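### CRUX-ADDON
# Postfix main.cf fragment added by the CRUX package; it is read by
# postfix(1)/postconf(1), not by a generic INI parser. Only full-line '#'
# comments are supported: a '#' after a value becomes part of the value.
# A line that starts with whitespace continues the previous logical line
# (used below for the multi-line restriction lists). Lines tagged
# #RELAY, #TLS, #SMART or #DNSBL are disabled; delete the tag to enable
# them (see CRUX-README.txt).

default_privs = _postfix_xlocal
setgid_group = _postfix_queue
mail_spool_directory = /var/spool/mail
alias_database = lmdb:/etc/postfix-lmdb/aliases
alias_maps = $alias_database
# one of: all | ipv4 | ipv6 | ipv4, ipv6
inet_protocols = all

# default: gethostname()
#myhostname = arch-2020
# default: $myhostname minus its first component
#mydomain = localdomain
#myorigin = $mydomain
# optionally append: , lists.$myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host
# One class A, 16 class B, 256 class C networks; loopback.
# NOTE(review): an explicit mynetworks is believed to take precedence over
# mynetworks_style — confirm in postconf(5).
# Every restriction list below starts with permit_mynetworks and
# inet_interfaces is "all", so any host inside these ranges may relay
# through this server; narrow the list if the private address space is
# not fully trusted.
# IPv6 entries use the bracket form, e.g. [::1]/128 (loopback),
# [fe80::]/10 (link-local) or [fc00::]/7 (ULA); none are listed here,
# so IPv6 loopback clients are not covered by permit_mynetworks.
mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
#inet_interfaces = localhost
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
#debug_peer_list = 10.0.0.1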
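
smtputf8_enable = no
# VRFY would let remote clients check which addresses exist; keep it off.
disable_vrfy_command = yes
default_verp_delimiters = -=
verp_delimiter_filter = -=
recipient_delimiter = +
# Only localhost for mailing-lists etc.; maybe $mynetworks?
smtpd_authorized_verp_clients = 127.0.0.1

default_process_limit = 8
# anvil(8) time window for the smtpd_client_* rate/count limits set further down
anvil_rate_time_unit = 60s
anvil_status_update_time = 3600s
# NOTE(review): parameter name looks truncated — in_flow_delay (default 1s)?
#n_flow_delay = 1s
# all sizes are in bytes
body_checks_size_limit = 102400
bounce_size_limit = 50000
#header_size_limit = 102400
mailbox_size_limit = 100000000
message_size_limit = 442000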
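
# Relaying for clients that present a known TLS client certificate (#RELAY).
# Calculate the certificate fingerprint with either:
#   openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
#   openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
# The digest must match smtpd_tls_fingerprint_digest (sha256, set below).
# Put the hash only in relay_clientcerts, right hand value is not inspected:
#   FINGERPRINT-HERE whatever value
# Search #RELAY for this, uncomment
#RELAY relay_clientcerts = lmdb:/etc/postfix-lmdb/relay_clientcerts
# relay_domains is what reject_unauth_destination / permit_auth_destination
# consult; it takes domain names or lookup tables,
# eg lmdb:/etc/postfix-lmdb/transport
# NOTE(review): $mynetworks expands to CIDR blocks, which match no recipient
# domain here — presumably harmless, but confirm it is intended.
transport_maps =
relay_domains = $mynetworks,$transport_maps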
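
# Clients which are allowed to invoke commands.
# Continuation lines are indented; tagged entries (#RELAY, #DNSBL) keep the
# indent after the tag so that deleting the tag leaves a valid line.
# With the default smtpd_delay_reject = yes this list (and the helo and
# sender lists) is evaluated at RCPT TO time, not at connect.
smtpd_client_restrictions =
    # NOTE(review): untagged, unlike the #RELAY entries in the other lists
    # permit_tls_clientcerts,
    # permit_sasl_authenticated,
    permit_mynetworks,
    # In case you want to reject DNS blacklists rather than greylist them
    # with gross, exchange sleep (maybe) and uncomment the lines below.
    sleep 1,
    #reject_rbl_client cbl.abuseat.org,
    #reject_rbl_client sbl.spamhaus.org,
    #DNSBL reject_rbl_client zen.spamhaus.org,
    #DNSBL reject_rbl_client dnsbl.sorbs.net,
    #reject_rbl_client bl.spamcop.net,
    #reject_rbl_client list.dsbl.org,
    reject_unauth_pipelining,
    #reject
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

# HELO/EHLO checks. reject_unknown_helo_hostname needs a DNS A or MX record
# for the HELO name; a temporary lookup failure defers rather than rejects.
smtpd_helo_restrictions =
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname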
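
# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
# reject_unauth_destination is the anti-open-relay check: keep it ahead of
# the final permit (smtpd_relay_restrictions below repeats it).
smtpd_recipient_restrictions =
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    # better not reject_unverified_sender,
    #check_policy_service inet:127.0.0.1:5525,
    permit

# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain
smtpd_relay_restrictions =
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    #permit_auth_destination,
    #reject
    reject_unauth_destination,
    permit

# MAIL FROM checks
smtpd_sender_restrictions =
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    permit_mynetworks,
    # A bare table in this list is a check_sender_access lookup: an access(5)
    # table keyed by sender address/domain, eg "qq.com reject"
    lmdb:/etc/postfix-lmdb/sender_restrict,
    # also listed in smtpd_recipient_restrictions; harmless duplicate
    reject_unknown_sender_domain,
    permit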
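
# I would turn that on..
#smtpd_delay_reject = no
smtpd_helo_required = yes
# very small error budget: sloppy but legitimate clients get disconnected early
smtpd_hard_error_limit = 1
smtpd_soft_error_limit = 1
smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
# Also log "permit" actions (by default only rejects are logged). The value
# is a list of permit action names or "static:all" (Postfix >= 2.10); the
# previous value "1" named no action and therefore logged nothing.
smtpd_log_access_permit_actions = static:all
# per anvil_rate_time_unit; clients in $mynetworks are exempt by default
# (smtpd_client_event_limit_exceptions)
smtpd_client_connection_rate_limit = 20
smtpd_client_connection_count_limit = 2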
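
# TLS see CRUX-README.txt for this
tls_append_default_CA = no
# That one is for client certificates (the CA that signs *client* certs)!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
# despite the historic name this is the DH parameter file (2048-bit here)
#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
#TLS smtpd_tls_security_level = may
#TLS comment out next; see master.cf, too!
# "none": STARTTLS is not offered inbound; together with
# smtpd_tls_auth_only = yes below this also means AUTH is never offered.
smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# must match the digest used to fill relay_clientcerts
smtpd_tls_fingerprint_digest = sha256
# leaves TLSv1.2 and TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers = medium
# OpenSSL cipher-spec patterns; a misspelled name silently matches nothing.
# Fixed EDH-RSA-DES-CDB3-SHA -> EDH-RSA-DES-CBC3-SHA: the OpenSSL "DES"
# keyword covers single DES only, so the triple-DES suites must be named.
smtpd_tls_mandatory_exclude_ciphers =
    aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
# NOTE(review): only smtp_tls_connection_reuse is documented in postconf(5);
# check `postconf -n` for an "unused parameter" warning on this one.
smtpd_tls_connection_reuse = yes

# Outbound (smtp client) TLS mirrors the server settings above.
#TLS smtp_tls_security_level = $smtpd_tls_security_level
#TLS comment out next
# opportunistic TLS outbound: encrypt when offered, no certificate checks
smtp_tls_security_level = may
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
# session cache is accessed by tlsmgr(8) only
smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
smtp_tls_session_cache_timeout = 3600s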
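
# Inbound SASL (AUTH) via dovecot. Disabled; note that smtpd_tls_auth_only
# = yes above only offers AUTH after STARTTLS, so enabling this without
# the #TLS settings has no effect.
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
# dovecot auth socket, relative to the Postfix queue directory
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
# without TLS: no anonymous and no plaintext mechanisms
smtpd_sasl_security_options = noanonymous, noplaintext
# after STARTTLS plaintext mechanisms (PLAIN/LOGIN) are acceptable
smtpd_sasl_tls_security_options = noanonymous

# Outbound SASL, normally only needed together with the #SMART relayhost.
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
# two alternative mechanism filters are kept below; enable at most one
#smtp_sasl_mechanism_filter = !external
#smtp_sasl_security_options = $smtpd_sasl_security_options
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
#smtp_sasl_mechanism_filter = plain, login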
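
# For laptops etc, rely on smarthost to do real delivery (#SMART).
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
#SMART relayhost = [HOST]:submissions
# submissions (port 465) is implicit TLS, hence wrappermode
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
# Enable exactly one of the two verification modes below.
# "verify" checks the relayhost certificate against a CA bundle:
#SMART smtp_tls_security_level = verify
# This requires a full chain, otherwise look around verify_depth
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
#SMART therefore OR (better, maybe) pin the relayhost certificate:
#SMART smtp_tls_security_level = fingerprint
# computed with smtp_tls_fingerprint_digest (sha256, see above)
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
#SMART disable_dns_lookups = yes
#SMART Authentication like that not tried, this from postfix SASL_README:
#smtp_sasl_auth_enable = yes
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_password_maps = lmdb:/etc/postfix-lmdb/sasl_passwd
# The map holds plaintext credentials: keep the source file and the
# compiled .lmdb readable by root only (mode 0600).
# /etc/postfix-lmdb/sasl_passwd:
# # destination credentials
# #user1@example.com username1:password1
# #user2@example.net username2:password2
# [mail.isp.example] username:password
# # Alternative form:
# # [mail.isp.example]:submission username:password
#SMART Even sender-specific, uncomment the user1 user2 entries above then
# NOTE(review): the path below uses /etc/postfix/ while the rest of this
# file uses /etc/postfix-lmdb/ — adjust when enabling.
# sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay
# /etc/postfix/sender_relay:
# # Per-sender provider; see also /etc/postfix/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]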