main.cf

#soft_bounce = yes
smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 3h

readme_directory = no
html_directory = no

myorigin = $myhostname
# mta MUST accept mail for localhost, localhost.$mydomain
mydestination = $myhostname, localhost.$mydomain, localhost

myhostname = host.domain.tld

# Yes...please exchange it :-)
mail_name = Exchange Microsoft

# Use only if you have trouble sending mail. It breaks "sender address verification"
#fallback_relay = [smtp.*.net]

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

sender_canonical_maps = hash:/etc/postfix/canonical_sender
recipient_canonical_maps = hash:/etc/postfix/canonical_recipient

allow_percent_hack = no
swap_bangpath = no

virtual_maps = hash:/etc/postfix/virtual

local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname

#slow-transport (3 smtp connections at a time)
slow_destination-concurrency_limit = 3

TLS Sections

# TLS parameters
smtp_tls_security_level=may
#obsoletes smtp_use_tls smtp_enforce_tls  smtp_tls_enforce_peername
smtp_tls_note_starttls_offer=yes

smtp_tls_CApath = /etc/ssl/certs

smtpd_tls_security_level=may
#obsoletes  smtpd_use_tls smtpd_enforce_tls

smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

# debuging tls
smtp_tls_loglevel = 0
smtpd_tls_loglevel = 0

smtpd_tls_auth_only=yes
smtpd_tls_received_header=yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

tls_random_source = dev:/dev/urandom

###smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
###smtpd_tls_ask_ccert = yes
###smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

smtp_tls_note_starttls_offer = yes
#smtp_tls_enforce_peername = no

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_exceptions_networks = $mynetworks


 smtpd_sasl_authenticated_header = no
#unverified_sender_reject_code = 550

relayhost =
mynetworks = 127.0.0.0/8 192.168.10.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender

permissive = permit

rblcheck =
        check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com,
        reject_rhsbl_sender bogusmx.rfc-ignorant.org

greylisting =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient,
        check_policy_service inet:127.0.0.1:60000

nodynamic_client =
        warn_if_reject reject_unknown_client_hostname,
        check_client_access pcre:/etc/postfix/no_dynamic.pcre

check_policyd_weight =
        check_client_access hash:/etc/postfix/whitelist_policydweight_clients
        check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient,
        check_policy_service inet:127.0.0.1:12525

verify_sender =
        check_sender_access hash:/etc/postfix/whitelist_verify_sender,
        check_recipient_access hash:/etc/postfix/whitelist_verify_recipient,
        reject_unverified_sender

# Don't offer ETRN nor VRFY
smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY

smtpd_discard_ehlo_keyword_address_maps =
        hash:/etc/postfix/discard_ehelo_map

smtpd_helo_restrictions =
        check_client_access hash:/etc/postfix/whitelist_helo_clients
        hash:/etc/postfix/helo_checks
        permit_sasl_authenticated
        permit_mynetworks
        warn_if_reject reject_invalid_hostname
        warn_if_reject reject_non_fqdn_hostname
        warn_if_reject reject_unknown_hostname

smtpd_etrn_restrictions=
        permit_mynetworks,
        reject

#smtpd_sender_login_maps =  ldap:ldap_accounts, ldap:ldap_alias

#smtpd_sender_restrictions = reject_sender_login_mismatch

smtpd_recipient_restrictions =
        greylisting,
        reject_unlisted_recipient,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        check_sender_mx_access cidr:/etc/postfix/bogon_networks,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        rblcheck,
        check_policyd_weight,
        nodynamic_client,
        verify_sender
#       reject_unverified_recipient

smtpd_data_restrictions =
                reject_multi_recipient_bounce
                reject_unauth_pipelining
                permit

content_filter = smtp-amavis:[127.0.0.1]:10024

#already in master.cf:
#lmtp_send_xforward_command = yes
#smtp_send_xforward_command = yes

hash_queue_depth = 1

# /etc/aliases - add postar!
address_verify_sender = postar
address_verify_map = btree:$(data_directory)/verify


home_mailbox = Maildir/
message_size_limit = 70480000

# ABKO
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

smtpd_error_sleep_time = 3s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10

# Mailman feature
owner_request_special = yes
show_user_unknown_table_name = no

# testing purposed
# smtpd_delay_reject = no

# DEBUG
# debug_peer_level = 1
#debug_peer_list = 193.77.x.x/32
remote_header_rewrite_domain = domain.invalid

/etc/postfix/helo_checks

<FQDN>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
<IP>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
[<IP>]	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.

/etc/postfix/no_dynamic.pcre

/\.static\./    OK
/\.dynamic\./   REJECT Get static IP or use your ISP SMTP server
/\-dynamic\./   REJECT Get static IP or use your ISP SMTP server
/\-dynamicIP\./   REJECT Get static IP or use your ISP SMTP server
/\-dynamicip\./   REJECT Get static IP or use your ISP SMTP server
/\.dsl\./       REJECT Get static IP or use your ISP SMTP server
/\.adsl\./      REJECT Get static IP or use your ISP SMTP server


/etc/postfix/whitelist_rbl_recipient

root@           OK
admin@          OK
postmaster@     OK
abuse@          OK
postar@         OK

/etc/postfix/whitelist_greylist_recipient

root@           OK
admin@          OK
postmaster@     OK
abuse@          OK
postar@         OK

/etc/postfix/whitelist_policydweight_recipient FIXME

/etc/postfix/whitelist_verify_sender

nevtron.si              OK
www-data@               OK
finance-on.net          OK
uni-mb.si               OK
mailer.mojedelo.com     OK

/etc/postfix/whitelist_verify_recipient

root@           OK
admin@          OK
postmaster@     OK
abuse@          OK
postar@         OK

/etc/postfix/bogon_networks

# http://www.cymru.com/Documents/bogon-bn-agg.txt
0.0.0.0/8       REJECT IP address of MX host is a bogus address
5.0.0.0/8       REJECT IP address of MX host is a bogus address
10.0.0.0/8      REJECT IP address of MX host is a bogus address
14.0.0.0/8      REJECT IP address of MX host is a bogus address
23.0.0.0/8      REJECT IP address of MX host is a bogus address
31.0.0.0/8      REJECT IP address of MX host is a bogus address
36.0.0.0/7      REJECT IP address of MX host is a bogus address
39.0.0.0/8      REJECT IP address of MX host is a bogus address
42.0.0.0/8      REJECT IP address of MX host is a bogus address
49.0.0.0/8      REJECT IP address of MX host is a bogus address
100.0.0.0/6     REJECT IP address of MX host is a bogus address
104.0.0.0/7     REJECT IP address of MX host is a bogus address
106.0.0.0/8     REJECT IP address of MX host is a bogus address
127.0.0.0/8     REJECT IP address of MX host is a bogus address
169.254.0.0/16  REJECT IP address of MX host is a bogus address
172.16.0.0/12   REJECT IP address of MX host is a bogus address
176.0.0.0/7     REJECT IP address of MX host is a bogus address
179.0.0.0/8     REJECT IP address of MX host is a bogus address
181.0.0.0/8     REJECT IP address of MX host is a bogus address
185.0.0.0/8     REJECT IP address of MX host is a bogus address
192.0.2.0/24    REJECT IP address of MX host is a bogus address
192.168.0.0/16  REJECT IP address of MX host is a bogus address
198.18.0.0/15   REJECT IP address of MX host is a bogus address
198.51.100.0/24 REJECT IP address of MX host is a bogus address
203.0.113.0/24  REJECT IP address of MX host is a bogus address
223.0.0.0/8     REJECT IP address of MX host is a bogus address
224.0.0.0/3     REJECT IP address of MX host is a bogus address

/etc/postfix/discard_ehelo_map

# borken_tls_smtp_host  starttls, silent-discard
193.189.160.1     starttls, silent-discard

/etc/postfix/canonical_recipient

username@mydomain      myemail

/etc/postfix/whitelist_helo_clients 127.0.0.1 OK
localhost OK
host.domain.tld OK

/etc/postfix/master.cf submission inet n - - - - smtpd

  1. o smtpd_tls_security_level=encrypt
  2. o smtpd_sasl_auth_enable=yes
  3. o smtpd_client_restrictions=permit_sasl_authenticated,reject
  4. o milter_macro_daemon_name=ORIGINATING

-o syslog_name=postfix-submission
smtps inet n - - - - smtpd

  1. o smtpd_tls_wrappermode=yes
  2. o smtpd_sasl_auth_enable=yes
  3. o smtpd_client_restrictions=permit_sasl_authenticated,reject
  4. o milter_macro_daemon_name=ORIGINATING
postfix/optimized-configuration.txt · Last modified: 2013/09/12 15:40 by zagi
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready