Skip to content

Instantly share code, notes, and snippets.

@Thermi
Forked from kitikonti/main.cf
Last active May 20, 2017 20:49
Show Gist options
  • Save Thermi/2efe1258ed9daf0df953ed93e1895613 to your computer and use it in GitHub Desktop.
Save Thermi/2efe1258ed9daf0df953ed93e1895613 to your computer and use it in GitHub Desktop.
# Only bind to 127.0.0.1 and ::1 so local SMTP clients (msmtp) can connect to it
inet_interfaces = localhost
# Use IPv4 and IPv6
inet_protocols = all
myorigin = $myhostname
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext noanonymous
smtp_connection_cache_on_demand = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
# Disables insecure sendmail
authorized_submit_users =
# You probably don't want to send the credentials to the remote MX in the clear
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtpd_sender_login_maps = regexp:/etc/postfix/sender_login_map
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes
# For local SASL authentication where the user credentials are stored in dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_security_options = noanonymous
# Point this to the right local CA bundle
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_helo_restrictions = permit_sasl_authenticated
reject
smtpd_client_restrictions = permit_sasl_authenticated
reject
smtpd_recipient_restrictions = reject_unknown_recipient_domain
reject_unverified_recipient
reject_non_fqdn_recipient
permit
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
reject_unauthenticated_sender_login_mismatch
permit
$local_user_and_domain $remote_user_and_domain
# This can be a map of many types. (hash, regexp, ...)
# Look up happens with the key being the sender address and the table should return the SASL
# user that is allowed to send as this sender
# This is regexp style
/^marketing@remotething\.com$/ local_sasl_account_goes_here
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment