[lhc/ateliers.git] / etc / postfix / main.cf

# DOC: http://postfix.traduc.org/index.php/TLS_README.html

alias_database = hash:/etc/aliases
        # NOTE: fichier de hash contenant une table d’alias mail.
        #       Celle-ci est éditable dans /etc/aliases, puis (indispensable)
        #       regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
        # NOTE: appending .domain is the MUA's job.
biff = no
        # NOTE: pas de notification dans la console en cas de réception de nouveaux courriels.
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
#delay_warning_time = 4h
        # NOTE: uncomment the previous line to generate "delayed mail" warnings
duplicate_filter_limit = 5000
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
inet_protocols = ipv4
        # NOTE: "all" to activate IPv6
line_length_limit = 2048
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
mynetworks = 127.0.0.0/8 #, [::1]/128
non_smtpd_milters =
nested_header_checks =
parent_domain_matches_subdomains =
        #debug_peer_list
        #fast_flush_domains
        #mynetworks
        #permit_mx_backup_networks
        #qmqpd_authorized_clients
        #smtpd_access_maps
permit_mx_backup_networks =
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
        # no_unknown_recipient_checks
        #         Do not try to reject unknown recipients (SMTP server only).
        #         This is typically specified AFTER an external content filter.
        # no_address_mappings
        #         Disable canonical address mapping, virtual alias map expansion,
        #         address masquerading, and automatic BCC (blind carbon-copy) recipients.
        #         This is typically specified BEFORE an external content filter (eg. amavis).
        # no_header_body_checks
        #         Disable header/body_checks. This is typically specified AFTER an external content filter.
        # no_milters
        #         Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
recipient_delimiter = +
        # NOTE: séparateur entre le nom d’utilisateur et les extensions d’adresse.
#relayhost =
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
relay_domains = $mydestination
        # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias...
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
smtp_tls_fingerprint_digest = sha1
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
smtp_tls_protocols = !SSLv2, !SSLv3
        # NOTE: only allow TLSv*
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
smtpd_authorized_xclient_hosts = 127.0.0.1
        # NOTE: utile pour tester les restrictions
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
        reject_unauth_pipelining
                # NOTE: oblige le client smtp en face à attendre qu'on lui aie dit OK
        permit
smtpd_discard_ehlo_keywords = starttls
        # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste se mangent une erreur en tentant un starttls
#smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 5
        # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
smtpd_helo_required = yes
smtpd_helo_restrictions =
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        #reject_unknown_helo_hostname
                # NOTE: pourrait pourtant être utile pour lutter contre le spam
        permit
smtpd_milters =
smtpd_peername_lookup = yes
        # NOTE: nécessaire pour postgrey
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        #reject_invalid_hostname
                # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname dans smtpd_helo_restrictions
        reject_unknown_recipient_domain
        #reject_non_fqdn_sender
                # NOTE: dans smtpd_sender_restrictions
        reject_unauth_pipelining
                # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
        permit_mynetworks
        permit_tls_clientcerts
        permit_sasl_authenticated
        reject_unauth_destination
                # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
        check_policy_service inet:127.0.0.1:10023
                # NOTE: Postgrey (greylisting)
        check_policy_service unix:private/spfcheck
        permit_auth_destination
                # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
        reject
        #reject_unknown_sender_domain
                # NOTE: probablement mieux dans smtpd_sender_restrictions
        #reject_rbl_client bl.spamcop.net
        #reject_rbl_client list.dsbl.org
        #reject_rbl_client zen.spamhaus.org
        #reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
        permit_mynetworks
        permit_tls_clientcerts
        permit_sasl_authenticated
        check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
        reject_unauth_pipelining
        reject_non_fqdn_sender
        #reject_unknown_sender_domain
        permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
        # NOTE: pas d'AUTH SASL sans TLS
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
        # Postfix 2.3 and later
        # encrypt
        #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
        #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
        #  SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
#tls_high_cipherlist = AES256-SHA
        # NOTE: postconf(5) déconseille de changer ceci
#tls_random_bytes = 32
#tls_random_exchange_name = ${data_directory}/prng_exch
        # NOTE: à ne pas mettre dans la cage chroot
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
#tls_random_source = dev:/dev/urandom
        # NOTE: non-blocking
transport_maps = hash:/etc/postfix/$mydomain/transport
#virtual_alias_domains =
virtual_alias_maps =
        hash:/etc/postfix/$mydomain/virtual_alias
        # NOTE: do not specify virtual alias domain names in  the  main.cf
        #       mydestination or relay_domains configuration parameters.
        #
        # With  a  virtual  alias  domain,  the  Postfix SMTP server
        # accepts  mail  for  known-user@virtual-alias.domain,   and
        # rejects   mail  for  unknown-user@virtual-alias.domain  as
        # undeliverable.