cloud-modoboa/templates/etc/postfix/main.cf.j2

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
inet_interfaces = all
inet_protocols = ipv4

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = {{ modoboa_url }}
myorigin = $myhostname
mydestination = $myhostname
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

## TLS settings
#
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_key_file = /etc/letsencrypt/live/mail.lars-hahn-test.de/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.lars-hahn-test.de/fullchain.pem 
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes

# Disallow SSLv2 and SSLv3, only accept secure ciphers
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL

# Enable elliptic curve cryptography
smtpd_tls_eecdh_grade = strong

# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_exclude_ciphers = EXPORT, LOW


## SASL authentication through Dovecot
#
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
#smtpd_sasl_security_options = noanonymous

## SMTP session policies
#

# We require HELO to check it later
smtpd_helo_required = yes

# We do not let others find out which recipients are valid
disable_vrfy_command = yes

# MTA to MTA communication on Port 25. We expect (!) the other party to
# specify messages as required by RFC 821.
strict_rfc821_envelopes = yes

## Virtual transport settings
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-domains.cf
virtual_alias_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-domain-aliases.cf
virtual_alias_maps = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-aliases.cf

relay_domains = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-relaydomains.cf
transport_maps =
  {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-transport.cf
  {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-spliteddomains-transport.cf

smtpd_recipient_restrictions =
      #check_policy_service inet:localhost:9999
      permit_mynetworks
      permit_sasl_authenticated
      check_recipient_access
          {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-maintain.cf
          {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-relay-recipient-verification.cf
      reject_unverified_recipient
      reject_unauth_destination
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      reject_non_fqdn_helo_hostname

smtpd_sender_login_maps = {{ modoboa_db_type }}:{{ postfix_mapping_folder }}/sql-sender-login-map.cf
 
smtpd_sender_restrictions =
      reject_sender_login_mismatch

# OpenDKIM relevant
smtpd_milters = inet:127.0.0.1:{{ opendkim_port_listen }}
non_smtpd_milters = inet:127.0.0.1:{{ opendkim_port_listen }}
milter_default_action = accept
milter_content_timeout = 30s