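# Postfix main.cf, rendered from this Jinja template: every occurrence of
# {{ config.mail_domain }} is replaced with the relay's mail domain.
# Postfix accepts both "key = value" and "key=value"; this file uses
# "key = value" throughout. Restriction lists are comma-separated.

myorigin = {{ config.mail_domain }}

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.6

# TLS parameters
#
# Server side (smtpd_*): certificate and key are taken from the ACME
# live directory of the mail domain. "may" is opportunistic TLS: STARTTLS
# is offered to connecting MTAs, but plaintext is still accepted, as is
# usual for an MX that must receive from arbitrary senders.
smtpd_tls_cert_file = /var/lib/acme/live/{{ config.mail_domain }}/fullchain
smtpd_tls_key_file = /var/lib/acme/live/{{ config.mail_domain }}/privkey
smtpd_tls_security_level = may

# Client side (smtp_*): opportunistic TLS by default; per-destination
# policy comes from the socketmap below. The socketmap is presumably
# answered by a local MTA-STS policy resolver on 127.0.0.1:8461, which is
# not part of this file - confirm against the service that provides it.
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix

# Inbound connections must negotiate TLS 1.2 or newer. smtp_tls_protocols
# (outbound) is not set here, so the Postfix default applies; see the
# plaintext-fallback rationale below for why outbound is kept permissive.
smtpd_tls_protocols = >=TLSv1.2

# Disable anonymous cipher suites
# and known insecure algorithms.
#
# Disabling anonymous ciphers
# does not generally improve security
# because clients that want to verify certificate
# will not select them anyway,
# but makes cipher suite list shorter and security scanners happy.
# See <https://www.postfix.org/TLS_README.html> for discussion.
#
# Only ancient insecure ciphers should be disabled here
# as MTA clients that do not support more secure cipher
# likely do not support MTA-STS either and will
# otherwise fall back to using plaintext connection.
smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES

# Override client's preference order.
# <https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist>
#
# This is mostly to ensure cipher suites with forward secrecy
# are preferred over cipher suites without forward secrecy.
# See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
tls_preempt_cipherlist = yes

# Relaying: only clients in mynetworks (loopback only, see below) and
# SASL-authenticated users may relay to other domains; any other request
# is deferred (defer_unauth_destination) unless Postfix itself is the
# destination.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
myhostname = {{ config.mail_domain }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Postfix does not deliver mail for any domain by itself.
# Primary domain is listed in `virtual_mailbox_domains` instead
# and handed over to Dovecot.
mydestination =

relayhost =
# Only loopback (IPv4, IPv4-mapped IPv6 and ::1) counts as a trusted
# network, so permit_mynetworks never matches a remote client.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
# maximum 30MB sized messages (30 * 1024 * 1024 bytes)
message_size_limit = 31457280
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = {{ config.mail_domain }}

# Submission (MUA) restrictions. mua_* are not built-in Postfix
# parameters but custom variables, presumably referenced as
# $mua_client_restrictions etc. from the submission service(s) in
# master.cf (not shown here). Only authenticated clients are accepted,
# and the envelope sender must match the SASL login according to
# smtpd_sender_login_maps below.
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit

# 1:1 map MAIL FROM to SASL login name.
smtpd_sender_login_maps = regexp:/etc/postfix/login_map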