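# DOC: http://postfix.traduc.org/index.php/TLS_README.html
#
# Postfix main.cf (postconf(5) syntax):
#   - one "parameter = value" per logical line; a line starting with whitespace
#     continues the previous value;
#   - a line whose first non-blank character is "#" is a comment. Postfix has no
#     inline comments, so every note lives on its own line above (or, inside a
#     multi-line restriction list, next to) the value it describes.
# Per-domain tables live under /etc/postfix/$mydomain/; $fallback_transport
# (Dovecot LMTP) is the authority on which local recipients exist.

alias_database = hash:/etc/postfix/aliases hash:/etc/mail/sympa/aliases
alias_maps = hash:/etc/postfix/aliases hash:/etc/mail/sympa/aliases
# NOTE: appending .domain is the MUA's job.
append_dot_mydomain = no
# NOTE: no console notification when new mail arrives.
biff = no
body_checks =
#content_filter = amavisfeed:[127.0.0.1]:10024
#debug_peer_level = 4
#debug_peer_list = .$myhostname
default_extra_recipient_limit = 5000
# NOTE: uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# NOTE: this stops some techniques used to harvest email addresses.
disable_vrfy_command = yes
duplicate_filter_limit = 5000
# NOTE: hands $mydestination recipients that do not exist locally over to Dovecot
fallback_transport = lmtp:unix:private/dovecot-lmtp
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension},
    $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
# NOTE: "all" to activate IPv6
inet_protocols = ipv4
line_length_limit = 2048
# NOTE: left empty so that $fallback_transport checks whether the recipient exists
local_recipient_maps =
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 5d
# bytes
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
mynetworks = 127.0.0.0/8
#    [::1]/128
nested_header_checks =
non_smtpd_milters =
parent_domain_matches_subdomains =
#    debug_peer_list
#    fast_flush_domains
#    mynetworks
#    permit_mx_backup_networks
#    qmqpd_authorized_clients
#    smtpd_access_maps
permit_mx_backup_networks =
#policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual, alias
queue_minfree = 0
readme_directory = no
#receive_override_options = no_address_mappings
# receive_override_options values:
#   no_unknown_recipient_checks
#       Do not try to reject unknown recipients (SMTP server only).
#       This is typically specified AFTER an external content filter.
#   no_address_mappings
#       Disable canonical address mapping, virtual alias map expansion,
#       address masquerading, and automatic BCC (blind carbon-copy) recipients.
#       This is typically specified BEFORE an external content filter (eg. amavis).
#   no_header_body_checks
#       Disable header/body_checks. This is typically specified AFTER an external content filter.
#   no_milters
#       Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
# NOTE: separator between the user name and address extensions.
recipient_delimiter = +
#relayhost =
# NOTE(review): this map (and permit_tls_clientcerts below) only takes effect when
# smtpd_tls_ask_ccert = yes; with the current smtpd_tls_ask_ccert = no no client
# certificate is ever requested, so it is inert — confirm whether a master.cf
# service overrides smtpd_tls_ask_ccert.
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
# NOTE: add the domains we are backup MX for here, not in mydestination or virtual_alias...
relay_domains = $mydestination
relay_recipient_maps =
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
smtp_mime_header_checks =
smtp_nested_header_checks =
#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
# NOTE(review): sha1 is a weak digest for certificate pinning; the "fingerprint"
# entries in $smtp_tls_policy_maps are keyed on it, so switching to sha256 means
# re-computing those entries at the same time — left unchanged here.
smtp_tls_fingerprint_digest = sha1
#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
smtp_tls_loglevel = 1
#smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
# NOTE: only allow TLSv* (exclusion form: newer TLS versions are admitted automatically)
# NOTE(review): TLSv1.0/1.1 remain allowed; adding "!TLSv1, !TLSv1.1" depends on
# what the peers this host sends to support.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
# NOTE: useful for testing the restrictions
# NOTE(review): any local process may then use XCLIENT to override the client
# attributes (name, address, helo, login) seen by the restrictions; keep this
# list to hosts that are fully trusted.
smtpd_authorized_xclient_hosts = 127.0.0.1
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 50
# 0 = no limit for the per-client rate limits below
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions = check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
smtpd_data_restrictions =
    # NOTE: forces the remote SMTP client to wait until we have said OK
    reject_unauth_pipelining
    permit
# NOTE: mail clients attempting opportunistic encryption get an error when they try STARTTLS
# NOTE(review): with STARTTLS absent from this service's EHLO reply, remote MTAs
# that only try TLS when it is advertised deliver to us in cleartext, and with
# smtpd_tls_auth_only = yes no AUTH is reachable on this service either;
# presumably a submission service in master.cf overrides
# smtpd_discard_ehlo_keywords — confirm.
smtpd_discard_ehlo_keywords = starttls
#smtpd_end_of_data_restrictions =
# NOTE: make whoever bothers us wait five seconds (seconds).
smtpd_error_sleep_time = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    # NOTE: could nevertheless be useful against spam
    #reject_unknown_helo_hostname
    permit
smtpd_milters =
# NOTE: needed for postgrey
smtpd_peername_lookup = yes
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    # NOTE: postfix < 2.3; see reject_invalid_helo_hostname in smtpd_helo_restrictions
    #reject_invalid_hostname
    reject_unknown_recipient_domain
    # NOTE: in smtpd_sender_restrictions
    #reject_non_fqdn_sender
    # NOTE: also in smtpd_client_restrictions or smtpd_data_restrictions
    reject_unauth_pipelining
    permit_mynetworks
    # NOTE(review): inert while smtpd_tls_ask_ccert = no (see relay_clientcerts)
    permit_tls_clientcerts
    permit_sasl_authenticated
    # NOTE: do not go through SPFCheck / Postgrey (nor address verification, below)
    # if the mail is not for us or for someone we act as backup MX for.
    # Placed BEFORE reject_unverified_recipient so that verify(8) only probes
    # recipients we are responsible for, instead of sending a probe for any
    # relay attempt by an unauthenticated client.
    reject_unauth_destination
    # NOTE: $fallback_transport vouches for the recipient's existence
    # WARNING: verify(8) keeps a cache, which can be inspected as follows while verify(8) is stopped:
    # postmap -s btree:/var/lib/postfix/verify_cache
    reject_unverified_recipient
    check_policy_service unix:private/spfcheck
    # NOTE: Postgrey (greylisting)
    check_policy_service unix:postgrey/socket
    # NOTE: once Postgrey is passed, accept what is destined to us (see permit_auth_destination); probably redundant
    permit_auth_destination
    reject
    # NOTE: probably better in smtpd_sender_restrictions
    #reject_unknown_sender_domain
    #reject_rbl_client bl.spamcop.net
    #reject_rbl_client list.dsbl.org
    #reject_rbl_client zen.spamhaus.org
    #reject_rbl_client dnsbl.sorbs.net
#smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
    permit_mynetworks
    # NOTE(review): inert while smtpd_tls_ask_ccert = no (see relay_clientcerts)
    permit_tls_clientcerts
    # NOTE(review): an authenticated user may use any envelope sender; tying
    # logins to addresses needs smtpd_sender_login_maps + reject_sender_login_mismatch
    # ahead of this entry — decide whether that matters for this site.
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
    reject_unauth_pipelining
    reject_non_fqdn_sender
    #reject_unknown_sender_domain
    permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
smtpd_tls_ask_ccert = no
# NOTE: no SASL AUTH without TLS
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# Only consulted when smtpd_tls_security_level is "encrypt" or stronger.
# Written in the exclusion form, like smtp_tls_protocols above: the former
# inclusion form "TLSv1" admitted TLSv1.0 only and would have silently refused
# TLSv1.1/1.2 clients the moment mandatory TLS was enabled.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
# Postfix 2.3 and later
# encrypt
#   Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
#   encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
#   SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
# NOTE: this stops mail from poorly written software.
strict_rfc821_envelopes = yes
#sympa_destination_recipient_limit = 1
#sympabounce_destination_recipient_limit = 1
# NOTE: postconf(5) advises against changing this
#tls_high_cipherlist = AES256-SHA
#tls_random_bytes = 32
# NOTE: must not be inside the chroot jail
#tls_random_exchange_name = $data_directory/prng_exch
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
# NOTE: non-blocking
#tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/$mydomain/transport
    hash:/etc/dovecot/transport
    regexp:/etc/sympa/transport
virtual_alias_domains = chatperche.org
    cyclocoop.org
    lesjantesdunord.org
    ptitvelo.net
    sympa.etudesetchantiers.org
    veli-velo.org
    wiklou.org
virtual_alias_maps = hash:/etc/postfix/$mydomain/virtual_alias
    hash:/etc/postfix/chatperche.org/virtual_alias
    hash:/etc/postfix/cyclocoop.org/virtual_alias
    hash:/etc/postfix/lesjantesdunord.org/virtual_alias
    hash:/etc/postfix/ptitvelo.net/virtual_alias
    hash:/etc/postfix/sympa.etudesetchantiers.org/virtual_alias
    hash:/etc/postfix/veli-velo.org/virtual_alias
    hash:/etc/postfix/wiklou.org/virtual_alias
    hash:/etc/mail/dovecot/virtual_alias
    regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
# NOTE: immediately rejects what $fallback_transport refuses
unverified_recipient_reject_code = 550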