dépôts / lhc / ateliers.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Ajout : roundcube.
[lhc/ateliers.git] / etc / postfix / main.cf
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index b5d3da3..1b24e31 100644 (file)
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -17,16 +17,25 @@ body_checks =
 default_extra_recipient_limit = 5000
 #delay_warning_time = 4h
        # NOTE: uncomment the previous line to generate "delayed mail" warnings
+disable_vrfy_command = yes
+       # NOTE: this stops some techniques used to harvest email addresses.
 duplicate_filter_limit = 5000
+fallback_transport = lmtp:unix:private/dovecot-lmtp
+       # NOTE: passe à dovecot les destinataires de $mydestination qui n'existent pas
 forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
 header_checks = regexp:/etc/postfix/$mydomain/header_checks
 inet_interfaces = all
 inet_protocols = ipv4
        # NOTE: "all" to activate IPv6
 line_length_limit = 2048
+local_recipient_maps =
+       # NOTE: laisse $fallback_transport vérifier l'existence du destinaire
 #local_header_rewrite_clients =
 mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
 mailbox_size_limit = 0
+masquerade_classes = envelope_sender, header_sender, header_recipient
+masquerade_domains =
+masquerade_exceptions = root
 maximal_queue_lifetime = 5d
 message_size_limit = 20480000
 mime_header_checks =
@@ -43,6 +52,7 @@ parent_domain_matches_subdomains =
        #qmqpd_authorized_clients
        #smtpd_access_maps
 permit_mx_backup_networks =
+policy-spf_time_limit = 3600s
 propagate_unmatched_extensions = canonical, virtual
 queue_minfree = 0
 readme_directory = no
@@ -84,7 +94,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_scert_verifydepth = 5
 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
 smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 #smtp_tls_session_cache_timeout = 3600s
 #smtp_tls_verify_cert_match = hostname
 smtpd_authorized_xclient_hosts = 127.0.0.1
@@ -132,11 +142,13 @@ smtpd_recipient_restrictions =
        permit_mynetworks
        permit_tls_clientcerts
        permit_sasl_authenticated
+       reject_unverified_recipient
+               # NOTE: $fallback_transport est garant de l'existence du destinataire
        reject_unauth_destination
                # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
+       check_policy_service unix:private/spfcheck
        check_policy_service unix:postgrey/socket
                # NOTE: Postgrey (greylisting)
-       check_policy_service unix:private/spfcheck
        permit_auth_destination
                # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
        reject
@@ -183,15 +195,16 @@ smtpd_tls_security_level = may
        #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
        #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
        #  SMTP server. Instead, this option should be used only on dedicated servers.
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 #smtpd_tls_session_cache_timeout = 3600s
 strict_rfc821_envelopes = yes
+       # NOTE: this stops mail from poorly written software.
 sympa_destination_recipient_limit = 1
 sympabounce_destination_recipient_limit = 1
 #tls_high_cipherlist = AES256-SHA
        # NOTE: postconf(5) déconseille de changer ceci
 #tls_random_bytes = 32
-#tls_random_exchange_name = ${data_directory}/prng_exch
+#tls_random_exchange_name = $data_directory/prng_exch
        # NOTE: à ne pas mettre dans la cage chroot
 #tls_random_prng_update_period = 3600s
 #tls_random_reseed_period = 3600s
@@ -200,12 +213,15 @@ sympabounce_destination_recipient_limit = 1
 transport_maps =
        hash:/etc/postfix/$mydomain/transport
        hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet
+       hash:/etc/dovecot/transport
        regexp:/etc/sympa/transport
-#virtual_alias_domains =
+virtual_alias_domains =
+       cyclocoop.org
 virtual_alias_maps =
        hash:/etc/postfix/$mydomain/virtual_alias
        hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet
        hash:/etc/postfix/cyclocoop.org/virtual_alias
+       hash:/etc/mail/dovecot/virtual_alias
        regexp:/etc/sympa/virtual_alias
        # NOTE: do not specify virtual alias domain names in  the  main.cf
        #       mydestination or relay_domains configuration parameters.
@@ -214,3 +230,5 @@ virtual_alias_maps =
        # accepts  mail  for  known-user@virtual-alias.domain,   and
        # rejects   mail  for  unknown-user@virtual-alias.domain  as
        # undeliverable.
+unverified_recipient_reject_code = 550
+       # NOTE: rejette immédiatement ce que $fallback_transport refuse
outils d'administration d'ateliers.heureux-cyclage.org