postfix:optimized-configuration [2009/03/17 16:12]
a
postfix:optimized-configuration [2013/09/12 15:40] (current)
zagi
Line 1: Line 1:
 +**main.cf**
 <code> <code>
-soft_bounce = yes +#soft_bounce = yes 
- +smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html
-smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html\\ +
 biff = no biff = no
  
Line 10: Line 9:
  
 # Uncomment the next line to generate "delayed mail" warnings # Uncomment the next line to generate "delayed mail" warnings
-delay_warning_time = 4h+#delay_warning_time = 3h
  
 readme_directory = no readme_directory = no
 +html_directory = no
  
 myorigin = $myhostname myorigin = $myhostname
-mydestination = $myhostname, localhost.$mydomain+# mta MUST accept mail for localhost, localhost.$mydomain 
 +mydestination = $myhostname, localhost.$mydomain, localhost
  
 myhostname = host.domain.tld myhostname = host.domain.tld
 +
 +# Yes...please exchange it :-)
 mail_name = Exchange Microsoft mail_name = Exchange Microsoft
  
 +# Use only if you have trouble sending mail. It breaks "sender address verification"
 #fallback_relay = [smtp.*.net] #fallback_relay = [smtp.*.net]
  
 alias_maps = hash:/etc/aliases alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases alias_database = hash:/etc/aliases
 +
 +sender_canonical_maps = hash:/etc/postfix/canonical_sender
 +recipient_canonical_maps = hash:/etc/postfix/canonical_recipient
 +
 +allow_percent_hack = no
 +swap_bangpath = no
  
 virtual_maps = hash:/etc/postfix/virtual virtual_maps = hash:/etc/postfix/virtual
Line 29: Line 39:
 local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname
  
- +#slow-transport (3 smtp connections at a time)
-#slow-transport (siol ipd)+
 slow_destination-concurrency_limit = 3 slow_destination-concurrency_limit = 3
 +</code>
  
 +**TLS Sections**
 +<code>
 # TLS parameters # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/server.crt +smtp_tls_security_level=may 
-smtpd_tls_key_file=/etc/ssl/private/server.key +#obsoletes smtp_use_tls smtp_enforce_tls  smtp_tls_enforce_peername 
-smtpd_use_tls=yes+smtp_tls_note_starttls_offer=yes 
 + 
 +smtp_tls_CApath = /etc/ssl/certs 
 + 
 +smtpd_tls_security_level=may 
 +#obsoletes  smtpd_use_tls smtpd_enforce_tls 
 + 
 +smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem 
 +smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key 
 + 
 +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem 
 +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key 
 + 
 +# debuging tls 
 +smtp_tls_loglevel = 0 
 +smtpd_tls_loglevel = 0 
 + 
 +smtpd_tls_auth_only=yes 
 +smtpd_tls_received_header=yes 
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_tls_auth_only = yes +
-smtpd_tls_received_header = yes+
 tls_random_source = dev:/dev/urandom tls_random_source = dev:/dev/urandom
  
-#smtpd_tls_loglevel 3 +###smtp_tls_policy_maps hash:/etc/postfix/tls_policy 
-#smtp_tls_note_starttls_offer = yes+###smtpd_tls_ask_ccert = yes 
 +###smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop 
 + 
 +smtp_tls_note_starttls_offer = yes
 #smtp_tls_enforce_peername = no #smtp_tls_enforce_peername = no
  
Line 54: Line 87:
 smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_exceptions_networks = $mynetworks
  
 +
 + smtpd_sasl_authenticated_header = no
 +</code>
 +
 +<code>
 #unverified_sender_reject_code = 550 #unverified_sender_reject_code = 550
  
Line 61: Line 99:
 recipient_delimiter = + recipient_delimiter = +
 inet_interfaces = all inet_interfaces = all
-inet_protocols = ipv4+inet_protocols = all
  
 smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender
Line 68: Line 106:
  
 rblcheck = rblcheck =
-        check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient+        check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient,
         reject_rbl_client zen.spamhaus.org,         reject_rbl_client zen.spamhaus.org,
 +        reject_rbl_client bl.spamcop.net,
 +        reject_rbl_client psbl.surriel.com,
         reject_rhsbl_sender bogusmx.rfc-ignorant.org         reject_rhsbl_sender bogusmx.rfc-ignorant.org
  
 greylisting = greylisting =
-        check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient+        permit_mynetworks, 
 +        permit_sasl_authenticated, 
 +        check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient,
         check_policy_service inet:127.0.0.1:60000         check_policy_service inet:127.0.0.1:60000
  
Line 81: Line 123:
  
 check_policyd_weight = check_policyd_weight =
-        check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient+        check_client_access hash:/etc/postfix/whitelist_policydweight_clients 
 +        check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient,
         check_policy_service inet:127.0.0.1:12525         check_policy_service inet:127.0.0.1:12525
  
 verify_sender = verify_sender =
-        check_sender_access hash:/etc/postfix/whitelist_verify_sender +        check_sender_access hash:/etc/postfix/whitelist_verify_sender, 
-        check_recipient_access hash:/etc/postfix/whitelist_verify_recipient+        check_recipient_access hash:/etc/postfix/whitelist_verify_recipient,
         reject_unverified_sender         reject_unverified_sender
  
 +# Don't offer ETRN nor VRFY
 smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY
 +
 +smtpd_discard_ehlo_keyword_address_maps =
 +        hash:/etc/postfix/discard_ehelo_map
  
 smtpd_helo_restrictions = smtpd_helo_restrictions =
 +        check_client_access hash:/etc/postfix/whitelist_helo_clients
         hash:/etc/postfix/helo_checks         hash:/etc/postfix/helo_checks
 +        permit_sasl_authenticated
 +        permit_mynetworks
 +        warn_if_reject reject_invalid_hostname
 +        warn_if_reject reject_non_fqdn_hostname
 +        warn_if_reject reject_unknown_hostname
  
 smtpd_etrn_restrictions= smtpd_etrn_restrictions=
Line 98: Line 151:
         reject         reject
  
-smtpd_sender_restrictions =+#smtpd_sender_login_maps =  ldap:ldap_accounts, ldap:ldap_alias 
 + 
 +#smtpd_sender_restrictions = reject_sender_login_mismatch
  
 smtpd_recipient_restrictions = smtpd_recipient_restrictions =
Line 124: Line 179:
 content_filter = smtp-amavis:[127.0.0.1]:10024 content_filter = smtp-amavis:[127.0.0.1]:10024
  
-lmtp_send_xforward_command = yes +#already in master.cf: 
-smtp_send_xforward_command = yes+#lmtp_send_xforward_command = yes 
 +#smtp_send_xforward_command = yes
  
 hash_queue_depth = 1 hash_queue_depth = 1
  
-# /etc/aliases - add postar+# /etc/aliases - add postar!
 address_verify_sender = postar address_verify_sender = postar
 address_verify_map = btree:$(data_directory)/verify address_verify_map = btree:$(data_directory)/verify
 +
  
 home_mailbox = Maildir/ home_mailbox = Maildir/
Line 144: Line 201:
 unverified_sender_reject_code = 550 unverified_sender_reject_code = 550
  
-smtpd_error_sleep_time = 0s+smtpd_error_sleep_time = 3s
 smtpd_soft_error_limit = 5 smtpd_soft_error_limit = 5
 smtpd_hard_error_limit = 10 smtpd_hard_error_limit = 10
  
 +# Mailman feature
 owner_request_special = yes owner_request_special = yes
 show_user_unknown_table_name = no show_user_unknown_table_name = no
  
-#smtpd_delay_reject = no+# testing purposed 
 +# smtpd_delay_reject = no
  
 # DEBUG # DEBUG
Line 159: Line 218:
 </code> </code>
  
-/etc/postfix/whitelist_rbl_recipient FIXME \\ + 
-/etc/postfix/whitelist_greylist_recipient FIXME \\ +**/etc/postfix/helo_checks** 
-/etc/postfix/no_dynamic.pcre FIXME \\ +<code> 
-/etc/postfix/whitelist_policydweight_recipient FIXME \\ +<FQDN> 551 Spammer comes to me. Greets me with my own IP. His mail I shall not see. 
-/etc/postfix/whitelist_verify_sender FIXME \\ +<IP> 551 Spammer comes to me. Greets me with my own IP. His mail I shall not see. 
-/etc/postfix/whitelist_verify_recipient FIXME \\ +[<IP>] 551 Spammer comes to me. Greets me with my own IP. His mail I shall not see. 
-/etc/postfix/bogon_networks FIXME+</code> 
 + 
 + 
 + 
 +**/etc/postfix/no_dynamic.pcre** 
 +  /\.static\./    OK 
 +  /\.dynamic\.  REJECT Get static IP or use your ISP SMTP server 
 +  /\-dynamic\./   REJECT Get static IP or use your ISP SMTP server 
 +  /\-dynamicIP\./   REJECT Get static IP or use your ISP SMTP server 
 +  /\-dynamicip\./   REJECT Get static IP or use your ISP SMTP server 
 +  /\.dsl\./       REJECT Get static IP or use your ISP SMTP server 
 +  /\.adsl\./      REJECT Get static IP or use your ISP SMTP server 
 +\\ 
 + 
 +**/etc/postfix/whitelist_rbl_recipient** 
 +  root@           OK 
 +  admin@          OK 
 +  postmaster@     OK 
 +  abuse@          OK 
 +  postar@         OK 
 + 
 + 
 +**/etc/postfix/whitelist_greylist_recipient** 
 +  root@           OK 
 +  admin@          OK 
 +  postmaster@     OK 
 +  abuse@          OK 
 +  postar@         OK 
 + 
 +**/etc/postfix/whitelist_policydweight_recipient** 
 +FIXME 
 + 
 +**/etc/postfix/whitelist_verify_sender** 
 +  nevtron.si              OK 
 +  www-data@               OK 
 +  finance-on.net          OK 
 +  uni-mb.si               OK 
 +  mailer.mojedelo.com     OK 
 + 
 +**/etc/postfix/whitelist_verify_recipient** 
 +  root@           OK 
 +  admin@          OK 
 +  postmaster@     OK 
 +  abuse@          OK 
 +  postar@         OK 
 + 
 +**/etc/postfix/bogon_networks** 
 +<code> 
 +# http://www.cymru.com/Documents/bogon-bn-agg.txt 
 +0.0.0.0/      REJECT IP address of MX host is a bogus address 
 +5.0.0.0/      REJECT IP address of MX host is a bogus address 
 +10.0.0.0/     REJECT IP address of MX host is a bogus address 
 +14.0.0.0/     REJECT IP address of MX host is a bogus address 
 +23.0.0.0/     REJECT IP address of MX host is a bogus address 
 +31.0.0.0/     REJECT IP address of MX host is a bogus address 
 +36.0.0.0/     REJECT IP address of MX host is a bogus address 
 +39.0.0.0/     REJECT IP address of MX host is a bogus address 
 +42.0.0.0/     REJECT IP address of MX host is a bogus address 
 +49.0.0.0/     REJECT IP address of MX host is a bogus address 
 +100.0.0.0/    REJECT IP address of MX host is a bogus address 
 +104.0.0.0/    REJECT IP address of MX host is a bogus address 
 +106.0.0.0/    REJECT IP address of MX host is a bogus address 
 +127.0.0.0/    REJECT IP address of MX host is a bogus address 
 +169.254.0.0/16  REJECT IP address of MX host is a bogus address 
 +172.16.0.0/12   REJECT IP address of MX host is a bogus address 
 +176.0.0.0/    REJECT IP address of MX host is a bogus address 
 +179.0.0.0/    REJECT IP address of MX host is a bogus address 
 +181.0.0.0/    REJECT IP address of MX host is a bogus address 
 +185.0.0.0/    REJECT IP address of MX host is a bogus address 
 +192.0.2.0/24    REJECT IP address of MX host is a bogus address 
 +192.168.0.0/16  REJECT IP address of MX host is a bogus address 
 +198.18.0.0/15   REJECT IP address of MX host is a bogus address 
 +198.51.100.0/24 REJECT IP address of MX host is a bogus address 
 +203.0.113.0/24  REJECT IP address of MX host is a bogus address 
 +223.0.0.0/    REJECT IP address of MX host is a bogus address 
 +224.0.0.0/    REJECT IP address of MX host is a bogus address 
 +</code> 
 + 
 +**/etc/postfix/discard_ehelo_map** 
 +  # borken_tls_smtp_host  starttls, silent-discard 
 +  193.189.160.1     starttls, silent-discard 
 + 
 +**/etc/postfix/canonical_recipient** 
 +  username@mydomain      myemail 
 + 
 + 
 +**/etc/postfix/whitelist_helo_clients** 
 +127.0.0.1               OK\\ 
 +localhost               OK\\ 
 +host.domain.tld        OK\\ 
 + 
 + 
 +**/etc/postfix/master.cf** 
 +submission inet n                               smtpd\\ 
 +  -o smtpd_tls_security_level=encrypt\\ 
 +  -o smtpd_sasl_auth_enable=yes\\ 
 +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\ 
 +  -o milter_macro_daemon_name=ORIGINATING\\ 
 +**  -o syslog_name=postfix-submission**\\ 
 +smtps     inet  n                               smtpd\\ 
 +  -o smtpd_tls_wrappermode=yes\\ 
 +  -o smtpd_sasl_auth_enable=yes\\ 
 +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\ 
 +  -o milter_macro_daemon_name=ORIGINATING\\ 
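Review bot: The new TLS section points `smtpd_tls_cert_file`/`smtpd_tls_key_file` at the `ssl-cert-snakeoil` pair, which by its name is the distribution's self-signed placeholder, while the master.cf lines added at the end of the page open `submission` and `smtps` with `smtpd_sasl_auth_enable=yes`, so mail clients cannot verify the server they send their passwords to. If the snakeoil paths stay on the page, mark them as a placeholder, for example `# placeholder only: install a CA-issued certificate matching $myhostname before enabling submission/smtps`. The added `smtp_tls_cert_file`/`smtp_tls_key_file` lines hand the same pair to the outbound client; unless a peer requires client certificates they can be dropped. In the same section `# debuging tls` sits above `smtp_tls_loglevel = 0` and `smtpd_tls_loglevel = 0`, which log nothing about TLS; level `1` writes a one-line summary per handshake, which is what lets an operator see whether the opportunistic `may` level is actually negotiating TLS.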
  
postfix/optimized-configuration.1237302740.txt.gz · Last modified: 2009/05/25 00:34 (external edit)