208 lines
6.4 KiB
CFEngine3
208 lines
6.4 KiB
CFEngine3
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
|
|
|
# Debian specific: Specifying a file name will cause the first
|
|
# line of that file to be used as the name. The Debian default
|
|
# is /etc/mailname.
|
|
#myorigin = /etc/mailname
|
|
|
|
# The hostname of the mail server
|
|
myhostname = ketrenos.com
|
|
# Alternative hostname examples
|
|
#myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com
|
|
#myhostname = mail.ketrenos.com
|
|
|
|
# Log file location
|
|
maillog_file = /var/log/postfix.log
|
|
|
|
# SMTPD banner (what clients see when they connect)
|
|
smtpd_banner = $myhostname ESMTP $mail_name
|
|
|
|
# Configuration for unverified senders
|
|
unverified_sender_defer_code = 250
|
|
|
|
# Disable the biff service (notify users of new mail)
|
|
biff = no
|
|
|
|
# Set the maximum message size to 200MB (in bytes)
|
|
message_size_limit = 209715200
|
|
|
|
# Don't append the domain to usernames automatically
|
|
append_dot_mydomain = no
|
|
|
|
# Uncomment to generate "delayed mail" warnings
|
|
#delay_warning_time = 4h
|
|
|
|
# Disable the README directory
|
|
readme_directory = no
|
|
|
|
# TLS parameters for inbound connections
|
|
smtpd_use_tls = yes
|
|
smtpd_tls_auth_only = no
|
|
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem
|
|
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem
|
|
smtpd_tls_received_header = yes
|
|
smtpd_tls_ask_ccert = yes
|
|
smtpd_tls_session_cache_timeout = 3600s
|
|
smtpd_tls_loglevel = 1
|
|
smtp_tls_loglevel = 1
|
|
smtp_tls_note_starttls_offer = yes
|
|
|
|
# Disable old and insecure SSL/TLS protocols
|
|
smtp_tls_security_level = may
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
smtp_tls_protocols = !SSLv2, !SSLv3
|
|
smtpd_tls_security_level = may
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
smtpd_tls_protocols = !SSLv2, !SSLv3
|
|
|
|
# Force TLS for outgoing server connections
|
|
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
|
|
smtp_tls_CApath = /etc/ssl/certs/
|
|
smtpd_tls_CApath = /etc/ssl/certs/
|
|
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
|
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
|
|
|
# Configure SSL ciphers
|
|
tls_preempt_cipherlist = yes
|
|
smtpd_tls_mandatory_ciphers = high
|
|
|
|
# SMTP session cache settings
|
|
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
|
|
# Alias maps and database
|
|
alias_maps = hash:/etc/postfix/aliases
|
|
alias_database = hash:/etc/postfix/aliases
|
|
|
|
# Support multiple recipient delimiters (_ and +)
|
|
canonical_maps = regexp:/etc/postfix/canonical
|
|
recipient_delimiter = _
|
|
# Example /etc/postfix/canonical:
|
|
# /^([^@]+)\+(.*)@ketrenos\.com$/ ${1}_${2}@ketrenos.com
|
|
# sudo postmap /etc/postfix/canonical
|
|
# sudo systemctl restart postfix
|
|
|
|
# Mailman3 support (via ketrenet-mailman-core)
|
|
unknown_local_recipient_reject_code = 550
|
|
owner_request_special = no
|
|
transport_maps = regexp:/opt/mailman/postfix_lmtp
|
|
local_recipient_maps = regexp:/opt/mailman/postfix_lmtp
|
|
# relay_domains is set for more than just mailman ketrenos.com
|
|
# relay_domains = hash:/opt/mailman/postfix_domains
|
|
|
|
# Origin domain for outgoing mail
|
|
myorigin = /etc/mailname
|
|
|
|
# Define destinations for which this system is responsible
|
|
mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost, email.ketrenos.net, ketrenos.net
|
|
|
|
# No relay host (direct delivery)
|
|
relayhost =
|
|
|
|
# No mailbox size limit
|
|
mailbox_size_limit = 0
|
|
|
|
# Network interfaces and protocols
|
|
inet_interfaces = all
|
|
inet_protocols = ipv4
|
|
|
|
# Mailbox format
|
|
home_mailbox = Maildir/
|
|
|
|
# SASL authentication settings
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_type = dovecot
|
|
smtpd_sasl_path = private/auth_client
|
|
smtpd_sasl_authenticated_header = yes
|
|
smtpd_sasl_security_options = noanonymous
|
|
smtpd_sasl_tls_security_options = noanonymous
|
|
smtp_sasl_security_options = noanonymous
|
|
smtp_sasl_tls_security_options = noanonymous
|
|
smtpd_sasl_local_domain =
|
|
smtpd_helo_required = yes
|
|
broken_sasl_auth_clients = yes
|
|
|
|
# Network configuration
|
|
mynetworks = 127.0.0.0/8, 192.168.0.0/16
|
|
|
|
# Mailbox command (for Dovecot delivery)
|
|
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}"
|
|
|
|
# Random number source for TLS
|
|
tls_random_source = dev:/dev/urandom
|
|
|
|
# Content filter (Amavis)
|
|
content_filter = smtp-amavis:[127.0.0.1]:10024
|
|
|
|
# Relay domains (repeat for clarity, should match previous definition)
|
|
relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net
|
|
|
|
# Mailman destination recipient limit
|
|
mailman_destination_recipient_limit = 1
|
|
|
|
# SMTPD client restrictions
|
|
#smtpd_client_restrictions =
|
|
# permit_mynetworks
|
|
# reject_plaintext_session
|
|
|
|
# SMTPD recipient restrictions
|
|
smtpd_recipient_restrictions =
|
|
permit_mynetworks,
|
|
permit_sasl_authenticated,
|
|
reject_unauth_destination,
|
|
check_recipient_access hash:/etc/postfix/recipient_restrictions,
|
|
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
|
|
check_sender_access hash:/etc/postfix/sender_checks,
|
|
check_policy_service unix:private/policy-spf,
|
|
reject_unknown_sender_domain,
|
|
warn_if_reject reject_unverified_sender
|
|
|
|
# SMTPD sender restrictions
|
|
smtpd_sender_restrictions =
|
|
permit_mynetworks,
|
|
reject_unknown_sender_domain
|
|
|
|
# SMTPD relay restrictions (to block spoofed root@ketrenos.com)
|
|
smtpd_relay_restrictions =
|
|
permit_mynetworks,
|
|
check_sender_access hash:/etc/postfix/sender_restrictions,
|
|
check_recipient_access hash:/etc/postfix/recipient_restrictions,
|
|
permit_sasl_authenticated,
|
|
reject_unauth_destination
|
|
|
|
# Milter settings (greylisting and DKIM)
|
|
# This macro definition helps the milters (greylisting and DKIM) by providing
|
|
# specific connection details that can be used to make filtering decisions.
|
|
# The provided macros include:
|
|
# - i: Queue ID
|
|
# - b: Blog ID
|
|
# - j: The message's destination hostname
|
|
# - _: The client address in numeric form
|
|
# - {daemon_name}: The name of the daemon
|
|
# - {if_name}: The name of the network interface
|
|
# - {client_addr}: The client's IP address
|
|
# This detailed information helps improve the accuracy and effectiveness of the milters.
|
|
milter_connect_macros = i, b, j, _, {daemon_name}, {if_name}, {client_addr}
|
|
|
|
# Specify the milter protocol version
|
|
milter_protocol = 2
|
|
|
|
# Set the default action if a milter fails (accept the mail)
|
|
milter_default_action = accept
|
|
|
|
# Specify the paths to the milter sockets
|
|
smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock
|
|
|
|
# Apply the same milters to non-SMTPD traffic
|
|
non_smtpd_milters = $smtpd_milters
|
|
|
|
# TLS usage settings
|
|
smtpd_use_tls = yes
|
|
smtp_use_tls = no
|
|
|
|
# SPF policy time limit
|
|
policy-spf_time_limit = 3600s
|
|
|
|
# Compatibility level
|
|
compatibility_level = 3.6
|