Update main.cf based on chat-gpt comments

Signed-off-by: James Ketrenos <james_git@ketrenos.com>
2024-05-21 10:58:57 -07:00 · 2024-05-21 10:58:57 -07:00 · 0b2de4c8d0
commit 0b2de4c8d0
parent f333789ec9
1 changed files with 102 additions and 68 deletions
--- a/mail/etc/postfix/main.cf
+++ b/mail/etc/postfix/main.cf
@ -1,53 +1,45 @@
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
-# Debian specific:  Specifying a file name will cause the first
+# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name.  The Debian default
+# line of that file to be used as the name. The Debian default
 # is /etc/mailname.
 #myorigin = /etc/mailname
 # The hostname of the mail server
 myhostname = ketrenos.com
 # Alternative hostname examples
 #myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com
 #myhostname = mail.ketrenos.com
-# Logging
+# Log file location
 maillog_file = /var/log/postfix.log
 # SMTPD banner (what clients see when they connect)
 smtpd_banner = $myhostname ESMTP $mail_name
-# Enable unverified_sender_verify
+# Configuration for unverified senders
 # 2022-05-26
 unverified_sender_defer_code = 250
 # Disable the biff service (notify users of new mail)
 biff = no
 # 2020-09-16 set max size to 50M as more and more
 # messages are exceeding 32M
 #
 # 2021-05-16 set max size to 200M (2^28) as we are seeing Infuccient
 # system storage bounces.
 message_size_limit = 0
-# appending .domain is the MUA's job.
+# Set the maximum message size to 200M to handle large emails
 message_size_limit = 200M
 # Don't append the domain to usernames automatically
 append_dot_mydomain = no
-# Uncomment the next line to generate "delayed mail" warnings
+# Uncomment to generate "delayed mail" warnings
 #delay_warning_time = 4h
 # Disable the README directory
 readme_directory = no
-#debug_peer_list = 127.0.0.1
+# TLS parameters for inbound connections
-
+smtpd_use_tls = yes
 # NOTE:
 # `smtpd` prefix is for receiving connections. `smtp` is for outbound
 # connections
 # TLS parameters
 #smtpd_use_tls = yes
 smtpd_tls_auth_only = no
 smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem
 # Trying to fix insufficient space
 smtpd_proxy_timeout = 240s
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
 smtpd_tls_session_cache_timeout = 3600s
@ -55,38 +47,34 @@ smtpd_tls_loglevel = 1
 smtp_tls_loglevel = 1
 smtp_tls_note_starttls_offer = yes
-#Disable Poodle
+# Disable old and insecure SSL/TLS protocols
 smtp_tls_security_level = may
-smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtp_tls_protocols=!SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols=!SSLv2,!SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
-# Force TLS for outgoing server connection
+# Force TLS for outgoing server connections
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 smtp_tls_CApath = /etc/ssl/certs/
 smtpd_tls_CApath = /etc/ssl/certs/
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-# Changes to SSL Ciphers
+# Configure SSL ciphers
 tls_preempt_cipherlist = yes
 smtpd_tls_mandatory_ciphers = high
-# If this is used, facebook stops being able to deliver to us :(
+# SMTP session cache settings
 #tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
 #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# Alias maps and database
 # information on enabling SSL in the smtp client.
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-# Support multiple recipient delimers (_ and +)
+# Support multiple recipient delimiters (_ and +)
 canonical_maps = regexp:/etc/postfix/canonical
 recipient_delimiter = _
 # Example /etc/postfix/canonical:
@ -97,20 +85,30 @@ recipient_delimiter = _
 # Mailman3 support (via ketrenet-mailman-core)
 unknown_local_recipient_reject_code = 550
 owner_request_special = no
-transport_maps =
+transport_maps = hash:/opt/mailman/postfix_lmtp
-    hash:/opt/mailman/postfix_lmtp
+local_recipient_maps = hash:/opt/mailman/postfix_lmtp
-local_recipient_maps =
+relay_domains = hash:/opt/mailman/postfix_domains
    hash:/opt/mailman/postfix_lmtp
 relay_domains =
    hash:/opt/mailman/postfix_domains
 # Origin domain for outgoing mail
 myorigin = /etc/mailname
 # Define destinations for which this system is responsible
 mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost, email.ketrenos.net, ketrenos.net
 # No relay host (direct delivery)
 relayhost =
 # No mailbox size limit
 mailbox_size_limit = 0
 # Network interfaces and protocols
 inet_interfaces = all
 inet_protocols = ipv4
 # Mailbox format
 home_mailbox = Maildir/
 # SASL authentication settings
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth_client
@ -123,50 +121,86 @@ smtpd_sasl_local_domain =
 smtpd_helo_required = yes
 broken_sasl_auth_clients = yes
-mynetworks = 127.0.0.0/8 192.168.0.0/16
+# Network configuration
 mynetworks = 127.0.0.0/8, 192.168.0.0/16
 # Mailbox command (for Dovecot delivery)
 mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}"
 # Random number source for TLS
 tls_random_source = dev:/dev/urandom
 # Content filter (Amavis)
 content_filter = smtp-amavis:[127.0.0.1]:10024
 # Relay domains (repeat for clarity, should match previous definition)
 relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net
-#transport_maps = hash:/etc/postfix/transport
+
 # Mailman destination recipient limit
 mailman_destination_recipient_limit = 1
-# smtpd_client_restrictions =
+# SMTPD client restrictions
 #smtpd_client_restrictions =
 #  permit_mynetworks 
 #  reject_plaintext_session
 # SMTPD recipient restrictions
 smtpd_recipient_restrictions =
-  permit_mynetworks
+  permit_mynetworks,
-  check_recipient_access hash:/etc/postfix/recipient_restrictions
+  check_recipient_access hash:/etc/postfix/recipient_restrictions,
-  permit_sasl_authenticated
+  permit_sasl_authenticated,
-  reject_unauth_destination
+  reject_unauth_destination,
-  reject_rbl_client
+  reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
-  zen.spamhaus.org=127.0.0.[2..11],
+  check_sender_access hash:/etc/postfix/sender_checks,
-  check_sender_access hash:/etc/postfix/sender_checks
+  check_policy_service unix:private/policy-spf,
-  check_policy_service unix:private/policy-spf
+  reject_unknown_sender_domain,
-  reject_unknown_sender_domain 
+  warn_if_reject reject_unverified_sender
  warn_if_reject reject_unverified_sender 
 # SMTPD sender restrictions
 smtpd_sender_restrictions =
-  permit_mynetworks
+  permit_mynetworks,
  reject_unknown_sender_domain
-# Added check_sender_access to block all spoofed root@ketrenos.com email sends
+# SMTPD relay restrictions (to block spoofed root@ketrenos.com)
 smtpd_relay_restrictions =
-  permit_mynetworks
+  permit_mynetworks,
-  check_sender_access hash:/etc/postfix/sender_restrictions
+  check_sender_access hash:/etc/postfix/sender_restrictions,
-  check_recipient_access hash:/etc/postfix/recipient_restrictions
+  check_recipient_access hash:/etc/postfix/recipient_restrictions,
-  permit_sasl_authenticated
+  permit_sasl_authenticated,
  reject_unauth_destination
-milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr}
+
-# https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
+# Milter settings (greylisting and DKIM)
 # This macro definition helps the milters (greylisting and DKIM) by providing
 # specific connection details that can be used to make filtering decisions.
 # The provided macros include:
 #   - i: Queue ID
 #   - b: Blog ID
 #   - j: The message's destination hostname
 #   - _: The client address in numeric form
 #   - {daemon_name}: The name of the daemon
 #   - {if_name}: The name of the network interface
 #   - {client_addr}: The client's IP address
 # This detailed information helps improve the accuracy and effectiveness of the milters.
 milter_connect_macros = i, b, j, _, {daemon_name}, {if_name}, {client_addr}
 # Specify the milter protocol version
 milter_protocol = 2
 # Set the default action if a milter fails (accept the mail)
 milter_default_action = accept
 # Specify the paths to the milter sockets
 smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock 
-#smtpd_milters = unix:/milter-greylist/milter-greylist.sock
+
-non_smtpd_milters = $smtpd_milters milter_default_action = accept
+# Apply the same milters to non-SMTPD traffic
 non_smtpd_milters = $smtpd_milters
 # TLS usage settings
 smtpd_use_tls = yes
 smtp_use_tls = no
 # SPF policy time limit
 policy-spf_time_limit = 3600s
 # Compatibility level
 compatibility_level = 3.6