# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP biff = no append_dot_mydomain = no readme_directory = no # Basic configuration # myhostname = alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mydestination = $myhostname, localhost.$mydomain, localhost relayhost = mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all # TLS parameters # These [snakeoil files actually exist](https://askubuntu.com/questions/396120/what-is-the-purpose-of-the-ssl-cert-snakeoil-key), but shouldn't ever be used in production! # If no `SSL_TYPE` env is set, "plaintext" is configured, but still accepts SSL with these: smtpd_tls_chain_files = /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem #smtpd_tls_CAfile = #smtp_tls_CAfile = smtpd_tls_security_level = may smtpd_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_loglevel = 1 # Reduces CPU overhead with `NO_COMPRESSION`, SMTP not at risk of CRIME attack (see git blame for details) # Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION` tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 tls_preempt_cipherlist = yes smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs smtp_tls_CApath = /etc/ssl/certs # Settings to prevent SPAM early smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname disable_vrfy_command = yes # Postscreen settings to drop zombies/open relays/spam early postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4 postscreen_dnsbl_threshold = 3 postscreen_dnsbl_whitelist_threshold = -1 postscreen_greet_action = enforce postscreen_bare_newline_action = enforce # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_path = /var/spool/postfix/private/auth smtpd_sasl_type = dovecot smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $mydomain broken_sasl_auth_clients = yes # Mail directory virtual_transport = lmtp:unix:/var/run/dovecot/lmtp virtual_mailbox_domains = /etc/postfix/vhost virtual_mailbox_maps = texthash:/etc/postfix/vmailbox virtual_alias_maps = texthash:/etc/postfix/virtual # Additional option for filtering content_filter = smtp-amavis:[127.0.0.1]:10024 # Milters used by DKIM milter_protocol = 6 milter_default_action = accept dkim_milter = inet:localhost:8891 dmarc_milter = inet:localhost:8893 smtpd_milters = $dkim_milter,$dmarc_milter non_smtpd_milters = $dkim_milter # SPF policy settings policyd-spf_time_limit = 3600 # Header checks for content inspection on receiving header_checks = pcre:/etc/postfix/maps/header_checks.pcre # Remove unwanted headers that reveal our privacy smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre # The default compatibility_level is 0 - which retains legacy settings defaults: # http://www.postfix.org/COMPATIBILITY_README.html # If backwards-compaitibilty log messages appear, fix them by explicitly adding # the legacy or new default value (alternatively raise the compatibility_level) # # TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider # bumping this value after taking the compaitibilty changes into account. compatibility_level = 2