Differences

This shows you the differences between two versions of the page.

--- postfix:optimized-configuration [2009/03/20 12:43]
greebo
+++ postfix:optimized-configuration [2013/09/12 15:40] (current)
zagi
@@ Line 1: / Line 1: @@
-soft_bounce = yes\\
+**main.cf**
-\\
+<code>
-smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html\\
+#soft_bounce = yes
-\\
+smtpd_banner = $myhostname ESMTP (NO UCE)(NO UBE) http://www.rfc.net/rfc2821.html
-biff = no\\
+biff = no
-\\
-# appending .domain is the MUA's job.\\
+# appending .domain is the MUA's job.
-append_dot_mydomain = no\\
+append_dot_mydomain = no
-\\
-# Uncomment the next line to generate "delayed mail" warnings\\
+# Uncomment the next line to generate "delayed mail" warnings
-delay_warning_time = 4h\\
+#delay_warning_time = 3h
-\\
-readme_directory = no\\
+readme_directory = no
+html_directory = no
+myorigin = $myhostname
+# mta MUST accept mail for localhost, localhost.$mydomain
+mydestination = $myhostname, localhost.$mydomain, localhost
+myhostname = host.domain.tld
+# Yes...please exchange it :-)
+mail_name = Exchange Microsoft
+# Use only if you have trouble sending mail. It breaks "sender address verification"
+#fallback_relay = [smtp.*.net]
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+sender_canonical_maps = hash:/etc/postfix/canonical_sender
+recipient_canonical_maps = hash:/etc/postfix/canonical_recipient
+allow_percent_hack = no
+swap_bangpath = no
+virtual_maps = hash:/etc/postfix/virtual
+local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname
+#slow-transport (3 smtp connections at a time)
+slow_destination-concurrency_limit = 3
+</code>
+**TLS Sections**
+<code>
+# TLS parameters
+smtp_tls_security_level=may
+#obsoletes smtp_use_tls smtp_enforce_tls  smtp_tls_enforce_peername
+smtp_tls_note_starttls_offer=yes
+smtp_tls_CApath = /etc/ssl/certs
+smtpd_tls_security_level=may
+#obsoletes  smtpd_use_tls smtpd_enforce_tls
+smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+# debuging tls
+smtp_tls_loglevel = 0
+smtpd_tls_loglevel = 0
+smtpd_tls_auth_only=yes
+smtpd_tls_received_header=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+tls_random_source = dev:/dev/urandom
+###smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+###smtpd_tls_ask_ccert = yes
+###smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
+smtp_tls_note_starttls_offer = yes
+#smtp_tls_enforce_peername = no
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_application_name = smtpd
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+broken_sasl_auth_clients = yes
+smtpd_sasl_exceptions_networks = $mynetworks
+ smtpd_sasl_authenticated_header = no
+</code>
+<code>
+#unverified_sender_reject_code = 550
+relayhost =
+mynetworks = 127.0.0.0/8 192.168.10.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender
+permissive = permit
+rblcheck =
+        check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient,
+        reject_rbl_client zen.spamhaus.org,
+        reject_rbl_client bl.spamcop.net,
+        reject_rbl_client psbl.surriel.com,
+        reject_rhsbl_sender bogusmx.rfc-ignorant.org
+greylisting =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient,
+        check_policy_service inet:127.0.0.1:60000
+nodynamic_client =
+        warn_if_reject reject_unknown_client_hostname,
+        check_client_access pcre:/etc/postfix/no_dynamic.pcre
+check_policyd_weight =
+        check_client_access hash:/etc/postfix/whitelist_policydweight_clients
+        check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient,
+        check_policy_service inet:127.0.0.1:12525
+verify_sender =
+        check_sender_access hash:/etc/postfix/whitelist_verify_sender,
+        check_recipient_access hash:/etc/postfix/whitelist_verify_recipient,
+        reject_unverified_sender
+# Don't offer ETRN nor VRFY
+smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY
+smtpd_discard_ehlo_keyword_address_maps =
+        hash:/etc/postfix/discard_ehelo_map
+smtpd_helo_restrictions =
+        check_client_access hash:/etc/postfix/whitelist_helo_clients
+        hash:/etc/postfix/helo_checks
+        permit_sasl_authenticated
+        permit_mynetworks
+        warn_if_reject reject_invalid_hostname
+        warn_if_reject reject_non_fqdn_hostname
+        warn_if_reject reject_unknown_hostname
+smtpd_etrn_restrictions=
+        permit_mynetworks,
+        reject
+#smtpd_sender_login_maps =  ldap:ldap_accounts, ldap:ldap_alias
+#smtpd_sender_restrictions = reject_sender_login_mismatch
+smtpd_recipient_restrictions =
+        greylisting,
+        reject_unlisted_recipient,
+        reject_non_fqdn_sender,
+        reject_non_fqdn_recipient,
+        reject_unknown_sender_domain,
+        reject_unknown_recipient_domain,
+        check_sender_mx_access cidr:/etc/postfix/bogon_networks,
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unauth_destination,
+        rblcheck,
+        check_policyd_weight,
+        nodynamic_client,
+        verify_sender
+#       reject_unverified_recipient
+smtpd_data_restrictions =
+                reject_multi_recipient_bounce
+                reject_unauth_pipelining
+                permit
+content_filter = smtp-amavis:[127.0.0.1]:10024
+#already in master.cf:
+#lmtp_send_xforward_command = yes
+#smtp_send_xforward_command = yes
+hash_queue_depth = 1
+# /etc/aliases - add postar!
+address_verify_sender = postar
+address_verify_map = btree:$(data_directory)/verify
+home_mailbox = Maildir/
+message_size_limit = 70480000
+# ABKO
+disable_vrfy_command = yes
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+unverified_recipient_reject_code = 550
+unverified_sender_reject_code = 550
+smtpd_error_sleep_time = 3s
+smtpd_soft_error_limit = 5
+smtpd_hard_error_limit = 10
+# Mailman feature
+owner_request_special = yes
+show_user_unknown_table_name = no
+# testing purposed
+# smtpd_delay_reject = no
+# DEBUG
+# debug_peer_level = 1
+#debug_peer_list = 193.77.x.x/32
+remote_header_rewrite_domain = domain.invalid
+</code>
+**/etc/postfix/helo_checks**
+<code>
+<FQDN>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+<IP>	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+[<IP>]	551	Spammer comes to me. Greets me with my own IP. His mail I shall not see.
+</code>
+**/etc/postfix/no_dynamic.pcre**
+  /\.static\./    OK
+  /\.dynamic\./   REJECT Get static IP or use your ISP SMTP server
+  /\-dynamic\./   REJECT Get static IP or use your ISP SMTP server
+  /\-dynamicIP\./   REJECT Get static IP or use your ISP SMTP server
+  /\-dynamicip\./   REJECT Get static IP or use your ISP SMTP server
+  /\.dsl\./       REJECT Get static IP or use your ISP SMTP server
+  /\.adsl\./      REJECT Get static IP or use your ISP SMTP server
 \\
-myorigin = $myhostname\\
-mydestination = $myhostname, localhost.$mydomain\\
-\\
-myhostname = host.domain.tld\\
-mail_name = Exchange Microsoft\\
-\\
-#fallback_relay = [smtp.*.net]\\
-\\
-alias_maps = hash:/etc/aliases\\
-alias_database = hash:/etc/aliases\\
-\\
-virtual_maps = hash:/etc/postfix/virtual\\
-\\
-local_recipient_maps = proxy:$virtual_maps proxy:$alias_maps proxy:unix:passwd.byname\\
-\\
-#slow-transport (3 smtp connections at a time)\\
-slow_destination-concurrency_limit = 3\\
-\\
-# TLS parameters\\
-smtpd_tls_cert_file=/etc/ssl/certs/server.crt\\
-smtpd_tls_key_file=/etc/ssl/private/server.key\\
-smtpd_use_tls=yes\\
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache\\
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache\\
-smtpd_tls_auth_only = yes\\
-smtpd_tls_received_header = yes\\
-tls_random_source = dev:/dev/urandom\\
-\\
-#smtpd_tls_loglevel = 3\\
-#smtp_tls_note_starttls_offer = yes\\
-#smtp_tls_enforce_peername = no\\
-\\
-smtpd_sasl_local_domain = $myhostname\\
-smtpd_sasl_application_name = smtpd\\
-smtpd_sasl_auth_enable = yes\\
-smtpd_sasl_security_options = noanonymous\\
-broken_sasl_auth_clients = yes\\
-smtpd_sasl_exceptions_networks = $mynetworks\\
-\\
-#unverified_sender_reject_code = 550\\
-\\
-relayhost =\\
-mynetworks = 127.0.0.0/8 192.168.10.0/24\\
-mailbox_size_limit = 0\\
-recipient_delimiter = +\\
-inet_interfaces = all\\
-inet_protocols = ipv4\\
-\\
-smtpd_restriction_classes = permissive, rblcheck, greylisting, nodynamic_client, check_policyd_weight, verify_sender\\
-\\
-permissive = permit\\
-\\
-rblcheck =\\
-        check_recipient_access hash:/etc/postfix/whitelist_rbl_recipient\\
-        reject_rbl_client zen.spamhaus.org,\\
-        reject_rhsbl_sender bogusmx.rfc-ignorant.org\\
-\\
-greylisting =\\
-        check_recipient_access hash:/etc/postfix/whitelist_greylist_recipient\\
-        check_policy_service inet:127.0.0.1:60000\\
-\\
-nodynamic_client =\\
-        warn_if_reject reject_unknown_client_hostname,\\
-        check_client_access pcre:/etc/postfix/no_dynamic.pcre\\
-\\
-check_policyd_weight =\\
-        check_recipient_access hash:/etc/postfix/whitelist_policydweight_recipient\\
-        check_policy_service inet:127.0.0.1:12525\\
-\\
-verify_sender =\\
-        check_sender_access hash:/etc/postfix/whitelist_verify_sender\\
-        check_recipient_access hash:/etc/postfix/whitelist_verify_recipient\\
-        reject_unverified_sender\\
-\\
-smtpd_discard_ehlo_keywords = silent-discard, ETRN VRFY\\
-\\
-smtpd_helo_restrictions =\\
-        hash:/etc/postfix/helo_checks\\
-\\
-smtpd_etrn_restrictions=\\
-        permit_mynetworks,\\
-        reject\\
-\\
-smtpd_sender_restrictions =\\
-\\
-smtpd_recipient_restrictions =\\
-        greylisting,\\
-        reject_unlisted_recipient,\\
-        reject_non_fqdn_sender,\\
-        reject_non_fqdn_recipient,\\
-        reject_unknown_sender_domain,\\
-        reject_unknown_recipient_domain,\\
-        check_sender_mx_access cidr:/etc/postfix/bogon_networks,\\
-        permit_mynetworks,\\
-        permit_sasl_authenticated,\\
-        reject_unauth_destination,\\
-        rblcheck,\\
-        check_policyd_weight,\\
-        nodynamic_client,\\
-        verify_sender\\
-#       reject_unverified_recipient\\
-\\
-smtpd_data_restrictions =\\
-                reject_multi_recipient_bounce\\
-                reject_unauth_pipelining\\
-                permit\\
-\\
-content_filter = smtp-amavis:[127.0.0.1]:10024\\
-\\
-lmtp_send_xforward_command = yes\\
-smtp_send_xforward_command = yes\\
-\\
-hash_queue_depth = 1\\
-\\
-# /etc/aliases - add postar\\
-address_verify_sender = postar\\
-address_verify_map = btree:$(data_directory)/verify\\
-\\
-home_mailbox = Maildir/\\
-message_size_limit = 70480000\\
-\\
-# ABKO\\
-disable_vrfy_command = yes\\
-smtpd_helo_required = yes\\
-strict_rfc821_envelopes = yes\\
-\\
-unverified_recipient_reject_code = 550\\
-unverified_sender_reject_code = 550\\
-\\
-smtpd_error_sleep_time = 0s\\
-smtpd_soft_error_limit = 5\\
-smtpd_hard_error_limit = 10\\
-\\
-owner_request_special = yes\\
-show_user_unknown_table_name = no\\
-\\
-#smtpd_delay_reject = no\\
-\\
-# DEBUG\\
-# debug_peer_level = 1\\
-#debug_peer_list = 193.77.x.x/32\\
-remote_header_rewrite_domain = domain.invalid\\
-/etc/postfix/whitelist_rbl_recipient FIXME \\
+**/etc/postfix/whitelist_rbl_recipient**
-/etc/postfix/whitelist_greylist_recipient FIXME \\
+  root@           OK
-/etc/postfix/no_dynamic.pcre FIXME \\
+  admin@          OK
-/etc/postfix/whitelist_policydweight_recipient FIXME \\
+  postmaster@     OK
-/etc/postfix/whitelist_verify_sender FIXME \\
+  abuse@          OK
-/etc/postfix/whitelist_verify_recipient FIXME \\
+  postar@         OK
-/etc/postfix/bogon_networks FIXME
+**/etc/postfix/whitelist_greylist_recipient**
+  root@           OK
+  admin@          OK
+  postmaster@     OK
+  abuse@          OK
+  postar@         OK
+**/etc/postfix/whitelist_policydweight_recipient**
+FIXME
+**/etc/postfix/whitelist_verify_sender**
+  nevtron.si              OK
+  www-data@               OK
+  finance-on.net          OK
+  uni-mb.si               OK
+  mailer.mojedelo.com     OK
+**/etc/postfix/whitelist_verify_recipient**
+  root@           OK
+  admin@          OK
+  postmaster@     OK
+  abuse@          OK
+  postar@         OK
+**/etc/postfix/bogon_networks**
+<code>
+# http://www.cymru.com/Documents/bogon-bn-agg.txt
+.0.0.0/8       REJECT IP address of MX host is a bogus address
+.0.0.0/8       REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/7      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/8      REJECT IP address of MX host is a bogus address
+.0.0.0/6     REJECT IP address of MX host is a bogus address
+.0.0.0/7     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.254.0.0/16  REJECT IP address of MX host is a bogus address
+.16.0.0/12   REJECT IP address of MX host is a bogus address
+.0.0.0/7     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.2.0/24    REJECT IP address of MX host is a bogus address
+.168.0.0/16  REJECT IP address of MX host is a bogus address
+.18.0.0/15   REJECT IP address of MX host is a bogus address
+.51.100.0/24 REJECT IP address of MX host is a bogus address
+.0.113.0/24  REJECT IP address of MX host is a bogus address
+.0.0.0/8     REJECT IP address of MX host is a bogus address
+.0.0.0/3     REJECT IP address of MX host is a bogus address
+</code>
+**/etc/postfix/discard_ehelo_map**
+  # borken_tls_smtp_host  starttls, silent-discard
+.189.160.1     starttls, silent-discard
+**/etc/postfix/canonical_recipient**
+  username@mydomain      myemail
+**/etc/postfix/whitelist_helo_clients**
+.0.0.1               OK\\
+localhost               OK\\
+host.domain.tld        OK\\
+**/etc/postfix/master.cf**
+submission inet n       -       -       -       -       smtpd\\
+  -o smtpd_tls_security_level=encrypt\\
+  -o smtpd_sasl_auth_enable=yes\\
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\
+  -o milter_macro_daemon_name=ORIGINATING\\
+**  -o syslog_name=postfix-submission**\\
+smtps     inet  n       -       -       -       -       smtpd\\
+  -o smtpd_tls_wrappermode=yes\\
+  -o smtpd_sasl_auth_enable=yes\\
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\\
+  -o milter_macro_daemon_name=ORIGINATING\\