Untitled

# SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname

# Disable local biff service
biff = no

# Do not append the string $mydomain to -locally- submitted email.
append_dot_mydomain = no

# Readme directory
readme_directory = /usr/share/doc/postfix

# HTML directory
html_directory = /usr/share/doc/postfix/html

# Certificates
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
smtpd_tls_key_file = /etc/ssl/mail/mail.key

# Opportunistic TLS. TLS auth only.
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes

# DH parameters, actually 2048 bit long
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem

# CA path for SMTP client connections to external servers
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# TLS session cache for SMTPd
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Disallow SSLv2 and SSLv3, only accept secure ciphers
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA

# Log TLS handling
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# Delay reject until RCPT TO
smtpd_delay_reject = yes

# Enable elliptic curve cryptography, "ultra" needs more cpu time
smtpd_tls_eecdh_grade = strong

# Default: Anonymize outgoing mail headers
smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre

# Sender, recipient, client and data restrictions
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
   permit_mynetworks,
   #reject_sender_login_mismatch,
   #permit_sasl_authenticated,
   #reject_unlisted_sender,
   #reject_unknown_sender_domain

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf,
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_invalid_helo_hostname,
   reject_unknown_reverse_client_hostname,
   reject_unauth_destination

smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit

smtpd_restriction_classes = greylist

greylist = permit_dnswl_client list.dnswl.org,
   check_policy_service inet:127.0.0.1:10023

# Determine valid MAIL FROM addresses for a SASL authenticated user.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf

# Sender dependent smtp service for TLS enforced connections
sender_dependent_default_transport_maps = proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf

# Certificates
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key

# Set a higher timeout for connecting, sending and receiving information from/to a proxy (FuGlu)
smtpd_proxy_timeout = 600s

# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
smtp_tls_security_level=may

# TLS session cache for SMTP
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# A custom list with secure ciphers.
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# Use the FQDN for the local hostname!
myhostname = mail.rocketshops.eu

# Alias maps and database for -local- delivery only
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
myorigin = /etc/mailname

# The list of domains that are delivered via the -local- mail delivery transport. No external domains like "rocketshops.eu" belong here! "mail.rocketshops.eu" is fine.
mydestination = mail.rocketshops.eu, localhost.rocketshops.eu, localhost

# We lookup MX records to send non-local mail, so this stays empty
relayhost =

# We relay for these domains
relay_domains= proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf

# Relay only for these accounts
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf

# Trusted SMTP clients with more privileges. Trusted clients can relay mail.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# The maximal size of any -local- individual mailbox
mailbox_size_limit = 0

# Handle Postfix-style extensions
recipient_delimiter = +

# The network interface addresses that this mail system receives mail on.
inet_interfaces = all

# Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
inet_protocols = all

# VRFY command is not really needed anymore
disable_vrfy_command = yes

# Please say hello first...
smtpd_helo_required = yes

# The SASL plug-in type that the Postfix SMTP server should use for authentication.
smtpd_sasl_type=dovecot

# Where to passthrough our authentication information for the above plug-in
smtpd_sasl_path=private/auth_dovecot

# Enable SASL authentication in the Postfix SMTP server.
smtpd_sasl_auth_enable = yes

# Report the SASL authenticated user name in the smtpd Received message header.
smtpd_sasl_authenticated_header = yes

# Have Postfix advertise AUTH support in a non-standard way.
broken_sasl_auth_clients = yes

# The lookup tables that the proxymap server is allowed to access for the read-only service.
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

## Virtual transport configuration
# A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
virtual_mailbox_base = /var/vmail/

# THIS contains a list of domains we are the final destination for (unlike "mydestination").
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf

# Alias specific mail addresses or domains to other local or remote address.
virtual_alias_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

# Specify a left-hand side of "@rocketshops.eu" to match any user in the specified domain
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

# The minimum user ID value that the virtual delivery agent accepts
virtual_minimum_uid = 104

# We use "vmail" user with UID/GID 5000 to lookup tables
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
virtual_transport = lmtp:unix:private/dovecot-lmtp

## Queue configuration
# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
maximal_queue_lifetime = 1d

# Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
bounce_queue_lifetime = 1d

# The time between deferred queue scans by the queue manager.
queue_run_delay = 300s

# The maximal/minimal time between attempts to deliver a deferred message.
maximal_backoff_time = 1800s
minimal_backoff_time = 300s

# Maximum mail size
message_size_limit = 26214400

# This tarpits a client after 3 erroneous commands for 10s
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}

# Feel free to maintain a white-/blacklist for Postscreen
postscreen_access_list = permit_mynetworks,
  cidr:/etc/postfix/postscreen_access.cidr

# Drop connections from blacklisted servers with a 521 reply
postscreen_blacklist_action = drop

# Clean Postscreen cache after 24h
postscreen_cache_cleanup_interval = 24h

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_greet_banner = $smtpd_banner
postscreen_greet_action = enforce
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache

# We need milter support for OpenDKIM
milter_protocol = 6
milter_default_action = accept

# Hard-fail missing TLS when enabled for a user
plaintext_reject_code = 550