.
  284. #delay_warning_time = 1h
  285.  
  286. # Do not display the name of the recipient table in the "User unknown" responses.
  287. # The extra detail makes trouble shooting easier but also reveals information
  288. # that is nobody elses business.
  289. show_user_unknown_table_name = no
  290. compatibility_level = 2
  291.  
  292. #
  293. # Postscreen
  294. #
  295. postscreen_greet_action = drop
  296. postscreen_blacklist_action = drop
  297. postscreen_dnsbl_action = drop
  298. postscreen_dnsbl_threshold = 2
  299.  
  300. # Attention:
  301. # - zen.spamhaus.org free tire has 3 limits
  302. # (https://www.spamhaus.org/organization/dnsblusage/):
  303. #
  304. # 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
  305. # 2) Your email traffic is less than 100,000 SMTP connections per day, and
  306. # 3) Your DNSBL query volume is less than 300,000 queries per day.
  307. #
  308. # - FAQ: "Your DNSBL blocks nothing at all!"
  309. # https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
  310. #
  311. # It's strongly recommended to use a local DNS server for cache.
  312. #postscreen_dnsbl_sites =
  313. # zen.spamhaus.org=127.0.0.[2..11]*3
  314. # b.barracudacentral.org=127.0.0.2*2
  315.  
  316. # Require Postfix-2.11+
  317. postscreen_dnsbl_whitelist_threshold = -2
  318.  
  319. #
  320. # mlmmj - mailing list manager
  321. #
  322. #mlmmj_destination_recipient_limit = 1
  323.  
  324. #
  325. # Amavisd + SpamAssassin + ClamAV
  326. #
  327. #content_filter = smtp-amavis:[127.0.0.1]:10024
  328.  
  329. # Concurrency per recipient limit.
  330. #smtp-amavis_destination_recipient_limit = 1
RAW Paste Data