aboutsummaryrefslogtreecommitdiff
path: root/files/usr/local/etc/postfix/main.cf.smtp_server
blob: c1e40a4753b7f6bd0b86e0fbd83522282661b4cf (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
compatibility_level = 3.8

queue_directory   = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory  = /usr/local/libexec/postfix
data_directory    = /var/db/postfix
sendmail_path     = /usr/local/sbin/sendmail
newaliases_path   = /usr/local/bin/newaliases
mailq_path        = /usr/local/bin/mailq
html_directory    = no
manpage_directory = /usr/local/man
sample_directory  = /usr/local/etc/postfix
meta_directory    = /usr/local/libexec/postfix
shlib_directory   = /usr/local/lib/postfix
readme_directory  = no
mail_owner        = ${postfix_user}
setgid_group      = maildrop

import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME KRB5_KTNAME=${postfix_keytab} KRB5_CLIENT_KTNAME=${postfix_keytab}

myorigin      = ${postfix_myorigin}
myhostname    = ${postfix_public_fqdn}
mynetworks    = 127.0.0.0/8 [::1]/128 [fe80::]/64 ${postfix_mynetworks}
mydestination =

inet_interfaces = all
inet_protocols  = all

alias_database =
alias_maps     =

recipient_delimiter          = ${postfix_recipient_delimiter}
message_size_limit           = ${postfix_message_size_limit}
strict_rfc821_envelopes      = yes
allow_percent_hack           = no
swap_bangpath                = no
disable_vrfy_command         = yes
show_user_unknown_table_name = no
tls_medium_cipherlist        = ${postfix_cipherlist}
tls_preempt_cipherlist       = no

$(if [ "$postfix_public_fqdn" != "$fqdn" ]; then
cat <<EOF
smtpd_tls_chain_files =
  ${postfix_public_tls_key},
  ${postfix_public_tls_cert}
tls_server_sni_maps =
  inline:{
    { ${postfix_public_fqdn} = ${postfix_public_tls_key},${postfix_public_tls_cert} },
    { .${domain} = ${postfix_local_tls_key},${postfix_local_tls_cert} }
  }
EOF
else
cat <<EOF
smtpd_tls_chain_files =
  ${postfix_local_tls_key},
  ${postfix_local_tls_cert}
EOF
)

smtpd_tls_security_level        = may
smtpd_tls_auth_only             = yes
smtpd_tls_mandatory_protocols   = >=TLSv1.2
smtpd_tls_mandatory_ciphers     = medium
smtpd_tls_dh1024_param_file     = ${postfix_dhparams}
smtpd_tls_loglevel              = 1
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_helo_required             = yes

smtp_tls_CApath                 = ${system_ca_dir}
smtp_tls_security_level         = may
smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
smtp_tls_loglevel               = 1

lmtp_tls_CApath                 = ${system_ca_dir}
lmtp_tls_security_level         = encrypt
lmtp_tls_wrappermode            = yes
lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
smtp_tls_loglevel               = 1

smtpd_helo_required = yes
smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_pipelining,
  reject_unknown_reverse_client_hostname
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_unauth_pipelining
smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_pipelining
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
smtpd_recipient_restrictions =
  reject_unknown_recipient_domain,
  reject_unlisted_recipient,
  reject_unauth_destination,
  check_policy_service inet:${imap_host}.${domain}:${quota_status_port},
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unauth_pipelining
smtpd_data_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_pipelining

virtual_transport       = lmtp:inet:${imap_host}.${domain}:${lmtp_port}
virtual_mailbox_domains = ${postfix_virtual_domains}
virtual_mailbox_maps    = proxy:ldap:\$config_directory/virtual_mailboxes.cf
virtual_alias_maps      = proxy:ldap:\$config_directory/virtual_aliases.cf

milter_default_action = accept
smtpd_milters = unix:${rspamd_milter_sock}