Ajout : roundcube.
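# DOC: http://postfix.traduc.org/index.php/TLS_README.html
#
# Postfix main.cf, postconf(5) syntax: "name = value", a line that starts with
# whitespace continues the previous value, a line whose first non-blank
# character is "#" is a comment. Parameters are kept in alphabetical order.
#
# NOTE(review): master.cf is not visible here. Several smtpd_* settings below
# (STARTTLS discarded, no client certificate requested) only make sense if the
# submission service overrides them with "-o" options; confirm against master.cf.

alias_database =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
alias_maps =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
# Appending .$mydomain to unqualified addresses is the MUA's job.
append_dot_mydomain = no
# No console notification when new mail arrives.
biff = no
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
# Uncomment to generate "delayed mail" warnings after 4h.
#delay_warning_time = 4h
# VRFY is one of the techniques used to harvest e-mail addresses.
disable_vrfy_command = yes
duplicate_filter_limit = 5000
# Recipients in $mydestination that match no local user or alias are handed to
# Dovecot over LMTP, which then accepts or rejects them.
fallback_transport = lmtp:unix:private/dovecot-lmtp
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
# Set to "all" to enable IPv6 (then also uncomment [::1]/128 under mynetworks).
inet_protocols = ipv4
line_length_limit = 2048
# Deliberately empty: $fallback_transport (Dovecot LMTP) is what verifies that a
# local recipient exists, through reject_unverified_recipient below.
local_recipient_maps =
#local_header_rewrite_clients =
# NOTE(review): procmail is no longer maintained upstream; Dovecot Sieve over
# the LMTP transport configured above would be the maintained alternative.
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 5d
# Bytes (about 20 MB).
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
# Loopback only. Everything listed here bypasses SPF, greylisting and relay
# control through permit_mynetworks, so keep it minimal.
mynetworks = 127.0.0.0/8
#    [::1]/128
nested_header_checks =
non_smtpd_milters =
parent_domain_matches_subdomains =
#    debug_peer_list
#    fast_flush_domains
#    mynetworks
#    permit_mx_backup_networks
#    qmqpd_authorized_clients
#    smtpd_access_maps
permit_mx_backup_networks =
policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
#   no_unknown_recipient_checks
#       Do not try to reject unknown recipients (SMTP server only).
#       This is typically specified AFTER an external content filter.
#   no_address_mappings
#       Disable canonical address mapping, virtual alias map expansion,
#       address masquerading, and automatic BCC (blind carbon-copy) recipients.
#       This is typically specified BEFORE an external content filter (eg. amavis).
#   no_header_body_checks
#       Disable header/body_checks. This is typically specified AFTER an external content filter.
#   no_milters
#       Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
# Separator between the user name and the address extension.
recipient_delimiter = +
#relayhost =
# Fingerprints of client certificates allowed to relay (see
# permit_tls_clientcerts and smtpd_tls_fingerprint_digest below).
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
# Domains for which we are a backup MX go here, not in mydestination or
# virtual_alias_domains. Mail for these domains is relayed for anyone, so
# populate relay_recipient_maps for them to avoid accepting undeliverable mail.
relay_domains =
    $mydestination
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
# NOTE(review): SHA-1 is collision-prone and differs from the sha512 used for
# smtpd below. Move to sha256, but every fingerprint in $smtp_tls_policy_maps
# must be regenerated with the new digest at the same time, otherwise delivery
# to those destinations is deferred on fingerprint mismatch.
smtp_tls_fingerprint_digest = sha1
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
# Opportunistic outbound TLS: anything except SSLv2/SSLv3.
smtp_tls_protocols = !SSLv2, !SSLv3
# Same floor for destinations given a mandatory level (encrypt, verify, secure,
# fingerprint) in $smtp_tls_policy_maps; older Postfix releases default this
# to "SSLv3, TLSv1".
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
# Useful for testing the restrictions. Anything running on this host (webmail,
# local users) can use XCLIENT to present a forged client name/address to the
# restrictions, so clear this once testing is done if that matters here.
smtpd_authorized_xclient_hosts = 127.0.0.1
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
    # Forces the remote SMTP client to wait for our reply before sending more.
    reject_unauth_pipelining
    permit
# STARTTLS is not announced on this service and a client that sends it anyway
# gets an error. So this instance never offers TLS and, because of
# smtpd_tls_auth_only below, never offers AUTH either. The smtpd_tls_* settings
# below only take effect on a master.cf service that overrides this with
# "-o smtpd_discard_ehlo_keywords=" (typically submission).
smtpd_discard_ehlo_keywords = starttls
#smtpd_end_of_data_restrictions =
# Make a client that keeps triggering errors wait five seconds.
smtpd_error_sleep_time = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    # Could help against spam, but also rejects hosts with broken DNS.
    #reject_unknown_helo_hostname
    permit
smtpd_milters =
# Needed by postgrey.
smtpd_peername_lookup = yes
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
# Evaluated in order at RCPT TO. Relay control (reject_unauth_destination) comes
# before anything that costs a probe or a policy lookup.
# NOTE(review): on Postfix >= 2.10 smtpd_relay_restrictions (default:
# permit_mynetworks permit_sasl_authenticated defer_unauth_destination) is
# evaluated as well, so relaying via permit_tls_clientcerts would also need to
# be allowed there.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    #reject_invalid_hostname
    # (Postfix < 2.3; see reject_invalid_helo_hostname in smtpd_helo_restrictions.)
    reject_unknown_recipient_domain
    #reject_non_fqdn_sender
    # (in smtpd_sender_restrictions)
    reject_unauth_pipelining
    # (also in smtpd_data_restrictions)
    permit_mynetworks
    # Only matches a client certificate that was requested and verified; with
    # smtpd_tls_ask_ccert = no below this never matches unless a master.cf
    # service overrides it.
    permit_tls_clientcerts
    permit_sasl_authenticated
    # Reject mail for domains we are not responsible for before spending a
    # verification probe or a policy lookup on it.
    reject_unauth_destination
    # Address verification after relay control: placed before
    # reject_unauth_destination it let any unauthenticated client make this
    # server open verify(8) probe connections to arbitrary remote MXs. For our
    # own domains the probe goes to $fallback_transport (Dovecot LMTP), which
    # is what knows whether the mailbox exists.
    reject_unverified_recipient
    # SPF and greylisting only run for mail we will actually accept.
    check_policy_service unix:private/spfcheck
    # Postgrey (greylisting)
    check_policy_service unix:postgrey/socket
    # Once Postgrey has passed, accept what is addressed to us; probably
    # redundant given reject_unauth_destination above.
    permit_auth_destination
    reject
    #reject_unknown_sender_domain
    # (probably better in smtpd_sender_restrictions)
    #reject_rbl_client bl.spamcop.net
    #reject_rbl_client list.dsbl.org
    #reject_rbl_client zen.spamhaus.org
    #reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
# Plaintext mechanisms are acceptable only because smtpd_tls_auth_only = yes
# keeps AUTH behind TLS.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
    #reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
# No client certificate is requested, so relay_clientcerts and
# permit_tls_clientcerts cannot match on this service.
smtpd_tls_ask_ccert = no
# No SASL AUTH without TLS.
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# Protocols for mandatory TLS (a service with smtpd_tls_security_level=encrypt).
# "TLSv1" alone is an inclusion list that enables TLS 1.0 only and shuts out
# TLS 1.1/1.2 clients; use exclusions instead. Add "!TLSv1, !TLSv1.1" once all
# submission clients are known to support TLS 1.2.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
# Opportunistic TLS. "encrypt" (Postfix 2.3 and later) would announce STARTTLS
# and require TLS from every client; RFC 2487 says this MUST NOT be applied to a
# publicly referenced MX, only to dedicated (submission) services.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
# Stops mail from poorly written software.
strict_rfc821_envelopes = yes
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
# postconf(5) advises against changing this.
#tls_high_cipherlist = AES256-SHA
#tls_random_bytes = 32
# Must not be placed inside the chroot jail.
#tls_random_exchange_name = $data_directory/prng_exch
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
# Non-blocking source.
#tls_random_source = dev:/dev/urandom
transport_maps =
    hash:/etc/postfix/$mydomain/transport
    hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet
    hash:/etc/dovecot/transport
    regexp:/etc/sympa/transport
# Do not list virtual alias domain names in mydestination or relay_domains.
# With a virtual alias domain, the Postfix SMTP server accepts mail for
# known-user@virtual-alias.domain and rejects mail for
# unknown-user@virtual-alias.domain as undeliverable.
virtual_alias_domains =
    cyclocoop.org
virtual_alias_maps =
    hash:/etc/postfix/$mydomain/virtual_alias
    hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet
    hash:/etc/postfix/cyclocoop.org/virtual_alias
    hash:/etc/mail/dovecot/virtual_alias
    regexp:/etc/sympa/virtual_alias
# Reject with a permanent error, right away, what $fallback_transport refuses.
unverified_recipient_reject_code = 550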