1
0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-20 20:22:38 +02:00
Mailu/core/postfix/conf/main.cf

140 lines
4.2 KiB
CFEngine3
Raw Normal View History

2016-02-17 23:56:40 +02:00
###############
# General
###############
2016-03-02 22:25:56 +02:00
# Main domain and hostname
mydomain = {{ DOMAIN }}
2017-09-24 17:49:39 +02:00
myhostname = {{ HOSTNAMES.split(",")[0] }}
2016-03-02 22:25:56 +02:00
myorigin = $mydomain
# Queue location
queue_directory = /queue
# Message size limit
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
2016-03-02 22:25:56 +02:00
# Relayed networks
mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(' ') }}{% endif %}
2016-02-17 23:56:40 +02:00
# Empty alias list to override the configuration variable and disable NIS
alias_maps =
2018-07-26 21:57:21 +02:00
# Podop configuration
podop = socketmap:unix:/tmp/podop.socket:
postscreen_upstream_proxy_protocol = haproxy
2022-12-28 17:05:39 +02:00
compatibility_level=3.6
# Only accept virtual emails
mydestination =
# Relayhost if any is configured
relayhost = {{ RELAYHOST }}
2019-03-04 19:52:04 +02:00
{% if RELAYUSER %}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
2021-08-09 16:55:23 +02:00
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
2019-03-04 19:52:04 +02:00
{% endif %}
# Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }}
2016-02-17 23:56:40 +02:00
###############
# TLS
###############
# General TLS configuration
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
2021-08-01 10:16:46 +02:00
tls_ssl_options = NO_COMPRESSION, NO_TICKET
# By default, outgoing TLS is more flexible because
# 1. not all receiving servers will support TLS,
# 2. not all will have and up-to-date TLS stack.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =!SSLv2,!SSLv3
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
2021-09-01 08:41:39 +02:00
smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
2021-08-01 11:09:44 +02:00
smtp_tls_CApath = /etc/ssl/certs
2021-08-09 17:39:15 +02:00
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay
2016-02-17 23:56:40 +02:00
###############
# Virtual
###############
# The alias map actually returns both aliases and local mailboxes, which is
# required for reject_unlisted_sender to work properly
virtual_alias_domains =
virtual_alias_maps = ${podop}alias
virtual_mailbox_domains = ${podop}domain
virtual_mailbox_maps = ${podop}mailbox
# Mails are transported if required, then forwarded to Dovecot for delivery
relay_domains = ${podop}transport
2022-02-19 19:37:37 +02:00
transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport
2022-12-08 13:46:31 +02:00
virtual_transport = lmtp:inet:{{ IMAP_ADDRESS }}:2525
2020-01-14 02:18:30 +02:00
# Sender and recipient canonical maps, mostly for SRS
sender_canonical_maps = ${podop}sendermap
sender_canonical_classes = envelope_sender
recipient_canonical_maps = ${podop}recipientmap
recipient_canonical_classes= envelope_recipient,header_recipient
# In order to prevent Postfix from running DNS query, enforce the use of the
# native DNS stack, that will check /etc/hosts properly.
lmtp_host_lookup = native
###############
# Restrictions
###############
# Delay all rejects until all information can be logged
smtpd_delay_reject = yes
# Allowed senders are: the user or one of the alias destinations
smtpd_sender_login_maps = ${podop}senderlogin
# Restrictions for incoming SMTP, other restrictions are applied in master.cf
smtpd_helo_required = yes
check_ratelimit = check_sasl_access ${podop}senderrate
smtpd_client_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
2017-12-04 23:04:22 +02:00
unverified_recipient_reject_reason = Address lookup failure
2023-01-05 19:14:19 +02:00
smtpd_authorized_xclient_hosts={{ SUBNET}},{{ SUBNET6 }}
###############
# Milter
###############
2022-12-08 13:46:31 +02:00
smtpd_milters = inet:{{ ANTISPAM_ADDRESS }}:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
2016-08-01 10:29:15 +02:00
milter_default_action = tempfail
###############
# Extra Settings
###############
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
{{- "\n" }}