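# DOC: http://postfix.traduc.org/index.php/TLS_README.html
#
# Postfix main.cf. Per postconf(5): each logical line is "parameter = value",
# a physical line that starts with whitespace continues the previous logical
# line, and a line whose first non-blank character is '#' is a comment.
# Multi-line values below are therefore indented; do not dedent them.

alias_database =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
alias_maps =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
append_dot_mydomain = no
# NOTE: appending .domain is the MUA's job.
biff = no
# NOTE: no console notification when new mail arrives.
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
disable_vrfy_command = yes
# NOTE: this stops some techniques used to harvest email addresses.
duplicate_filter_limit = 5000
fallback_transport = lmtp:unix:private/dovecot-lmtp
# NOTE: hands the $mydestination recipients that do not exist locally over to dovecot.
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
inet_protocols = ipv4
# NOTE: "all" to activate IPv6
line_length_limit = 2048
local_recipient_maps =
# NOTE: left empty on purpose: $fallback_transport is what checks that the
# recipient exists (see reject_unverified_recipient in smtpd_recipient_restrictions).
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
mynetworks = 127.0.0.0/8
#    [::1]/128
nested_header_checks =
non_smtpd_milters =
parent_domain_matches_subdomains =
# possible values, none selected at the moment:
#    debug_peer_list
#    fast_flush_domains
#    mynetworks
#    permit_mx_backup_networks
#    qmqpd_authorized_clients
#    smtpd_access_maps
permit_mx_backup_networks =
#policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual, alias
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
#     Do not try to reject unknown recipients (SMTP server only).
#     This is typically specified AFTER an external content filter.
# no_address_mappings
#     Disable canonical address mapping, virtual alias map expansion,
#     address masquerading, and automatic BCC (blind carbon-copy) recipients.
#     This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
#     Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
#     Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
recipient_delimiter = +
# NOTE: separator between the user name and the address extension.
#relayhost =
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
relay_domains =
    $mydestination
# NOTE: add the domains we act as backup MX for here, not in mydestination or virtual_alias...
relay_recipient_maps =
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
smtp_tls_fingerprint_digest = sha1
# NOTE(review): sha1 is a weak digest for the "fingerprint" entries of
# $smtp_tls_policy_maps, and the smtpd side below already uses sha512.
# Moving to sha256 requires regenerating every fingerprint in the policy
# map at the same time, so the value is deliberately left unchanged here.
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
smtp_tls_protocols = !SSLv2, !SSLv3
# NOTE: only allow TLSv*
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: useful for testing the restrictions. XCLIENT lets a client present a
# different address/hostname to the restrictions, so keep this list to loopback.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
    reject_unauth_pipelining
# NOTE: forces the remote SMTP client to wait until we have said OK.
    permit
smtpd_discard_ehlo_keywords = starttls
# NOTE: mail clients that try opportunistic encryption get an error when they attempt STARTTLS.
# NOTE(review): not advertising STARTTLS on this service also means inbound
# MTA-to-MTA mail is not offered TLS here; presumably a separate submission
# service in master.cf overrides this -- confirm.
#smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 5
# NOTE: make someone who is bothering us wait five seconds.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname
# NOTE: could nevertheless be useful against spam
    permit
smtpd_milters =
smtpd_peername_lookup = yes
# NOTE: required by postgrey
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
#    reject_invalid_hostname
# NOTE: postfix < 2.3; see reject_invalid_helo_hostname in smtpd_helo_restrictions
    reject_unknown_recipient_domain
#    reject_non_fqdn_sender
# NOTE: in smtpd_sender_restrictions
    reject_unauth_pipelining
# NOTE: in smtpd_client_restrictions or smtpd_data_restrictions
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unverified_recipient
# NOTE: $fallback_transport vouches for the recipient's existence
# WARNING: verify(8) keeps a cache; when verify(8) is stopped it can be inspected with:
#    postmap -s btree:/var/lib/postfix/verify_cache
    reject_unauth_destination
# NOTE: do not go through SPFCheck / Postgrey if the mail is not for us or for someone we are backup MX for
    check_policy_service unix:private/spfcheck
    check_policy_service unix:postgrey/socket
# NOTE: Postgrey (greylisting)
    permit_auth_destination
# NOTE: once Postgrey has been passed, accept what is addressed to us (see permit_auth_destination); probably redundant
    reject
#    reject_unknown_sender_domain
# NOTE: probably better in smtpd_sender_restrictions
#    reject_rbl_client bl.spamcop.net
#    reject_rbl_client list.dsbl.org
#    reject_rbl_client zen.spamhaus.org
#    reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
#    reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
# NOTE: no SASL AUTH without TLS
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
# NOTE(review): with smtpd_tls_security_level = may, a peer that shares no
# "high" cipher falls back to plaintext instead of being rejected; Postfix's
# default for opportunistic TLS is "medium" for that reason -- confirm the
# trade-off is intended.
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE: exclusion form, matching smtp_tls_protocols above. The previous
# inclusion form "TLSv1" named exactly one protocol and therefore limited
# mandatory TLS to TLS 1.0, excluding TLS 1.1 and 1.2.
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
#     Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
#     encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
#     SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
# NOTE: this stops mail from poorly written software.
#sympa_destination_recipient_limit = 1
#sympabounce_destination_recipient_limit = 1
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) advises against changing this
#tls_random_bytes = 32
#tls_random_exchange_name = $data_directory/prng_exch
# NOTE: must not be placed inside the chroot jail
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
#tls_random_source = dev:/dev/urandom
# NOTE: non-blocking
transport_maps =
    hash:/etc/postfix/$mydomain/transport
    hash:/etc/dovecot/transport
    regexp:/etc/sympa/transport
virtual_alias_domains =
    chatperche.org
    cyclocoop.org
    lesjantesdunord.org
    ptitvelo.net
    sympa.etudesetchantiers.org
    sympa.velosenville.org
    sympa.vieuxbiclou.org
    veli-velo.org
    wiklou.org
virtual_alias_maps =
    hash:/etc/postfix/$mydomain/virtual_alias
    hash:/etc/postfix/chatperche.org/virtual_alias
    hash:/etc/postfix/cyclocoop.org/virtual_alias
    hash:/etc/postfix/lesjantesdunord.org/virtual_alias
    hash:/etc/postfix/ptitvelo.net/virtual_alias
    hash:/etc/postfix/sympa.etudesetchantiers.org/virtual_alias
    hash:/etc/postfix/veli-velo.org/virtual_alias
    hash:/etc/postfix/wiklou.org/virtual_alias
    hash:/etc/mail/dovecot/virtual_alias
    regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
unverified_recipient_reject_code = 550
# NOTE: immediately rejects what $fallback_transport refuses. This code is
# used only when the probe definitely fails; an undecided probe still gets
# the temporary code from unverified_recipient_defer_code.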