############### # General ############### # Main domain and hostname mydomain = {{ DOMAIN }} myhostname = {{ HOSTNAME }} myorigin = $mydomain # Queue location queue_directory = /queue # Message size limit message_size_limit = {{ MESSAGE_SIZE_LIMIT }} # Relayed networks mynetworks = 127.0.0.1/32 [::1]/128 {{ RELAYNETS }} # Empty alias list to override the configuration variable and disable NIS alias_maps = # SQLite configuration sql = sqlite:${config_directory}/ # Only accept virtual emails mydestination = # Relayhost if any is configured relayhost = {{ RELAYHOST }} # Recipient delimiter for extended addresses recipient_delimiter = {{ RECIPIENT_DELIMITER }} ############### # TLS ############### # General TLS configuration tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA tls_preempt_cipherlist = yes # Only one key/certificate pair is used, SNI not being supported by all # services and not a strong requirement. Also, TLS is enforced for submission # and smtps in master.cf. smtpd_tls_security_level = may smtpd_tls_cert_file=/certs/cert.pem smtpd_tls_key_file=/certs/key.pem smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache # Server-side TLS is hardened, it should be up to the client to update his or # her TLS stack in order to connect to the mail server. Hardening is based on # https://bettercrypto.org/static/applied-crypto-hardening.pdf smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high # Outgoing TLS is more flexible because 1. not all receiving servers will # support TLS, 2. not all will have and up-to-date TLS stack. smtp_tls_security_level = may smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # General TLS hardening tls_ssl_options = NO_COMPRESSION tls_preempt_cipherlist = yes ############### # SASL ############### smtpd_sasl_local_domain = $myhostname # Authentication is done against dovecot, which acts as the main authention # source smtpd_sasl_type = dovecot smtpd_sasl_path = inet:imap:2102 smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous ############### # Virtual ############### # The alias map actually returns both aliases and local mailboxes, which is # required for reject_unlisted_sender to work properly virtual_alias_maps = ${sql}sqlite-virtual_alias_maps.cf virtual_mailbox_domains = ${sql}sqlite-virtual_mailbox_domains.cf virtual_mailbox_maps = $virtual_alias_maps # Mails are transported if required, then forwarded to Dovecot for delivery transport_maps = ${sql}sqlite-transport.cf virtual_transport = lmtp:inet:imap:2525 # In order to prevent Postfix from running DNS query, enforce the use of the # native DNS stack, that will check /etc/hosts properly. lmtp_host_lookup = native ############### # Restrictions ############### # Delay all rejects until all information can be logged smtpd_delay_reject = yes # Allowed senders are: the user or one of the alias destinations smtpd_sender_login_maps = $virtual_alias_maps # Helo restrictions are specified for smtp only in master.cf smtpd_helo_required = yes # Sender restrictions smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_sender, reject_sender_login_mismatch, permit # Recipient restrictions: smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit ############### # Milter ############### smtpd_milters = inet:milter:9900 milter_protocol = 6 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_default_action = tempfail ############### # Extra Settings ###############