main.cf
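# main.cf - Postfix global settings (postconf(5)).
# Format: "name = value". A line that starts with whitespace continues the
# previous value. "#" comments must stand on a line of their own: a "#"
# after a value becomes part of the value.

# Return mail as a soft (4xx) bounce instead of a hard (5xx) bounce while
# testing; leave commented out in production.
#soft_bounce = yes

smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 3h

readme_directory = no
html_directory = no

myorigin = $myhostname

# mta MUST accept mail for localhost, localhost.$mydomain
mydestination = $myhostname, localhost.$mydomain, localhost

# Yes...please exchange it :-) (placeholder host name; set the real FQDN)
myhostname = host.domain.tld

# Only changes the software name shown in the banner and Received headers.
mail_name = Exchange Microsoft

# Use only if you have trouble sending mail. It breaks "sender address
# verification" (reject_unverified_sender), which this setup relies on.
#fallback_relay = [smtp.*.net]

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/canonical_sender
recipient_canonical_maps = hash:/etc/postfix/canonical_recipient

# Refuse the user%domain@other and site!user source-routing syntaxes.
allow_percent_hack = no
swap_bangpath = no

# virtual_maps is the obsolete name of virtual_alias_maps; use the current
# name and reference it in local_recipient_maps below.
virtual_alias_maps = hash:/etc/postfix/virtual
local_recipient_maps = proxy:$virtual_alias_maps proxy:$alias_maps proxy:unix:passwd.byname

# slow-transport (3 smtp connections at a time). The transport named "slow"
# is expected in master.cf (not shown here). Transport-specific parameters
# are spelled <transport>_destination_concurrency_limit with underscores
# only; the previous "slow_destination-concurrency_limit" was a typo that
# Postfix does not recognise, so the limit was never applied.
slow_destination_concurrency_limit = 3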
TLS Sections
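# TLS parameters

# Opportunistic TLS for outbound mail (obsoletes smtp_use_tls,
# smtp_enforce_tls, smtp_tls_enforce_peername). "may" does not resist an
# active attacker; use smtp_tls_policy_maps for destinations that need more.
smtp_tls_security_level = may
# Log when a remote server offers STARTTLS but we did not use it.
# (Was listed twice; the duplicate is removed.)
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = /etc/ssl/certs

# Opportunistic TLS for inbound mail (obsoletes smtpd_use_tls,
# smtpd_enforce_tls)
smtpd_tls_security_level = may

# "snakeoil" is the distribution's self-signed placeholder certificate;
# remote systems cannot verify it. Replace with a real certificate.
smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

# debugging tls (0 = off)
smtp_tls_loglevel = 0
smtpd_tls_loglevel = 0

# Advertise and accept AUTH only inside a TLS session, so the plaintext
# SASL mechanisms allowed below never cross the wire unencrypted.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_random_source = dev:/dev/urandom

# Disabled: per-destination TLS policy, client-certificate request and
# outbound certificate name matching.
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#smtpd_tls_ask_ccert = yes
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
#smtp_tls_enforce_peername = no

# SASL (AUTH) in the SMTP server
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
# noanonymous: refuse the ANONYMOUS mechanism. Plaintext mechanisms remain
# enabled and rely on smtpd_tls_auth_only above.
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Do not offer AUTH to clients in $mynetworks. This also applies to the
# submission/smtps services in master.cf unless they override it there.
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_authenticated_header = no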
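# No upstream relay: deliver directly to the destination MX.
relayhost =
# Clients trusted to relay without authentication (see permit_mynetworks
# below). Keep this list tight.
mynetworks = 127.0.0.0/8 192.168.10.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Named restriction lists used inside smtpd_recipient_restrictions.
# A class that evaluates to PERMIT - including an "OK" result from one of
# its access maps - ends the enclosing list with PERMIT, so every class
# whose maps can return OK must run only after reject_unauth_destination.
smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender

permissive = permit

# DNS blocklists. Where the installed Postfix supports the
# rbl_domain=d.d.d.d form, consider restricting zen.spamhaus.org to its
# documented listing codes (127.0.0.[2..11]) so that error replies the zone
# returns for blocked/public resolvers are not treated as listings.
# reject_rhsbl_sender bogusmx.rfc-ignorant.org was removed: that project is
# shut down, and a defunct zone re-registered with a wildcard would reject
# all mail.
rblcheck =
    check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com

# Greylisting via the policy daemon on 127.0.0.1:60000. An OK from the
# recipient whitelist ends smtpd_recipient_restrictions with PERMIT.
greylisting =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient,
    check_policy_service inet:127.0.0.1:60000

# Reject clients whose reverse DNS name looks dynamic. warn_if_reject only
# applies to the restriction that immediately follows it; the REJECT
# entries of the pcre map are enforced.
nodynamic_client =
    warn_if_reject reject_unknown_client_hostname,
    check_client_access pcre:/etc/postfix/no_dynamic.pcre

# policyd-weight on 127.0.0.1:12525 with client and recipient whitelists
check_policyd_weight =
    check_client_access hash:/etc/postfix/whitelist_policydweight_clients,
    check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient,
    check_policy_service inet:127.0.0.1:12525

# Sender address verification (probe the sender's MX). An OK in
# whitelist_verify_sender is keyed on the unauthenticated MAIL FROM
# address, so any client can claim a whitelisted domain to skip the probe.
verify_sender =
    check_sender_access hash:/etc/postfix/whitelist_verify_sender,
    check_recipient_access hash:/etc/postfix/whitelist_verify_recipient,
    reject_unverified_sender

# Don't offer ETRN nor VRFY
smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehelo_map

# HELO checks. helo_checks was listed as a bare "hash:" map, which relies
# on the list's implicit default lookup type; it is written out as
# check_helo_access because its keys are HELO names. An OK from the client
# whitelist ends only this list. The reject_* checks are warn-only.
smtpd_helo_restrictions =
    check_client_access hash:/etc/postfix/whitelist_helo_clients,
    check_helo_access hash:/etc/postfix/helo_checks,
    permit_sasl_authenticated,
    permit_mynetworks,
    warn_if_reject reject_invalid_hostname,
    warn_if_reject reject_non_fqdn_hostname,
    warn_if_reject reject_unknown_hostname

smtpd_etrn_restrictions = permit_mynetworks, reject

#smtpd_sender_login_maps = ldap:ldap_accounts, ldap:ldap_alias
#smtpd_sender_restrictions = reject_sender_login_mismatch

# Relay control. Order matters: permit_mynetworks / permit_sasl_authenticated
# admit our own clients, reject_unauth_destination then refuses relaying
# for everyone else, and only after that do the classes with OK-returning
# whitelists and the policy daemons run. Previously the greylisting class
# ran first, so a recipient matching whitelist_greylist_recipient (for
# example root@ at any domain) returned OK and ended evaluation before
# reject_unauth_destination - an open relay for those local parts.
# (Postfix 2.10+ also enforces smtpd_relay_restrictions, but this ordering
# must not depend on that.)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    greylisting,
    reject_unlisted_recipient,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_sender_mx_access cidr:/etc/postfix/bogon_networks,
    rblcheck,
    check_policyd_weight,
    nodynamic_client,
    verify_sender
# Disabled: recipient address verification
#    reject_unverified_recipient

smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining, permit

content_filter = smtp-amavis:[127.0.0.1]:10024
# already in master.cf:
#lmtp_send_xforward_command = yes
#smtp_send_xforward_command = yes
hash_queue_depth = 1

# /etc/aliases - add postar! (the probe sender must be deliverable locally)
address_verify_sender = postar
address_verify_map = btree:$(data_directory)/verify
home_mailbox = Maildir/
# bytes
message_size_limit = 70480000

# ABKO
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
# Slow down and eventually drop clients that keep making errors.
smtpd_error_sleep_time = 3s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10

# Mailman feature
owner_request_special = yes
show_user_unknown_table_name = no

# testing purposes
#smtpd_delay_reject = no

# DEBUG
#debug_peer_level = 1
#debug_peer_list = 193.77.x.x/32

remote_header_rewrite_domain = domain.invalid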
/etc/postfix/helo_checks
# /etc/postfix/helo_checks - access map (hash:) for check_helo_access.
# Replace <FQDN> and <IP> with this server's own host name and address: a
# client that greets us with our own identity is lying. The value is the
# reply code and text sent to the client. Run "postmap" after editing.
<FQDN>   551 Spammer comes to me. Greets me with my own IP. His mail I shall not see.
<IP>     551 Spammer comes to me. Greets me with my own IP. His mail I shall not see.
[<IP>]   551 Spammer comes to me. Greets me with my own IP. His mail I shall not see.
/etc/postfix/no_dynamic.pcre
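# /etc/postfix/no_dynamic.pcre - access map (pcre:) for check_client_access,
# matched against the client's hostname (and address). Patterns are tried
# in order, so the .static. exception must stay first. Postfix pcre tables
# match case-insensitively unless the /i flag is switched off, so a single
# "dynamicip" pattern also covers "dynamicIP"; the duplicate line is gone.
/\.static\./      OK
/\.dynamic\./     REJECT Get static IP or use your ISP SMTP server
/\-dynamic\./     REJECT Get static IP or use your ISP SMTP server
/\-dynamicip\./   REJECT Get static IP or use your ISP SMTP server
/\.dsl\./         REJECT Get static IP or use your ISP SMTP server
/\.adsl\./        REJECT Get static IP or use your ISP SMTP server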
/etc/postfix/whitelist_rbl_recipient
# /etc/postfix/whitelist_rbl_recipient - access map (hash:) used by
# check_recipient_access in the rblcheck class. A bare "localpart@" key
# matches that local part at any domain. OK ends smtpd_recipient_restrictions
# with PERMIT, so mail to these role addresses is never blocked by a DNSBL.
# Run "postmap" after editing.
root@        OK
admin@       OK
postmaster@  OK
abuse@       OK
postar@      OK
/etc/postfix/whitelist_greylist_recipient
# /etc/postfix/whitelist_greylist_recipient - access map (hash:) used by
# check_recipient_access in the greylisting class. A bare "localpart@" key
# matches that local part at any domain. OK does not just skip the policy
# daemon: it ends smtpd_recipient_restrictions with PERMIT, so the class
# that consults this map must run after reject_unauth_destination.
# Run "postmap" after editing.
root@        OK
admin@       OK
postmaster@  OK
abuse@       OK
postar@      OK
/etc/postfix/whitelist_policydweight_recipient
/etc/postfix/whitelist_verify_sender
# /etc/postfix/whitelist_verify_sender - access map (hash:) used by
# check_sender_access in the verify_sender class. Keys are matched against
# the MAIL FROM address: a domain matches any sender at that domain, a bare
# "localpart@" matches that local part at any domain. OK skips
# reject_unverified_sender. The envelope sender is not authenticated, so
# these entries are trivially spoofable; keep the list short.
# Run "postmap" after editing.
nevtron.si            OK
www-data@             OK
finance-on.net        OK
uni-mb.si             OK
mailer.mojedelo.com   OK
/etc/postfix/whitelist_verify_recipient
# /etc/postfix/whitelist_verify_recipient - access map (hash:) used by
# check_recipient_access in the verify_sender class. A bare "localpart@" key
# matches that local part at any domain. OK skips reject_unverified_sender
# for mail to these role addresses (abuse reports must get through even
# from senders whose MX cannot be probed). Run "postmap" after editing.
root@        OK
admin@       OK
postmaster@  OK
abuse@       OK
postar@      OK
/etc/postfix/bogon_networks
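# /etc/postfix/bogon_networks - cidr: map for check_sender_mx_access.
# Rejects senders whose domain's MX resolves into address space that cannot
# belong to a reachable public host.
# Source at the time: http://www.cymru.com/Documents/bogon-bn-agg.txt
#
# Only RFC-reserved ranges are kept. The earlier snapshot also listed
# then-unallocated unicast blocks (5/8, 14/8, 23/8, 31/8, 36/7, 39/8, 42/8,
# 49/8, 100/6, 104/7, 106/8, 176/7, 179/8, 181/8, 185/8, 223/8); IANA has
# since allocated all of them, and keeping them rejects mail from legitimate
# MX hosts. 100.0.0.0/6 is narrowed to the RFC 6598 shared address space.
# Re-check this file against the current bogon list before relying on it.
0.0.0.0/8         REJECT IP address of MX host is a bogus address
10.0.0.0/8        REJECT IP address of MX host is a bogus address
100.64.0.0/10     REJECT IP address of MX host is a bogus address
127.0.0.0/8       REJECT IP address of MX host is a bogus address
169.254.0.0/16    REJECT IP address of MX host is a bogus address
172.16.0.0/12     REJECT IP address of MX host is a bogus address
192.0.2.0/24      REJECT IP address of MX host is a bogus address
192.168.0.0/16    REJECT IP address of MX host is a bogus address
198.18.0.0/15     REJECT IP address of MX host is a bogus address
198.51.100.0/24   REJECT IP address of MX host is a bogus address
203.0.113.0/24    REJECT IP address of MX host is a bogus address
224.0.0.0/3       REJECT IP address of MX host is a bogus address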
/etc/postfix/discard_ehelo_map
# /etc/postfix/discard_ehelo_map - hash: map for
# smtpd_discard_ehlo_keyword_address_maps, indexed by the remote SMTP
# client address. Peers listed here are not offered STARTTLS (their TLS is
# broken), so mail exchanged with them is always in the clear;
# silent-discard suppresses the log entry. Run "postmap" after editing.
# Example placeholder (a host name would not match an address-indexed map):
#borken_tls_smtp_host   starttls, silent-discard
193.189.160.1           starttls, silent-discard
/etc/postfix/canonical_recipient
# /etc/postfix/canonical_recipient - hash: map for recipient_canonical_maps.
# Left column: recipient address to match; right column: replacement used
# in envelope and header recipient addresses. Run "postmap" after editing.
username@mydomain   myemail
/etc/postfix/whitelist_helo_clients
# /etc/postfix/whitelist_helo_clients - access map (hash:) for
# check_client_access, first entry of smtpd_helo_restrictions. OK here ends
# only the HELO restriction list: these clients skip the helo_checks table
# and the hostname sanity checks, while relay control in
# smtpd_recipient_restrictions is unaffected. Run "postmap" after editing.
127.0.0.1        OK
localhost        OK
host.domain.tld  OK
/etc/postfix/master.cf
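# submission (port 587): TLS required, authenticated clients only.
# Option overrides must be a single "-o" token; "- o" is not parsed as an
# override. main.cf sets smtpd_sasl_exceptions_networks = $mynetworks, which
# would hide AUTH from LAN clients on this port and then reject them through
# permit_sasl_authenticated,reject; the empty override re-enables AUTH here.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_exceptions_networks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o syslog_name=postfix-submission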
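# smtps (port 465): implicit TLS (wrapper mode), authenticated clients only.
# Same "-o" token fix and AUTH override as the submission entry. For
# consistency with submission, a syslog_name override (e.g.
# postfix-smtps) keeps this service's log lines distinguishable; the entry
# may continue beyond what is shown here.
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_exceptions_networks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING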