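
### CRUX-ADDON
# Postfix main.cf fragment (CRUX addon).  Syntax per postconf(5): one
# "parameter = value" per logical line; a line that starts with whitespace
# continues the previous value; a line whose first non-blank character is
# '#' is a comment.  There are NO inline comments - anything after a value
# becomes part of the value.
# Grep markers used below, each on an otherwise commented-out line:
#   #RELAY  client-certificate based relaying
#   #TLS    server-side TLS material
#   #SMART  smarthost / relayhost setup
#   #DNSDL  DNS blocklist lookups

default_privs = _postfix_xlocal
setgid_group = _postfix_queue
mail_spool_directory = /var/spool/mail
alias_database = lmdb:/etc/postfix-lmdb/aliases
alias_maps = $alias_database
# One of: all, ipv4, ipv6, or "ipv4, ipv6"
inet_protocols = all

# default: gethostname
#myhostname = crux-0306
# default: $myhostname less one component
#mydomain = localdomain
#myorigin = $mydomain
# , lists.$myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
# NOTE: mynetworks_style only generates the *default* for mynetworks; it has
# no effect while mynetworks is set explicitly below.
mynetworks_style = host
# One class A, 16 class B, 256 class C networks; loopback
# NOTE(review): this trusts the entire RFC 1918 space for permit_mynetworks
# (relaying allowed, HELO/sender checks skipped).  Together with
# inet_interfaces = all, every host that can reach this machine from those
# ranges may relay; narrow the list to the subnets actually in use.
# IPv6 prefixes must be written in brackets, e.g. [::1]/128 - see postconf(5)
# "mynetworks" for the interface-scoped link-local form.
mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
#inet_interfaces = localhost
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
#debug_peer_list = 10.0.0.1

smtputf8_enable = no
disable_vrfy_command = yes
default_verp_delimiters = -=
verp_delimiter_filter = -=
recipient_delimiter = +

default_process_limit = 8
anvil_rate_time_unit = 60s
anvil_status_update_time = 3600s
#in_flow_delay = 1s
# bytes
body_checks_size_limit = 102400
bounce_size_limit = 50000
#header_size_limit = 102400
# bytes; postconf(5): must not be smaller than message_size_limit
mailbox_size_limit = 100000000
message_size_limit = 442000

## TLSPROXY(8) (where diverging from daemon / client)

# Do not add the system CA bundle to the CAs configured via *_tls_CAfile/CApath
tls_append_default_CA = no

## POSTFIX DAEMON

# Calculate:
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
# Put the hash only in relay_clientcerts, right hand value is not inspected:
# FINGERPRINT-HERE whatever value
# Search #RELAY for this, uncomment
#RELAY relay_clientcerts = lmdb:/etc/postfix-lmdb/relay_clientcerts
# relay_domains <-> reject_unauth_destination,permit_auth_destination
# eg lmdb:/etc/postfix-lmdb/transport
transport_maps =
# NOTE(review): relay_domains holds domain names / lookup tables.  The CIDR
# entries expanded from $mynetworks do not look like they can match a
# recipient domain and may be a leftover - confirm intent.  Listing the
# $transport_maps table (once set) is the usual idiom and is kept.
relay_domains = $mynetworks,$transport_maps

# Only localhost for mailing-lists etc.; maybe $mynetworks?
smtpd_authorized_verp_clients = 127.0.0.1

# Clients which are allowed to invoke commands
# (continuation lines are indented; the commented entries are ignored)
smtpd_client_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    reject_unknown_client_hostname,
    # in case you want to reject DNS blacklists rather than greylist them
    # with gross, exchange sleep (maybe) and uncomment the lines below
    sleep 1,
    #reject_rbl_client cbl.abuseat.org,
    #reject_rbl_client sbl.spamhaus.org,
    #DNSDL reject_rbl_client zen.spamhaus.org,
    #DNSDL reject_rbl_client dnsbl.sorbs.net,
    #reject_rbl_client bl.spamcop.net,
    #reject_rbl_client list.dsbl.org,
    reject_unauth_pipelining,
    #reject
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

smtpd_helo_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    # permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

smtpd_relay_before_recipient_restrictions = yes

# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain
smtpd_relay_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    #permit_auth_destination,
    #reject
    reject_unauth_destination,
    permit

# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
smtpd_recipient_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    # better not reject_unverified_sender,
    #check_policy_service inet:127.0.0.1:5525,
    permit

# MAIL FROM checks
smtpd_sender_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    #RELAY permit_tls_clientcerts,
    #[RELAY] permit_sasl_authenticated,
    # Eg: qq.com reject
    lmdb:/etc/postfix-lmdb/sender_restrict,
    reject_unknown_sender_domain,
    permit

# i would turn that on..
#smtpd_delay_reject = no
smtpd_helo_required = yes
# A single error ends the session.  Very strict; watch the logs for
# legitimate but sloppy clients before keeping it at 1.
smtpd_hard_error_limit = 1
smtpd_soft_error_limit = 1
smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
#smtpd_log_access_permit_actions =
#    permit_tls_clientcerts,
#    permit_sasl_authenticated
#smtpd_client_connection_rate_limit = 20
#smtpd_client_connection_count_limit = 2

#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
# These are managed per-service in master.cf!
#smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
# Offer AUTH only inside TLS
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
#SMART Received: headers carrying protocol/cipher and the client-certificate
#SMART CN/issuer are usually nice, but they expose client-certificate details
#SMART when those are in use - hence off.
smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers = medium
# OpenSSL cipher names/aliases.  OpenSSL ignores unrecognised names in a
# cipher string, so a typo here excludes nothing: the original
# "EDH-RSA-DES-CDB3-SHA" was corrected to EDH-RSA-DES-CBC3-SHA.  The alias
# 3DES would cover every triple-DES suite in a single token.
smtpd_tls_mandatory_exclude_ciphers =
    aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
# No plaintext mechanisms outside TLS; inside TLS only anonymous is refused
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

## POSTFIX CLIENT

#TLS comment out next
#SMART comment out next
# Opportunistic TLS: encrypt when the peer offers it, no peer authentication.
# The #SMART block below raises this to verify/fingerprint for the relayhost.
smtp_tls_security_level = may
# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
#SMART When only relaying to smarthost, the next can be =high !?!
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = yes
smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout

#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
#smtp_sasl_mechanism_filter = !external
#smtp_sasl_security_options = $smtpd_sasl_security_options
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
#smtp_sasl_mechanism_filter = plain, login

# For laptops etc, rely on smarthost to do real delivery.
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
# check man(5) postconf -> local_header_rewrite_clients;
# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
#SMART EITHER these three
#SMART smtp_tls_security_level = verify
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
#SMART smtp_tls_scert_verifydepth = 9
#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
#SMART disable_dns_lookups = yes
#SMART Authentication like that not tried, this from postfix SASL_README:
#smtp_sasl_auth_enable = yes
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_password_maps = lmdb:/etc/postfix-lmdb/sasl_passwd
# The sasl_passwd source and the compiled .lmdb hold clear-text credentials:
# keep both owned by root with mode 0600.
# /etc/postfix-lmdb/sasl_passwd:
# # destination credentials
# #user1@example.com username1:password1
# #user2@example.net username2:password2
# [mail.isp.example] username:password
# # Alternative form:
# # [mail.isp.example]:submission username:password
#SMART Even sender-specific, uncomment the user1 user2 entries above then
# sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay
# /etc/postfix/sender_relay:
# # Per-sender provider; see also /etc/postfix/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]

# Permanently (to _destinations) instead if this is "no"
smtp_connection_cache_on_demand = yes
# $relayhost WITHOUT [] and : etc.!!
smtp_connection_cache_destinations = $relayhost
smtp_connection_cache_time_limit = 10s
smtp_connection_reuse_count_limit = 242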