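# Postfix main.cf for zira.898.ro (read by the Postfix daemons and postconf(1)).
#
# Format notes for this file:
#   * "#" comments start in column 0 and stand on their own line;
#   * a line that begins with whitespace continues the previous value;
#   * when a parameter is assigned more than once, the LAST assignment wins.
# The previous revision assigned swap_bangpath, append_dot_mydomain, alias_maps,
# alias_database, maximal_queue_lifetime, smtpd_delay_reject, the milter
# parameters and postscreen_dnsbl_reply_map several times; each now appears
# exactly once with its effective (last) value.
#
# Security-relevant changes in this revision (see the comments at each site):
#   * SMTP AUTH is offered only inside TLS and cleartext mechanisms are refused
#     outside it (smtpd_tls_auth_only, smtpd_sasl_security_options);
#   * the SendGrid relay's certificate is now verified (smtp_tls_security_level
#     = secure) and TLS 1.2+ is required for mandatory outbound TLS;
#   * the cipher exclusion list no longer relies on misspelled cipher names.

# --- local aliases -----------------------------------------------------------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
#local_recipient_maps = $alias_maps

# uncomment for debugging if needed (turns permanent bounces into deferrals)
#soft_bounce = yes

# --- identity / ownership ----------------------------------------------------
mail_owner = postfix
mail_name = 898MTA
setgid_group = postdrop
compatibility_level = 2
smtputf8_enable = no

# --- network settings --------------------------------------------------------
inet_interfaces = all
inet_protocols = ipv4
mydomain = vrem.ro
myhostname = zira.898.ro
# Every network listed in this file bypasses most smtpd_*_restrictions through
# permit_mynetworks (and the anvil rate limits by default), so keep it minimal.
mynetworks = $config_directory/mynetworks
#mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/postfix/sql/mysql-relay_domains_maps.cf

# --- address syntax ----------------------------------------------------------
# user!domain != user@domain
swap_bangpath = no
# user%domain != user@domain
allow_percent_hack = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
biff = no
strict_rfc821_envelopes = yes
recipient_delimiter = +
owner_request_special = no

# --- timeouts, queue and backoff --------------------------------------------
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
queue_run_delay = 5m
minimal_backoff_time = 5m
maximal_backoff_time = 15m
default_process_limit = 200
# "delayed mail" warning after 4h; undeliverable mail is bounced after 4h
# (Postfix default is 5d), bounces themselves are given up after 1h.
delay_warning_time = 4h
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 1h
#bounce_template_file = /etc/postfix/bounce.cf

# --- outbound rate limiting ---------------------------------------------------
# Allow to avoid 421 error when sending bulk mail
default_destination_rate_delay = 1s
default_destination_recipient_limit = 10
# parallel delivery (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
smtp_destination_concurrency_limit = 10
smtp_destination_rate_delay = 1s
smtp_extra_recipient_limit = 50
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
# pause smtpd for 1s per message while the queue is under inbound pressure
in_flow_delay = 1s

# --- information leakage ------------------------------------------------------
# do not reveal which lookup table rejected an unknown recipient
show_user_unknown_table_name = no
# VRFY is an account-enumeration oracle
disable_vrfy_command = yes
smtpd_helo_required = yes
# keep HTTP verbs out of the SMTP dialogue (proxy / CONNECT abuse probes)
smtpd_forbidden_commands = CONNECT GET POST
# the greeting must begin with $myhostname (Postfix requires it)
smtpd_banner = $myhostname. All Spam Is Reported. ESMTP

# --- smtpd error tarpitting ---------------------------------------------------
# smtpd_soft_error_limit: errors a client may make before responses are slowed
# smtpd_hard_error_limit: errors after which the client is disconnected
# smtpd_error_sleep_time: delay added to each response between the two limits
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
#smtpd_junk_command_limit = 2

# --- per-client (anvil) limits ------------------------------------------------
# NOTE: anvil_rate_time_unit is 3600s below, so BOTH rate limits are per hour:
# 60 new connections and 500 messages per client IP per hour.  Clients in
# $mynetworks are exempt (smtpd_client_event_limit_exceptions default).
anvil_rate_time_unit = 3600s
# default 50; concurrent connections per client
smtpd_client_connection_count_limit = 10
# default 0 (unlimited); new connections per client per $anvil_rate_time_unit
smtpd_client_connection_rate_limit = 60
# Limit 500 emails per hour per client
smtpd_client_message_rate_limit = 500

# --- reject behaviour ---------------------------------------------------------
# evaluate restrictions at RCPT TO so that nagios-style probes and the
# log get the full envelope before the reject
smtpd_delay_reject = yes
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# permanent rejects use 554; "unknown client/hostname" stays temporary (450)
# because it is usually a DNS hiccup rather than an attacker
access_map_reject_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
plaintext_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# --- postfix paths ------------------------------------------------------------
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
data_directory = /var/lib/postfix
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
sendmail_path = /usr/sbin/sendmail.postfix
mailq_path = /usr/bin/mailq.postfix
newaliases_path = /usr/bin/newaliases
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples

# --- outbound relay through SendGrid ------------------------------------------
relayhost = [smtp.sendgrid.net]:587
smtp_sasl_auth_enable = yes
# credentials live in a root-only file; run "postmap /etc/postfix/sasl_passwd"
# after editing it
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# never send PLAIN/LOGIN credentials on a session that is not TLS-protected
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# "secure" (was "encrypt"): TLS is mandatory AND the relay's certificate must
# chain to smtp_tls_CAfile/CApath and match the nexthop name
# (smtp.sendgrid.net).  "encrypt" accepted any certificate, so an on-path
# attacker could have harvested the SendGrid credentials.  This level applies
# to every outbound SMTP delivery; if /etc/postfix/transport routes a domain
# directly to some other MX, give that destination its own level through
# smtp_tls_policy_maps rather than weakening this default.
smtp_tls_security_level = secure
smtp_tls_fingerprint_digest = sha256
# 4 MB (Postfix default 102400).  Oversized headers are buffered by cleanup(8);
# do not raise further without a reason.
header_size_limit = 4096000

# office365 relay (alternative, disabled)
#relayhost = [smtp.office365.com]:587
#smtp_sasl_password_maps = hash:/etc/postfix/office365_passwd
#smtp_generic_maps = hash:/etc/postfix/sender_canonical
#smtp_sasl_auth_enable = yes
#smtp_sasl_security_options = noanonymous
#smtp_tls_security_level = may

# --- mappings -----------------------------------------------------------------
transport_maps = hash:/etc/postfix/transport

# --- relay policy -------------------------------------------------------------
# defer (not reject) unauthorised relay attempts; only mynetworks and
# authenticated clients may relay
smtpd_relay_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination

# --- virtual setup (Dovecot LMTP) ---------------------------------------------
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
# all virtual mail is owned by one unprivileged uid/gid (vmail)
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
virtual_transport = lmtp:unix:private/dovecot-lmtp
#dovecot_destination_recipient_limit = 1
#default mailbox limit (0 = unlimited; quotas are enforced by Dovecot)
mailbox_size_limit = 0

# Additional for quota support (disabled)
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
#virtual_overquota_bounce = yes

# --- vacation scripts ---------------------------------------------------------
vacation_destination_recipient_limit = 1
recipient_bcc_maps = proxy:mysql:/etc/postfix/sql/mysql-virtual_vacation.cf

# --- inbound authentication (Dovecot SASL) ------------------------------------
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Advertise AUTH only inside TLS and refuse cleartext mechanisms outside it.
# (Was smtpd_tls_auth_only = no with only "noanonymous", which let PLAIN/LOGIN
# passwords travel unencrypted on port 25.)  The submission service in
# master.cf is expected to carry its own -o overrides.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# --- TLS ----------------------------------------------------------------------
smtpd_tls_cert_file = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/zira.898.ro/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl
#smtp_tls_CAfile = /etc/letsencrypt/live/zira.898.ro/fullchain.pem
# system trust store; used to verify the SendGrid relay (smtp_tls_security_level)
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl

# Inbound TLS is opportunistic: port 25 must still accept cleartext from the
# rest of the Internet.  (smtp_use_tls/smtpd_use_tls are obsolete once the
# *_tls_security_level parameters are set and have been dropped.)
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# server chooses the cipher, not the client
tls_preempt_cipherlist = yes
#tls_ssl_options = NO_COMPRESSION

# Protocol versions.  NOTE: excluding TLSv1/TLSv1.1 from the opportunistic
# smtpd list means a legacy sender that offers nothing newer falls back to
# CLEARTEXT, which is the documented trade-off of restricting opportunistic
# TLS; it is kept as a deliberate choice.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3
# mandatory outbound sessions (the SendGrid relay) now require TLS 1.2+ like
# the server side; was "!SSLv2 !SSLv3" only
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# Cipher grades.  smtpd_tls_ciphers, smtp_tls_ciphers and
# smtp_tls_mandatory_ciphers all default to "medium", so tls_medium_cipherlist
# is the list in effect everywhere (forward-secret AES-128 only); the
# tls_high_cipherlist below is not selected by any parameter in this file and
# is kept only for reference.  TLS 1.3 ciphersuites are governed by OpenSSL,
# not by these strings.
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

# Logjam / weak-cipher exclusions.  The previous list spelled several names
# wrong ("EDH-RSA-DES-CDC3-SHA", "KRB5-DE5", "CBC3-SHA"); OpenSSL silently
# ignores unknown names in an exclusion, so those entries excluded nothing.
# The 3DES family is now excluded through its alias.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5, PSK, aECDH, KRB5

# DH parameters.  512-bit "export" parameters are pointless with EXPORT ciphers
# excluded (Postfix >= 3.1 ignores the parameter altogether), so that file is
# no longer loaded.  The 2048-bit group is loaded through the legacy
# dh1024 parameter name, which is how Postfix names the non-export group.
#smtpd_tls_dh512_param_file = /etc/postfix/dh512_param.pem
#smtpd_tls_dh1024_param_file = /etc/postfix/dh1024_param.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048_param.pem

# DANE support (disabled); it additionally needs smtp_dns_support_level = dane
# and a validating local resolver
#smtp_dns_support_level=dnssec
smtp_host_lookup=dns

# --- debugging ----------------------------------------------------------------
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# --- content checks (all disabled) -------------------------------------------
#header_checks = regexp:/etc/postfix/header_checks
#header_checks = pcre:/etc/postfix/header_checks
#mime_header_checks = regexp:/etc/postfix/mime_header_checks
#nested_header_checks = regexp:/etc/postfix/nested_header_checks
#body_checks = regexp:/etc/postfix/body_checks
#body_checks = regexp:/etc/postfix/maps/body_checks
#body_checks = pcre:/etc/postfix/body_checks

# policy daemons get an hour before Postfix gives up on them
policy_time_limit = 3600

# --- restriction classes ------------------------------------------------------
# "sender_white_list" may be returned from an access map: accept only clients
# listed in check_client_access, reject everything else
smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access hash:/etc/postfix/check_client_access, reject

# --- client restrictions (evaluated at RCPT TO because of smtpd_delay_reject) -
# check_policy_service on 127.0.0.1:2501 is a local policy daemon whose role
# is not documented here.  zen.spamhaus.org already includes sbl.spamhaus.org
# and cbl.abuseat.org (XBL); the extra lookups are kept for now but are
# redundant.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_address,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unknown_client,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    check_client_access cidr:/etc/postfix/blacklist,
    check_sender_access hash:/etc/postfix/check_sender_access,
    check_client_access hash:/etc/postfix/rbl_override,
    check_policy_service inet:127.0.0.1:2501,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client z.mailspike.net,
    reject_rbl_client bl.mailspike.net

# --- HELO restrictions --------------------------------------------------------
# reject_invalid_hostname / reject_unknown_hostname are the pre-2.3 spellings
# of the *_helo_hostname checks that follow them; harmless duplicates.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/skip_hello_hosts,
    check_helo_access pcre:/etc/postfix/helo_access.pcre,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    warn_if_reject reject_unknown_hostname,
    permit

# --- sender restrictions ------------------------------------------------------
# NOTE(review): reject_sender_login_mismatch sits AFTER permit_sasl_authenticated,
# so an authenticated user is never checked and may use any MAIL FROM.
# Enforcing it requires smtpd_sender_login_maps (not set in this file) and the
# restriction placed before permit_sasl_authenticated, as in the commented
# mua_sender_restrictions further down.  Left as-is until the login map exists.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/check_sender_access,
    reject_sender_login_mismatch,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_unauth_destination,
    permit
#   check_policy_service inet:127.0.0.1:10031 (disabled; would go before permit)

# --- ETRN ---------------------------------------------------------------------
smtpd_etrn_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject

# --- recipient restrictions ---------------------------------------------------
# Duplicate entries from the previous revision (reject_unknown_recipient_domain
# twice, reject_unlisted_recipient twice) have been removed; Postfix accepted
# both comma- and whitespace-separated entries, so they were merely redundant.
# Comments have been moved out of the value to stay parser-version independent.
# Disabled alternatives: check_policy_service unix:postgrey/socket,
# check_policy_service inet:127.0.0.1:10023, check_policy_service inet:127.0.0.1:10031.
# RBLs: zen.spamhaus.org already covers sbl.spamhaus.org and cbl.abuseat.org.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/blacklist,
    check_sender_access hash:/etc/postfix/check_sender_access,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_invalid_helo_hostname,
    reject_multi_recipient_bounce,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_unknown_address,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unlisted_recipient,
    check_policy_service unix:private/policy,
    reject_unverified_recipient,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spameatingmonkey.net

# --- DATA restrictions --------------------------------------------------------
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit

#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

## Restrictions for MUAs (mail user agents) - reference only, not active
#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

# --- error reporting ----------------------------------------------------------
# notify_classes = bounce, delay, resource, software
notify_classes = resource, software
error_notice_recipient = admin@vrem.ro
# delay_notice_recipient = postmaster@898.ro
# bounce_notice_recipient = postmaster@898.ro
# 2bounce_notice_recipient = postmaster@898.ro

# --- postscreen ---------------------------------------------------------------
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_discard_ehlo_keywords = silent-discard, dsn
# Drop connections from blacklisted servers with a 521 reply
postscreen_blacklist_action = enforce
# Drop connections if the other server talks before the greeting is complete
postscreen_greet_action = drop
postscreen_greet_banner = $smtpd_banner
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
# Clean the postscreen cache every 24h
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
# DNSBL scoring: a client is dropped at a weighted score of 2
# (zen listing alone = 3, barracuda alone = 2)
postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
# deep protocol tests are off (they force a retry for every new client)
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no

# --- milters (DKIM on 127.0.0.1:8891) -----------------------------------------
smtpd_milters = inet:127.0.0.1:8891
#smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:11332, inet:localhost:8893
non_smtpd_milters = $smtpd_milters
# "accept" keeps mail flowing if the milter is down, at the cost of unsigned
# outbound and unverified inbound mail during the outage; "tempfail" would
# defer instead.
milter_default_action = accept
#milter_protocol = 2
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

# --- amavis (disabled) --------------------------------------------------------
#content_filter=amavisfeed:[127.0.0.1]:10024
#receive_override_options=no_address_mappings
#smtp-amavis_destination_recipient_limit = 5

# --- Zeyple filter (GPG sign/encrypt, disabled) -------------------------------
#content_filter = zeyple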