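# DOC: http://postfix.traduc.org/index.php/TLS_README.html
#
# Postfix main.cf. Syntax reminder: "#" starts a comment only at the
# beginning of a line (never after a value), and a line that begins with
# whitespace continues the previous logical line.

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
# NOTE: appending .domain is the MUA's job.
append_dot_mydomain = no
# NOTE: no console notification when new mail arrives.
biff = no
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
# NOTE: uncomment the next line to generate "delayed mail" warnings.
#delay_warning_time = 4h
duplicate_filter_limit = 5000
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
# NOTE: "all" to activate IPv6.
inet_protocols = ipv4
line_length_limit = 2048
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
# NOTE: add [::1]/128 here once inet_protocols includes ipv6. This note has
# to stay on its own line: a "#" written after the value is not a comment in
# main.cf, and everything after it becomes part of the mynetworks value.
# (The trusted networks are unchanged: only 127.0.0.0/8 could ever match.)
mynetworks = 127.0.0.0/8
nested_header_checks =
non_smtpd_milters =
# NOTE: empty, so no parameter treats a parent domain as matching its
# subdomains; the commented names below are the stock default list.
parent_domain_matches_subdomains =
#    debug_peer_list
#    fast_flush_domains
#    mynetworks
#    permit_mx_backup_networks
#    qmqpd_authorized_clients
#    smtpd_access_maps
permit_mx_backup_networks =
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
#     Do not try to reject unknown recipients (SMTP server only).
#     This is typically specified AFTER an external content filter.
# no_address_mappings
#     Disable canonical address mapping, virtual alias map expansion,
#     address masquerading, and automatic BCC (blind carbon-copy) recipients.
#     This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
#     Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
#     Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
# NOTE: separator between the user name and address extensions.
recipient_delimiter = +
#relayhost =
# NOTE: consulted by permit_tls_clientcerts (fingerprints computed with
# smtpd_tls_fingerprint_digest).
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
# NOTE: add the domains we are backup MX for here, not in mydestination or
# virtual_alias...
relay_domains = $mydestination
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
# NOTE: no client-side trust anchors are configured, so a policy-map entry at
# level verify or secure would have no CA to validate the server certificate
# against; only encrypt and fingerprint levels work as configured.
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
# NOTE: weaker than the sha512 used by smtpd_tls_fingerprint_digest below.
# Any fingerprint entries in smtp_tls_policy_maps were computed with this
# digest, so change the digest and recompute the map together, not here alone.
smtp_tls_fingerprint_digest = sha1
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
# NOTE: same exclusions as smtp_tls_protocols, so a policy-map entry that
# demands TLS cannot negotiate SSLv2/SSLv3 whatever the version default is.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
# NOTE: only allow TLSv*
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
# NOTE: useful for testing the restrictions. Keep it to localhost: XCLIENT
# lets the listed hosts override the client identity the restrictions see.
smtpd_authorized_xclient_hosts = 127.0.0.1
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
# NOTE: forces the remote SMTP client to wait until we have said OK.
    reject_unauth_pipelining
    permit
# NOTE: mail clients that try opportunistic encryption get an error when they
# attempt STARTTLS. Hiding the keyword also means inbound MTA-to-MTA traffic
# on this service stays in cleartext, and with smtpd_tls_auth_only = yes AUTH
# is never offered here either; a submission service in master.cf would have
# to override both (not visible from this file).
smtpd_discard_ehlo_keywords = starttls
#smtpd_end_of_data_restrictions =
# NOTE: make anyone who is bothering us wait five seconds.
smtpd_error_sleep_time = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
# NOTE: could nevertheless be useful against spam.
#    reject_unknown_helo_hostname
    permit
smtpd_milters =
# NOTE: required by postgrey.
smtpd_peername_lookup = yes
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
# NOTE: Postfix < 2.3 name; see reject_invalid_helo_hostname in
# smtpd_helo_restrictions.
#    reject_invalid_hostname
    reject_unknown_recipient_domain
# NOTE: in smtpd_sender_restrictions.
#    reject_non_fqdn_sender
# NOTE: also in smtpd_client_restrictions or smtpd_data_restrictions.
    reject_unauth_pipelining
    permit_mynetworks
# NOTE: only effective where smtpd_tls_ask_ccert = yes; it is "no" below, so
# this matches nothing unless a master.cf service overrides it.
    permit_tls_clientcerts
    permit_sasl_authenticated
# NOTE: skip SPFCheck / Postgrey when the mail is neither for us nor for a
# domain we act as backup MX for.
    reject_unauth_destination
# NOTE: Postgrey (greylisting).
    check_policy_service unix:/run/postgrey/socket
    check_policy_service unix:private/spfcheck
# NOTE: once Postgrey has been passed, accept what is addressed to us (see
# permit_auth_destination); probably redundant.
    permit_auth_destination
    reject
# NOTE: probably better in smtpd_sender_restrictions.
#    reject_unknown_sender_domain
#    reject_rbl_client bl.spamcop.net
#    reject_rbl_client list.dsbl.org
#    reject_rbl_client zen.spamhaus.org
#    reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
# NOTE: local, certificate-authenticated and SASL-authenticated senders
# bypass the sender access map and the syntax checks that follow them.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
#    reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/
# NOTE: "no" means client certificates are never requested, so
# permit_tls_clientcerts and relay_clientcerts have no effect on this service.
smtpd_tls_ask_ccert = no
# NOTE: no SASL AUTH without TLS.
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# NOTE: a bare version list is inclusive, so "TLSv1" would restrict mandatory
# TLS to TLSv1.0 only; excluding SSLv2/SSLv3 instead keeps every TLS version
# the build supports, consistent with smtp_tls_protocols. Only consulted once
# smtpd_tls_security_level is raised above "may".
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE: protocols for opportunistic TLS (security_level = may); the build's
# default may still allow SSLv2/SSLv3 on older Postfix, so exclude them here.
smtpd_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
# Postfix 2.3 and later. Alternative value "encrypt": mandatory TLS
# encryption, i.e. announce STARTTLS support to SMTP clients and require that
# clients use TLS encryption. According to RFC 2487 this MUST NOT be applied
# in case of a publicly-referenced SMTP server. Instead, this option should be
# used only on dedicated servers.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
# NOTE: postconf(5) advises against changing this.
#tls_high_cipherlist = AES256-SHA
#tls_random_bytes = 32
# NOTE: must not be placed inside the chroot jail.
#tls_random_exchange_name = ${data_directory}/prng_exch
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
# NOTE: non-blocking.
#tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/$mydomain/transport
#virtual_alias_domains =
virtual_alias_maps =
    hash:/etc/postfix/$mydomain/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.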