Diffstat (limited to 'etc/postfix')
| -rw-r--r-- | etc/postfix/main.cf | 59 | ||||
| -rw-r--r-- | etc/postfix/master.cf | 37 | 
2 files changed, 79 insertions, 17 deletions
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index 1d93a701..0c36d421 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -1,3 +1,62 @@
+# edit configs from:
+# https://wiki.archlinux.org/title/Postfix
+# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
+# https://wiki.archlinux.org/title/OpenDMARC
+# https://wiki.archlinux.org/title/OpenDKIM
+# maybe useful things:
+# `man postconf.5`
+# print config: `postconf`
+# default config: `postconf -d`
+myhostname = mail.flylightning.xyz
+
+# fix "relay access denied" error when receiving emails
+# I choose to follow `man postconf.5` instruction to only add $mydomain
+# emailwiz way add a lot more to mydestination, see:
+# https://github.com/LukeSmithxyz/emailwiz/pull/275
+# https://github.com/LukeSmithxyz/emailwiz/issues/265
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/postfix/flylightning.pem
+smtpd_tls_key_file = /etc/postfix/flylightning.key
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox
+# command, is necessary as it distinguishes a maildir (which is the actual
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
+home_mailbox = Mail/Inbox/
+
+# https://wiki.archlinux.org/title/OpenDKIM
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+
+# more emailwiz configs, maybe useful:
+
+# TLS required for authentication.
+#smtpd_tls_auth_only = yes
+
+# Exclude insecure and obsolete encryption protocols.
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# helo, sender, relay and recipient restrictions
+#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
+#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
+#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
+#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+#smtpd_helo_required = yes
+#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+
 # Global Postfix configuration file. This file lists only a subset
 # of all parameters. For the syntax, and for a complete parameter
 # list, see the postconf(5) manual page (command: "man 5 postconf").
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
index fd282dd2..7ce6e816 100644
--- a/etc/postfix/master.cf
+++ b/etc/postfix/master.cf
@@ -1,3 +1,6 @@
+# I follow these guides:
+# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving)
+
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
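Review bot: `smtpd_sasl_auth_enable = yes` in main.cf applies to every smtpd instance, including the port 25 service, while `smtpd_tls_auth_only` is left commented out in the "more emailwiz configs" section, so AUTH is advertised there before STARTTLS and a client may send its password in the clear; master.cf forces `smtpd_tls_auth_only=yes` only on the submission service. Uncomment it here as `smtpd_tls_auth_only = yes`, or alternatively set `smtpd_sasl_auth_enable = no` in main.cf and keep the `-o smtpd_sasl_auth_enable=yes` overrides on the submission services only. `smtpd_use_tls = yes` is the legacy switch that `smtpd_tls_security_level` replaced; it is harmless next to `smtpd_tls_security_level = may` but can be dropped. The commit does not show the mode of `/etc/postfix/flylightning.key`; it should be readable by root only.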
@@ -16,13 +19,13 @@ smtp      inet  n       -       n       -       -       smtpd
 #tlsproxy  unix  -       -       n       -       0       tlsproxy
 # Choose one: enable submission for loopback clients only, or for any client.
 #127.0.0.1:submission inet n -   n       -       -       smtpd
-#submission inet n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_tls_auth_only=yes
+submission inet n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_tls_auth_only=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
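Review bot: `-o smtpd_reject_unlisted_recipient=no` is uncommented together with the rest of the submission block, so this service no longer rejects mail for unknown local recipients at RCPT TO and such messages are accepted and fail later in delivery instead; if that was not a deliberate choice, keep that one line commented as in the stock file. The `-o smtpd_tls_security_level=encrypt`, `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_tls_auth_only=yes` overrides are the right set for port 587, and they are what protects credentials on this service while main.cf leaves `smtpd_tls_auth_only` commented. The service definition continues in the next hunk.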
@@ -30,17 +33,17 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 # Choose one: enable submissions for loopback clients only, or for any client.
 #127.0.0.1:submissions inet n  -       n       -       -       smtpd
-#submissions     inet  n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submissions
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
+submissions     inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -48,9 +51,9 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
|
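Review bot: `-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject` gates the submission service on authentication alone; nothing binds the envelope sender to the authenticated login, because `-o smtpd_sender_restrictions=` stays commented here and the `smtpd_sender_login_maps` / `reject_sender_login_mismatch` pair stays commented in main.cf, so any account can submit mail with another local user's address. Consider adding `-o smtpd_sender_restrictions=reject_sender_login_mismatch` to this service, backed by the `smtpd_sender_login_maps` table from main.cf once that map exists. The same applies to the submissions service in the second hunk (-48,9), which repeats the identical three overrides. `-o milter_macro_daemon_name=ORIGINATING` is what lets OpenDKIM treat these as outbound and sign them, assuming the OpenDKIM configuration (not shown) keys on that macro.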
