Initial commit.

2021-05-24 22:18:33 +03:00
commit e2954d55f4
3701 changed files with 330017 additions and 0 deletions
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -0,0 +1,449 @@
+# postfix config file
+alias_database = hash:/etc/aliases
+alias_maps = hash:/etc/aliases
+
+# uncomment for debugging if needed
+#soft_bounce=yes
+
+# postfix main
+mail_owner = postfix
+mail_name = 898MTA
+setgid_group = postdrop
+
+swap_bangpath = no
+biff = no
+#compatibility_level = 2
+swap_bangpath = no
+append_dot_mydomain = no
+strict_rfc821_envelopes = yes
+
+smtp_data_init_timeout = 240s
+smtp_data_xfer_timeout = 600s
+queue_run_delay = 5m
+minimal_backoff_time = 5m
+maximal_backoff_time = 15m
+default_process_limit = 200
+
+# tarpit those bots/clients/spammers who send errors or scan for accounts
+#smtpd_soft_error_limit = 1
+#smtpd_hard_error_limit = 3
+#smtpd_junk_command_limit = 2
+
+# Rate Limiting
+# Allow to avoid 421 error when send bulk mail
+default_destination_rate_delay = 1s
+default_destination_recipient_limit = 10
+
+# parallel delivery force (local=2 and dest=20 are aggressive)
+local_destination_concurrency_limit = 2
+default_destination_concurrency_limit = 10
+
+# max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
+in_flow_delay = 1s
+
+# limit the info given to outside servers
+show_user_unknown_table_name = no
+
+# user%domain != user@domain
+allow_percent_hack = no
+
+# user!domain != user@domain
+swap_bangpath = no
+
+# tarpit until RCPT TO: to reject the email for nagios compatability
+smtpd_delay_reject = yes
+
+# reject codes == 554
+access_map_reject_code = 554
+invalid_hostname_reject_code = 554
+maps_rbl_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+plaintext_reject_code = 554
+reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 450
+unknown_hostname_reject_code = 450
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+# display banner
+smtpd_banner = $myhostname. All Spam Is Reported. ESMTP
+
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+
+# Uncomment the next line to generate "delayed mail" warnings
+delay_warning_time = 4h
+maximal_queue_lifetime = 4h
+bounce_queue_lifetime = 1h
+
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+#bounce_template_file = /etc/postfix/bounce.cf
+
+smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# postfix paths
+html_directory = no
+command_directory = /usr/sbin
+daemon_directory = /usr/libexec/postfix
+queue_directory = /var/spool/postfix
+sendmail_path = /usr/sbin/sendmail.postfix
+mailq_path = /usr/bin/mailq.postfix
+manpage_directory = /usr/share/man
+
+# network settings
+inet_interfaces = all
+inet_protocols = ipv4
+mydomain = vrem.ro
+myhostname = zira.898.ro
+mynetworks = $config_directory/mynetworks
+#mydestination = $myhostname, localhost.$mydomain, localhost
+relay_domains = proxy:mysql:/etc/postfix/sql/mysql-relay_domains_maps.cf
+
+# limits
+smtpd_error_sleep_time = 1s
+smtpd_soft_error_limit = 10
+smtpd_hard_error_limit = 20
+# number of errors a client is allowed to make without actually delivering mail to the server before postfix slows down response time
+# the maximum number of errors a client is allowed to make before postfix starts to disconnect them right away
+# the amount of delay postfix will set on it's responses to the client when they reach more than first limit but less than the 2nd one
+
+smtpd_client_connection_count_limit = 10
+smtpd_client_connection_rate_limit = 60
+# default 50; concurrent connection limit
+# default 0; this tells postfix to allow N connections per $anvil_rate_time_until (default: 60s).
+
+smtp_destination_concurrency_limit = 10
+smtp_destination_rate_delay = 1s
+smtp_extra_recipient_limit = 50
+
+# mail delivery
+recipient_delimiter = +
+
+# relay mails through sendgrid
+relayhost = [smtp.sendgrid.net]:587
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_auth_enable = yes
+smtp_sasl_security_options = noanonymous
+smtp_sasl_tls_security_options = noanonymous
+smtp_tls_security_level = encrypt
+smtp_tls_fingerprint_digest = sha256
+header_size_limit = 4096000
+
+# office365 relay
+#relayhost = [smtp.office365.com]:587
+#smtp_sasl_password_maps = hash:/etc/postfix/office365_passwd
+#smtp_generic_maps = hash:/etc/postfix/sender_canonical
+#smtp_sasl_auth_enable = yes
+#smtp_sasl_security_options = noanonymous
+#smtp_tls_security_level = may
+
+# mappings
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+transport_maps = hash:/etc/postfix/transport
+#local_recipient_maps = $alias_maps
+
+maximal_queue_lifetime = 4h
+
+# Disable some commands at smtp level
+smtpd_forbidden_commands = CONNECT GET POST
+
+## virtual setup
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
+virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
+
+virtual_mailbox_base = /home/vmail
+virtual_minimum_uid = 101
+virtual_uid_maps = static:101
+virtual_gid_maps = static:12
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+#dovecot_destination_recipient_limit = 1
+
+# Additional for quota support
+#virtual_create_maildirsize = yes
+#virtual_mailbox_extended = yes
+#virtual_mailbox_limit_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
+#virtual_mailbox_limit_override = yes
+#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
+#virtual_overquota_bounce = yes
+
+# debugging
+debug_peer_level = 2
+debugger_command =
+         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+         xxgdb $daemon_directory/$process_name $process_id & sleep 5
+
+# authentication
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_authenticated_header = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+broken_sasl_auth_clients = yes
+
+# tls config
+tls_preempt_cipherlist = yes
+#tls_ssl_options = NO_COMPRESSION
+tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_use_tls = yes
+smtpd_use_tls = yes
+smtpd_tls_auth_only = no
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+swap_bangpath = no
+
+smtp_tls_protocols = !SSLv2 !SSLv3
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+lmtp_tls_protocols = !SSLv2 !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = AES128+EECDH:AES128+EDH
+
+# Fix 'The Logjam Attack'
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_dh512_param_file = /etc/postfix/dh512_param.pem
+#smtpd_tls_dh1024_param_file = /etc/postfix/dh1024_param.pem
+smtpd_tls_dh1024_param_file = /etc/postfix/dh2048_param.pem
+
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_session_cache_timeout = 3600s
+tls_random_source = dev:/dev/urandom
+
+smtpd_tls_cert_file = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/zira.898.ro/privkey.pem
+smtpd_tls_CAfile = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
+#smtp_tls_CAfile = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
+smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
+smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl
+smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl
+
+# DANE support
+#smtp_dns_support_level=dnssec 
+smtp_host_lookup=dns
+
+# Other	options
+
+#default mailbox limit
+mailbox_size_limit = 0
+
+disable_vrfy_command = yes
+
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+
+maildrop_destination_concurrency_limit = 1
+maildrop_destination_recipient_limit = 1
+
+#header_checks = regexp:/etc/postfix/header_checks
+#header_checks = pcre:/etc/postfix/header_checks
+#mime_header_checks = regexp:/etc/postfix/mime_header_checks
+#nested_header_checks = regexp:/etc/postfix/nested_header_checks
+#body_checks = regexp:/etc/postfix/body_checks
+owner_request_special = no
+
+policy_time_limit = 3600
+
+# rules restrictions
+
+smtpd_restriction_classes = sender_white_list
+sender_white_list = check_client_access hash:/etc/postfix/check_client_access, reject
+
+# reject based on message body content
+#body_checks = regexp:/etc/postfix/maps/body_checks
+#body_checks = pcre:/etc/postfix/body_checks
+
+smtpd_client_restrictions =
+	permit_mynetworks,
+    permit_sasl_authenticated,
+   	reject_unauth_destination,
+	reject_unauth_pipelining,
+	reject_unknown_address,
+	reject_unknown_recipient_domain,
+	reject_unknown_sender_domain,
+	reject_unknown_client,
+	reject_non_fqdn_hostname,
+	reject_non_fqdn_sender,
+    check_client_access cidr:/etc/postfix/blacklist,
+	check_sender_access hash:/etc/postfix/check_sender_access,
+    check_client_access hash:/etc/postfix/rbl_override,
+    check_policy_service inet:127.0.0.1:2501,
+    reject_rbl_client bl.spamcop.net,
+    reject_rbl_client zen.spamhaus.org,
+    reject_rbl_client sbl.spamhaus.org,
+    reject_rbl_client cbl.abuseat.org,
+    reject_rbl_client b.barracudacentral.org,
+    reject_rbl_client bl.spameatingmonkey.net,
+    reject_rbl_client z.mailspike.net,
+    reject_rbl_client bl.mailspike.net
+
+smtpd_helo_restrictions =
+	permit_mynetworks,
+    permit_sasl_authenticated,
+	check_helo_access hash:/etc/postfix/skip_hello_hosts,
+	check_helo_access pcre:/etc/postfix/helo_access.pcre,
+	reject_non_fqdn_hostname,
+	reject_invalid_hostname,
+	reject_invalid_helo_hostname,
+	reject_non_fqdn_helo_hostname,
+	reject_unknown_helo_hostname,
+	reject_unauth_pipelining,
+    warn_if_reject reject_unknown_hostname,
+	permit
+
+smtpd_sender_restrictions =
+	permit_mynetworks,
+    permit_sasl_authenticated,
+	check_sender_access hash:/etc/postfix/check_sender_access,
+	reject_sender_login_mismatch,
+	reject_unknown_recipient_domain,
+	reject_unknown_sender_domain,
+	reject_non_fqdn_recipient,
+	reject_non_fqdn_sender,
+	reject_unlisted_sender,
+	reject_unauth_destination,
+	#check_policy_service inet:127.0.0.1:10031
+	permit
+
+smtpd_etrn_restrictions =
+	permit_mynetworks,
+	permit_sasl_authenticated,
+    reject
+
+smtpd_recipient_restrictions =
+	permit_mynetworks,
+    permit_sasl_authenticated,
+    check_client_access cidr:/etc/postfix/blacklist,
+	check_sender_access hash:/etc/postfix/check_sender_access,
+    check_client_access hash:/etc/postfix/rbl_override,
+	reject_invalid_helo_hostname,
+	reject_multi_recipient_bounce,
+	reject_non_fqdn_helo_hostname,
+	reject_non_fqdn_recipient,
+	reject_non_fqdn_sender,
+	reject_unauth_destination,
+	reject_unauth_pipelining,
+	reject_unknown_address,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain
+	reject_unknown_recipient_domain,
+	reject_unknown_sender_domain,
+	reject_unlisted_recipient,
+	#check_policy_service unix:postgrey/socket,
+	#check_policy_service inet:127.0.0.1:10023,
+	check_policy_service unix:private/policy,
+#	check_policy_service inet:127.0.0.1:10031,
+	reject_unlisted_recipient,
+	reject_unverified_recipient,
+	# uncomment for realtime black list checks
+    reject_rbl_client bl.spamcop.net,
+	reject_rbl_client zen.spamhaus.org,
+	reject_rbl_client sbl.spamhaus.org,
+	reject_rbl_client cbl.abuseat.org,
+	reject_rbl_client b.barracudacentral.org,
+	reject_rbl_client bl.spameatingmonkey.net
+
+smtpd_data_restrictions =
+	reject_unauth_pipelining,
+    reject_multi_recipient_bounce,
+	permit
+
+# Error reporting
+# notify_classes = bounce, delay, resource, software
+notify_classes = resource, software
+
+error_notice_recipient     = admin@vrem.ro
+# delay_notice_recipient   = postmaster@898.ro
+# bounce_notice_recipient  = postmaster@898.ro
+# 2bounce_notice_recipient = postmaster@898.ro
+
+# Limit 500 emails per hour per email address
+anvil_rate_time_unit = 3600s
+smtpd_client_message_rate_limit = 500
+
+# Vacation Scripts
+vacation_destination_recipient_limit = 1
+recipient_bcc_maps = proxy:mysql:/etc/postfix/sql/mysql-virtual_vacation.cf
+
+## Restrictions for MUAs (Mail user agents)
+#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
+#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
+#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
+
+#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
+
+# POSTSCREEN
+postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
+postscreen_discard_ehlo_keywords = silent-discard, dsn
+
+# Drop connections from blacklisted servers with a 521 reply
+postscreen_blacklist_action = enforce
+
+# Drop connections if other server is sending too quickly
+postscreen_greet_action = drop
+
+# Clean Postscreen cache after 24h
+postscreen_cache_cleanup_interval = 24h
+
+# Postscreen dnsbl
+postscreen_dnsbl_ttl = 5m
+postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2
+postscreen_greet_banner = $smtpd_banner
+postscreen_greet_wait = 3s
+postscreen_greet_ttl = 2d
+postscreen_bare_newline_enable = no
+postscreen_non_smtp_command_enable = no
+postscreen_pipelining_enable = no
+postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
+
+# DKIM
+smtpd_milters           = inet:127.0.0.1:8891, inet:127.0.0.1:11332, inet:localhost:8893
+non_smtpd_milters       = $smtpd_milters
+milter_default_action   = accept
+#milter_protocol         = 2
+# if rspamd is down, don't reject mail
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
+
+# amavis
+content_filter=amavisfeed:[127.0.0.1]:10024
+
+#receive_override_options=no_address_mappings
+#smtp-amavis_destination_recipient_limit = 5
+
+# Zeyple Filter (GPG Sign/Encrypt)
+#content_filter = zeyple
+
+# default postfix files
+data_directory = /var/lib/postfix
+
+#meta_directory = /etc/postfix
+#shlib_directory = no
+#smtputf8_enable = yes
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
+readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
+sample_directory = /usr/share/doc/postfix-2.10.1/samples
+newaliases_path = /usr/bin/newaliases
+smtp_tls_loglevel = 1
+
+compatibility_level = 2
+smtputf8_enable = no