compatibility_level = 3.8
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
readme_directory = no
mail_owner = ${postfix_user}
setgid_group = maildrop
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME KRB5_KTNAME=${postfix_keytab} KRB5_CLIENT_KTNAME=${postfix_keytab}
myorigin = ${postfix_myorigin}
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 ${postfix_mynetworks}
mydestination =
inet_interfaces = all
inet_protocols = all
alias_database =
alias_maps =
recipient_delimiter = ${postfix_recipient_delimiter}
message_size_limit = ${postfix_message_size_limit}
strict_rfc821_envelopes = yes
allow_percent_hack = no
swap_bangpath = no
disable_vrfy_command = yes
show_user_unknown_table_name = no
tls_medium_cipherlist = ${postfix_cipherlist}
tls_preempt_cipherlist = no
always_add_missing_headers = yes
local_header_rewrite_clients = permit_inet_interfaces, permit_mynetworks
$(if [ "$postfix_public_fqdn" != "$fqdn" ]; then
cat <<EOF
smtpd_tls_chain_files =
${postfix_public_tls_key},
${postfix_public_tls_cert}
tls_server_sni_maps =
inline:{
{ ${postfix_public_fqdn} = ${postfix_public_tls_key},${postfix_public_tls_cert} },
{ .${domain} = ${postfix_local_tls_key},${postfix_local_tls_cert} }
}
EOF
else
cat <<EOF
smtpd_tls_chain_files =
${postfix_local_tls_key},
${postfix_local_tls_cert}
EOF
fi)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_loglevel = 1
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_helo_required = yes
smtp_tls_CApath = ${system_cadir_path}
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
smtp_tls_loglevel = 1
lmtp_tls_CAfile = ${site_cacert_path}
lmtp_tls_security_level = encrypt
lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
smtp_tls_loglevel = 1
smtpd_helo_required = yes
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_unknown_reverse_client_hostname
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unauth_pipelining
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
reject_unauth_destination,
check_policy_service inet:${imap_host}.${domain}:${quota_status_port},
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unauth_pipelining
smtpd_data_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining
virtual_transport = lmtp:inet:${imap_host}.${domain}:${lmtp_port}
virtual_mailbox_domains = ${postfix_virtual_domains}
virtual_mailbox_maps = proxy:ldap:\$config_directory/virtual_mailboxes.cf
virtual_alias_maps = proxy:ldap:\$config_directory/virtual_aliases.cf
milter_default_action = accept
smtpd_milters = unix:${rspamd_milter_sock}
