mindlesstux

Postfix: main.cf

Oct 8th, 2023
  1. # What networks are mine/will I send mail from
  2. mynetworks = 192.168.1.0/24, 192.168.2.0/24
  3. # What is my IP
  4. relay_domains = mindlesstux.com
  5.  
  6. # I dont map anything for store'n'forward
  7. relay_recipient_maps =
  8. virtual_alias_domains =
  9. virtual_mailbox_domains =
  10.  
  11. # Send all mail to:
  12. # https://www.postfix.org/postconf.5.html#best_mx_transport
  13. best_mx_transport = smtp:10.120.1.248:25
  14.  
  15. # VPS DNS name
  16. smtp_helo_name = eos.mindlesstux.com
  17.  
  18. # Do some basic things
  19. smtpd_helo_required = yes
  20.  
  21. # Helo restrictions https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
  22. # ... Check local file for cidrs
  23. # ... reject_unauth_pipelining: Drop clients sending cmds out of sequence, probably does not need to be here
  24. # ... reject_non_fqdn_helo_hostname: Match HELO/EHLO domain, drop otherwise
  25. # ... reject_invalid_helo_hostname: Reject invaild HELO/EHLO syntax
  26. # ... reject_unknown_helo_hostname: Reject when HELO/EHLO have no A/MX DNS Record
  27. # ... reject_rhsbl_helo: Checks RBLs (Yes I check several)
  28. smtpd_helo_restrictions =
  29. check_helo_access cidr:/etc/postfix/checks/check_helo_access,
  30. reject_unauth_pipelining,
  31. reject_non_fqdn_helo_hostname,
  32. reject_invalid_helo_hostname,
  33. reject_unknown_helo_hostname,
  34. reject_rhsbl_helo zen.spamhaus.org
  35. reject_rhsbl_helo dnsbl.dronebl.org,
  36. reject_rhsbl_helo dnsbl.sorbs.net,
  37. reject_rhsbl_helo bl.spamcop.net,
  38. reject_rhsbl_helo cbl.abuseat.org,
  39. reject_rhsbl_helo b.barracudacentral.org,
  40.  
  41. # Sender restrictions https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
  42. # ... Check local file for cidrs
  43. # ... reject_unauth_pipelining: Drop clients sending cmds out of sequence, probably does not need to be here
  44. # ... reject_non_fqdn_sender: If FROM is not up to RFC, drop
  45. # ... reject_unlisted_sender: If FROM is not listed in a list of valid recipients (domain(s))
  46. # ... reject_unknown_sender_domain: see man page, to long to summarize
  47. # ... reject_rhsbl_sender: Check RBLs
  48. # ... Check a blacklist file
  49. smtpd_sender_restrictions =
  50. check_sender_access cidr:/etc/postfix/checks/client_sender_checks,
  51. reject_unauth_pipelining,
  52. reject_non_fqdn_sender,
  53. reject_unlisted_sender,
  54. reject_unknown_sender_domain,
  55. reject_rhsbl_sender zen.spamhaus.org
  56. reject_rhsbl_sender dnsbl.dronebl.org,
  57. reject_rhsbl_sender dnsbl.sorbs.net,
  58. reject_rhsbl_sender bl.spamcop.net,
  59. reject_rhsbl_sender cbl.abuseat.org,
  60. reject_rhsbl_sender b.barracudacentral.org,
  61. check_sender_access hash:/etc/postfix/checks/blacklisted_recipient_domains,
  62.  
  63. # Recipient Restrictions https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
  64. # ... permit_mynetworks: Allow my ip/cidrs and domain(s)
  65. # ... reject_unauth_pipelining: Drop clients sending cmds out of sequence, probably does not need to be here
  66. # ... reject_non_fqdn_recipient: Reject when RCPT TO is not in line with RFC
  67. # ... reject_invalid_hostname: HELO/EHLO hostname syntax check (older cfg thing, check version and man page)
  68. # ... reject_unauth_destination: Reject reasons, check man page
  69. # ... reject_rbl_client: Check RBLs
  70. # ... check_recipient_access: Check blacklist file
  71. # ... check_policy_service: Hand off to program to check SPF records (omit unless you have)
  72. smtpd_recipient_restrictions =
  73. permit_mynetworks,
  74. reject_unauth_pipelining,
  75. reject_non_fqdn_recipient,
  76. reject_invalid_hostname,
  77. reject_unauth_destination
  78. reject_rbl_client zen.spamhaus.org,
  79. reject_rbl_client dnsbl.sorbs.net,
  80. reject_rbl_client dnsbl.dronebl.org,
  81. reject_rbl_client bl.spamcop.net,
  82. reject_rbl_client cbl.abuseat.org,
  83. reject_rbl_client b.barracudacentral.org,
  84. check_recipient_access hash:/etc/postfix/checks/blacklisted_recipient_domains,
  85. check_policy_service unix:private/policyd-spf,
  86.  
  87. # Client Restrictions https://www.postfix.org/postconf.5.html#smtpd_client_restrictions
  88. # ... permit_mynetworks: Allow my ip/cidrs and domain(s)
  89. # ... check_client_access: Check file for what clients could access
  90. # ... reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping.
  91. # ... reject_unauth_pipelining: Drop clients sending cmds out of sequence, probably does not need to be here
  92. # ... Allow
  93. smtpd_client_restrictions =
  94. permit_mynetworks,
  95. check_client_access cidr:/etc/postfix/checks/client_sender_checks,
  96. reject_unknown_reverse_client_hostname,
  97. reject_unauth_pipelining
  98. permit
  99.  
  100. # Relay Restrictions https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
  101. # ... permit_mynetworks: Match mynetworks
  102. # ... permit_sasl_authenticated: Permit when client is authenticated (I should probably drop this)
  103. # ... reject_unauth_destination: Reject unless... https://www.postfix.org/postconf.5.html#reject_unauth_destination
  104. smtpd_relay_restrictions =
  105. permit_mynetworks,
  106. permit_sasl_authenticated,
  107. reject_unauth_destination
  108.  
  109. # SSL/TLS certificates (done via LE)
  110. smtp_tls_key_file = /etc/letsencrypt/live/mindlesstux.com/privkey.pem
  111. smtp_tls_cert_file = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem
  112. #smtp_tls_CAfile = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem
  113. smtp_tls_loglevel = 1
  114. smtp_tls_security_level = may
  115. smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
  116. smtp_tls_protocols=!SSLv2,!SSLv3
  117.  
  118. smtp_tls_note_starttls_offer = yes
  119.  
  120. smtpd_tls_received_header = yes
  121. smtpd_delay_reject = yes
  122. smtpd_tls_key_file = /etc/letsencrypt/live/mindlesstux.com/privkey.pem
  123. smtpd_tls_cert_file = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem
  124. #smtpd_tls_CAfile = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem
  125. smtpd_tls_loglevel = 1
  126. smtpd_tls_security_level = may
  127. smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  128. smtpd_tls_protocols=!SSLv2,!SSLv3
  129.  
  130. # Send mail to other programs to handle mail filtering/checking
  131. # https://www.postfix.org/postconf.5.html#smtpd_milters
  132. smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
  133. # https://www.postfix.org/postconf.5.html#milter_protocol
  134. milter_protocol = 6
  135. # https://www.postfix.org/postconf.5.html#non_smtpd_milters
  136. non_smtpd_milters = $smtpd_milters
  137. # https://www.postfix.org/postconf.5.html#milter_default_action
  138. milter_default_action = accept
  139.  