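# main.cf - Postfix MTA configuration (syntax: postconf(5)).
# A logical line is "name = value"; a physical line that starts with
# whitespace continues the previous logical line, and a line whose first
# non-blank character is "#" is a comment wherever it appears.  Indentation
# is therefore significant: a column-0 line always starts a new logical line,
# so list values and the notes placed between them below are indented.
# DOC: http://postfix.traduc.org/index.php/TLS_README.html

alias_database =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
alias_maps =
    hash:/etc/postfix/aliases
    hash:/etc/mail/sympa/aliases
append_dot_mydomain = no
# NOTE: appending .domain is the MUA's job.
biff = no
# NOTE: no console notification when new mail arrives.
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
disable_vrfy_command = yes
# NOTE: this stops some techniques used to harvest email addresses.
duplicate_filter_limit = 5000
fallback_transport = lmtp:unix:private/dovecot-lmtp
# NOTE: hands recipients in $mydestination that do not exist locally over to dovecot
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
inet_protocols = ipv4
# NOTE: "all" to activate IPv6
line_length_limit = 2048
local_recipient_maps =
# NOTE: lets $fallback_transport check that the recipient exists
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
mynetworks = 127.0.0.0/8
    #[::1]/128
nested_header_checks =
non_smtpd_milters =
# NOTE: left empty on purpose - a bare domain name in the lists below then
# matches only itself, and ".domain" is needed to match subdomains.
parent_domain_matches_subdomains =
    #debug_peer_list
    #fast_flush_domains
    #mynetworks
    #permit_mx_backup_networks
    #qmqpd_authorized_clients
    #smtpd_access_maps
permit_mx_backup_networks =
policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
recipient_delimiter = +
# NOTE: separator between the user name and address extensions.
#relayhost =
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
relay_domains =
    $mydestination
    # NOTE: add the domains we are backup MX for here, not in mydestination or virtual_alias...
relay_recipient_maps =
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
smtp_tls_fingerprint_digest = sha1
# NOTE(review): the outbound policy table (smtp_tls_policy_maps) pins server
# certificates by SHA-1 fingerprint; sha256 is the preferable digest today.
# Changing this requires re-recording every fingerprint in that table with
# the new digest at the same time, or those policies stop matching.
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
smtp_tls_protocols = !SSLv2, !SSLv3
# NOTE: only allow TLSv*
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: useful for testing the restrictions
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
    reject_unauth_pipelining
    # NOTE: forces the remote SMTP client to wait until it has been told OK
    permit
smtpd_discard_ehlo_keywords = starttls
# NOTE: mail clients that try opportunistic encryption get an error when they attempt STARTTLS
# NOTE(review): this applies to every smtpd(8) instance that reads this
# main.cf.  Together with smtpd_tls_auth_only = yes below it means neither
# STARTTLS nor AUTH is offered on those instances, i.e. inbound opportunistic
# TLS is effectively switched off - presumably a submission service in
# master.cf overrides it with "-o smtpd_discard_ehlo_keywords="; confirm.
#smtpd_end_of_data_restrictions =
smtpd_error_sleep_time = 5
# NOTE: make anyone who is pestering us wait five seconds.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    #reject_unknown_helo_hostname
    # NOTE: could nonetheless be useful in the fight against spam
    permit
smtpd_milters =
smtpd_peername_lookup = yes
# NOTE: required by postgrey
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    #reject_invalid_hostname
    # NOTE: postfix < 2.3; see reject_invalid_helo_hostname in smtpd_helo_restrictions
    reject_unknown_recipient_domain
    #reject_non_fqdn_sender
    # NOTE: in smtpd_sender_restrictions
    reject_unauth_pipelining
    # NOTE: in smtpd_client_restrictions or smtpd_data_restrictions
    permit_mynetworks
    permit_tls_clientcerts
    # NOTE(review): permit_tls_clientcerts only matches when the server has
    # asked for and verified a client certificate; smtpd_tls_ask_ccert = no
    # below means none is requested, so this entry (here and in
    # smtpd_sender_restrictions) and the relay_clientcerts table cannot take
    # effect unless a master.cf service sets smtpd_tls_ask_ccert = yes - confirm.
    permit_sasl_authenticated
    reject_unverified_recipient
    # NOTE: $fallback_transport vouches for the recipient's existence
    # NOTE(review): evaluated before reject_unauth_destination, so an
    # unauthenticated client naming a recipient in a non-local domain triggers
    # an outbound address-verification probe before the relay attempt is
    # refused.  The ADDRESS_VERIFICATION_README example places
    # reject_unverified_recipient after reject_unauth_destination; consider
    # swapping the two.
    reject_unauth_destination
    # NOTE: do not go through SPFCheck / Postgrey if the mail is not for us or for someone we act as backup MX for
    check_policy_service unix:private/spfcheck
    check_policy_service unix:postgrey/socket
    # NOTE: Postgrey (greylisting)
    permit_auth_destination
    # NOTE: once Postgrey has passed, accept what is addressed to us (see permit_auth_destination); probably redundant
    reject
    #reject_unknown_sender_domain
    # NOTE: probably better in smtpd_sender_restrictions
    #reject_rbl_client bl.spamcop.net
    #reject_rbl_client list.dsbl.org
    #reject_rbl_client zen.spamhaus.org
    #reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
    #reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
# NOTE: no SASL AUTH without TLS
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1
# NOTE(review): a protocol name without "!" is an inclusion list, so only
# TLS 1.0 is accepted wherever TLS is mandatory (e.g. a service running with
# smtpd_tls_security_level = encrypt).  An exclusion list such as
# "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" keeps newer versions usable; note also
# that smtpd_tls_protocols (the opportunistic counterpart) is not set here,
# whereas smtp_tls_protocols above already excludes SSLv2/SSLv3.
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
# NOTE: this stops mail from poorly written software.
sympa_destination_recipient_limit = 1
sympabounce_destination_recipient_limit = 1
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) advises against changing this
#tls_random_bytes = 32
#tls_random_exchange_name = $data_directory/prng_exch
# NOTE: must not be placed inside the chroot jail
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
#tls_random_source = dev:/dev/urandom
# NOTE: non-blocking
transport_maps =
    hash:/etc/postfix/$mydomain/transport
    hash:/etc/dovecot/transport
    regexp:/etc/sympa/transport
virtual_alias_domains =
    cyclocoop.org
    ptitvelo.net
virtual_alias_maps =
    hash:/etc/postfix/$mydomain/virtual_alias
    hash:/etc/postfix/cyclocoop.org/virtual_alias
    hash:/etc/postfix/ptitvelo.net/virtual_alias
    hash:/etc/mail/dovecot/virtual_alias
    regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
unverified_recipient_reject_code = 550
# NOTE: immediately rejects what $fallback_transport refuses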