forked from ports/contrib
287 lines
10 KiB
CFEngine3
287 lines
10 KiB
CFEngine3
|
|
### CRUX-ADDON
|
|
|
|
default_privs = _postfix_xlocal
|
|
setgid_group = _postfix_queue
|
|
mail_spool_directory = /var/spool/mail
|
|
alias_database = lmdb:$meta_directory/aliases
|
|
alias_maps = $alias_database
|
|
# all # or ipv4, ipv6 or ipv4 or ipv6
|
|
inet_protocols = all
|
|
|
|
#myhostname = crux-box # default: gethostname
|
|
#mydomain = localdomain # default: $myhostname less one component
|
|
#myorigin = $mydomain
|
|
# , lists.$myhostname
|
|
mydestination = $myhostname, localhost.$mydomain, localhost
|
|
mynetworks_style = host
|
|
|
|
# mynetworks: which addresses we treat as belonging to "our network".
|
|
# RFC 1918 defines several "address ranges for private internets",
|
|
# one class A, 16 class B, 256 class C networks:
|
|
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
|
|
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
|
|
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
|
|
# In practice these are used by WLAN and other such networks, which is not
|
|
# "our" per se. RFC 5737 defines several blocks "reserved for documentation"
|
|
# that SHOULD NOT occur on the public internet, so they should be blocked on
|
|
# ingress and better not leave on egress, but they can be assigned to local
|
|
# namespaces etc., and be used within VPNs:
|
|
# 192.0.2.0 - 192.0.2.255 (192.0.2.0/24, TEST-NET-1, from RFC 1166)
|
|
# 198.51.100.0 - 198.51.100.255 (198.51.100.0/24, TEST-NET-2)
|
|
# 203.0.113.0 - 203.0.113.255 (203.0.113.0/24, TEST-NET-3)
|
|
# Dunno how to specify IPv6 link-local and site-local
|
|
#mynetworks = 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 127.0.0.0/8
|
|
mynetworks = 127.0.0.0/8
|
|
|
|
#inet_interfaces = localhost
|
|
#inet_interfaces = $myhostname, localhost
|
|
inet_interfaces = all
|
|
#debug_peer_list = localhost
|
|
|
|
smtputf8_enable = no
|
|
disable_vrfy_command = yes
|
|
default_verp_delimiters = -=
|
|
verp_delimiter_filter = -=
|
|
recipient_delimiter = +
|
|
|
|
default_process_limit = 8
|
|
anvil_rate_time_unit = 60s
|
|
anvil_status_update_time = 3600s
|
|
#n_flow_delay = 1s
|
|
body_checks_size_limit = 102400
|
|
bounce_size_limit = 50000
|
|
#header_size_limit = 102400
|
|
mailbox_size_limit = 100000000
|
|
message_size_limit = 442000
|
|
|
|
## TLSPROXY(8) (where diverging from daemon / client)
|
|
|
|
tls_append_default_CA = no
|
|
|
|
## POSTFIX DAEMON
|
|
|
|
# Calculate:
|
|
# openssl x509 -noout -sha256 -fingerprint < CERT.pem
|
|
# OR
|
|
# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
|
|
# Put the hash only in relay_clientcerts, right hand value is not inspected:
|
|
# FINGERPRINT-HERE whatever value
|
|
# Search #RELAY for this, uncomment
|
|
#RELAY relay_clientcerts = lmdb:$meta_directory/relay_clientcerts
|
|
# relay_domains <-> reject_unauth_destination,permit_auth_destination
|
|
# eg lmdb:$meta_directory/transport
|
|
transport_maps =
|
|
relay_domains = $mynetworks,$transport_maps
|
|
|
|
# Only localhost for mailing-lists etc.; maybe $mynetworks?
|
|
smtpd_authorized_verp_clients = 127.0.0.1
|
|
|
|
# Clients connection checks
|
|
smtpd_client_restrictions =
|
|
# permit_inet_interfaces, OR
|
|
permit_mynetworks,
|
|
#RELAY permit_tls_clientcerts,
|
|
#[RELAY] permit_sasl_authenticated,
|
|
check_client_access lmdb:$meta_directory/client_restrict,
|
|
reject_unknown_client_hostname,
|
|
# in case you want reject DNS blacklists rather than greylist them,
|
|
# exchange sleep (maybe) and uncomment the lines below
|
|
sleep 1,
|
|
#reject_rbl_client cbl.abuseat.org,
|
|
#reject_rbl_client sbl.spamhaus.org,
|
|
#DNSDL reject_rbl_client zen.spamhaus.org,
|
|
#DNSDL reject_rbl_client dnsbl.sorbs.net,
|
|
#reject_rbl_client bl.spamcop.net,
|
|
#reject_rbl_client list.dsbl.org,
|
|
reject_unauth_pipelining,
|
|
#reject
|
|
permit
|
|
|
|
smtpd_data_restrictions =
|
|
reject_unauth_pipelining,
|
|
permit
|
|
|
|
smtpd_helo_restrictions =
|
|
# permit_inet_interfaces, OR
|
|
permit_mynetworks,
|
|
#RELAY permit_tls_clientcerts,
|
|
#[RELAY] permit_sasl_authenticated,
|
|
reject_invalid_helo_hostname,
|
|
reject_non_fqdn_helo_hostname,
|
|
reject_unknown_helo_hostname,
|
|
permit
|
|
|
|
# MAIL FROM Checks
|
|
smtpd_sender_restrictions =
|
|
# permit_inet_interfaces, OR
|
|
permit_mynetworks,
|
|
#RELAY reject_authenticated_sender_login_mismatch,
|
|
#RELAY permit_tls_clientcerts,
|
|
#[RELAY] permit_sasl_authenticated,
|
|
reject_non_fqdn_sender,
|
|
# Total no-goes database, eg: qq.com reject
|
|
check_sender_access lmdb:$meta_directory/sender_restrict,
|
|
reject_unknown_sender_domain,
|
|
reject_unknown_reverse_client_hostname,
|
|
#GRAY: with --focus-sender only! And --msg-allow=permit
|
|
#GRAY check_policy_service unix:private/postgray,
|
|
#VERIFY(..then) reject_unverified_sender,
|
|
permit
|
|
|
|
smtpd_relay_before_recipient_restrictions = yes
|
|
|
|
# RCPT TO checks, relay policy
|
|
# Local clients and authenticated clients may specify any destination domain
|
|
smtpd_relay_restrictions =
|
|
# permit_inet_interfaces, OR
|
|
permit_mynetworks,
|
|
#RELAY permit_tls_clientcerts,
|
|
#[RELAY] permit_sasl_authenticated,
|
|
reject_non_fqdn_recipient,
|
|
#permit_auth_destination,
|
|
#reject
|
|
reject_unauth_destination,
|
|
permit
|
|
|
|
# RCPT TO checks, spam blocking policy
|
|
# Match fast for $mynetworks and authenticated clients.
|
|
smtpd_recipient_restrictions =
|
|
# permit_inet_interfaces, OR
|
|
permit_mynetworks,
|
|
#RELAY permit_tls_clientcerts,
|
|
#[RELAY] permit_sasl_authenticated,
|
|
reject_unknown_recipient_domain,
|
|
# DB of MAIL FROM's without policy server checks (one way, or another)
|
|
check_sender_access lmdb:$meta_directory/sender_access,
|
|
#check_policy_service inet:127.0.0.1:5525,
|
|
#GRAY: without --focus-sender
|
|
#GRAY check_policy_service unix:private/postgray,
|
|
#VERIFY(..then) reject_unverified_sender,
|
|
#(VERIFY would not) reject_unverified_recipient,
|
|
permit
|
|
|
|
# i would turn that on..
|
|
#smtpd_delay_reject = no
|
|
smtpd_helo_required = yes
|
|
smtpd_hard_error_limit = 2
|
|
smtpd_soft_error_limit = 1
|
|
smtpd_per_record_deadline = yes
|
|
smtpd_timeout = 15s
|
|
smtpd_starttls_timeout = 15s
|
|
smtpd_junk_command_limit = 5
|
|
#smtpd_log_access_permit_actions =
|
|
# permit_tls_clientcerts,
|
|
# permit_sasl_authenticated
|
|
#smtpd_client_connection_rate_limit = 20
|
|
#smtpd_client_connection_count_limit = 2
|
|
|
|
#VERIFY address_verify_map = lmdb:$data_directory/verify_cache
|
|
#VERIFY address_verify_cache_cleanup_interval = 86400s
|
|
|
|
#TLS Do not forget to look into master.cf!
|
|
# That one is for client certificates!
|
|
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
|
|
#TLS smtpd_tls_chain_files = $meta_directory/key_and_cert.pem
|
|
#TLS smtpd_tls_dh1024_param_file = $meta_directory/dh2048.pem
|
|
# This are managed per-service in master.cf!
|
|
#smtpd_tls_security_level = none
|
|
#RELAY smtpd_tls_ask_ccert = yes
|
|
smtpd_tls_ask_ccert = no
|
|
smtpd_tls_auth_only = yes
|
|
smtpd_tls_loglevel = 1
|
|
#SMART The next is usually nice but when using client certificates
|
|
smtpd_tls_received_header = no
|
|
smtpd_tls_fingerprint_digest = sha256
|
|
smtpd_tls_mandatory_protocols = >=TLSv1.2
|
|
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
|
|
smtpd_tls_mandatory_ciphers = medium
|
|
smtpd_tls_mandatory_exclude_ciphers =
|
|
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
|
|
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
|
|
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
|
|
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
|
|
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
|
|
smtpd_tls_session_cache_timeout = 3600s
|
|
|
|
# Usually enabled per-service in master.cf!
|
|
#smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_auth_enable = no
|
|
smtpd_sasl_type = dovecot
|
|
smtpd_sasl_path = private/auth
|
|
smtpd_sasl_local_domain = $myhostname
|
|
smtpd_sasl_security_options = noanonymous, noplaintext
|
|
smtpd_sasl_tls_security_options = noanonymous
|
|
|
|
## POSTFIX CLIENT
|
|
|
|
#TLS comment out next
|
|
#SMART comment out next
|
|
smtp_tls_security_level = may
|
|
# To always go directly SMTPS/SUBMISSIONS
|
|
#smtp_tls_wrappermode = yes
|
|
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
|
|
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
|
|
smtp_tls_protocols = $smtpd_tls_protocols
|
|
#SMART When only relaying to smarthost, the next should be =high
|
|
#SMART smtp_tls_mandatory_ciphers = high
|
|
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
|
|
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
|
|
smtp_tls_ciphers = $smtpd_tls_ciphers
|
|
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
|
|
smtp_tls_connection_reuse = yes
|
|
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
|
|
smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
|
|
|
|
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
|
|
#smtp_sasl_type = $smtpd_sasl_type
|
|
#smtp_sasl_path = $smtpd_sasl_path
|
|
#smtp_sasl_mechanism_filter = !external
|
|
#smtp_sasl_security_options = $smtpd_sasl_security_options
|
|
#smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options
|
|
#smtp_sasl_mechanism_filter = plain, login
|
|
|
|
# For laptops etc, rely on smarthost to do real delivery.
|
|
# One or more destinations in the form of a domain name, hostname,
|
|
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
|
|
# separated by comma or whitespace. The form [hostname] turns off MX lookups
|
|
# check man(5) postconf -> local_header_rewrite_clients;
|
|
# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
|
|
#SMART relayhost = [HOST]:submissions
|
|
#SMART Next only when going directly SMTPS/SUBMISSIONS
|
|
#SMART smtp_tls_wrappermode = yes
|
|
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
|
|
#SMART EITHER these three
|
|
#SMART smtp_tls_security_level = verify
|
|
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
|
|
#SMART smtp_tls_scert_verifydepth = 9
|
|
#SMART OR these two
|
|
#SMART smtp_tls_security_level = fingerprint
|
|
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
|
|
# The following is not tested, really, and may not work with default config
|
|
#SMART disable_dns_lookups = yes
|
|
#SMART Authentication like that not tried, this from postfix SASL_README:
|
|
#smtp_sasl_auth_enable = yes
|
|
#smtp_sasl_tls_security_options = noanonymous
|
|
#smtp_sasl_password_maps = lmdb:$meta_directory/sasl_passwd
|
|
# $meta_directory/sasl_passwd:
|
|
# # destination credentials
|
|
# #user1@example.com username1:password1
|
|
# #user2@example.net username2:password2
|
|
# [mail.isp.example] username:password
|
|
# # Alternative form:
|
|
# # [mail.isp.example]:submission username:password
|
|
#SMART Even sender-specific, uncomment the user1 user2 entries above then
|
|
# sender_dependent_relayhost_maps = lmdb:$meta_directory/sender_relay
|
|
# $meta_directory/sender_relay:
|
|
# # Per-sender provider; see also $meta_directory/sasl_passwd.
|
|
# user1@example.com [mail.example.com]:submission
|
|
# user2@example.net [mail.example.net]
|
|
|
|
# Permanently (to _destinations) instead if this is "no"
|
|
smtp_connection_cache_on_demand = yes
|
|
# $relayhost WITHOUT [] and : etc.!!
|
|
smtp_connection_cache_destinations = $relayhost
|
|
smtp_connection_cache_time_limit = 10s
|
|
smtp_connection_reuse_count_limit = 242
|