]> git.somenet.org - root/pub/somesible.git/blob - roles/server/mail/postfix/files/default/main.cf
roles/server/nginx/vhost-unified
[root/pub/somesible.git] / roles / server / mail / postfix / files / default / main.cf
1 #
2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
7 #
8
9 # Last time we extensively looked at our configuration.
10 compatibility_level=3.6
11
12
13 myhostname = mail.somenet.org
14 myorigin = mail.l
15 mydestination = mail.l, l, localhost, localhost.localdomain
16 mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
17
18
19 # incoming mail
20 smtpd_tls_chain_files =
21     /etc/ssl/letsencrypt/mail.somenet.org/privkey.pem,
22     /etc/ssl/letsencrypt/mail.somenet.org/fullchain.pem,
23     /etc/ssl/letsencrypt-rsa/mail.somenet.org/privkey.pem,
24     /etc/ssl/letsencrypt-rsa/mail.somenet.org/fullchain.pem
25 smtpd_tls_security_level = may
26 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
27 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
28 smtpd_tls_ciphers = high
29 smtpd_tls_mandatory_ciphers = high
30 smtpd_tls_loglevel = 1
31 smtpd_tls_received_header = yes
32 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
33 smtpd_tls_auth_only = yes
34 # we override this for the "submission" service.
35 smtpd_sasl_auth_enable = no
36 smtpd_sasl_path = smtpd
37 smtpd_banner = $myhostname ESMTP $mail_name
38 smtpd_helo_required = yes
39 # fuck sec consult and their business "ethics".
40 smtpd_forbid_bare_newline = yes
41 smtpd_forbid_unauth_pipelining = yes
42 smtpd_discard_ehlo_keywords = chunking, silent-discard
43
44
45 # header cleanup + transport mapping
46 header_checks = regexp:/etc/postfix/header_checks_in.regexp
47 nested_header_checks =
48 transport_maps = hash:/etc/postfix/transport.map
49 #, hash:/var/lib/sympa/transport.map
50
51
52 # outgoing mail
53 smtp_tls_security_level = may
54 smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
55 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
56 smtp_tls_ciphers = high
57 smtp_tls_mandatory_ciphers = high
58 smtp_tls_loglevel = 1
59 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
60 smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp
61
62
63 # hosted domains
64 virtual_alias_domains = somenet.org
65 virtual_alias_maps = hash:/etc/postfix/virtual.map
66
67
68 # local delivery
69 mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp
70 mailbox_size_limit = 209715200
71
72
73 #sympa
74 # todo: flip vmailbox und valias domains?
75 #virtual_mailbox_domains = lists.somenet.org
76 #virtual_mailbox_maps = hash:/etc/postfix/virtual.map, hash:/etc/postfix/transport.map, hash:/var/lib/sympa/transport.map
77
78
79 # random settings
80 tls_preempt_cipherlist = yes
81 biff = no
82 connection_cache_status_update_time = 3600
83 inet_protocols=ipv4
84 message_size_limit = $mailbox_size_limit
85 recipient_delimiter = +
86
87
88 # take it easy.
89 default_destination_concurrency_limit = 2
90
91 # disable smtputf8 because of cyrus
92 smtputf8_enable = no
93
94
95 #########################################
96 # DONT BE AN OPEN RELAY. RESTRICT STUFF #
97 #########################################
98 smtpd_restriction_classes = HOLD_OK
99 HOLD_OK = check_client_access static:hold, permit
100
101
102 # 1. check every incomming connecting.
103 # we use master.cf to overridden this for the "submission" service to always require authentication:
104 #   smtpd_client_restrictions = permit_sasl_authenticated, reject
105 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
106 #smtpd_client_restrictions =
107 #    permit_mynetworks,
108 #    permit_sasl_authenticated,
109 #    reject_unknown_client_hostname,
110 #    permit
111
112
113 # 2. check the helo of the incomming connection.
114 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
115 # smtpd_helo_restrictions =
116 #    permit_mynetworks,
117 #    permit_sasl_authenticated,
118 #    reject_invalid_helo_hostname,
119 #    reject_unknown_helo_hostname,
120 #    permit
121
122
123 # 3. checks run after a connection issues "MAIL FROM"
124 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
125 # smtpd_sender_restrictions =
126 #    check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
127 #    permit_mynetworks,
128 #    permit_sasl_authenticated,
129 #    reject_non_fqdn_sender,
130 #    reject_unknown_sender_domain,
131 #    permit
132
133
134 # 4a. checks run after a connection issues "RCPT TO"
135 smtpd_recipient_restrictions =
136     check_sender_access    regexp:/etc/postfix/rcpt_sender.regexp,
137     check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
138     permit_mynetworks,
139     permit_sasl_authenticated,
140     reject_invalid_helo_hostname,
141     reject_unauth_pipelining,
142     reject_unauth_destination,
143     reject_non_fqdn_sender,
144     reject_non_fqdn_recipient,
145     reject_unknown_client_hostname,
146     reject_unknown_helo_hostname,
147     reject_unknown_sender_domain,
148     reject_unknown_recipient_domain,
149     permit
150
151
152 # 4b. same as smtpd_recipient_restrictions but diffrent.
153 smtpd_relay_restrictions =
154     check_sender_access    regexp:/etc/postfix/rel_sender.regexp,
155     check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
156     check_sender_access    regexp:/etc/postfix/rcpt_sender.regexp,
157     check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
158     permit_mynetworks,
159     permit_sasl_authenticated,
160     reject_invalid_helo_hostname,
161     reject_unauth_pipelining,
162     reject_unauth_destination,
163     reject_non_fqdn_sender,
164     reject_non_fqdn_recipient,
165     reject_unknown_client_hostname,
166     reject_unknown_helo_hostname,
167     reject_unknown_sender_domain,
168     reject_unknown_recipient_domain,
169     permit
170
171
172 # 5. checks run after a connection issues "RCPT TO"
173 # we merge that into recipient and relay restrictions - no need to check everything multiple times.
174 # smtpd_data_restrictions =
175 #    permit_mynetworks,
176 #    permit_sasl_authenticated,
177 #    reject_unauth_pipelining,
178 #    permit