2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
9 # Last time we extensively looked at our configuration.
10 compatibility_level=3.6
13 myhostname = CHANGEME-HOSTNAME
15 mydestination = mail.l, l, localhost, localhost.localdomain
16 virtual_alias_domains = CHANGEME-DOMAINS
17 mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
20 smtpd_tls_cert_file = /etc/ssl/letsencrypt/CHANGEME-HOSTNAME/fullchain.pem
21 smtpd_tls_key_file = /etc/ssl/letsencrypt/CHANGEME-HOSTNAME/privkey.pem
22 smtpd_tls_security_level = may
23 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
24 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
25 smtpd_tls_ciphers = high
26 smtpd_tls_mandatory_ciphers = high
27 smtpd_tls_loglevel = 1
28 smtpd_tls_received_header = yes
29 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
30 smtpd_tls_auth_only = yes
31 # we override this for the "submission" service.
32 smtpd_sasl_auth_enable = no
33 smtpd_sasl_path = smtpd
34 smtpd_banner = $myhostname ESMTP $mail_name
35 smtpd_helo_required = yes
36 # fuck sec consult and their business "ethics".
37 smtpd_forbid_bare_newline = yes
38 smtpd_forbid_unauth_pipelining = yes
39 smtpd_discard_ehlo_keywords = chunking, silent-discard
41 smtp_tls_security_level = may
42 smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
43 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
44 smtp_tls_ciphers = high
45 smtp_tls_mandatory_ciphers = high
47 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
48 smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp
51 tls_preempt_cipherlist = yes
54 alias_maps = hash:/etc/aliases
55 alias_database = hash:/etc/aliases
56 mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp
57 transport_maps = hash:/etc/postfix/transport.map
58 virtual_alias_maps = hash:/etc/postfix/virtual.map
59 header_checks = regexp:/etc/postfix/header_checks_in.regexp
63 connection_cache_status_update_time = 3600
65 mailbox_size_limit = 209715200
66 message_size_limit = 104857600
67 recipient_delimiter = +
71 default_destination_concurrency_limit = 2
73 # disable smtputf8 because of cyrus
77 #########################################
78 # DONT BE AN OPEN RELAY. RESTRICT STUFF #
79 #########################################
80 smtpd_restriction_classes = HOLD_OK
81 HOLD_OK = check_client_access static:hold, permit
84 # 1. check every incomming connecting.
85 # we use master.cf to overridden this for the "submission" service to always require authentication:
86 # smtpd_client_restrictions = permit_sasl_authenticated, reject
87 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
88 #smtpd_client_restrictions =
90 # permit_sasl_authenticated,
91 # reject_unknown_client_hostname,
95 # 2. check the helo of the incomming connection.
96 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
97 # smtpd_helo_restrictions =
99 # permit_sasl_authenticated,
100 # reject_invalid_helo_hostname,
101 # reject_unknown_helo_hostname,
105 # 3. checks run after a connection issues "MAIL FROM"
106 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
107 # smtpd_sender_restrictions =
108 # check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
110 # permit_sasl_authenticated,
111 # reject_non_fqdn_sender,
112 # reject_unknown_sender_domain,
116 # 4a. checks run after a connection issues "RCPT TO"
117 smtpd_recipient_restrictions =
118 check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
119 check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
121 permit_sasl_authenticated,
122 reject_invalid_helo_hostname,
123 reject_unauth_pipelining,
124 reject_unauth_destination,
125 reject_non_fqdn_sender,
126 reject_non_fqdn_recipient,
127 reject_unknown_client_hostname,
128 reject_unknown_helo_hostname,
129 reject_unknown_sender_domain,
130 reject_unknown_recipient_domain,
134 # 4b. same as smtpd_recipient_restrictions but diffrent.
135 # needed for spamming astra
136 smtpd_relay_restrictions =
137 check_sender_access regexp:/etc/postfix/rel_sender.regexp,
138 check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
139 check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
140 check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
142 permit_sasl_authenticated,
143 reject_invalid_helo_hostname,
144 reject_unauth_pipelining,
145 reject_unauth_destination,
146 reject_non_fqdn_sender,
147 reject_non_fqdn_recipient,
148 reject_unknown_client_hostname,
149 reject_unknown_helo_hostname,
150 reject_unknown_sender_domain,
151 reject_unknown_recipient_domain,
155 # 5. checks run after a connection issues "RCPT TO"
156 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
157 # smtpd_data_restrictions =
159 # permit_sasl_authenticated,
160 # reject_unauth_pipelining,