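##
## Postfix main.cf, rendered from a Jinja2 template ({{ var }} / {% if %} tags,
## presumably by an Ansible role - variables are named mailserver_*).
## Postfix main.cf format: "#" only starts a comment at the beginning of a line;
## an indented line continues the previous logical line, and comment/blank lines
## inside such a continuation are skipped (so "#"-prefixed list entries are inactive).
##

##
## Network settings
##
# Only loopback addresses are trusted; every permit_mynetworks below therefore
# matches local processes only, never remote hosts.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
smtp_address_preference = ipv6
myhostname = {{ mailserver_mx_domain }}

##
## Mail queue settings
##
# Undeliverable mail and bounces are given up after one hour (Postfix default: 5d).
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

##
## TLS settings
##
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
# NOTE(review): hand-written OpenSSL cipher string from the Camellia/SSLv3 era;
# it excludes ECDSA key exchange (!ECDSA) and re-adds legacy AES128-SHA suites.
# Revisit against current Postfix TLS_README guidance before reusing elsewhere.
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

### Outbound SMTP connections (Postfix as sender)
# NOTE(review): DANE/DNSSEC is enabled only in the branch where Dovecot is
# *disabled*; confirm that this is intended and not an inverted condition.
{% if mailserver_dovecot_enabled %}
smtp_tls_security_level = may
{% else %}
# "dane" with dnssec support requires a DNSSEC-validating resolver on localhost;
# without one Postfix falls back to opportunistic TLS.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/tls-policy.cf
{% endif %}
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# NOTE(review): this still permits TLSv1.0/1.1. On Postfix >= 3.6 ">=TLSv1.2"
# is the usual floor; for opportunistic TLS weigh that against cleartext fallback.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

### Inbound SMTP connections
smtpd_tls_security_level = may
# NOTE(review): same TLSv1.0/1.1 caveat as smtp_tls_protocols above.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Certificate and key for the first domain in mailserver_cert_domains (space-separated).
smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem
# NOTE(review): explicit DH parameter file; newer Postfix releases ship built-in
# groups, so verify dh.pem is still generated and of adequate size.
smtpd_tls_dh1024_param_file = ${config_directory}/dh.pem

##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp

{% if mailserver_rspamd_enabled %}
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# "accept" fails open: if Rspamd is unreachable, mail is delivered unscanned and unsigned.
milter_default_action = accept
{% endif %}

##
## Server Restrictions for clients, recipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##

### Conditions in which Postfix works as a relay. (for mail user clients)
# reject_unauth_destination is what prevents this host from being an open relay.
smtpd_relay_restrictions =
    reject_non_fqdn_recipient
#    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination

### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
#smtpd_recipient_restrictions = check_recipient_access proxy:{{ mailserver_db_type }}:/etc/postfix/sql/recipient-access.cf

### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
    permit_mynetworks
    check_client_access hash:/etc/postfix/without_ptr
#    reject_unknown_client_hostname

### Foreign mail servers must present a valid "HELO"
# Recipient address rejected: Domain not found;
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining

##
## Restrictions for MUAs (Mail user agents)
##
# Custom parameters referenced from the submission service in master.cf.
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
# Legacy parameter name; Postfix 3.6+ also accepts postscreen_denylist_action.
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop

### DNS blocklists
# Each listed site counts 2 towards the threshold of 2, so one hit is enough to drop.
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
postscreen_dnsbl_action = drop

##
## MySQL queries
##
alias_maps = hash:/etc/postfix/aliases {% if mailserver_mailman_enabled %} hash:/var/lib/mailman/data/aliases {% endif %}
alias_database = $alias_maps
virtual_alias_maps =
{% if mailserver_dovecot_enabled %}
    proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-maps.cf
    proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains-maps.cf
{% endif %}
{% if mailserver_mailman_enabled %}
    hash:/var/lib/mailman/data/virtual-mailman
{% endif %}
{% if mailserver_dovecot_enabled %}
virtual_alias_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains.cf
virtual_mailbox_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-maps.cf
virtual_mailbox_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-domains.cf
# List of authorized senders
smtpd_sender_login_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/smtpd-sender-login-maps.cf proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-sender-maps.cf
{% endif %}
# NOTE(review): when mailserver_dovecot_enabled is false, smtpd_sender_login_maps
# is not set in this file, so this expands to an empty value unless defined
# elsewhere - and an empty local_recipient_maps disables unknown-recipient
# rejection at SMTP time (accept-then-bounce, i.e. backscatter).
local_recipient_maps = $smtpd_sender_login_maps
{% if mailserver_mailman_enabled %}
relay_domains = hash:/var/lib/mailman/data/relay-domains
{% endif %}

##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB = 50 * 1024 * 1024 bytes)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
#------------------------------
compatibility_level = 2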