|
- ###################################################################################################
- ### Base Settings ###
- #####################
-
- # Listen on all interfaces
- inet_interfaces = all
-
- # Use TCP IPv4
- inet_protocols = ipv4
-
- # Greet connecting clients with this banner
- smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
-
- # Fully-qualified hostname
- myhostname = mail.${DOMAIN}
-
- # Do not append domain part to incomplete addresses (this is the MUA's job)
- append_dot_mydomain = no
-
- # Trusted networks/hosts (these are allowed to relay without authentication)
- mynetworks =
- # Local
- 127.0.0.0/8
- # External
- #1.2.3.4/32
-
-
- ###################################################################################################
- ### Local Transport ###
- #######################
-
- # Disable local transport (so that system accounts can't receive mail)
- local_transport = error:Local Transport Disabled
-
- # Don't use local alias maps
- alias_maps =
-
- # Local domain (could be omitted, since it is automatically derived from $myhostname)
- mydomain = ${DOMAIN}
-
- # Mails for these domains will be transported locally
- mydestination =
- $myhostname
- localhost.$mydomain
- localhost
-
-
- ###################################################################################################
- ### Virtual Transport ###
- #########################
-
- # Deliver mail for virtual recipients to Dovecot
- virtual_transport = dovecot
-
- # Process one mail at one time
- dovecot_destination_recipient_limit = 1
-
- # Valid virtual domains
- virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
-
- # Valid virtual recipients
- virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf
-
- # Virtual aliases
- virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
-
-
- ###################################################################################################
- ### ESMTP Settings ###
- ######################
-
- ### SASL ###
-
- # Enable SASL (required for SMTP authentication)
- smtpd_sasl_auth_enable = yes
-
- # Enable SASL for Outlook-Clients as well
- broken_sasl_auth_clients = yes
-
- ### TLS ###
-
- # Enable TLS (required to encrypt the plaintext SASL authentication)
- smtpd_tls_security_level = may
-
- # Only offer SASL in a TLS session
- smtpd_tls_auth_only = yes
-
- # Certification Authority
- smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
-
- # Public Certificate
- smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
-
- # Private Key (without passphrase)
- smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
-
- # Randomizer for key creation
- tls_random_source = dev:/dev/urandom
-
- # TLS related logging (set to 2 for debugging)
- smtpd_tls_loglevel = 0
-
- # Avoid Denial-Of-Service-Attacks
- smtpd_client_new_tls_session_rate_limit = 10
-
- # Activate TLS Session Cache
- smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
-
- # Deny some TLS-Ciphers
- smtpd_tls_exclude_ciphers =
- EXP
- EDH-RSA-DES-CBC-SHA
- ADH-DES-CBC-SHA
- DES-CBC-SHA
- SEED-SHA
-
- # Diffie-Hellman Parameters for Perfect Forward Secrecy
- # Can be created with:
- # openssl dhparam -2 -out dh_512.pem 512
- # openssl dhparam -2 -out dh_1024.pem 1024
- smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
- smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
-
-
- ###################################################################################################
- ### Connection Policies ###
- ###########################
-
- # Reject Early Talkers
- postscreen_greet_action = enforce
-
-
- ###################################################################################################
- ### Session Policies ###
- ########################
-
- # Recipient Restrictions (RCPT TO related)
- smtpd_recipient_restrictions =
- reject_non_fqdn_recipient
- reject_unknown_recipient_domain
- # Allow relaying for SASL authenticated clients and trusted hosts/networks
- # This can be put to smtpd_relay_restrictions in Postfix 2.10 and later
- permit_sasl_authenticated
- permit_mynetworks
- # If not authenticated or on mynetworks, reject mailing to external addresses
- reject_unauth_destination
- # Reject the following hosts
- check_sender_ns_access cidr:/etc/postfix/drop.cidr
- check_sender_mx_access cidr:/etc/postfix/drop.cidr
- # Additional blacklist
- reject_rbl_client ix.dnsbl.manitu.net
- # Finally permit (relaying still requires SASL auth)
- # WARNING: Due to this permit, everyone will be able to send emails to internal addresses without authentication. If this is set to reject though, the server does not receive emails from external addresses. Unfortunately I do not have a solution for this.
- permit
-
- # Reject the request if the sender is the null address and there are multiple recipients
- smtpd_data_restrictions = reject_multi_recipient_bounce
-
- # Sender Restrictions
- smtpd_sender_restrictions =
- reject_non_fqdn_sender
- reject_unknown_sender_domain
-
- # HELO/EHLO Restrictions
- smtpd_helo_restrictions =
- permit_mynetworks
- check_helo_access pcre:/etc/postfix/identitycheck.pcre
- #reject_non_fqdn_helo_hostname
- reject_invalid_hostname
-
- # Deny VRFY recipient checks
- disable_vrfy_command = yes
-
- # Require HELO
- smtpd_helo_required = yes
-
- # Reject instantly if a restriction applies (do not wait until RCPT TO)
- smtpd_delay_reject = no
-
- # Client Restrictions (IP Blacklist)
- smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
|
