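## A GOOD START
# Postfix main.cf, rendered from a Jinja2 template with the variables
# system, mx, mydestination, mynetworks and certpath.
# Syntax reminder: one "parameter = value" per logical line, continuation
# lines start with whitespace, comments are whole lines starting with "#".
# Postfix does not support a comment after a value on the same line -- the
# "#" and everything after it becomes part of the value, so every note in
# this file is on its own line.
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
{% if system == 'freebsd' or system == 'netbsd' %}
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
{% else %}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
{% endif %}
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_banner = $myhostname ESMTP

# happy-happy procmail
mailbox_size_limit = 0
{% if system == 'freebsd' %}
mailbox_command = /usr/local/bin/procmail
{% elif system == 'netbsd' %}
mailbox_command = /usr/pkg/bin/procmail
{% else %}
mailbox_command = /usr/bin/procmail
{% endif %}

# messages missing a valid Message-ID header are not accepted
# may break DKIM but gmail wants it anyhow
always_add_missing_headers = yes

## MAIN CONFIG & RELAY
myhostname = {{mx}}
# myorigin/mydomain: mx with its first label stripped (domain part)
myorigin = {{ mx | regex_replace('[^.]+\.(.*)', '\\1') }}
mydomain = {{ mx | regex_replace('[^.]+\.(.*)', '\\1') }}
mydestination = {{mydestination}}
mynetworks = {{mynetworks}}
# w/o permit_sasl_authenticated as we use a dedicated port for that
smtpd_relay_restrictions =
    permit_mynetworks
    reject_unauth_destination

## CASUAL
# 10MB --> 25MB
# (default: 10240000)
message_size_limit = 26214400
# unused when mbox or procmail
#home_mailbox = Maildir/
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
enable_long_queue_ids = yes
# no SASL on this listener; submission lives on the dedicated port
smtpd_sasl_auth_enable = no

## NETWORK
# slow down inbound on errors
# default is 10
smtpd_soft_error_limit = 5
# reduce inbound errors
# default is 20
smtpd_hard_error_limit = 10
# bounce faster when messages get stuck
# graylisting should be fine within 5 hours delay
# default is 5d
bounce_queue_lifetime = 5h
maximal_queue_lifetime = 6h
# reject_unknown_client_hostname is strict: clients without a PTR, or whose
# PTR does not resolve back to the connecting IP, get the 554 configured in
# unknown_client_reject_code below.
# DNSBL zones: review this list periodically. A discontinued zone that
# starts answering positively for every query would reject ALL inbound
# mail. Spamhaus answers 127.255.255.x when a query is refused (public
# resolver, query volume exceeded); restricting the accepted return codes
# keeps such answers from being treated as a listing.
#   zen: 127.0.0.2-11 are the SBL/CSS/XBL/PBL listing codes
#   dbl: 127.0.1.2-99 are the listing codes; the 127.0.1.1xx
#        "abused legitimate domain" codes and 127.0.1.255 are not rejected
smtpd_client_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    reject_unknown_client_hostname
    check_client_access hash:/etc/postfix/access.client
    reject_rbl_client bl.spamcop.net
    reject_rbl_client public.sarbl.org
# NOTE(review): CBL data is also served through zen.spamhaus.org (XBL);
# confirm the cbl.abuseat.org zone is still operated before keeping it
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client db.wpbl.info
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client bl.blocklist.de
    reject_rbl_client spam.spamrats.com
    reject_rbl_client truncate.gbudb.net
    reject_rbl_client dnsbl.dronebl.org
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
# down
#reject_rbl_client ix.dnsbl.manitu.net
#reject_rbl_client dnsbl.inps.de
#reject_unknown_client_hostname --> unknown_client_reject_code
#reject_unknown_reverse_client_hostname --> unknown_client_reject_code
unknown_client_reject_code = 554
#smtpd_client_port_logging = yes

## EHLO
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    regexp:/etc/postfix/access.helo.regexp
#reject_unknown_helo_hostname --> unknown_hostname_reject_code
unknown_hostname_reject_code = 554

## MAIL FROM & SPF
# check_policy_service unix:private/policy is the SPF policy daemon
# (socket name from master.cf)
smtpd_sender_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    check_sender_access hash:/etc/postfix/access.sender
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_policy_service unix:private/policy
#deprecated: policy_time_limit = 3600
smtpd_policy_service_request_limit = 1

## RCPT TO
# NOTE(review): access.rcpt is looked up with check_sender_access, i.e. it
# is keyed by the envelope SENDER, not the recipient. If that table lists
# recipients this should be check_recipient_access -- kept as-is, confirm
# against the table's contents.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    check_sender_access hash:/etc/postfix/access.rcpt
#reject_unknown_sender_domain --> unknown_address_reject_code
#reject_unknown_recipient_domain --> unknown_address_reject_code
unknown_address_reject_code = 554

## DATA
#client speaks too early
smtpd_data_restrictions = reject_unauth_pipelining

## CERTS & CIPHERS
tls_append_default_CA = no
# no: the client's cipher preference wins; set to yes to enforce ours
tls_preempt_cipherlist = no
# candidate further exclusions kept on their own line so they can never
# be swallowed into the cipher string:
# :!AES128:!CAMELLIA128
tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES

## STARTTLS INBOUND
smtpd_tls_cert_file = /var/lib/dehydrated/certs/{{certpath}}/fullchain.pem
smtpd_tls_key_file = /var/lib/dehydrated/certs/{{certpath}}/privkey.pem
smtpd_tls_eccert_file = /var/lib/dehydrated/certs/ECC/{{certpath}}/fullchain.pem
smtpd_tls_eckey_file = /var/lib/dehydrated/certs/ECC/{{certpath}}/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtpd_tls_loglevel = 1
# opportunistic: peers that cannot do TLS still deliver in the clear
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# TLSv1/TLSv1.1 stay enabled (opportunistic TLS beats cleartext); the
# exclusion below is kept as a separate comment line, NOT appended to the
# value. With compatibility_level 3.6 the shorthand ">=TLSv1.2" is
# available should they be dropped.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
# no need to check client certs
smtpd_tls_CApath = /etc/ssl/certs
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes
#smtpd_tls_CApath = no
#smtpd_tls_CAfile = /etc/ssl/cacert.pem

## STARTTLS OUTBOUND
# DANE wants DNSSEC: TLSA lookups are only trusted when the resolver
# Postfix uses validates DNSSEC (AD bit). TODO confirm the local resolver
# does; otherwise check the smtp logs for DNSSEC/DANE warnings.
smtp_dns_support_level = dnssec
smtp_tls_cert_file = /var/lib/dehydrated/certs/{{certpath}}/fullchain.pem
smtp_tls_key_file = /var/lib/dehydrated/certs/{{certpath}}/privkey.pem
smtp_tls_eccert_file = /var/lib/dehydrated/certs/ECC/{{certpath}}/fullchain.pem
smtp_tls_eckey_file = /var/lib/dehydrated/certs/ECC/{{certpath}}/privkey.pem
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtp_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
# cannot check server certs unless we also enable DANE
smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_verify_cert_match = hostname (default)
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#smtp_tls_CApath = no
#smtp_tls_CAfile = /etc/ssl/cacert.pem
# legacy parameter from the pre-2.3 TLS interface, superseded by
# smtp_tls_security_level; "yes" is its default and harmless here.
# There is no smtpd_ counterpart.
smtp_tls_enforce_peername = yes

## DKIM
# tempfail (not accept) when the milter is unreachable, so mail is
# retried instead of passing unsigned/unverified
milter_default_action = tempfail
milter_protocol = 6
# milter on loopback only; 8891 is the usual OpenDKIM listener -- confirm
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters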