
@jult jult/main.cf
Last active Feb 14, 2019

current postfix and some related config (partly managed by ISPconfig)
# this is most of my /etc/postfix/main.cf file:
# Listener, resource-limit, queue-timing and reject-code settings.
# Note: main.cf only treats '#' as a comment at the start of a line; do not
# append comments after a value.
inet_protocols = all
# Listens on every interface; exposure is then controlled only by the firewall
# and the smtpd_*_restrictions further down in this file.
inet_interfaces = all
recipient_delimiter = +
# NOTE(review): "Blah" looks like a redaction. postconf(5) requires the banner
# text to start with $myhostname.
smtpd_banner = Blah ESMTP
empty_address_recipient = admin
default_process_limit = 64
default_recipient_limit = 10000
default_minimum_delivery_slots = 4
# Per-client limits enforced through anvil(8), counted per anvil_rate_time_unit (60s).
# By default clients in $mynetworks are exempt (smtpd_client_event_limit_exceptions),
# so these limits do not constrain a misbehaving trusted host.
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 40
smtpd_client_connection_rate_limit = 200
smtpd_client_message_rate_limit = 100
anvil_status_update_time = 1800s
smtpd_helo_required = yes
smtp_helo_timeout = 69s
smtp_connect_timeout = 69s
smtp_destination_concurrency_limit = 18
smtp_destination_recipient_limit = 24
smtpd_recipient_limit = 80
smtpd_recipient_overshoot_limit = 120
local_destination_concurrency_limit = 8
# Only the first 102400 bytes of each body segment are matched against body_checks.
body_checks_size_limit = 102400
header_size_limit = 102400
# 0 disables the mailbox size limit (this parameter is set a second time further down).
mailbox_size_limit = 0
# Minimum free space (bytes) in the queue file system before mail is accepted.
queue_minfree = 122880000
qmgr_message_active_limit = 12000
bounce_size_limit = 150000
#in_flow_delay = 1s
# Retry schedule for deferred mail, tuned to requeue as quickly as possible.
# NOTE(review): postconf(5) recommends queue_run_delay <= minimal_backoff_time;
# here it is one second larger (242s vs 241s) - confirm this is intended.
queue_run_delay = 242s
minimal_backoff_time = 241s
maximal_backoff_time = 3601s
maximal_queue_lifetime = 14d
biff = no
# Rejections are held back until RCPT TO, so the restriction lists see the
# client, HELO and sender information together and the logs show the full context.
smtpd_delay_reject = yes
# tarpitting stupid spammers
# Replies are delayed once a client keeps making errors, and the session is
# dropped when the hard error limit is reached.
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 8
smtpd_hard_error_limit = 16
smtpd_junk_command_limit = 4
# VRFY is disabled so that it cannot be used to probe for valid addresses.
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# Reply codes for the individual reject reasons. Several of these default to a
# temporary 450 because they depend on DNS or address-verification lookups;
# a permanent 554 means a lookup-dependent false positive bounces the message
# instead of letting the sender retry.
invalid_hostname_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
# The opposite choice for DNSBL hits: the default is 554, here a listed client
# gets a temporary 451 and will keep retrying until its queue lifetime expires.
maps_rbl_reject_code = 451
# appending .domain is the MUA's job.
append_dot_mydomain = no
# "Delayed mail" warnings are enabled: the sender is notified once a message
# has been sitting in the queue for this long.
delay_warning_time = 1h
readme_directory = /usr/share/doc/postfix
# TLS parameters
# "some host.org" is a redacted placeholder (note the space); substitute the real
# certificate directory. The private key file should be readable by root only.
smtpd_tls_cert_file = /etc/letsencrypt/live/some host.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/some host.org/privkey.pem
# Legacy switch; with Postfix 2.3 and later smtpd_tls_security_level (set below)
# takes precedence, so this line is redundant.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# "may" = opportunistic TLS in both directions: STARTTLS is used when the peer
# offers it, the peer certificate is not verified, and mail falls back to
# cleartext otherwise. This protects against passive eavesdropping only; an
# active attacker can strip STARTTLS.
smtpd_tls_security_level = may
smtp_tls_security_level = may
# The *_mandatory_protocols variants only apply at security level "encrypt" or
# stronger; at level "may" the plain *_tls_protocols lines are the ones in effect.
# Excluding only SSLv2/SSLv3 leaves TLSv1 and TLSv1.1 enabled where the TLS
# library still supports them; add "!TLSv1, !TLSv1.1" to drop those as well,
# at the cost of falling back to cleartext with peers that speak nothing newer.
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
# Both cipher lines are disabled. Leave the "low" grade disabled: it would
# permit weak ciphers on mandatory-TLS sessions.
#smtpd_tls_mandatory_ciphers=low
#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# Log level 1 records a summary line per TLS handshake, which is what you need
# to see which protocol version and cipher peers actually negotiate.
smtpd_tls_loglevel=1
smtp_tls_loglevel=1
# Logs remote servers that offer STARTTLS, useful for spotting peers where TLS is not being used.
smtp_tls_note_starttls_offer=yes
# if you have authentication enabled, only offer it after STARTTLS
# (so SASL credentials are never sent over an unencrypted session)
smtpd_tls_auth_only = yes
# Disables TLS-level compression.
tls_ssl_options = NO_COMPRESSION
# SASL settings
# Authentication is delegated to Dovecot over the socket private/auth
# (the path is relative to the Postfix queue directory).
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Writes the authenticated SASL login name into the Received: header of
# submitted mail, so every recipient can read it. That is useful for abuse
# tracing but discloses account names; the header_checks rules posted in the
# comments below only remove Received: lines that match their patterns.
smtpd_sasl_authenticated_header = yes
#broken_sasl_auth_clients = yes
# Identity, lookup tables, access restrictions and content filtering.
# "some host.org" is a redacted placeholder; use the server's real FQDN.
myhostname = some host.org
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
# The origin domain is read from the file /etc/mailname.
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
relayhost =
# Hosts listed here are trusted: they match permit_mynetworks in every
# restriction list below and may relay without authenticating. x.x.x.x and
# x.x.x.0/24 are redacted placeholders; keep the real list as narrow as possible.
mynetworks = 127.0.0.0/8 [::1]/128 x.x.x.x x.x.x.0/24
# Duplicate of the mailbox_size_limit line earlier in this file (same value).
mailbox_size_limit = 0
# NOTE(review): 0 appears to be treated as "no limit", so a single message can
# grow until queue_minfree stops it. Consider an explicit cap (the Postfix
# default is 10240000 bytes).
message_size_limit = 0
html_directory = /usr/share/doc/postfix/html
# Virtual domains, mailboxes and forwardings come from MySQL lookups
# (the description says this part is managed by ISPconfig) plus Mailman's tables.
# The mysql-*.cf files contain database credentials; presumably they should not
# be world-readable - verify their permissions.
virtual_transport = dovecot
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
# Defines a restriction class named "greylisting" that queries a policy daemon
# on localhost port 10023; presumably the mysql-virtual_policy_greylist.cf
# lookup below returns this class name for recipients that use greylisting.
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
# Relay control: only trusted networks and authenticated users may relay;
# everything else is deferred unless this server is the destination.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# The DNSBL lookups run last, after trusted and authenticated clients have been
# permitted. Each reject_rbl_client zone is an external dependency: check
# regularly that every list is still operated, since a retired or unreachable
# zone can cause delays or wrong rejections.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, reject_rbl_client spameatingmonkey.net, reject_rbl_client badconf.rhsbl.sorbs.net, reject_rbl_client truncate.gbudb.net, reject_rbl_client all.spam-rbl.fr, reject_rbl_client dnsbl.inps.de
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
# NOTE(review): this map only takes effect when a restriction list uses
# reject_sender_login_mismatch or reject_authenticated_sender_login_mismatch.
# Neither appears in this file, so unless one is set in master.cf an
# authenticated user can send with any envelope sender address.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
# Tables that may be read through the proxymap(8) service.
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
# reject_invalid_hostname and reject_non_fqdn_hostname are the pre-2.3 names of
# reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname.
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
# tag_as_originating.re is consulted before the permit_* rules and
# tag_as_foreign.re after them; presumably they mark mail as local or foreign
# for the content filter - their contents are not shown here.
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
default_destination_concurrency_limit = 4
relay_destination_concurrency_limit = 1
# Header and body pattern checks. header_checks is applied by cleanup(8) to all
# mail it processes; smtp_header_checks only to mail being delivered by the SMTP client.
header_checks = regexp:/etc/postfix/header_checks
smtp_header_checks = regexp:/etc/postfix/headers_out
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
# All mail is handed to amavis on localhost:10024. The listener that takes the
# filtered mail back is defined in master.cf (not shown); it must accept
# connections from localhost only, because it bypasses the checks above.
content_filter = amavis:[127.0.0.1]:10024
# Address rewriting is skipped before the filter so amavis sees the original
# recipients; the re-injection listener has to turn it back on.
receive_override_options = no_address_mappings
# Gmail IPv6 retry:
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
Owner Author

jult commented Apr 8, 2017

My /etc/postfix/header_checks:

# IGNORE deletes the matching header line from the message.
# These rules hide internal hops and content-filter traces. header_checks is
# applied to all mail that passes through cleanup(8), not only to outgoing
# mail, so trace headers on incoming messages that match are removed as well;
# keep the patterns as specific as possible so logs and headers stay useful
# for abuse investigation.
/^Received: from mail.*somehost_you_want_to_hide/   IGNORE
/^Received:.*localhost.*somehost/ IGNORE
# Matches any Received: line that mentions 127.0.0.1, whichever system added it.
/^Received:.*127\.0\.0\.1/ IGNORE
# Not tied to a header name: any header line containing "amavisd-new" is dropped.
/^.*amavisd-new/ IGNORE
# NOTE(review): if these also match on incoming mail after amavis has tagged it,
# mailbox-side spam filtering loses the score headers - confirm which cleanup
# pass applies this table.
/^X-Spam-Level:/ IGNORE
/^X-Spam-Status:/ IGNORE

Owner Author

jult commented Apr 8, 2017

in /etc/postfix/main.cf:

# Header that cleanup(8) inserts when a message has no To: or Cc: header at all.
undisclosed_recipients_header = To: (Probably SPAM or SCAM) undisclosed-recipients:;
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
# Only the first 4096 bytes of each body segment are matched against body_checks;
# note the main.cf listing at the top of this page uses 102400 for the same parameter.
body_checks_size_limit = 4096

then do:

# postfix reload
Owner Author

jult commented Apr 9, 2017

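If postfix doesn't seem to apply the header changes, check whether you have receive_override_options = no_header_body_checks in either /etc/postfix/master.cf or /etc/postfix/main.cf; that option turns off header_checks and body_checks for the service it is set on.
If it is there, remove the no_header_body_checks part. In a content_filter setup, remove it only from the listener that should run the checks, otherwise they are applied both before and after the filter.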


suyog1pathak commented Jun 7, 2017

Can I get configuration to append all emails relaying from my postfix with string "NOTICE: bla bla"
