-
Notifications
You must be signed in to change notification settings - Fork 12
/
main.cf
152 lines (139 loc) · 4.35 KB
/
main.cf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
### MAIN
mydomain = example.tld
myhostname = mail.$mydomain
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
home_mailbox = Maildir/
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
message_size_limit = 2097152
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
address_verify_sender = mailer-daemon@$mydomain
address_verify_sender_ttl = 8h
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
### SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
### TLS
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
lmtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
smtpd_tls_exclude_ciphers =
aNULL,
eNULL,
EXPORT,
DES,
RC4,
MD5,
PSK,
aECDH,
EDH-DSS-DES-CBC3-SHA,
EDH-RSA-DES-CDC3-SHA,
KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file=/etc/ssl/certs/exampleMail.crt
smtpd_tls_key_file=/etc/ssl/private/exampleMail.key
smtpd_tls_CAfile = /etc/ssl/certs/exampleMail.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database =
btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database =
btree:${data_directory}/smtp_scache
smtpd_sasl_local_domain = $mydomain
### VIRTUAL ENVIRONMENT
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = $mydomain
### DOVECOT INTEGRATION
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
local_transport = virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp
dovecot_destination_recipient_limit = 1
### SAMBA AD DC INTREGRATION
virtual_mailbox_maps =
proxy:ldap:/etc/postfix/virtual_mailbox_maps.cf
virtual_alias_maps =
proxy:ldap:/etc/postfix/virtual_list_maps.cf
proxy:ldap:/etc/postfix/virtual_alias_maps.cf
local_recipient_maps = $virtual_mailbox_maps
### SMTPD CLIENT RESTRICTIONS
smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
### SMTPD RELAY RESTRICTIONS
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
### SMTPD UNLISTED RESTRICTIONS
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
### SMTPD HELO RESTRICTIONS
smtpd_helo_required = yes
smtp_helo_name = $mydomain
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
reject_invalid_helo_hostname
reject_invalid_hostname
permit_sasl_authenticated
### SMTPD SENDER RESTRICTIONS
smtpd_sender_login_maps =
proxy:ldap:/etc/postfix/virtual_sender_login_maps.cf
smtpd_sender_restrictions =
permit_mynetworks
reject_sender_login_mismatch
reject_unknown_sender_domain
warn_if_reject reject_unverified_sender
reject_non_fqdn_sender
reject_unlisted_sender
permit_sasl_authenticated
unverified_sender_reject_reason = Address verification failed
### SMTPD RECIPIENT RESTRICTIONS
smtpd_recipient_limit = 10
smtpd_recipient_overshoot_limit = $smtpd_recipient_limit
smtpd_recipient_restrictions =
reject_unauth_pipelining
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
permit
unverified_recipient_reject_reason = Address lookup failed
### SMTPD DATA RESTRICTIONS
smtpd_data_restrictions =
reject_unauth_pipelining
### BCC
enable_original_recipient = no
always_bcc = [email protected]