### CRUX-ADDON
# Postfix main.cf fragment (postconf(5) syntax: "#" full-line comments,
# "name = value", continuation lines begin with whitespace; when a name is
# assigned twice, the last assignment wins).
# Optional features are kept as commented-out lines carrying a tag
# (#RELAY, #TLS, #SMART, #GRAY, #VERIFY, #DNSDL): search for the tag and
# uncomment its lines (dropping the tag) to enable the feature.

# Rights local(8) uses for delivery to external files/commands that would
# otherwise run as root; queue-management commands run setgid setgid_group.
default_privs = _postfix_xlocal
setgid_group = _postfix_queue
mail_spool_directory = /var/spool/mail
# alias_maps reads the same database that newaliases(1) rebuilds.
alias_database = lmdb:$meta_directory/aliases
alias_maps = $alias_database
# all, or ipv4, or ipv6, or "ipv4, ipv6"
inet_protocols = all

# Host identity: the defaults usually fit, so these stay commented out.
#myhostname = crux-box # default: gethostname
#mydomain = localdomain # default: $myhostname less one component
#myorigin = $mydomain
# Domains delivered locally on this host; add ", lists.$myhostname" when
# hosting mailing lists.
# , lists.$myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
# Only controls the *default* of mynetworks; mynetworks is assigned
# explicitly further down, so that list is the one in effect.
mynetworks_style = host

# mynetworks: which addresses we treat as belonging to "our network".
# Everything listed here passes permit_mynetworks in every smtpd_*_restrictions
# list below, i.e. it may relay through this host without authenticating,
# so keep the list as small as possible.
# RFC 1918 defines several "address ranges for private internets",
# one class A, 16 class B, 256 class C networks:
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
# In practice these are used by WLAN and other such networks, which are not
# "ours" per se. RFC 5737 defines several blocks "reserved for documentation"
# that SHOULD NOT occur on the public internet, so they should be blocked on
# ingress and better not leave on egress, but they can be assigned to local
# namespaces etc., and be used within VPNs:
# 192.0.2.0 - 192.0.2.255 (192.0.2.0/24, TEST-NET-1, from RFC 1166)
# 198.51.100.0 - 198.51.100.255 (198.51.100.0/24, TEST-NET-2)
# 203.0.113.0 - 203.0.113.255 (203.0.113.0/24, TEST-NET-3)
# IPv6 entries are written in brackets (e.g. [::1]/128); how to express
# link-local and site-local ranges here is still an open question.
# NOTE(review): with inet_protocols = all and only 127.0.0.0/8 listed, a
# client connecting over IPv6 loopback (::1) does not match permit_mynetworks;
# add [::1]/128 if that is not intended.
#mynetworks = 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 127.0.0.0/8
mynetworks = 127.0.0.0/8

# Listen on all addresses (localhost-only variants kept for reference);
# who may do what is decided by the restriction lists, not by the listener.
#inet_interfaces = localhost
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
# Verbose logging for the listed peers only; off by default.
#debug_peer_list = localhost

# SMTPUTF8 (RFC 6531) is not advertised; Unicode envelope addresses are refused.
smtputf8_enable = no
# VRFY lets a remote side probe which addresses exist; keep it disabled.
disable_vrfy_command = yes
# VERP delimiters accepted in XVERP requests (see smtpd_authorized_verp_clients).
default_verp_delimiters = -=
verp_delimiter_filter = -=
# user+detail@domain address extensions.
recipient_delimiter = +

# Upper bound on concurrent processes per master.cf service (unless the
# service sets its own maxproc column).
default_process_limit = 8
# Time window for the smtpd_client_*_limit counters (see further down) and
# how often anvil(8) logs its peak statistics.
anvil_rate_time_unit = 60s
anvil_status_update_time = 3600s
# Pause before accepting a new message while arrivals outpace deliveries.
# NOTE(review): the next line reads n_flow_delay; the postconf(5) parameter
# is in_flow_delay.
#n_flow_delay = 1s
# All sizes are in bytes; mailbox_size_limit must stay >= message_size_limit.
body_checks_size_limit = 102400
bounce_size_limit = 50000
#header_size_limit = 102400
mailbox_size_limit = 100000000
message_size_limit = 442000

## TLSPROXY(8) (where diverging from daemon / client)

# Do not append the system CA bundle to the *_tls_CAfile/*_tls_CApath settings:
# only the explicitly configured CAs are trusted for certificate verification.
tls_append_default_CA = no

## POSTFIX DAEMON

# Relaying by client certificate (#RELAY). Calculate the fingerprint:
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
# The digest must be the one set in smtpd_tls_fingerprint_digest (sha256).
# Put the hash only in relay_clientcerts, right hand value is not inspected:
# FINGERPRINT-HERE whatever value
# Search #RELAY for this, uncomment
#RELAY relay_clientcerts = lmdb:$meta_directory/relay_clientcerts
# relay_domains <-> reject_unauth_destination,permit_auth_destination
# Domains this host relays for come from transport_maps, which is empty by
# default; eg lmdb:$meta_directory/transport
transport_maps =
# NOTE(review): $mynetworks expands to address blocks, not domain names, so
# that entry most likely never matches a recipient domain -- verify against
# postconf(5) before relying on it.
relay_domains = $mynetworks,$transport_maps

# Clients allowed to request VERP (XVERP). Only localhost for mailing-lists
# etc.; maybe $mynetworks? (127.0.0.1 does not cover the IPv6 loopback ::1.)
smtpd_authorized_verp_clients = 127.0.0.1

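# Client connection checks. Restrictions are evaluated in order and the first
# permit/reject that matches decides, so the permit_* entries for trusted
# clients stay at the top. Unless smtpd_delay_reject is set to "no" (see
# further down) this list is only applied at RCPT TO time.
# Continuation lines must begin with whitespace.
smtpd_client_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    # Per-client allow/deny table; run postmap(1) after editing it.
    check_client_access lmdb:$meta_directory/client_restrict,
    # Strict: the client address needs matching forward and reverse DNS
    # (the milder reject_unknown_reverse_client_hostname is used in
    # smtpd_sender_restrictions).
    reject_unknown_client_hostname,
    # In case you want to reject DNS blocklist hits rather than greylist them,
    # exchange the sleep (maybe) and uncomment the lines below.
    sleep 1,
    #reject_rbl_client cbl.abuseat.org,
    #reject_rbl_client sbl.spamhaus.org,
    #DNSDL reject_rbl_client zen.spamhaus.org,
    #DNSDL reject_rbl_client dnsbl.sorbs.net,
    #reject_rbl_client bl.spamcop.net,
    #reject_rbl_client list.dsbl.org,
    reject_unauth_pipelining,
    #reject
    permit

# DATA-stage checks: reject_unauth_pipelining here catches clients that send
# DATA before the server has answered RCPT TO.
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
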
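# HELO/EHLO checks. Strict: a client whose HELO name is not a resolvable FQDN
# is refused (reject_unknown_helo_hostname), which does hit some misconfigured
# but legitimate senders. Only meaningful together with
# smtpd_helo_required = yes (set further down).
# Continuation lines must begin with whitespace.
smtpd_helo_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit

# MAIL FROM checks
smtpd_sender_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    # Needs smtpd_sender_login_maps, which this fragment does not set.
    #RELAY reject_authenticated_sender_login_mismatch,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_non_fqdn_sender,
    # Total no-goes database, eg: qq.com reject
    check_sender_access lmdb:$meta_directory/sender_restrict,
    reject_unknown_sender_domain,
    # Milder than reject_unknown_client_hostname: only a PTR record is required.
    reject_unknown_reverse_client_hostname,
    #GRAY: with --focus-sender only! And --msg-allow=permit
    #GRAY check_policy_service unix:private/postgray,
    #VERIFY(..then) reject_unverified_sender,
    permit
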
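# Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions, so an
# unauthorized relay attempt is refused before any table lookups or policy
# services in the recipient list are consulted.
smtpd_relay_before_recipient_restrictions = yes

# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain.
# reject_unauth_destination is what keeps this host from being an open relay;
# it must stay ahead of the final permit.
# Continuation lines must begin with whitespace.
smtpd_relay_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    #permit_auth_destination,
    #reject
    reject_unauth_destination,
    permit

# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
smtpd_recipient_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_unknown_recipient_domain,
    # DB of MAIL FROM's that skip the policy server checks (one way, or
    # another). MAIL FROM is unauthenticated, so an entry here only bypasses
    # the spam checks that follow it, never the relay policy above.
    check_sender_access lmdb:$meta_directory/sender_access,
    #check_policy_service inet:127.0.0.1:5525,
    #GRAY: without --focus-sender
    #GRAY check_policy_service unix:private/postgray,
    #VERIFY(..then) reject_unverified_sender,
    #(VERIFY would not) reject_unverified_recipient,
    permit
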
# Author's note: "i would turn that on.." -- with smtpd_delay_reject = no the
# client/helo/sender lists above are applied as soon as their stage is
# reached instead of being delayed to RCPT TO.
#smtpd_delay_reject = no
smtpd_helo_required = yes
# After 1 error the server starts delaying its replies, after 2 it disconnects.
smtpd_hard_error_limit = 2
smtpd_soft_error_limit = 1
# The 15s timeouts apply per record read/written rather than per command.
smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
# Junk commands (NOOP, VRFY, ETRN, RSET) tolerated before they start counting
# as errors.
smtpd_junk_command_limit = 5
# Log which permit_* action let a client through (useful with #RELAY on).
#smtpd_log_access_permit_actions =
#    permit_tls_clientcerts,
#    permit_sasl_authenticated
# Per-client limits, counted per anvil_rate_time_unit; by default
# (smtpd_client_event_limit_exceptions) $mynetworks clients are exempt.
#smtpd_client_connection_rate_limit = 20
#smtpd_client_connection_count_limit = 2

# Address verification cache for reject_unverified_sender/recipient (#VERIFY).
#VERIFY address_verify_map = lmdb:$data_directory/verify_cache
#VERIFY address_verify_cache_cleanup_interval = 86400s

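#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = $meta_directory/key_and_cert.pem
# (the parameter name says dh1024, but a 2048-bit group is fine here)
#TLS smtpd_tls_dh1024_param_file = $meta_directory/dh2048.pem
# These are managed per-service in master.cf!
#smtpd_tls_security_level = none
# NOTE: the last assignment wins in main.cf; when enabling the #RELAY line,
# remove the "= no" line that follows it.
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
# Offer AUTH only after STARTTLS, so credentials never cross in the clear.
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
#SMART The next is usually nice, but with client certificates it also
# publishes their details in the Received: header.
smtpd_tls_received_header = no
# Must match the digest used for the relay_clientcerts fingerprints.
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers = medium
# Removed from the cipher list. In OpenSSL cipher-string terms the "DES"
# keyword covers single DES only; "3DES" is the keyword for triple DES and is
# listed because the per-suite names below only catch some 3DES suites
# ("CBC3-SHA" on its own is not a suite name). The EDH-RSA entry previously
# read "DES-CDB3-SHA", a misspelling that matched nothing.
# Continuation lines must begin with whitespace.
smtpd_tls_mandatory_exclude_ciphers =
    aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no
# Dovecot SASL via the private/auth socket under the Postfix queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
# Without TLS: no anonymous and no plaintext mechanisms; once TLS is up,
# PLAIN/LOGIN are allowed -- and smtpd_tls_auth_only above makes that the
# only case in which AUTH is offered at all.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
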
## POSTFIX CLIENT

# Opportunistic TLS: encrypt when the peer offers STARTTLS, without
# certificate verification (fine for MX delivery; the #SMART relayhost block
# further down switches to verify/fingerprint for a fixed smarthost).
#TLS comment out next
#SMART comment out next
smtp_tls_security_level = may
# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
# Client-side TLS mirrors the server-side settings above.
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
#SMART When only relaying to smarthost, the next should be =high
#SMART smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
# Reuse TLS connections through tlsproxy(8) (see the TLSPROXY section above).
smtp_tls_connection_reuse = yes
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout

# Client-side SASL, kept off. NOTE(review): mirroring the server-side values
# is probably not usable as written -- the smtp(8) client only knows the
# cyrus SASL type, and smtp_sasl_path is then a Cyrus config name, not the
# dovecot socket; the #SMART smarthost block further down has the working form.
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
#smtp_sasl_mechanism_filter = !external
#smtp_sasl_security_options = $smtpd_sasl_security_options
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
#smtp_sasl_mechanism_filter = plain, login

# For laptops etc, rely on a smarthost to do the real delivery (#SMART).
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups.
# Check postconf(5) -> local_header_rewrite_clients;
# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
# Pick one: "verify" checks the smarthost certificate against the CA bundle
# (only that bundle, since tls_append_default_CA = no above); "fingerprint"
# pins its certificate digest (computed with smtp_tls_fingerprint_digest).
#SMART EITHER these three
#SMART smtp_tls_security_level = verify
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
#SMART smtp_tls_scert_verifydepth = 9
#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
#SMART disable_dns_lookups = yes
#SMART Authentication like that not tried, this from postfix SASL_README:
#smtp_sasl_auth_enable = yes
# Leave smtp_sasl_security_options at its default (noplaintext, noanonymous)
# so PLAIN/LOGIN are only used once TLS is up; the TLS variant relaxes that.
#smtp_sasl_tls_security_options = noanonymous
# sasl_passwd holds credentials in the clear: owner root, mode 0600, and run
# postmap(1) after editing. The lookup key must be written exactly like
# relayhost (brackets and port included).
#smtp_sasl_password_maps = lmdb:$meta_directory/sasl_passwd
# $meta_directory/sasl_passwd:
# # destination credentials
# #user1@example.com username1:password1
# #user2@example.net username2:password2
# [mail.isp.example] username:password
# # Alternative form:
# # [mail.isp.example]:submission username:password
#SMART Even sender-specific, uncomment the user1 user2 entries above then
# sender_dependent_relayhost_maps = lmdb:$meta_directory/sender_relay
# $meta_directory/sender_relay:
# # Per-sender provider; see also $meta_directory/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]

# "yes": cache connections to any destination while it has a backlog in the
# active queue; the _destinations list below is cached regardless.
smtp_connection_cache_on_demand = yes
# $relayhost WITHOUT [] and : etc.!!
smtp_connection_cache_destinations = $relayhost
smtp_connection_cache_time_limit = 10s
# Deliveries per cached connection before it is closed.
smtp_connection_reuse_count_limit = 242