X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=etc%2Fpostfix%2Fmain.cf;h=1b24e31a74fbede710028a811730ae0d48efc379;hp=68b34a40f94e3b14cee37feace70dc2402a4a904;hb=b75d4503ef9c919231c0c02daf5a1ed1e57c73af;hpb=61ac98ca6513d9941d235c782a1d9a48977a27fd diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 68b34a4..1b24e31 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -1,7 +1,11 @@ # DOC: http://postfix.traduc.org/index.php/TLS_README.html -alias_database = hash:/etc/postfix/aliases -alias_maps = hash:/etc/postfix/aliases +alias_database = + hash:/etc/postfix/aliases + hash:/etc/mail/sympa/aliases +alias_maps = + hash:/etc/postfix/aliases + hash:/etc/mail/sympa/aliases append_dot_mydomain = no # NOTE: appending .domain is the MUA's job. biff = no @@ -13,21 +17,31 @@ body_checks = default_extra_recipient_limit = 5000 #delay_warning_time = 4h # NOTE: uncomment the previous line to generate "delayed mail" warnings +disable_vrfy_command = yes + # NOTE: this stops some techniques used to harvest email addresses. duplicate_filter_limit = 5000 +fallback_transport = lmtp:unix:private/dovecot-lmtp + # NOTE: passe à dovecot les destinataires de $mydestination qui n'existent pas forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward header_checks = regexp:/etc/postfix/$mydomain/header_checks inet_interfaces = all inet_protocols = ipv4 # NOTE: "all" to activate IPv6 line_length_limit = 2048 +local_recipient_maps = + # NOTE: laisse $fallback_transport vérifier l'existence du destinaire #local_header_rewrite_clients = mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc" mailbox_size_limit = 0 +masquerade_classes = envelope_sender, header_sender, header_recipient +masquerade_domains = +masquerade_exceptions = root maximal_queue_lifetime = 5d message_size_limit = 20480000 mime_header_checks = milter_header_checks = -mynetworks = 127.0.0.0/8 #, [::1]/128 +mynetworks = 127.0.0.0/8 + #[::1]/128 nested_header_checks = non_smtpd_milters = parent_domain_matches_subdomains = @@ -38,6 +52,7 @@ parent_domain_matches_subdomains = #qmqpd_authorized_clients #smtpd_access_maps permit_mx_backup_networks = +policy-spf_time_limit = 3600s propagate_unmatched_extensions = canonical, virtual queue_minfree = 0 readme_directory = no @@ -57,7 +72,8 @@ recipient_delimiter = + # NOTE: séparateur entre le nom d’utilisateur et les extensions d’adresse. #relayhost = relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts -relay_domains = $mydestination +relay_domains = + $mydestination # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias... smtp_body_checks = #smtp_cname_overrides_servername = no @@ -78,7 +94,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_scert_verifydepth = 5 #smtp_tls_secure_cert_match = nexthop, dot-nexthop smtp_tls_security_level = may -smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache +smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache #smtp_tls_session_cache_timeout = 3600s #smtp_tls_verify_cert_match = hostname smtpd_authorized_xclient_hosts = 127.0.0.1 @@ -126,11 +142,13 @@ smtpd_recipient_restrictions = permit_mynetworks permit_tls_clientcerts permit_sasl_authenticated + reject_unverified_recipient + # NOTE: $fallback_transport est garant de l'existence du destinataire reject_unauth_destination # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx - check_policy_service inet:127.0.0.1:10023 - # NOTE: Postgrey (greylisting) check_policy_service unix:private/spfcheck + check_policy_service unix:postgrey/socket + # NOTE: Postgrey (greylisting) permit_auth_destination # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant reject @@ -156,16 +174,16 @@ smtpd_sender_restrictions = permit smtpd_starttls_timeout = 300s #smtpd_tls_always_issue_session_ids = yes -smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem -smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/ +smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem +smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/ smtpd_tls_ask_ccert = no smtpd_tls_auth_only = yes # NOTE: pas d'AUTH SASL sans TLS smtpd_tls_ccert_verifydepth = 5 -smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem +smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem smtpd_tls_ciphers = high smtpd_tls_fingerprint_digest = sha512 -smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem +smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = TLSv1 @@ -177,22 +195,34 @@ smtpd_tls_security_level = may # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced # SMTP server. Instead, this option should be used only on dedicated servers. -smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache +smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache #smtpd_tls_session_cache_timeout = 3600s strict_rfc821_envelopes = yes + # NOTE: this stops mail from poorly written software. +sympa_destination_recipient_limit = 1 +sympabounce_destination_recipient_limit = 1 #tls_high_cipherlist = AES256-SHA # NOTE: postconf(5) déconseille de changer ceci #tls_random_bytes = 32 -#tls_random_exchange_name = ${data_directory}/prng_exch +#tls_random_exchange_name = $data_directory/prng_exch # NOTE: à ne pas mettre dans la cage chroot #tls_random_prng_update_period = 3600s #tls_random_reseed_period = 3600s #tls_random_source = dev:/dev/urandom # NOTE: non-blocking -transport_maps = hash:/etc/postfix/$mydomain/transport -#virtual_alias_domains = +transport_maps = + hash:/etc/postfix/$mydomain/transport + hash:/etc/postfix/$mydomain/transport-pending-transition-from-lautrenet + hash:/etc/dovecot/transport + regexp:/etc/sympa/transport +virtual_alias_domains = + cyclocoop.org virtual_alias_maps = hash:/etc/postfix/$mydomain/virtual_alias + hash:/etc/postfix/$mydomain/virtual_alias-pending-transition-from-lautrenet + hash:/etc/postfix/cyclocoop.org/virtual_alias + hash:/etc/mail/dovecot/virtual_alias + regexp:/etc/sympa/virtual_alias # NOTE: do not specify virtual alias domain names in the main.cf # mydestination or relay_domains configuration parameters. # @@ -200,3 +230,5 @@ virtual_alias_maps = # accepts mail for known-user@virtual-alias.domain, and # rejects mail for unknown-user@virtual-alias.domain as # undeliverable. +unverified_recipient_reject_code = 550 + # NOTE: rejette immédiatement ce que $fallback_transport refuse