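# Postfix main.cf for ketrenos.com (Debian).
# See /usr/share/postfix/main.cf.dist for a commented, more complete version.
# Postfix syntax: one "key = value" per line; a line that starts with
# whitespace continues the previous value. Postfix warns about duplicate
# keys and uses the last one, so every parameter appears exactly once here.

# Debian specific: specifying a file name will cause the first line of that
# file to be used as the name. The Debian default is /etc/mailname.
#myorigin = /etc/mailname

# The hostname of the mail server
myhostname = ketrenos.com
# Alternative hostname examples
#myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com
#myhostname = mail.ketrenos.com

# Log file location
maillog_file = /var/log/postfix.log

# SMTPD banner (what clients see when they connect)
smtpd_banner = $myhostname ESMTP $mail_name

# Reply code used when reject_unverified_sender defers a sender. Postfix
# documents this as a 4xx code (default 450); the previous value of 250 is a
# success code and not a valid defer reply. It only takes effect if the
# warn_if_reject wrapper in smtpd_recipient_restrictions is ever removed.
unverified_sender_defer_code = 450

# Disable the biff service (notify users of new mail)
biff = no

# Maximum message size in bytes (200 MiB)
message_size_limit = 209715200

# Don't append the domain to usernames automatically
append_dot_mydomain = no

# Uncomment to generate "delayed mail" warnings
#delay_warning_time = 4h

# Disable the README directory
readme_directory = no

# ---------------------------------------------------------------------------
# TLS
# ---------------------------------------------------------------------------
# Inbound (smtpd) and outbound (smtp) TLS are both opportunistic ("may"):
# STARTTLS is offered/attempted, plaintext is still accepted. A non-empty
# *_tls_security_level supersedes the obsolete smtpd_use_tls / smtp_use_tls
# parameters, so those are not set here (the old file carried
# smtpd_use_tls twice and smtp_use_tls = no, which contradicted "may").
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem
# NOTE(review): AUTH is announced before STARTTLS, and the non-TLS SASL
# options below contain only "noanonymous", so a client can send its
# password in clear text on port 25. smtpd_tls_auth_only = yes closes that
# once all clients are confirmed to use STARTTLS.
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes

# Protocol versions. Excluding only SSLv2/SSLv3 still permits TLSv1.0 and
# TLSv1.1; with compatibility_level 3.6 the ">=TLSv1.2" form is available if
# a higher floor is acceptable for the peers this host exchanges mail with.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3

# Per-destination outbound TLS policy (e.g. "encrypt" or "secure" for
# selected peers). Outbound TLS is otherwise opportunistic, see
# smtp_tls_security_level above.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Trust anchors used to verify peer certificates
smtp_tls_CApath = /etc/ssl/certs/
smtpd_tls_CApath = /etc/ssl/certs/
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Cipher selection: prefer the server's cipher order, and require the "high"
# grade for mandatory TLS sessions
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high

# SMTP session cache settings
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Random number source for TLS
tls_random_source = dev:/dev/urandom

# ---------------------------------------------------------------------------
# Address handling and delivery
# ---------------------------------------------------------------------------
# Alias maps and database
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Support multiple recipient delimiters (_ and +): "+" addresses are
# rewritten to "_" by the canonical map, "_" is the delimiter Postfix uses.
canonical_maps = regexp:/etc/postfix/canonical
recipient_delimiter = _
# Example /etc/postfix/canonical:
# /^([^@]+)\+(.*)@ketrenos\.com$/ ${1}_${2}@ketrenos.com
# sudo postmap /etc/postfix/canonical
# sudo systemctl restart postfix

# Mailman3 support (via ketrenet-mailman-core)
unknown_local_recipient_reject_code = 550
owner_request_special = no
transport_maps = regexp:/opt/mailman/postfix_lmtp
local_recipient_maps = regexp:/opt/mailman/postfix_lmtp
# relay_domains is defined further down because this host relays for more
# than just Mailman; the Mailman-generated map stays commented out.
# relay_domains = hash:/opt/mailman/postfix_domains

# Origin domain for outgoing mail
myorigin = /etc/mailname

# Domains for which this system is the final destination
mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost,
    email.ketrenos.net, ketrenos.net

# No relay host (direct delivery)
relayhost =

# No mailbox size limit
mailbox_size_limit = 0

# Network interfaces and protocols
inet_interfaces = all
inet_protocols = ipv4

# Mailbox format (local(8) uses mailbox_command below in preference to
# home_mailbox when both are set)
home_mailbox = Maildir/

# Mailbox command (for Dovecot delivery)
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}"

# Content filter (Amavis)
content_filter = smtp-amavis:[127.0.0.1]:10024

# Relay domains. This is the only active definition; the Mailman-generated
# map in the Mailman section above is commented out.
relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net

# Mailman destination recipient limit
mailman_destination_recipient_limit = 1

# ---------------------------------------------------------------------------
# SASL authentication (via Dovecot)
# ---------------------------------------------------------------------------
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_client
smtpd_sasl_authenticated_header = yes
# "noanonymous" only on the non-TLS list; see the smtpd_tls_auth_only note
# above regarding plaintext mechanisms on unencrypted sessions.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_helo_required = yes
broken_sasl_auth_clients = yes

# ---------------------------------------------------------------------------
# Access policy
# ---------------------------------------------------------------------------
# Trusted networks. permit_mynetworks is the first entry in every restriction
# list below, so any host in these ranges can relay without authenticating
# and bypasses the access maps and RBL/SPF checks.
mynetworks = 127.0.0.0/8, 192.168.0.0/16

# SMTPD client restrictions
#smtpd_client_restrictions =
# permit_mynetworks
# reject_plaintext_session

# SMTPD recipient restrictions. Order matters: local and authenticated
# clients are permitted first, relaying to foreign destinations is rejected
# before any lookup that could return OK, then the per-sender checks run.
# The RBL entry only treats the 127.0.0.2-11 listing codes as a hit, so
# other answer codes are not mistaken for a listing.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_restrictions,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    check_sender_access hash:/etc/postfix/sender_checks,
    check_policy_service unix:private/policy-spf,
    reject_unknown_sender_domain,
    warn_if_reject reject_unverified_sender

# SMTPD sender restrictions
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain

# SMTPD relay restrictions (to block spoofed root@ketrenos.com). The sender
# and recipient access maps run before permit_sasl_authenticated, so their
# REJECT entries apply to authenticated clients as well; hosts in mynetworks
# are still permitted first.
smtpd_relay_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_restrictions,
    check_recipient_access hash:/etc/postfix/recipient_restrictions,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---------------------------------------------------------------------------
# Milters (greylisting and DKIM)
# ---------------------------------------------------------------------------
# Macros sent to the milters when a connection is established, so they can
# base filtering decisions on connection details. See the Postfix
# MILTER_README for the full list. As used here:
#   i              queue ID
#   j              $myhostname
#   {daemon_name}  name of the daemon
#   {if_name}      name of the network interface
#   {client_addr}  client IP address
#   b, _           see MILTER_README
milter_connect_macros = i, b, j, _, {daemon_name}, {if_name}, {client_addr}
# Milter protocol version
milter_protocol = 2
# Default action if a milter fails: accept the mail. This is fail-open: while
# a milter is down, its greylisting or DKIM checks are skipped rather than
# mail being deferred.
milter_default_action = accept
# Paths to the milter sockets
smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock
# Apply the same milters to mail that does not arrive via smtpd
non_smtpd_milters = $smtpd_milters

# SPF policy daemon time limit
policy-spf_time_limit = 3600s

# Compatibility level
compatibility_level = 3.6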