This will default to True and defer emails that fail even "loose" validation of DANE or MTA-STS. It should work most of the time, but if it doesn't and you would rather see your emails delivered, you can turn it off.
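###############
# General
###############
# Postfix main.cf template (Mailu). {{ ... }} and {% ... %} are expanded by
# Jinja before Postfix reads the file. Postfix has no inline comments: "#"
# only starts a comment at column 0, and a line that begins with whitespace
# continues the value on the line above, so multi-value settings below must
# keep their continuation lines indented.

# Logging configuration
# Log to the container's stdout instead of a file or syslog.
maillog_file = /dev/stdout

# Main domain and hostname
# myhostname is the first entry of the comma-separated HOSTNAMES list.
mydomain = {{ DOMAIN }}
myhostname = {{ HOSTNAMES.split(",")[0] }}
myorigin = $mydomain

# Queue location
queue_directory = /queue

# Message size limit
# Bytes; rendered from MESSAGE_SIZE_LIMIT.
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}

# Relayed networks
# Hosts in these ranges match permit_mynetworks in the restriction lists
# below and may relay without authentication; SUBNET and RELAYNETS should
# therefore only cover hosts that are trusted to send mail.
mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}

# Empty alias list to override the configuration variable and disable NIS
alias_maps =

# Podop configuration
# Socketmap to the podop lookup service; the table name (alias, domain,
# mailbox, transport, ...) is appended where ${podop} is expanded below.
podop = socketmap:unix:/tmp/podop.socket:

# Only accept virtual emails
# No local delivery domains: every domain is served through the virtual maps.
mydestination =

# Relayhost if any is configured
relayhost = {{ RELAYHOST }}
{% if RELAYUSER %}
# Outbound SASL towards the relayhost. The credentials live on disk in the
# lmdb map, so that file should stay readable by Postfix only. Plaintext
# mechanisms are refused on unencrypted sessions (noplaintext) and allowed
# only once TLS is up, via the _tls_ variant of the option.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
{% endif %}

# Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }}

# Only the front server is allowed to perform xclient
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
# Any host in this range can override client attributes via XCLIENT, so the
# range must not include untrusted hosts.
smtpd_authorized_xclient_hosts = {{ POD_ADDRESS_RANGE or SUBNET }}

###############
# TLS
###############

# General TLS configuration
# Explicit cipher list for the "high" grade; the !-prefixed entries exclude
# anonymous/null, export, RC4, 3DES, MD5, SEED and IDEA suites.
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# The server's cipher preference order wins over the client's.
tls_preempt_cipherlist = yes
# TLS compression and session tickets are disabled.
tls_ssl_options = NO_COMPRESSION, NO_TICKET

# By default, outgoing TLS is more flexible because
# 1. not all receiving servers will support TLS,
# 2. not all will have and up-to-date TLS stack.
# Only SSLv2/SSLv3 are excluded here, so outbound sessions may still
# negotiate TLSv1.0/1.1 with peers that offer nothing better.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Outbound level defaults to "dane": opportunistic TLS that becomes
# mandatory and authenticated when the destination publishes TLSA records.
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
# Keep using DANE even when the MX RRset itself was not DNSSEC-validated.
smtp_tls_dane_insecure_mx_policy = dane
# Per-destination policy: the static hash map is consulted first, then the
# MTA-STS resolver behind the socketmap.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
# Trust anchors used for policies that verify the peer certificate.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
# DNS-based, DNSSEC-aware lookups are required for DANE to be effective.
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
# Warn senders after 5 minutes of deferral; log a TLS summary per session.
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay

###############
# Virtual
###############

# The alias map actually returns both aliases and local mailboxes, which is
# required for reject_unlisted_sender to work properly
virtual_alias_domains =
virtual_alias_maps = ${podop}alias
virtual_mailbox_domains = ${podop}domain
virtual_mailbox_maps = ${podop}mailbox

# Mails are transported if required, then forwarded to Dovecot for delivery
relay_domains = ${podop}transport
transport_maps = ${podop}transport
virtual_transport = lmtp:inet:{{ LMTP_ADDRESS }}

# Sender and recipient canonical maps, mostly for SRS
sender_canonical_maps = ${podop}sendermap
sender_canonical_classes = envelope_sender
recipient_canonical_maps = ${podop}recipientmap
recipient_canonical_classes = envelope_recipient, header_recipient

# In order to prevent Postfix from running DNS query, enforce the use of the
# native DNS stack, that will check /etc/hosts properly.
lmtp_host_lookup = native

###############
# Restrictions
###############

# Delay all rejects until all information can be logged
smtpd_delay_reject = yes

# Allowed senders are: the user or one of the alias destinations
# Consumed by the sender/login mismatch checks (presumably in master.cf).
smtpd_sender_login_maps = ${podop}senderlogin

# Restrictions for incoming SMTP, other restrictions are applied in master.cf
smtpd_helo_required = yes

# User-defined parameter: rate limiting keyed on the SASL login name, looked
# up through podop. Presumably referenced from master.cf restriction lists.
check_ratelimit = check_sasl_access ${podop}senderrate

# Evaluated in order; permit_mynetworks short-circuits, so hosts inside
# mynetworks skip the sender checks that follow. Continuation lines must
# start with whitespace or Postfix fails to parse the file.
smtpd_client_restrictions =
    permit_mynetworks,
    check_sender_access ${podop}senderaccess,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit

# Open-relay protection: only mynetworks and authenticated users may relay
# to destinations this server is not responsible for.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

unverified_recipient_reject_reason = Address lookup failure

###############
# Milter
###############

# Antispam milter; auth_authen (the SASL login) is passed so the milter can
# tell authenticated submissions from inbound mail.
smtpd_milters = inet:{{ ANTISPAM_MILTER_ADDRESS }}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Fail closed: if the milter is unreachable, mail is deferred with a
# temporary error rather than accepted unfiltered.
milter_default_action = tempfail

###############
# Extra Settings
###############
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
{{- "\n" }}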