-rw-r--r--etc/.cfgl/config4
-rw-r--r--etc/dovecot/conf.d/10-mail.conf415
-rw-r--r--etc/dovecot/conf.d/10-master.conf135
-rw-r--r--etc/dovecot/conf.d/10-ssl.conf82
-rw-r--r--etc/dovecot/conf.d/15-mailboxes.conf99
-rw-r--r--etc/fstab6
-rw-r--r--etc/hostname2
-rw-r--r--etc/myconf/cfgl_meta22
-rw-r--r--etc/nftables.conf12
-rw-r--r--etc/opendkim/opendkim.conf769
-rw-r--r--etc/opendmarc/opendmarc.conf371
-rw-r--r--etc/postfix/aliases274
-rw-r--r--etc/postfix/main.cf747
-rw-r--r--etc/postfix/master.cf150
-rw-r--r--etc/services3
-rw-r--r--etc/systemd/network/default.network15
-rw-r--r--etc/systemd/system/acme.sh.service.d/override.conf2
-rw-r--r--etc/systemd/system/opendmarc.service.d/override.conf4
-rw-r--r--etc/tmpfiles.d/opendmarc.conf1
-rw-r--r--home/xyz/.config/myconf/pacman_Qqme2
-rw-r--r--home/xyz/.config/myconf/pacman_Qqne7
-rw-r--r--home/xyz/.config/myconf/sye8
22 files changed, 3104 insertions, 26 deletions
diff --git a/etc/.cfgl/config b/etc/.cfgl/config
index f54a1e6d..cf863b03 100644
--- a/etc/.cfgl/config
+++ b/etc/.cfgl/config
@@ -11,6 +11,6 @@
fetch = +refs/heads/*:refs/remotes/origin/*
[commit]
gpgsign = false
-[branch "ia"]
+[branch "ib"]
remote = origin
- merge = refs/heads/ia
+ merge = refs/heads/ib
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
new file mode 100644
index 00000000..49e70cb9
--- /dev/null
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -0,0 +1,415 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if there's no domain
+# %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+# mail_location = maildir:~/Maildir
+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# <doc/wiki/MailLocation.txt>
+#
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+ # Namespace type: private, shared or public
+ #type = private
+
+ # Hierarchy separator to use. You should use the same separator for all
+ # namespaces or some clients get confused. '/' is usually a good one.
+ # The default however depends on the underlying mail storage format.
+ #separator =
+
+ # Prefix required to access this namespace. This needs to be different for
+ # all namespaces. For example "Public/".
+ #prefix =
+
+ # Physical location of the mailbox. This is in same format as
+ # mail_location, which is also the default for it.
+ #location =
+
+ # There can be only one INBOX, and this setting defines which namespace
+ # has it.
+ inbox = yes
+
+ # If namespace is hidden, it's not advertised to clients via NAMESPACE
+ # extension. You'll most likely also want to set list=no. This is mostly
+ # useful when converting from another server with different namespaces which
+ # you want to deprecate but still keep working. For example you can create
+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+ #hidden = no
+
+ # Show the mailboxes under this namespace with LIST command. This makes the
+ # namespace visible for clients that don't support NAMESPACE extension.
+ # "children" value lists child mailboxes, but hides the namespace prefix.
+ #list = yes
+
+ # Namespace handles its own subscriptions. If set to "no", the parent
+ # namespace handles them (empty prefix should always have this as "yes")
+ #subscriptions = yes
+
+ # See 15-mailboxes.conf for definitions of special mailboxes.
+}
+
+# Example shared namespace configuration
+#namespace {
+ #type = shared
+ #separator = /
+
+ # Mailboxes are visible under "shared/user@domain/"
+ # %%n, %%d and %%u are expanded to the destination user.
+ #prefix = shared/%%u/
+
+ # Mail location for other users' mailboxes. Note that %variables and ~/
+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+ # destination user's data.
+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+ # Use the default namespace for saving subscriptions.
+ #subscriptions = no
+
+ # List the shared/ namespace only if there are visible shared mailboxes.
+ #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin =
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+# optimized (default): Whenever necessary to avoid losing important data
+# always: Useful with e.g. NFS when write()s are delayed
+# never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs =
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot =
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins =
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+ # If folder vsize calculation requires opening more than this many mails from
+ # disk (i.e. mail sizes aren't in cache already), return failure and finish
+ # the calculation via indexer process. Disabled by default. This setting must
+ # be 0 for indexer-worker processes.
+ #mail_vsize_bg_after_count = 0
+}
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+# solution. If you want to use /var/mail/ like directory, the users
+# will need write access to that directory.
+# dotlock_try: Same as dotlock, but if it fails because of permissions or
+# because there isn't enough disk space, just skip it.
+# fcntl : Use this if possible. Works with NFS too if lockd is used.
+# flock : May not exist in all systems. Doesn't work with NFS.
+# lockf : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 10M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+# sis posix : SiS with immediate byte-by-byte comparison during saving
+# sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+# add-flags - Add the keywords when saving new mails or when fetching can
+# do it efficiently.
+# content-type=type or !type - Include/exclude content type. Excluding will
+# never consider the matched MIME part as attachment. Including will only
+# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
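Review bot: `mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs` is the only live setting in this 415-line file, and nothing records why the non-default `LAYOUT=fs` and the separate `INBOX=` path were chosen. A one-line comment directly above it, e.g. `# fs layout: one directory per folder under ~/Mail; INBOX is the ~/Mail/Inbox directory`, would spare the next reader from scanning the stock commentary to find the one changed value. Since every other key is left at its commented default, a header line stating that the file is the vendor example with only mail_location changed would make later diffs against upstream easier to read.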
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
new file mode 100644
index 00000000..fb03c64c
--- /dev/null
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -0,0 +1,135 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+ inet_listener imap {
+ #port = 143
+ }
+ inet_listener imaps {
+ #port = 993
+ #ssl = yes
+ }
+
+ # Number of connections to handle before starting a new process. Typically
+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+ # is faster. <doc/wiki/LoginProcess.txt>
+ #service_count = 1
+
+ # Number of processes to always keep waiting for more connections.
+ #process_min_avail = 0
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+ inet_listener pop3 {
+ #port = 110
+ }
+ inet_listener pop3s {
+ #port = 995
+ #ssl = yes
+ }
+}
+
+service submission-login {
+ inet_listener submission {
+ #port = 587
+ }
+ inet_listener submissions {
+ #port = 465
+ }
+}
+
+service lmtp {
+ unix_listener lmtp {
+ #mode = 0666
+ }
+
+ # Create inet listener only if you can't use the above UNIX socket
+ #inet_listener lmtp {
+ # Avoid making LMTP visible for the entire internet
+ #address =
+ #port =
+ #}
+}
+
+service imap {
+ # Most of the memory goes to mmap()ing files. You may need to increase this
+ # limit if you have huge mailboxes.
+ #vsz_limit = $default_vsz_limit
+
+ # Max. number of IMAP processes (connections)
+ #process_limit = 1024
+}
+
+service pop3 {
+ # Max. number of POP3 processes (connections)
+ #process_limit = 1024
+}
+
+service submission {
+ # Max. number of SMTP Submission processes (connections)
+ #process_limit = 1024
+}
+
+service auth {
+ # auth_socket_path points to this userdb socket by default. It's typically
+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+ # full permissions to this socket are able to get a list of all usernames and
+ # get the results of everyone's userdb lookups.
+ #
+ # The default 0666 mode allows anyone to connect to the socket, but the
+ # userdb lookups will succeed only if the userdb returns an "uid" field that
+ # matches the caller process's UID. Also if caller's uid or gid matches the
+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+ #
+ # To give the caller full permissions to lookup all users, set the mode to
+ # something else than 0666 and Dovecot lets the kernel enforce the
+ # permissions (e.g. 0777 allows everyone full permissions).
+ #unix_listener auth-userdb {
+ #mode = 0666
+ #user =
+ #group =
+ #}
+
+ # Postfix smtp-auth
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0666
+ user = postfix
+ group = postfix
+ }
+
+ # Auth process is run as this user.
+ #user = $default_internal_user
+}
+
+service auth-worker {
+ # Auth worker process is run as root by default, so that it can access
+ # /etc/shadow. If this isn't necessary, the user should be changed to
+ # $default_internal_user.
+ #user = root
+}
+
+service dict {
+ # If dict proxy is used, mail processes should have access to its socket.
+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+ unix_listener dict {
+ #mode = 0600
+ #user =
+ #group =
+ }
+}
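Review bot: The Postfix SASL socket added as `unix_listener /var/spool/postfix/private/auth` is created with `mode = 0666` even though `user = postfix` and `group = postfix` are set on the same listener; `mode = 0660` restricts the auth socket to the postfix account and is the tighter setting with no loss of function. On a stock Postfix layout the enclosing `private/` directory is presumably not world-traversable, which is what makes 0666 harmless here, but the restriction then rests on the directory mode rather than on the socket itself. Note also that the plaintext `imap` (143) and `pop3` (110) listeners stay enabled at their defaults; with `ssl = required` in the accompanying 10-ssl.conf that is acceptable for protocols that are enabled, but a comment here saying that STARTTLS is enforced elsewhere would document the dependency.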
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
new file mode 100644
index 00000000..b9c2263e
--- /dev/null
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -0,0 +1,82 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/postfix/flylightning.pem
+ssl_key = </etc/postfix/flylightning.key
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca =
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
+# large CA bundles, because it leads to excessive memory usage.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
+# Require valid cert when connecting to a remote server
+#ssl_client_require_valid_cert = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </etc/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
+#
+# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
+# version, and LATEST matches with the latest version supported by library.
+#ssl_min_protocol = TLSv1.2
+
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+# compression - Enable compression.
+# no_ticket - Disable SSL session tickets.
+#ssl_options =
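Review bot: `ssl_min_protocol` is left at its commented default on the line `#ssl_min_protocol = TLSv1.2`, so the accepted protocol floor depends on the Dovecot build rather than on this file; uncommenting it as `ssl_min_protocol = TLSv1.2` pins the policy explicitly and makes it reviewable in the config. The certificate and key are read from `/etc/postfix/flylightning.pem` and `/etc/postfix/flylightning.key`, i.e. shared with Postfix; the file's own header says the key must stay readable only by root, and the cfgl_meta hunk in this commit tracks neither file, so that mode is not verifiable from here — a comment above `ssl_key` noting the shared key and its expected ownership would document the dependency. `ssl_dh = </etc/dovecot/dh.pem` likewise references a file this change does not create, so the comment above it should say it must be generated before the service starts.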
diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf
new file mode 100644
index 00000000..5b2eebae
--- /dev/null
+++ b/etc/dovecot/conf.d/15-mailboxes.conf
@@ -0,0 +1,99 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+# Indicates whether the mailbox with this name is automatically created
+# implicitly when it is first accessed. The user can also be automatically
+# subscribed to the mailbox after creation. The following values are
+# defined for this setting:
+#
+# no - Never created automatically.
+# create - Automatically created, but no automatic subscription.
+# subscribe - Automatically created and subscribed.
+#
+# special_use:
+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+# mailbox. There are no validity checks, so you could specify anything
+# you want in here, but it's not a good idea to use flags other than the
+# standard ones specified in the RFC:
+#
+# \All - This (virtual) mailbox presents all messages in the
+# user's message store.
+# \Archive - This mailbox is used to archive messages.
+# \Drafts - This mailbox is used to hold draft messages.
+# \Flagged - This (virtual) mailbox presents all messages in the
+# user's message store marked with the IMAP \Flagged flag.
+# \Important - This (virtual) mailbox presents all messages in the
+# user's message store deemed important to user.
+# \Junk - This mailbox is where messages deemed to be junk mail
+# are held.
+# \Sent - This mailbox is used to hold copies of messages that
+# have been sent.
+# \Trash - This mailbox is used to hold messages that have been
+# deleted.
+#
+# comment:
+# Defines a default comment or note associated with the mailbox. This
+# value is accessible through the IMAP METADATA mailbox entries
+# "/shared/comment" and "/private/comment". Users with sufficient
+# privileges can override the default value for entries with a custom
+# value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+ # These mailboxes are widely used and could perhaps be created automatically:
+ mailbox Drafts {
+ special_use = \Drafts
+ auto = subscribe
+ }
+ mailbox Junk {
+ special_use = \Junk
+ auto = subscribe
+ }
+ mailbox Trash {
+ special_use = \Trash
+ auto = subscribe
+ # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge
+ # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259
+ # https://doc.dovecot.org/settings/types/#time
+ autoexpunge = 30d
+ }
+
+ # For \Sent mailboxes there are two widely used names. We'll mark both of
+ # them as \Sent. User typically deletes one of them if duplicates are created.
+ mailbox Sent {
+ special_use = \Sent
+ auto = subscribe
+ }
+ #mailbox "Sent Messages" {
+ # special_use = \Sent
+ #}
+
+ mailbox Archive {
+ special_use = \Archive
+ auto = subscribe
+ }
+
+ # If you have a virtual "All messages" mailbox:
+ #mailbox virtual/All {
+ # special_use = \All
+ # comment = All my messages
+ #}
+
+ # If you have a virtual "Flagged" mailbox:
+ #mailbox virtual/Flagged {
+ # special_use = \Flagged
+ # comment = All my flagged messages
+ #}
+
+ # If you have a virtual "Important" mailbox:
+ #mailbox virtual/Important {
+ # special_use = \Important
+ # comment = All my important messages
+ #}
+}
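Review bot: `autoexpunge = 30d` under `mailbox Trash` permanently deletes mail older than 30 days, and the three URL-only comment lines above it say where the setting is documented but not why 30 days was chosen or why `mailbox Junk` gets no expunge at all; a short line such as `# purge Trash after 30 days; Junk is kept until the user deletes it` (keeping one reference link if wanted) would record the retention decision. The commented `#mailbox "Sent Messages"` block is left with no note on why only `Sent` carries \Sent here; either drop it or add `# second \Sent name intentionally not enabled`.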
diff --git a/etc/fstab b/etc/fstab
index da96a1a8..a3aa1b42 100644
--- a/etc/fstab
+++ b/etc/fstab
@@ -2,10 +2,10 @@
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
-# /dev/sda1 LABEL=Root
-UUID=9b1c240a-4cee-4420-8e24-ff0f6f1baac9 / ext4 rw,relatime,errors=remount-ro 0 1
+# /dev/sda1 LABEL=root
+UUID=ed61e67e-7605-4383-ac16-fe54ee2ede87 / ext4 rw,relatime,errors=remount-ro 0 1
# /dev/sdb1
-UUID=ffca8da3-1ff7-4780-80a1-959f7409bd1b /home ext4 rw,relatime 0 2
+UUID=57bd9dcd-6024-4e7e-a5c7-811269c13078 /home ext4 rw,relatime 0 2
/swapfile none swap defaults 0 0
diff --git a/etc/hostname b/etc/hostname
index 45c80593..89dfb421 100644
--- a/etc/hostname
+++ b/etc/hostname
@@ -1 +1 @@
-xyzia
+xyzib
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 17970a51..44110548 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -4,6 +4,12 @@
600 root root //etc/.cfgl/config.worktree
700 root root //etc/.cfgl/info
600 root root //etc/.cfgl/info/sparse-checkout
+755 root root //etc/dovecot
+755 root root //etc/dovecot/conf.d
+644 root root //etc/dovecot/conf.d/10-mail.conf
+644 root root //etc/dovecot/conf.d/10-master.conf
+644 root root //etc/dovecot/conf.d/10-ssl.conf
+644 root root //etc/dovecot/conf.d/15-mailboxes.conf
644 root root //etc/fstab
644 root root //etc/hostname
644 root root //etc/locale.conf
@@ -15,7 +21,15 @@
755 root root //etc/myconf
600 root root //etc/myconf/cfgl_meta
644 root root //etc/nftables.conf
+700 opendkim mail //etc/opendkim
+644 opendkim mail //etc/opendkim/opendkim.conf
+755 root root //etc/opendmarc
+640 opendmarc mail //etc/opendmarc/opendmarc.conf
644 root root //etc/pacman.conf
+755 root root //etc/postfix
+644 root root //etc/postfix/aliases
+644 root root //etc/postfix/main.cf
+644 root root //etc/postfix/master.cf
777 root root //etc/resolv.conf
644 root root //etc/services
755 root root //etc/ssh
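Review bot: The new entries cover `/etc/opendkim` (700 opendkim mail) and `opendkim.conf` (644) but not the private key that this commit's opendkim.conf points at, `/etc/opendkim/mail.private`, so a restore from this metadata cannot reproduce that file's owner and mode. Keeping the key out of the repository is the right choice, but the omission is then invisible; OpenDKIM's RequireSafeKeys (default yes) refuses group- or world-readable key files, so it is worth recording, in the commit message or a README next to this file, that the key's 0600 opendkim ownership is managed out of band. The two new config files also get different modes for no visible reason (`644 opendkim mail //etc/opendkim/opendkim.conf` vs `640 opendmarc mail //etc/opendmarc/opendmarc.conf`); neither file in this commit contains a secret, so aligning them, or noting why they differ, would help the next reader.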
@@ -27,13 +41,17 @@
644 root root //etc/sysctl.d/99-sysctl.conf
755 root root //etc/systemd
755 root root //etc/systemd/network
-644 systemd-network systemd-network //etc/systemd/network/default.network
755 root root //etc/systemd/system
+755 root root //etc/systemd/system/acme.sh.service.d
+644 root root //etc/systemd/system/acme.sh.service.d/override.conf
755 root root //etc/systemd/system/multi-user.target.wants
-777 root root //etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service
777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
+755 root root //etc/systemd/system/opendmarc.service.d
+644 root root //etc/systemd/system/opendmarc.service.d/override.conf
755 root root //etc/systemd/system/paccache.service.d
644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf
+755 root root //etc/tmpfiles.d
+644 root root //etc/tmpfiles.d/opendmarc.conf
755 root root //home
700 xyz wheel //home/xyz
644 xyz wheel //home/xyz/.bashrc
diff --git a/etc/nftables.conf b/etc/nftables.conf
index ab16ed11..da1f2f44 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -13,7 +13,6 @@ flush ruleset
define pub_iface = "eth0"
define wg_iface = "wg0"
-
table inet my_table {
chain my_input {
@@ -33,6 +32,17 @@ table inet my_table {
udp dport qbt accept
#tcp dport iperf3 accept
udp dport wireguard accept
+ udp dport swgp accept
+ # for acme.sh standalone mode builtin webserver to renew ssl cert
+ tcp dport http accept
+ # email related ports
+ tcp dport smtp accept
+ tcp dport pop3 accept
+ tcp dport imap accept
+ tcp dport submissions accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport pop3s accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
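Review bot: The new rules open the plaintext `pop3` (110) and `imap` (143) ports on the public interface next to `pop3s`/`imaps`; whether clients can authenticate in the clear on them depends on Dovecot's `10-ssl.conf` in this commit setting `ssl = required` and `disable_plaintext_auth = yes`, which is not visible here. If STARTTLS is enforced there, a comment such as `# 110/143 are STARTTLS-only, see dovecot 10-ssl.conf` above `tcp dport pop3 accept` would document that; if it is not, dropping those two accepts and keeping only the implicit-TLS ports (plus `smtp` for inbound MX and `submission`/`submissions` for clients) is the safer default. The `tcp dport http accept` line for acme.sh stays open permanently rather than only during renewals, which may be intended but deserves the same one-line note. `swgp` is not a standard service name; presumably it is defined by the `etc/services` change in this commit. The enclosing `chain my_input` starts outside this hunk.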
diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf
new file mode 100644
index 00000000..373c7213
--- /dev/null
+++ b/etc/opendkim/opendkim.conf
@@ -0,0 +1,769 @@
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+## Copyright (c) 2010-2015, 2018, The Trusted Domain Project.
+## All rights reserved.
+##
+
+##
+## For settings that refer to a "dataset", see the opendkim(8) man page.
+##
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## AllowSHA1Only { yes | no }
+## default "no"
+##
+## By default, the filter will refuse to start if support for SHA256 is
+## not available since this violates the strong recommendations of
+## RFC6376 Section 3.3, which says:
+##
+## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
+## implement and SHOULD sign using rsa-sha256."
+##
+## This forces that violation to be explicitly selected by the administrator.
+
+# AllowSHA1Only no
+
+## AlwaysAddARHeader { yes | no }
+## default "no"
+##
+## Add an "Authentication-Results:" header even to unsigned messages
+## from domains with no "signs all" policy. The reported DKIM result
+## will be "none" in such cases. Normally unsigned mail from non-strict
+## domains does not cause the results header to be added.
+
+# AlwaysAddARHeader no
+
+## AuthservID string
+## default (local host name)
+##
+## Defines the "authserv-id" token to be used when generating
+## Authentication-Results headers after message verification.
+
+# AuthservID example.com
+
+## AuthservIDWithJobID
+## default "no"
+##
+## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
+## when generating Authentication-Results headers after message verification.
+
+# AuthservIDWithJobId no
+
+## AutoRestart { yes | no }
+## default "no"
+##
+## Indicate whether or not the filter should arrange to restart automatically
+## if it crashes.
+
+# AutoRestart No
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of
+## automatic restarts, the filter will give up and terminate. A value of 0
+## implies no limit.
+
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (none)
+##
+## Sets the maximum automatic restart rate. See the opendkim.conf(5)
+## man page for the format of this parameter.
+
+# AutoRestartRate n/tu
+
+## Background { yes | no }
+## default "yes"
+##
+## Indicate whether or not the filter should run in the background.
+
+# Background Yes
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+# BaseDirectory /run/opendkim
+
+## BodyLengthDB dataset
+## default (none)
+##
+## A data set that is checked against envelope recipients to see if a
+## body length tag should be included in the generated signature.
+## This has security implications; see opendkim.conf(5) for details.
+
+# BodyLengthDB dataset
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+Canonicalization relaxed/simple
+
+## ClockDrift n
+## default 300
+##
+## Specify the tolerance range for expired signatures or signatures
+## which appear to have timestamps in the future, allowing for clock
+## drift.
+
+# ClockDrift 300
+
+## Diagnostics { yes | no }
+## default "no"
+##
+## Specifies whether or not signatures with header diagnostic tags should
+## be generated.
+
+# Diagnostics No
+
+## DNSTimeout n
+## default 10
+##
+## Specify the time in seconds to wait for replies from the nameserver when
+## requesting keys or signing policies.
+
+# DNSTimeout 10
+
+## Domain dataset
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+Domain flylightning.xyz
+
+## DomainKeysCompat { yes | no }
+## default "no"
+##
+## When enabled, backward compatibility with DomainKeys (RFC4870) key
+## records is enabled. Otherwise, such key records are considered to be
+## syntactically invalid.
+
+# DomainKeysCompat no
+
+## DontSignMailTo dataset
+## default (none)
+##
+## Gives a list of recipient addresses or address patterns whose mail should
+## not be signed.
+
+# DontSignMailTo addr1,addr2,...
+
+## EnableCoredumps { yes | no }
+## default "no"
+##
+## On systems which have support for such, requests that the kernel dump
+## core even though the process may change user ID during its execution.
+
+# EnableCoredumps no
+
+## ExemptDomains dataset
+## default (none)
+##
+## A data set of domain names that are checked against the message sender's
+## domain. If a match is found, the message is ignored by the filter.
+
+# ExemptDomains domain1,domain2,...
+
+## ExternalIgnoreList filename
+##
+## Names a file from which a list of externally-trusted hosts is read.
+## These are hosts which are allowed to send mail through you for signing.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# ExternalIgnoreList filename
+
+## FixCRLF { yes | no }
+##
+## Requests that the library convert "naked" CR and LF characters to
+## CRLFs during canonicalization. The default is "no".
+
+# FixCRLF no
+
+## IgnoreMalformedMail { yes | no }
+## default "no"
+##
+## Silently passes malformed messages without alteration. This includes
+## messages that fail the RequiredHeaders check, if enabled. The default is
+## to pass those messages but add an Authentication-Results field indicating
+## that they were malformed.
+
+# IgnoreMalformedMail no
+
+## InternalHosts dataset
+## default "127.0.0.1"
+##
+## Names a file from which a list of internal hosts is read. These are
+## hosts from which mail should be signed rather than verified.
+## Automatically contains 127.0.0.1.
+
+# InternalHosts dataset
+
+## KeepTemporaryFiles { yes | no }
+## default "no"
+##
+## If set, causes temporary files generated during message signing or
+## verifying to be left behind for debugging use. Not for normal operation;
+## can fill your disks quite fast on busy systems.
+
+# KeepTemporaryFiles no
+
+## KeyFile filename
+## default (none)
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## SigningTable and KeyTable are used. No default; must be specified for
+## signing if SigningTable/KeyTable are not in use.
+
+KeyFile /etc/opendkim/mail.private
+
+## KeyTable dataset
+## default (none)
+##
+## Defines a table that will be queried to convert key names to
+## sets of data of the form (signing domain, signing selector, private key).
+## The private key can either contain a PEM-formatted private key,
+## a base64-encoded DER format private key, or a path to a file containing
+## one of those.
+
+# KeyTable dataset
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation. A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the opendkim(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+# LogWhy no
+
+## MacroList macro[=value][,...]
+##
+## Gives a set of MTA-provided macros which should be checked to see
+## if the sender has been determined to be a local user and therefore
+## whether or not signing should be done. See opendkim.conf(5) for
+## more information.
+
+# MacroList foo=bar,baz=blivit
+
+## MaximumHeaders n
+##
+## Disallow messages whose header blocks are bigger than "n" bytes.
+## Intended to detect and block a denial-of-service attack. The default
+## is 65536. A value of 0 disables this test.
+
+# MaximumHeaders n
+
+## MaximumSignaturesToVerify n
+## (default 3)
+##
+## Verify no more than "n" signatures on an arriving message.
+## A value of 0 means "no limit".
+
+# MaximumSignaturesToVerify n
+
+## MaximumSignedBytes n
+##
+## Don't sign more than "n" bytes of the message. The default is to
+## sign the entire message. Setting this implies "BodyLengths".
+
+# MaximumSignedBytes n
+
+## MilterDebug n
+##
+## Request a debug level of "n" from the milter library. The default is 0.
+
+# MilterDebug 0
+
+## Minimum n[% | +]
+## default 0
+##
+## Sets a minimum signing volume; one of the following formats:
+## n at least n bytes (or the whole message, whichever is less)
+## must be signed
+## n% at least n% of the message must be signed
+## n+ if a length limit was presented in the signature, no more than
+## n bytes may have been added
+
+# Minimum n
+
+## MinimumKeyBits n
+## default 1024
+##
+## Causes the library not to accept signatures matching keys made of fewer
+## than the specified number of bits, even if they would otherwise pass
+## DKIM signing.
+
+# MinimumKeyBits 1024
+
+## Mode [sv]
+## default sv
+##
+## Indicates which mode(s) of operation should be provided. "s" means
+## "sign", "v" means "verify".
+
+# Mode sv
+
+## MTA dataset
+## default (none)
+##
+## Specifies a list of MTAs whos mail should always be signed rather than
+## verified. The "mtaname" is extracted from the DaemonPortOptions line
+## in effect.
+
+# MTA name
+
+## MultipleSignatures { yes | no }
+## default no
+##
+## Allows multiple signatures to be added. If set to "true" and a SigningTable
+## is in use, all SigningTable entries that match the candidate message will
+## cause a signature to be added. Otherwise, only the first matching
+## SigningTable entry will be added, or only the key defined by Domain,
+## Selector and KeyFile will be added.
+
+# MultipleSignatures no
+
+## MustBeSigned dataset
+## default (none)
+##
+## Defines a list of headers which, if present on a message, must be
+## signed for the signature to be considered acceptable.
+
+# MustBeSigned header1,header2,...
+
+## Nameservers addr1[,addr2[,...]]
+## default (none)
+##
+## Provides a comma-separated list of IP addresses that are to be used when
+## doing DNS queries to retrieve DKIM keys, VBR records, etc.
+## These override any local defaults built in to the resolver in use, which
+## may be defined in /etc/resolv.conf or hard-coded into the software.
+
+# Nameservers addr1,addr2,...
+
+## NoHeaderB { yes | no }
+## default "no"
+##
+## Suppresses addition of "header.b" tags on Authentication-Results
+## header fields.
+
+# NoHeaderB no
+
+## OmitHeaders dataset
+## default (none)
+##
+## Specifies a list of headers that should always be omitted when signing.
+## Header names should be separated by commas.
+
+# OmitHeaders header1,header2,...
+
+## On-...
+##
+## Specifies what to do when certain error conditions are encountered.
+##
+## See opendkim.conf(5) for more information.
+
+# On-Default
+# On-BadSignature
+# On-DNSError
+# On-InternalError
+# On-NoSignature
+# On-Security
+# On-SignatureError
+
+## OversignHeaders dataset
+## default (none)
+##
+## Specifies a set of header fields that should be included in all signature
+## header lists (the "h=" tag) once more than the number of times they were
+## actually present in the signed message. See opendkim.conf(5) for more
+## information.
+
+# OverSignHeaders header1,header2,...
+
+## PeerList dataset
+## default (none)
+##
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+
+# PeerList filename
+
+## PidFile filename
+## default (none)
+##
+## Name of the file where the filter should write its pid before beginning
+## normal operations.
+
+# PidFile filename
+
+## POPDBFile dataset
+## default (none)
+##
+## Names a database which should be checked for "POP before SMTP" records
+## as a form of authentication of users who may be sending mail through
+## the MTA for signing. Requires special compilation of the filter.
+## See opendkim.conf(5) for more information.
+
+# POPDBFile filename
+
+## Quarantine { yes | no }
+## default "no"
+##
+## Indicates whether or not the filter should arrange to quarantine mail
+## which fails verification. Intended for diagnostic use only.
+
+# Quarantine No
+
+## QueryCache { yes | no }
+## default "no"
+##
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local. The filter must be compiled with the QUERY_CACHE flag to enable
+## this feature, since it adds a library dependency.
+
+# QueryCache No
+
+## RedirectFailuresTo address
+## default (none)
+##
+## Redirects signed messages to the specified address if none of the
+## signatures present failed to verify.
+
+# RedirectFailuresTo postmaster@example.com
+
+## RemoveARAll { yes | no }
+## default "no"
+##
+## Remove all Authentication-Results: headers on all arriving mail.
+
+# RemoveARAll No
+
+## RemoveARFrom dataset
+## default (none)
+##
+## Remove all Authentication-Results: headers on all arriving mail that
+## claim to have been added by hosts listed in this parameter. The list
+## should be comma-separated. Entire domains may be specified by preceding
+## the dopmain name by a single dot (".") character.
+
+# RemoveARFrom host1,host2,.domain1,.domain2,...
+
+## RemoveOldSignatures { yes | no }
+## default "no"
+##
+## Remove old signatures on messages, if any, when generating a signature.
+
+# RemoveOldSignatures No
+
+## ReportAddress addr
+## default (executing user)@(hostname)
+##
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used.
+
+# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
+
+## ReportBccAddress addr
+## default (none)
+##
+## Specifies additional recipient address(es) to receive outgoing failure
+## reports.
+
+# ReportBccAddress postmaster@example.com, john@example.com
+
+## RequiredHeaders { yes | no }
+## default no
+##
+## Rejects messages which don't conform to RFC5322 header count requirements.
+
+# RequiredHeaders No
+
+## RequireSafeKeys { yes | no }
+## default yes
+##
+## Refuses to use key files that appear to have unsafe permissions.
+
+# RequireSafeKeys Yes
+
+## ResignAll { yes | no }
+## default no
+##
+## Where ResignMailTo triggers a re-signing action, this flag indicates
+## whether or not all mail should be signed (if set) versus only verified
+## mail being signed (if not set).
+
+# ResignAll No
+
+## ResignMailTo dataset
+## default (none)
+##
+## Checks each message recipient against the specified dataset for a
+## matching record. The full address is checked in each case, then the
+## hostname, then each domain preceded by ".". If there is a match, the
+## value returned is presumed to be the name of a key in the KeyTable
+## (if defined) to be used to re-sign the message in addition to
+## verifying it. If there is a match without a KeyTable, the default key
+## is applied.
+
+# ResignMailTo dataset
+
+## ResolverConfiguration string
+##
+## Passes arbitrary configuration data to the resolver. For the stock UNIX
+## resolver, this is ignored; for Unbound, it names an unbound.conf(5)-style
+## file that should be read for configuration information.
+
+# ResolverConfiguration string
+
+## ResolverTracing { yes | no }
+##
+## Requests enabling of resolver trace features, if available. The effect
+## of setting this flag depends on how trace features, if any, are implemented
+## in the resolver in use. Currently only effective when used with the
+## OpenDKIM asynchronous resolver.
+
+# ResolverTracing no
+
+## Selector name
+##
+## The name of the selector to use when signing. No default; must be
+## specified for signing.
+
+Selector mail
+
+## SenderHeaders dataset
+## default (none)
+##
+## Overrides the default list of headers that will be used to determine
+## the sending domain when deciding whether to sign the message and with
+## with which key(s). See opendkim.conf(5) for details.
+
+# SenderHeaders From
+
+## SendReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+
+# SendReports No
+
+## SignatureAlgorithm signalg
+## default "rsa-sha256"
+##
+## Signature algorithm to use when generating signatures. Must be one of
+## "rsa-sha1", "rsa-sha256", or "ed25519-sha256".
+
+# SignatureAlgorithm rsa-sha256
+
+## SignatureTTL seconds
+## default "0"
+##
+## Specifies the lifetime in seconds of signatures generated by the
+## filter. A value of 0 means no expiration time is included in the
+## signature.
+
+# SignatureTTL 0
+
+## SignHeaders dataset
+## default (none)
+##
+## Specifies the list of headers which should be included when generating
+## signatures. The string should be a comma-separated list of header names.
+## See the opendkim.conf(5) man page for more information.
+
+# SignHeaders header1,header2,...
+
+## SigningTable dataset
+## default (none)
+##
+## Defines a dataset that will be queried for the message sender's address
+## to determine which private key(s) (if any) should be used to sign the
+## message. The sender is determined from the value of the sender
+## header fields as described with SenderHeaders above. The key for this
+## lookup should be an address or address pattern that matches senders;
+## see the opendkim.conf(5) man page for more information. The value
+## of the lookup should return the name of a key found in the KeyTable
+## that should be used to sign the message. If MultipleSignatures
+## is set, all possible lookup keys will be attempted which may result
+## in multiple signatures being applied.
+
+# SigningTable filename
+
+## SingleAuthResult { yes | no}
+## default "no"
+##
+## When DomainKeys verification is enabled, multiple Authentication-Results
+## will be added, one for DK and one for DKIM. With this enabled, only
+## a DKIM result will be reported unless DKIM failed but DK passed, in which
+## case only a DK result will be reported.
+
+# SingleAuthResult no
+
+## SMTPURI uri
+##
+## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
+## via SMTP when notifications are generated.
+
+# SMTPURI smtp://localhost
+
+## Socket socketspec
+##
+## Names the socket where this filter should listen for milter connections
+## from the MTA. Required. Should be in one of these forms:
+##
+## inet:port@address to listen on a specific interface
+## inet:port to listen on all interfaces
+## local:/path/to/socket to listen on a UNIX domain socket
+
+Socket local:/run/opendkim/opendkim.sock
+
+## SoftwareHeader { yes | no }
+## default "no"
+##
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+
+# SoftwareHeader no
+
+## StrictHeaders { yes | no }
+## default "no"
+##
+## Requests that the DKIM library refuse to process a message whose
+## header fields do not conform to the standards, in particular Section 3.6
+## of RFC5322.
+
+# StrictHeaders no
+
+## StrictTestMode { yes | no }
+## default "no"
+##
+## Selects strict CRLF mode during testing (see the "-t" command line
+## flag in the opendkim(8) man page). Messages for which all header
+## fields and body lines are not CRLF-terminated are considered malformed
+## and will produce an error.
+
+# StrictTestMode no
+
+## SubDomains { yes | no }
+## default "no"
+##
+## Sign for subdomains as well?
+
+# SubDomains No
+
+## Syslog { yes | no }
+## default "yes"
+##
+## Log informational and error activity to syslog?
+
+Syslog Yes
+
+## SyslogFacility facility
+## default "mail"
+##
+## Valid values are :
+## auth cron daemon kern lpr mail news security syslog user uucp
+## local0 local1 local2 local3 local4 local5 local6 local7
+##
+## syslog facility to be used
+
+# SyslogFacility mail
+
+## SyslogName ident
+## default "opendkim" (or the name of the executable)
+##
+## Identifier to be prepended to all generated log entries.
+
+# SyslogName opendkim
+
+## SyslogSuccess { yes | no }
+## default "no"
+##
+## Log success activity to syslog?
+
+# SyslogSuccess No
+
+## TemporaryDirectory path
+## default /tmp
+##
+## Specifies which directory will be used for creating temporary files
+## during message processing.
+
+# TemporaryDirectory /tmp
+
+## TestPublicKeys filename
+## default (none)
+##
+## Names a file from which public keys should be read. Intended for use
+## only during automated testing.
+
+# TestPublicKeys /tmp/testkeys
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+# TrustAnchorFile /var/named/trustanchor
+
+## UMask mask
+## default (none)
+##
+## Change the process umask for file creation to the specified value.
+## The system has its own default which will be used (usually 022).
+## See the umask(2) man page for more information.
+
+UMask 002
+
+## Userid userid
+## default (none)
+##
+## Change to user "userid" before starting normal operation? May include
+## a group ID as well, separated from the userid by a colon.
+
+UserID opendkim
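Review bot: With `Mode` and `InternalHosts` left at their defaults the filter signs only mail arriving from 127.0.0.1 and verifies everything else, so mail submitted by authenticated users from remote addresses will not be signed with `mail.private` unless Postfix attaches this milter only to the submission services or `MacroList` is set (the `MacroList macro[=value]` form documented above, keyed on the MTA's SMTP AUTH macro — confirm which macros master.cf exports); a one-line comment above `Domain flylightning.xyz` stating how outbound mail reaches the signer would make that checkable. Separately, `UMask 002` creates the socket at `/run/opendkim/opendkim.sock` group-writable but not world-writable, and `UserID opendkim` without a `:group` suffix leaves the socket in the process's primary group, so the Postfix user must be a member of that group (or `UserID opendkim:mail` used, matching the `opendkim mail` ownership of `/etc/opendkim` elsewhere in this commit); a comment such as `# 002: socket must be group-writable for the postfix user to connect` next to `UMask 002` would record which is intended. `Canonicalization relaxed/simple` also invalidates the signature on any body whitespace change in transit; `relaxed/relaxed` is the usual choice unless strict body matching is deliberately wanted.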
diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf
new file mode 100644
index 00000000..f8d8120c
--- /dev/null
+++ b/etc/opendmarc/opendmarc.conf
@@ -0,0 +1,371 @@
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+##
+## Renamed in 1.3.0:
+## ForensicReports became FailureReports
+## ForensicReportsBcc became FailureReportsBcc
+## ForensicReportsOnNone became FailureReportsOnNone
+## ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
+
+## AuthservID (string)
+## defaults to MTA name
+##
+## Sets the "authserv-id" to use when generating the Authentication-Results:
+## header field after verifying a message. If the string "HOSTNAME" is
+## provided, the name of the host running the filter (as returned by the
+## gethostname(3) function) will be used.
+#
+# AuthservID name
+AuthservID HOSTNAME
+
+## AuthservIDWithJobID { true | false }
+## default "false"
+##
+## If "true", requests that the authserv-id portion of the added
+## Authentication-Results header fields contain the job ID of the message
+## being evaluated.
+#
+# AuthservIDWithJobID false
+
+## AutoRestart { true | false }
+## default "false"
+##
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of automatic
+## restarts, the filter will give up and terminate. A value of 0 implies no
+## limit.
+#
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (no limit)
+##
+## Sets the maximum automatic restart rate. If the filter begins restarting
+## faster than the rate defined here, it will give up and terminate. This
+## is a string of the form n/t[u] where n is an integer limiting the count
+## of restarts in the given interval and t[u] defines the time interval
+## through which the rate is calculated; t is an integer and u defines the
+## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+## value of "10/1h" limits the restarts to 10 in one hour. There is no
+## default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+## Background { true | false }
+## default "true"
+##
+## Causes opendmarc to fork and exits immediately, leaving the service
+## running in the background.
+#
+# Background true
+
+## BaseDirectory (string)
+## default (none)
+##
+## If set, instructs the filter to change to the specified directory using
+## chdir(2) before doing anything else. This means any files referenced
+## elsewhere in the configuration file can be specified relative to this
+## directory. It's also useful for arranging that any crash dumps will be
+## saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+## ChangeRootDirectory (string)
+## default (none)
+##
+## Requests that the operating system change the effective root directory of
+## the process to the one specified here prior to beginning execution.
+## chroot(2) requires superuser access. A warning will be generated if
+## UserID is not also set.
+#
+# ChangeRootDirectory /var/chroot/opendmarc
+
+## CopyFailuresTo (string)
+## default (none)
+##
+## Requests addition of the specified email address to the envelope of
+## any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+## DNSTimeout (integer)
+## default 5
+##
+## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
+## (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+## EnableCoredumps { true | false }
+## default "false"
+##
+## On systems that have such support, make an explicit request to the kernel
+## to dump cores when the filter crashes for some reason. Some modern UNIX
+## systems suppress core dumps during crashes for security reasons if the
+## user ID has changed during the lifetime of the process. Currently only
+## supported on Linux.
+#
+# EnableCoreDumps false
+
+## FailureReports { true | false }
+## default "false"
+##
+## Enables generation of failure reports when the DMARC test fails and the
+## purported sender of the message has requested such reports. Reports are
+## formatted per RFC6591.
+#
+# FailureReports false
+
+## FailureReportsBcc (string)
+## default (none)
+##
+## When failure reports are enabled and one is to be generated, always
+## send one to the address(es) specified here. If a failure report is
+## requested by the domain owner, the address(es) are added in a Bcc: field.
+## If no request is made, they address(es) are used in a To: field. There
+## is no default.
+#
+# FailureReportsBcc postmaster@example.coom
+
+## FailureReportsOnNone { true | false }
+## default "false"
+##
+## Supplements the "FailureReports" setting by generating reports for
+## domains that advertise "none" policies. By default, reports are only
+## generated (when enabled) for sending domains advertising a "quarantine"
+## or "reject" policy.
+#
+# FailureReportsOnNone false
+
+## FailureReportsSentBy string
+## default "USER@HOSTNAME"
+##
+## Specifies the email address to use in the From: field of failure
+## reports generated by the filter. The default is to use the userid of
+## the user running the filter and the local hostname to construct an
+## email address. "postmaster" is used in place of the userid if a name
+## could not be determined.
+#
+# FailureReportsSentBy USER@HOSTNAME
+
+## HistoryFile path
+## default (none)
+##
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are groups
+## of rows containing information about a single received message, and
+## include all relevant information needed to generate a DMARC aggregate
+## report. It is expected that this will not be used in its raw form, but
+## rather periodically imported into a relational database from which the
+## aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/run/opendmarc.dat
+
+## IgnoreAuthenticatedClients { true | false }
+## default "false"
+##
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter.
+#
+IgnoreAuthenticatedClients true
+
+## IgnoreHosts path
+## default (internal)
+##
+## Specifies the path to a file that contains a list of hostnames, IP
+## addresses, and/or CIDR expressions identifying hosts whose SMTP
+## connections are to be ignored by the filter. If not specified, defaults
+## to "127.0.0.1" only.
+#
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+## IgnoreMailFrom domain[,...]
+## default (none)
+##
+## Gives a list of domain names whose mail (based on the From: domain) is to
+## be ignored by the filter. The list should be comma-separated. Matching
+## against this list is case-insensitive. The default is an empty list,
+## meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+## MilterDebug (integer)
+## default 0
+##
+## Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+## PidFile path
+## default (none)
+##
+## Specifies the path to a file that should be created at process start
+## containing the process ID.
+#
+# PidFile /var/run/opendmarc.pid
+
+## PublicSuffixList path
+## default (none)
+##
+## Specifies the path to a file that contains top-level domains (TLDs) that
+## will be used to compute the Organizational Domain for a given domain name,
+## as described in the DMARC specification. If not provided, the filter will
+## not be able to determine the Organizational Domain and only the presented
+## domain will be evaluated.
+#
+# PublicSuffixList path
+
+## RecordAllMessages { true | false }
+## default "false"
+##
+## If set and "HistoryFile" is in use, all received messages are recorded
+## to the history file. If not set (the default), only messages for which
+## the From: domain published a DMARC record will be recorded in the
+## history file.
+#
+# RecordAllMessages false
+
+## RejectFailures { true | false }
+## default "false"
+##
+## If set, messages will be rejected if they fail the DMARC evaluation, or
+## temp-failed if evaluation could not be completed. By default, no message
+## will be rejected or temp-failed regardless of the outcome of the DMARC
+## evaluation of the message. Instead, an Authentication-Results header
+## field will be added.
+#
+# RejectFailures false
+
+## ReportCommand string
+## default "/usr/sbin/sendmail -t"
+##
+## Indicates the shell command to which failure reports should be passed for
+## delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+## RequiredHeaders { true | false }
+## default "false"
+##
+## If set, the filter will ensure the header of the message conforms to the
+## basic header field count restrictions laid out in RFC5322, Section 3.6.
+## Messages failing this test are rejected without further processing. A
+## From: field from which no domain name could be extracted will also be
+## rejected.
+#
+# RequiredHeaders false
+
+## Socket socketspec
+## default (none)
+##
+## Specifies the socket that should be established by the filter to receive
+## connections from sendmail(8) in order to provide service. socketspec is
+## in one of two forms: local:path, which creates a UNIX domain socket at
+## the specified path, or inet:port[@host] or inet6:port[@host] which creates
+## a TCP socket on the specified port for the appropriate protocol family.
+## If the host is not given as either a hostname or an IP address, the
+## socket will be listening on all interfaces. This option is mandatory
+## either in the configuration file or on the command line. If an IP
+## address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+#Socket unix:/var/spool/opendmarc/opendmarc.sock
+Socket unix:/run/opendmarc/opendmarc.sock
+
+## SoftwareHeader { true | false }
+## default "false"
+##
+## Causes the filter to add a "DMARC-Filter" header field indicating the
+## presence of this filter in the path of the message from injection to
+## delivery. The product's name, version, and the job ID are included in
+## the header field's contents.
+#
+# SoftwareHeader false
+
+## SPFIgnoreResults { true | false }
+## default "false"
+##
+## Causes the filter to ignore any SPF results in the header of the
+## message. This is useful if you want the filter to perfrom SPF checks
+## itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+## SPFSelfValidate { true | false }
+## default false
+##
+## Enable internal spf checking with --with-spf
+## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+## Causes the filter to perform a fallback SPF check itself when
+## it can find no SPF results in the message header. If SPFIgnoreResults
+## is also set, it never looks for SPF results in headers and
+## always performs the SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+## Syslog { true | false }
+## default "false"
+##
+## Log via calls to syslog(3) any interesting activity.
+#
+# Syslog false
+
+## SyslogFacility facility-name
+## default "mail"
+##
+## Log via calls to syslog(3) using the named facility. The facility names
+## are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+## TrustedAuthservIDs string
+## default HOSTNAME
+##
+## Specifies one or more "authserv-id" values to trust as relaying true
+## upstream DKIM and SPF results. The default is to use the name of
+## the MTA processing the message. To specify a list, separate each entry
+## with a comma. The key word "HOSTNAME" will be replaced by the name of
+## the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+## UMask mask
+## default (none)
+##
+## Requests a specific permissions mask to be used for file creation. This
+## only really applies to creation of the socket when Socket specifies a
+## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+## files are normally created by the mkstemp(3) function that enforces a
+## specific file mode on creation regardless of the process umask. See
+## umask(2) for more information.
+#
+# UMask 077
+UMask 002
+
+## UserID user[:group]
+## default (none)
+##
+## Attempts to become the specified userid before starting operations.
+## The process will be assigned all of the groups and primary group ID of
+## the named userid unless an alternate group is specified.
+#
+# UserID opendmarc
+# ATTENTION: user and group are enforced throug the systemd service file
diff --git a/etc/postfix/aliases b/etc/postfix/aliases
new file mode 100644
index 00000000..a4c4f8a0
--- /dev/null
+++ b/etc/postfix/aliases
@@ -0,0 +1,274 @@
+#
+# Sample aliases file. Install in the location as specified by the
+# output from the command "postconf alias_maps". Typical path names
+# are /etc/aliases or /etc/mail/aliases.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to Postfix.
+#
+
+# Person who should get root's mail. Don't receive mail as root!
+# https://wiki.archlinux.org/title/Postfix#Aliases
+root: xyz
+
+# Basic system aliases -- these MUST be present
+MAILER-DAEMON: postmaster
+postmaster: root
+
+# General redirections for pseudo accounts
+bin: root
+daemon: root
+named: root
+nobody: root
+uucp: root
+www: root
+ftp-bugs: root
+postfix: root
+
+# Put your local aliases here.
+
+# Well-known aliases
+manager: root
+dumper: root
+operator: root
+abuse: postmaster
+
+# trap decode to catch security attacks
+decode: root
+
+# ALIASES(5) ALIASES(5)
+#
+# NAME
+# aliases - Postfix local alias database format
+#
+# SYNOPSIS
+# newaliases
+#
+# DESCRIPTION
+# The optional aliases(5) table (alias_maps) redirects mail
+# for local recipients. The redirections are processed by
+# the Postfix local(8) delivery agent.
+#
+# This is unlike virtual(5) aliasing (virtual_alias_maps)
+# which applies to all recipients: local(8), virtual, and
+# remote, and which is implemented by the cleanup(8) daemon.
+#
+# Normally, the aliases(5) table is specified as a text file
+# that serves as input to the postalias(1) command. The
+# result, an indexed file in dbm or db format, is used for
+# fast lookup by the mail system. Execute the command
+# newaliases in order to rebuild the indexed file after
+# changing the Postfix alias database.
+#
+# When the table is provided via other means such as NIS,
+# LDAP or SQL, the same lookups are done as for ordinary
+# indexed files.
+#
+# Alternatively, the table can be provided as a regu-
+# lar-expression map where patterns are given as regular
+# expressions. In this case, the lookups are done in a
+# slightly different way as described below under "REGULAR
+# EXPRESSION TABLES".
+#
+# Users can control delivery of their own mail by setting up
+# .forward files in their home directory. Lines in per-user
+# .forward files have the same syntax as the right-hand side
+# of aliases(5) entries.
+#
+# The format of the alias database input file is as follows:
+#
+# o An alias definition has the form
+#
+# name: value1, value2, ...
+#
+# o Empty lines and whitespace-only lines are ignored,
+# as are lines whose first non-whitespace character
+# is a `#'.
+#
+# o A logical line starts with non-whitespace text. A
+# line that starts with whitespace continues a logi-
+# cal line.
+#
+# The name is a local address (no domain part). Use double
+# quotes when the name contains any special characters such
+# as whitespace, `#', `:', or `@'. The name is folded to
+# lowercase, in order to make database lookups case insensi-
+# tive.
+#
+# In addition, when an alias exists for owner-name, this
+# will override the envelope sender address, so that deliv-
+# ery diagnostics are directed to owner-name, instead of the
+# originator of the message (for details, see
+# owner_request_special, expand_owner_alias and
+# reset_owner_alias). This is typically used to direct
+# delivery errors to the maintainer of a mailing list, who
+# is in a better position to deal with mailing list delivery
+# problems than the originator of the undelivered mail.
+#
+# The value contains one or more of the following:
+#
+# address
+# Mail is forwarded to address, which is compatible
+# with the RFC 822 standard.
+#
+# /file/name
+# Mail is appended to /file/name. For details on how
+# a file is written see the sections "EXTERNAL FILE
+# DELIVERY" and "DELIVERY RIGHTS" in the local(8)
+# documentation. Delivery is not limited to regular
+# files. For example, to dispose of unwanted mail,
+# deflect it to /dev/null.
+#
+# |command
+# Mail is piped into command. Commands that contain
+# special characters, such as whitespace, should be
+# enclosed between double quotes. For details on how
+# a command is executed see "EXTERNAL COMMAND DELIV-
+# ERY" and "DELIVERY RIGHTS" in the local(8) documen-
+# tation.
+#
+# When the command fails, a limited amount of command
+# output is mailed back to the sender. The file
+# /usr/include/sysexits.h defines the expected exit
+# status codes. For example, use "|exit 67" to simu-
+# late a "user unknown" error, and "|exit 0" to
+# implement an expensive black hole.
+#
+# :include:/file/name
+# Mail is sent to the destinations listed in the
+# named file. Lines in :include: files have the same
+# syntax as the right-hand side of alias entries.
+#
+# A destination can be any destination that is
+# described in this manual page. However, delivery to
+# "|command" and /file/name is disallowed by default.
+# To enable, edit the allow_mail_to_commands and
+# allow_mail_to_files configuration parameters.
+#
+# ADDRESS EXTENSION
+# When alias database search fails, and the recipient local-
+# part contains the optional recipient delimiter (e.g.,
+# user+foo), the search is repeated for the unextended
+# address (e.g., user).
+#
+# The propagate_unmatched_extensions parameter controls
+# whether an unmatched address extension (+foo) is propa-
+# gated to the result of table lookup.
+#
+# CASE FOLDING
+# The local(8) delivery agent always folds the search string
+# to lowercase before database lookup.
+#
+# REGULAR EXPRESSION TABLES
+# This section describes how the table lookups change when
+# the table is given in the form of regular expressions. For
+# a description of regular expression lookup table syntax,
+# see regexp_table(5) or pcre_table(5). NOTE: these formats
+# do not use ":" at the end of a pattern.
+#
+# Each regular expression is applied to the entire search
+# string. Thus, a search string user+foo is not broken up
+# into user and foo.
+#
+# Regular expressions are applied in the order as specified
+# in the table, until a regular expression is found that
+# matches the search string.
+#
+# Lookup results are the same as with indexed file lookups.
+# For security reasons there is no support for $1, $2 etc.
+# substring interpolation.
+#
+# SECURITY
+# The local(8) delivery agent disallows regular expression
+# substitution of $1 etc. in alias_maps, because that would
+# open a security hole.
+#
+# The local(8) delivery agent will silently ignore requests
+# to use the proxymap(8) server within alias_maps. Instead
+# it will open the table directly. Before Postfix version
+# 2.2, the local(8) delivery agent will terminate with a
+# fatal error.
+#
+# CONFIGURATION PARAMETERS
+# The following main.cf parameters are especially relevant.
+# The text below provides only a parameter summary. See
+# postconf(5) for more details including examples.
+#
+# alias_database (see 'postconf -d' output)
+# The alias databases for local(8) delivery that are
+# updated with "newaliases" or with "sendmail -bi".
+#
+# alias_maps (see 'postconf -d' output)
+# Optional lookup tables with aliases that apply only
+# to local(8) recipients; this is unlike vir-
+# tual_alias_maps that apply to all recipients:
+# local(8), virtual, and remote.
+#
+# allow_mail_to_commands (alias, forward)
+# Restrict local(8) mail delivery to external com-
+# mands.
+#
+# allow_mail_to_files (alias, forward)
+# Restrict local(8) mail delivery to external files.
+#
+# expand_owner_alias (no)
+# When delivering to an alias "aliasname" that has an
+# "owner-aliasname" companion alias, set the envelope
+# sender address to the expansion of the
+# "owner-aliasname" alias.
+#
+# propagate_unmatched_extensions (canonical, virtual)
+# What address lookup tables copy an address exten-
+# sion from the lookup key to the lookup result.
+#
+# owner_request_special (yes)
+# Enable special treatment for owner-listname entries
+# in the aliases(5) file, and don't split owner-list-
+# name and listname-request address localparts when
+# the recipient_delimiter is set to "-".
+#
+# recipient_delimiter (empty)
+# The set of characters that can separate an email
+# address localpart, user name, or a .forward file
+# name from its extension.
+#
+# Available in Postfix version 2.3 and later:
+#
+# frozen_delivered_to (yes)
+# Update the local(8) delivery agent's idea of the
+# Delivered-To: address (see prepend_deliv-
+# ered_header) only once, at the start of a delivery
+# attempt; do not update the Delivered-To: address
+# while expanding aliases or .forward files.
+#
+# STANDARDS
+# RFC 822 (ARPA Internet Text Messages)
+#
+# SEE ALSO
+# local(8), local delivery agent
+# newaliases(1), create/update alias database
+# postalias(1), create/update alias database
+# postconf(5), configuration parameters
+#
+# README FILES
+# Use "postconf readme_directory" or "postconf html_direc-
+# tory" to locate this information.
+# DATABASE_README, Postfix lookup table overview
+#
+# LICENSE
+# The Secure Mailer license must be distributed with this
+# software.
+#
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#
+# ALIASES(5)
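Review bot: The live alias table is only the ~25 lines up to `decode: root`; everything after the `# ALIASES(5)` marker is a verbatim paste of the manual page, which will drift from the installed Postfix version and buries the entries an auditor actually needs to check (`root: xyz`, `postmaster: root`, `abuse: postmaster`, `decode: root`). I would replace that whole commented block with a one-line pointer, `# Format and semantics: see aliases(5) ("man 5 aliases"); run "newaliases" after editing.`, so the file reads as configuration rather than documentation. While trimming, it is worth restating next to `root: xyz` that postmaster and abuse both resolve through root to that account, since that chain is what makes the "don't receive mail as root" comment hold. The security-relevant behaviours the pasted text mentions (delivery to `|command` and `/file` being off by default via allow_mail_to_commands / allow_mail_to_files) are set in main.cf, not here, so the pointer loses nothing that this file controls.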
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
new file mode 100644
index 00000000..f5cc794d
--- /dev/null
+++ b/etc/postfix/main.cf
@@ -0,0 +1,747 @@
+# edit configs from:
+# https://wiki.archlinux.org/title/Postfix
+# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
+# https://wiki.archlinux.org/title/OpenDMARC
+# https://wiki.archlinux.org/title/OpenDKIM
+# maybe useful things:
+# `man postconf.5`
+# print config: `postconf`
+# default config: `postconf -d`
+myhostname = mail2.flylightning.xyz
+
+# fix "relay access denied" error when receiving emails
+# I choose to follow `man postconf.5` instruction to only add $mydomain
+# emailwiz way add a lot more to mydestination, see:
+# https://github.com/LukeSmithxyz/emailwiz/pull/275
+# https://github.com/LukeSmithxyz/emailwiz/issues/265
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/postfix/flylightning.pem
+smtpd_tls_key_file = /etc/postfix/flylightning.key
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox
+# command, is necessary as it distinguishes a maildir (which is the actual
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
+home_mailbox = Mail/Inbox/
+
+# https://wiki.archlinux.org/title/OpenDKIM
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+
+# more emailwiz configs, maybe useful:
+
+# TLS required for authentication.
+#smtpd_tls_auth_only = yes
+
+# Exclude insecure and obsolete encryption protocols.
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# helo, sender, relay and recipient restrictions
+#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
+#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
+#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
+#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+#smtpd_helo_required = yes
+#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# TIP: use the command "postconf -n" to view main.cf parameter
+# settings, "postconf parametername" to view a specific parameter,
+# and "postconf 'parametername=value'" to set a specific parameter.
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+#
+compatibility_level = 3.9
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing. When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/bin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/lib/postfix/bin
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes. Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+#
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+
+# SENDING MAIL
+#
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites. If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on. By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain + localhost. On
+# a mail domain gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+#mydestination = $myhostname, localhost.$mydomain, localhost
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+# mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+# For example, you define $mydestination domain recipients in
+# the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+# feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+#
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix. See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = host), Postfix "trusts" only
+# the local machine.
+#
+# Specify "mynetworks_style = subnet" when Postfix should "trust"
+# SMTP clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" or "ip" command.
+#
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network. Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+#
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.3.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to. See the smtpd_relay_restrictions and
+# smtpd_recipient_restrictions descriptions in postconf(5) for detailed
+# information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks, or is
+# SASL authenticated) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+# subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is empty.
+#
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+#
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace. Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains =
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+#
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+#
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+#
+# Specify 0 to disable the feature. Valid delays are 0..10.
+#
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+#
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible. Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+#alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+alias_maps = lmdb:/etc/postfix/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi". This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+#alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+alias_database = $alias_maps
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception: delivery for root is done as $default_privs.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/file/name
+#fallback_transport = cyrus
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients. By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+#
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+#
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+#
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter. The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+# >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+# -dmS $process_name gdb $daemon_directory/$process_name
+# $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/bin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+#
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /etc/postfix
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix
+inet_protocols = ipv4
+shlib_directory = /usr/lib/postfix
+meta_directory = /etc/postfix
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
new file mode 100644
index 00000000..46ed0b73
--- /dev/null
+++ b/etc/postfix/master.cf
@@ -0,0 +1,150 @@
+# I follow these guides:
+# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving)
+
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n - n - - smtpd
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_tls_auth_only=yes
+# -o local_header_rewrite_clients=static:all
+ -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable submissions for loopback clients only, or for any client.
+#127.0.0.1:submissions inet n - n - - smtpd
+submissions inet n - n - - smtpd
+ -o syslog_name=postfix/submissions
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+# -o local_header_rewrite_clients=static:all
+ -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd_<xxx>_restrictions here,
+# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
+# here, and specify mua_<xxx>_restrictions in main.cf (where
+# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop unix - n n - - pipe
+# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#
+#mailman unix - n n - - pipe
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# ${nexthop} ${user}
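Review bot: The submission and submissions entries enable SASL with `-o smtpd_sasl_auth_enable=yes`, but nothing in this file says which backend answers those authentications; if `smtpd_sasl_type` and `smtpd_sasl_path` are set in main.cf (the Dovecot 10-master.conf added in this commit suggests a Dovecot auth socket), a comment above the first entry such as `# SASL backend (smtpd_sasl_type/smtpd_sasl_path) is configured in main.cf` would save the next reader a search. The empty `-o smtpd_relay_restrictions=` on both entries reads like an accident although it is presumably deliberate: with it cleared, `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject` is the only gate on relaying for these ports, so a one-line comment stating that, e.g. `# relay restrictions cleared on purpose; recipient_restrictions below is the only relay gate`, is worth adding.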
diff --git a/etc/services b/etc/services
index 0387cd9c..5081b2a3 100644
--- a/etc/services
+++ b/etc/services
@@ -11516,11 +11516,12 @@ nusrp 49001/tcp
nusdp-disc 49001/udp
inspider 49150/tcp
# my services
-wireguard 49432/udp
# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard 49432/udp
ssh-isp 49812/tcp
iperf3 53497/tcp
+swgp 54635/udp
# qbittorrent-nox web ui port for remote access browser gui
qbt-nox 57151/tcp
# qbittorrent/ options/ connection/ listening port
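Review bot: Moving `wireguard 49432/udp` below the Verizon comment makes that comment — which explains why ssh uses a non-standard port — read as if it described WireGuard; keep the comment directly above `ssh-isp 49812/tcp` by placing the wireguard line before it, as it was. The new `swgp 54635/udp` entry also has no comment, unlike the neighbouring custom ports; a one-liner naming its consumer, e.g. `# swgp-go.service listening port` (the unit is enabled elsewhere in this commit), keeps the block self-explanatory.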
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
deleted file mode 100644
index f9dfe95d..00000000
--- a/etc/systemd/network/default.network
+++ /dev/null
@@ -1,15 +0,0 @@
-[Match]
-Name=eth0
-
-[Address]
-Address=89.213.174.92/24
-
-[Address]
-Address=2a0f:9400:7e11:bce7::1/64
-
-[Route]
-Gateway=89.213.174.1
-
-[Route]
-Gateway=2a0f:9400:7e11::1
-GatewayOnLink=yes
diff --git a/etc/systemd/system/acme.sh.service.d/override.conf b/etc/systemd/system/acme.sh.service.d/override.conf
new file mode 100644
index 00000000..722f60a6
--- /dev/null
+++ b/etc/systemd/system/acme.sh.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix
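Review bot: `ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix` lets the acme.sh unit write anywhere under /etc/postfix, including main.cf and master.cf, when a deploy hook presumably only needs to drop a certificate and key there; if that is the case, narrowing the third path to what the hook actually writes, `ReadWritePaths=/etc/acme.sh /var/log/acme.sh <PATH_THE_DEPLOY_HOOK_WRITES_UNDER_/etc/postfix>`, keeps a bug in the renewal hook from rewriting the MTA configuration. A comment above the line stating why /etc/postfix is writable, e.g. `# deploy hook installs the renewed certificate for Postfix`, would also record the intent.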
diff --git a/etc/systemd/system/opendmarc.service.d/override.conf b/etc/systemd/system/opendmarc.service.d/override.conf
new file mode 100644
index 00000000..40ab443c
--- /dev/null
+++ b/etc/systemd/system/opendmarc.service.d/override.conf
@@ -0,0 +1,4 @@
+# https://wiki.archlinux.org/title/OpenDMARC
+[Service]
+Group=
+Group=postfix
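Review bot: The `Group=` line before `Group=postfix` is the reset idiom for list-valued settings; `Group=` takes a single value, so the drop-in's `Group=postfix` replaces the packaged unit's value on its own and the blank assignment can be dropped. The reason for the change is not stated either; since the tmpfiles entry in this commit creates /run/opendmarc as 0750 opendmarc:postfix, a comment above `[Service]` such as `# run with group postfix so the milter socket under /run/opendmarc is reachable by smtpd` would record it — adjust if the socket lives elsewhere.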
diff --git a/etc/tmpfiles.d/opendmarc.conf b/etc/tmpfiles.d/opendmarc.conf
new file mode 100644
index 00000000..126d2922
--- /dev/null
+++ b/etc/tmpfiles.d/opendmarc.conf
@@ -0,0 +1 @@
+D /run/opendmarc 0750 opendmarc postfix
diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme
index 58f6080c..026331c3 100644
--- a/home/xyz/.config/myconf/pacman_Qqme
+++ b/home/xyz/.config/myconf/pacman_Qqme
@@ -1,4 +1,5 @@
absolutely-proprietary
+acme.sh-systemd
atool2-git
bash-complete-alias
dashbinsh
@@ -9,4 +10,5 @@ librespeed-cli-bin
neovim-plug
paru-bin
pipdeptree
+swgp-go
task-spooler
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index e6f67aba..7efe7697 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -3,6 +3,7 @@ base-devel
bash-completion
dash
devtools
+dovecot
fastfetch
fio
fsh-git
@@ -17,12 +18,15 @@ lf
linux
lostfiles
lsof
+mailutils
man-pages
moreutils
neovim
nethogs
nftables
openbsd-netcat
+opendkim
+opendmarc
openssh
p7zip
pacman-contrib
@@ -31,11 +35,13 @@ posix-c-development
posix-software-development
posix-user-portability
posix-xsi
+postfix
python-pip
qbittorrent-nox
rebuild-detector
reflector
shellcheck
+socat
speedtest-cli
strace
systemd-resolvconf
@@ -47,6 +53,7 @@ tree
unrar-free
unzip
vidir2-git
+wget
wireguard-tools
xdg-user-dirs
zip
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index a0dc6868..576c1d39 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -1,8 +1,13 @@
UNIT FILE STATE PRESET
+dovecot.service enabled disabled
getty@.service enabled enabled
jackett.service enabled disabled
nftables.service enabled disabled
+opendkim.service enabled disabled
+opendmarc.service enabled disabled
+postfix.service enabled disabled
sshd.service enabled disabled
+swgp-go.service enabled disabled
systemd-network-generator.service enabled enabled
systemd-networkd-wait-online.service enabled enabled
systemd-networkd.service enabled enabled
@@ -12,7 +17,8 @@ systemd-timesyncd.service enabled enabled
systemd-networkd.socket enabled disabled
systemd-userdbd.socket enabled enabled
remote-fs.target enabled enabled
+acme.sh.timer enabled disabled
paccache.timer enabled disabled
pacman-filesdb-refresh.timer enabled disabled
-15 unit files listed.
+20 unit files listed.