X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=etc%2Fpostfix%2Fmain.cf;h=9423ae401668b3e67ced9a6355c2f8fceaf00fbf;hp=6325085ece2c3c32c2515714f35b5e4ac7502f00;hb=f9f97cade4c5d72e94c3c8b095f31b2b70e24af9;hpb=f1ea1df6ff4652bb89b232cb5fd5762c6fea4dcf
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index 6325085..9423ae4 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -17,21 +17,31 @@ body_checks =
 default_extra_recipient_limit = 5000
 #delay_warning_time = 4h
  # NOTE: uncomment the previous line to generate "delayed mail" warnings
+disable_vrfy_command = yes
+ # NOTE: this stops some techniques used to harvest email addresses.
 duplicate_filter_limit = 5000
+fallback_transport = lmtp:unix:private/dovecot-lmtp
+ # NOTE: passe à dovecot les destinataires de $mydestination qui n'existent pas
 forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
 header_checks = regexp:/etc/postfix/$mydomain/header_checks
 inet_interfaces = all
 inet_protocols = ipv4
  # NOTE: "all" to activate IPv6
 line_length_limit = 2048
+local_recipient_maps =
+ # NOTE: laisse $fallback_transport vérifier l'existence du destinaire
 #local_header_rewrite_clients =
 mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
 mailbox_size_limit = 0
+masquerade_classes = envelope_sender, header_sender, header_recipient
+masquerade_domains =
+masquerade_exceptions = root
 maximal_queue_lifetime = 5d
 message_size_limit = 20480000
 mime_header_checks =
 milter_header_checks =
-mynetworks = 127.0.0.0/8 #, [::1]/128
+mynetworks = 127.0.0.0/8
+ #[::1]/128
 nested_header_checks =
 non_smtpd_milters =
 parent_domain_matches_subdomains =
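Review bot: `masquerade_classes = envelope_sender, header_sender, header_recipient` and `masquerade_exceptions = root` are inert while `masquerade_domains =` is left empty, because masquerading only ever applies to domains listed in masquerade_domains. Either drop the two lines or record the intent above them, e.g. `# NOTE: masquerading is disabled until masquerade_domains is populated`. Separately, emptying `local_recipient_maps` makes the SMTP server accept any recipient in $mydestination at RCPT time, so delivery failures become bounces after acceptance unless a recipient-verification restriction runs first; the NOTE under it should name that dependency, e.g. `# NOTE: relies on reject_unverified_recipient in smtpd_recipient_restrictions; do not remove one without the other`.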
@@ -42,7 +52,8 @@ parent_domain_matches_subdomains =
  #qmqpd_authorized_clients
  #smtpd_access_maps
 permit_mx_backup_networks =
-propagate_unmatched_extensions = canonical, virtual
+#policy-spf_time_limit = 3600s
+propagate_unmatched_extensions = canonical, virtual, alias
 queue_minfree = 0
 readme_directory = no
 #receive_override_options = no_address_mappings
@@ -64,6 +75,7 @@ relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
 relay_domains = $mydestination
  # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias...
+relay_recipient_maps =
 smtp_body_checks =
 #smtp_cname_overrides_servername = no
 smtp_connect_timeout = 60s
@@ -83,7 +95,7 @@ smtp_tls_protocols = !SSLv2, !SSLv3
 smtp_tls_scert_verifydepth = 5
 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
 smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 #smtp_tls_session_cache_timeout = 3600s
 #smtp_tls_verify_cert_match = hostname
 smtpd_authorized_xclient_hosts = 127.0.0.1
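Review bot: The disabled `#policy-spf_time_limit = 3600s` names a master.cf service called `policy-spf`, whereas the SPF policy service this configuration actually calls is `unix:private/spfcheck`; the per-service form of the parameter for that service would be `spfcheck_time_limit`. master.cf is not part of this diff, so a `policy-spf` service may exist there, but as written the line documents a knob that may never take effect. A one-line `# NOTE:` stating why it is kept commented out would match the convention used for the other disabled settings in this file.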
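Review bot: `relay_recipient_maps =` is set to empty without the `# NOTE:` the surrounding lines carry, and the emptiness is security-relevant: with no map, Postfix accepts mail for every recipient of the backup-MX domains listed in $relay_domains at SMTP time, and undeliverable ones turn into bounces to forged senders unless the recipient is verified before acceptance. Since this commit relies on `reject_unverified_recipient` for that, say so next to the setting, e.g. `# NOTE: intentionally empty; reject_unverified_recipient probes the primary MX for relayed recipients`, so that the two settings are not changed independently later.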
@@ -131,11 +143,15 @@ smtpd_recipient_restrictions =
  permit_mynetworks
  permit_tls_clientcerts
  permit_sasl_authenticated
+ reject_unverified_recipient
+ # NOTE: $fallback_transport est garant de l'existence du destinataire
+ # ATTENTION: verify(8) tient un cache, consultable ainsi si verify(8) est stoppé :
+ # postmap -s btree:/var/lib/postfix/verify_cache
  reject_unauth_destination
  # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
- check_policy_service unix:/run/postgrey/socket
- # NOTE: Postgrey (greylisting)
  check_policy_service unix:private/spfcheck
+ check_policy_service unix:postgrey/socket
+ # NOTE: Postgrey (greylisting)
  permit_auth_destination
  # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
  reject
@@ -182,15 +198,16 @@ smtpd_tls_security_level = may
  # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
  # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
  # SMTP server. Instead, this option should be used only on dedicated servers.
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 #smtpd_tls_session_cache_timeout = 3600s
 strict_rfc821_envelopes = yes
-sympa_destination_recipient_limit = 1
-sympabounce_destination_recipient_limit = 1
+ # NOTE: this stops mail from poorly written software.
+#sympa_destination_recipient_limit = 1
+#sympabounce_destination_recipient_limit = 1
 #tls_high_cipherlist = AES256-SHA
  # NOTE: postconf(5) déconseille de changer ceci
 #tls_random_bytes = 32
-#tls_random_exchange_name = ${data_directory}/prng_exch
+#tls_random_exchange_name = $data_directory/prng_exch
  # NOTE: à ne pas mettre dans la cage chroot
 #tls_random_prng_update_period = 3600s
 #tls_random_reseed_period = 3600s
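Review bot: `reject_unverified_recipient` is inserted before `reject_unauth_destination`, so for an unauthenticated client the address-verification probe runs for every RCPT TO address, including addresses in domains this server does not accept mail for, and only afterwards is the recipient rejected as an unauthorized destination. The server then opens outbound connections to arbitrary remote MXs on behalf of any connecting client and fills the verify(8) cache with foreign addresses, which is why the Postfix ADDRESS_VERIFICATION_README places the restriction after `reject_unauth_destination`. This is moot only if smtpd_relay_restrictions (Postfix 2.10+) already blocks unauthorized destinations, and that parameter is not visible in this diff. Move the new line and its three NOTE lines so the order reads `reject_unauth_destination` then `reject_unverified_recipient`, still ahead of the two check_policy_service lines so unknown local recipients keep skipping SPF and Postgrey. The cache path in the ATTENTION note could be written `btree:$data_directory/verify_cache` to match the `$data_directory` substitutions made elsewhere in this commit.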
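Review bot: `#sympa_destination_recipient_limit = 1` and `#sympabounce_destination_recipient_limit = 1` are commented out rather than removed, with no `# NOTE:` explaining why the limits are no longer needed (moved to master.cf, or the transports now accept several recipients), unlike the other disabled lines in this file. Either delete them or add the one-line reason, e.g. `# NOTE: now set per service in master.cf` if that is the case, so the next reader can tell whether re-enabling them is safe.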
@@ -198,10 +215,28 @@ sympabounce_destination_recipient_limit = 1
  # NOTE: non-blocking
 transport_maps =
  hash:/etc/postfix/$mydomain/transport
+ hash:/etc/dovecot/transport
  regexp:/etc/sympa/transport
-#virtual_alias_domains =
+virtual_alias_domains =
+ chatperche.org
+ cyclocoop.org
+ lesjantesdunord.org
+ ptitvelo.net
+ sympa.etudesetchantiers.org
+ sympa.velosenville.org
+ sympa.vieuxbiclou.org
+ veli-velo.org
+ wiklou.org
 virtual_alias_maps =
  hash:/etc/postfix/$mydomain/virtual_alias
+ hash:/etc/postfix/chatperche.org/virtual_alias
+ hash:/etc/postfix/cyclocoop.org/virtual_alias
+ hash:/etc/postfix/lesjantesdunord.org/virtual_alias
+ hash:/etc/postfix/ptitvelo.net/virtual_alias
+ hash:/etc/postfix/sympa.etudesetchantiers.org/virtual_alias
+ hash:/etc/postfix/veli-velo.org/virtual_alias
+ hash:/etc/postfix/wiklou.org/virtual_alias
+ hash:/etc/mail/dovecot/virtual_alias
  regexp:/etc/sympa/virtual_alias
  # NOTE: do not specify virtual alias domain names in the main.cf
  # mydestination or relay_domains configuration parameters.
@@ -210,3 +245,5 @@ virtual_alias_maps =
  # accepts mail for known-user@virtual-alias.domain, and
  # rejects mail for unknown-user@virtual-alias.domain as
  # undeliverable.
+unverified_recipient_reject_code = 550
+ # NOTE: rejette immédiatement ce que $fallback_transport refuse
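Review bot: Two of the new `virtual_alias_domains` entries, `sympa.velosenville.org` and `sympa.vieuxbiclou.org`, have no matching `hash:/etc/postfix/<domain>/virtual_alias` map in `virtual_alias_maps`, so every address in those two domains must be produced by `regexp:/etc/sympa/virtual_alias` or Postfix rejects it as an unknown user, exactly as the quoted NOTE describes. If that is intended, a comment such as `# NOTE: sympa.velosenville.org and sympa.vieuxbiclou.org are resolved by the Sympa regexp map only` would make the asymmetry deliberate rather than look like a forgotten map. The Dovecot files are referenced from two different trees, `hash:/etc/dovecot/transport` and `hash:/etc/mail/dovecot/virtual_alias`; neither file is in this diff, so this may be correct, but one of the two paths is worth confirming.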
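Review bot: `unverified_recipient_reject_code = 550` is appended after the virtual_alias_maps block, which breaks the alphabetical ordering the rest of main.cf follows; it belongs between `transport_maps` and `virtual_alias_domains`. The NOTE attributes the rejection to `$fallback_transport` alone, but this code is returned for every recipient that a `reject_unverified_recipient` probe reports as unknown, including relayed recipients probed against their primary MX; suggest `# NOTE: final 5xx for any recipient the verify(8) probe reports as unknown (local via $fallback_transport, relayed via the primary MX)`. postconf(5) advises 550 over the default 450 only when probe results are reliable, i.e. when probes are issued only for recipients this server would otherwise accept.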