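################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone <someone@somenet.org>
#
# Postfix main.cf. "$name" and "${name}" expand to other parameters; a line
# that starts with whitespace continues the previous parameter's value.

# Last time we extensively looked at our configuration.
# Postfix uses this level to decide which changed defaults apply to this
# instance (COMPATIBILITY_README); bump it only after re-reading that document.
compatibility_level = 3.6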
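# Identity and trusted networks.
myhostname = mail.somenet.org
# Domains that are delivered locally (see mailbox_transport below).
mydestination = mail.l, l, localhost, localhost.localdomain
# Clients in these ranges count as "trusted" wherever permit_mynetworks or
# $mynetworks is consulted. Neither appears in the restriction lists in this
# file, so the wide 10.0.0.0/8 entry only has effect through settings not
# visible here (master.cf overrides, defaults that reference $mynetworks);
# keep it no wider than the hosts that actually need it.
mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128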
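# smtpd(8): inbound SMTP server - TLS and session hardening.
# Opportunistic STARTTLS on port 25: "may" is the right level for MX traffic,
# since remote MTAs cannot be forced to use TLS. Cert/key are the Let's
# Encrypt pair for $myhostname.
smtpd_tls_cert_file = /etc/ssl/letsencrypt/mail.somenet.org/fullchain.pem
smtpd_tls_key_file = /etc/ssl/letsencrypt/mail.somenet.org/privkey.pem
smtpd_tls_security_level = may
# TLS 1.2 and later only, for both opportunistic and mandatory TLS.
# (Exclusion form; Postfix 3.6+ also accepts ">=TLSv1.2".)
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# 1 = one summary line per TLS handshake; raise only temporarily for debugging.
smtpd_tls_loglevel = 1
# Record the negotiated TLS parameters in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Never advertise AUTH on a plaintext connection - credentials only travel
# inside TLS.
smtpd_tls_auth_only = yes
# SASL is off globally; master.cf turns it on for the "submission" service.
smtpd_sasl_auth_enable = no
smtpd_sasl_path = smtpd
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
# SMTP smuggling hardening: reject bare <LF> line endings, reject commands
# pipelined by clients that have not learned via EHLO that pipelining is
# supported, and do not advertise CHUNKING (BDAT). "silent-discard" stops the
# log line about the discarded keyword.
smtpd_forbid_bare_newline = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard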
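# Inbound header cleanup + transport mapping.
# regexp map applied by cleanup(8) to the headers of incoming mail; the map
# contents are not part of this file.
header_checks = regexp:/etc/postfix/header_checks_in.regexp
# Empty on purpose: do not run $header_checks (the default) against the
# headers of attached/nested messages.
nested_header_checks =
transport_maps = hash:/etc/postfix/transport.map
# sympa list transport map, currently disabled:
#, hash:/var/lib/sympa/transport.map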
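# smtp(8): outbound SMTP client - same protocol/cipher floor as inbound.
# "may" falls back to plaintext when the destination MX offers no STARTTLS;
# a hard requirement for selected destinations belongs in smtp_tls_policy_maps.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# regexp map applied to the headers of outbound mail.
smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp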
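# Virtual aliases: somenet.org recipients are rewritten via virtual.map.
virtual_alias_domains = somenet.org
virtual_alias_maps = hash:/etc/postfix/virtual.map

# Local delivery goes to Cyrus over LMTP.
mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp
# 200 MiB (209715200 bytes); message_size_limit is tied to this value.
mailbox_size_limit = 209715200

# todo: flip vmailbox and valias domains?
#virtual_mailbox_domains = lists.somenet.org
#virtual_mailbox_maps = hash:/etc/postfix/virtual.map, hash:/etc/postfix/transport.map, hash:/var/lib/sympa/transport.map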
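# Prefer the server's cipher order over the client's.
tls_preempt_cipherlist = yes
# seconds between scache(8) usage-statistics log lines
connection_cache_status_update_time = 3600
# Same ceiling as the mailbox limit (200 MiB).
message_size_limit = $mailbox_size_limit
# user+detail@domain addressing
recipient_delimiter = +
# Maximum parallel deliveries to the same destination.
default_destination_concurrency_limit = 2
# disable smtputf8 because of cyrus
# NOTE(review): no smtputf8_enable line follows this comment in the part of
# the file seen here; confirm "smtputf8_enable = no" is actually set.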
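##########################################
# DON'T BE AN OPEN RELAY. RESTRICT STUFF #
##########################################
# HOLD_OK is a named restriction class for use from access maps: put every
# message from the matching client on hold, then accept it.
smtpd_restriction_classes = HOLD_OK
HOLD_OK = check_client_access static:hold, permit

# 1. check every incoming connection.
# master.cf overrides this for the "submission" service to always require
# authentication:
#   smtpd_client_restrictions = permit_sasl_authenticated, reject
# We merge that into recipient and relay restrictions - no need to check
# everything multiple times.
#smtpd_client_restrictions =
#    permit_sasl_authenticated,
#    reject_unknown_client_hostname,

# 2. check the helo of the incoming connection.
# Merged into recipient and relay restrictions (see 1.).
#smtpd_helo_restrictions =
#    permit_sasl_authenticated,
#    reject_invalid_helo_hostname,
#    reject_unknown_helo_hostname,

# 3. checks run after a connection issues "MAIL FROM"
# Merged into recipient and relay restrictions (see 1.).
#smtpd_sender_restrictions =
#    check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
#    permit_sasl_authenticated,
#    reject_non_fqdn_sender,
#    reject_unknown_sender_domain,

# 4a. checks run after a connection issues "RCPT TO"
# Postfix evaluates smtpd_relay_restrictions (4b) first and this list second;
# both must accept. reject_unauth_destination is the anti-relay control in
# both lists and must stay.
# Order matters: the check_*_access maps run before permit_sasl_authenticated
# and reject_unauth_destination, and a map entry whose action is OK/permit
# ends the list with "accept" for that sender or recipient. Because the
# envelope sender is chosen by the client, entries in rcpt_sender.regexp
# (used in 4a AND 4b) and rel_sender.regexp should only ever return
# REJECT/HOLD/DUNNO-style actions, never OK or permit - otherwise they become
# an unauthenticated relay for anyone who uses that sender address.
# Map contents are not visible here; confirm.
# The reject_unknown_* checks depend on DNS (forward/reverse for the client,
# A/MX for helo, sender and recipient domains).
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,

# 4b. same as smtpd_recipient_restrictions but different: the rel_* access
# maps are consulted first, then the same rcpt_* maps and checks as 4a.
# See the ordering note at 4a - the same OK/permit caveat applies here.
# needed for spamming astra
smtpd_relay_restrictions =
    check_sender_access regexp:/etc/postfix/rel_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
    check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,

# 5. checks run after a connection issues "DATA"
# Merged into recipient and relay restrictions (see 1.).
#smtpd_data_restrictions =
#    permit_sasl_authenticated,
#    reject_unauth_pipelining,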