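# main.cf -- Postfix configuration template; the {{ ... }} placeholders are
# filled in at render time. See /usr/share/postfix/main.cf.dist for a
# commented, more complete version.
# Multi-line values below rely on Postfix's continuation rule: a line that
# starts with whitespace continues the preceding logical line.

## Network and identity
#
inet_interfaces = all
inet_protocols = ipv4

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = {{ modoboa_url }}
myorigin = $myhostname
mydestination = $myhostname
# IPv4 loopback only, matching inet_protocols = ipv4 above.
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# Reject unknown / unverifiable recipients permanently at SMTP time.
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no

## TLS settings (server side: inbound and submission)
#
smtpd_use_tls = yes
# Only offer AUTH on an encrypted connection. With "no", credentials would be
# sent in the clear whenever SASL is enabled (here or per service in master.cf).
smtpd_tls_auth_only = yes
smtpd_tls_CApath = /etc/ssl/certs
# NOTE(review): these two paths are hard-coded to a single host while
# myhostname is templated from {{ modoboa_url }} -- confirm they are correct
# for every deployment this template is rendered for.
smtpd_tls_key_file = /etc/letsencrypt/live/mail.lars-hahn-test.de/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.lars-hahn-test.de/fullchain.pem
# Finite-field DH group; despite the historic parameter name the file is
# expected to hold a 2048-bit group.
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
# Opportunistic TLS for MTA-to-MTA traffic on port 25; services that must
# require TLS (e.g. submission) are expected to override this in master.cf.
smtpd_tls_security_level = may
smtpd_tls_received_header = yes

# Disallow SSLv2 and SSLv3 for opportunistic TLS; where TLS is mandatory,
# also refuse the deprecated TLS 1.0 and 1.1. Only accept secure ciphers.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
# NOTE(review): "PSD" does not appear to be an OpenSSL cipher alias (PSK is);
# unknown tokens are silently dropped from the cipher string, so this entry
# likely excludes nothing -- verify the intended name and correct it.
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
# Enable elliptic curve cryptography
smtpd_tls_eecdh_grade = strong

## TLS settings (client side: outbound)
#
# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = EXPORT, LOW

## SASL authentication through Dovecot
#
# Disabled in main.cf. While smtpd_sasl_auth_enable is off,
# permit_sasl_authenticated below can only match for services that switch
# SASL on themselves (typically submission in master.cf).
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
#smtpd_sasl_security_options = noanonymous

## SMTP session policies
#
# We require HELO to check it later
smtpd_helo_required = yes
# We do not let others find out which recipients are valid
disable_vrfy_command = yes
# MTA to MTA communication on Port 25. We expect (!) the other party to
# specify messages as required by RFC 821.
strict_rfc821_envelopes = yes

## Virtual transport settings
#
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-domains.cf
virtual_alias_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-domain-aliases.cf
virtual_alias_maps = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-aliases.cf
relay_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-relaydomains.cf
transport_maps =
    {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-transport.cf
    {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-spliteddomains-transport.cf

## Recipient and sender restrictions
#
# Order matters: reject_unauth_destination is evaluated before
# reject_unverified_recipient, so address-verification probes are only sent
# for domains this host accepts or relays mail for, never in response to
# arbitrary relay attempts. An optional policy service (previously noted as
# check_policy_service inet:localhost:9999) can be added at the top of the
# list if one is deployed; it is kept out of the value so that the list has
# no commented-out entries in the middle of a continued line.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_recipient_access {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-maintain.cf
    check_recipient_access {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-relay-recipient-verification.cf
    reject_unauth_destination
    reject_unverified_recipient
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_helo_hostname

# A MAIL FROM address that has an owner in the login map may only be used by
# that SASL login; unauthenticated clients are refused such addresses.
smtpd_sender_login_maps = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-sender-login-map.cf
smtpd_sender_restrictions = reject_sender_login_mismatch

## OpenDKIM milter
#
smtpd_milters = inet:127.0.0.1:{{ opendkim_port_listen }}
non_smtpd_milters = inet:127.0.0.1:{{ opendkim_port_listen }}
# Fail open: if OpenDKIM is unreachable, mail is accepted (outbound mail then
# leaves unsigned) rather than deferred.
milter_default_action = accept
milter_content_timeout = 30s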