mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
76594c21c4
[Postfix docs](http://www.postfix.org/postconf.5.html#tls_ssl_options): > Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security. [Postfix mailing list discussion](http://postfix.1071664.n5.nabble.com/patch-mitigate-CRIME-attack-td57978.html): > The CRIME attack does not apply to SMTP, because unlike SMTP, there is no javascript in SMTP clients that makes them send thousands of email messages with chosen plaintext compressed together in the same packet with SASL credentials or other sensitive data. > The auditor completely failed to take the context into account. [Mailing list discussion of potential compression CRIME-like attack](https://lists.cert.at/pipermail/ach/2014-December/001660.html) > keeping compression disabled is a good idea. If you need a good test score, PCI compliance will likely flag compression despite not having any known risk with non-HTTP TLS.
105 lines
4 KiB
CFEngine3
105 lines
4 KiB
CFEngine3
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
|
|
|
smtpd_banner = $myhostname ESMTP $mail_name (Debian)
|
|
biff = no
|
|
append_dot_mydomain = no
|
|
readme_directory = no
|
|
|
|
# Basic configuration
|
|
# myhostname =
|
|
alias_maps = hash:/etc/aliases
|
|
alias_database = hash:/etc/aliases
|
|
mydestination = $myhostname, localhost.$mydomain, localhost
|
|
relayhost =
|
|
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
|
|
mailbox_size_limit = 0
|
|
recipient_delimiter = +
|
|
inet_interfaces = all
|
|
inet_protocols = all
|
|
|
|
# TLS parameters
|
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
|
#smtpd_tls_CAfile=
|
|
#smtp_tls_CAfile=
|
|
smtpd_tls_security_level = may
|
|
smtpd_tls_loglevel = 1
|
|
smtp_tls_security_level = may
|
|
smtp_tls_loglevel = 1
|
|
|
|
# Reduces CPU overhead with `NO_COMPRESSION`, SMTP not at risk of CRIME attack (see git blame for details)
|
|
tls_ssl_options = NO_COMPRESSION
|
|
|
|
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
|
tls_preempt_cipherlist = yes
|
|
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtpd_tls_mandatory_ciphers = high
|
|
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
|
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
|
smtpd_tls_CApath = /etc/ssl/certs
|
|
smtp_tls_CApath = /etc/ssl/certs
|
|
|
|
# Settings to prevent SPAM early
|
|
smtpd_helo_required = yes
|
|
smtpd_delay_reject = yes
|
|
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
|
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
|
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
|
|
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
|
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
|
|
disable_vrfy_command = yes
|
|
|
|
# Postscreen settings to drop zombies/open relays/spam early
|
|
postscreen_dnsbl_action = enforce
|
|
postscreen_dnsbl_sites = zen.spamhaus.org*3
|
|
bl.mailspike.net
|
|
b.barracudacentral.org*2
|
|
bl.spameatingmonkey.net
|
|
bl.spamcop.net
|
|
dnsbl.sorbs.net
|
|
psbl.surriel.com
|
|
list.dnswl.org=127.0.[0..255].0*-2
|
|
list.dnswl.org=127.0.[0..255].1*-3
|
|
list.dnswl.org=127.0.[0..255].[2..3]*-4
|
|
postscreen_dnsbl_threshold = 3
|
|
postscreen_dnsbl_whitelist_threshold = -1
|
|
postscreen_greet_action = enforce
|
|
postscreen_bare_newline_action = enforce
|
|
|
|
# SASL
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_path = /var/spool/postfix/private/auth
|
|
smtpd_sasl_type = dovecot
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
smtpd_sasl_local_domain = $mydomain
|
|
broken_sasl_auth_clients = yes
|
|
|
|
# Mail directory
|
|
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
|
|
virtual_mailbox_domains = /etc/postfix/vhost
|
|
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
|
|
virtual_alias_maps = texthash:/etc/postfix/virtual
|
|
|
|
# Additional option for filtering
|
|
content_filter = smtp-amavis:[127.0.0.1]:10024
|
|
|
|
# Milters used by DKIM
|
|
milter_protocol = 6
|
|
milter_default_action = accept
|
|
dkim_milter = inet:localhost:8891
|
|
dmarc_milter = inet:localhost:8893
|
|
smtpd_milters = $dkim_milter,$dmarc_milter
|
|
non_smtpd_milters = $dkim_milter
|
|
|
|
# SPF policy settings
|
|
policyd-spf_time_limit = 3600
|
|
|
|
# Header checks for content inspection on receiving
|
|
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
|
|
|
|
# Remove unwanted headers that reveail our privacy
|
|
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
|