- Apr 4 14:45:52 vps380342 dovecot: managesieve-login: Error: read(anvil) failed: EOF
- Apr 4 14:45:52 vps380342 dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
- status=deferred (delivery temporarily suspended: TLS is required, but was not offered by host [private/dovecot-lmtp])
- Apr 4 14:39:46 vps380342 postfix/smtpd[2127]: Anonymous TLS connection established from xxxl.de[217.182.129.14]: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
- # Dovecot configuration: IMAP, ManageSieve and LMTP (see "protocols" below) with an
- # SQL passdb/userdb and the quota, acl, mail_log, notify and sieve plugins.
- # Only plaintext mechanisms are offered; with disable_plaintext_auth = yes they are
- # usable only on TLS (or otherwise secured) connections.
- auth_mechanisms = plain login
- disable_plaintext_auth = yes
- login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
- mail_home = /var/vmail/%d/%n
- mail_location = maildir:~/Maildir:LAYOUT=fs
- mail_uid = vmail
- mail_gid = vmail
- # notify is required by mail_log. mail_log in this setup reports DELETE and EXPUNGE (see further below)
- mail_plugins = quota acl mail_log notify
- # Allowlist of characters accepted in login names ("0" is listed twice, which is harmless).
- # Rejects unexpected input before it reaches the SQL passdb below.
- auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
- # NOTE(review): this still permits TLSv1.0/1.1, whereas the Postfix smtpd_tls_protocols on
- # this page also excludes them; consider aligning (add !TLSv1 !TLSv1.1, or ssl_min_protocol
- # on Dovecot 2.3+ — the Dovecot version in use is not visible here).
- ssl_protocols = !SSLv2 !SSLv3
- # ECDHE/DHE with AES-128 only (forward secrecy); the server's preference order wins.
- ssl_cipher_list = AES128+EECDH:AES128+EDH
- ssl_prefer_server_ciphers = yes
- log_timestamp = "%Y-%m-%d %H:%M:%S "
- # Passwords are verified against MySQL. The referenced file carries the DB credentials
- # in clear (see its connect= line), so its permissions matter — they are not shown here.
- passdb {
- args = /etc/dovecot/dovecot-mysql.conf
- driver = sql
- }
- # The "namespace separator" should be "/", because together with the ACL there would be conflicts if the username contains the character ".".
- namespace inbox {
- inbox = yes
- location =
- separator = /
- # special_use flags let clients find the right folder regardless of the (localized) name;
- # "auto = subscribe" creates and subscribes the canonical English folder on first login.
- mailbox Trash {
- auto = subscribe
- special_use = Trash
- }
- mailbox "Deleted Messages" {
- special_use = Trash
- }
- mailbox "Gelöschte Objekte" {
- special_use = Trash
- }
- mailbox "Papierkorb" {
- special_use = Trash
- }
- mailbox Archive {
- auto = subscribe
- special_use = Archive
- }
- mailbox Archiv {
- special_use = Archive
- }
- mailbox Sent {
- auto = subscribe
- special_use = Sent
- }
- mailbox "Sent Messages" {
- special_use = Sent
- }
- mailbox "Gesendet" {
- special_use = Sent
- }
- mailbox Drafts {
- auto = subscribe
- special_use = Drafts
- }
- mailbox Entwürfe {
- special_use = Drafts
- }
- mailbox Junk {
- auto = subscribe
- special_use = Junk
- }
- prefix =
- }
- # This namespace is required for the ACL extension.
- # Shared folders appear automatically in the folder list.
- # %%u / %%h are the owner's username / home (doubled % because this is expanded per
- # shared user, not at config time); private index data lives under the accessing user.
- namespace {
- type = shared
- separator = /
- prefix = Shared/%%u/
- location = maildir:%%h/Maildir:LAYOUT=fs:INDEXPVT=~/Maildir/Shared/%%u
- subscriptions = yes
- list = yes
- }
- # No POP3; ManageSieve and LMTP are enabled in addition to IMAP.
- protocols = imap sieve lmtp
- # Dict proxy socket, restricted to the vmail user/group.
- # Nothing else on this page references it — presumably for dict-based lookups.
- service dict {
- unix_listener dict {
- mode = 0660
- user = vmail
- group = vmail
- }
- }
- service auth {
- # Socket Postfix uses for SASL (smtpd_sasl_path = private/auth_dovecot in main.cf);
- # owned by postfix, group-writable so the chrooted smtpd can reach it.
- unix_listener /var/spool/postfix/private/auth_dovecot {
- group = postfix
- mode = 0660
- user = postfix
- }
- # auth-master is used by the LMTP/LDA side (auth_socket_path below); vmail only.
- unix_listener auth-master {
- mode = 0600
- user = vmail
- }
- unix_listener auth-userdb {
- mode = 0600
- user = vmail
- }
- # NOTE(review): the auth service runs as root, although the only passdb/userdb on this
- # page is SQL, which does not need root privileges — confirm whether the default
- # internal user would do (least privilege for the process that handles credentials).
- user = root
- }
- # ManageSieve on TCP 4190 on every IPv4 interface (listen = * below); since plaintext
- # auth is disabled, logins require TLS. service_count = 1 means one login process per
- # connection (Dovecot's high-security mode); two spare processes are kept ready.
- service managesieve-login {
- inet_listener sieve {
- port = 4190
- }
- service_count = 1
- process_min_avail = 2
- vsz_limit = 128M
- }
- service managesieve {
- process_limit = 256
- }
- # LMTP socket for Postfix (virtual_transport in main.cf); owned by postfix, 0600.
- # NOTE(review): the Postfix "lmtps" transport on this page enforces STARTTLS on this
- # socket, and the deferred-delivery log line at the top ("TLS is required, but was not
- # offered by host [private/dovecot-lmtp]") shows Dovecot did not offer it. Whether this
- # Dovecot build offers STARTTLS on LMTP is not visible here (no "ssl =" line, no version).
- # Either enable it, or deliver over the plain local unix socket ("lmtp:" instead of
- # "lmtps:" in virtual_transport), where TLS on a same-host socket adds little.
- service lmtp {
- unix_listener /var/spool/postfix/private/dovecot-lmtp {
- group = postfix
- mode = 0600
- user = postfix
- }
- user = vmail
- }
- # All IPv4 interfaces (no "::", matching inet_protocols = ipv4 on the Postfix side).
- listen = *
- # "<" reads the file contents. $MYDOMAIN is presumably a template placeholder filled in
- # at deploy time; the certificate is shared with nginx.
- ssl_cert = </etc/nginx/ssl/$MYDOMAIN.pem
- ssl_key = </etc/nginx/ssl/$MYDOMAIN.key.pem
- userdb {
- args = /etc/dovecot/dovecot-mysql.conf
- driver = sql
- }
- protocol imap {
- mail_plugins = quota imap_quota imap_acl acl mail_log notify
- }
- # LMTP runs as vmail (service lmtp above) and talks to the auth-master socket, which is
- # owned by vmail with mode 0600 — consistent.
- protocol lmtp {
- mail_plugins = quota sieve acl notify
- auth_socket_path = /var/run/dovecot/auth-master
- postmaster_address = postmaster@$MYDOMAIN
- }
- protocol sieve {
- managesieve_logout_format = bytes=%i/%o
- }
- protocol lda {
- mail_plugins = sieve quota acl notify
- postmaster_address = postmaster@$MYDOMAIN
- }
- plugin {
- # Events written to the log by mail_log (see the notify comment above).
- mail_log_events = delete undelete expunge
- # To create quasi-public folders for authenticated users via ACL
- # NOTE(review): with "allow", any user may grant "anyone" rights on a folder, i.e.
- # expose it to every account on this server. Intended here per the comment above.
- acl_anyone = allow
- # Managed automatically; holds an overview of the shares
- acl_shared_dict = file:/var/vmail/shared-mailboxes.db
- # In each mailbox Dovecot maintains a file that governs the shares
- acl = vfile
- # Quota is tracked in the maildirsize file of each Maildir.
- quota = maildir:User quota
- # The folders Trash and Sent get +10% on top of the quota ("%%" is a literal "%")
- quota_rule = Trash:storage=+10%%
- quota_rule = Sent:storage=+10%%
- # Per-user Sieve filters live in the home directory
- sieve = ~/sieve/dovecot.sieve
- sieve_dir = ~/sieve
- # The global filter outside of it, run before the user's script
- sieve_before = /var/vmail/before.sieve
- # 1 MiB per script; the two quota settings at 0 presumably mean "no limit" on the
- # number/size of scripts a user may store — confirm against the Pigeonhole version.
- sieve_max_script_size = 1M
- sieve_quota_max_scripts = 0
- sieve_quota_max_storage = 0
- # Continue even if the quota cannot be determined
- # Applies to the Postfix policy service provided by Dovecot
- # DUNNO lets Postfix continue with the next restriction; over quota is a permanent 552
- # at RCPT time, so the message is refused instead of accepted and bounced later.
- quota_status_success = DUNNO
- quota_status_nouser = DUNNO
- quota_status_overquota = "552 5.2.2 Mailbox is over quota"
- }
- # Postfix policy server backing "check_policy_service unix:private/quota-status" in
- # main.cf (-p postfix selects the Postfix policy protocol). One client per process.
- service quota-status {
- executable = quota-status -p postfix
- unix_listener /var/spool/postfix/private/quota-status {
- group = postfix
- mode = 0660
- user = postfix
- }
- client_limit = 1
- }
- # /etc/dovecot/dovecot-mysql.conf (the args= file of passdb and userdb above).
- driver = mysql
- # DB credentials in clear text; this file should be readable by root/dovecot only (its
- # mode is not shown on this page). "host=localhost" normally makes the MySQL client use
- # the unix socket, whereas the Postfix map files on this page use 127.0.0.1 over TCP.
- connect = "host=localhost dbname=vimbadmin user=vimbadmin password=$VIMB_MYSQL_PASS"
- # Scheme assumed for stored hashes without a {SCHEME} prefix: salted SHA-512 crypt.
- default_pass_scheme = SHA512-CRYPT
- # %Lu = login name lowercased, %Us = service name uppercased (e.g. IMAP, SIEVE, LMTP).
- # Dovecot escapes these variables before inserting them into the query.
- # access_restriction is a per-account service allowlist ('ALL' or a substring match
- # via LOCATE). NOTE(review): home/mail/uid/gid/quota_rule returned here appear to
- # duplicate the userdb query below; passdb-returned fields only act as userdb fields
- # when prefixed with userdb_ — presumably harmless, but confirm they are needed.
- password_query = SELECT username as user, password as password,
- homedir AS home,
- maildir AS mail, uid, gid,
- concat('*:bytes=', quota) as quota_rule
- FROM mailbox WHERE username = '%Lu' AND active = '1'
- AND ( access_restriction = 'ALL' OR LOCATE( '%Us', access_restriction ) > 0 )
- # Userdb lookup (LMTP delivery, doveadm). NOTE(review): uses %u rather than the
- # lowercased %Lu of password_query; fine if the column collation is case-insensitive —
- # confirm, since auth_username_chars admits upper-case letters.
- user_query = SELECT homedir AS home,
- maildir AS mail, uid, gid,
- concat('*:bytes=', quota) as quota_rule
- FROM mailbox WHERE username = '%u'
- # Lets doveadm enumerate all users.
- iterate_query = SELECT username FROM mailbox;
- /etc/postfix/main.cf
- # Postfix main.cf: TLS, SASL via Dovecot, virtual delivery over LMTP, MySQL maps,
- # postscreen. master.cf overrides for the individual services follow below.
- # SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
- smtpd_banner = $myhostname
- # Disable local biff service
- biff = no
- # Do not append the string $mydomain to -locally- submitted email.
- append_dot_mydomain = no
- # Readme directory
- readme_directory = /usr/share/doc/postfix
- # HTML directory
- html_directory = /usr/share/doc/postfix/html
- # Certificates (shared with nginx; the key must stay readable by root only)
- smtpd_tls_cert_file = /etc/nginx/ssl/domain.tld.pem
- smtpd_tls_key_file = /etc/nginx/ssl/domain.tld.key.pem
- # Opportunistic TLS. TLS auth only.
- # Together: AUTH is advertised only after STARTTLS, so credentials never cross the wire
- # in clear even though encryption itself is optional for plain mail exchange.
- smtpd_tls_security_level=may
- smtpd_tls_auth_only=yes
- # TLS session cache for SMTPd
- smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
- # Disallow SSLv2 and SSLv3, only accept secure ciphers
- # (TLSv1.0/1.1 are excluded as well; the Dovecot ssl_protocols on this page still allow them.)
- smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
- smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
- # The "medium" grade is redefined below to ECDHE/DHE + AES-128 only. smtpd_tls_ciphers
- # (opportunistic sessions) is not set here; presumably it keeps its "medium" default — confirm.
- smtpd_tls_mandatory_ciphers=medium
- tls_medium_cipherlist = AES128+EECDH:AES128+EDH
- # Log TLS handling
- smtpd_tls_loglevel = 1
- smtp_tls_loglevel = 1
- # Delay reject until RCPT TO
- smtpd_delay_reject = yes
- # Enable elliptic curve cryptography, "ultra" needs more cpu time
- smtpd_tls_eecdh_grade = strong
- # Sender, recipient, client and data restrictions
- # !! non-FQDN HELOs are rejected on Port 25 only, see master.cf
- # Authenticated users, even inside "mynetworks", may only send from the addresses that belong to them.
- # (Order matters: this mismatch check runs before permit_mynetworks, which is why it
- # applies to authenticated clients on the loopback networks too.)
- smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
- # Only now is "mynetworks" allowed
- # Unauthenticated users such as the cron service can thus still send mail, e.g.
- # as cron@fqdn
- permit_mynetworks,
- # Forbid other unauthenticated users from using any address.
- reject_sender_login_mismatch,
- # Now allow all authenticated users.
- permit_sasl_authenticated,
- # Reject senders that do not exist in the system
- reject_unlisted_sender,
- # Reject if the sender domain does not exist
- reject_unknown_sender_domain
- # Accept every recipient given by an authenticated sender or a sender from "mynetworks"
- smtpd_recipient_restrictions = permit_sasl_authenticated,
- permit_mynetworks,
- # Interface to Dovecot to check the quota live (prevents bounces)
- # NOTE(review): every recipient from an unauthenticated client — including relay
- # probes — reaches this policy lookup before reject_unauth_destination; placing
- # reject_unauth_destination ahead of the policy service would spare Dovecot those lookups.
- check_policy_service unix:private/quota-status,
- # Reject if the HELO FQDN cannot be resolved
- reject_unknown_helo_hostname,
- # Reject if NO PTR exists for this IP
- # Does not cause a WRONG PTR to be rejected!
- # For that, "reject_unknown_client_hostname" would be used.
- reject_unknown_reverse_client_hostname,
- # No open relay
- reject_unauth_destination
- # Unauthenticated users may not "pipeline" their commands
- smtpd_data_restrictions =
- reject_unauth_pipelining,
- permit
- # A sort of table with existing identities and their affiliations
- # (which SASL login may use which sender address; backed by the alias table via proxymap)
- smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_alias_maps.cf
- # Certificates
- smtp_tls_cert_file = /etc/nginx/ssl/domain.tld.pem
- smtp_tls_key_file = /etc/nginx/ssl/domain.tld.key.pem
- # Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
- smtp_tls_security_level=may
- # TLS session cache for SMTP
- smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
- # A custom list with secure ciphers.
- # On this page only the lmtps transport (lmtp_tls_*_ciphers=high in master.cf) uses this
- # list. "+SSLv3" in an OpenSSL cipher string only demotes the SSLv3-era suites to the end
- # of the list; it does not enable the protocol. NOTE(review): "!ECDSA" excludes all
- # ECDSA-authenticated suites — the log line at the top shows smtpd negotiating an
- # ECDHE-ECDSA suite with a certificate from the same /etc/nginx/ssl directory, so if
- # Dovecot presents that ECDSA certificate on LMTP, the lmtps handshake would have no
- # cipher in common. Confirm the certificate type before relying on lmtps.
- tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
- # Use the FQDN for the local hostname!
- myhostname = mail.domain.tld
- # Alias maps and database for -local- delivery only
- alias_maps = hash:/etc/aliases
- alias_database = hash:/etc/aliases
- # The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
- myorigin = mail.domain.tld
- # The list of domains that are delivered via the -local- mail delivery transport. No external domains like "domain.tld" belong here! "mail.domain.tld" is fine.
- mydestination = mail.domain.tld, localhost
- # We lookup MX records to send non-local mail, so this stays empty
- relayhost =
- # Trusted SMTP clients with more privileges. Trusted clients can relay mail.
- # Loopback only, so every permit_mynetworks above effectively means "this host"
- # (local submission and the content-filter reinjection in master.cf).
- mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- # The maximal size of any -local- individual mailbox
- mailbox_size_limit = 0
- # The maximal size of any -virtual- individual mailbox
- virtual_mailbox_limit = 0
- # Handle Postfix-style extensions
- recipient_delimiter = +
- # The network interface addresses that this mail system receives mail on.
- inet_interfaces = all
- # Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
- inet_protocols = ipv4
- # VRFY command is not really needed anymore (and would allow address enumeration)
- disable_vrfy_command = yes
- # Please say hello first...
- smtpd_helo_required = yes
- # The SASL plug-in type that the Postfix SMTP server should use for authentication.
- smtpd_sasl_type=dovecot
- # Where to passthrough our authentication information for the above plug-in
- # (relative to the Postfix queue directory; matches the Dovecot auth listener)
- smtpd_sasl_path=private/auth_dovecot
- # Enable SASL authentication in the Postfix SMTP server.
- # NOTE(review): this is global, so AUTH is offered on port 25 as well as on submission
- # (only after STARTTLS, because of smtpd_tls_auth_only above). The submission service in
- # master.cf does not additionally mandate TLS; see the note there.
- smtpd_sasl_auth_enable = yes
- # Report the SASL authenticated user name in the smtpd Received message header.
- smtpd_sasl_authenticated_header = yes
- # Have Postfix advertise AUTH support in a non-standard way.
- broken_sasl_auth_clients = yes
- # The lookup tables that the proxymap server is allowed to access for the read-only service.
- # $smtpd_sender_login_maps is appended because it is queried via proxy: above.
- proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
- ## Virtual transport configuration
- # A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
- virtual_mailbox_base = /
- # THIS contains a list of domains we are the final destination for (unlike "mydestination").
- virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_domains_maps.cf
- # Alias specific mail addresses or domains to other local or remote address.
- virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_alias_maps.cf
- # Specify a left-hand side of "@domain.tld" to match any user in the specified domain
- virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/postfix-mysql-virtual_mailbox_maps.cf
- # The minimum user ID value that the virtual delivery agent accepts
- virtual_minimum_uid = 5000
- # We use "vmail" user with UID/GID 5000 to lookup tables
- virtual_uid_maps = static:5000
- virtual_gid_maps = static:5000
- # The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
- # "lmtps" is the custom master.cf service with enforced STARTTLS; see the note there and
- # the "TLS is required, but was not offered" log line at the top of this page.
- virtual_transport = lmtps:unix:private/dovecot-lmtp
- # Queried directly, not via proxy: (it is in proxy_read_maps, so proxy: would also work).
- transport_maps = mysql:/etc/postfix/mysql/postfix-mysql-virtual_transport_maps.cf
- ## Queue configuration
- # Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
- maximal_queue_lifetime = 1d
- # Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
- bounce_queue_lifetime = 1d
- # The time between deferred queue scans by the queue manager.
- queue_run_delay = 300s
- # The maximal/minimal time between attempts to deliver a deferred message.
- maximal_backoff_time = 1800s
- minimal_backoff_time = 300s
- # Maximum mail size (500 MiB)
- # NOTE(review): large for a pre-queue proxy filter setup; the filter on 127.0.0.1:10024
- # must accept the same size or the client sees an error after the full upload.
- message_size_limit = 524288000
- # This tarpits a client after 3 erroneous commands for 10s
- # Hard limit: 1 error under stress, otherwise 5 (${name?value}/${name:value} syntax).
- smtpd_soft_error_limit = 3
- smtpd_error_sleep_time = 10s
- smtpd_hard_error_limit = ${stress?1}${stress:5}
- ## postscreen (the "smtp inet ... postscreen" listener itself is not on this page)
- # Loopback clients skip the postscreen tests.
- postscreen_access_list = permit_mynetworks
- # Drop connections from blacklisted servers with a 521 reply
- # (applies to access-list reject entries; the list above only permits, so presumably unused)
- postscreen_blacklist_action = drop
- # Clean Postscreen cache after 24h
- postscreen_cache_cleanup_interval = 24h
- postscreen_dnsbl_ttl = 5m
- # Weighted DNSBL scoring: a client whose summed weights reach 8 is rejected ("enforce"
- # logs it and answers 550). Negative weights below act as allowlists.
- postscreen_dnsbl_threshold = 8
- postscreen_dnsbl_action = enforce
- postscreen_dnsbl_sites =
- b.barracudacentral.org=127.0.0.2*7
- dnsbl.inps.de=127.0.0.2*7
- bl.mailspike.net=127.0.0.2*5
- bl.mailspike.net=127.0.0.[10;11;12]*4
- dnsbl.sorbs.net=127.0.0.10*8
- dnsbl.sorbs.net=127.0.0.5*6
- dnsbl.sorbs.net=127.0.0.7*3
- dnsbl.sorbs.net=127.0.0.8*2
- dnsbl.sorbs.net=127.0.0.6*2
- dnsbl.sorbs.net=127.0.0.9*2
- zen.spamhaus.org=127.0.0.[10;11]*8
- zen.spamhaus.org=127.0.0.[4..7]*6
- zen.spamhaus.org=127.0.0.3*4
- zen.spamhaus.org=127.0.0.2*3
- hostkarma.junkemailfilter.com=127.0.0.2*3
- hostkarma.junkemailfilter.com=127.0.0.4*1
- hostkarma.junkemailfilter.com=127.0.1.2*1
- wl.mailspike.net=127.0.0.[18;19;20]*-2
- hostkarma.junkemailfilter.com=127.0.0.1*-2
- # Pregreet test: clients that talk before the banner (after a 3 s wait) are rejected;
- # a passing result is remembered for 2 days.
- postscreen_greet_banner = $smtpd_banner
- postscreen_greet_action = enforce
- postscreen_greet_wait = 3s
- postscreen_greet_ttl = 2d
- # Deep protocol tests are off (the defaults): enabling them would force a temporary
- # reject of each new client's first delivery attempt.
- postscreen_bare_newline_enable = no
- postscreen_non_smtp_command_enable = no
- postscreen_pipelining_enable = no
- # Shared via proxymap so that postscreen does not need write access to the directory.
- postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
- # Postfix master.cf (excerpt). Columns: service type private unpriv chroot wakeup maxproc
- # command; "-" means the default. The port-25 postscreen listener itself is not on this page.
- # Postscreen passes sane clients to the real SMTP daemon here.
- smtpd pass - - n - - smtpd
- # Reject non-FQDN HELOs on Port 25 (after passing postscreen process)
- -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
- # Pre-queue content filter (presumably amavis, per the reinjection comment below);
- # speed_adjust only connects to it once the whole message has been received.
- -o smtpd_proxy_filter=127.0.0.1:10024
- -o smtpd_client_connection_count_limit=10
- -o smtpd_proxy_options=speed_adjust
- # For mail submitting users. Authenticated clients and known networks only.
- # NOTE(review): this service inherits smtpd_tls_security_level=may from main.cf. AUTH is
- # still only offered after STARTTLS (smtpd_tls_auth_only), but submission is normally
- # pinned with "-o smtpd_tls_security_level=encrypt" so plaintext sessions cannot start
- # at all. A "-o syslog_name=postfix/submission" line would also let log-based monitoring
- # tell port-587 authentication events from port-25 traffic.
- # (The comment says "known networks", but the restriction below permits only SASL clients.)
- submission inet n - - - - smtpd
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o smtpd_proxy_filter=127.0.0.1:10025
- -o smtpd_client_connection_count_limit=10
- -o smtpd_proxy_options=speed_adjust
- # Handles TLS connections for postscreen to make them readable
- tlsproxy unix - - n - 0 tlsproxy
- # This implements an ad-hoc DNS white/blacklist lookup service
- dnsblog unix - - n - 0 dnsblog
- # Standard Postfix services (unchanged from the stock master.cf).
- pickup fifo n - - 60 1 pickup
- cleanup unix n - - - 0 cleanup
- qmgr fifo n - n 300 1 qmgr
- tlsmgr unix - - - 1000? 1 tlsmgr
- rewrite unix - - - - - trivial-rewrite
- bounce unix - - - - 0 bounce
- defer unix - - - - 0 bounce
- trace unix - - - - 0 bounce
- verify unix - - - - 1 verify
- flush unix n - - 1000? 0 flush
- proxymap unix - - n - - proxymap
- # proxywrite is needed for the proxy:btree postscreen cache in main.cf.
- proxywrite unix - - n - 1 proxymap
- smtp unix - - - - - smtp
- relay unix - - - - - smtp
- showq unix n - - - - showq
- error unix - - - - - error
- retry unix - - - - - error
- discard unix - - - - - discard
- local unix - n n - - local
- virtual unix - n n - - virtual
- lmtp unix - - - - - lmtp
- anvil unix - - - - 1 anvil
- scache unix - - - - 1 scache
- # LMTP with STARTTLS support, needs newer Dovecot versions
- # Used by virtual_transport = lmtps:unix:private/dovecot-lmtp in main.cf.
- # NOTE(review): the log line at the top of this page ("TLS is required, but was not
- # offered by host [private/dovecot-lmtp]") shows the Dovecot side is not offering
- # STARTTLS, so with security_level=encrypt all virtual delivery is deferred. Also:
- # at the "encrypt" level no certificate verification takes place, so lmtp_tls_CAfile
- # has no effect here; the protocol list still allows TLSv1.0/1.1, unlike smtpd's; and
- # "high" maps to the tls_high_cipherlist in main.cf, which excludes ECDSA suites.
- # The plain "lmtp" service above is the fallback if same-host TLS is not required.
- lmtps unix - - - - - lmtp
- -o lmtp_use_tls=yes
- -o lmtp_tls_loglevel=1
- -o lmtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
- -o lmtp_enforce_tls=yes
- -o lmtp_tls_mandatory_protocols=!SSLv2,!SSLv3
- -o lmtp_tls_protocols=!SSLv2,!SSLv3
- -o lmtp_tls_mandatory_ciphers=high
- -o lmtp_tls_ciphers=high
- -o lmtp_send_xforward_command=yes
- -o lmtp_tls_security_level=encrypt
- -o lmtp_tls_note_starttls_offer=yes
- # Amavis reinjection, at most 5 smtpd processes; must match the number of Amavis processes!
- # Loopback-only listener: all restrictions are cleared except "permit_mynetworks,reject"
- # with mynetworks narrowed to 127.0.0.0/8, so only local processes can reinject.
- # XFORWARD from loopback is accepted so the original client data survives the filter.
- 127.0.0.1:10035 inet n - - - 5 smtpd
- -o smtpd_authorized_xforward_hosts=127.0.0.0/8
- -o smtpd_client_restrictions=
- -o smtpd_helo_restrictions=
- -o smtpd_sender_restrictions=
- -o smtpd_recipient_restrictions=permit_mynetworks,reject
- -o smtpd_data_restrictions=
- -o mynetworks=127.0.0.0/8
- # Recipients were already validated on the way in; skip the check on reinjection.
- -o receive_override_options=no_unknown_recipient_checks
- # postfix-mysql-virtual_alias_maps.cf (virtual_alias_maps and smtpd_sender_login_maps).
- # Holds the DB password in clear; Postfix MySQL map files should be readable by
- # root and the postfix group only (mode not shown here). Postfix quotes and
- # escapes the %s lookup key before substituting it into the query.
- user = vimbadmin
- password = $VIMB_MYSQL_PASS
- hosts = 127.0.0.1
- dbname = vimbadmin
- query = SELECT goto FROM alias WHERE address = '%s' AND active = '1'
- user = vimbadmin
- password = $VIMB_MYSQL_PASS
- hosts = 127.0.0.1
- dbname = vimbadmin
- query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'
- # postfix-mysql-virtual_mailbox_maps.cf (virtual_mailbox_maps): same credentials as
- # the alias map above; the table/select_field/where_field form lets Postfix build
- # "SELECT maildir FROM mailbox WHERE username = '%s'" itself.
- user = vimbadmin
- password = $VIMB_MYSQL_PASS
- hosts = 127.0.0.1
- dbname = vimbadmin
- table = mailbox
- select_field = maildir
- where_field = username
- # postfix-mysql-virtual_transport_maps.cf (transport_maps): per-domain transport,
- # restricted to active primary domains via additional_conditions (appended verbatim
- # to the generated WHERE clause).
- user = vimbadmin
- password = $VIMB_MYSQL_PASS
- hosts = 127.0.0.1
- dbname = vimbadmin
- table = domain
- select_field = transport
- where_field = domain
- additional_conditions = and backupmx = '0' and active = '1'