User:Paul/sandbox/Sample main.cf

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

smtpd_banner = $myhostname ESMTP biff = no append_dot_mydomain = no readme_directory = no # - smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = smtpd_sasl_authenticated_header = yes # - smtpd_tls_cert_file=/etc/ssl/private/example.com/server.crt smtpd_tls_key_file=/etc/ssl/private/example.com/server.key smtpd_tls_CAfile=/etc/ssl/private/startssl/startssl-ca-bundle.pem smtp_tls_ciphers = high tls_ssl_options = NO_COMPRESSION smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_tls_security_level = may smtp_tls_security_level = may # - unknown_local_recipient_reject_code = 450 maximal_queue_lifetime = 7d minimal_backoff_time = 1000s maximal_backoff_time = 8000s smtp_helo_timeout = 60s smtpd_recipient_limit = 16 smtpd_soft_error_limit = 3 smtpd_hard_error_limit = 12 # smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:postgrey/postgrey.sock, check_policy_service unix:private/policy-spf, permit smtpd_data_restrictions = reject_unauth_pipelining smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:postgrey/postgrey.sock, check_policy_service unix:private/policy-spf, permit smtpd_helo_required = yes smtpd_delay_reject = yes disable_vrfy_command = yes # -- myhostname = mail.example.com myorigin = /etc/hostname mydestination = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all mynetworks_style = host virtual_mailbox_base = /var/vmail virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf virtual_uid_maps = static:150 virtual_gid_maps = static:8 virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf virtual_transport = dovecot dovecot_destination_recipient_limit = 1 # -- header_checks = regexp:/etc/postfix/header_checks enable_original_recipient = no milter_default_action = accept smtpd_milters = unix:opendkim/opendkim.sock unix:opendmarc/opendmarc.sock unix:spamass/spamass.sock policy-spf_time_limit = 3600s
 * 1) See /usr/share/postfix/main.cf.dist for a commented, more complete version
 * 1) The first text sent to a connecting process.
 * 1) appending .domain is the MUA's job.
 * 1) SASL parameters
 * 1) Use Dovecot to authenticate.
 * 1) Referring to /var/spool/postfix/private/auth
 * 1) TLS parameters
 * 1) Replace this with your SSL certificate path if you are using one.
 * 1) The snakeoil self-signed certificate has no need for a CA file. But
 * 2) if you are using your own SSL certificate, then you probably have
 * 3) a CA certificate bundle from your provider. The path to that goes
 * 4) here.
 * 1) Enable (but don't force) all incoming smtp connections to use TLS.
 * 1) Enable (but don't force) all outgoing smtp connections to use TLS.
 * 1) See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 * 2) information on enabling SSL in the smtp client.
 * 1) SMTPD parameters
 * 1) Uncomment the next line to generate "delayed mail" warnings
 * 2) delay_warning_time = 4h
 * 3) will it be a permanent error or temporary
 * 1) how long to keep message on queue before return as failed.
 * 2) some have 3 days, I have 16 days as I am backup server for some people
 * 3) whom go on holiday with their server switched off.
 * 1) max and min time in seconds between retries if connection failed
 * 1) how long to wait when servers connect before receiving rest of data
 * 1) how many address can be used in one message.
 * 2) effective stopper to mass spammers, accidental copy in whole address list
 * 3) but may restrict intentional mail shots.
 * 1) how many error before back off.
 * 1) how many max errors before blocking it.
 * 1) This next set are important for determining who can send mail and relay mail
 * 2) to other servers. It is very important to get this right - accidentally producing
 * 3) an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
 * 1) You are encouraged to read up on what exactly each of these options accomplish.
 * 1) Requirements for the HELO statement
 * 1) Requirements for the sender details
 * 1) Requirements for the connecting server
 * 1) Requirement for the recipient address.
 * 1) require proper helo at connections
 * 1) waste spammers time before rejecting them
 * 1) General host and delivery info
 * 1) Some people see issues when setting mydestination explicitly to the server
 * 2) subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
 * 3) mydestination = mail.example.com, localhost
 * 1) If you have a separate web server that sends outgoing mail through this
 * 2) mailserver, you may want to add its IP address to the space-delimited list in
 * 3) mynetworks, e.g. as 111.222.333.444/32.
 * 1) This specifies where the virtual mailbox folders will be located.
 * 1) This is for the mailbox location for each user. The domainaliases
 * 2) map allows us to make use of Postfix Admin's domain alias feature.
 * 1) and their user id
 * 1) and group id
 * 1) This is for aliases. The domainaliases map allows us to make
 * 2) use of Postfix Admin's domain alias feature.
 * 1) This is for domain lookups.
 * 1) Integration with other packages
 * 1) Tell postfix to hand off mail to the definition for dovecot in master.cf
 * 1) Used with amavis (not installed currently)
 * 2) content_filter = amavis:[127.0.0.1]:10024
 * 1) Header manipulation
 * 1) Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
 * 1) getting rid of x-original-to