
Untitled

a guest
Dec 16th, 2016
  # Installation layout for this Postfix instance (main.cf).

  # Account that owns the queue and most daemon processes, and the group used
  # by the set-gid mail submission / queue management commands.
  mail_owner = postfix
  setgid_group = postdrop

  # Queue, private data, programs, daemons and manual pages.
  queue_directory = /var/spool/postfix
  data_directory = /var/lib/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/libexec/postfix
  manpage_directory = /usr/share/man

  # Full paths of the Sendmail-compatible front-end commands.
  sendmail_path = /usr/sbin/sendmail.postfix
  newaliases_path = /usr/bin/newaliases.postfix
  mailq_path = /usr/bin/mailq.postfix
  13.  
  14. ##############################################################################
  15.  
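  # Before anything else, define who we are to the rest of the world.

  # Listen on the public IPv4 address and on loopback only.
  # NOTE(review): inet_protocols = all enables IPv6, but no IPv6 address is
  # listed in inet_interfaces, while the DNS notes at the end of this file
  # publish an AAAA record for the mail host -- confirm whether inbound IPv6
  # is meant to be served.
  inet_interfaces = 208.82.102.85, 127.0.0.1
  inet_protocols = all
  myhostname = mail.johnwiegley.com

  # Domains whose mail is delivered locally. A multi-line value only works
  # when every continuation line starts with whitespace, as below.
  mydestination =
      mail.johnwiegley.com,
      johnwiegley.com,
      newartisans.com

  # Both deliberately empty: no client is trusted by IP address alone, and no
  # additional domains are accepted for relaying.
  mynetworks =
  relay_domains =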
  27.  
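  # Our first line of defense against spammers is postscreen, which checks for
  # many common problem signs. This is supported in master.cf with these lines:
  #
  #   smtp      inet  n  -  n  -  1  postscreen
  #   smtpd     pass  -  -  n  -  -  smtpd -o ...
  #   dnsblog   unix  -  -  n  -  0  dnsblog
  #   tlsproxy  unix  -  -  n  -  0  tlsproxy

  # Pregreet test: show a teaser banner and enforce against clients that talk
  # before their turn.
  postscreen_greet_banner = New Artisans LLC -- please wait
  postscreen_greet_action = enforce

  # The "after 220 greeting" protocol tests below are all switched off
  # (*_enable = no). Their *_action / *_ttl values are kept so that they are
  # already in place if a test is turned on later.
  postscreen_pipelining_enable = no
  postscreen_pipelining_action = enforce

  postscreen_non_smtp_command_enable = no
  postscreen_non_smtp_command_action = enforce

  postscreen_bare_newline_enable = no
  postscreen_bare_newline_action = enforce
  postscreen_bare_newline_ttl = 30d

  # VRFY is refused by postscreen's built-in SMTP engine but stays enabled in
  # smtpd itself (disable_vrfy_command = no).
  # NOTE(review): VRFY lets a remote client probe which addresses exist;
  # consider disable_vrfy_command = yes unless something depends on it.
  disable_vrfy_command = no
  postscreen_disable_vrfy_command = yes
  postscreen_forbidden_commands = VRFY, $smtpd_forbidden_commands

  # Permanent allow/deny list. Only permit_mynetworks is listed.
  # NOTE(review): mynetworks is set to an empty value in this file, so
  # presumably no client is exempted from the tests -- confirm that is intended.
  postscreen_access_list = permit_mynetworks
  postscreen_blacklist_action = drop

  # DNSBL scoring: a client is refused once its combined score reaches 3.
  # zen.spamhaus.org counts double (*2); every other list counts 1, and the
  # "=127.0.0.[a..b]" filters restrict which reply codes count at all.
  # Continuation lines must start with whitespace.
  postscreen_dnsbl_action = enforce
  postscreen_dnsbl_ttl = 1d
  postscreen_dnsbl_threshold = 3
  postscreen_dnsbl_sites =
      zen.spamhaus.org*2,
      dnsbl.sorbs.net=127.0.0.[2..12],
      dnsbl.dronebl.org=127.0.0.[1..30],
      bl.spamcop.net,
      b.barracudacentral.org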
  64.  
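  # If anything gets past postscreen, it might be legitimate mail. We impose many
  # restrictions on the submitter at this point. Note the 'check_policy_service'
  # that uses postgrey. This will soft reject any mail from an unknown sender
  # the first time for 60 seconds, accepting it later if it is sent again --
  # since most spammers never attempt but once.
  #
  # Every multi-line list below relies on its continuation lines starting with
  # whitespace; without the indentation each entry would be read as a separate
  # (invalid) line.

  # Require HELO/EHLO and refuse malformed, non-FQDN or unresolvable names.
  # reject_invalid_hostname is the older name of reject_invalid_helo_hostname,
  # so those two entries perform the same check.
  smtpd_helo_required = yes
  smtpd_helo_restrictions =
      reject_invalid_hostname,
      reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname,
      reject_unknown_helo_hostname,
      permit

  # NOTE(review): here and in smtpd_relay_restrictions below,
  # reject_unauth_destination stands alone, with no permit_sasl_authenticated
  # or permit_mynetworks in front of it. As written, authenticated users cannot
  # relay to outside domains through any service that uses these values --
  # presumably the submission service overrides them with -o in master.cf
  # (not shown here); verify.
  smtpd_client_restrictions =
      reject_unauth_destination

  # Authenticated senders are accepted first and skip the remaining checks.
  # Everyone else must pass the syntax, DNS, access-map and greylisting tests.
  smtpd_recipient_restrictions =
      permit_sasl_authenticated,
      reject_invalid_helo_hostname,
      reject_invalid_hostname,
      reject_non_fqdn_helo_hostname,
      reject_non_fqdn_recipient,
      reject_non_fqdn_sender,
      reject_unauth_destination,
      reject_unauth_pipelining,
      reject_unknown_recipient_domain,
      # reject_unknown_reverse_client_hostname,
      reject_unknown_sender_domain,
      check_client_access pcre:/etc/postfix/client_access,
      check_recipient_access hash:/etc/postfix/denied_recipients,
      check_policy_service unix:/var/spool/postfix/postgrey/socket,
      permit

  # Relay control: refuse any recipient this server is not the destination for.
  smtpd_relay_restrictions =
      reject_unauth_destination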
  98.  
  # If the mail reaches here, impose further limits on the sender.

  # Per-client connection caps: simultaneous connections, and new connections
  # per rate time unit.
  smtpd_client_connection_count_limit = 10
  smtpd_client_connection_rate_limit = 60

  # Error handling within one session: delay replies after errors, and hang up
  # once the hard limit is reached.
  smtpd_error_sleep_time = 5s
  smtpd_soft_error_limit = 10
  smtpd_hard_error_limit = 20
  106.  
  # Apply any milters, for further mail checking. We are checking DKIM and
  # DMARC.

  # The same two local milters handle mail arriving over SMTP and mail injected
  # locally (non_smtpd_milters).
  smtpd_milters = inet:localhost:8891, inet:localhost:8893
  non_smtpd_milters = inet:localhost:8891, inet:localhost:8893

  # Fail closed: when a milter is unavailable the message is refused with a
  # temporary error rather than accepted unchecked.
  milter_default_action = tempfail
  113.  
  # Set some strictness settings. After the mail has been queued, perform header
  # checks (for example, checking headers added by SpamAssassin) to further
  # clear out junk mail.

  # Insist on RFC 821 style envelope addresses.
  strict_rfc821_envelopes = yes

  # Reply with permanent 5xx codes for unknown addresses, clients, hostnames
  # and local recipients.
  unknown_local_recipient_reject_code = 550
  unknown_hostname_reject_code = 554
  unknown_client_reject_code = 554
  unknown_address_reject_code = 554

  # PCRE patterns matched against message headers.
  header_checks = pcre:/etc/postfix/header_checks
  124.  
  # Identify the mail addresses we receive for, and what their destinations are,
  # whether local or remote.

  # Virtual aliases: rewrite recipient addresses to their local or remote
  # destinations.
  virtual_alias_maps = hash:/etc/postfix/virtual

  # Local aliases: alias_maps is consulted at delivery time, alias_database is
  # the table that newaliases rebuilds. Both point at the same file.
  alias_database = hash:/etc/aliases
  alias_maps = hash:/etc/aliases
  131.  
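  # If not destined for us, quickly reject any mail not from us

  # login_maps ties each envelope sender address to the SASL login(s) allowed
  # to use it. reject_sender_login_mismatch then refuses a MAIL FROM address
  # that is used by the wrong login, or without any login at all, which stops
  # outsiders from submitting mail as one of our own addresses.
  smtpd_sender_login_maps = hash:/etc/postfix/login_maps

  # Continuation lines must start with whitespace to stay part of this list.
  smtpd_sender_restrictions =
      reject_unknown_sender_domain,
      reject_sender_login_mismatch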
  138.  
  # For truly local mail (going to a file), specify limits.

  # Size caps in bytes: 50 MiB per message, 1 GiB per mailbox.
  message_size_limit = 52428800
  mailbox_size_limit = 1073741824

  # Deliver straight into the spool directory; no external delivery command.
  mailbox_command =
  mail_spool_directory = /var/spool/mail/
  145.  
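  # For outbound mail from this server, use TLS when connecting to certain
  # destinations.

  # Opportunistic TLS for every destination: encrypt when the remote server
  # offers STARTTLS, otherwise send in the clear. This is written with
  # smtp_tls_security_level, the current spelling of the deprecated
  # "smtp_use_tls = yes"; both request the same behaviour.
  smtp_tls_security_level = may

  # Per-destination overrides (for example to require encryption or to verify
  # certificates for selected domains) come from this table.
  smtp_tls_policy_maps = hash:/etc/postfix/tls_policy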
  151.  
  # Also use rate limiting when sending to Gmail, since they have a tendency to
  # blacklist us if we send too often.

  # Limits for the delivery transport named "smtp-gmail": one delivery at a
  # time, at most two recipients per message, 12 seconds between deliveries.
  # NOTE(review): the transport itself is presumably defined in master.cf and
  # selected through the transport map below; neither is shown here.
  smtp-gmail_initial_destination_concurrency = 1
  smtp-gmail_destination_concurrency_limit = 1
  smtp-gmail_destination_recipient_limit = 2
  smtp-gmail_destination_rate_delay = 12s

  transport_maps = pcre:/etc/postfix/transport
  161.  
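  # SMTPD TLS settings

  # Server certificate, private key and CA bundle.
  # NOTE(review): the private key file should be readable by root only --
  # verify its ownership and mode on the host.
  smtpd_tls_cert_file = /etc/pki/tls/certs/mail.johnwiegley.com.crt
  smtpd_tls_key_file = /etc/pki/tls/private/mail.johnwiegley.com.key
  smtpd_tls_CAfile = /etc/pki/tls/certs/ca.crt

  # Offer STARTTLS to every client without requiring it (opportunistic).
  # smtpd_tls_security_level takes precedence over the legacy smtpd_use_tls
  # switch, so that deprecated parameter is not set here.
  smtpd_tls_security_level = may

  # Only offer SASL AUTH once the session is encrypted, so credentials never
  # cross the network in the clear.
  smtpd_tls_auth_only = yes

  # Log a summary line for each TLS handshake.
  smtpd_tls_loglevel = 1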
  171.  
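  # Mail Server DNS
  #
  # NOTE(review): compare this listing with the live zones. As written here:
  #  - the v=DMARC1 records sit on bare host/domain names, whereas receivers
  #    look up DMARC policy at _dmarc.<domain>;
  #  - the DKIM/DMARC tags are not separated by ';' (e.g. "...gmail.comruf=..."),
  #    and one DKIM value starts with "=DKIM1" instead of "v=DKIM1";
  #  - DKIM keys are only fetched from <selector>._domainkey.<domain>; the same
  #    public key is published under every name for both domains, and its
  #    length matches a 1024-bit RSA key (2048-bit is the usual minimum today);
  #  - p=none and SPF "~all" only monitor / soft-fail, nothing is enforced.
  #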
  174. # johnwiegley.com
  175. #
  176. # TXT mail.johnwiegley.com v=DMARC1 p=none fo=1 rua=mailto:jwiegley@gmail.comruf=mailto:jwiegley@gmail.com 86400
  177. # TXT johnwiegley.com v=DMARC1 p=none fo=1 rua=mailto:jwiegley@gmail.comruf=mailto:jwiegley@gmail.com 86400
  178. # TXT mail.johnwiegley.com google-site-verification=FAs6ff9vmjBZgw7A7D7IAnkLMEX5hT4SGSdlozMHeNc 86400
  179. # TXT mail.johnwiegley.com v=DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  180. # TXT default._domainkey.johnwiegley.com v=DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  181. # TXT mail._domainkey.johnwiegley.com =DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  182. # TXT mail v=DMARC1 p=none fo=1 rua=mailto:jwiegley@gmail.comruf=mailto:jwiegley@gmail.com 86400
  183. # TXT mail.johnwiegley.com v=spf1 a mx a:mail.johnwiegley.com include:_spf.google.com ip4:208.82.102.85 ~all 86400
  184. # SOA johnwiegley.com ns1.dnsptr.net dnsadmin.serveraxis.com 1 10800 3600 86400 3600 86400
  185. # NS johnwiegley.com ns2.dnsptr.net 86400
  186. # NS johnwiegley.com ns1.dnsptr.net 86400
  187. # MX johnwiegley.com mail.johnwiegley.com 86400 5
  188. # MX johnwiegley.com mail.johnwiegley.com 86400 10
  189. # CNAME www.johnwiegley.com johnwiegley.com 86400
  190. # AAAA johnwiegley.com 2607:f2e0:f:712::2 86400
  191. # AAAA mail.johnwiegley.com 2607:f2e0:f:712::2 86400
  192. # A mail.johnwiegley.com 208.82.102.85 86400
  193. # A johnwiegley.com 208.82.102.85 86400
  194. #
  195. # newartisans.com
  196. #
  197. # TXT google._domainkey.newartisans.com v=DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  198. # TXT default._domainkey.newartisans.com v=DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  199. # TXT newartisans.com google-site-verification=lAc7zvsKnx017J7VvTys76z-NPnMh74cC8RYYswmHl0 86400
  200. # TXT newartisans.com v=DKIM1 k=rsa p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcZpTVz3AKFoxLXA6UrXkepXxzZTkLvYZdRmNnwlTPNLV+fHmmXz/el0jeOuCNHpOzdxnSLrz5piDkit8WMI5EGowWCV0g+IEvnAF23wIogbi2s6vtAeCcSDInXsg5gJQNj5R6iKmjQeYfzBazXwJs6/50tS8B5gRlNSyreiWyzQIDAQAB 86400
  201. # TXT newartisans.com v=spf1 a mx a:mail.johnwiegley.com include:_spf.google.com ip4:208.82.102.85 ~all 86400
  202. # TXT newartisans.com v=DMARC1 p=none fo=1 rua=mailto:jwiegley@gmail.comruf=mailto:jwiegley@gmail.com 86400
  203. # SOA newartisans.com ns1.dnsptr.net dnsadmin.serveraxis.com 1 10800 3600 86400 3600 86400
  204. # NS newartisans.com ns1.dnsptr.net 86400
  205. # NS newartisans.com ns2.dnsptr.net 86400
  206. # MX newartisans.com mail.johnwiegley.com 86400 5
  207. # MX newartisans.com mail.johnwiegley.com 86400 10
  208. # CNAME www.newartisans.com newartisans.com 86400
  209. # CNAME ftp.newartisans.com newartisans.com 86400
  210. # AAAA newartisans.com 2607:f2e0:f:712::2 86400
  211. # A newartisans.com 208.82.102.85 86400
  212. #
  213. # Reverse DNS
  214. #
  215. # 208.82.102.85 mail.johnwiegley.com 86400
  216. # 2607:f2e0:f:712::2 mail.johnwiegley.com 86400