Mailu/core/postfix/conf/main.cf

###############
# General
###############

# Main domain and hostname
mydomain = {{ DOMAIN }}
myhostname = {{ HOSTNAMES.split(",")[0] }}
myorigin = $mydomain
maillog_file = /dev/stdout

# Queue location
queue_directory = /queue

# Message size limit
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}

# Relayed networks
mynetworks = 127.0.0.1/32 {{ SUBNET }} {% if SUBNET6 %}[::1]/128 {{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %} {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(" ") }}{% endif %}

# Empty alias list to override the configuration variable and disable NIS
alias_maps =

# Podop configuration
podop = socketmap:unix:/tmp/podop.socket:

postscreen_upstream_proxy_protocol = haproxy
compatibility_level=3.6

# Only accept virtual emails
mydestination =

# Relayhost if any is configured
relayhost = {{ RELAYHOST }}
{% if RELAYUSER %}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
{% endif %}

# Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }}

###############
# TLS
###############

# General TLS configuration
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_TICKET

# By default, outgoing TLS is more flexible because
# 1. not all receiving servers will support TLS,
# 2. not all will have and up-to-date TLS stack.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay

###############
# Virtual
###############

# The alias map actually returns both aliases and local mailboxes, which is
# required for reject_unlisted_sender to work properly
virtual_alias_domains =
virtual_alias_maps = ${podop}alias
virtual_mailbox_domains = ${podop}domain
virtual_mailbox_maps = ${podop}mailbox

# Mails are transported if required, then forwarded to Dovecot for delivery
relay_domains = ${podop}transport
transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport
virtual_transport = lmtp:inet:{{ IMAP_ADDRESS }}:2525

# Sender and recipient canonical maps, mostly for SRS
sender_canonical_maps = ${podop}sendermap
sender_canonical_classes = envelope_sender
recipient_canonical_maps = ${podop}recipientmap
recipient_canonical_classes= envelope_recipient,header_recipient

# In order to prevent Postfix from running DNS query, enforce the use of the
# native DNS stack, that will check /etc/hosts properly.
lmtp_host_lookup = native

###############
# Restrictions
###############

# Delay all rejects until all information can be logged
smtpd_delay_reject = yes

# Allowed senders are: the user or one of the alias destinations
smtpd_sender_login_maps = ${podop}senderlogin

# Restrictions for incoming SMTP, other restrictions are applied in master.cf
smtpd_helo_required = yes

check_ratelimit = check_sasl_access ${podop}senderrate

smtpd_client_restrictions =
  permit_mynetworks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit

smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination

unverified_recipient_reject_reason = Address lookup failure

smtpd_authorized_xclient_hosts={{ SUBNET }}{% if SUBNET6 %},{{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %}

###############
# Milter
###############

smtpd_milters = inet:{{ ANTISPAM_ADDRESS }}:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = tempfail

###############
# Extra Settings
###############
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
{{- "\n" }}
Simple yet functional dovecot+postfix 2016-02-17 23:56:40 +02:00			`###############`
			`# General`
			`###############`
Import and clean vmm provided configuration files 2016-01-18 22:43:52 +02:00
Switch to env_file and deploy amavis 2016-03-02 22:25:56 +02:00			`# Main domain and hostname`
			`mydomain = {{ DOMAIN }}`
Support specifyin multiple hostnames 2017-09-24 17:49:39 +02:00			`myhostname = {{ HOSTNAMES.split(",")[0] }}`
Switch to env_file and deploy amavis 2016-03-02 22:25:56 +02:00			`myorigin = $mydomain`
Fix logs in the SMTP container 2023-04-21 14:42:25 +02:00			`maillog_file = /dev/stdout`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Mount the postfix queue as a volume, fixes #211 2017-07-02 16:39:00 +02:00			`# Queue location`
			`queue_directory = /queue`

Default message_size_limit to 50MB Add MESSAGE_SIZE_LIMIT variable in .env to allow setting the message size limit for postfix. 2016-09-25 01:46:10 +02:00			`# Message size limit`
			`message_size_limit = {{ MESSAGE_SIZE_LIMIT }}`

Switch to env_file and deploy amavis 2016-03-02 22:25:56 +02:00			`# Relayed networks`
Skip listen to v6 when SUBNET6 is not set 2023-01-25 16:55:35 +02:00			`mynetworks = 127.0.0.1/32 {{ SUBNET }} {% if SUBNET6 %}[::1]/128 {{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %} {% if RELAYNETS %}{{ RELAYNETS.split(",") \| join(" ") }}{% endif %}`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Simple yet functional dovecot+postfix 2016-02-17 23:56:40 +02:00			`# Empty alias list to override the configuration variable and disable NIS`
Empty alias map to avoid warnings about /etc/aliases, fixes #84 2016-10-19 15:09:26 +02:00			`alias_maps =`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Switch postfix to Podop 2018-07-26 21:57:21 +02:00			`# Podop configuration`
			`podop = socketmap:unix:/tmp/podop.socket:`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Same for front-smtp This should enable postfix to have visibility on TLS usage and fix the following: #1705 2022-12-28 16:21:28 +02:00			`postscreen_upstream_proxy_protocol = haproxy`
Tweak postfix logging 2022-12-28 17:05:39 +02:00			`compatibility_level=3.6`
Same for front-smtp This should enable postfix to have visibility on TLS usage and fix the following: #1705 2022-12-28 16:21:28 +02:00
Actually bind flask-admin to the mail servers 2016-02-20 21:11:59 +02:00			`# Only accept virtual emails`
			`mydestination =`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Add a RELAYHOST configuration value, fixes #27 2016-08-18 16:08:36 +02:00			`# Relayhost if any is configured`
			`relayhost = {{ RELAYHOST }}`
Add authentication for email relays 2019-03-04 19:52:04 +02:00			`{% if RELAYUSER %}`
			`smtp_sasl_auth_enable = yes`
Alpine has removed support for btree and hash 2021-08-08 19:18:33 +02:00			`smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd`
Don't send credentials in clear ever 2021-08-09 16:55:23 +02:00			`smtp_sasl_security_options = noanonymous, noplaintext`
			`smtp_sasl_tls_security_options = noanonymous`
Add authentication for email relays 2019-03-04 19:52:04 +02:00			`{% endif %}`
Import and clean vmm provided configuration files 2016-01-18 22:43:52 +02:00
Add a recipient delimiter for extended addresses 2017-09-03 16:18:08 +02:00			`# Recipient delimiter for extended addresses`
Make the recipient delimiter customizeable, fixes #233 and #164 2017-09-10 14:09:16 +02:00			`recipient_delimiter = {{ RECIPIENT_DELIMITER }}`
Add a recipient delimiter for extended addresses 2017-09-03 16:18:08 +02:00
Simple yet functional dovecot+postfix 2016-02-17 23:56:40 +02:00			`###############`
			`# TLS`
			`###############`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Apply strong TLS to opportunistic encryption as well 2017-01-23 22:29:02 +02:00			`# General TLS configuration`
			`tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA`
			`tls_preempt_cipherlist = yes`
give PFS a chance 2021-08-01 10:16:46 +02:00			`tls_ssl_options = NO_COMPRESSION, NO_TICKET`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Allow to enforce TLS for outbound using OUTBOUND_TLS_LEVEL=encrypt (default is 'may') 2020-05-02 20:58:07 +02:00			`# By default, outgoing TLS is more flexible because`
			`# 1. not all receiving servers will support TLS,`
			`# 2. not all will have and up-to-date TLS stack.`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00			`smtp_tls_mandatory_protocols = !SSLv2, !SSLv3`
			`smtp_tls_protocols =!SSLv2,!SSLv3`
Introduce DEFER_ON_TLS_ERROR This will default to True and defer emails that fail even "loose" validation of DANE or MTA-STS It should work most of the time but if it doesn't and you would rather see your emails delivered, you can turn it off. 2021-08-30 14:21:28 +02:00			`smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL\|default('dane') }}`
handle DEFER_ON_TLS_ERROR as bool use /conf/mta-sts-daemon.yml when override is missing 2021-09-09 17:30:46 +02:00			`smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}`
forgot about alpine/lmdb 2021-09-01 08:41:39 +02:00			`smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix`
add a default tls_policy_map 2021-08-01 11:09:44 +02:00			`smtp_tls_CApath = /etc/ssl/certs`
fix PFS 2021-08-09 17:39:15 +02:00			`smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache`
			`smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache`
add additional options to make DANE easier 2021-08-20 14:11:41 +02:00			`smtp_host_lookup = dns`
			`smtp_dns_support_level = dnssec`
Introduce DEFER_ON_TLS_ERROR This will default to True and defer emails that fail even "loose" validation of DANE or MTA-STS It should work most of the time but if it doesn't and you would rather see your emails delivered, you can turn it off. 2021-08-30 14:21:28 +02:00			`delay_warning_time = 5m`
			`smtp_tls_loglevel = 1`
			`notify_classes = resource, software, delay`
Import and clean vmm provided configuration files 2016-01-18 22:43:52 +02:00
Simple yet functional dovecot+postfix 2016-02-17 23:56:40 +02:00			`###############`
			`# Virtual`
			`###############`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Add a virtual_mailbox_maps for unlisted senders to be rejected, fixes #95 2016-11-01 13:57:22 +02:00			`# The alias map actually returns both aliases and local mailboxes, which is`
			`# required for reject_unlisted_sender to work properly`
Update podop access and mail restrictions 2018-09-26 00:15:24 +02:00			`virtual_alias_domains =`
			`virtual_alias_maps = ${podop}alias`
			`virtual_mailbox_domains = ${podop}domain`
			`virtual_mailbox_maps = ${podop}mailbox`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Add a (not working) postfix conf for transports 2017-09-11 08:12:04 +02:00			`# Mails are transported if required, then forwarded to Dovecot for delivery`
Handle relays as virtual transports through podop 2018-09-27 16:30:20 +02:00			`relay_domains = ${podop}transport`
Implement #2213: slow transports 2022-02-19 19:37:37 +02:00			`transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport`
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`virtual_transport = lmtp:inet:{{ IMAP_ADDRESS }}:2525`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Add support for SRS, related to #328 2020-01-14 02:18:30 +02:00			`# Sender and recipient canonical maps, mostly for SRS`
			`sender_canonical_maps = ${podop}sendermap`
			`sender_canonical_classes = envelope_sender`
			`recipient_canonical_maps = ${podop}recipientmap`
			`recipient_canonical_classes= envelope_recipient,header_recipient`

Add some documentation to the Postfix configuration 2016-08-19 13:43:01 +02:00			`# In order to prevent Postfix from running DNS query, enforce the use of the`
			`# native DNS stack, that will check /etc/hosts properly.`
Move to Docker Compose and multiple containers 2016-02-24 08:44:49 +02:00			`lmtp_host_lookup = native`
Enable milter in postfix and run the containers 2016-05-29 15:54:34 +02:00
Add postfix restrictions, related to #95 2016-11-01 12:05:47 +02:00			`###############`
			`# Restrictions`
			`###############`

			`# Delay all rejects until all information can be logged`
			`smtpd_delay_reject = yes`

			`# Allowed senders are: the user or one of the alias destinations`
Separate senderaccess and senderlogin maps 2018-10-07 16:23:53 +02:00			`smtpd_sender_login_maps = ${podop}senderlogin`
Add postfix restrictions, related to #95 2016-11-01 12:05:47 +02:00
Add a specific server for xclient-authenticated connections 2017-10-22 15:00:16 +02:00			`# Restrictions for incoming SMTP, other restrictions are applied in master.cf`
Add postfix restrictions, related to #95 2016-11-01 12:05:47 +02:00			`smtpd_helo_required = yes`

Apply the restriction on the right port 2021-08-09 14:58:58 +02:00			`check_ratelimit = check_sasl_access ${podop}senderrate`

Update podop access and mail restrictions 2018-09-26 00:15:24 +02:00			`smtpd_client_restrictions =`
Add a specific server for xclient-authenticated connections 2017-10-22 15:00:16 +02:00			`permit_mynetworks,`
			`reject_non_fqdn_sender,`
			`reject_unknown_sender_domain,`
			`reject_unknown_recipient_domain,`
			`permit`
Add postfix restrictions, related to #95 2016-11-01 12:05:47 +02:00
Update podop access and mail restrictions 2018-09-26 00:15:24 +02:00			`smtpd_relay_restrictions =`
			`permit_mynetworks,`
			`permit_sasl_authenticated,`
Fix relay restrictions so email gets delivered correctly 2018-10-07 01:28:22 +02:00			`reject_unauth_destination`
Update podop access and mail restrictions 2018-09-26 00:15:24 +02:00
Update main.cf 2017-12-04 23:04:22 +02:00			`unverified_recipient_reject_reason = Address lookup failure`

Skip listen to v6 when SUBNET6 is not set 2023-01-25 16:55:35 +02:00			`smtpd_authorized_xclient_hosts={{ SUBNET }}{% if SUBNET6 %},{{ "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) }}{% endif %}`
doh 2023-01-05 19:14:19 +02:00
Enable milter in postfix and run the containers 2016-05-29 15:54:34 +02:00			`###############`
			`# Milter`
			`###############`
Apply the BetterCrypto Postfix configuration, related to #45 2016-08-19 13:49:58 +02:00
Enable dynamic resolution of hostnames 2022-12-08 13:46:31 +02:00			`smtpd_milters = inet:{{ ANTISPAM_ADDRESS }}:11332`
Enable milter in postfix and run the containers 2016-05-29 15:54:34 +02:00			`milter_protocol = 6`
			`milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}`
Added config folder for Postfix 2016-08-01 10:29:15 +02:00			`milter_default_action = tempfail`

			`###############`
			`# Extra Settings`
			`###############`
Ensure that the rendered file ends with newline in order to make `postconf` work correctly 2020-10-04 16:36:37 +02:00			{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
			`{{- "\n" }}`