Update main.cf based on chat-gpt comments

Signed-off-by: James Ketrenos <james_git@ketrenos.com>
2024-05-21 10:58:57 -07:00 · 2024-05-21 10:58:57 -07:00 · 0b2de4c8d0
commit 0b2de4c8d0
parent f333789ec9
1 changed files with 102 additions and 68 deletions
--- a/mail/etc/postfix/main.cf
+++ b/mail/etc/postfix/main.cf
@ -1,53 +1,45 @@
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version

-# Debian specific:  Specifying a file name will cause the first
-# line of that file to be used as the name.  The Debian default
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
 # is /etc/mailname.
 #myorigin = /etc/mailname
+
+# The hostname of the mail server
 myhostname = ketrenos.com
+# Alternative hostname examples
 #myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com
 #myhostname = mail.ketrenos.com

-# Logging
+# Log file location
 maillog_file = /var/log/postfix.log

+# SMTPD banner (what clients see when they connect)
 smtpd_banner = $myhostname ESMTP $mail_name

-# Enable unverified_sender_verify
-# 2022-05-26
+# Configuration for unverified senders
 unverified_sender_defer_code = 250

+# Disable the biff service (notify users of new mail)
 biff = no
-# 2020-09-16 set max size to 50M as more and more
-# messages are exceeding 32M
-#
-# 2021-05-16 set max size to 200M (2^28) as we are seeing Infuccient
-# system storage bounces.
-message_size_limit = 0

-# appending .domain is the MUA's job.
+# Set the maximum message size to 200M to handle large emails
+message_size_limit = 200M
+
+# Don't append the domain to usernames automatically
 append_dot_mydomain = no

-# Uncomment the next line to generate "delayed mail" warnings
+# Uncomment to generate "delayed mail" warnings
 #delay_warning_time = 4h

+# Disable the README directory
 readme_directory = no

-#debug_peer_list = 127.0.0.1
-
-# NOTE:
-# `smtpd` prefix is for receiving connections. `smtp` is for outbound
-# connections
-
-# TLS parameters
-#smtpd_use_tls = yes
+# TLS parameters for inbound connections
+smtpd_use_tls = yes
 smtpd_tls_auth_only = no
 smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem
-
-# Trying to fix insufficient space
-smtpd_proxy_timeout = 240s
-
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
 smtpd_tls_session_cache_timeout = 3600s
@ -55,38 +47,34 @@ smtpd_tls_loglevel = 1
 smtp_tls_loglevel = 1
 smtp_tls_note_starttls_offer = yes

-#Disable Poodle
+# Disable old and insecure SSL/TLS protocols
 smtp_tls_security_level = may
-smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtp_tls_protocols=!SSLv2,!SSLv3
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtpd_tls_protocols=!SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3

-# Force TLS for outgoing server connection
+# Force TLS for outgoing server connections
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 smtp_tls_CApath = /etc/ssl/certs/
 smtpd_tls_CApath = /etc/ssl/certs/
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

-# Changes to SSL Ciphers
+# Configure SSL ciphers
 tls_preempt_cipherlist = yes
 smtpd_tls_mandatory_ciphers = high

-# If this is used, facebook stops being able to deliver to us :(
-#tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
-
+# SMTP session cache settings
 #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
+# Alias maps and database
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases

-# Support multiple recipient delimers (_ and +)
+# Support multiple recipient delimiters (_ and +)
 canonical_maps = regexp:/etc/postfix/canonical
 recipient_delimiter = _
 # Example /etc/postfix/canonical:
@ -97,20 +85,30 @@ recipient_delimiter = _
 # Mailman3 support (via ketrenet-mailman-core)
 unknown_local_recipient_reject_code = 550
 owner_request_special = no
-transport_maps =
-    hash:/opt/mailman/postfix_lmtp
-local_recipient_maps =
-    hash:/opt/mailman/postfix_lmtp
-relay_domains =
-    hash:/opt/mailman/postfix_domains
+transport_maps = hash:/opt/mailman/postfix_lmtp
+local_recipient_maps = hash:/opt/mailman/postfix_lmtp
+relay_domains = hash:/opt/mailman/postfix_domains

+# Origin domain for outgoing mail
 myorigin = /etc/mailname
+
+# Define destinations for which this system is responsible
 mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost, email.ketrenos.net, ketrenos.net
+
+# No relay host (direct delivery)
 relayhost =
+
+# No mailbox size limit
 mailbox_size_limit = 0
+
+# Network interfaces and protocols
 inet_interfaces = all
 inet_protocols = ipv4
+
+# Mailbox format
 home_mailbox = Maildir/
+
+# SASL authentication settings
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth_client
@ -123,50 +121,86 @@ smtpd_sasl_local_domain =
 smtpd_helo_required = yes
 broken_sasl_auth_clients = yes

-mynetworks = 127.0.0.0/8 192.168.0.0/16
+# Network configuration
+mynetworks = 127.0.0.0/8, 192.168.0.0/16

+# Mailbox command (for Dovecot delivery)
 mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}"
+
+# Random number source for TLS
 tls_random_source = dev:/dev/urandom
+
+# Content filter (Amavis)
 content_filter = smtp-amavis:[127.0.0.1]:10024
+
+# Relay domains (repeat for clarity, should match previous definition)
 relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net
-#transport_maps = hash:/etc/postfix/transport
+
+# Mailman destination recipient limit
 mailman_destination_recipient_limit = 1

-# smtpd_client_restrictions =
+# SMTPD client restrictions
+#smtpd_client_restrictions =
 #  permit_mynetworks 
 #  reject_plaintext_session

+# SMTPD recipient restrictions
 smtpd_recipient_restrictions =
-  permit_mynetworks
-  check_recipient_access hash:/etc/postfix/recipient_restrictions
-  permit_sasl_authenticated
-  reject_unauth_destination
-  reject_rbl_client
-  zen.spamhaus.org=127.0.0.[2..11],
-  check_sender_access hash:/etc/postfix/sender_checks
-  check_policy_service unix:private/policy-spf
-  reject_unknown_sender_domain 
+  permit_mynetworks,
+  check_recipient_access hash:/etc/postfix/recipient_restrictions,
+  permit_sasl_authenticated,
+  reject_unauth_destination,
+  reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
+  check_sender_access hash:/etc/postfix/sender_checks,
+  check_policy_service unix:private/policy-spf,
+  reject_unknown_sender_domain,
  warn_if_reject reject_unverified_sender

+# SMTPD sender restrictions
 smtpd_sender_restrictions =
-  permit_mynetworks
+  permit_mynetworks,
  reject_unknown_sender_domain

-# Added check_sender_access to block all spoofed root@ketrenos.com email sends
+# SMTPD relay restrictions (to block spoofed root@ketrenos.com)
 smtpd_relay_restrictions =
-  permit_mynetworks
-  check_sender_access hash:/etc/postfix/sender_restrictions
-  check_recipient_access hash:/etc/postfix/recipient_restrictions
-  permit_sasl_authenticated
+  permit_mynetworks,
+  check_sender_access hash:/etc/postfix/sender_restrictions,
+  check_recipient_access hash:/etc/postfix/recipient_restrictions,
+  permit_sasl_authenticated,
  reject_unauth_destination
-milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr}
-# https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
+
+# Milter settings (greylisting and DKIM)
+# This macro definition helps the milters (greylisting and DKIM) by providing
+# specific connection details that can be used to make filtering decisions.
+# The provided macros include:
+#   - i: Queue ID
+#   - b: Blog ID
+#   - j: The message's destination hostname
+#   - _: The client address in numeric form
+#   - {daemon_name}: The name of the daemon
+#   - {if_name}: The name of the network interface
+#   - {client_addr}: The client's IP address
+# This detailed information helps improve the accuracy and effectiveness of the milters.
+milter_connect_macros = i, b, j, _, {daemon_name}, {if_name}, {client_addr}
+
+# Specify the milter protocol version
 milter_protocol = 2
+
+# Set the default action if a milter fails (accept the mail)
 milter_default_action = accept
+
+# Specify the paths to the milter sockets
 smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock 
-#smtpd_milters = unix:/milter-greylist/milter-greylist.sock
-non_smtpd_milters = $smtpd_milters milter_default_action = accept
+
+# Apply the same milters to non-SMTPD traffic
+non_smtpd_milters = $smtpd_milters
+
+# TLS usage settings
 smtpd_use_tls = yes
 smtp_use_tls = no
+
+# SPF policy time limit
 policy-spf_time_limit = 3600s
+
+# Compatibility level
 compatibility_level = 3.6