### CRUX-ADDON default_privs = _postfix_xlocal setgid_group = _postfix_queue mail_spool_directory = /var/spool/mail alias_database = lmdb:/etc/postfix-lmdb/aliases alias_maps = $alias_database # all # or ipv4, ipv6 or ipv4 or ipv6 inet_protocols = all #myhostname = crux-0306 # default: gethostname #mydomain = localdomain # default: $myhostname less one component #myorigin = $mydomain # , lists.$myhostname mydestination = $myhostname, localhost.$mydomain, localhost mynetworks_style = host # One class A, 16 class B, 256 class C networks; loopback # Dunno how to specify IPv6 link-local and site-local mynetworks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 #inet_interfaces = localhost #inet_interfaces = $myhostname, localhost inet_interfaces = all #debug_peer_list = 10.0.0.1 smtputf8_enable = no disable_vrfy_command = yes default_verp_delimiters = -= verp_delimiter_filter = -= recipient_delimiter = + default_process_limit = 8 anvil_rate_time_unit = 60s anvil_status_update_time = 3600s #n_flow_delay = 1s body_checks_size_limit = 102400 bounce_size_limit = 50000 #header_size_limit = 102400 mailbox_size_limit = 100000000 message_size_limit = 442000 ## TLSPROXY(8) (where diverging from daemon / client) tls_append_default_CA = no ## POSTFIX DAEMON # Calculate: # openssl x509 -noout -sha256 -fingerprint < CERT.pem # OR # openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c # Put the hash only in relay_clientcerts, right hand value is not inspected: # FINGERPRINT-HERE whatever value # Search #RELAY for this, uncomment #RELAY relay_clientcerts = lmdb:/etc/postfix-lmdb/relay_clientcerts # relay_domains <-> reject_unauth_destination,permit_auth_destination # eg lmdb:/etc/postfix-lmdb/transport transport_maps = relay_domains = $mynetworks,$transport_maps # Only localhost for mailing-lists etc.; maybe $mynetworks? smtpd_authorized_verp_clients = 127.0.0.1 # Clients which are allowed to invoke commands smtpd_client_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, # permit_sasl_authenticated, reject_unknown_client_hostname, # in case you want reject DNS blacklists rather than greylist them # with gross, exchange sleep (maybe) and uncomment the lines below sleep 1, #reject_rbl_client cbl.abuseat.org, #reject_rbl_client sbl.spamhaus.org, #DNSDL reject_rbl_client zen.spamhaus.org, #DNSDL reject_rbl_client dnsbl.sorbs.net, #reject_rbl_client bl.spamcop.net, #reject_rbl_client list.dsbl.org, reject_unauth_pipelining, #reject permit smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_helo_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, # permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname smtpd_relay_before_recipient_restrictions = yes # RCPT TO checks, relay policy # Local clients and authenticated clients may specify any destination domain smtpd_relay_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, #permit_auth_destination, #reject reject_unauth_destination, permit # RCPT TO checks, spam blocking policy # Match fast for $mynetworks and authenticated clients. smtpd_recipient_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_recipient_domain, reject_unauth_destination, # better not reject_unverified_sender, #check_policy_service inet:127.0.0.1:5525, permit # MAIL FROM Checks smtpd_sender_restrictions = # permit_inet_interfaces, OR permit_mynetworks, #RELAY permit_tls_clientcerts, #[RELAY] permit_sasl_authenticated, # Eg: qq.com reject lmdb:/etc/postfix-lmdb/sender_restrict, reject_unknown_sender_domain, permit # i would turn that on.. #smtpd_delay_reject = no smtpd_helo_required = yes smtpd_hard_error_limit = 1 smtpd_soft_error_limit = 1 smtpd_per_record_deadline = yes smtpd_timeout = 15s smtpd_starttls_timeout = 15s smtpd_junk_command_limit = 5 #smtpd_log_access_permit_actions = # permit_tls_clientcerts, # permit_sasl_authenticated #smtpd_client_connection_rate_limit = 20 #smtpd_client_connection_count_limit = 2 #TLS Do not forget to look into master.cf! # That one is for client certificates! #smtpd_tls_CAfile = /etc/dovecot/cert.pem #TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem #TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem # This are managed per-service in master.cf! #smtpd_tls_security_level = none #RELAY smtpd_tls_ask_ccert = yes smtpd_tls_ask_ccert = no smtpd_tls_auth_only = yes smtpd_tls_loglevel = 1 #SMART The next is usually nice but when using client certificates smtpd_tls_received_header = no smtpd_tls_fingerprint_digest = sha256 smtpd_tls_mandatory_protocols = >=TLSv1.2 smtpd_tls_protocols = $smtpd_tls_mandatory_protocols smtpd_tls_mandatory_ciphers = medium smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache smtpd_tls_session_cache_timeout = 3600s # Usually enabled per-service in master.cf! #smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = no smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous ## POSTFIX CLIENT #TLS comment out next #SMART comment out next smtp_tls_security_level = may # To always go directly SMTPS/SUBMISSIONS #smtp_tls_wrappermode = yes smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols smtp_tls_protocols = $smtpd_tls_protocols #SMART When only relaying to smarthost, the next can be =high !?! smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers smtp_tls_ciphers = $smtpd_tls_ciphers smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers smtp_tls_connection_reuse = yes smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout #smtp_sasl_auth_enable = $smtpd_sasl_auth_enable #smtp_sasl_type = $smtpd_sasl_type #smtp_sasl_path = $smtpd_sasl_path #smtp_sasl_mechanism_filter = !external #smtp_sasl_security_options = $smtpd_sasl_security_options #smtp_sasl_tls_security_options = $smtpd_sasl_tls_security_options #smtp_sasl_mechanism_filter = plain, login # For laptops etc, rely on smarthost to do real delivery. # One or more destinations in the form of a domain name, hostname, # hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port, # separated by comma or whitespace. The form [hostname] turns off MX lookups # check man(5) postconf -> local_header_rewrite_clients; # "Or", i.e., for mail(1): use "-r myname@mydesired.host" #SMART relayhost = [HOST]:submissions #SMART Next only when going directly SMTPS/SUBMISSIONS #SMART smtp_tls_wrappermode = yes #SMART smtp_tls_chain_files = $smtpd_tls_chain_files #SMART EITHER these three #SMART smtp_tls_security_level = verify #SMART smtp_tls_CAfile = /etc/ssl/cert.pem #SMART smtp_tls_scert_verifydepth = 9 #SMART OR these two #SMART smtp_tls_security_level = fingerprint #SMART smtp_tls_fingerprint_cert_match = FINGERPRINT # The following is not tested, really, and may not work with default config #SMART disable_dns_lookups = yes #SMART Authentication like that not tried, this from postfix SASL_README: #smtp_sasl_auth_enable = yes #smtp_sasl_tls_security_options = noanonymous #smtp_sasl_password_maps = lmdb:/etc/postfix-lmdb/sasl_passwd # /etc/postfix-lmdb/sasl_passwd: # # destination credentials # #user1@example.com username1:password1 # #user2@example.net username2:password2 # [mail.isp.example] username:password # # Alternative form: # # [mail.isp.example]:submission username:password #SMART Even sender-specific, uncomment the user1 user2 entries above then # sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay # /etc/postfix/sender_relay: # # Per-sender provider; see also /etc/postfix/sasl_passwd. # user1@example.com [mail.example.com]:submission # user2@example.net [mail.example.net] # Permanently (to _destinations) instead if this is "no" smtp_connection_cache_on_demand = yes # $relayhost WITHOUT [] and : etc.!! smtp_connection_cache_destinations = $relayhost smtp_connection_cache_time_limit = 10s smtp_connection_reuse_count_limit = 242