main.cf
von Tulskie- SNIPPET_TEXT:
-
- # SMTPd greeting banner: You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
- smtpd_banner = $myhostname
- # Disable local biff service
- biff = no
- # Do not append the string $mydomain to -locally- submitted email.
- append_dot_mydomain = no
- # Readme directory
- readme_directory = /usr/share/doc/postfix
- # HTML directory
- html_directory = /usr/share/doc/postfix/html
- # Certificates
- smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
- smtpd_tls_key_file = /etc/ssl/mail/mail.key
- # Opportunistic TLS. TLS auth only.
- smtpd_tls_security_level=may
- smtpd_tls_auth_only=yes
- # DH parameters, actually 2048 bit long
- smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
- # CA path for SMTP client connections to external servers
- # smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
- # TLS session cache for SMTPd
- smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
- # Disallow SSLv2 and SSLv3, only accept secure ciphers
- smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
- smtpd_tls_mandatory_ciphers=high
- smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
- smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
- # Log TLS handling
- smtpd_tls_loglevel = 1
- smtp_tls_loglevel = 1
- # Delay reject until RCPT TO
- smtpd_delay_reject = yes
- # Enable elliptic curve cryptography, "ultra" needs more cpu time
- smtpd_tls_eecdh_grade = strong
- # Default: Anonymize outgoing mail headers
- smtp_header_checks = pcre:/etc/postfix/mailcow_anonymize_headers.pcre
- # Sender, recipient, client and data restrictions
- smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
- permit_mynetworks,
- reject_sender_login_mismatch,
- permit_sasl_authenticated,
- reject_unlisted_sender,
- reject_unknown_sender_domain
- smtpd_recipient_restrictions = permit_sasl_authenticated,
- permit_mynetworks,
- reject_non_fqdn_helo_hostname,
- reject_invalid_helo_hostname,
- reject_unknown_reverse_client_hostname,
- reject_unauth_destination
- smtpd_data_restrictions =
- reject_unauth_pipelining,
- permit
- smtpd_restriction_classes = z1_greylisting
- z1_greylisting = permit_dnswl_client list.dnswl.org,
- check_policy_service inet:127.0.0.1:10023
- # Determine valid MAIL FROM addresses for a SASL authenticated user.
- smtpd_sender_login_maps =
- proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf,
- proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
- # Set a higher timeout for connecting, sending and receiving information from/to a proxy (FuGlu)
- smtpd_proxy_timeout = 600s
- # Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
- smtp_tls_security_level=may
- # TLS session cache for SMTP
- smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
- # A custom list with secure ciphers.
- tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
- # Use the FQDN for the local hostname!
- myhostname = mail.schmidttulskie.de
- # Alias maps and database for -local- delivery only
- alias_maps = hash:/etc/aliases
- alias_database = hash:/etc/aliases
- # The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to.
- myorigin = /etc/mailname
- # The list of domains that are delivered via the -local- mail delivery transport. No external domains like "schmidttulskie.de" belong here! "mail.schmidttulskie.de" is fine.
- mydestination = mail.schmidttulskie.de, localhost.schmidttulskie.de, localhost
- # We lookup MX records to send non-local mail, so this stays empty
- relayhost =
- # We relay for these domains
- relay_domains= proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
- # Relay only for these accounts
- relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
- # Trusted SMTP clients with more privileges. Trusted clients can relay mail.
- mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- # The maximal size of any -local- individual mailbox
- mailbox_size_limit = 0
- # Handle Postfix-style extensions
- recipient_delimiter = +
- # The network interface addresses that this mail system receives mail on.
- inet_interfaces = all
- # Specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.
- inet_protocols = all
- # VRFY command is not really needed anymore
- disable_vrfy_command = yes
- # Please say hello first...
- smtpd_helo_required = yes
- # The SASL plug-in type that the Postfix SMTP server should use for authentication.
- smtpd_sasl_type=dovecot
- # Where to passthrough our authentication information for the above plug-in
- smtpd_sasl_path=private/auth_dovecot
- # Enable SASL authentication in the Postfix SMTP server.
- smtpd_sasl_auth_enable = yes
- # Report the SASL authenticated user name in the smtpd Received message header.
- smtpd_sasl_authenticated_header = yes
- # Have Postfix advertise AUTH support in a non-standard way.
- broken_sasl_auth_clients = yes
- # The lookup tables that the proxymap server is allowed to access for the read-only service.
- proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
- ## Virtual transport configuration
- # A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps
- virtual_mailbox_base = /var/vmail/
- # THIS contains a list of domains we are the final destination for (unlike "mydestination").
- virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
- # Alias specific mail addresses or domains to other local or remote address.
- virtual_alias_maps =
- proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
- proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf,
- proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
- proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
- # Specify a left-hand side of "@schmidttulskie.de" to match any user in the specified domain
- virtual_mailbox_maps =
- proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
- proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
- # The minimum user ID value that the virtual delivery agent accepts
- virtual_minimum_uid = 104
- # We use "vmail" user with UID/GID 5000 to lookup tables
- virtual_uid_maps = static:5000
- virtual_gid_maps = static:5000
- # The default mail delivery transport and next-hop destination for final delivery to domains listed with "virtual_mailbox_domains"
- virtual_transport = lmtp:unix:private/dovecot-lmtp
- ## Queue configuration
- # Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
- maximal_queue_lifetime = 1d
- # Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached this limit.
- bounce_queue_lifetime = 1d
- # The time between deferred queue scans by the queue manager.
- queue_run_delay = 300s
- # The maximal/minimal time between attempts to deliver a deferred message.
- maximal_backoff_time = 1800s
- minimal_backoff_time = 300s
- # Maximum mail size
- message_size_limit = 26214400
- # This tarpits a client after 3 erroneous commands for 10s
- smtpd_soft_error_limit = 3
- smtpd_error_sleep_time = 10s
- smtpd_hard_error_limit = ${stress?1}${stress:5}
- # Feel free to maintain a white-/blacklist for Postscreen
- postscreen_access_list = permit_mynetworks,
- cidr:/etc/postfix/postscreen_access.cidr
- # Drop connections from blacklisted servers with a 521 reply
- postscreen_blacklist_action = drop
- # Clean Postscreen cache after 24h
- postscreen_cache_cleanup_interval = 24h
- postscreen_dnsbl_ttl = 5m
- postscreen_dnsbl_threshold = 8
- postscreen_dnsbl_action = enforce
- postscreen_dnsbl_sites =
- b.barracudacentral.org=127.0.0.2*7
- dnsbl.inps.de=127.0.0.2*7
- bl.mailspike.net=127.0.0.2*5
- bl.mailspike.net=127.0.0.[10;11;12]*4
- dnsbl.sorbs.net=127.0.0.10*8
- dnsbl.sorbs.net=127.0.0.5*6
- dnsbl.sorbs.net=127.0.0.7*3
- dnsbl.sorbs.net=127.0.0.8*2
- dnsbl.sorbs.net=127.0.0.6*2
- dnsbl.sorbs.net=127.0.0.9*2
- zen.spamhaus.org=127.0.0.[10;11]*8
- zen.spamhaus.org=127.0.0.[4..7]*6
- zen.spamhaus.org=127.0.0.3*4
- zen.spamhaus.org=127.0.0.2*3
- hostkarma.junkemailfilter.com=127.0.0.2*3
- hostkarma.junkemailfilter.com=127.0.0.4*1
- hostkarma.junkemailfilter.com=127.0.1.2*1
- wl.mailspike.net=127.0.0.[18;19;20]*-2
- hostkarma.junkemailfilter.com=127.0.0.1*-2
- postscreen_greet_banner = $smtpd_banner
- postscreen_greet_action = enforce
- postscreen_greet_wait = 3s
- postscreen_greet_ttl = 2d
- postscreen_bare_newline_enable = no
- postscreen_non_smtp_command_enable = no
- postscreen_pipelining_enable = no
- postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
- # We need milter support for OpenDKIM
- milter_protocol = 6
- milter_default_action = accept
Quellcode
Hier kannst du den Code kopieren und ihn in deinen bevorzugten Editor einfügen. PASTEBIN_DOWNLOAD_SNIPPET_EXPLAIN