@bfu4
Created February 9, 2023 15:48
postfix config
# ------------------------------------------------------------------ #
# POSTFIX CONFIGURATION #
# ------------------------------------------------------------------ #
# ------------------------------------------------------------------ #
# 1. WHO IS THIS MAIL SERVER? #
# ------------------------------------------------------------------ #
# NOTE(review): a file path as the value relies on a distribution-specific
# extension (Debian-style /etc/mailname lookup) -- confirm this build supports
# it; otherwise the literal path is used as the origin domain.
myorigin = /etc/mailname
# "<>" values are redacted placeholders; substitute the real FQDN.
myhostname = <>.<>
# mydomain is set to the full host name here, not to the parent domain.
mydomain = $myhostname
# Domains for which this host is the final destination (local delivery).
mydestination = $myhostname, mail.<>.<>, localhost.localdomain, localhost
# ------------------------------------------------------------------ #
# 2. NETWORKING #
# ------------------------------------------------------------------ #
# Clients in these ranges are "trusted": permit_mynetworks in the recipient
# and relay restrictions of this file lets them relay without authenticating.
# Besides loopback, that includes the whole 192.168.1.0/24 LAN, so any
# compromised host on that subnet can send mail through this server.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
# NOTE(review): mynetworks_style is ignored when mynetworks is set explicitly,
# so "host" has no effect here and does not narrow the list above.
mynetworks_style = host
# Listen on every interface and on both IPv4 and IPv6.
inet_interfaces = all
inet_protocols = all
# ------------------------------------------------------------------ #
# 3. USER MAILBOX #
# ------------------------------------------------------------------ #
# Deliver local mail to ~/Maildir/ (the trailing slash selects maildir format).
home_mailbox = Maildir/
# Local alias table; alias_database names the table that newaliases rebuilds.
alias_maps = hash:/etc/postfix/config/mail/aliases
alias_database = hash:/etc/postfix/config/mail/aliases
# Address rewriting for virtual aliases. hash: tables must be rebuilt with
# postmap after every edit of the source file.
virtual_alias_maps = hash:/etc/postfix/config/mail/virtual
enable_long_queue_ids = yes
# 0 disables the mailbox size limit; disk usage must be bounded elsewhere
# (quota, monitoring), or one mailbox can fill the volume.
mailbox_size_limit = 0
# user+tag@domain is delivered to "user".
recipient_delimiter = +
# ------------------------------------------------------------------ #
# 4. PRETTY CONFIGURATIONS #
# ------------------------------------------------------------------ #
# Greeting banner: host name and software name only, no version or
# distribution string.
smtpd_banner = $myhostname ESMTP $mail_name
# Disable local "new mail" notifications.
biff = no
# Do not append ".$mydomain" to addresses that have no dot in the domain part.
append_dot_mydomain = no
readme_directory = no
# Selects which backwards-compatible defaults apply; this value also affects
# security-relevant defaults, so review it when upgrading Postfix.
compatibility_level = 2
# ------------------------------------------------------------------ #
# 5. SMTP SECURITY (TLS/SSL) #
# ------------------------------------------------------------------ #
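# Outbound (client) TLS is opportunistic: it is used when the peer offers
# STARTTLS, otherwise delivery falls back to plaintext.
smtp_tls_security_level = may
# Inbound (server) TLS is likewise opportunistic. This replaces the legacy
# "smtpd_use_tls = yes", which has the same meaning. The legacy
# "smtp_use_tls = yes" is dropped because a non-empty smtp_tls_security_level
# already overrides it.
smtpd_tls_security_level = may
# 0 disables TLS logging; level 1 logs a one-line summary per handshake and is
# useful for spotting peers that still negotiate weak protocol versions.
smtpd_tls_loglevel = 0
# Only SSLv2 and SSLv3 are excluded, so TLSv1.0 and TLSv1.1 remain negotiable
# if the TLS library still allows them. The *_mandatory_* lists apply only
# where TLS is enforced (security level "encrypt" or stronger), which is not
# the case with "may" above.
smtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
# Server-side cipher exclusions. Fixed the misspelt "EDH-RSA-DES-CDC3-SHA",
# which matched no cipher, and added the 3DES class so triple-DES suites are
# excluded regardless of individual suite names.
# NOTE(review): "KRB5-DE5" also looks like a typo (possibly KRB5-DES); it is
# left unchanged because the intended name cannot be confirmed from here.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DE5, CBC3-SHA
# Certificate chain and private key ("<>" is a redacted path). The key file
# should be readable by root only.
smtpd_tls_cert_file = /<>/fullchain.pem
smtpd_tls_key_file = /<>/privkey.pem
# TLS session caches for the client and server side.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache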
# ------------------------------------------------------------------ #
# 6. SMTP AUTHENTICATION + SECURITY (SASL) #
# ------------------------------------------------------------------ #
# Enable SASL on both sides: smtp_* is this host authenticating to remote
# servers, smtpd_* is remote clients authenticating to this host.
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
# Record the authenticated login name in the Received: header. Recipients of
# outgoing mail can therefore see the SASL user name.
smtpd_sasl_authenticated_header = yes
# Authentication is delegated to Dovecot.
smtpd_sasl_type = dovecot
# NOTE(review): the auth service is reached over a TCP socket on localhost,
# which any local process can connect to -- confirm that is acceptable, or
# use a UNIX socket with restrictive permissions.
smtpd_sasl_path = inet:localhost:4077
# Also advertise AUTH in the non-standard form expected by obsolete clients.
broken_sasl_auth_clients = yes
# AUTH is offered on unencrypted sessions as well. Because server-side TLS is
# only opportunistic in this file, a client that skips STARTTLS sends its
# credentials in clear text, where a network observer can capture them.
# NOTE(review): set to "yes" unless a known client really cannot use TLS.
smtpd_tls_auth_only = no
# Client side: when the session is TLS-protected, refuse only anonymous
# mechanisms (plaintext mechanisms are then allowed).
smtp_sasl_tls_security_options = noanonymous
# Credentials this host uses towards remote servers. The source file and its
# .db hold passwords in clear text and should be readable by root only.
smtp_sasl_password_maps = hash:/etc/postfix/config/sasl/passwd
# ------------------------------------------------------------------ #
# 7. SECURITY I (CLIENT RULES) #
# ------------------------------------------------------------------ #
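smtp_always_send_ehlo = yes
# Clients must send HELO/EHLO before MAIL FROM.
smtpd_helo_required = yes
# Continuation lines must start with whitespace; without the indent Postfix
# reads each restriction as a separate (invalid) parameter line.
# Order matters: the access table is consulted first, then the checks below.
# warn_if_reject only logs what the next restriction would have rejected.
# NOTE(review): there is no permit_mynetworks / permit_sasl_authenticated in
# this list, so authenticated clients without reverse DNS may be rejected
# here unless a submission service overrides it elsewhere -- confirm.
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/config/mail/helo_access,
    reject_unknown_reverse_client_hostname
    warn_if_reject reject_unknown_helo_hostname
    reject_invalid_helo_hostname
# reject_unknown_helo_hostname
# Reject senders in local or virtual domains that do not exist.
smtpd_reject_unlisted_sender = yes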
# ------------------------------------------------------------------ #
# 8. SECURITY II (SENDER RULES) #
# ------------------------------------------------------------------ #
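# Client side: choose SASL credentials per sender address.
smtp_sender_dependent_authentication = yes
# Continuation lines must start with whitespace; without the indent Postfix
# reads the second restriction as a separate (invalid) parameter line.
# Reject sender domains without DNS records, then apply the local PCRE
# sender access table.
smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access pcre:/etc/postfix/config/mail/sender_access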
# ------------------------------------------------------------------ #
# 9. SECURITY III (ACCESS RULES) #
# ------------------------------------------------------------------ #
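# VRFY would let a remote client test which addresses exist.
disable_vrfy_command = yes
# Continuation lines must start with whitespace; without the indent Postfix
# reads each restriction as a separate (invalid) parameter line.
# Trusted networks and authenticated users skip the blocklist checks.
# The DBL lookups are limited to the 127.0.1.[2..99] listing codes: without a
# filter any answer counts as a hit, including the 127.255.255.x error codes
# Spamhaus returns for refused queries (e.g. via a public resolver), which
# would reject legitimate mail.
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_non_fqdn_recipient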
# ------------------------------------------------------------------ #
# 10. SECURITY IV (RELAY RULES) #
# ------------------------------------------------------------------ #
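# Empty relayhost: outgoing mail is delivered directly, not through a smarthost.
relayhost =
# Continuation lines must start with whitespace; without the indent Postfix
# reads each restriction as a separate (invalid) parameter line.
# reject_unauth_destination is what prevents an open relay: everyone who is
# neither in mynetworks nor authenticated can only reach domains this server
# is responsible for. Keep it as the last entry.
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Domains this server relays mail for (table contents not shown here).
relay_domains = hash:/etc/postfix/config/mail/relay_domains
# Valid addresses that may receive mail from the internet.
relay_recipient_maps = hash:/etc/postfix/config/mail/relay_recipients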
# ------------------------------------------------------------------ #
# 11. FILTERING #
# ------------------------------------------------------------------ #
# Fail open: if the milter is unreachable or errors out, mail is accepted as
# if no filter were configured. Outgoing mail then leaves unsigned; monitor
# the milter service if signing matters.
milter_default_action = accept
# NOTE(review): protocol version 2 is an old milter protocol level -- confirm
# it is what the installed OpenDKIM expects.
milter_protocol = 2
# OpenDKIM milter on a local TCP socket, applied both to mail received over
# SMTP and to locally submitted mail.
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892
# Local PCRE rules applied to message headers (table contents not shown here).
header_checks = pcre:/etc/postfix/config/mail/header_checks
# Reject clients that send commands ahead of time without being allowed to
# pipeline.
smtpd_data_restrictions = reject_unauth_pipelining