From 0b2de4c8d00e6a2bbe02f048f5e59c3d07388413 Mon Sep 17 00:00:00 2001 From: James Ketrenos Date: Tue, 21 May 2024 10:58:57 -0700 Subject: [PATCH] Update main.cf based on chat-gpt comments Signed-off-by: James Ketrenos --- mail/etc/postfix/main.cf | 170 +++++++++++++++++++++++---------------- 1 file changed, 102 insertions(+), 68 deletions(-) diff --git a/mail/etc/postfix/main.cf b/mail/etc/postfix/main.cf index 0ca9c86..1d0484e 100644 --- a/mail/etc/postfix/main.cf +++ b/mail/etc/postfix/main.cf @@ -1,53 +1,45 @@ # See /usr/share/postfix/main.cf.dist for a commented, more complete version -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname + +# The hostname of the mail server myhostname = ketrenos.com +# Alternative hostname examples #myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com #myhostname = mail.ketrenos.com -# Logging +# Log file location maillog_file = /var/log/postfix.log +# SMTPD banner (what clients see when they connect) smtpd_banner = $myhostname ESMTP $mail_name -# Enable unverified_sender_verify -# 2022-05-26 +# Configuration for unverified senders unverified_sender_defer_code = 250 +# Disable the biff service (notify users of new mail) biff = no -# 2020-09-16 set max size to 50M as more and more -# messages are exceeding 32M -# -# 2021-05-16 set max size to 200M (2^28) as we are seeing Infuccient -# system storage bounces. -message_size_limit = 0 -# appending .domain is the MUA's job. +# Set the maximum message size to 200M to handle large emails +message_size_limit = 200M + +# Don't append the domain to usernames automatically append_dot_mydomain = no -# Uncomment the next line to generate "delayed mail" warnings +# Uncomment to generate "delayed mail" warnings #delay_warning_time = 4h +# Disable the README directory readme_directory = no -#debug_peer_list = 127.0.0.1 - -# NOTE: -# `smtpd` prefix is for receiving connections. `smtp` is for outbound -# connections - -# TLS parameters -#smtpd_use_tls = yes +# TLS parameters for inbound connections +smtpd_use_tls = yes smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem - -# Trying to fix insufficient space -smtpd_proxy_timeout = 240s - smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_session_cache_timeout = 3600s @@ -55,38 +47,34 @@ smtpd_tls_loglevel = 1 smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes -#Disable Poodle +# Disable old and insecure SSL/TLS protocols smtp_tls_security_level = may -smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 -smtp_tls_protocols=!SSLv2,!SSLv3 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtp_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may -smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 -smtpd_tls_protocols=!SSLv2,!SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtpd_tls_protocols = !SSLv2, !SSLv3 -# Force TLS for outgoing server connection +# Force TLS for outgoing server connections smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_CApath = /etc/ssl/certs/ smtpd_tls_CApath = /etc/ssl/certs/ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -# Changes to SSL Ciphers +# Configure SSL ciphers tls_preempt_cipherlist = yes smtpd_tls_mandatory_ciphers = high -# If this is used, facebook stops being able to deliver to us :( -#tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256 - +# SMTP session cache settings #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. - +# Alias maps and database alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases -# Support multiple recipient delimers (_ and +) +# Support multiple recipient delimiters (_ and +) canonical_maps = regexp:/etc/postfix/canonical recipient_delimiter = _ # Example /etc/postfix/canonical: @@ -97,20 +85,30 @@ recipient_delimiter = _ # Mailman3 support (via ketrenet-mailman-core) unknown_local_recipient_reject_code = 550 owner_request_special = no -transport_maps = - hash:/opt/mailman/postfix_lmtp -local_recipient_maps = - hash:/opt/mailman/postfix_lmtp -relay_domains = - hash:/opt/mailman/postfix_domains +transport_maps = hash:/opt/mailman/postfix_lmtp +local_recipient_maps = hash:/opt/mailman/postfix_lmtp +relay_domains = hash:/opt/mailman/postfix_domains +# Origin domain for outgoing mail myorigin = /etc/mailname + +# Define destinations for which this system is responsible mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost, email.ketrenos.net, ketrenos.net + +# No relay host (direct delivery) relayhost = + +# No mailbox size limit mailbox_size_limit = 0 + +# Network interfaces and protocols inet_interfaces = all inet_protocols = ipv4 + +# Mailbox format home_mailbox = Maildir/ + +# SASL authentication settings smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth_client @@ -123,50 +121,86 @@ smtpd_sasl_local_domain = smtpd_helo_required = yes broken_sasl_auth_clients = yes -mynetworks = 127.0.0.0/8 192.168.0.0/16 +# Network configuration +mynetworks = 127.0.0.0/8, 192.168.0.0/16 +# Mailbox command (for Dovecot delivery) mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}" + +# Random number source for TLS tls_random_source = dev:/dev/urandom + +# Content filter (Amavis) content_filter = smtp-amavis:[127.0.0.1]:10024 + +# Relay domains (repeat for clarity, should match previous definition) relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net -#transport_maps = hash:/etc/postfix/transport + +# Mailman destination recipient limit mailman_destination_recipient_limit = 1 -# smtpd_client_restrictions = +# SMTPD client restrictions +#smtpd_client_restrictions = # permit_mynetworks # reject_plaintext_session +# SMTPD recipient restrictions smtpd_recipient_restrictions = - permit_mynetworks - check_recipient_access hash:/etc/postfix/recipient_restrictions - permit_sasl_authenticated - reject_unauth_destination - reject_rbl_client - zen.spamhaus.org=127.0.0.[2..11], - check_sender_access hash:/etc/postfix/sender_checks - check_policy_service unix:private/policy-spf - reject_unknown_sender_domain - warn_if_reject reject_unverified_sender + permit_mynetworks, + check_recipient_access hash:/etc/postfix/recipient_restrictions, + permit_sasl_authenticated, + reject_unauth_destination, + reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], + check_sender_access hash:/etc/postfix/sender_checks, + check_policy_service unix:private/policy-spf, + reject_unknown_sender_domain, + warn_if_reject reject_unverified_sender +# SMTPD sender restrictions smtpd_sender_restrictions = - permit_mynetworks + permit_mynetworks, reject_unknown_sender_domain -# Added check_sender_access to block all spoofed root@ketrenos.com email sends +# SMTPD relay restrictions (to block spoofed root@ketrenos.com) smtpd_relay_restrictions = - permit_mynetworks - check_sender_access hash:/etc/postfix/sender_restrictions - check_recipient_access hash:/etc/postfix/recipient_restrictions - permit_sasl_authenticated + permit_mynetworks, + check_sender_access hash:/etc/postfix/sender_restrictions, + check_recipient_access hash:/etc/postfix/recipient_restrictions, + permit_sasl_authenticated, reject_unauth_destination -milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr} -# https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy + +# Milter settings (greylisting and DKIM) +# This macro definition helps the milters (greylisting and DKIM) by providing +# specific connection details that can be used to make filtering decisions. +# The provided macros include: +# - i: Queue ID +# - b: Blog ID +# - j: The message's destination hostname +# - _: The client address in numeric form +# - {daemon_name}: The name of the daemon +# - {if_name}: The name of the network interface +# - {client_addr}: The client's IP address +# This detailed information helps improve the accuracy and effectiveness of the milters. +milter_connect_macros = i, b, j, _, {daemon_name}, {if_name}, {client_addr} + +# Specify the milter protocol version milter_protocol = 2 + +# Set the default action if a milter fails (accept the mail) milter_default_action = accept + +# Specify the paths to the milter sockets smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock -#smtpd_milters = unix:/milter-greylist/milter-greylist.sock -non_smtpd_milters = $smtpd_milters milter_default_action = accept + +# Apply the same milters to non-SMTPD traffic +non_smtpd_milters = $smtpd_milters + +# TLS usage settings smtpd_use_tls = yes smtp_use_tls = no + +# SPF policy time limit policy-spf_time_limit = 3600s + +# Compatibility level compatibility_level = 3.6