forked from Deuxfleurs/nixcfg
113 lines
3.1 KiB
CFEngine3
113 lines
3.1 KiB
CFEngine3
#===
|
|
# Base configuration
|
|
#===
|
|
myhostname = smtp.deuxfleurs.fr
|
|
alias_maps = hash:/etc/aliases
|
|
alias_database = hash:/etc/aliases
|
|
myorigin = /etc/mailname
|
|
mydestination = smtp.deuxfleurs.fr
|
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
|
|
mailbox_size_limit = 0
|
|
recipient_delimiter = +
|
|
inet_protocols = all
|
|
inet_interfaces = all
|
|
message_size_limit = 204800000
|
|
smtpd_banner = $myhostname
|
|
biff = no
|
|
append_dot_mydomain = no
|
|
readme_directory = no
|
|
compatibility_level = 2
|
|
|
|
#===
|
|
# TLS parameters
|
|
#===
|
|
smtpd_tls_cert_file=/etc/ssl/postfix.crt
|
|
smtpd_tls_key_file=/etc/ssl/postfix.key
|
|
smtpd_tls_dh1024_param_file=auto
|
|
smtpd_use_tls=yes
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
|
|
smtp_tls_security_level = may
|
|
|
|
#===
|
|
# Remove privacy related content from emails
|
|
#===
|
|
mime_header_checks = regexp:/etc/postfix/header_checks
|
|
header_checks = regexp:/etc/postfix/header_checks
|
|
|
|
#===
|
|
# Handle user authentication (handled by dovecot)
|
|
#===
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_path = inet:dovecot-auth.service.prod.consul:1337
|
|
smtpd_sasl_type = dovecot
|
|
|
|
#===
|
|
# Restrictions / Checks
|
|
#===
|
|
# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists
|
|
|
|
# Require a valid HELO
|
|
smtpd_helo_required = yes
|
|
# As we use the same postfix to send and receive,
|
|
# we can't enforce a valid HELO hostname...
|
|
#smtpd_helo_restrictions =
|
|
# reject_unknown_helo_hostname
|
|
|
|
# Require that sender email has a valid domain
|
|
smtpd_sender_restrictions =
|
|
reject_unknown_sender_domain
|
|
|
|
# Delivering email policy
|
|
# MyNetwork is required by sogo
|
|
smtpd_recipient_restrictions =
|
|
permit_sasl_authenticated
|
|
permit_mynetworks
|
|
reject_unauth_destination
|
|
reject_rbl_client zen.spamhaus.org
|
|
reject_rhsbl_reverse_client dbl.spamhaus.org
|
|
reject_rhsbl_helo dbl.spamhaus.org
|
|
reject_rhsbl_sender dbl.spamhaus.org
|
|
|
|
# Sending email policy
|
|
# MyNetwork is required by sogo
|
|
smtpd_relay_restrictions =
|
|
permit_sasl_authenticated
|
|
permit_mynetworks
|
|
reject_unauth_destination
|
|
|
|
# Disable SMTP smuggling attacks
|
|
# https://www.postfix.org/smtp-smuggling.html
|
|
smtpd_forbid_unauth_pipelining = yes
|
|
smtpd_discard_ehlo_keywords = chunking
|
|
smtpd_forbid_bare_newline = yes
|
|
|
|
#===
|
|
# Rate limiting
|
|
#===
|
|
smtpd_client_connection_rate_limit = 2
|
|
# do not rate-limit ourselves
|
|
# in particular, useful for forgejo who opens a lot of SMTP connections
|
|
smtpd_client_event_limit_exceptions = $mynetworks /etc/postfix/rate-limit-exceptions
|
|
|
|
slow_destination_recipient_limit = 20
|
|
slow_destination_concurrency_limit = 2
|
|
|
|
#====
|
|
# Transport configuration
|
|
#====
|
|
default_transport = smtp-ipv4
|
|
transport_maps = hash:/etc/postfix/transport
|
|
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
|
|
virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf
|
|
virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
|
|
virtual_transport = lmtp:dovecot-lmtp.service.prod.consul:24
|
|
|
|
#===
|
|
# Mail filters
|
|
#===
|
|
milter_default_action = accept
|
|
milter_protocol = 6
|
|
smtpd_milters = inet:opendkim.service.prod.consul:8999
|
|
non_smtpd_milters = inet:opendkim.service.prod.consul:8999
|