2020-07-24 12:42:59 +02:00
|
|
|
##
|
|
|
|
## Network settings
|
|
|
|
##
|
|
|
|
|
|
|
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
|
|
|
inet_interfaces = all
|
|
|
|
smtp_address_preference = ipv6
|
|
|
|
myhostname = {{ mailserver_mx_domain }}
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## Mail queue settings
|
|
|
|
##
|
|
|
|
|
|
|
|
maximal_queue_lifetime = 1h
|
|
|
|
bounce_queue_lifetime = 1h
|
|
|
|
maximal_backoff_time = 15m
|
|
|
|
minimal_backoff_time = 5m
|
|
|
|
queue_run_delay = 5m
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## TLS settings
|
|
|
|
###
|
|
|
|
|
2021-01-14 23:35:02 +01:00
|
|
|
tls_preempt_cipherlist = no
|
2020-07-24 12:42:59 +02:00
|
|
|
tls_ssl_options = NO_COMPRESSION
|
2021-01-14 23:35:02 +01:00
|
|
|
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
2020-07-24 12:42:59 +02:00
|
|
|
|
|
|
|
### Outbound SMTP connections (Postfix as sender)
|
|
|
|
|
|
|
|
{% if mailserver_dovecot_enabled %}
|
|
|
|
smtp_tls_security_level = may
|
|
|
|
{% else %}
|
|
|
|
smtp_tls_security_level = dane
|
|
|
|
smtp_dns_support_level = dnssec
|
|
|
|
smtp_tls_policy_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/tls-policy.cf
|
|
|
|
{% endif %}
|
|
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
|
|
smtp_tls_protocols = !SSLv2, !SSLv3
|
|
|
|
smtp_tls_ciphers = high
|
|
|
|
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
|
|
|
|
|
|
|
|
|
|
|
### Inbound SMTP connections
|
|
|
|
smtpd_tls_security_level = may
|
2021-01-14 23:35:02 +01:00
|
|
|
smtpd_tls_auth_only = yes
|
|
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
|
|
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
|
|
smtpd_tls_mandatory_ciphers = medium
|
2020-07-24 12:42:59 +02:00
|
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
|
|
|
|
|
|
smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
|
|
|
|
smtpd_tls_cert_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem
|
|
|
|
smtpd_tls_dh1024_param_file = ${config_directory}/dh.pem
|
|
|
|
|
|
|
|
##
|
|
|
|
## Local mail delivery to Dovecot via LMTP
|
|
|
|
##
|
|
|
|
|
|
|
|
virtual_transport = lmtp:unix:private/dovecot-lmtp
|
|
|
|
|
|
|
|
{% if mailserver_rspamd_enabled %}
|
|
|
|
##
|
|
|
|
## Spam filter and DKIM signatures via Rspamd
|
|
|
|
##
|
|
|
|
|
|
|
|
smtpd_milters = inet:127.0.0.1:11332
|
|
|
|
non_smtpd_milters = inet:127.0.0.1:11332
|
|
|
|
milter_protocol = 6
|
|
|
|
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
|
|
|
milter_default_action = accept
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## Server Restrictions for clients, cecipients and relaying
|
|
|
|
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
|
|
|
|
##
|
|
|
|
|
|
|
|
### Conditions in which Postfix works as a relay. (for mail user clients)
|
|
|
|
smtpd_relay_restrictions = reject_non_fqdn_recipient
|
|
|
|
# reject_unknown_recipient_domain
|
|
|
|
permit_mynetworks
|
|
|
|
reject_unauth_destination
|
|
|
|
|
|
|
|
|
|
|
|
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
|
|
|
|
### check_recipient_access checks if an account is "sendonly"
|
|
|
|
#smtpd_recipient_restrictions = check_recipient_access proxy:{{ mailserver_db_type }}:/etc/postfix/sql/recipient-access.cf
|
|
|
|
|
|
|
|
|
|
|
|
### Restrictions for all sending foreign servers ("SMTP clients")
|
|
|
|
smtpd_client_restrictions = permit_mynetworks
|
2020-07-24 17:07:52 +02:00
|
|
|
# check_client_access hash:/etc/postfix/without_ptr
|
2020-07-24 12:42:59 +02:00
|
|
|
# reject_unknown_client_hostname
|
|
|
|
|
|
|
|
|
|
|
|
### Foreign mail servers must present a valid "HELO"
|
|
|
|
# Recipient address rejected: Domain not found;
|
|
|
|
smtpd_helo_required = yes
|
|
|
|
smtpd_helo_restrictions = permit_mynetworks
|
|
|
|
reject_invalid_helo_hostname
|
|
|
|
reject_non_fqdn_helo_hostname
|
|
|
|
# reject_unknown_helo_hostname
|
|
|
|
|
|
|
|
# Block clients, which start sending too early
|
|
|
|
smtpd_data_restrictions = reject_unauth_pipelining
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## Restrictions for MUAs (Mail user agents)
|
|
|
|
##
|
|
|
|
|
|
|
|
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
|
|
|
|
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
|
|
|
|
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## Postscreen Filter
|
|
|
|
##
|
|
|
|
|
|
|
|
### Postscreen Whitelist / Blocklist
|
|
|
|
postscreen_access_list = permit_mynetworks
|
2020-07-24 17:07:52 +02:00
|
|
|
# cidr:/etc/postfix/postscreen_access
|
2020-07-24 12:42:59 +02:00
|
|
|
postscreen_blacklist_action = drop
|
|
|
|
|
|
|
|
|
|
|
|
# Drop connections if other server is sending too quickly
|
|
|
|
postscreen_greet_action = drop
|
|
|
|
|
|
|
|
|
|
|
|
### DNS blocklists
|
|
|
|
postscreen_dnsbl_threshold = 2
|
|
|
|
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
|
|
|
|
zen.spamhaus.org*2
|
|
|
|
postscreen_dnsbl_action = drop
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
## MySQL queries
|
|
|
|
##
|
|
|
|
alias_maps =
|
|
|
|
hash:/etc/postfix/aliases
|
|
|
|
{% if mailserver_mailman_enabled %}
|
|
|
|
hash:/var/lib/mailman/data/aliases
|
|
|
|
{% endif %}
|
|
|
|
alias_database = $alias_maps
|
|
|
|
|
|
|
|
virtual_alias_maps =
|
|
|
|
{% if mailserver_dovecot_enabled %}
|
|
|
|
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-maps.cf
|
|
|
|
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains-maps.cf
|
|
|
|
{% endif %}
|
|
|
|
{% if mailserver_mailman_enabled %}
|
|
|
|
hash:/var/lib/mailman/data/virtual-mailman
|
|
|
|
{% endif %}
|
|
|
|
{% if mailserver_dovecot_enabled %}
|
|
|
|
virtual_alias_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains.cf
|
|
|
|
virtual_mailbox_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-maps.cf
|
|
|
|
virtual_mailbox_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-domains.cf
|
|
|
|
|
|
|
|
# List of authorized senders
|
|
|
|
smtpd_sender_login_maps =
|
|
|
|
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/smtpd-sender-login-maps.cf
|
|
|
|
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-sender-maps.cf
|
|
|
|
{% endif %}
|
|
|
|
local_recipient_maps = $smtpd_sender_login_maps
|
|
|
|
|
|
|
|
{% if mailserver_mailman_enabled %}
|
|
|
|
relay_domains =
|
|
|
|
hash:/var/lib/mailman/data/relay-domains
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
##
|
|
|
|
## Miscellaneous
|
|
|
|
##
|
|
|
|
|
|
|
|
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
|
|
|
|
mailbox_size_limit = 0
|
|
|
|
|
|
|
|
### Maximum size of inbound e-mails (50 MB)
|
|
|
|
message_size_limit = 52428800
|
|
|
|
|
|
|
|
### Do not notify system users on new e-mail
|
|
|
|
biff = no
|
|
|
|
|
|
|
|
### Users always have to provide full e-mail addresses
|
|
|
|
append_dot_mydomain = no
|
|
|
|
|
|
|
|
### Delimiter for "Address Tagging"
|
|
|
|
recipient_delimiter = +
|
|
|
|
|
|
|
|
#------------------------------
|
|
|
|
compatibility_level = 2
|