Correction : SPF eXolia.
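# DOC: Postfix main.cf for this host (read by the Postfix daemons via postconf(5)).
# Layout rules that matter for this file:
#   - one "parameter = value" per logical line; a line that begins with
#     whitespace continues the previous logical line (multi-valued parameters
#     below rely on this, so keep the indentation);
#   - comments are full-line only ("#" in column 0); Postfix has no trailing
#     comments, so text after a value would become part of the value;
#   - "$name" references another main.cf parameter.
# The rendered copy this was restored from had lost the leading whitespace on
# continuation lines; it has been reinstated here.

# Local alias tables (postalias(1) builds the .db files).
alias_database =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
alias_maps =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
# NOTE: appending .domain is the MUA's job.
append_dot_mydomain = no
# NOTE: no console notification when new mail arrives.
biff = no
body_checks =
#content_filter = amavisfeed:[]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
duplicate_filter_limit = 5000
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
# NOTE: "all" to activate IPv6
inet_protocols = ipv4
line_length_limit = 2048
#local_header_rewrite_clients =
# Local delivery hands the message to procmail with the envelope data as
# arguments; the per-user recipe lives under $HOME/etc/mail/.
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
# 0 = no size limit on local mailboxes (message_size_limit still applies).
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
# bytes (about 20 MB)
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
# NOTE: explicitly empty, so permit_mynetworks (used below in the
# recipient/sender restrictions) and smtpd_client_event_limit_exceptions
# match no client at all; only the loopback entry is kept as a reminder.
mynetworks =
#    [::1]/128
nested_header_checks =
non_smtpd_milters =
# NOTE: explicitly empty: none of the features listed (commented) below treat
# "example.com" as also matching its subdomains.
parent_domain_matches_subdomains =
#    debug_peer_list
#    fast_flush_domains
#    mynetworks
#    permit_mx_backup_networks
#    qmqpd_authorized_clients
#    smtpd_access_maps
permit_mx_backup_networks =
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
#   Do not try to reject unknown recipients (SMTP server only).
#   This is typically specified AFTER an external content filter.
# no_address_mappings
#   Disable canonical address mapping, virtual alias map expansion,
#   address masquerading, and automatic BCC (blind carbon-copy) recipients.
#   This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
#   Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
#   Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
# NOTE: separator between the user name and address extensions.
recipient_delimiter = +
#relayhost =
# NOTE(review): this table is only consulted by permit_tls_clientcerts, which
# can only match when a client certificate was requested and verified;
# smtpd_tls_ask_ccert = no below means no certificate is ever requested, so
# this table and the permit_tls_clientcerts entries look inactive - confirm
# whether a master.cf listener overrides smtpd_tls_ask_ccert.
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
# NOTE: add the domains we are backup MX for here, not in mydestination or
# virtual_alias...
relay_domains =
    $mydestination
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
# NOTE(review): digest used for "fingerprint" entries in smtp_tls_policy_maps.
# SHA-1 is weak for this purpose; switching to sha256 is preferable but every
# fingerprint in the policy table must be regenerated at the same time.
smtp_tls_fingerprint_digest = sha1
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
# Per-destination TLS policy (e.g. fingerprint/secure for specific next-hops).
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
# NOTE: exclusion form, so only SSLv2/SSLv3 are refused and TLSv1.0/1.1 are
# still negotiated outbound; on a Postfix that knows TLSv1.1/TLSv1.2, adding
# "!TLSv1, !TLSv1.1" would restrict this to TLSv1.2 and later.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
# Opportunistic TLS outbound; policy_maps above can raise the level per destination.
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
# NOTE: useful for testing the restrictions (XCLIENT lets a listed host spoof
# client attributes, so keep it empty in production).
smtpd_authorized_xclient_hosts =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
# 0 = no rate limit for the following four settings.
smtpd_client_connection_rate_limit = 0
# NOTE: $mynetworks is empty above, so no client is exempt from the limits.
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
# Client-level blacklist; evaluated before HELO.
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
# NOTE: forces the remote SMTP client to wait for our OK before sending
# more commands (rejects clients that pipeline without permission).
    reject_unauth_pipelining
    permit
# NOTE: mail clients trying opportunistic encryption get an error when they
# attempt STARTTLS.
# NOTE(review): with STARTTLS not advertised here and smtpd_tls_auth_only = yes
# below, this listener offers neither TLS nor AUTH, so inbound SMTP on it is
# cleartext only; the submission service presumably re-enables both with
# master.cf "-o" overrides - confirm.
smtpd_discard_ehlo_keywords = starttls
#smtpd_end_of_data_restrictions =
# NOTE: a client that triggers errors waits five seconds before each reply
# (slows down abusive clients).
smtpd_error_sleep_time = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname
# NOTE: could still be useful against spam
    permit
smtpd_milters =
# NOTE: required for postgrey
smtpd_peername_lookup = yes
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
# Order matters: reject_unauth_destination comes before the policy services so
# that relay attempts are refused without ever consulting Postgrey/SPF.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
#    reject_invalid_hostname
# NOTE: postfix < 2.3. See reject_invalid_helo_hostname in smtpd_helo_restrictions
    reject_unknown_recipient_domain
#    reject_non_fqdn_sender
# NOTE: in smtpd_sender_restrictions
    reject_unauth_pipelining
# NOTE: in smtpd_client_restrictions or smtpd_data_restrictions
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_destination
# NOTE: do not go through SPFCheck / Postgrey when the mail is not for us or
# for someone we act as backup MX for
    check_policy_service unix:postgrey/socket
# NOTE: Postgrey (greylisting)
    check_policy_service unix:private/spfcheck
    permit_auth_destination
# NOTE: once Postgrey has passed, accept what is addressed to us (see
# permit_auth_destination); probably redundant
    reject
#    reject_unknown_sender_domain
# NOTE: probably better in smtpd_sender_restrictions
#    reject_rbl_client
#    reject_rbl_client
#    reject_rbl_client
#    reject_rbl_client
#smtpd_restriction_classes =
# SASL via Dovecot; noanonymous only, so plaintext mechanisms are allowed -
# acceptable only because smtpd_tls_auth_only = yes restricts AUTH to TLS sessions.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
#    reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
# Client certificates are never requested (see relay_clientcerts note above).
smtpd_tls_ask_ccert = no
# NOTE: no SASL AUTH without TLS
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# NOTE(review): the mandatory_* settings only apply where the security level is
# "encrypt" or stronger (not with "may" below, unless a master.cf listener
# overrides it). This is the inclusion form: on releases that distinguish
# TLSv1.1/TLSv1.2, naming only "TLSv1" excludes them - confirm against the
# installed Postfix version.
smtpd_tls_mandatory_protocols = TLSv1
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
# Postfix 2.3 and later
# encrypt
#   Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and
#   require that clients use TLS encryption. According to RFC 2487 this MUST
#   NOT be applied in case of a publicly-referenced SMTP server. Instead, this
#   option should be used only on dedicated servers.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
# One recipient per delivery for the Sympa transports (list manager needs it).
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) advises against changing this
#tls_random_bytes = 32
#tls_random_exchange_name = ${data_directory}/prng_exch
# NOTE: must not be placed inside the chroot jail
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
#tls_random_source = dev:/dev/urandom
# NOTE: non-blocking
transport_maps =
    hash:/etc/postfix/$mydomain/transport
    hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet
    regexp:/etc/sympa/transport
#virtual_alias_domains =
virtual_alias_maps =
    hash:/etc/postfix/$mydomain/virtual_alias
    hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet
# NOTE(review): the next entry names a directory, not a table; Postfix would
# look for /etc/postfix/.db and fail to open the map. Either the file name was
# lost when this copy was rendered or the line is a leftover - verify against
# the deployed file before relying on this configuration.
    hash:/etc/postfix/
    regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.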