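# Postfix main.cf for mx.nethence.com: SMTP server with Dovecot SASL
# authentication, STARTTLS, and per-stage SMTP access restrictions.
# Format reminder: one "name = value" per logical line, a line that starts
# with whitespace continues the previous one, and "#" is only a comment at
# the start of a line (there are no trailing comments).

# --- SASL authentication (delegated to Dovecot) ---
smtpd_sasl_type = dovecot
# Socket path, relative to the Postfix queue directory.
smtpd_sasl_path = private/auth
#queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
# Applies to sessions without TLS: no anonymous and no plaintext mechanisms.
smtpd_sasl_security_options = noanonymous, noplaintext
# Applies once TLS is active: plaintext mechanisms are acceptable there.
smtpd_sasl_tls_security_options = noanonymous
# AUTH is only offered after STARTTLS, so credentials never cross the wire
# unencrypted.
smtpd_tls_auth_only = yes

# --- Protocol hygiene ---
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# VRFY would let a remote client probe which local addresses exist.
disable_vrfy_command = yes
# Restrictions are evaluated at RCPT TO, so every stage sees the full
# client/HELO/sender context and rejects are logged with the recipient.
smtpd_delay_reject = yes

# --- NETWORK restrictions ---
#postmap /etc/postfix/client_access
# NOTE(review): there is no permit_sasl_authenticated in this list, so
# authenticated clients are still checked against the DNSBLs below.
# zen.spamhaus.org includes end-user address ranges; confirm that the
# submission service in master.cf overrides smtpd_client_restrictions,
# otherwise roaming users may be rejected - TODO verify.
# Review the DNSBL list periodically: a list that has been shut down can
# time out on every connection or start answering for every address.
smtpd_client_restrictions =
    permit_mynetworks,
    check_policy_service unix:private/policy,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    check_client_access hash:/etc/postfix/client_access,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client zen.spamhaus.org,
    reject_unauth_pipelining
# this is too restrictive
#    reject_rhsbl_sender dsn.rfc-clueless.org,
# apews is blocking bsd.nethence.com (online.net)
#    reject_rbl_client l2.apews.org,
# sarbl.org not found
#    reject_rbl_client public.sarbl.org,

#deprecated: policy_time_limit = 3600
# One request per connection to the policy service.
smtpd_policy_service_request_limit = 1
#http://www.postfix.org/SMTPD_POLICY_README.html

#reject_unknown_client_hostname --> unknown_client_reject_code
#reject_unknown_reverse_client_hostname --> unknown_client_reject_code
# 554 makes these rejects permanent; the default (450) is a temporary
# failure that a legitimate sender with broken DNS would retry.
unknown_client_reject_code = 554

#smtpd_client_port_logging = yes

# --- HELO/EHLO restrictions ---
# The lookup table is written with its explicit check_helo_access keyword
# rather than as a bare type:table entry.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    check_helo_access regexp:/etc/postfix/helo.regexp

#reject_unknown_helo_hostname --> unknown_hostname_reject_code
unknown_hostname_reject_code = 554

# --- MAIL FROM restrictions ---
#postmap /etc/postfix/sender_access
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
#    warn_if_reject,
# Too restrictive: this prevents senders whose address does not accept mail
# from reaching you. Try to book a hotel or a flight with that enabled and
# you will feel the pain.
#    reject_unverified_sender
#unverified_sender_reject_code = 550
#unverified_sender_reject_reason = Address verification failed
#address_verify_map = proxy:btree:$data_directory/verify_cache
#address_verify_cache_cleanup_interval = 72h
#
# Postfix 2.6 and later.
# unverified_sender_defer_code = 250
#
#proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map

# --- RCPT TO restrictions ---
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain

#reject_unknown_sender_domain --> unknown_address_reject_code
#reject_unknown_recipient_domain --> unknown_address_reject_code
unknown_address_reject_code = 554

# --- DATA restrictions ---
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# --- Relay control ---
#smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
# This is the list that keeps the server from being an open relay: only
# local and authenticated clients may send to foreign destinations.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# --- Error throttling for misbehaving clients ---
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

# --- Identity and local delivery ---
#(default to myhostname)
myorigin = $mydomain
#(default to FQDN minus the first component)
mydomain = nethence.com
myhostname = mx.nethence.com
mydestination = $mydomain
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.17.0.0/16
# Only the IPv4 loopback address is trusted. inet_protocols is "all" below,
# so a local connection over ::1 is treated like any external client.
mynetworks = 127.0.0.1/32
message_size_limit = 30720000
home_mailbox = Maildir/
#smtpd_banner (default: $myhostname ESMTP $mail_name)
# $mail_name is left out so the greeting does not name the MTA software.
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no

# --- TLS, server side ---
# DOMAIN.TLD is a placeholder for the certificate's directory name.
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file = /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
#smtpd_tls_cert_file = /etc/openssl/selfsign.cer
#smtpd_tls_key_file = /etc/openssl/selfsign.key
#smtpd_tls_cert_file = /usr/pkg/etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
#smtpd_tls_key_file = /usr/pkg/etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
# Opportunistic STARTTLS for inbound connections. This is the current
# spelling of the obsolete "smtpd_use_tls = yes".
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# --- TLS, client side (outbound delivery) ---
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# 1 = log a summary line when a TLS handshake completes.
smtp_tls_loglevel = 1
# NOTE(review): no smtp_tls_security_level is set in this file, so the two
# client-side settings above only matter once outbound TLS is enabled.
# Opportunistic outbound TLS would be:
#smtp_tls_security_level = may

# --- Aliases, relaying and listeners ---
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Empty: deliver directly to the destination's MX, no smarthost.
relayhost =
# 0 = no limit on mailbox size.
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
compatibility_level = 2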