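# ################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone
#
# Postfix main.cf.
# Syntax reminders for this file:
#   - "#" is a comment only at the start of a line; Postfix has NO trailing
#     comments, text after a value becomes part of the value.
#   - a line starting with whitespace continues the previous value.
#   - $name / ${name} expands another parameter.

# Last time we extensively looked at our configuration.
# Pins which Postfix release's default settings this file was reviewed against.
compatibility_level = 3.6

myhostname = mail.somenet.org
myorigin = mail.l
mydestination = mail.l, l, localhost, localhost.localdomain
# Clients in these networks relay without authentication (permit_mynetworks
# precedes reject_unauth_destination in the restriction lists below), so keep
# this tight: 10.0.0.0/8 trusts the entire 10/8 range.
mynetworks = 10.0.0.0/8 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# incoming mail
# Two key/chain pairs (letsencrypt and letsencrypt-rsa, presumably an ECDSA and
# an RSA chain); each private key must directly precede its own chain.
smtpd_tls_chain_files = /etc/ssl/letsencrypt/mail.somenet.org/privkey.pem,
    /etc/ssl/letsencrypt/mail.somenet.org/fullchain.pem,
    /etc/ssl/letsencrypt-rsa/mail.somenet.org/privkey.pem,
    /etc/ssl/letsencrypt-rsa/mail.somenet.org/fullchain.pem
# Opportunistic TLS for inbound MX traffic; TLS is only enforced for AUTH,
# see smtpd_tls_auth_only.
smtpd_tls_security_level = may
# TLS 1.2 and newer only. Postfix >= 3.6 also accepts the ">=TLSv1.2" form.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# 1 = log a summary line per TLS handshake.
smtpd_tls_loglevel = 1
# record the TLS parameters in the Received: header.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# never announce AUTH on a plaintext connection.
smtpd_tls_auth_only = yes
# we override this for the "submission" service.
smtpd_sasl_auth_enable = no
# SASL backend configuration name (Cyrus SASL smtpd.conf, presumably).
smtpd_sasl_path = smtpd
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
# fuck sec consult and their business "ethics".
# SMTP smuggling hardening: reject bare newlines, reject pipelining before
# it was offered, and hide CHUNKING/BDAT from clients (without logging it).
smtpd_forbid_bare_newline = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard

# header cleanup + transport mapping
header_checks = regexp:/etc/postfix/header_checks_in.regexp
# empty on purpose: headers of attached messages are not inspected.
nested_header_checks =
transport_maps = hash:/etc/postfix/transport.map
# Disabled sympa transport map. It must stay on its own line: appended to the
# line above it would not be a comment but part of the transport_maps value.
#, hash:/var/lib/sympa/transport.map

# outgoing mail
# Opportunistic TLS without certificate verification. "dane" (needs a
# validating DNSSEC resolver) is the usual step up from "may".
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_header_checks = regexp:/etc/postfix/header_checks_out.regexp

# hosted domains
virtual_alias_domains = somenet.org
virtual_alias_maps = hash:/etc/postfix/virtual.map

# local delivery
# hand local mail to Cyrus IMAP over its LMTP socket.
mailbox_transport = lmtp:unix:/var/lib/cyrus/socket/lmtp
# bytes (200 MiB); message_size_limit below is tied to this value.
mailbox_size_limit = 209715200

#sympa
# todo: flip vmailbox and valias domains?
#virtual_mailbox_domains = lists.somenet.org
#virtual_mailbox_maps = hash:/etc/postfix/virtual.map, hash:/etc/postfix/transport.map, hash:/var/lib/sympa/transport.map

# random settings
# the server's cipher order wins over the client's preference.
tls_preempt_cipherlist = yes
biff = no
connection_cache_status_update_time = 3600
inet_protocols = ipv4
message_size_limit = $mailbox_size_limit
recipient_delimiter = +
# take it easy.
default_destination_concurrency_limit = 2
# disable smtputf8 because of cyrus
smtputf8_enable = no

#########################################
# DONT BE AN OPEN RELAY. RESTRICT STUFF #
#########################################
# Restriction class for use from access maps: quarantine the message in the
# hold queue, then accept it.
smtpd_restriction_classes = HOLD_OK
HOLD_OK = check_client_access static:hold, permit

# 1. check every incoming connection.
# we use master.cf to override this for the "submission" service to always require authentication:
# smtpd_client_restrictions = permit_sasl_authenticated, reject
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
#smtpd_client_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unknown_client_hostname,
#    permit

# 2. check the helo of the incoming connection.
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_helo_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_invalid_helo_hostname,
#    reject_unknown_helo_hostname,
#    permit

# 3. checks run after a connection issues "MAIL FROM"
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_sender_restrictions =
#    check_sender_access regexp:/etc/postfix/sender_restrictions.regexp,
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_non_fqdn_sender,
#    reject_unknown_sender_domain,
#    permit

# 4a. checks run after a connection issues "RCPT TO"
# Order matters. The access maps run first, and a lookup result of OK/PERMIT
# ends the list before reject_unauth_destination is reached, so entries in
# rcpt_sender.regexp / rcpt_recipient.regexp must never permit arbitrary
# senders or recipients, or they turn this host into a relay. The intended
# relay paths are permit_mynetworks and permit_sasl_authenticated only.
# reject_unknown_client_hostname is strict: it also rejects clients whose
# reverse name does not resolve back to the connecting address.
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit

# 4b. same as smtpd_recipient_restrictions but different: the rel_* access
# maps are consulted first. Evaluated before 4a; the same OK/PERMIT caveat
# applies to rel_sender.regexp / rel_recipient.regexp.
smtpd_relay_restrictions =
    check_sender_access regexp:/etc/postfix/rel_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rel_recipient.regexp,
    check_sender_access regexp:/etc/postfix/rcpt_sender.regexp,
    check_recipient_access regexp:/etc/postfix/rcpt_recipient.regexp,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit

# 5. checks run after a connection issues "DATA"
# we merge that into recipient and relay restrictions - no need to check everything multiple times.
# smtpd_data_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_pipelining,
#    permit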