# postfix main configuration file
# see `postconf(5)` or https://www.postfix.org/BASIC_CONFIGURATION_README.html
compatibility_level = 3.6
# Allowed interfaces and addresses
inet_protocols = ipv4
inet_interfaces = all
# Values for default settings
mydomain = example.com
myhostname = mail.example.com
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
myorigin = $mydomain
relay_domains = $myhostname, $mydomain
# Advertise host name after SMTP 200
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# Address rewriting
smtp_generic_maps = lmdb:/etc/postfix/generic
recipient_canonical_maps = lmdb:/etc/postfix/recipient_canonical
# Transport map
transport_maps = lmdb:/etc/postfix/transport
# Logging
maillog_file = /dev/stdout
# Restrictions
# reject if attempted to connect or authenticate 10 times in 60 seconds
anvil_rate_time_unit = 60s
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
# reject if client IP and hostname do not match EXCEPT if authenticated
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client_hostname
# reject if HELO or EHLO hostname does not have a valid A or MX record
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_helo_required = yes
# reject if MAIL FROM hostname is not in $mydestination AND does not have a valid A or MX record
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject if RCPT TO hostname is not in $mydestination AND not in $relay_domains
smtpd_relay_restrictions = reject_unauth_destination
# if RCPT TO hostname IS in $mydestination, apply no further restrictions
smtpd_recipient_restrictions =
# Authentication
cyrus_sasl_config_path = /etc/sasl2/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
# Encryption
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = encrypt
smtpd_tls_chain_files = /var/letsencrypt/chain.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_security_level = encrypt
# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
local_recipient_maps =
# Local management
mail_owner = postfix
setgid_group = postdrop
home_mailbox = Maildir/
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
manpage_directory = /usr/share/man
mail_spool_directory = /var/spool/mail
meta_directory = /etc/postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
sample_directory = /etc/postfix
shlib_directory = /usr/lib/postfix