Differences

This shows you the differences between two versions of the page.

--- postfix:optimized-configuration [2009/03/25 11:07]
greebo
+++ postfix:optimized-configuration [2013/09/12 15:40] (current)
zagi
@@ Line 1: / Line 1: @@
-soft_bounce = yes\\
+**main.cf**
-\\
+<code>
-smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html\\
+#soft_bounce = yes
-\\
+smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html
-biff = no\\
+biff = no
-\\
-# appending .domain is the MUA's job.\\
+# appending .domain is the MUA's job.
-append_dot_mydomain = no\\
+append_dot_mydomain = no
-\\
-# Uncomment the next line to generate "delayed mail" warnings\\
+# Uncomment the next line to generate "delayed mail" warnings
-delay_warning_time = 3h\\
+#delay_warning_time = 3h
-\\
-readme_directory = no\\
+readme_directory = no
-#sample_directory\\
+html_directory = no
-\\
-myorigin = $myhostname\\
+myorigin = $myhostname
-# mta MUST accept mail for localhost, localhost.$mydomain\\
+# mta MUST accept mail for localhost, localhost.$mydomain
-mydestination = $myhostname, localhost.$mydomain, localhost\\
+mydestination = $myhostname, localhost.$mydomain, localhost
-\\
-myhostname = host.domain.tld\\
+myhostname = host.domain.tld
-\\
-# Yes...please exchange it :-)\\
+# Yes...please exchange it :-)
-mail_name = Exchange Microsoft\\
+mail_name = Exchange Microsoft
-\\
-# Use only if you have trouble sending mail. It breaks "sender address verification"\\
+# Use only if you have trouble sending mail. It breaks "sender address verification"
-#fallback_relay = [smtp.*.net]\\
+#fallback_relay = [smtp.*.net]
-\\
-alias_maps = hash:/etc/aliases\\
+alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases\\
+alias_database = hash:/etc/aliases
-\\
-virtual_maps = hash:/etc/postfix/virtual\\
+sender_canonical_maps = hash:/etc/postfix/canonical_sender
-\\
+recipient_canonical_maps = hash:/etc/postfix/canonical_recipient
-local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname\\
-\\
+allow_percent_hack = no
-#slow-transport (3 smtp connections at a time)\\
+swap_bangpath = no
-slow_destination-concurrency_limit = 3\\
-\\
+virtual_maps = hash:/etc/postfix/virtual
-# TLS parameters\\
-tls_random_source = dev:/dev/urandom\\
+local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname
-\\
-smtpd_tls_cert_file=/etc/ssl/certs/server.crt\\
+#slow-transport (3 smtp connections at a time)
-smtpd_tls_key_file=/etc/ssl/private/server.key\\
+slow_destination-concurrency_limit = 3
-\\
+</code>
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache\\
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache\\
+**TLS Sections**
-\\
+<code>
-###smtp_tls_policy_maps = hash:/etc/postfix/tls_policy\\
+# TLS parameters
-smtp_tls_security_level = may\\
+smtp_tls_security_level=may
-smtpd_tls_security_level = may\\
+#obsoletes smtp_use_tls smtp_enforce_tls  smtp_tls_enforce_peername
-\\
+smtp_tls_note_starttls_offer=yes
-###smtpd_tls_ask_ccert = yes\\
-\\
+smtp_tls_CApath = /etc/ssl/certs
-###smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop\\
-\\
+smtpd_tls_security_level=may
+#obsoletes  smtpd_use_tls smtpd_enforce_tls
+smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 # debuging tls
-# smtpd_tls_loglevel = 3\\
+smtp_tls_loglevel = 0
-\\
+smtpd_tls_loglevel = 0
-#obsolete#smtpd_use_tls=yes\\
-\\
+smtpd_tls_auth_only=yes
-smtp_tls_note_starttls_offer = yes\\
+smtpd_tls_received_header=yes
-#smtp_tls_enforce_peername = no\\
-\\
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtpd_sasl_local_domain = $myhostname\\
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_sasl_application_name = smtpd\\
-smtpd_sasl_auth_enable = yes\\
+tls_random_source = dev:/dev/urandom
-smtpd_sasl_security_options = noanonymous\\
-broken_sasl_auth_clients = yes\\
+###smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtpd_sasl_exceptions_networks = $mynetworks\\
+###smtpd_tls_ask_ccert = yes
-\\
+###smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
-smtpd_tls_auth_only = yes\\
-smtpd_tls_received_header = yes\\
+smtp_tls_note_starttls_offer = yes
-\\
+#smtp_tls_enforce_peername = no
-#unverified_sender_reject_code = 550\\
-\\
+smtpd_sasl_local_domain = $myhostname
-relayhost =\\
+smtpd_sasl_application_name = smtpd
-mynetworks = 127.0.0.0/8 192.168.10.0/24\\
+smtpd_sasl_auth_enable = yes
-mailbox_size_limit = 0\\
+smtpd_sasl_security_options = noanonymous
-recipient_delimiter = +\\
+broken_sasl_auth_clients = yes
-inet_interfaces = all\\
+smtpd_sasl_exceptions_networks = $mynetworks
-inet_protocols = ipv4\\
-\\
-smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender\\
+ smtpd_sasl_authenticated_header = no
-\\
+</code>
-permissive = permit\\
-\\
+<code>
-rblcheck =\\
+#unverified_sender_reject_code = 550
+relayhost =
+mynetworks = 127.0.0.0/8 192.168.10.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender
+permissive = permit
+rblcheck =
         check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient,
         reject_rbl_client zen.spamhaus.org,
@@ Line 90: / Line 111: @@
         reject_rbl_client psbl.surriel.com,
         reject_rhsbl_sender bogusmx.rfc-ignorant.org
-\\
-greylisting =\\
+greylisting =
         permit_mynetworks,
+        permit_sasl_authenticated,
         check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient,
         check_policy_service inet:127.0.0.1:60000
-\\
-nodynamic_client =\\
+nodynamic_client =
         warn_if_reject reject_unknown_client_hostname,
         check_client_access pcre:/etc/postfix/no_dynamic.pcre
-\\
-check_policyd_weight =\\
+check_policyd_weight =
+        check_client_access hash:/etc/postfix/whitelist_policydweight_clients
         check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient,
         check_policy_service inet:127.0.0.1:12525
-\\
-verify_sender =\\
+verify_sender =
         check_sender_access hash:/etc/postfix/whitelist_verify_sender,
         check_recipient_access hash:/etc/postfix/whitelist_verify_recipient,
         reject_unverified_sender
-\\
-# Don't offer ETRN nor VRFY\\
+# Don't offer ETRN nor VRFY
-smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY\\
+smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY
-\\
 smtpd_discard_ehlo_keyword_address_maps =
         hash:/etc/postfix/discard_ehelo_map
-\\
-smtpd_helo_restrictions =\\
+smtpd_helo_restrictions =
+        check_client_access hash:/etc/postfix/whitelist_helo_clients
         hash:/etc/postfix/helo_checks
-\\
+        permit_sasl_authenticated
-smtpd_etrn_restrictions=\\
+        permit_mynetworks
+        warn_if_reject reject_invalid_hostname
+        warn_if_reject reject_non_fqdn_hostname
+        warn_if_reject reject_unknown_hostname
+smtpd_etrn_restrictions=
         permit_mynetworks,
         reject
-\\
-smtpd_sender_restrictions =\\
+#smtpd_sender_login_maps =  ldap:ldap_accounts, ldap:ldap_alias
-\\
-smtpd_recipient_restrictions =\\
+#smtpd_sender_restrictions = reject_sender_login_mismatch
+smtpd_recipient_restrictions =
         greylisting,
         reject_unlisted_recipient,
@@ Line 140: / Line 171: @@
         verify_sender
 #       reject_unverified_recipient
-\\
-smtpd_data_restrictions =\\
+smtpd_data_restrictions =
                 reject_multi_recipient_bounce
                 reject_unauth_pipelining
                 permit
-\\
-content_filter = smtp-amavis:[127.0.0.1]:10024\\
+content_filter = smtp-amavis:[127.0.0.1]:10024
-\\
-lmtp_send_xforward_command = yes\\
+#already in master.cf:
-smtp_send_xforward_command = yes\\
+#lmtp_send_xforward_command = yes
-\\
+#smtp_send_xforward_command = yes
-hash_queue_depth = 1\\
-\\
+hash_queue_depth = 1
-# /etc/aliases - add postar!\\
-address_verify_sender = postar\\
+# /etc/aliases - add postar!
-address_verify_map = btree:$(data_directory)/verify\\
+address_verify_sender = postar
-\\
+address_verify_map = btree:$(data_directory)/verify
-home_mailbox = Maildir/\\
-message_size_limit = 70480000\\
-\\
+home_mailbox = Maildir/
-# ABKO\\
+message_size_limit = 70480000
-disable_vrfy_command = yes\\
-smtpd_helo_required = yes\\
+# ABKO
-strict_rfc821_envelopes = yes\\
+disable_vrfy_command = yes
-\\
+smtpd_helo_required = yes
-unverified_recipient_reject_code = 550\\
+strict_rfc821_envelopes = yes
-unverified_sender_reject_code = 550\\
-\\
+unverified_recipient_reject_code = 550
-smtpd_error_sleep_time = 0s\\
+unverified_sender_reject_code = 550
-smtpd_soft_error_limit = 5\\
-smtpd_hard_error_limit = 10\\
+smtpd_error_sleep_time = 3s
-\\
+smtpd_soft_error_limit = 5
+smtpd_hard_error_limit = 10
 # Mailman feature
-owner_request_special = yes\\
+owner_request_special = yes
-show_user_unknown_table_name = no\\
+show_user_unknown_table_name = no
-\\
 # testing purposed
-# smtpd_delay_reject = no\\
+# smtpd_delay_reject = no
-\\
-# DEBUG\\
+# DEBUG
-# debug_peer_level = 1\\
+# debug_peer_level = 1
-#debug_peer_list = 193.77.x.x/32\\
+#debug_peer_list = 193.77.x.x/32
-remote_header_rewrite_domain = domain.invalid\\
+remote_header_rewrite_domain = domain.invalid
+</code>
+**/etc/postfix/helo_checks**
+<code>
+<FQDN>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+<IP>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+[<IP>]	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+</code>
 **/etc/postfix/no_dynamic.pcre**
@@ Line 210: / Line 254: @@
 **/etc/postfix/whitelist_policydweight_recipient**
+FIXME
 **/etc/postfix/whitelist_verify_sender**
@@ Line 227: / Line 271: @@
 **/etc/postfix/bogon_networks**
-.0.0.0/8       REJECT IP address of MX host is a bogus address
+<code>
-.0.0.0/8       REJECT IP address of MX host is a bogus address
+# http://www.cymru.com/Documents/bogon-bn-agg.txt
 .0.0.0/8       REJECT IP address of MX host is a bogus address
 .0.0.0/8       REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/7      REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
 .0.0.0/8      REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/6     REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/7     REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.254.0.0/16  REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.16.0.0/12   REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/7     REJECT IP address of MX host is a bogus address
 .0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
 .0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.2.0/24    REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.168.0.0/16  REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.18.0.0/15   REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.51.100.0/24 REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.113.0/24  REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/3     REJECT IP address of MX host is a bogus address
-.254.0.0/16  REJECT IP address of MX host is a bogus address
+</code>
-.16.0.0/12   REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.2.0/24    REJECT IP address of MX host is a bogus address
-.168.0.0/16  REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.18.0.0/15   REJECT IP address of MX host is a bogus address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
-.0.0.0/3     REJECT IP address of MX host is a bogus address
-.0.0.0/12    REJECT IP address of MX host is a reserved address
-.0.0.0/8     REJECT IP address of MX host is a bogus address
+**/etc/postfix/discard_ehelo_map**
-/etc/postfix/discard_ehelo_map
+  # borken_tls_smtp_host  starttls, silent-discard
-  borken_tls_smtp_host  starttls, silent-discard
 .189.160.1     starttls, silent-discard
+**/etc/postfix/canonical_recipient**
+  username@mydomain      myemail
+**/etc/postfix/whitelist_helo_clients**
+.0.0.1               OK\\
+localhost               OK\\
+host.domain.tld        OK\\
+**/etc/postfix/master.cf**
+submission inet n       -       -       -       -       smtpd\\
+  -o smtpd_tls_security_level=encrypt\\
+  -o smtpd_sasl_auth_enable=yes\\
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\
+  -o milter_macro_daemon_name=ORIGINATING\\
+**  -o syslog_name=postfix-submission**\\
+smtps     inet  n       -       -       -       -       smtpd\\
+  -o smtpd_tls_wrappermode=yes\\
+  -o smtpd_sasl_auth_enable=yes\\
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\
+  -o milter_macro_daemon_name=ORIGINATING\\