--- /dev/null
+# --------------------
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# location of the Postfix queue. Default is /var/spool/postfix.
+queue_directory = /var/spool/postfix
+
+# location of all postXXX commands. Default is /usr/sbin.
+command_directory = /usr/sbin
+
+# location of all Postfix daemon programs (i.e. programs listed in the
+# master.cf file). This directory must be owned by root.
+# Default is /usr/libexec/postfix
+#daemon_directory = /usr/lib/postfix
+
+# location of Postfix-writable data files (caches, random numbers).
+# This directory must be owned by the mail_owner account (see below).
+# Default is /var/lib/postfix.
+data_directory = /var/lib/postfix
+
+# owner of the Postfix queue and of most Postfix daemon processes.
+# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
+# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
+# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
+# Default is postfix.
+mail_owner = postfix
+
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# full pathname of the Postfix mailq command. This is the Sendmail-compatible
+# mail queue listing command.
+mailq_path = /usr/bin/mailq
+
+# group for mail submission and queue management commands.
+# This must be a group name with a numerical group ID that is not shared with
+# other accounts, not even with the Postfix account.
+setgid_group = postdrop
+
+# external command that is executed when a Postfix daemon program is run with
+# the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+debug_peer_level = 2
+
+# --------------------
+# CUSTOM SETTINGS
+#
+
+# SMTP server response code when recipient or domain not found.
+unknown_local_recipient_reject_code = 550
+
+# Do not notify local user.
+biff = no
+
+# Disable the rewriting of "site!user" into "user@site".
+swap_bangpath = no
+
+# Disable the rewriting of the form "user%domain" to "user@domain".
+allow_percent_hack = no
+
+# Allow recipient address start with '-'.
+allow_min_user = no
+
+# Disable the SMTP VRFY command. This stops some techniques used to
+# harvest email addresses.
+disable_vrfy_command = yes
+
+# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
+inet_protocols = all
+
+# Enable all network interfaces.
+inet_interfaces = all
+
+#
+# TLS settings.
+#
+# SSL key, certificate, CA
+#
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.uhu-banane.net/privkey.pem
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.uhu-banane.net/fullchain.pem
+smtpd_tls_CAfile = $smtpd_tls_cert_file
+
+#
+# Disable SSLv2, SSLv3
+#
+smtpd_tls_protocols = !SSLv2 !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtp_tls_protocols = !SSLv2 !SSLv3
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+lmtp_tls_protocols = !SSLv2 !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+
+#
+# Fix 'The Logjam Attack'.
+#
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
+
+tls_random_source = dev:/dev/urandom
+
+# Log only a summary message on TLS handshake completion — no logging of client
+# certificate trust-chain verification errors if client certificate
+# verification is not required. With Postfix 2.8 and earlier, log the summary
+# message, peer certificate summary information and unconditionally log
+# trust-chain verification errors.
+smtp_tls_loglevel = 1
+smtpd_tls_loglevel = 1
+
+# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
+# not require that clients use TLS encryption.
+smtpd_tls_security_level = may
+
+# Produce `Received:` message headers that include information about the
+# protocol and cipher used, as well as the remote SMTP client CommonName and
+# client certificate issuer CommonName.
+# This is disabled by default, as the information may be modified in transit
+# through other mail servers. Only information that was recorded by the final
+# destination can be trusted.
+#smtpd_tls_received_header = yes
+
+# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext.
+# References:
+# - http://www.postfix.org/TLS_README.html#client_tls_may
+# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
+smtp_tls_security_level = may
+
+# Use the same CA file as smtpd.
+smtp_tls_CAfile = $smtpd_tls_cert_file
+smtp_tls_note_starttls_offer = yes
+
+# Enable long, non-repeating, queue IDs (queue file names).
+# The benefit of non-repeating names is simpler logfile analysis and easier
+# queue migration (there is no need to run "postsuper" to change queue file
+# names that don't match their message file inode number).
+#enable_long_queue_ids = yes
+
+# Reject unlisted sender and recipient
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+
+# Header and body checks with PCRE table
+header_checks = pcre:/etc/postfix/header_checks
+body_checks = pcre:/etc/postfix/body_checks.pcre
+
+# HELO restriction
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_non_fqdn_helo_hostname
+ reject_invalid_helo_hostname
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+
+# Sender restrictions
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain
+ reject_non_fqdn_sender
+ reject_unlisted_sender
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_sender_access pcre:/etc/postfix/sender_access.pcre
+
+# Recipient restrictions
+smtpd_recipient_restrictions =
+ reject_unknown_recipient_domain
+ reject_non_fqdn_recipient
+ reject_unlisted_recipient
+ check_policy_service inet:127.0.0.1:7777
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_unauth_destination
+
+# Data restrictions
+smtpd_data_restrictions = reject_unauth_pipelining
+
+# END-OF-MESSAGE restrictions
+smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
+
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
+
+# Avoid duplicate recipient messages. Default is 'yes'.
+enable_original_recipient = no
+
+# Virtual support.
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /home/vmail
+
+# Do not set virtual_alias_domains.
+virtual_alias_domains =
+
+#
+# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
+# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
+# be forced to submit email through port 587 instead.
+#
+#smtpd_sasl_auth_enable = yes
+#smtpd_tls_auth_only = yes
+#smtpd_sasl_security_options = noanonymous
+
+# hostname
+myhostname = mail.uhu-banane.net
+myorigin = mail.uhu-banane.net
+mydomain = uhu-banane.net
+
+# trusted SMTP clients which are allowed to relay mail through Postfix.
+#
+# Note: additional IP addresses/networks listed in mynetworks should be listed
+# in iRedAPD setting 'MYNETWORKS' too. for example:
+#
+# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
+#
+mynetworks = 127.0.0.1, 185.48.118.130, 10.12.20.5, [2001:6f8:1db7::5]
+
+# Accepted local emails
+mydestination = $myhostname, sarah.uhu-banane.de, localhost, localhost.localdomain
+
+alias_maps = hash:/etc/postfix/aliases
+alias_database = hash:/etc/postfix/aliases
+
+# Default message_size_limit.
+message_size_limit = 52428800
+
+# The set of characters that can separate a user name from its extension
+# (example: user+foo), or a .forward file name from its extension (example:
+# .forward+foo).
+# Postfix 2.11 and later supports multiple characters.
+recipient_delimiter = +
+
+#
+# Lookup virtual mail accounts
+#
+transport_maps =
+ proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
+
+sender_dependent_relayhost_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
+
+# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
+smtpd_sender_login_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
+
+virtual_mailbox_domains =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
+
+relay_domains =
+ $mydestination
+ proxy:mysql:/etc/postfix/mysql/relay_domains.cf
+
+virtual_mailbox_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
+
+virtual_alias_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
+
+sender_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
+
+recipient_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
+postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
+postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
+postscreen_greet_action = enforce
+postscreen_dnsbl_action = enforce
+postscreen_blacklist_action = enforce
+postscreen_dnsbl_whitelist_threshold = -2
+#
+# Dovecot SASL support.
+#
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/dovecot-auth
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+content_filter = smtp-amavis:[127.0.0.1]:10024
+smtp-amavis_destination_recipient_limit = 1
+mailbox_size_limit = 524288000
+smtpd_tls_received_header = yes
+
+# smtpd_milters = inet:localhost:8891
+# non_smtpd_milters = inet:localhost:8891
+
+smtpd_banner = $myhostname ESMTP $mail_name $mail_version
+smtpd_sasl_authenticated_header = yes
+smtp_tls_cert_file = $smtpd_tls_cert_file
+smtp_tls_key_file = $smtpd_tls_key_file
projects / config / sarah / etc.git / commitdiff