contrib/postfix-lmdb/main-addon.cf

287 lines
10 KiB
CFEngine3

### CRUX-ADDON
default_privs = _postfix_xlocal
setgid_group = _postfix_queue
mail_spool_directory = /var/spool/mail
alias_database = lmdb:$meta_directory/aliases
alias_maps = $alias_database
# all # or ipv4, ipv6 or ipv4 or ipv6
inet_protocols = all
#myhostname = crux-box # default: gethostname
#mydomain = localdomain # default: $myhostname less one component
#myorigin = $mydomain
# , lists.$myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host
# mynetworks: which addresses we treat as belonging to "our network".
# RFC 1918 defines several "address ranges for private internets",
# one class A, 16 class B, 256 class C networks:
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
# In practice these are used by WLAN and other such networks, which is not
# "our" per se. RFC 5737 defines several blocks "reserved for documentation"
# that SHOULD NOT occur on the public internet, so they should be blocked on
# ingress and better not leave on egress, but they can be assigned to local
# namespaces etc., and be used within VPNs:
# 192.0.2.0 - 192.0.2.255 (192.0.2.0/24, TEST-NET-1, from RFC 1166)
# 198.51.100.0 - 198.51.100.255 (198.51.100.0/24, TEST-NET-2)
# 203.0.113.0 - 203.0.113.255 (203.0.113.0/24, TEST-NET-3)
# Dunno how to specify IPv6 link-local and site-local
#mynetworks = 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 127.0.0.0/8
mynetworks = 127.0.0.0/8
#inet_interfaces = localhost
#inet_interfaces = $myhostname, localhost
inet_interfaces = all
#debug_peer_list = localhost
smtputf8_enable = no
disable_vrfy_command = yes
default_verp_delimiters = -=
verp_delimiter_filter = -=
recipient_delimiter = +
default_process_limit = 8
anvil_rate_time_unit = 60s
anvil_status_update_time = 3600s
#n_flow_delay = 1s
body_checks_size_limit = 102400
bounce_size_limit = 50000
#header_size_limit = 102400
mailbox_size_limit = 100000000
message_size_limit = 442000
## TLSPROXY(8) (where diverging from daemon / client)
tls_append_default_CA = no
## POSTFIX DAEMON
# Calculate:
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
# OR
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
# Put the hash only in relay_clientcerts, right hand value is not inspected:
# FINGERPRINT-HERE whatever value
# Search #RELAY for this, uncomment
#RELAY relay_clientcerts = lmdb:$meta_directory/relay_clientcerts
# relay_domains <-> reject_unauth_destination,permit_auth_destination
# eg lmdb:$meta_directory/transport
transport_maps =
relay_domains = $mynetworks,$transport_maps
# Only localhost for mailing-lists etc.; maybe $mynetworks?
smtpd_authorized_verp_clients = 127.0.0.1
# Clients connection checks
smtpd_client_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
check_client_access lmdb:$meta_directory/client_restrict,
reject_unknown_client_hostname,
# in case you want reject DNS blacklists rather than greylist them,
# exchange sleep (maybe) and uncomment the lines below
sleep 1,
#reject_rbl_client cbl.abuseat.org,
#reject_rbl_client sbl.spamhaus.org,
#DNSDL reject_rbl_client zen.spamhaus.org,
#DNSDL reject_rbl_client dnsbl.sorbs.net,
#reject_rbl_client bl.spamcop.net,
#reject_rbl_client list.dsbl.org,
reject_unauth_pipelining,
#reject
permit
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
smtpd_helo_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
permit
# MAIL FROM Checks
smtpd_sender_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY reject_authenticated_sender_login_mismatch,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_non_fqdn_sender,
# Total no-goes database, eg: qq.com reject
check_sender_access lmdb:$meta_directory/sender_restrict,
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
#GRAY: with --focus-sender only! And --msg-allow=permit
#GRAY check_policy_service unix:private/postgray,
#VERIFY(..then) reject_unverified_sender,
permit
smtpd_relay_before_recipient_restrictions = yes
# RCPT TO checks, relay policy
# Local clients and authenticated clients may specify any destination domain
smtpd_relay_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_non_fqdn_recipient,
#permit_auth_destination,
#reject
reject_unauth_destination,
permit
# RCPT TO checks, spam blocking policy
# Match fast for $mynetworks and authenticated clients.
smtpd_recipient_restrictions =
# permit_inet_interfaces, OR
permit_mynetworks,
#RELAY permit_tls_clientcerts,
#[RELAY] permit_sasl_authenticated,
reject_unknown_recipient_domain,
# DB of MAIL FROM's without policy server checks (one way, or another)
check_sender_access lmdb:$meta_directory/sender_access,
#check_policy_service inet:127.0.0.1:5525,
#GRAY: without --focus-sender
#GRAY check_policy_service unix:private/postgray,
#VERIFY(..then) reject_unverified_sender,
#(VERIFY would not) reject_unverified_recipient,
permit
# i would turn that on..
#smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_hard_error_limit = 2
smtpd_soft_error_limit = 1
smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
#smtpd_log_access_permit_actions =
# permit_tls_clientcerts,
# permit_sasl_authenticated
#smtpd_client_connection_rate_limit = 20
#smtpd_client_connection_count_limit = 2
#VERIFY address_verify_map = lmdb:$data_directory/verify_cache
#VERIFY address_verify_cache_cleanup_interval = 86400s
#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = $meta_directory/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = $meta_directory/dh2048.pem
# This are managed per-service in master.cf!
#smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
#SMART The next is usually nice but when using client certificates
smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
## POSTFIX CLIENT
#TLS comment out next
#SMART comment out next
smtp_tls_security_level = may
# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
#SMART When only relaying to smarthost, the next should be =high
#SMART smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = yes
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
#smtp_sasl_path = $smtpd_sasl_path
#smtp_sasl_mechanism_filter = !external
#smtp_sasl_security_options = $smtpd_sasl_security_options
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
#smtp_sasl_mechanism_filter = plain, login
# For laptops etc, rely on smarthost to do real delivery.
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
# check man(5) postconf -> local_header_rewrite_clients;
# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
#SMART EITHER these three
#SMART smtp_tls_security_level = verify
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
#SMART smtp_tls_scert_verifydepth = 9
#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
#SMART disable_dns_lookups = yes
#SMART Authentication like that not tried, this from postfix SASL_README:
#smtp_sasl_auth_enable = yes
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_password_maps = lmdb:$meta_directory/sasl_passwd
# $meta_directory/sasl_passwd:
# # destination credentials
# #user1@example.com username1:password1
# #user2@example.net username2:password2
# [mail.isp.example] username:password
# # Alternative form:
# # [mail.isp.example]:submission username:password
#SMART Even sender-specific, uncomment the user1 user2 entries above then
# sender_dependent_relayhost_maps = lmdb:$meta_directory/sender_relay
# $meta_directory/sender_relay:
# # Per-sender provider; see also $meta_directory/sasl_passwd.
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]
# Permanently (to _destinations) instead if this is "no"
smtp_connection_cache_on_demand = yes
# $relayhost WITHOUT [] and : etc.!!
smtp_connection_cache_destinations = $relayhost
smtp_connection_cache_time_limit = 10s
smtp_connection_reuse_count_limit = 242