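# postfix main.cf - MTA for vrem.ro / zira.898.ro (SendGrid relay, Dovecot LMTP,
# MySQL-backed virtual domains). Syntax is postconf(5): "key = value",
# "#" comments recognised at column 0 only, indented lines continue a value.
# Postfix keeps the LAST assignment of a duplicated key (and warns about the
# earlier one), so each key is assigned exactly once in this file.

# Local alias table, used by local(8) for $mydestination only; customer
# domains are virtual and go to Dovecot via LMTP.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases

# Uncomment to turn 5xx rejects into 4xx while debugging a new setup.
#soft_bounce = yes

# ---- daemon identity / basics ---------------------------------------------
mail_owner = postfix
mail_name = 898MTA
setgid_group = postdrop
biff = no
# "user!domain" and "user%domain" are not rewritten to user@domain: both are
# legacy source-route forms that are used to bounce mail through relays.
swap_bangpath = no
allow_percent_hack = no
# Appending .$mydomain to bare user names is the MUA's job, not the MTA's.
append_dot_mydomain = no
# Require <addr> brackets and RFC-conformant MAIL FROM / RCPT TO syntax;
# rejects a lot of crude spamware before any table lookup.
strict_rfc821_envelopes = yes

# ---- timing / process limits ------------------------------------------------
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
queue_run_delay = 5m
minimal_backoff_time = 5m
maximal_backoff_time = 15m
default_process_limit = 200

# ---- outbound delivery pacing -----------------------------------------------
# Avoid 421 "too many messages" from the relay when sending bulk mail:
# at most 10 recipients per delivery and a 1s pause between deliveries to
# the same destination.
default_destination_rate_delay = 1s
default_destination_recipient_limit = 10
# Parallel deliveries per destination (local=2 / dest=20 would be aggressive).
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
# Inbound flow control: pause 1s before accepting a new message while the
# arrival rate exceeds the delivery rate.
in_flow_delay = 1s

# ---- information disclosure / tarpitting ------------------------------------
# Do not tell remote clients which lookup table rejected an unknown user.
show_user_unknown_table_name = no
# Evaluate all restrictions at RCPT TO. Required so the restriction lists
# below can see the recipient, and so monitoring checks that only send
# HELO (e.g. nagios) are not rejected early.
smtpd_delay_reject = yes
# Stricter tarpit values if account scanners become a problem:
#   smtpd_soft_error_limit = 1, smtpd_hard_error_limit = 3,
#   smtpd_junk_command_limit = 2

# ---- reject codes -----------------------------------------------------------
# Permanent (554) for policy rejections so spammers do not retry; temporary
# (450) where the cause may be a transient DNS failure.
access_map_reject_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
plaintext_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
# reject_unknown_client_hostname / reject_unknown_helo_hostname depend on
# DNS lookups that can fail transiently: keep these temporary.
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
# NOTE(review): Postfix ships 450 for the two verification codes on purpose -
# an address-verification probe that fails for a transient reason (probe
# target down, verify cache cold) would otherwise bounce legitimate mail
# permanently. Keep 554 only if the verify cache is known to be populated
# and the probe path is reliable.
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# SMTP greeting. RFC 5321 requires the banner to start with the server's
# hostname; the rest is free text.
smtpd_banner = $myhostname. All Spam Is Reported. ESMTP

# Reject, at RCPT TO / MAIL FROM time, addresses in our own domains that do
# not exist (prevents backscatter from accept-then-bounce).
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# ---- queue lifetime ---------------------------------------------------------
# NOTE(review): delay_warning_time equals maximal_queue_lifetime, so the
# "delayed mail" warning and the final bounce fall on the same 4h deadline
# and the warning may never be sent; lower delay_warning_time (e.g. 1h) if
# senders should be warned before the bounce.
delay_warning_time = 4h
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 1h
#bounce_template_file = /etc/postfix/bounce.cf

# ---- relay policy -----------------------------------------------------------
# Who may relay to non-local destinations: our networks and SASL users only.
# This list (together with reject_unauth_destination in
# smtpd_recipient_restrictions) is what keeps the server from being an open
# relay - never put a permit_* that matches untrusted clients in front of the
# last entry. defer_unauth_destination answers 4xx instead of 5xx, so
# unauthorised relay attempts keep retrying and hold connection slots; switch
# to reject_unauth_destination if that becomes a nuisance.
smtpd_relay_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

# ---- paths (RHEL/CentOS layout) ---------------------------------------------
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man

# ---- network identity -------------------------------------------------------
inet_interfaces = all
inet_protocols = ipv4
mydomain = vrem.ro
myhostname = zira.898.ro
# Every address in this file bypasses all smtpd_*_restrictions, postscreen
# (postscreen_access_list permits it) and, by default, the anvil rate limits.
# Keep it to loopback plus the hosts that really need unauthenticated relay.
mynetworks = $config_directory/mynetworks
# Local delivery stays at the Postfix default ($myhostname, localhost.$mydomain,
# localhost); customer domains are virtual (MySQL) or relay domains.
#mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/postfix/sql/mysql-relay_domains_maps.cf

# ---- per-client error and connection limits --------------------------------
# After smtpd_soft_error_limit errors in one session Postfix sleeps
# smtpd_error_sleep_time before each reply; after smtpd_hard_error_limit it
# disconnects. Slows down account scanners and broken bots.
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
# Max simultaneous connections per client IP (Postfix default 50).
smtpd_client_connection_count_limit = 10
# Max NEW connections per client IP per anvil_rate_time_unit (default 0 =
# unlimited). anvil_rate_time_unit is set to 3600s later in this file, so this
# is 60 connections per HOUR, not per minute - large senders that open many
# short connections (big mailbox providers, list servers) can exceed it and
# are refused with a 4xx until the window expires. $mynetworks is exempt.
smtpd_client_connection_rate_limit = 60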
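# ---- outbound SMTP client pacing -------------------------------------------
smtp_destination_concurrency_limit = 10
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 50

# ---- delivery -----------------------------------------------------------------
# user+tag@domain is delivered to user@domain.
recipient_delimiter = +

# ---- outbound relay: SendGrid ----------------------------------------------
# All non-local mail (unless transport_maps says otherwise) is handed to
# SendGrid, authenticated with SASL.
relayhost = [smtp.sendgrid.net]:587
# Holds the SendGrid credential in clear text: the file and its postmap'ed
# .db must be root-owned, mode 0600.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
# Never use anonymous mechanisms. PLAIN/LOGIN are acceptable only inside TLS,
# which the security level below makes mandatory; noplaintext on the non-TLS
# options guarantees the credential is never sent over a clear connection
# even if that level is ever lowered.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# Mandatory TLS WITH certificate verification for the relay (was "encrypt").
# "encrypt" only requires a TLS session and accepts any certificate, so an
# on-path attacker terminating TLS could capture the SASL credential. "secure"
# verifies the chain against smtp_tls_CAfile (the system CA bundle, set
# further down) and matches the certificate name against the next-hop host
# (smtp.sendgrid.net). If transport_maps routes some domains directly to
# hosts that cannot present a valid certificate, give those destinations a
# lower level in smtp_tls_policy_maps rather than lowering this globally.
smtp_tls_security_level = secure
# Only consulted by the "fingerprint" security level; inert here.
smtp_tls_fingerprint_digest = sha256
# 4 MB of headers per message (Postfix default 102400). Headers are held in
# memory by smtpd(8)/cleanup(8); only keep this if a known sender needs it.
header_size_limit = 4096000

# Previous relay (Office 365), kept for reference only.
#relayhost = [smtp.office365.com]:587
#smtp_sasl_password_maps = hash:/etc/postfix/office365_passwd
#smtp_generic_maps = hash:/etc/postfix/sender_canonical
#smtp_sasl_auth_enable = yes
#smtp_sasl_security_options = noanonymous
#smtp_tls_security_level = may

# ---- address mappings --------------------------------------------------------
# alias_maps / alias_database and maximal_queue_lifetime are set once near the
# top of the file and are not repeated here.
transport_maps = hash:/etc/postfix/transport
#local_recipient_maps = $alias_maps

# Refuse HTTP verbs on the SMTP port (open-proxy abuse probes).
smtpd_forbidden_commands = CONNECT GET POST

# ---- virtual domains / mailboxes (MySQL via proxymap) ------------------------
# The proxy: prefix routes lookups through proxymap(8), so the chrooted
# smtpd(8) does not need its own MySQL client connection or credentials.
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
# Mailboxes are written by Dovecot over LMTP (virtual_transport below); the
# uid/gid maps only matter if virtual(8) is ever used as the transport.
# virtual_minimum_uid must never be lowered to a system account.
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = lmtp:unix:private/dovecot-lmtp
#dovecot_destination_recipient_limit = 1
# Quota support for virtual(8); unused with the LMTP transport above.
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
#virtual_overquota_bounce = yes

# ---- debugging ----------------------------------------------------------------
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# ---- SMTP AUTH (Dovecot SASL) --------------------------------------------------
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Records the SASL login name in the Received: header. Useful for abuse
# tracing, but it discloses account names to every recipient of the mail.
smtpd_sasl_authenticated_header = yes
# Offer AUTH only inside a TLS session (was "no"). The mechanisms Dovecot
# typically provides (PLAIN/LOGIN) send the password in the clear, so with
# opportunistic TLS on port 25 a credential could be captured or the client
# downgraded. noplaintext on the non-TLS options is belt-and-braces for the
# same reason; the TLS options keep PLAIN/LOGIN available.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Also advertise the non-standard "AUTH=" form for old Outlook clients.
broken_sasl_auth_clients = yes

# ---- TLS -----------------------------------------------------------------------
# The server picks the cipher, not the client.
tls_preempt_cipherlist = yes
#tls_ssl_options = NO_COMPRESSION
# Only consulted when some *_tls_ciphers / *_tls_mandatory_ciphers setting is
# "high". smtpd_tls_mandatory_ciphers is "medium" below and the others are
# not set (Postfix defaults to medium), so this list is currently inert.
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# (smtp_use_tls / smtpd_use_tls are obsolete and ignored once a
# *_tls_security_level is set; they are intentionally not repeated.)
# Inbound: opportunistic TLS - remote MTAs may or may not use STARTTLS.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# Outbound opportunistic TLS may still fall back to TLS 1.0/1.1 for old peers,
# but the mandatory policy (which is what the SendGrid relay uses) requires
# TLS 1.2 or newer.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Inbound: TLS 1.2+ only.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
# Redefines the "medium" grade for BOTH smtpd and the smtp client: AES-128
# with forward secrecy (ECDHE or DHE) only. TLS 1.3 suites are negotiated
# separately and are unaffected. A TLS 1.2 peer that offers only AES-256 or
# ChaCha20 will fail the handshake (and, for opportunistic sessions, fall
# back to plaintext); widen the list, e.g. AES+EECDH:AES+EDH, if that shows
# up in the logs.
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
# Extra exclusions for the inbound side. The original list contained two
# entries that named no real suite and were silently ignored by OpenSSL:
# "EDH-RSA-DES-CDC3-SHA" (typo, fixed to ...CBC3...) and "KRB5-DE5" (dropped -
# no Kerberos suite uses ECDHE/DHE, so none can match the medium list above).
# "CBC3-SHA" is not a cipher alias either; "3DES" is the one that excludes
# all triple-DES suites.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, 3DES
# DH parameters for DHE key exchange - the Logjam fix. Going by the file name
# the "1024" parameter actually points at 2048-bit parameters, which is what
# is wanted. The 512-bit file is only used by export-grade suites, which are
# excluded above, so it is effectively inert.
smtpd_tls_dh512_param_file = /etc/postfix/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048_param.pem
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Let's Encrypt certificate: make sure the renewal hook reloads Postfix,
# otherwise smtpd keeps serving the expired chain.
smtpd_tls_cert_file = /etc/letsencrypt/live/zira.898.ro/fullchain.pem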
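smtpd_tls_key_file = /etc/letsencrypt/live/zira.898.ro/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
# Trust store used to verify the certificates of remote servers (required by
# the "secure"/"verify" smtp_tls_security_level and for the SendGrid relay).
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl
# Only used to verify client certificates; unless master.cf asks for them
# (smtpd_tls_ask_ccert) this is inert.
smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl

# DANE needs a validating local resolver (dnssec). Off for now; outbound
# verification relies on the CA bundle above.
#smtp_dns_support_level = dnssec
smtp_host_lookup = dns

# ---- misc -----------------------------------------------------------------------
mailbox_size_limit = 0
# Do not let anyone enumerate accounts with VRFY.
disable_vrfy_command = yes
smtpd_helo_required = yes
# (smtpd_delay_reject = yes is set once near the top of the file.)
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
# Header/body checks are disabled; content inspection is done by the milters
# and amavis (see the end of the file).
#header_checks = pcre:/etc/postfix/header_checks
#mime_header_checks = regexp:/etc/postfix/mime_header_checks
#nested_header_checks = regexp:/etc/postfix/nested_header_checks
#body_checks = pcre:/etc/postfix/body_checks
owner_request_special = no
# Per-request time limit for the spawn(8)-based "policy" service referenced
# by check_policy_service unix:private/policy below.
policy_time_limit = 3600

# ---- restriction classes ----------------------------------------------------------
# NOTE(review): sender_white_list is defined but nothing in this file returns
# it; it only takes effect if an access map yields it as an action.
smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access hash:/etc/postfix/check_client_access, reject

# ---- access restrictions ----------------------------------------------------------
# With smtpd_delay_reject = yes every list below is evaluated at RCPT TO, in
# the order client -> helo -> sender -> relay -> recipient -> data. Each list
# starts with permit_mynetworks / permit_sasl_authenticated, so nothing after
# those two entries applies to trusted or authenticated clients.
#
# Comment lines are NOT allowed inside an indented multi-line value: an
# indented "# ..." line is a continuation, and "#" would be passed to smtpd
# as an unknown restriction (every RCPT then fails with a 451 configuration
# error). Disabled entries are therefore listed in the comment above each
# list, never inside it.
#
# Client checks. zen.spamhaus.org already aggregates SBL, XBL (which absorbed
# the CBL) and PBL, so the separate sbl.spamhaus.org / cbl.abuseat.org queries
# of the original list were redundant lookups and were dropped. Spamhaus's
# public mirrors do not answer queries from shared/public resolvers (they
# return 127.255.255.x error codes instead); consider restricting the match
# to the data codes, as postscreen_dnsbl_sites below already does, if your
# Postfix version supports "zen.spamhaus.org=127.0.0.[2..11]" here.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_address,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unknown_client_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    check_client_access cidr:/etc/postfix/blacklist,
    check_sender_access hash:/etc/postfix/check_sender_access,
    check_client_access hash:/etc/postfix/rbl_override,
    check_policy_service inet:127.0.0.1:2501,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client z.mailspike.net,
    reject_rbl_client bl.mailspike.net

# HELO checks. reject_unknown_helo_hostname answers 450 (unknown_hostname_
# reject_code) and is known to block legitimate senders with broken DNS;
# skip_hello_hosts is the escape hatch. The "warn_if_reject
# reject_unknown_hostname" of the original list was unreachable (same check,
# already enforced a few entries earlier), and the pre-2.3 names
# reject_non_fqdn_hostname / reject_invalid_hostname duplicated the _helo_
# forms that followed them.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/skip_hello_hosts,
    check_helo_access pcre:/etc/postfix/helo_access.pcre,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    permit

# Sender checks. NOTE(review): reject_sender_login_mismatch sits AFTER
# permit_sasl_authenticated, so it never sees an authenticated client - any
# authenticated account can use any MAIL FROM. Enforcing it needs
# smtpd_sender_login_maps (not set in this file) mapping each sender address
# to its login, and the check moved in front of permit_sasl_authenticated.
# Moving it without the map would, by the restriction's definition, reject
# all authenticated mail, so it is left where it is.
# Disabled entry: check_policy_service inet:127.0.0.1:10031 (before permit).
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/check_sender_access,
    reject_sender_login_mismatch,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_unauth_destination,
    permit

smtpd_etrn_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

# Recipient checks - the list that decides acceptance. reject_unauth_destination
# here (and in smtpd_relay_restrictions) is the open-relay guard. Entries the
# original list repeated (reject_unknown_recipient_domain, reject_unlisted_
# recipient) and the sbl/cbl lookups covered by zen were removed.
# reject_unverified_recipient sends a probe for each new recipient that the
# earlier checks did not settle - mainly relay domains, which have no
# relay_recipient_maps here; with unverified_recipient_reject_code = 554 a
# failed probe is a permanent reject (see the note on that parameter).
# Disabled policy services: check_policy_service unix:postgrey/socket,
# check_policy_service inet:127.0.0.1:10023, check_policy_service inet:127.0.0.1:10031.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/blacklist,
    check_sender_access hash:/etc/postfix/check_sender_access,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_invalid_helo_hostname,
    reject_multi_recipient_bounce,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_address,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unlisted_recipient,
    check_policy_service unix:private/policy,
    reject_unverified_recipient,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spameatingmonkey.net

smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit

# ---- error reporting ------------------------------------------------------------------
# Bounce/delay notices are not copied to an admin (noise); resource and
# software problems are.
#notify_classes = bounce, delay, resource, software
notify_classes = resource, software
error_notice_recipient = admin@vrem.ro
#delay_notice_recipient = postmaster@898.ro
#bounce_notice_recipient = postmaster@898.ro
#2bounce_notice_recipient = postmaster@898.ro

# ---- per-client rate limits (anvil) -----------------------------------------------
# Window for ALL smtpd_client_*_rate_limit settings - including
# smtpd_client_connection_rate_limit near the top of the file, which is
# therefore counted per hour as well.
anvil_rate_time_unit = 3600s
# Max messages per client IP (not per sender address) per hour; $mynetworks
# is exempt by default (smtpd_client_event_limit_exceptions).
smtpd_client_message_rate_limit = 500

# ---- vacation auto-replies --------------------------------------------------------
vacation_destination_recipient_limit = 1
# BCC a copy of mail for recipients with an active vacation rule to the
# vacation transport.
recipient_bcc_maps = proxy:mysql:/etc/postfix/sql/mysql-virtual_vacation.cf

# Earlier draft of MUA (submission) restrictions; presumably superseded by
# per-service -o overrides in master.cf.
#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

# ---- postscreen (pre-smtpd triage of inbound connections) --------------------------
# $mynetworks and the CIDR list skip every postscreen test.
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_discard_ehlo_keywords = silent-discard, dsn
# Permanently blacklisted clients get a 550 on delivery attempts but the
# session is kept open so HELO/sender/recipient are logged ("enforce");
# "drop" would hang up with a 521 immediately.
postscreen_blacklist_action = enforce
# Clients that talk before the greeting is complete are hung up on.
postscreen_greet_action = drop
postscreen_cache_cleanup_interval = 24h
# DNSBL scoring: a zen listing scores 3, barracuda 2; reject at 2.
postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_greet_banner = $smtpd_banner
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
# Deep protocol tests stay off: they cost every new client a 4xx and a
# reconnect on first contact.
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no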
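# postscreen cache, written through proxymap (proxywrite).
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply

# ---- milters ------------------------------------------------------------------
# 8891 is the DKIM milter and 11332 rspamd (per the original comments); the
# daemon behind localhost:8893 is not named here - verify against what is
# listening on those ports.
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:11332, inet:localhost:8893
non_smtpd_milters = $smtpd_milters
# Fail OPEN: if a milter is unreachable mail is accepted unscanned and
# outbound mail leaves without a DKIM signature. This is the deliberate
# availability choice of the original ("if rspamd is down, don't reject
# mail"); use "tempfail" to defer instead if unscanned or unsigned mail is
# the bigger risk.
milter_default_action = accept
#milter_protocol = 2
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

# ---- amavis after-queue content filter -------------------------------------------
# amavis re-injects mail on a separate smtpd listener that must be defined in
# master.cf. NOTE(review): with receive_override_options=no_address_mappings
# left unset here, virtual aliasing and recipient_bcc_maps (the vacation
# copies) run on the first pass and again on re-injection unless that
# listener disables them - check for duplicate vacation copies.
content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
#smtp-amavis_destination_recipient_limit = 5
# Zeyple (GPG sign/encrypt) alternative filter.
#content_filter = zeyple

# ---- installation paths / compatibility ------------------------------------------
data_directory = /var/lib/postfix
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
newaliases_path = /usr/bin/newaliases
smtp_tls_loglevel = 1
# Postfix 3.x defaults, no legacy-compatibility behaviour.
compatibility_level = 2
smtputf8_enable = no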