From: Frank Brehm
Date: Thu, 16 Jan 2025 11:39:23 +0000 (+0100)
Subject: Current state of postfix
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=f382dc210a2e91e7e189f20fb93540e40aea7b9d;p=config%2Fdev-mail-fbrehm%2Fetc.git
Current state of postfix
---
diff --git a/.etckeeper b/.etckeeper
index 8e36b20..973737a 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -1000,14 +1000,50 @@ maybe chmod 0644 'postfix/access'
 maybe chmod 0644 'postfix/aliases'
 maybe chgrp 'postfix' 'postfix/body_checks.pcre'
 maybe chmod 0640 'postfix/body_checks.pcre'
+maybe chmod 0644 'postfix/command_filter.pcre'
 maybe chmod 0644 'postfix/dynamicmaps.cf'
 maybe chmod 0755 'postfix/dynamicmaps.cf.d'
 maybe chmod 0644 'postfix/header_checks'
+maybe chgrp 'postfix' 'postfix/helo_access.pcre'
+maybe chmod 0640 'postfix/helo_access.pcre'
 maybe chmod 0644 'postfix/main.cf'
 maybe chmod 0644 'postfix/main.cf.proto'
 maybe chmod 0644 'postfix/master.cf'
 maybe chmod 0644 'postfix/master.cf.orig'
 maybe chmod 0644 'postfix/master.cf.proto'
+maybe chmod 0755 'postfix/mysql'
+maybe chgrp 'postfix' 'postfix/mysql/catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/relay_domains.cf'
+maybe chmod 0640 'postfix/mysql/relay_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_login_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_login_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_maillist.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_maillist.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_maps.cf'
 maybe chmod 0755 'postfix/post-install'
 maybe chmod 0644 'postfix/postfix-files'
 maybe chmod 0755 'postfix/postfix-files.d'
@@ -1018,7 +1054,11 @@ maybe chmod 0644 'postfix/postfix-files.d/sqlite.files'
 maybe chmod 0755 'postfix/postfix-script'
 maybe chmod 0644 'postfix/postscreen_access.cidr'
 maybe chmod 0644 'postfix/postscreen_dnsbl_reply'
+maybe chmod 0644 'postfix/recipient_bcc'
 maybe chmod 0755 'postfix/sasl'
+maybe chmod 0644 'postfix/sender_bcc'
+maybe chmod 0644 'postfix/sender_dependent_relayhost'
+maybe chmod 0644 'postfix/transport'
 maybe chmod 0644 'postfix/virtual'
 maybe chmod 0755 'ppp'
 maybe chmod 0755 'ppp/ip-down.d'
@@ -1222,6 +1262,8 @@ maybe chmod 0755 'ssl'
 maybe chmod 0755 'ssl/certs'
 maybe chmod 0644 'ssl/certs/ca-certificates.crt'
 maybe chmod 0644 'ssl/certs/ssl-cert-snakeoil.pem'
+maybe chmod 0644 'ssl/dh2048_param.pem'
+maybe chmod 0644 'ssl/dh512_param.pem'
 maybe chmod 0755 'ssl/dkim'
 maybe chmod 0600 'ssl/dkim/mail-2025-01-14.dpx.private'
 maybe chmod 0644 'ssl/dkim/mail-2025-01-14.dpx.pub'
diff --git a/postfix/main.cf b/postfix/main.cf
index 016c666..72af544 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -6,7 +6,7 @@
 # is /etc/mailname.
 #myorigin = /etc/mailname
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+smtpd_banner = $myhostname ESMTP $mail_name $mail_version
 biff = no
 # appending .domain is the MUA's job.
@@ -24,8 +24,8 @@ compatibility_level = 3.6
 # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file = /etc/ssl/tls/certs/wildcard.pixelpark.com-cert.pem
+smtpd_tls_key_file = /etc/ssl/tls/private/wildcard.pixelpark.com-key.pem
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
@@ -38,8 +38,8 @@ myhostname = dev-mail-fbrehm.pixelpark.com
 alias_maps = hash:/etc/postfix/aliases
 alias_database = hash:/etc/postfix/aliases
 myorigin = /etc/mailname
-mydestination = $myhostname, dev-mail-fbrehm.pixelpark.com, localhost.pixelpark.com, , localhost
-relayhost =
+mydestination = $myhostname, dev-mail-fbrehm, dev-mail-fbrehm.pixelpark.com, dev-mail-fbrehm.$mydomain, localhost.pixelpark.com, localhost, localhost.localdomain, localhost.$mydomain
+relayhost = [prd-mail.pixelpark.com]
 mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128, 217.66.51.28
 # mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 524288000
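Review bot: The new `+smtpd_banner` line appends `$mail_version`, so the exact Postfix release is announced to every client before any authentication takes place. The greeting has no need to carry that, and both the value being removed and the Debian default leave it out. Suggest `smtpd_banner = $myhostname ESMTP $mail_name` unless something downstream depends on the version string.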
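Review bot: The two rewritten lines `smtpd_tls_cert_file = ...` and `smtpd_tls_key_file = ...` switch to spaced `key = value` form while the context lines directly below them (`smtpd_tls_security_level=may`, `smtp_tls_CApath=/etc/ssl/certs`) keep the unspaced form, so the TLS block now mixes both styles; the large hunk at line 55 uses the spaced form throughout, so those two context lines are the odd ones out and could be normalised in the same commit. Separately, the key now referenced is a wildcard key: if it is the same material used on other hosts, a compromise of this dev machine exposes every name under that wildcard, and a host-specific certificate would contain that. Nothing in the `.etckeeper` hunk lists `ssl/tls/`, which suggests the key is kept outside this repository — worth confirming that is deliberate.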
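Review bot: `+relayhost = [prd-mail.pixelpark.com]` routes all non-local mail through that host, but no hunk in this commit sets `smtp_tls_security_level`; the client-side TLS lines added in the hunk at line 55 cover protocols, logging and the certificate only. If it is not set elsewhere in main.cf either, the Postfix default is `none` and mail to the relay leaves this host in cleartext. For a fixed, known relay the appropriate floor is `smtp_tls_security_level = encrypt` (or `secure` once the relay's certificate is verifiable via `smtp_tls_CApath`); `may` is the minimum.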
@@ -55,13 +55,62 @@ header_checks = pcre:/etc/postfix/header_checks
 lmtp_tls_mandatory_protocols = >=TLSv1
 lmtp_tls_protocols = >=TLSv1
 message_size_limit = 52428800
+milter_default_action = accept
 mlmmj_destination_recipient_limit = 1
 mydomain = pixelpark.com
 postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
 postscreen_blacklist_action = enforce
-postscreen_dnsbl_action = enforc
+postscreen_dnsbl_action = enforce
 postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
-postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
+postscreen_dnsbl_sites =
 postscreen_dnsbl_threshold = 2
 postscreen_greet_action = enforce
 postscreen_dnsbl_whitelist_threshold = -2
+recipient_bcc_maps = $default_database_type:/etc/postfix/recipient_bcc, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
+relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
+sender_bcc_maps = $default_database_type:/etc/postfix/sender_bcc, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
+sender_dependent_relayhost_maps = $default_database_type:/etc/postfix/sender_dependent_relayhost, proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
+setgid_group = postdrop
+show_user_unknown_table_name = yes
+# smtp_tls_CAfile = $smtpd_tls_CAfile
+smtp_tls_loglevel = 1
+smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
+smtp_tls_note_starttls_offer = yes
+smtp_tls_protocols = $smtpd_tls_protocols
+smtpd_tls_loglevel = 1
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtpd_tls_protocols = !SSLv2 !SSLv3
+smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
+smtpd_milters = inet:localhost:11332
+smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+smtpd_sasl_authenticated_header = yes
+smtpd_sasl_path = private/dovecot-auth
+smtpd_sasl_type = dovecot
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
+smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_received_header = yes
+swap_bangpath = yes
+tls_random_source = dev:/dev/urandom
+transport_maps = $default_database_type:/etc/postfix/transport, proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
+unknown_local_recipient_reject_code = 550
+virtual_alias_domains =
+virtual_alias_maps = $default_database_type:/etc/postfix/virtual, proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /var/vmail
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
+virtual_minimum_uid = 2000
+virtual_transport = dovecot
+virtual_uid_maps = static:2000
+smtp_tls_cert_file = $smtpd_tls_cert_file
+smtp_tls_key_file = $smtpd_tls_key_file
diff --git a/postfix/mysql/catchall_maps.cf b/postfix/mysql/catchall_maps.cf
new file mode 100644
index 0000000..8114cf9
--- /dev/null
+++ b/postfix/mysql/catchall_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0
diff --git a/postfix/mysql/domain_alias_catchall_maps.cf b/postfix/mysql/domain_alias_catchall_maps.cf
new file mode 100644
index 0000000..548e20a
--- /dev/null
+++ b/postfix/mysql/domain_alias_catchall_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1
diff --git a/postfix/mysql/domain_alias_maps.cf b/postfix/mysql/domain_alias_maps.cf
new file mode 100644
index 0000000..81b8789
--- /dev/null
+++ b/postfix/mysql/domain_alias_maps.cf
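Review bot: `+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3` and `+smtpd_tls_protocols = !SSLv2 !SSLv3` still admit TLSv1.0 and TLSv1.1, and the added `smtp_tls_mandatory_protocols`/`smtp_tls_protocols` lines inherit the same floor; with `compatibility_level = 3.6` (hunk at line 24) the `>=` form is available, so `smtpd_tls_mandatory_protocols = >=TLSv1.2` is the better setting for the mandatory case, and the opportunistic one should be raised too unless old senders must still be served. In `+smtpd_tls_exclude_ciphers`, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5` are not valid OpenSSL cipher names (they read as typos of `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES`) and therefore exclude nothing; the `DES` and `CBC3-SHA` entries already cover what they were meant to, so the two misspelt names can simply be dropped. `+smtpd_tls_dh512_param_file` only serves export-grade ciphers, which the `EXPORT` exclusion already disables and OpenSSL 1.1 and later no longer support, so that line and `/etc/ssl/dh512_param.pem` can go as well. Finally, `+postscreen_dnsbl_sites =` is now empty while `postscreen_dnsbl_action`, `postscreen_dnsbl_threshold` and `postscreen_dnsbl_reply_map` stay, leaving those settings inert; if that is intentional, a one-line comment above it would save the next reader the check.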
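Review bot: The `+password =` line commits the `vmail` database password to this repository in clear text, and the same line is repeated in every other new `postfix/mysql/*.cf` file in this commit (domain_alias_catchall_maps.cf through virtual_mailbox_maps.cf). The `.etckeeper` hunk does set these files to 0640 with group `postfix` on disk, but that does nothing for the copy in git history, which anyone with read access to the repository can see. Treat the credential as exposed and rotate it, and keep the files (or at least the password) out of version control — etckeeper honours `.gitignore`, or the committed file can be a template that is completed on the host. Since every query in these files is a `SELECT`, it is also worth checking that the `vmail` account is granted nothing beyond read access to the tables they touch, which limits what the credential is good for.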
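Review bot: The `+query` joins `domain` but never filters on it: unlike the sibling catchall_maps.cf (`domain.active=1 AND domain.backupmx=0`) and domain_alias_maps.cf (`domain.backupmx=0`), nothing here checks `domain.active` or `domain.backupmx`, so a catch-all forwarding still fires for an alias of a target domain that has been disabled or turned into a backup MX. domain_alias_maps.cf has the same gap for `domain.active`. If the omission is deliberate a comment in the file should say so; otherwise append `AND domain.active=1 AND domain.backupmx=0` here and `AND domain.active=1` there. The comma-join form `FROM forwardings,alias_domain,domain WHERE ...` is also where this kind of missing condition hides; explicit `INNER JOIN ... ON` clauses would keep the join conditions and the filters separately visible.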
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=CONCAT('%u', '@', alias_domain.target_domain) AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1 AND domain.backupmx=0
diff --git a/postfix/mysql/recipient_bcc_maps_domain.cf b/postfix/mysql/recipient_bcc_maps_domain.cf
new file mode 100644
index 0000000..99327e5
--- /dev/null
+++ b/postfix/mysql/recipient_bcc_maps_domain.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM recipient_bcc_domain WHERE domain='%d' AND active=1
diff --git a/postfix/mysql/recipient_bcc_maps_user.cf b/postfix/mysql/recipient_bcc_maps_user.cf
new file mode 100644
index 0000000..fc8552b
--- /dev/null
+++ b/postfix/mysql/recipient_bcc_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT recipient_bcc_user.bcc_address FROM recipient_bcc_user,domain WHERE recipient_bcc_user.username='%s' AND recipient_bcc_user.domain='%d' AND recipient_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND recipient_bcc_user.active=1
diff --git a/postfix/mysql/relay_domains.cf b/postfix/mysql/relay_domains.cf
new file mode 100644
index 0000000..b865c37
--- /dev/null
+++ b/postfix/mysql/relay_domains.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT domain FROM domain WHERE domain='%s' AND backupmx=1 AND active=1 LIMIT 1
diff --git a/postfix/mysql/sender_bcc_maps_domain.cf b/postfix/mysql/sender_bcc_maps_domain.cf
new file mode 100644
index 0000000..492714d
--- /dev/null
+++ b/postfix/mysql/sender_bcc_maps_domain.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM sender_bcc_domain WHERE domain='%d' AND active=1
diff --git a/postfix/mysql/sender_bcc_maps_user.cf b/postfix/mysql/sender_bcc_maps_user.cf
new file mode 100644
index 0000000..4f914b3
--- /dev/null
+++ b/postfix/mysql/sender_bcc_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT sender_bcc_user.bcc_address FROM sender_bcc_user,domain WHERE sender_bcc_user.username='%s' AND sender_bcc_user.domain='%d' AND sender_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND sender_bcc_user.active=1
diff --git a/postfix/mysql/sender_dependent_relayhost_maps.cf b/postfix/mysql/sender_dependent_relayhost_maps.cf
new file mode 100644
index 0000000..b383c1a
--- /dev/null
+++ b/postfix/mysql/sender_dependent_relayhost_maps.cf
@@ -0,0 +1,6 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+# '%s' will be replaced by the envelope sender address or @domain.
+query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1
diff --git a/postfix/mysql/sender_login_maps.cf b/postfix/mysql/sender_login_maps.cf
new file mode 100644
index 0000000..cde3dc0
--- /dev/null
+++ b/postfix/mysql/sender_login_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/transport_maps_domain.cf b/postfix/mysql/transport_maps_domain.cf
new file mode 100644
index 0000000..08a5ea9
--- /dev/null
+++ b/postfix/mysql/transport_maps_domain.cf
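Review bot: This map only has an effect if `smtpd_sender_login_maps` points at it and a restriction list contains `reject_sender_login_mismatch` (or one of its variants), and neither appears in the main.cf hunks of this commit; `proxy_read_maps` does list `$smtpd_sender_login_maps`, so it may well be set outside the hunks. If it is not, an authenticated user can submit mail with any envelope sender, which is exactly the check this map exists to provide. Suggest `smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf` together with `reject_sender_login_mismatch` in `smtpd_sender_restrictions`, and a comment on the `+query` line noting that `mailbox.enablesmtp=1` is the column that gates submission rights.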
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT transport FROM domain WHERE domain='%s' AND active=1 LIMIT 1
diff --git a/postfix/mysql/transport_maps_maillist.cf b/postfix/mysql/transport_maps_maillist.cf
new file mode 100644
index 0000000..b27d9fa
--- /dev/null
+++ b/postfix/mysql/transport_maps_maillist.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT maillists.transport FROM maillists,domain WHERE maillists.address='%s' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
diff --git a/postfix/mysql/transport_maps_user.cf b/postfix/mysql/transport_maps_user.cf
new file mode 100644
index 0000000..b0c5911
--- /dev/null
+++ b/postfix/mysql/transport_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/virtual_alias_maps.cf b/postfix/mysql/virtual_alias_maps.cf
new file mode 100644
index 0000000..e4c35c3
--- /dev/null
+++ b/postfix/mysql/virtual_alias_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/virtual_mailbox_domains.cf b/postfix/mysql/virtual_mailbox_domains.cf
new file mode 100644
index 0000000..d29180d
--- /dev/null
+++ b/postfix/mysql/virtual_mailbox_domains.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = (SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
diff --git a/postfix/mysql/virtual_mailbox_maps.cf b/postfix/mysql/virtual_mailbox_maps.cf
new file mode 100644
index 0000000..00e2fa2
--- /dev/null
+++ b/postfix/mysql/virtual_mailbox_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT CONCAT(mailbox.storagenode, '/', mailbox.maildir, '/Maildir/') FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.domain = mailbox.domain AND domain.active=1
diff --git a/postfix/recipient_bcc b/postfix/recipient_bcc
new file mode 100644
index 0000000..e69de29
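Review bot: The `+query` uses `UNION`, which sorts and de-duplicates, where `UNION ALL` is sufficient: Postfix only needs to know whether any row comes back, and the two branches can return the same name only if it is listed both as a real domain and as an alias domain, which is harmless for an existence lookup. Each parenthesised branch carries its own `LIMIT 1` while the combined statement has none; a single `LIMIT 1` on the whole union would be simpler and cheaper. Like the other maps in this commit, the second branch uses a comma join (`FROM alias_domain,domain WHERE ...`); an explicit `INNER JOIN domain ON alias_domain.target_domain = domain.domain` would separate the join condition from the `active`/`backupmx` filters and make the query easier to audit.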