default_extra_recipient_limit = 5000
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
+disable_vrfy_command = yes
+ # NOTE: this stops some techniques used to harvest email addresses.
duplicate_filter_limit = 5000
+fallback_transport = lmtp:unix:private/dovecot-lmtp
+ # NOTE: passe à dovecot les destinataires de $mydestination qui n'existent pas
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
inet_protocols = ipv4
# NOTE: "all" to activate IPv6
line_length_limit = 2048
+local_recipient_maps =
+ # NOTE: laisse $fallback_transport vérifier l'existence du destinaire
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
+masquerade_classes = envelope_sender, header_sender, header_recipient
+masquerade_domains =
+masquerade_exceptions = root
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
-mynetworks = 127.0.0.0/8 #, [::1]/128
+mynetworks = 127.0.0.0/8
+ #[::1]/128
nested_header_checks =
non_smtpd_milters =
parent_domain_matches_subdomains =
#qmqpd_authorized_clients
#smtpd_access_maps
permit_mx_backup_networks =
+policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
smtpd_authorized_xclient_hosts = 127.0.0.1
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
+ reject_unverified_recipient
+ # NOTE: $fallback_transport est garant de l'existence du destinataire
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
- check_policy_service unix:/run/postgrey/socket
- # NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
+ check_policy_service unix:postgrey/socket
+ # NOTE: Postgrey (greylisting)
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
reject
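Review bot: `reject_unverified_recipient` is added above `reject_unauth_destination`, so a client that none of the three `permit_*` entries accepted can name a recipient in a domain this server does not handle and still have it passed to address verification before the relay check rejects it. That lets any unauthenticated client make the server send probes to third-party hosts and fill the verify cache, and it contradicts the list's own NOTE about not spending SPFCheck/Postgrey work on mail that is not for us. Placing the two added lines directly below `reject_unauth_destination` limits probing to destinations the server is responsible for. Clients accepted by the `permit_*` entries never reach the check, and with `local_recipient_maps =` emptied elsewhere in this diff, their mail to nonexistent local users is accepted first and can only bounce afterwards. The parameter line that opens this list is outside the hunk.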
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
- reject
+ permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
+ # NOTE: this stops mail from poorly written software.
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci
#tls_random_bytes = 32
-#tls_random_exchange_name = ${data_directory}/prng_exch
+#tls_random_exchange_name = $data_directory/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
transport_maps =
hash:/etc/postfix/$mydomain/transport
hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet
+ hash:/etc/dovecot/transport
regexp:/etc/sympa/transport
-#virtual_alias_domains =
+virtual_alias_domains =
+ cyclocoop.org
virtual_alias_maps =
hash:/etc/postfix/$mydomain/virtual_alias
hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet
hash:/etc/postfix/cyclocoop.org/virtual_alias
+ hash:/etc/mail/dovecot/virtual_alias
regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
+unverified_recipient_reject_code = 550
+ # NOTE: rejette immédiatement ce que $fallback_transport refuse
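Review bot: The two Dovecot lookup tables added in this diff live under different directories, `hash:/etc/dovecot/transport` in `transport_maps` and `hash:/etc/mail/dovecot/virtual_alias` in `virtual_alias_maps`, so one of the paths may be a typo. A `hash:` table that Postfix cannot open is treated as a lookup failure and mail is deferred with a temporary error instead of being cleanly rejected, so both paths and their `postmap` output should be confirmed before deployment. Separately, `unverified_recipient_reject_code = 550` makes a negative probe result a permanent reject. The NOTE under it could state that this is acceptable only while the `$fallback_transport` answer is authoritative for every local recipient.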