# DOC: http://postfix.traduc.org/index.php/TLS_README.html
-alias_database = hash:/etc/aliases
- # NOTE: fichier de hash contenant une table d’alias mail.
- # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
- # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
-alias_maps = hash:/etc/aliases
+alias_database =
+ hash:/etc/postfix/aliases
+ hash:/etc/mail/sympa/aliases
+alias_maps =
+ hash:/etc/postfix/aliases
+ hash:/etc/mail/sympa/aliases
append_dot_mydomain = no
# NOTE: appending .domain is the MUA's job.
biff = no
default_extra_recipient_limit = 5000
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
+disable_vrfy_command = yes
+ # NOTE: this stops some techniques used to harvest email addresses.
duplicate_filter_limit = 5000
+fallback_transport = lmtp:unix:private/dovecot-lmtp
+ # NOTE: passe à dovecot les destinataires de $mydestination qui n'existent pas
forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
header_checks = regexp:/etc/postfix/$mydomain/header_checks
inet_interfaces = all
inet_protocols = ipv4
# NOTE: "all" to activate IPv6
line_length_limit = 2048
+local_recipient_maps =
+ # NOTE: laisse $fallback_transport vérifier l'existence du destinaire
#local_header_rewrite_clients =
mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
mailbox_size_limit = 0
+masquerade_classes = envelope_sender, header_sender, header_recipient
+masquerade_domains =
+masquerade_exceptions = root
maximal_queue_lifetime = 5d
message_size_limit = 20480000
mime_header_checks =
milter_header_checks =
-mynetworks = 127.0.0.0/8 #, [::1]/128
-non_smtpd_milters =
+mynetworks = 127.0.0.0/8
+ #[::1]/128
nested_header_checks =
+non_smtpd_milters =
parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#qmqpd_authorized_clients
#smtpd_access_maps
permit_mx_backup_networks =
+policy-spf_time_limit = 3600s
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 0
readme_directory = no
# NOTE: séparateur entre le nom d’utilisateur et les extensions d’adresse.
#relayhost =
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
-relay_domains = $mydestination
+relay_domains =
+ $mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias...
smtp_body_checks =
#smtp_cname_overrides_servername = no
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
#smtp_tls_verify_cert_match = hostname
smtpd_authorized_xclient_hosts = 127.0.0.1
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
+ reject_unverified_recipient
+ # NOTE: $fallback_transport est garant de l'existence du destinataire
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
- check_policy_service inet:127.0.0.1:10023
- # NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
+ check_policy_service unix:postgrey/socket
+ # NOTE: Postgrey (greylisting)
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
reject
permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
-smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem
-smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/
+smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
+smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
# NOTE: pas d'AUTH SASL sans TLS
smtpd_tls_ccert_verifydepth = 5
-smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem
+smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
-smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem
+smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
+ # NOTE: this stops mail from poorly written software.
+sympa_destination_recipient_limit = 1
+sympabounce_destination_recipient_limit = 1
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci
#tls_random_bytes = 32
-#tls_random_exchange_name = ${data_directory}/prng_exch
+#tls_random_exchange_name = $data_directory/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_prng_update_period = 3600s
#tls_random_reseed_period = 3600s
#tls_random_source = dev:/dev/urandom
# NOTE: non-blocking
-transport_maps = hash:/etc/postfix/$mydomain/transport
-#virtual_alias_domains =
+transport_maps =
+ hash:/etc/postfix/$mydomain/transport
+ hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet
+ hash:/etc/dovecot/transport
+ regexp:/etc/sympa/transport
+virtual_alias_domains =
+ cyclocoop.org
virtual_alias_maps =
hash:/etc/postfix/$mydomain/virtual_alias
+ hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet
+ hash:/etc/postfix/cyclocoop.org/virtual_alias
+ hash:/etc/mail/dovecot/virtual_alias
+ regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
+unverified_recipient_reject_code = 550
+ # NOTE: rejette immédiatement ce que $fallback_transport refuse
dépôts / lhc / ateliers.git / blobdiff