### CRUX-ADDON default_privs = _postfix_xlocal setgid_group = _postfix_queue mail_spool_directory = /var/spool/mail alias_database = lmdb:$meta_directory/aliases alias_maps = $alias_database # all # or ipv4, ipv6 or ipv4 or ipv6 inet_protocols = all #myhostname = crux-box # default: gethostname #mydomain = localdomain # default: $myhostname less one component #myorigin = $mydomain # , lists.$myhostname mydestination = $myhostname, localhost.$mydomain, localhost mynetworks_style = host # mynetworks: which addresses we treat as belonging to "our network". # RFC 1918 defines several "address ranges for private internets", # one class A, 16 class B, 256 class C networks: # 10.0.0.0 - 10.255.255.255 (10/8 prefix) # 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) # 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) # In practice these are used by WLAN and other such networks, which is not # "our" per se. RFC 5737 defines several blocks "reserved for documentation" # that SHOULD NOT occur on the public internet, so they should be blocked on # ingress and better not leave on egress, but they can be assigned to local # namespaces etc., and be used within VPNs: # 192.0.2.0 - 192.0.2.255 (192.0.2.0/24, TEST-NET-1, from RFC 1166) # 198.51.100.0 - 198.51.100.255 (198.51.100.0/24, TEST-NET-2) # 203.0.113.0 - 203.0.113.255 (203.0.113.0/24, TEST-NET-3) # Dunno how to specify IPv6 link-local and site-local #mynetworks = 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 127.0.0.0/8 mynetworks = 127.0.0.0/8 #inet_interfaces = localhost #inet_interfaces = $myhostname, localhost inet_interfaces = all #debug_peer_list = localhost smtputf8_enable = no disable_vrfy_command = yes default_verp_delimiters = -= verp_delimiter_filter = -= recipient_delimiter = + default_process_limit = 8 anvil_rate_time_unit = 60s anvil_status_update_time = 3600s #n_flow_delay = 1s body_checks_size_limit = 102400 bounce_size_limit = 50000 #header_size_limit = 102400 mailbox_size_limit = 100000000 message_size_limit = 442000 ## TLSPROXY(8) (where diverging from daemon / client) tls_append_default_CA = no ## POSTFIX DAEMON # Calculate: # openssl x509 -noout -sha256 -fingerprint < CERT.pem # OR # openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c # Put the hash only in relay_clientcerts, right hand value is not inspected: # FINGERPRINT-HERE whatever value # Search #RELAY for this, uncomment #RELAY relay_clientcerts = lmdb:$meta_directory/relay_clientcerts # relay_domains <-> reject_unauth_destination,permit_auth_destination # eg lmdb:$meta_directory/transport transport_maps = relay_domains = $mynetworks,$transport_maps # Only localhost for mailing-lists etc.; maybe $mynetworks? smtpd_authorized_verp_clients = 127.0.0.1 # Clients connection checks smtpd_client_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, check_client_access lmdb:$meta_directory/client_restrict, reject_unknown_client_hostname, # in case you want reject DNS blacklists rather than greylist them, # exchange sleep (maybe) and uncomment the lines below sleep 1, #reject_rbl_client cbl.abuseat.org, #reject_rbl_client sbl.spamhaus.org, #DNSDL reject_rbl_client zen.spamhaus.org, #DNSDL reject_rbl_client dnsbl.sorbs.net, #reject_rbl_client bl.spamcop.net, #reject_rbl_client list.dsbl.org, reject_unauth_pipelining, #reject permit smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_helo_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit # MAIL FROM Checks smtpd_sender_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY reject_authenticated_sender_login_mismatch, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_non_fqdn_sender, # Total no-goes database, eg: qq.com reject check_sender_access lmdb:$meta_directory/sender_restrict, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, #GRAY: with --focus-sender only! And --msg-allow=permit #GRAY check_policy_service unix:private/postgray, #VERIFY(..then) reject_unverified_sender, permit smtpd_relay_before_recipient_restrictions = yes # RCPT TO checks, relay policy # Local clients and authenticated clients may specify any destination domain smtpd_relay_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_non_fqdn_recipient, #permit_auth_destination, #reject reject_unauth_destination, permit # RCPT TO checks, spam blocking policy # Match fast for $mynetworks and authenticated clients. smtpd_recipient_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_unknown_recipient_domain, # DB of MAIL FROM's without policy server checks (one way, or another) check_sender_access lmdb:$meta_directory/sender_access, #check_policy_service inet:127.0.0.1:5525, #GRAY: without --focus-sender #GRAY check_policy_service unix:private/postgray, #VERIFY(..then) reject_unverified_sender, #(VERIFY would not) reject_unverified_recipient, permit # i would turn that on.. #smtpd_delay_reject = no smtpd_helo_required = yes smtpd_hard_error_limit = 2 smtpd_soft_error_limit = 1 smtpd_per_record_deadline = yes smtpd_timeout = 15s smtpd_starttls_timeout = 15s smtpd_junk_command_limit = 5 #smtpd_log_access_permit_actions = # permit_tls_clientcerts, # permit_sasl_authenticated #smtpd_client_connection_rate_limit = 20 #smtpd_client_connection_count_limit = 2 #VERIFY address_verify_map = lmdb:$data_directory/verify_cache #VERIFY address_verify_cache_cleanup_interval = 86400s #TLS Do not forget to look into master.cf! # That one is for client certificates! #smtpd_tls_CAfile = /etc/dovecot/cert.pem #TLS smtpd_tls_chain_files = $meta_directory/key_and_cert.pem #TLS smtpd_tls_dh1024_param_file = $meta_directory/dh2048.pem # This are managed per-service in master.cf! #smtpd_tls_security_level = none #RELAY smtpd_tls_ask_ccert = yes smtpd_tls_ask_ccert = no smtpd_tls_auth_only = yes smtpd_tls_loglevel = 1 #SMART The next is usually nice but when using client certificates smtpd_tls_received_header = no smtpd_tls_fingerprint_digest = sha256 smtpd_tls_mandatory_protocols = >=TLSv1.2 smtpd_tls_protocols = $smtpd_tls_mandatory_protocols smtpd_tls_mandatory_ciphers = medium smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache smtpd_tls_session_cache_timeout = 3600s # Usually enabled per-service in master.cf! #smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = no smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous ## POSTFIX CLIENT #TLS comment out next #SMART comment out next smtp_tls_security_level = may # To always go directly SMTPS/SUBMISSIONS #smtp_tls_wrappermode = yes smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols smtp_tls_protocols = $smtpd_tls_protocols #SMART When only relaying to smarthost, the next should be =high #SMART smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtp_tls_ciphers = $smtpd_tls_ciphers smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers smtp_tls_connection_reuse = yes smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout #smtp_sasl_auth_enable = $smtpd_sasl_auth_enable #smtp_sasl_type = $smtpd_sasl_type #smtp_sasl_path = $smtpd_sasl_path #smtp_sasl_mechanism_filter = !external #smtp_sasl_security_options = $smtpd_sasl_security_options #smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options #smtp_sasl_mechanism_filter = plain, login # For laptops etc, rely on smarthost to do real delivery. # One or more destinations in the form of a domain name, hostname, # hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port, # separated by comma or whitespace. The form [hostname] turns off MX lookups # check man(5) postconf -> local_header_rewrite_clients; # "Or", i.e., for mail(1): use "-r myname@mydesired.host" #SMART relayhost = [HOST]:submissions #SMART Next only when going directly SMTPS/SUBMISSIONS #SMART smtp_tls_wrappermode = yes #SMART smtp_tls_chain_files = $smtpd_tls_chain_files #SMART EITHER these three #SMART smtp_tls_security_level = verify #SMART smtp_tls_CAfile = /etc/ssl/cert.pem #SMART smtp_tls_scert_verifydepth = 9 #SMART OR these two #SMART smtp_tls_security_level = fingerprint #SMART smtp_tls_fingerprint_cert_match = FINGERPRINT # The following is not tested, really, and may not work with default config #SMART disable_dns_lookups = yes #SMART Authentication like that not tried, this from postfix SASL_README: #smtp_sasl_auth_enable = yes #smtp_sasl_tls_security_options = noanonymous #smtp_sasl_password_maps = lmdb:$meta_directory/sasl_passwd # $meta_directory/sasl_passwd: # # destination credentials # #user1@example.com username1:password1 # #user2@example.net username2:password2 # [mail.isp.example] username:password # # Alternative form: # # [mail.isp.example]:submission username:password #SMART Even sender-specific, uncomment the user1 user2 entries above then # sender_dependent_relayhost_maps = lmdb:$meta_directory/sender_relay # $meta_directory/sender_relay: # # Per-sender provider; see also $meta_directory/sasl_passwd. # user1@example.com [mail.example.com]:submission # user2@example.net [mail.example.net] # Permanently (to _destinations) instead if this is "no" smtp_connection_cache_on_demand = yes # $relayhost WITHOUT [] and : etc.!! smtp_connection_cache_destinations = $relayhost smtp_connection_cache_time_limit = 10s smtp_connection_reuse_count_limit = 242