trupsalms

Untitled

May 7th, 2022
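  # This file was automatically installed on 2022-05-02T14:37:30.062679
#
# Postfix main.cf for the instance named postfix-hgwc (see multi_instance_name
# at the end of the file). Multi-line values continue on indented lines: a
# line that starts in column 0 begins a new parameter, so the indentation of
# the continuation lines is significant.
# Lines marked NOTE(review) are review remarks, not settings.

inet_interfaces = all
inet_protocols = all
myhostname = mail.hgwc.tit
myorigin = $myhostname
mydestination = $myhostname
# Only loopback clients match permit_mynetworks.
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP
biff = no
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# 0 disables the mailbox size limit.
mailbox_size_limit = 0
# 11 MiB (11 * 1024 * 1024 bytes).
message_size_limit = 11534336
recipient_delimiter = +

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

## Proxy maps
# Every proxy:mysql: table used further down has to be listed here.
# The sql-*.cf files hold database credentials; keep them readable only by
# root and the postfix user.
proxy_read_maps =
    proxy:unix:passwd.byname
    proxy:mysql:/etc/postfix-hgwc/sql-domains.cf
    proxy:mysql:/etc/postfix-hgwc/sql-domain-aliases.cf
    proxy:mysql:/etc/postfix-hgwc/sql-aliases.cf
    proxy:mysql:/etc/postfix-hgwc/sql-relaydomains.cf
    proxy:mysql:/etc/postfix-hgwc/sql-maintain.cf
    proxy:mysql:/etc/postfix-hgwc/sql-relay-recipient-verification.cf
    proxy:mysql:/etc/postfix-hgwc/sql-sender-login-map.cf
    proxy:mysql:/etc/postfix-hgwc/sql-spliteddomains-transport.cf
    proxy:mysql:/etc/postfix-hgwc/sql-transport.cf

## TLS settings
#
# NOTE(review): smtpd_use_tls is the legacy switch; smtpd_tls_security_level
# below is the parameter current Postfix documents for the same purpose.
smtpd_use_tls = yes
# NOTE(review): with "no", AUTH is announced before STARTTLS, so a client can
# send SASL credentials over an unencrypted connection (TLS is only optional
# here, see smtpd_tls_security_level). "yes" restricts AUTH to TLS-protected
# sessions; confirm first that no client depends on cleartext AUTH.
smtpd_tls_auth_only = no
smtpd_tls_CApath = /etc/ssl/certs
# NOTE(review): "san" is not a file path; presumably a placeholder or a
# redacted value. Postfix expects PEM files here, and the private key file
# should be readable by root only.
smtpd_tls_key_file = san
smtpd_tls_cert_file = san
# Despite the parameter name, the referenced file is named dh2048.pem.
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
# Opportunistic TLS for inbound mail: STARTTLS is offered, plaintext is still
# accepted.
smtpd_tls_security_level = may
smtpd_tls_received_header = yes

# Disallow SSLv2 and SSLv3, only accept secure ciphers
# NOTE(review): TLSv1 and TLSv1.1 are still accepted by both lists. Consider
# adding "!TLSv1, !TLSv1.1" at least to the mandatory list once every client
# that must use TLS supports TLSv1.2 or later.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE(review): the "mandatory" cipher grade applies only where TLS is
# enforced. With smtpd_tls_security_level = may, the opportunistic grade comes
# from smtpd_tls_ciphers, which this file does not set.
smtpd_tls_mandatory_ciphers = high
# PSK replaces "PSD" from the pasted file: PSD is not an OpenSSL cipher
# keyword, so it was presumably a typo for PSK (listed next to SRP).
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL

# Enable elliptic curve cryptography
smtpd_tls_eecdh_grade = strong

# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
# The peer certificate is not verified at this level, and delivery falls back
# to plaintext when STARTTLS is not offered.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = EXPORT, LOW

## Virtual transport settings
#
virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_domains = proxy:mysql:/etc/postfix-hgwc/sql-domains.cf
# Define the domain list as hash file or as list in the config file.
virtual_alias_domains =
#hash:/etc/postfix-hgwc/virtual_domains
    proxy:mysql:/etc/postfix-hgwc/sql-domain-aliases.cf
virtual_alias_maps =
# Define the domain list as hash file or as list in the config file.
#virtual_alias_domains = hash:/etc/postfix-hgwc/virtual_domains
    proxy:mysql:/etc/postfix-hgwc/sql-aliases.cf

## Relay domains
#
relay_domains =
    proxy:mysql:/etc/postfix-hgwc/sql-relaydomains.cf
transport_maps =
#hash:/etc/postfix-hgwc/sender_map
    proxy:mysql:/etc/postfix-hgwc/sql-transport.cf
    proxy:mysql:/etc/postfix-hgwc/sql-spliteddomains-transport.cf

## SASL authentication through Dovecot
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Also announces AUTH in the obsolete "AUTH=" form for old clients.
broken_sasl_auth_clients = yes
# Anonymous logins are refused; plaintext mechanisms remain allowed
# (noplaintext is not set), which is why smtpd_tls_auth_only above matters.
smtpd_sasl_security_options = noanonymous

## SMTP session policies
#

# We require HELO to check it later
smtpd_helo_required = yes

# We do not let others find out which recipients are valid
disable_vrfy_command = yes

# MTA to MTA communication on Port 25. We expect (!) the other party to
# specify messages as required by RFC 821.
strict_rfc821_envelopes = yes

# Verify cache setup
# NOTE(review): reconstructed. The pasted file had this value broken across
# two lines ("proxy:btree:$" / "directory/verify_cache ="), which Postfix
# cannot parse as intended. The form below is the presumed original; confirm
# against the installed file.
address_verify_map = proxy:btree:$data_directory/verify_cache

proxy_write_maps =
    $smtp_sasl_auth_cache_name
    $lmtp_sasl_auth_cache_name
    $address_verify_map

# OpenDKIM setup
smtpd_milters = inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345
# NOTE(review): "accept" fails open. If the milter is unreachable or errors
# out, mail is handled as if no milter were configured, so messages can leave
# without a DKIM signature. "tempfail" defers instead; choose deliberately and
# monitor the milter either way.
milter_default_action = accept
milter_content_timeout = 30s

# List of authorized senders
# NOTE(review): this map only takes effect through a restriction such as
# reject_sender_login_mismatch. None appears in this file; presumably it is
# applied per service in master.cf. Verify, otherwise an authenticated user
# can send with any envelope sender.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix-hgwc/sql-sender-login-map.cf

# Recipient restriction rules
# Evaluated in order; the first matching permit or reject ends the evaluation.
# NOTE(review): check_recipient_access runs before reject_unauth_destination.
# If a lookup can return OK for a recipient in a domain this server does not
# handle, that result permits the mail ahead of the relay check. Whether this
# matters depends on smtpd_relay_restrictions, which this file does not set;
# check the effective value with postconf.
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:9999
    permit_mynetworks
    permit_sasl_authenticated
    check_recipient_access
        proxy:mysql:/etc/postfix-hgwc/sql-maintain.cf
        proxy:mysql:/etc/postfix-hgwc/sql-relay-recipient-verification.cf
    reject_unverified_recipient
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_helo_hostname

## Postscreen settings
#
postscreen_access_list =
    permit_mynetworks
    cidr:/etc/postfix-hgwc/postscreen_spf_whitelist.cidr
# NOTE(review): Postfix 3.6 renamed this parameter to
# postscreen_denylist_action; confirm which name the installed version expects.
postscreen_blacklist_action = enforce

# Use some DNSBL
# Weights add up per client: with the threshold of 3 below, a zen.spamhaus.org
# listing alone blocks a client, as does any combination that reaches 3.
# NOTE(review): verify that each list is still operated and answers queries
# from the resolver this host uses; a dead or blocked list silently changes
# the scoring.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

postscreen_greet_banner = Welcome, please wait...
postscreen_greet_action = enforce

# Multi-instance settings.
# NOTE(review): master_service_disable = inet turns off every inet-type
# service in master.cf, so as written this instance accepts no network
# connections, and authorized_submit_users = root limits local submission to
# root. With multi_instance_enable = no the instance is also not marked as
# enabled.
master_service_disable = inet
authorized_submit_users = root
queue_directory = /var/spool/postfix-hgwc
data_directory = /var/lib/postfix-hgwc
multi_instance_name = postfix-hgwc
multi_instance_enable = no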