aboutsummaryrefslogtreecommitdiffstats
path: root/roles/mail/templates/postfix/main.cf.j2
blob: e9e4a21828b81b207a1f7863014feb5a4ae70d0a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
#
# /usr/local/etc/postfix/main.cf
# Postfix main configuration file, see postconf(5) for details.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
#
# References
# ----------
# * Postfix Configuration Parameters
#   http://www.postfix.org/postconf.5.html
# * Postfix SASL Howto
#   http://www.postfix.org/SASL_README.html
# * Postfix Virtual Domain Hosting Howto
#   http://www.postfix.org/VIRTUAL_README.html
# * Fighting Spam - What can I do as an: Email Administrator, Domain
#   Owner, or User?
#   https://serverfault.com/a/419475/387898
#
#
# Aaron LI
# Created: 2017-04-15
#

{% set mydomain = mail.domains[0] %}

# COMPATIBILITY
#
# The compatibility_level determines what default settings Postfix will
# use for "main.cf" and "master.cf" settings.  These defaults will
# change over time.
#
# To avoid breaking things, Postfix will use backwards-compatible
# default settings and log where it uses those old backwards-compatible
# default settings, until the system administrator has determined
# if any backwards-compatible default settings need to be made
# permanent in "main.cf" or "master.cf".
#
# When this review is complete, update the compatibility_level setting
# below as recommended in the RELEASE_NOTES file.
#
compatibility_level = 2

# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing.  When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no

# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system.  The default is to use the fully-qualified domain name
# from gethostname().  $myhostname is used as a default value for many
# other configuration parameters.
#
myhostname = mail.{{ mydomain }}

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain = {{ mydomain }}

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites.  If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
myorigin = $mydomain

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner.
#
# You MUST specify $myhostname at the start of the text.  That is an
# RFC requirement.  Postfix itself does not care.
#
# NOTE: Give out as little information as possible :-)
#
smtpd_banner = $myhostname ESMTP


##
## RECEIVING MAIL
##

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on.  By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
inet_interfaces = all

# The Internet protocols Postfix will attempt to use when making or
# accepting connections.  'all' for both IPv4 and IPv6.
#
inet_protocols = all

# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting.  By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain + localhost.
# On a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for.  Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace.  A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# NOTE: If the machine is a mail server for its entire domain, then
#       "$mydomain" must be listed as well.
# NOTE: In order to avoid mail delivery loops, you must list all
#       hostnames of the machine, including $myhostname, and
#       localhost.$mydomain
#
# WARNING: NEVER list "virtual_mailbox_domains" or "virtual_alias_domains"
#          names as "mydestination" domains here!
#          See also the below $virtual_mailbox_domains .
#
# NOTE: Since we will use the virtual(8) mailbox delivery agent (i.e.,
#       invoke "dovecot") for $mydomain, we should list $mydomain under
#       $virtual_mailbox_domains instead here!
#
mydestination = $myhostname, localhost.$mydomain, localhost


##
## TRUST AND RELAY CONTROL
##

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix.  See the 'smtpd_recipient_restrictions' parameter.
#
# * host:   (default) trust only the local machine.
# * subnet: trust SMTP clients in the same IP subnetworks as the local
#           machine.
# * class:  trust SMTP clients in the same IP class A/B/C networks as
#           the local machine.
#           WARNING: Don't do this with a dial-up site - it would cause
#           Postfix to "trust" your entire provider's network!  Instead,
#           specify an explicit mynetworks list by hand.
#
mynetworks_style = host

# What destination domains (and subdomains thereof) this system will
# relay mail to, using the $relay_transport delivery.
#
# See also the description of "permit_auth_destination" and
# "reject_unauth_destination" SMTP recipient restrictions.
#
#relay_domains = $mydestination


##
## Mail delivery for system users
##

# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent.  The default list is system dependent.
#
# If you change the alias database, run "postalias /etc/aliases"
# (or wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
alias_maps = hash:/etc/mail/aliases
#
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi".  This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
alias_database = $alias_maps

# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
recipient_delimiter = +

# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery.  The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions.  This is to
# make it easier to specify shell syntax.
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
# See also: https://wiki.dovecot.org/LDA/Postfix
#
mailbox_command =
	/usr/local/libexec/dovecot/deliver
	-f "$SENDER" -a "$RECIPIENT"


##
## SASL authentication and authorization with Dovecot
##
## See: https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
##

# Use the Dovecot SASL implementation
smtpd_sasl_type = dovecot

# Path to the Dovecot authentication server.
# Here the path relative to the Postfix queue directory is used,
# so that it will work whether or not the Postfix SMTP server
# runs chrooted.
smtpd_sasl_path = private/auth

# Enable SASL authentication
smtpd_sasl_auth_enable = yes

# SMTP server policies on SASL mechanisms available to the clients.
#
# SASL mechanism properties:
#   - noanonymous     : don't use mechanisms that permit anonymous
#                       authentication (i.e., disable ANONYMOUS auth);
#   - noplaintext     : don't use mechanisms that transmit unencrypted
#                       username and password information
#                       (i.e., disable PLAIN auth);
#   - nodictionary    : don't use mechanisms that are vulnerable to
#                       dictionary attacks;
#   - forward_secrecy : require forward secrecy between sessions (breaking
#                       one session does not break earlier sessions);
#   - mutual_auth     : use only mechanisms that authenticate both the
#                       client and the server to each other.
#
# NOTE: Always set at least the 'noanonymous' option!
#       Otherwise, the Postfix SMTP server can give strangers the same
#       authorization as a properly-authenticated client!
#
# Allows plaintext mechanisms (e.g., PLAIN, LOGIN), but only over a
# TLS-encrypted connection:
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Offer SASL authentication only after a TLS-encrypted session has
# been established.
smtpd_tls_auth_only = yes

# The name of the Postfix SMTP server's local SASL authentication realm,
# which tells Postfix append a domain name (or any other string) to a
# SASL login name that does not have a domain part (e.g., "username"
# instead of "username@example.com").
# This is useful as a default setting and safety net for misconfigured
# clients.
#smtpd_sasl_local_domain = $mydomain

# Report the SASL authenticated user name in "Received:" message headers.
# NOTE: The SASL login names will be shared with the entire world.
smtpd_sasl_authenticated_header = yes


##
## Access control & address verification
##

# By default, Postfix has a moderately restrictive approach to mail
# relaying.  See the "smtpd_relay_restrictions" parameter for a
# description of the default mail relay policy.
#
# References:
# * Postfix SMTP Relay and Access Control
#   http://www.postfix.org/SMTPD_ACCESS_README.html
# * Postfix Address Verficiation Howto
#   http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# * CentOS Wiki - HowTos - Postfix Restrictions
#   https://wiki.centos.org/HowTos/postfix_restrictions
#

# Example SMTP session explaining the various restrictions/checks:
#+--------------------------------------------------------------------+
#| $ telnet <server> 25
#| <- 220 mail.example.com ESMTP Postfix        # smtpd_client_restrictions
#| -> HELO mail.example.com                     # smtpd_helo_restrictions
#| <- 250 mail.example.com
#| -> MAIL FROM:<sender@example.com>            # smtpd_sender_restrictions
#| <- 250 2.1.0 Ok
#| -> RCPT TO:<recipient@example.com>           # smtpd_recipient_restrictions
#| <- 250 2.1.5 Ok
#| -> DATA                                      # smtpd_data_restrictions
#| <- 354 End data with <CR><LF>.<CR><LF>
#| -> To:<recipient@example.com>                # header_checks
#| -> From:<sender@example.com>
#| -> Subject:SMTP test
#| -> This is a test meesage.                   # body_checks
#| -> .
#| <- 250 2.0.0 Ok: queued as xxxxxxxxxx
#| -> QUIT
#| <- 221 2.0.0 Bye
#+--------------------------------------------------------------------+

# NOTE:
# The HELO name is not related to and doesn't matter for
# 'reject_unknown_client_hostname'.  Note that there are two different
# context of hostname: client (rDNS) vs. HELO (SMTP).
# The *client* hostname is determined by an rDNS lookup of the connecting
# IP.  The resulting rDNS hostname is then looked up, and must resolve
# to the connecting IP.  This is also referred to as "Forward Confirmed
# reverse DNS" (FCrDNS).

# Wait until the "RCPT TO" or "ETRN" commands before evaluating the
# corresponding restriction rules. (default: yes)
#
# This allows Postfix to log recipient address information when rejecting
# a client name/address or sender address.
#
smtpd_delay_reject = yes

# Require that the client sends the HELO/EHLO command before sending
# the MAIL FROM or TERN command, i.e., senders must identify themselves
# before we'll accept e-mail commands from them.  This is important
# because we can use the way the remote server identities itself as a
# basis for accepting or rejecting mail from it --- spammers often
# don't issue proper HELO/EHLO response.
#
# NOTE: This may cause problems with home-grown clients, therefore,
#       this requirement is disabled by default.
#
smtpd_helo_required = yes
#
# Restrictions that the Postfix SMTP server applies in the context of
# a client HELO command.
#
# * reject_non_fqdn_helo_hostname : reject connections if the hostname
#       supplied with the HELO command is not a fully qualified domain
#       name as required by the RFC guidelines.
# * reject_invalid_helo_hostname : reject connection attempts when the
#       HELO hostname syntax is invalid.
# * reject_unknown_helo_hostname : reject messages if the hostname
#       supplied with the helo command doesn't have either a valid DNS
#       A or MX record.
#
# NOTE: set 'smtpd_helo_required=yes' to fully enforce this restriction.
#
# WARNING:
# Do note that the HELO/EHLO check that requires a valid hostname is
# going to drop legitimate mail.  Yes, people running mail servers
# should know better, but there are way to many Exchange servers out
# there that will spit out a HELO line like "localhost.localdomain"
# or "SERVER1.LOCAL" or other nonsense.  Therefore, maintaining a
# whitelist (which is a pain) may be necessary.  In addition, the
# rejections will show up in your logs, so it's possible to enable
# the check and then see who you're blocking.
#
# WARNING:
# The 'reject_unknown_helo_hostname' policy should be used with
# *caution* as it # will reject email from legitimate systems with
# temporary DNS problems and can lead to false positives.
#
smtpd_helo_restrictions =
	permit_mynetworks,
	check_helo_access pcre:$config_directory/helo-access.pcre,
	reject_non_fqdn_helo_hostname,
	reject_invalid_helo_hostname,
	warn_if_reject reject_unknown_helo_hostname,
	permit

# Relay control
# Only local clients and authenticated clients may specify any
# destination domain.
#
# WARNING: The 'reject_unauth_destination' is critically important!
#          The server would be an *open relay* without this!
#
smtpd_relay_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unauth_destination

# Recipient and sender addresses control
#
# * reject_unknown_sender_domain:
#       Reject the request when Postfix is not the final destination
#       for the sender address, and the "MAIL FROM" domain has (1) no
#       DNS MX and no DNS A record, or (2) a malformed MX record.
# * reject_sender_login_mismatch:
#       This subsumes the functionality of both
#       'reject_{un,}authenticated_sender_login_mismatch' (see below).
# * reject_authenticated_sender_login_mismatch:
#       Reject the request when the client is (SASL) logged in (i.e.,
#       authenticated), but the client's login name doesn't own the
#       "MAIL FROM" address according to $smtpd_sender_login_maps .
# * reject_unauthenticated_sender_login_mismatch:
#       Reject the request when $smtpd_sender_login_maps specifies an
#       owner for the "MAIL FROM" address, but the client is not (SASL)
#       logged in as that address' owner (i.e., unauthenticated).
#
# WARNING: Recipient and sender address verification may cause your
#          server to be blacklisted by some providers, due to the
#          possibly frequent address probe (try to connect but cancel
#          mail delivery).  This also increases system load, which may
#          be a problem in the case of a dictionary attack or a flood
#          of backscatter bounces.
#
# Credit: https://serverfault.com/a/540614/387898
#
smtpd_recipient_restrictions =
	reject_unknown_reverse_client_hostname,
	warn_if_reject reject_unknown_client_hostname,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain

# Block clients that speak too early.
# Reject the request when the client sends SMTP commands ahead of
# time where it is not allowed, or when the client sends SMTP commands
# ahead of time without knowing that Postfix actually supports ESMTP
# command pipelining.
#
smtpd_data_restrictions = reject_unauth_pipelining

# A lookup table maps between the SASL login names that own the sender
# (MAIL FROM) addresses.
#
# WARNING: see the explanation in this file on why only enable
#          'reject_sender_login_mismatch' for the "submission" service
#          (see "master.cf")  but not the smtpd(8) service (i.e., the
#          above $smtpd_sender_restrictions).
#
smtpd_sender_login_maps = pcre:$config_directory/login-maps.pcre


##
## TLS settings
##

# List or bit-mask of OpenSSL options to enable.
#
# * NO_COMPRESSION : disable SSL compression even if supported by
#                    the OpenSSL library.  Compression is CPU-intensive,
#                    and compression before encryption does not always
#                    improve security.
tls_ssl_options = NO_COMPRESSION

# Use the Postfix SMTP server's cipher preference order instead of the
# remote client's cipher preference order.
#
tls_preempt_cipherlist = yes


##
## SMTP server TLS settings
##

# Ask remote servers to identify themselves with a certificate.
#
smtpd_tls_ask_ccert = yes

# TLS certificate and key for this server (host)
#
smtpd_tls_cert_file = {{ web.ssl_root }}/$mydomain/fullchain
smtpd_tls_key_file = {{ web.ssl_root }}/$mydomain/key

# A CA bundle used by Postfix to validate remote servers' certificate.
# NOTE: install package 'ca_root_nss'.
#
smtpd_tls_CAfile = /usr/local/etc/ssl/cert.pem

# File with Diffie-Hellman parameters that the Postfix SMTP server
# should use with non-export EDH/DHE ciphers.
#
smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparam4096.pem

# The SMTP TLS security level for the Postfix SMTP server.
# Value "may" tells Postfix that it should use SSL/TLS if the remote
# host supports it, i.e., opportunistic TLS.
# There is a stricter option ("encrypt") to force Postfix to *always*
# encrypt, but that makes your server non-compliant with IETF RFC 2487.
#
smtpd_tls_security_level = may

# The minimum TLS cipher grade that the Postfix SMTP server will use
# with opportunistic/mandatory TLS encryption.
#
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = $smtpd_tls_ciphers

# The SSL/TLS protocols accepted by the Postfix SMTP server with
# opportunistic/mandatory TLS encryption.
#
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = $smtpd_tls_protocols

# Enable EECDH key exchange for Forward Security
#
smtpd_tls_eecdh_grade = ultra

# Enable additional Postfix SMTP server logging of TLS activity.
#   1 : log only a summary message on TLS handshake completion;
#       no logging of client certificate trust-chain verification
#       errors if client certificate verfication is not required.
# NOTE: do NOT use level 2 or higher except in case of problems.
#
smtpd_tls_loglevel = 1

# Request that the Postfix SMTp server produces "Received:" message
# headers that include information about the protocol and cipher
# used, as well as the remote SMTP client CommonName and client
# certificate issuer CommonName.
# NOTE: This is disabled by default, as the information may be modified
#       in transit through other mail servers.  Only information that
#       was recorded by the *final destination* can be trusted.
#
smtpd_tls_received_header = yes

# Name of the file containing the optional Postfix SMTP server TLS
# session cache.  Specify a database type that supports enumeration,
# such as "btree" or "sdbm"; there is no need to support concurrent
# access.  The file is created if it does not exist.
#
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache


##
## SMTP client TLS settings
##

# The default SMTP TLS security level for the Postfix SMTP client.
#   - may : opportunistic TLS.  Use TLS if this is supported by the
#           remote SMTP server, otherwise use plaintext.
#   - encrypt : mandatory TLS!
#
smtp_tls_security_level = may

# The minimum TLS cipher grade that the Postfix SMTP client will use
# with opportunistic/mandatory TLS encryption.
#
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = $smtp_tls_ciphers

# The SSL/TLS protocols accepted by the Postfix SMTP client with
# opportunistic/mandatory TLS encryption.
#
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = $smtp_tls_protocols 

# Enable additional Postfix SMTP client logging of TLS activity.
#
smtp_tls_loglevel = 1

# Log the hostname of a remote SMTP server that offers STARTTLS, when
# TLS is not already enabled for that server.
#
smtp_tls_note_starttls_offer = yes

# Name of the file containing the optional Postfix SMTP client TLS
# session cache.
#
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache


##
## Virtual domain hosting with Dovecot delivery
##

# Postfix virtual MAILBOX: separate domains, non-UNIX accounts,
# and non-Postfix mailbox store (use $virtual_transport).
#
# With the Postfix virtual(8) mailbox delivery agent, every recipient
# address can have its own virtual mailbox. virtual mailbox domains
# ($virtual_mailbox_domains) do not need the clumsy translation from
# each recipient addresses into a different address, and owners of a
# virtual mailbox address do not need to have a UNIX system account.
#

# List of domain(s) that Postfix is the final destination; mail is
# delivered via the $virtual_transport mail delivery transport.
#
# WARNING: NEVER list a "virtual_mailbox_domains" name as a
#          "mydestination" domain above!
#
virtual_mailbox_domains = $config_directory/virtual-domains

# Specfiy the lookup table with all valid recipient addresses.  The
# lookup result (i.e., the right column) is ignored by Postfix when
# using a non-Postfix delivery agent ($virtual_transport).
#
# Credit: http://www.postfix.org/VIRTUAL_README.html#in_virtual_other
#
virtual_mailbox_maps = hash:$config_directory/virtual-users

# Link alias e-mail addresses to real e-mail addresses.
#
# WARNING: NEVER put a virtual MAILBOX wild-card in the virtual
#          ALIAS file!!
#
virtual_alias_maps = hash:$config_directory/virtual-aliases

# With delivery to a non-Postfix mailbox store for hosted domains,
# the 'virtual_transport' parameter usually specifies the Postfix LMTP
# client, or the name of a "master.cf" entry that executes non-Postfix
# software via the 'pipe' delivery agent, which is responsible for the
# next-hop destination for final delivery to domains listed with
# $virtual_mailbox_domains .
#
# NOTE: Add the appropriate service definition in "master.cf" before
#       restart Postfix.
#
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1


##
## Other settings
##

# Do not sends "new mail" notifications to users who have requested
# new mail notification with the UNIX command "biff y".
#
biff = no

# The maximal size of any 'local(8)' individual mailbox or maildir
# file, or zero (no limit).
mailbox_size_limit = 0
#
# The maximal size (byte) of a message, including envelope information.
message_size_limit = 52428800

# The default maximal number of parallel deliveries to the same
# destination.  This is the default limit for delivery via the 'lmtp(8)',
# 'pipe(8)', 'smtp(8)' and 'virtual(8)' delivery agents.
#
default_destination_concurrency_limit = 5

# The maximal number of parallel deliveries to the same destination
# via the relay message delivery transport.  This limit is enforced
# by the queue manager.
#
relay_destination_concurrency_limit = 1

# Disable the SMTP "VRFY" command, which is used to verify that an email
# address exists prior to sending a message, therefore stops some
# techniques used to harvest email addresses.
#
disable_vrfy_command = yes

# Require strictly RFC821 compliant envelopes, which requires that
# addresses received in "MAIL FROM" and "RCPT TO" commands are enclosed
# with <> and do not contain other comments or phrases, e.g.,
# <user@example.com>.
# This stops mail from poorly written software (may reduce spams).
#
strict_rfc821_envelopes = yes


##
## Mail filter (milter) settings
##

# The default action when a Milter (mail filter) application is
# unavailable or mis-configured.
#
milter_default_action = accept

# A list of Milter applications for new mail that arrives via the
# Postfix SMTP server.
#
# * inet:localhost:{{ mail.dkim.port }} - OpenDKIM
#
smtpd_milters = inet:localhost:{{ mail.dkim.port }}

# A list of Milter applications for new mail that does not arrive
# via the Postfix SMTP server.
#
non_smtpd_milters = $smtpd_milters


##
## Postscreen and additional filtering
##
## NOTE: Enable the corresponding daemons/utilities in "master.cf".
##

postscreen_access_list = permit_mynetworks

# Enforce non-spammy connection behavior (and not accept connections
# from clients that try to short-circuit the process to deliver
# spam faster).
#
postscreen_greet_action = enforce

# Enable DNS blacklist checking.
# DNSRBLs (DNS real-time black hole lists) are lists maintained
# by various entities, some companies, and some individuals, filled
# with IP addresses and ranges from which the list maintainer
# believes spam has originated.
#
postscreen_dnsbl_action = enforce
#
# Increase the DNS lookup timeout for the configured local recursive
# resolver by "unbound".
# Default: 10s
#
postscreen_dnsbl_timeout = 30s
#
# Lists:
# * zen.spamhaus.org
# * bl.spamcop.net
# * b.barracudacentral.org
#
# NOTE:
# The "b.barracudacentral.org" RBL requires registration!
# To test the access to this RBL:
#     $ host 2.0.0.127.b.barracudacentral.org
# If nothing returns, then access not granted to the used DNS, and
# registration is required.
# It seems that this RBL do not accept IPv6 address registration!
# See: http://www.barracudacentral.org/rbl/how-to-use
#
# Credit: https://serverfault.com/a/14256
#
# Useful tools:
# * Spam Database Lookup: http://www.dnsbl.info/
#
postscreen_dnsbl_sites =
	zen.spamhaus.org,
	bl.spamcop.net


##
## DEBUGGING CONTROL
##

# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
debugger_command =
	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
	>$config_directory/$process_name.$process_id.log & sleep 5

# vim: set ft=pfmain: