~dricottone/container-images

ref: debbuilder container-images/postfix/main.cf.tls-in -rw-r--r-- 2.8 KiB
88ddaa4fDominic Ricottone WIP: debbuilder 7 months ago
                                                                                
# postfix main configuration file
# see `postconf(5)` or https://www.postfix.org/BASIC_CONFIGURATION_README.html
#
# Keep every comment on a line of its own: main.cf has no trailing-comment
# syntax, so text placed after a value is read as part of that value.

compatibility_level = 3.6

# Allowed interfaces and addresses
# Listens on every IPv4 address of the host, so network exposure is decided by
# the listeners in master.cf and by whatever publishes the ports.
# NOTE(review): confirm that only the intended listener ports are reachable.
inet_protocols = ipv4
inet_interfaces = all

# Values for default settings
# NOTE(review): example.com / mail.example.com look like placeholders; they
# must be replaced before deployment.
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
myorigin = $mydomain
# NOTE(review): $myhostname and $mydomain appear in both mydestination (local
# delivery) and relay_domains (relaying); confirm which handling is intended.
relay_domains = $myhostname, $mydomain

# Greeting text sent to every client after the SMTP 220 reply code
# The banner discloses the software name and exact version to anyone who
# connects; dropping `($mail_version)` would reduce fingerprinting.
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# Address rewriting
# smtp_generic_maps rewrites addresses on mail leaving through the SMTP client;
# recipient_canonical_maps rewrites recipient addresses on received mail.
# Both are lmdb: tables, so the indexed files have to be rebuilt with
# postmap(1) whenever the source text files change.
smtp_generic_maps = lmdb:/etc/postfix/generic
recipient_canonical_maps = lmdb:/etc/postfix/recipient_canonical

# Transport map
# With DNS support disabled the SMTP client performs no MX lookups, so routing
# depends on the transport table below.
# NOTE(review): next-hop host names then have to resolve through the system
# resolver (e.g. /etc/hosts); verify against the transport file.
smtp_dns_support_level = disabled
transport_maps = lmdb:/etc/postfix/transport

# Logging
# Writes the mail log to standard output instead of syslog.
# NOTE(review): this relies on the postlog service being defined in master.cf
# (not visible here); confirm.
maillog_file = /dev/stdout

# Restrictions
# Rate limits are counted per client address by anvil(8) over the time unit
# below: a client that exceeds 10 connections, 10 AUTH attempts or 10 new TLS
# sessions within 60 seconds is refused. This slows password guessing and
# handshake floods.
# NOTE(review): clients in $mynetworks are exempt by default
# (smtpd_client_event_limit_exceptions); confirm mynetworks is not too wide.
anvil_rate_time_unit = 60s
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
# reject if client IP and hostname do not match EXCEPT if authenticated
# permit_sasl_authenticated can only match here while smtpd_delay_reject keeps
# its default (yes), which postpones these checks until RCPT TO, i.e. after AUTH.
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client_hostname
# reject if HELO or EHLO hostname does not have a valid A or MX record
# smtpd_helo_required stops clients from skipping this check by sending no HELO.
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_helo_required = yes
# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
# This is the open-relay guard. No permit_* rule precedes it, so a SASL login
# bypasses only the client hostname check above and grants no extra relay rights.
smtpd_relay_restrictions = reject_unauth_destination
# if RCPT TO hostname IS in $mydestination, apply no further restrictions
# Leaving this empty is acceptable only because smtpd_relay_restrictions above
# carries reject_unauth_destination; do not remove that rule while this stays empty.
smtpd_recipient_restrictions =

# Authentication
# NOTE(review): smtpd_sasl_type is not set here; assuming the default (cyrus),
# smtpd_sasl_path = smtpd selects /etc/sasl2/smtpd.conf as the SASL config file.
cyrus_sasl_config_path = /etc/sasl2/
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
# Mechanism policy for sessions WITHOUT TLS: no anonymous, no plaintext.
smtpd_sasl_security_options = noanonymous, noplaintext
# NOTE(review): the service name differs from the Postfix default (smtp); the
# name configured on the SASL backend side must match. Confirm.
smtpd_sasl_service = smtpd
# Mechanism policy for sessions WITH TLS: plaintext mechanisms (PLAIN, LOGIN)
# are allowed because the channel is already encrypted.
smtpd_sasl_tls_security_options = noanonymous
# AUTH is offered only after STARTTLS, so credentials never cross the wire in
# the clear; the non-TLS policy above then acts as a second safeguard.
smtpd_tls_auth_only = yes

# Encryption
# smtpd_tls_chain_files expects each PEM file to hold the private key followed
# by its certificate chain, so this file contains key material and must be
# readable only by the account that starts Postfix.
# NOTE(review): in a stock Let's Encrypt layout `chain.pem` holds intermediates
# only; confirm this file is assembled as key + leaf certificate + intermediates.
smtpd_tls_chain_files = /var/letsencrypt/chain.pem
# Cipher grade and protocol floor apply because TLS is mandatory (level encrypt).
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
# TLS is required: clients that do not complete STARTTLS cannot send mail.
# NOTE(review): suitable for a dedicated or submission-style listener; if this
# instance is also the public MX on port 25, senders without STARTTLS will be
# unable to deliver. Confirm the intended role.
smtpd_tls_security_level = encrypt

# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
# Left empty on purpose, so unknown local recipients are NOT rejected during the
# SMTP session: the server accepts mail for any address in $mydestination.
# NOTE(review): recipient validation must then happen downstream, otherwise
# undeliverable mail is bounced after acceptance (backscatter to forged senders).
local_recipient_maps =

# Local management
# Unprivileged account that owns the queue, and the group used by the set-gid
# mail submission and queue management commands.
mail_owner = postfix
setgid_group = postdrop

# The trailing slash selects maildir-style delivery under the user's home directory.
home_mailbox = Maildir/

# Locations of the Sendmail-compatible commands.
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

# Installation layout. These describe where the package put its files;
# `html_directory = no` means no HTML documentation is installed.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
manpage_directory = /usr/share/man
mail_spool_directory = /var/spool/mail
meta_directory = /etc/postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
sample_directory = /etc/postfix
shlib_directory = /usr/lib/postfix