mirror of
https://github.com/Mailu/Mailu.git
synced 2024-12-20 20:22:38 +02:00
b57df78dac
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens ## What type of PR? Feature ## What does this PR do? A conflict-free version of #1360 implementing per-user sender limits ### Related issue(s) - close #1360 - close #1031 - close #1774 ## Prerequistes Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
135 lines
4.0 KiB
CFEngine3
135 lines
4.0 KiB
CFEngine3
###############
|
|
# General
|
|
###############
|
|
|
|
# Logging configuration
|
|
maillog_file = /dev/stdout
|
|
|
|
# Main domain and hostname
|
|
mydomain = {{ DOMAIN }}
|
|
myhostname = {{ HOSTNAMES.split(",")[0] }}
|
|
myorigin = $mydomain
|
|
|
|
# Queue location
|
|
queue_directory = /queue
|
|
|
|
# Message size limit
|
|
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
|
|
|
|
# Relayed networks
|
|
mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
|
|
|
|
# Empty alias list to override the configuration variable and disable NIS
|
|
alias_maps =
|
|
|
|
# Podop configuration
|
|
podop = socketmap:unix:/tmp/podop.socket:
|
|
|
|
# Only accept virtual emails
|
|
mydestination =
|
|
|
|
# Relayhost if any is configured
|
|
relayhost = {{ RELAYHOST }}
|
|
{% if RELAYUSER %}
|
|
smtp_sasl_auth_enable = yes
|
|
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
|
|
smtp_sasl_security_options = noanonymous, noplaintext
|
|
smtp_sasl_tls_security_options = noanonymous
|
|
{% endif %}
|
|
|
|
# Recipient delimiter for extended addresses
|
|
recipient_delimiter = {{ RECIPIENT_DELIMITER }}
|
|
|
|
# Only the front server is allowed to perform xclient
|
|
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
|
|
smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
|
|
|
|
###############
|
|
# TLS
|
|
###############
|
|
|
|
# General TLS configuration
|
|
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
|
|
tls_preempt_cipherlist = yes
|
|
tls_ssl_options = NO_COMPRESSION, NO_TICKET
|
|
|
|
# By default, outgoing TLS is more flexible because
|
|
# 1. not all receiving servers will support TLS,
|
|
# 2. not all will have and up-to-date TLS stack.
|
|
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
smtp_tls_protocols =!SSLv2,!SSLv3
|
|
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
|
|
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
|
|
|
|
###############
|
|
# Virtual
|
|
###############
|
|
|
|
# The alias map actually returns both aliases and local mailboxes, which is
|
|
# required for reject_unlisted_sender to work properly
|
|
virtual_alias_domains =
|
|
virtual_alias_maps = ${podop}alias
|
|
virtual_mailbox_domains = ${podop}domain
|
|
virtual_mailbox_maps = ${podop}mailbox
|
|
|
|
# Mails are transported if required, then forwarded to Dovecot for delivery
|
|
relay_domains = ${podop}transport
|
|
transport_maps = ${podop}transport
|
|
virtual_transport = lmtp:inet:{{ LMTP_ADDRESS }}
|
|
|
|
# Sender and recipient canonical maps, mostly for SRS
|
|
sender_canonical_maps = ${podop}sendermap
|
|
sender_canonical_classes = envelope_sender
|
|
recipient_canonical_maps = ${podop}recipientmap
|
|
recipient_canonical_classes= envelope_recipient,header_recipient
|
|
|
|
# In order to prevent Postfix from running DNS query, enforce the use of the
|
|
# native DNS stack, that will check /etc/hosts properly.
|
|
lmtp_host_lookup = native
|
|
|
|
###############
|
|
# Restrictions
|
|
###############
|
|
|
|
# Delay all rejects until all information can be logged
|
|
smtpd_delay_reject = yes
|
|
|
|
# Allowed senders are: the user or one of the alias destinations
|
|
smtpd_sender_login_maps = ${podop}senderlogin
|
|
|
|
# Restrictions for incoming SMTP, other restrictions are applied in master.cf
|
|
smtpd_helo_required = yes
|
|
|
|
check_ratelimit = check_sasl_access ${podop}senderrate
|
|
|
|
smtpd_client_restrictions =
|
|
permit_mynetworks,
|
|
check_sender_access ${podop}senderaccess,
|
|
reject_non_fqdn_sender,
|
|
reject_unknown_sender_domain,
|
|
reject_unknown_recipient_domain,
|
|
permit
|
|
|
|
smtpd_relay_restrictions =
|
|
permit_mynetworks,
|
|
permit_sasl_authenticated,
|
|
reject_unauth_destination
|
|
|
|
unverified_recipient_reject_reason = Address lookup failure
|
|
|
|
###############
|
|
# Milter
|
|
###############
|
|
|
|
smtpd_milters = inet:{{ ANTISPAM_MILTER_ADDRESS }}
|
|
milter_protocol = 6
|
|
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
|
milter_default_action = tempfail
|
|
|
|
###############
|
|
# Extra Settings
|
|
###############
|
|
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
|
|
{{- "\n" }}
|