mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
5e09074d58
* new setup.sh function, new tests, new script and some minor updates to main.cf * fix for missing files * removed obsolete test-files * restart postfix if neccessary. * see pr #845 * fixed typo * fixed branchmixup * changed postfix reload command & changed to operate on container instead of image * reload postfix only on adding new restriction * main.cf is only changed when user is added. - Postfix reload changed - working on container instead of image now in setup.sh - added cleanup after tests * moved cleanup to makefile
106 lines
4.2 KiB
CFEngine3
106 lines
4.2 KiB
CFEngine3
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
|
|
|
smtpd_banner = $myhostname ESMTP $mail_name (Debian)
|
|
biff = no
|
|
append_dot_mydomain = no
|
|
readme_directory = no
|
|
|
|
# Basic configuration
|
|
# myhostname =
|
|
alias_maps = texthash:/etc/aliases
|
|
alias_database = texthash:/etc/aliases
|
|
mydestination =
|
|
relayhost =
|
|
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
|
|
mailbox_size_limit = 0
|
|
recipient_delimiter = +
|
|
inet_interfaces = all
|
|
inet_protocols = all
|
|
|
|
# TLS parameters
|
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
|
#smtpd_tls_CAfile=
|
|
#smtp_tls_CAfile=
|
|
smtpd_tls_security_level = may
|
|
smtpd_use_tls=yes
|
|
smtpd_tls_loglevel = 1
|
|
smtp_tls_security_level = may
|
|
smtp_tls_loglevel = 1
|
|
tls_ssl_options = NO_COMPRESSION
|
|
tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
|
|
tls_preempt_cipherlist = yes
|
|
smtpd_tls_protocols=!SSLv2,!SSLv3
|
|
smtp_tls_protocols=!SSLv2,!SSLv3
|
|
smtpd_tls_mandatory_ciphers = high
|
|
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
|
|
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
|
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
|
smtpd_tls_CApath = /etc/ssl/certs
|
|
smtp_tls_CApath = /etc/ssl/certs
|
|
|
|
# Settings to prevent SPAM early
|
|
smtpd_helo_required = yes
|
|
smtpd_delay_reject = yes
|
|
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
|
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
|
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
|
|
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
|
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
|
|
disable_vrfy_command = yes
|
|
|
|
# Postscreen settings to drop zombies/open relays/spam early
|
|
postscreen_dnsbl_action = enforce
|
|
postscreen_dnsbl_sites = zen.spamhaus.org*3
|
|
bl.mailspike.net
|
|
b.barracudacentral.org*2
|
|
bl.spameatingmonkey.net
|
|
bl.spamcop.net
|
|
dnsbl.sorbs.net
|
|
psbl.surriel.com
|
|
list.dnswl.org=127.0.[0..255].0*-2
|
|
list.dnswl.org=127.0.[0..255].1*-3
|
|
list.dnswl.org=127.0.[0..255].[2..3]*-4
|
|
postscreen_dnsbl_threshold = 3
|
|
postscreen_dnsbl_whitelist_threshold = -1
|
|
postscreen_greet_action = enforce
|
|
postscreen_bare_newline_action = enforce
|
|
|
|
# SASL
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_path = /var/spool/postfix/private/auth
|
|
smtpd_sasl_type = dovecot
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
smtpd_sasl_local_domain = $myhostname
|
|
broken_sasl_auth_clients = yes
|
|
|
|
# Mail directory
|
|
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
|
|
virtual_mailbox_domains = /etc/postfix/vhost
|
|
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
|
|
virtual_alias_maps = texthash:/etc/postfix/virtual
|
|
|
|
# Additional option for filtering
|
|
content_filter = smtp-amavis:[127.0.0.1]:10024
|
|
|
|
# Milters used by DKIM
|
|
milter_protocol = 6
|
|
milter_default_action = accept
|
|
dkim_milter = inet:localhost:8891
|
|
dmarc_milter = inet:localhost:8893
|
|
smtpd_milters = $dkim_milter,$dmarc_milter
|
|
non_smtpd_milters = $dkim_milter
|
|
|
|
# SPF policy settings
|
|
policyd-spf_time_limit = 3600
|
|
|
|
# Remove unwanted headers that reveail our privacy
|
|
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
|
|
|
|
# postSRSd rules to process spf mail forwarding
|
|
sender_canonical_maps = tcp:localhost:10001
|
|
sender_canonical_classes = envelope_sender
|
|
recipient_canonical_maps = tcp:localhost:10002
|
|
recipient_canonical_classes = envelope_recipient,header_recipient
|