# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no append_dot_mydomain = no readme_directory = no # Basic configuration # myhostname = alias_maps = texthash:/etc/aliases alias_database = texthash:/etc/aliases mydestination = relayhost = mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key #smtpd_tls_CAfile= #smtp_tls_CAfile= smtpd_tls_security_level = may smtpd_use_tls=yes smtp_tls_security_level = may smtp_tls_loglevel = 1 tls_ssl_options = NO_COMPRESSION tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS smtpd_tls_protocols=!SSLv2,!SSLv3 smtp_tls_protocols=!SSLv2,!SSLv3 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL smtpd_tls_CApath = /etc/ssl/certs smtp_tls_CApath = /etc/ssl/certs # Settings to prevent SPAM early smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_path = /var/spool/postfix/private/auth smtpd_sasl_type = dovecot smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes # Mail directory virtual_transport = lmtp:unix:/var/run/dovecot/lmtp virtual_mailbox_domains = /etc/postfix/vhost virtual_mailbox_maps = texthash:/etc/postfix/vmailbox virtual_alias_maps = texthash:/etc/postfix/virtual # Additional option for filtering content_filter = smtp-amavis:[127.0.0.1]:10024 # Milters used by DKIM milter_protocol = 6 milter_default_action = accept dkim_milter = inet:localhost:8891 dmarc_milter = inet:localhost:8893 smtpd_milters = $dkim_milter,$dmarc_milter non_smtpd_milters = $dkim_milter