# main.cf.j2 — Postfix main.cf rendered by Ansible (Jinja2). The
# postfix_server variable switches between the full mail server and
# satellite hosts that only send mail.
# compatibility_level 2: opt out of the pre-3.0 backwards-compatible
# defaults (see Postfix COMPATIBILITY_README)
compatibility_level = 2

smtpd_banner = $myhostname ESMTP $mail_name
# no "you have new mail" notifications to logged-in users
biff = no

# do not append .$mydomain to unqualified addresses; that is the MUA's job
append_dot_mydomain = no

# server certificate for inbound STARTTLS, rendered only on the mail
# server host (Let's Encrypt live directory named after the inventory
# hostname). Satellite hosts get no smtpd certificate at all — presumably
# they never receive mail; verify that smtpd TLS is not expected there.
{% if postfix_server %}
smtpd_tls_cert_file = /etc/letsencrypt/live/{{inventory_hostname}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{inventory_hostname}}/privkey.pem
{% endif %}

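# TLS settings for inbound (smtpd_*) and outbound (smtp_*) connections.
# Both directions run opportunistic TLS (security_level = may): encrypt
# when the peer supports it, fall back to cleartext otherwise.

# DH groups. The "dh1024" parameter name is historical; Postfix uses
# whatever group the file holds (2048-bit here). The 512-bit group is only
# used by export-grade EDH ciphers, which !EXP in the cipher list excludes.
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = ultra
# the server's cipher order wins over the client's preference
tls_preempt_cipherlist = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
# TLS-level compression leaks plaintext (CRIME-style attacks); keep it off
tls_ssl_options = NO_COMPRESSION

# protocol exclusions: SSLv2 and SSLv3 are disabled everywhere, TLSv1 and
# TLSv1.1 remain enabled. Postfix accepts whitespace or comma separated
# lists; one style (whitespace) is used for all four for consistency.
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
# the "high" grade and tls_high_cipherlist apply only to mandatory TLS,
# i.e. services with security_level encrypt (presumably the submission
# service in master.cf — verify); opportunistic inbound connections use
# smtpd_tls_ciphers (Postfix default: medium)
smtpd_tls_mandatory_ciphers = high
# OpenSSL cipher string. "+SSLv3" only moves the SSLv3-era suites to the
# end of the preference order, it does not enable the protocol. The four
# trailing RSA-key-exchange suites are the compatibility fallbacks; the
# last one was previously misspelled "AES128-SHAA", a name OpenSSL does
# not know and therefore dropped, so AES128-SHA was never offered.
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

smtp_tls_loglevel = 1
smtp_tls_security_level = may

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

# legacy switch superseded by smtp_tls_security_level above; harmless, kept
# so older tooling reading this file still sees TLS enabled
smtp_use_tls = yes
# CA bundle used to check remote server certificates (at level "may" the
# result is logged, not enforced)
smtp_tls_CApath = /etc/ssl/certs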

# TODO: daemon_directory should be the same as the default. drop it
daemon_directory = /usr/lib/postfix/bin
# local domain and hostname are taken from the Ansible inventory name
mydomain = {{inventory_hostname}}
myhostname = {{inventory_hostname}}
# domain that locally posted mail with unqualified senders appears to
# come from — the same on every host, not the inventory hostname
myorigin = archlinux.org
{% if postfix_server %}
# only the mail server host accepts mail for archlinux.org as a local domain
mydestination = archlinux.org
{% else %}
# every other host has no local delivery domains at all
mydestination =
{% endif %}

# map type used wherever this config builds a table prefix from it
default_database_type=btree
# custom macro: "indexed" map prefix pointing at the config directory
# (presumably referenced as $indexed from other Postfix files — verify)
indexed = ${default_database_type}:${config_directory}

# trusted networks: loopback only, so nothing relays by source address
# alone — everything else has to authenticate (see smtpd_relay_restrictions)
mynetworks =
  127.0.0.1
  [::ffff:127.0.0.0]/104
  [::1]/128
# local mailboxes are handed to dovecot over LMTP
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# one recipient per LMTP transaction (usual dovecot setup so per-user
# results do not affect other recipients of the same message)
lmtp_destination_recipient_limit=1
# 0 = no limit on local mailbox size
mailbox_size_limit = 0
# 100 MiB, in bytes
message_size_limit = 104857600
# user+tag@domain sub-addressing
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# VRFY would let remote clients probe which addresses exist
disable_vrfy_command = yes
# require <addr> brackets in MAIL FROM / RCPT TO; rejects sloppy clients
strict_rfc821_envelopes = yes

# enable for testing new config
# (soft_bounce = yes turns every 5xx reject into a 4xx temporary failure,
# so a broken restriction list does not permanently bounce mail)
soft_bounce = no
# clients/servers to log at verbose level; empty = none
debug_peer_list =

smtp_connection_cache_on_demand = yes

# DKIM signing/verification through OpenDKIM, for mail received via SMTP
# and for locally submitted mail
smtpd_milters=unix:/var/spool/opendkim/opendkim
non_smtpd_milters=unix:/var/spool/opendkim/opendkim

# custom restriction classes
# policy_check is a user-defined parameter expanded as $policy_check in the
# restriction lists below; on non-server hosts it expands to nothing
policy_check =
# postfwd
{% if postfix_server %}
  check_policy_service inet:127.0.0.1:10040
{% endif %}

# recipient policy for the submission service — user-defined parameter,
# presumably wired up from master.cf via -o smtpd_recipient_restrictions
# (verify); only authenticated users may send, plus the access_recipient
# exceptions
submission_recipient_restrictions=
# allow postmaster
  check_recipient_access btree:/etc/postfix/access_recipient,
  permit_sasl_authenticated,
  reject

# relay policy, evaluated before smtpd_recipient_restrictions: only
# loopback and SASL-authenticated clients may relay to non-local domains;
# everyone else gets a 4xx (defer) rather than a 5xx for relay attempts
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# inbound recipient policy, evaluated top to bottom; the first permit or
# reject that matches decides, so order matters: the login-mismatch check
# runs before permit_sasl_authenticated, and relay is refused before the
# final permit. Entries starting with # are disabled.
smtpd_recipient_restrictions =
# policy services
  $policy_check,
# white-/blacklisting
  check_recipient_access btree:/etc/postfix/access_recipient,
  check_client_access btree:/etc/postfix/access_client,
  check_helo_access btree:/etc/postfix/access_helo,
  check_sender_access btree:/etc/postfix/access_sender,
# reject unclean mails
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_recipient_domain,
  reject_unknown_sender_domain,
# allow our users
  reject_authenticated_sender_login_mismatch,
  permit_sasl_authenticated,
  permit_mynetworks,
# reject mailservers without proper rDNS and hostname->IP
  #warn_if_reject reject_unknown_client_hostname,
# check RBLs
# check the HELO
  #warn_if_reject reject_invalid_helo_hostname,
# reject relaying
  reject_unauth_destination,
# cache if recipient exists
  #reject_unverified_recipient,
  #permit_mx_backup,
  permit

# some rate limiting rules only work after data so check it again
smtpd_end_of_data_restrictions =
  $policy_check

# needed to put our users on HOLD
# user-defined parameter, presumably selected by a post-queue smtpd
# instance in master.cf (verify)
post_queue_smtpd_recipient_restrictions =
  check_sender_access btree:/etc/postfix/access_sender-post-filter,
  permit_mynetworks,
  reject

# result cache for reject_unverified_recipient (currently disabled above)
address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache

# permanent 5xx rejects instead of the Postfix default 450 temporary
# failures, so senders get a bounce rather than retrying for days
unverified_recipient_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550

# appended to every reject reply; $localtime and $client_address are
# expanded by smtpd at reject time
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime) and client ($client_address).

# SMTP AUTH, only advertised after STARTTLS so credentials never cross
# the wire in clear text
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

smtpd_sasl_security_options = noanonymous
# accept the non-standard AUTH= EHLO form used by old Microsoft clients
broken_sasl_auth_clients = yes
# authentication is delegated to dovecot over its auth-client socket
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_tls_received_header = yes
# needed for SA
smtpd_sasl_authenticated_header = yes

{% if postfix_server %}
# login name -> allowed MAIL FROM addresses, consulted by
# reject_authenticated_sender_login_mismatch above. On non-server hosts
# the map is unset; presumably no SASL clients exist there — verify.
smtpd_sender_login_maps =
  btree:/etc/postfix/smtp_sender_map,
  btree:/etc/postfix/users
{% endif %}
smtpd_helo_required = yes

# anvil(8) per-client limits, counted per anvil_rate_time_unit (Postfix
# default 60s); clients in $mynetworks are exempt
smtpd_client_connection_rate_limit = 400
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500

# local(8) alias expansion; alias_database is what newaliases rebuilds
alias_maps =
  btree:/etc/postfix/aliases
alias_database = $alias_maps

{% if postfix_server %}
virtual_alias_maps =
  btree:/etc/postfix/users
  btree:/etc/postfix/mailman_compat
virtual_alias_domains =  btree:/etc/postfix/domains
{% endif %}

{% if postfix_server %}
# reject mails to system users (nobody looks in those mailboxes)
# (listing the maps explicitly replaces the default that includes
# every account in the system passwd database)
local_recipient_maps =
  btree:/etc/postfix/users
  $alias_maps
  btree:/etc/postfix/mailman_compat
  #btree:/etc/postfix/temporary_mailman_maps
  btree:/etc/postfix/compat_maps
relocated_maps = btree:/etc/postfix/relocated
{% endif %}

transport_maps =
  btree:/etc/postfix/transport
  btree:/etc/postfix/compat_maps
  #btree:/etc/postfix/temporary_mailman_maps

# only root may list the queue (mailq / postqueue -p); the Postfix
# default allows anyone, which exposes sender/recipient addresses
authorized_mailq_users = root

# regex-based header and body filters, see header_checks(5)
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks

# warn the sender when mail has been stuck in the queue this long
# (Postfix default 0h = never)
delay_warning_time = 4h

# vim: set ft=pfmain: