32 changes: 20 additions & 12 deletions etc/alternc/templates/alternc/postfix/postfix-slave.cf
@@ -1,28 +1,35 @@
# Postfix Configuration options
# Used by alternc.install with postconf
# WARNING: this script is not used directly by postfix! it is parse by alternc.install
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
local_destination_concurrency_limit = 8
default_destination_concurrency_limit = 10
smtpd_use_tls = yes
smtpd_tls_dcert_file = /etc/alternc/apache.pem
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_key_file = $smtpd_tls_dcert_file
smtpd_tls_cert_file = $smtpd_tls_dcert_file
#### TLS options
smtpd_tls_security_level = may
# The apache.pem file as generated by alternc should contain the private key as
# well, so we don't need to specify smtpd_tls_key_file
# If you use Let's Encrypt, or other certificate vendors, then you want to
# point smtpd_tls_cert_file to a file that contains the certificate and the
# CA's intermediate cert, and you want to point smtpd_tls_key_file to the file
# containing the private key.
smtpd_tls_cert_file = /etc/alternc/apache.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_tls_dcert_file = $smtpd_tls_dcert_file
smtp_tls_dkey_file = $smtpd_tls_dcert_file
smtp_tls_CApath = $smtpd_tls_CApath
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#### SASL options
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = postfix
smtpd_sasl_security_options = noanonymous
enable_sasl_authentification = yes
broken_sasl_auth_clients = yes
#### Virtual mapping
# none, the primary server knows about virtual mailboxes
# We do need to know who's allowed to relay through here, though.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_maps =
Expand All @@ -34,7 +41,8 @@ default_privs = nobody
transport_maps=proxy:mysql:/etc/postfix/myrelay.cf
relay_domains=proxy:mysql:/etc/postfix/myrelay.cf
relay_recipients_map=proxy:mysql:/etc/postfix/myvirtual.cf
smtpd_recipient_restrictions = reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, reject_rbl_client zen.spamhaus.org
#### General options
message_size_limit = 100000000
mailbox_size_limit = 0
enable_original_recipient = no
smtpd_recipient_restrictions = reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, reject_rbl_client zen.spamhaus.org
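Review bot: The TLS block this commit rewrites for the slave template (the lines between `#### TLS options` and `#### SASL options`) only sets the security levels and the cert file, so it inherits Postfix's defaults for protocols and ciphers, while the sibling postfix.cf in the same PR pins `!SSLv2, !SSLv3` and excludes aNULL/DES/3DES/MD5/RC4. On an older Postfix that means the slave may still offer SSLv3 and export-grade ciphers to clients that authenticate here with `smtpd_tls_auth_only = yes`. I would mirror the hardening into this template: `smtpd_tls_protocols = !SSLv2, !SSLv3`, `smtp_tls_protocols = !SSLv2, !SSLv3`, `smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4` (and the matching `smtp_tls_exclude_ciphers`). Raising `smtpd_tls_loglevel` from 0 to 1 would also make it possible to see which protocol and cipher each session actually negotiated; level 0 logs nothing about the handshake.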
59 changes: 26 additions & 33 deletions etc/alternc/templates/alternc/postfix/postfix.cf
Expand Up @@ -21,27 +21,36 @@ smtpd_client_connection_rate_limit=50
# in "[Incompat 20031223]")
smtp_mx_session_limit = 1
#### TLS options
smtpd_use_tls = yes
smtpd_tls_dcert_file = /etc/alternc/apache.pem
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_key_file = $smtpd_tls_dcert_file
smtpd_tls_cert_file = $smtpd_tls_dcert_file
smtpd_tls_security_level = may
# The apache.pem file as generated by alternc should contain the private key as
# well, so we don't need to specify smtpd_tls_key_file
# If you use Let's Encrypt, or other certificate vendors, then you want to
# point smtpd_tls_cert_file to a file that contains the certificate and the
# CA's intermediate cert, and you want to point smtpd_tls_key_file to the file
# containing the private key.
smtpd_tls_cert_file = /etc/alternc/apache.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_dcert_file = $smtpd_tls_dcert_file
smtp_tls_dkey_file = $smtpd_tls_dcert_file
smtp_tls_CApath = $smtpd_tls_CApath
smtpd_tls_auth_only = no
#SASL options
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtp_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
#### SASL options
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = postfix
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
#### Virtual Mapping
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Expand All @@ -56,32 +65,16 @@ virtual_uid_maps = proxy:mysql:/etc/postfix/mygid.cf
relay_recipient_maps = $virtual_alias_maps
relay_domains = proxy:mysql:/etc/postfix/myrelay-domain.cf
transport_maps = proxy:mysql:/etc/postfix/mytransport.cf
dovecot_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unlisted_recipient, reject_unauth_destination
virtual_mailbox_limit = 0
#### DKIM Filtering
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
#### General options
dovecot_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 100000000
virtual_mailbox_limit = 0
mailbox_size_limit = 0
enable_original_recipient = no
smtp_tls_dcert_file = $smtpd_tls_dcert_file
smtp_tls_dkey_file = $smtpd_tls_dcert_file
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_key_file = $smtpd_tls_dcert_file
smtp_tls_cert_file = $smtpd_tls_dcert_file
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtp_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unlisted_recipient, reject_unauth_destination
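Review bot: `smtpd_tls_protocols = !SSLv2, !SSLv3` (and the `smtp_tls_protocols` line below it) still leaves TLSv1.0 and TLSv1.1 enabled, both of which are deprecated by RFC 8996; since this server now requires TLS for SASL AUTH (`smtpd_tls_auth_only = yes`), client credentials can be sent over those protocol versions. The exclusion form is the right choice over the old explicit list because it lets TLSv1.3 through automatically, but I would extend it on the receiving side to `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` and add `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` so the mandatory level (used by `smtpd_tls_auth_only`) matches; the `>=TLSv1.2` spelling needs Postfix 3.6+, the exclusion list works on older releases. Leave `smtp_tls_protocols` as it is, since the outbound side is opportunistic (`smtp_tls_security_level = may`) and a peer that cannot do TLS 1.2 would otherwise fall back to cleartext. For the same reason, the Postfix documentation advises against raising `smtp_tls_ciphers`/`smtpd_tls_ciphers` above the default `medium` for opportunistic TLS; `high` is fine for the `*_mandatory_ciphers` lines but on the opportunistic ones it gains nothing and can push legacy peers to plaintext.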