|
|
|
###############
|
|
|
|
# General
|
|
|
|
###############
|
|
|
|
|
|
|
|
# Main domain and hostname
|
|
|
|
mydomain = {{ DOMAIN }}
|
|
|
|
myhostname = {{ HOSTNAME }}
|
|
|
|
myorigin = $mydomain
|
|
|
|
|
|
|
|
# Message size limit
|
|
|
|
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
|
|
|
|
|
|
|
|
# Relayed networks
|
|
|
|
mynetworks = 127.0.0.1/32 [::1]/128 {{ RELAYNETS }}
|
|
|
|
|
|
|
|
# Empty alias list to override the configuration variable and disable NIS
|
|
|
|
alias_maps =
|
|
|
|
|
|
|
|
# SQLite configuration
|
|
|
|
sql = sqlite:${config_directory}/
|
|
|
|
|
|
|
|
# Only accept virtual emails
|
|
|
|
mydestination =
|
|
|
|
|
|
|
|
# Relayhost if any is configured
|
|
|
|
relayhost = {{ RELAYHOST }}
|
|
|
|
|
|
|
|
###############
|
|
|
|
# TLS
|
|
|
|
###############
|
|
|
|
|
|
|
|
# General TLS configuration
|
|
|
|
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
|
|
|
|
tls_preempt_cipherlist = yes
|
|
|
|
|
|
|
|
# Only one key/certificate pair is used, SNI not being supported by all
|
|
|
|
# services and not a strong requirement. Also, TLS is enforced for submission
|
|
|
|
# and smtps in master.cf.
|
|
|
|
smtpd_tls_security_level = may
|
|
|
|
smtpd_tls_cert_file=/certs/cert.pem
|
|
|
|
smtpd_tls_key_file=/certs/key.pem
|
|
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
|
|
|
|
|
|
# Server-side TLS is hardened, it should be up to the client to update his or
|
|
|
|
# her TLS stack in order to connect to the mail server. Hardening is based on
|
|
|
|
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
|
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
|
|
smtpd_tls_protocols = !SSLv2, !SSLv3
|
|
|
|
smtpd_tls_ciphers = high
|
|
|
|
smtpd_tls_mandatory_ciphers = high
|
|
|
|
|
|
|
|
|
|
|
|
# Outgoing TLS is more flexible because 1. not all receiving servers will
|
|
|
|
# support TLS, 2. not all will have and up-to-date TLS stack.
|
|
|
|
smtp_tls_security_level = may
|
|
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
|
|
smtp_tls_protocols =!SSLv2,!SSLv3
|
|
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
|
|
|
|
|
|
# General TLS hardening
|
|
|
|
tls_ssl_options = NO_COMPRESSION
|
|
|
|
tls_preempt_cipherlist = yes
|
|
|
|
|
|
|
|
###############
|
|
|
|
# SASL
|
|
|
|
###############
|
|
|
|
|
|
|
|
smtpd_sasl_local_domain = $myhostname
|
|
|
|
|
|
|
|
# Authentication is done against dovecot, which acts as the main authention
|
|
|
|
# source
|
|
|
|
smtpd_sasl_type = dovecot
|
|
|
|
smtpd_sasl_path = inet:imap:2102
|
|
|
|
smtpd_sasl_auth_enable = yes
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Virtual
|
|
|
|
###############
|
|
|
|
|
|
|
|
# The alias map actually returns both aliases and local mailboxes, which is
|
|
|
|
# required for reject_unlisted_sender to work properly
|
|
|
|
virtual_alias_maps = ${sql}sqlite-virtual_alias_maps.cf
|
|
|
|
virtual_mailbox_domains = ${sql}sqlite-virtual_mailbox_domains.cf
|
|
|
|
virtual_mailbox_maps = $virtual_alias_maps
|
|
|
|
|
|
|
|
# Mails are forwarded to Dovecot for delivery
|
|
|
|
virtual_transport = lmtp:inet:imap:2525
|
|
|
|
|
|
|
|
# In order to prevent Postfix from running DNS query, enforce the use of the
|
|
|
|
# native DNS stack, that will check /etc/hosts properly.
|
|
|
|
lmtp_host_lookup = native
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Restrictions
|
|
|
|
###############
|
|
|
|
|
|
|
|
# Delay all rejects until all information can be logged
|
|
|
|
smtpd_delay_reject = yes
|
|
|
|
|
|
|
|
# Allowed senders are: the user or one of the alias destinations
|
|
|
|
smtpd_sender_login_maps = $virtual_alias_maps
|
|
|
|
|
|
|
|
# Helo restrictions are specified for smtp only in master.cf
|
|
|
|
smtpd_helo_required = yes
|
|
|
|
|
|
|
|
# Sender restrictions
|
|
|
|
smtpd_sender_restrictions =
|
|
|
|
permit_mynetworks,
|
|
|
|
reject_non_fqdn_sender,
|
|
|
|
reject_unknown_sender_domain,
|
|
|
|
reject_unlisted_sender,
|
|
|
|
reject_sender_login_mismatch,
|
|
|
|
permit
|
|
|
|
|
|
|
|
# Recipient restrictions:
|
|
|
|
smtpd_recipient_restrictions =
|
|
|
|
reject_unauth_pipelining,
|
|
|
|
reject_non_fqdn_recipient,
|
|
|
|
reject_unknown_recipient_domain,
|
|
|
|
permit_mynetworks,
|
|
|
|
permit
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Milter
|
|
|
|
###############
|
|
|
|
|
|
|
|
smtpd_milters = inet:milter:9900
|
|
|
|
milter_protocol = 6
|
|
|
|
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
|
|
|
milter_default_action = tempfail
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Extra Settings
|
|
|
|
###############
|