Diffstat (limited to 'postfix-lmdb/main-addon.cf')
-rw-r--r--postfix-lmdb/main-addon.cf38
1 files changed, 27 insertions, 11 deletions
diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf
index 729916ac3..dd8bc9d91 100644
--- a/postfix-lmdb/main-addon.cf
+++ b/postfix-lmdb/main-addon.cf
@@ -40,6 +40,7 @@ mailbox_size_limit = 100000000
message_size_limit = 442000
## TLSPROXY(8) (where diverging from daemon / client)
+
tls_append_default_CA = no
## POSTFIX DAEMON
@@ -141,17 +142,19 @@ smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
-smtpd_log_access_permit_actions = 1
-smtpd_client_connection_rate_limit = 20
-smtpd_client_connection_count_limit = 2
+#smtpd_log_access_permit_actions =
+# permit_tls_clientcerts,
+# permit_sasl_authenticated
+#smtpd_client_connection_rate_limit = 20
+#smtpd_client_connection_count_limit = 2
+#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
-#TLS smtpd_tls_security_level = may
-#TLS comment out next; usually enabled per-service in master.cf!
-smtpd_tls_security_level = none
+# This are managed per-service in master.cf!
+#smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
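Review bot: Commenting out `smtpd_client_connection_rate_limit` and `smtpd_client_connection_count_limit` is a relaxation, not a no-op: Postfix then falls back to its built-in defaults of no rate limit and 50 concurrent connections per client (mynetworks excepted), whereas the commented-out `smtpd_tls_security_level = none` really is equivalent to the empty default. If the anti-abuse limits are still wanted, leave those two lines active; if the removal is deliberate, a comment such as `# defaults apply: no rate limit, 50 concurrent connections per client` would tell the next reader. Note that `smtpd_tls_auth_only = yes` stays active, so any master.cf service that does not set its own `smtpd_tls_security_level` will refuse SASL AUTH, which is the safe direction. The comment `# This are managed per-service in master.cf!` should read `# These are managed per-service in master.cf!`.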
@@ -161,7 +164,6 @@ smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
-#SMART When only relaying to smarthost, the next can be =high !?!
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
@@ -169,6 +171,8 @@ smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_connection_reuse = yes
+smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache
+smtpd_tls_session_cache_timeout = 3600s
# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
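Review bot: The new `smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache` holds TLS session state (including session secrets), and Postfix opens this file without root privileges; postconf(5) asks for it to live under `$data_directory`, so this only works as intended if `/var/lib/postfix-lmdb` is this instance's data_directory (plausible from the naming, but not visible in the hunk) and the file stays readable only by the postfix user. `smtpd_tls_session_cache_timeout = 3600s` restates the Postfix default; since the smtp client side of this commit now references it, a comment such as `# Postfix default; smtp_tls_session_cache_timeout is derived from this` would explain why it is set explicitly.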
@@ -181,20 +185,22 @@ smtpd_sasl_tls_security_options = noanonymous
## POSTFIX CLIENT
-#TLS smtp_tls_security_level = $smtpd_tls_security_level
#TLS comment out next
+#SMART comment out next
smtp_tls_security_level = may
+# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
+#SMART When only relaying to smarthost, the next can be =high !?!
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
-smtp_tls_session_cache_timeout = 3600s
+smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
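Review bot: The comment `# To always go directly SMTPS/SUBMISSIONS` above `#smtp_tls_wrappermode = yes` understates what the setting does: `smtp_tls_wrappermode` applies to every outbound connection the Postfix SMTP client makes, so enabling it here without a relayhost would attempt implicit TLS against ordinary port-25 MX hosts and defer normal delivery. Suggest `# Only together with relayhost = [HOST]:submissions (implicit TLS); breaks direct-to-MX delivery`, or dropping the line here since the relayhost hunk already carries `#SMART Next only when going directly SMTPS/SUBMISSIONS`. `smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout` depends on the smtpd parameter this same commit adds earlier in the file, which is fine as long as both land together.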
@@ -208,13 +214,17 @@ smtp_tls_session_cache_timeout = 3600s
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
+# check man(5) postconf -> local_header_rewrite_clients;
+# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
+#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
+#SMART EITHER these three
#SMART smtp_tls_security_level = verify
-# This requires a full chain, otherwise look around verify_depth
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
-#SMART therefore OR (better, maybe)
+#SMART smtp_tls_scert_verifydepth = 9
+#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
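Review bot: `#SMART smtp_tls_scert_verifydepth = 9` restates the Postfix default, while the removed line `# This requires a full chain, otherwise look around verify_depth` was the part that explained the real failure mode of the `verify` option: a smarthost that does not send its intermediate certificates fails verification regardless of depth, and the remedy is a CAfile that contains the missing intermediates or the `fingerprint` alternative listed below it. Suggest keeping that explanation, e.g. `# verify needs the server to send its full chain; depth 9 is already the default`, and either dropping the verifydepth line or stating why it is shown. Everything in this hunk is commented guidance, so nothing here changes runtime behaviour.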
@@ -237,3 +247,9 @@ smtp_tls_session_cache_timeout = 3600s
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]
+# Permanently (to _destinations) instead if this is "no"
+smtp_connection_cache_on_demand = yes
+# $relayhost WITHOUT [] and : etc.!!
+smtp_connection_cache_destinations = $relayhost
+smtp_connection_cache_time_limit = 10s
+smtp_connection_reuse_count_limit = 242
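Review bot: The comment `# Permanently (to _destinations) instead if this is "no"` misdescribes the relationship between the two new parameters: `smtp_connection_cache_on_demand` (already `yes` by default) enables temporary caching for destinations with a backlog, and `smtp_connection_cache_destinations` caches the listed destinations regardless of that setting, so the list is not an "instead". Suggest `# default yes: cache temporarily for backlogged destinations; the list below is always cached`. The comment `# $relayhost WITHOUT [] and : etc.!!` conflicts with the `[HOST]:submissions` form the file uses for relayhost; postconf(5) describes the cache destination in the same form the queue manager uses for the nexthop, so the `$relayhost` expansion may well be correct as-is — worth confirming against the documentation before anyone rewrites relayhost to satisfy this comment. `smtp_connection_reuse_count_limit = 242` and `smtp_connection_cache_time_limit = 10s` carry no rationale; a one-line comment stating why these values were chosen would help.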
