From 8ce2d46747834f1b06f2c250f0d0fa055799a767 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 4 Jul 2025 15:16:05 +0800 Subject: init xyzru VPS --- etc/.cfgl/config | 4 +- etc/dovecot/dovecot.conf | 48 -- etc/fstab | 2 +- etc/hostname | 2 +- etc/hosts | 7 - etc/nftables.conf | 34 - etc/opendkim/opendkim.conf | 769 --------------------- etc/opendmarc/opendmarc.conf | 371 ---------- etc/postfix/aliases | 284 -------- etc/postfix/main.cf | 747 -------------------- etc/postfix/master.cf | 154 ----- etc/systemd/network/10-cloud-init-eth0.network | 38 - etc/systemd/network/default.network | 6 + etc/systemd/system/acme.sh.service.d/override.conf | 2 - .../system/opendmarc.service.d/override.conf | 4 - .../system/paccache.service.d/10-remove-all.conf | 8 + .../20-remove-all-uninstalled.conf | 9 - etc/tmpfiles.d/opendmarc.conf | 1 - home/xyz/.bashrc | 2 +- home/xyz/.config/myconf/pacman_Qqme | 1 - home/xyz/.config/myconf/pacman_Qqne | 5 - home/xyz/.config/myconf/sye | 7 +- 22 files changed, 20 insertions(+), 2485 deletions(-) delete mode 100644 etc/dovecot/dovecot.conf delete mode 100644 etc/hosts delete mode 100644 etc/opendkim/opendkim.conf delete mode 100644 etc/opendmarc/opendmarc.conf delete mode 100644 etc/postfix/aliases delete mode 100644 etc/postfix/main.cf delete mode 100644 etc/postfix/master.cf delete mode 100644 etc/systemd/network/10-cloud-init-eth0.network create mode 100644 etc/systemd/network/default.network delete mode 100644 etc/systemd/system/acme.sh.service.d/override.conf delete mode 100644 etc/systemd/system/opendmarc.service.d/override.conf create mode 100644 etc/systemd/system/paccache.service.d/10-remove-all.conf delete mode 100644 etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf delete mode 100644 etc/tmpfiles.d/opendmarc.conf diff --git a/etc/.cfgl/config b/etc/.cfgl/config index 608699e2..6bdb01ac 100644 --- a/etc/.cfgl/config +++ b/etc/.cfgl/config @@ -11,6 +11,6 @@ fetch = +refs/heads/*:refs/remotes/origin/* [commit] gpgsign = false -[branch "ca"] +[branch "ru"] remote = origin - merge = refs/heads/ca + merge = refs/heads/ru diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf deleted file mode 100644 index e7d11a07..00000000 --- a/etc/dovecot/dovecot.conf +++ /dev/null @@ -1,48 +0,0 @@ -# Edited from `doveconf -nP`, see https://doc.dovecot.org/2.3/configuration_manual/quick_configuration/#split-configuration-files -mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs -namespace inbox { - inbox = yes - location = - mailbox Archive { - auto = subscribe - special_use = \Archive - } - mailbox Drafts { - auto = subscribe - special_use = \Drafts - } - mailbox Junk { - auto = subscribe - special_use = \Junk - } - mailbox Sent { - auto = subscribe - special_use = \Sent - } - mailbox Trash { - auto = subscribe - # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge - # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 - # https://doc.dovecot.org/settings/types/#time - autoexpunge = 30 days - special_use = \Trash - } - prefix = -} -passdb { - driver = pam -} -service auth { - unix_listener /var/spool/postfix/private/auth { - group = postfix - mode = 0666 - user = postfix - } -} -ssl = required -ssl_cert = -/swap/swapfile none swap defaults 0 0 +/dev/vda1 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 1 diff --git a/etc/hostname b/etc/hostname index 8eb04e15..4c5fdf06 100644 --- a/etc/hostname +++ b/etc/hostname @@ -1 +1 @@ -xyzca +xyzru diff --git a/etc/hosts b/etc/hosts deleted file mode 100644 index 4e744102..00000000 --- a/etc/hosts +++ /dev/null @@ -1,7 +0,0 @@ -# Static table lookup for hostnames. -# See hosts(5) for details. -127.0.0.1 localhost -::1 localhost - -10.0.0.3 flylightning.xyz git.flylightning.xyz mirrors.flylightning.xyz -fdc9:281f:04d7:9ee9::3 flylightning.xyz git.flylightning.xyz mirrors.flylightning.xyz diff --git a/etc/nftables.conf b/etc/nftables.conf index 1bc5fec6..dc22f26a 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -10,7 +10,6 @@ flush ruleset define pub_iface = "eth0" define wg_iface = "wg0" -define website_ip6 = "2606:a8c0:3:773::b" table inet my_table { chain my_input { @@ -25,26 +24,9 @@ table inet my_table { meta l4proto ipv6-icmp accept tcp dport ssh accept - #tcp dport qbt-nox accept - #tcp dport qbt accept - #udp dport qbt accept #tcp dport iperf3 accept udp dport wireguard accept udp dport swgp accept - # for acme.sh standalone mode builtin webserver to renew ssl cert - # for forward to studio - tcp dport http accept - tcp dport https accept - # email related ports - tcp dport smtp accept - tcp dport pop3 accept - tcp dport imap accept - tcp dport submissions accept - tcp dport submission accept - tcp dport imaps accept - tcp dport pop3s accept - tcp dport monerod-p2p accept - tcp dport ssh-isp accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" @@ -74,22 +56,6 @@ table inet my_table { # https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families table inet nat { # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting` - # also vice versa, no need `chain postrouting` if has `chain prerouting` - # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ - chain prerouting { - type nat hook prerouting priority -100 - policy accept - # port forwarding from client - # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet - iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p - iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p - iifname $pub_iface tcp dport ssh-isp dnat ip to 10.0.0.3:ssh - iifname $pub_iface tcp dport ssh-isp dnat ip6 to [fdc9:281f:04d7:9ee9::3]:ssh - iifname $pub_iface tcp dport http dnat ip to 10.0.0.3:http - iifname $pub_iface ip6 daddr $website_ip6 tcp dport http dnat ip6 to [fdc9:281f:04d7:9ee9::3]:http - iifname $pub_iface tcp dport https dnat ip to 10.0.0.3:https - iifname $pub_iface tcp dport https dnat ip6 to [fdc9:281f:04d7:9ee9::3]:https - } # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface chain postrouting { type nat hook postrouting priority 100 diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf deleted file mode 100644 index 373c7213..00000000 --- a/etc/opendkim/opendkim.conf +++ /dev/null @@ -1,769 +0,0 @@ -## -## opendkim.conf -- configuration file for OpenDKIM filter -## -## Copyright (c) 2010-2015, 2018, The Trusted Domain Project. -## All rights reserved. -## - -## -## For settings that refer to a "dataset", see the opendkim(8) man page. -## - -## DEPRECATED CONFIGURATION OPTIONS -## -## The following configuration options are no longer valid. They should be -## removed from your existing configuration file to prevent potential issues. -## Failure to do so may result in opendkim being unable to start. -## -## Removed in 2.10.0: -## AddAllSignatureResults -## ADSPAction -## ADSPNoSuchDomain -## BogusPolicy -## DisableADSP -## LDAPSoftStart -## LocalADSP -## NoDiscardableMailTo -## On-PolicyError -## SendADSPReports -## UnprotectedPolicy - -## CONFIGURATION OPTIONS - -## AllowSHA1Only { yes | no } -## default "no" -## -## By default, the filter will refuse to start if support for SHA256 is -## not available since this violates the strong recommendations of -## RFC6376 Section 3.3, which says: -## -## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST -## implement and SHOULD sign using rsa-sha256." -## -## This forces that violation to be explicitly selected by the administrator. - -# AllowSHA1Only no - -## AlwaysAddARHeader { yes | no } -## default "no" -## -## Add an "Authentication-Results:" header even to unsigned messages -## from domains with no "signs all" policy. The reported DKIM result -## will be "none" in such cases. Normally unsigned mail from non-strict -## domains does not cause the results header to be added. - -# AlwaysAddARHeader no - -## AuthservID string -## default (local host name) -## -## Defines the "authserv-id" token to be used when generating -## Authentication-Results headers after message verification. - -# AuthservID example.com - -## AuthservIDWithJobID -## default "no" -## -## Appends a "/" followed by the MTA's job ID to the "authserv-id" token -## when generating Authentication-Results headers after message verification. - -# AuthservIDWithJobId no - -## AutoRestart { yes | no } -## default "no" -## -## Indicate whether or not the filter should arrange to restart automatically -## if it crashes. - -# AutoRestart No - -## AutoRestartCount n -## default 0 -## -## Sets the maximum automatic restart count. After this number of -## automatic restarts, the filter will give up and terminate. A value of 0 -## implies no limit. - -# AutoRestartCount 0 - -## AutoRestartRate n/t[u] -## default (none) -## -## Sets the maximum automatic restart rate. See the opendkim.conf(5) -## man page for the format of this parameter. - -# AutoRestartRate n/tu - -## Background { yes | no } -## default "yes" -## -## Indicate whether or not the filter should run in the background. - -# Background Yes - -## BaseDirectory path -## default (none) -## -## Causes the filter to change to the named directory before beginning -## operation. Thus, cores will be dumped here and configuration files -## are read relative to this location. - -# BaseDirectory /run/opendkim - -## BodyLengthDB dataset -## default (none) -## -## A data set that is checked against envelope recipients to see if a -## body length tag should be included in the generated signature. -## This has security implications; see opendkim.conf(5) for details. - -# BodyLengthDB dataset - -## Canonicalization hdrcanon[/bodycanon] -## default "simple/simple" -## -## Select canonicalizations to use when signing. If the "bodycanon" is -## omitted, "simple" is used. Valid values for each are "simple" and -## "relaxed". - -Canonicalization relaxed/simple - -## ClockDrift n -## default 300 -## -## Specify the tolerance range for expired signatures or signatures -## which appear to have timestamps in the future, allowing for clock -## drift. - -# ClockDrift 300 - -## Diagnostics { yes | no } -## default "no" -## -## Specifies whether or not signatures with header diagnostic tags should -## be generated. - -# Diagnostics No - -## DNSTimeout n -## default 10 -## -## Specify the time in seconds to wait for replies from the nameserver when -## requesting keys or signing policies. - -# DNSTimeout 10 - -## Domain dataset -## default (none) -## -## Specify for which domain(s) signing should be done. No default; must -## be specified for signing. - -Domain flylightning.xyz - -## DomainKeysCompat { yes | no } -## default "no" -## -## When enabled, backward compatibility with DomainKeys (RFC4870) key -## records is enabled. Otherwise, such key records are considered to be -## syntactically invalid. - -# DomainKeysCompat no - -## DontSignMailTo dataset -## default (none) -## -## Gives a list of recipient addresses or address patterns whose mail should -## not be signed. - -# DontSignMailTo addr1,addr2,... - -## EnableCoredumps { yes | no } -## default "no" -## -## On systems which have support for such, requests that the kernel dump -## core even though the process may change user ID during its execution. - -# EnableCoredumps no - -## ExemptDomains dataset -## default (none) -## -## A data set of domain names that are checked against the message sender's -## domain. If a match is found, the message is ignored by the filter. - -# ExemptDomains domain1,domain2,... - -## ExternalIgnoreList filename -## -## Names a file from which a list of externally-trusted hosts is read. -## These are hosts which are allowed to send mail through you for signing. -## Automatically contains 127.0.0.1. See man page for file format. - -# ExternalIgnoreList filename - -## FixCRLF { yes | no } -## -## Requests that the library convert "naked" CR and LF characters to -## CRLFs during canonicalization. The default is "no". - -# FixCRLF no - -## IgnoreMalformedMail { yes | no } -## default "no" -## -## Silently passes malformed messages without alteration. This includes -## messages that fail the RequiredHeaders check, if enabled. The default is -## to pass those messages but add an Authentication-Results field indicating -## that they were malformed. - -# IgnoreMalformedMail no - -## InternalHosts dataset -## default "127.0.0.1" -## -## Names a file from which a list of internal hosts is read. These are -## hosts from which mail should be signed rather than verified. -## Automatically contains 127.0.0.1. - -# InternalHosts dataset - -## KeepTemporaryFiles { yes | no } -## default "no" -## -## If set, causes temporary files generated during message signing or -## verifying to be left behind for debugging use. Not for normal operation; -## can fill your disks quite fast on busy systems. - -# KeepTemporaryFiles no - -## KeyFile filename -## default (none) -## -## Specifies the path to the private key to use when signing. Ignored if -## SigningTable and KeyTable are used. No default; must be specified for -## signing if SigningTable/KeyTable are not in use. - -KeyFile /etc/opendkim/mail.private - -## KeyTable dataset -## default (none) -## -## Defines a table that will be queried to convert key names to -## sets of data of the form (signing domain, signing selector, private key). -## The private key can either contain a PEM-formatted private key, -## a base64-encoded DER format private key, or a path to a file containing -## one of those. - -# KeyTable dataset - -## LogWhy { yes | no } -## default "no" -## -## If logging is enabled (see Syslog below), issues very detailed logging -## about the logic behind the filter's decision to either sign a message -## or verify it. The logic behind the decision is non-trivial and can be -## confusing to administrators not familiar with its operation. A -## description of how the decision is made can be found in the OPERATIONS -## section of the opendkim(8) man page. This causes a large increase -## in the amount of log data generated for each message, so it should be -## limited to debugging use and not enabled for general operation. - -# LogWhy no - -## MacroList macro[=value][,...] -## -## Gives a set of MTA-provided macros which should be checked to see -## if the sender has been determined to be a local user and therefore -## whether or not signing should be done. See opendkim.conf(5) for -## more information. - -# MacroList foo=bar,baz=blivit - -## MaximumHeaders n -## -## Disallow messages whose header blocks are bigger than "n" bytes. -## Intended to detect and block a denial-of-service attack. The default -## is 65536. A value of 0 disables this test. - -# MaximumHeaders n - -## MaximumSignaturesToVerify n -## (default 3) -## -## Verify no more than "n" signatures on an arriving message. -## A value of 0 means "no limit". - -# MaximumSignaturesToVerify n - -## MaximumSignedBytes n -## -## Don't sign more than "n" bytes of the message. The default is to -## sign the entire message. Setting this implies "BodyLengths". - -# MaximumSignedBytes n - -## MilterDebug n -## -## Request a debug level of "n" from the milter library. The default is 0. - -# MilterDebug 0 - -## Minimum n[% | +] -## default 0 -## -## Sets a minimum signing volume; one of the following formats: -## n at least n bytes (or the whole message, whichever is less) -## must be signed -## n% at least n% of the message must be signed -## n+ if a length limit was presented in the signature, no more than -## n bytes may have been added - -# Minimum n - -## MinimumKeyBits n -## default 1024 -## -## Causes the library not to accept signatures matching keys made of fewer -## than the specified number of bits, even if they would otherwise pass -## DKIM signing. - -# MinimumKeyBits 1024 - -## Mode [sv] -## default sv -## -## Indicates which mode(s) of operation should be provided. "s" means -## "sign", "v" means "verify". - -# Mode sv - -## MTA dataset -## default (none) -## -## Specifies a list of MTAs whos mail should always be signed rather than -## verified. The "mtaname" is extracted from the DaemonPortOptions line -## in effect. - -# MTA name - -## MultipleSignatures { yes | no } -## default no -## -## Allows multiple signatures to be added. If set to "true" and a SigningTable -## is in use, all SigningTable entries that match the candidate message will -## cause a signature to be added. Otherwise, only the first matching -## SigningTable entry will be added, or only the key defined by Domain, -## Selector and KeyFile will be added. - -# MultipleSignatures no - -## MustBeSigned dataset -## default (none) -## -## Defines a list of headers which, if present on a message, must be -## signed for the signature to be considered acceptable. - -# MustBeSigned header1,header2,... - -## Nameservers addr1[,addr2[,...]] -## default (none) -## -## Provides a comma-separated list of IP addresses that are to be used when -## doing DNS queries to retrieve DKIM keys, VBR records, etc. -## These override any local defaults built in to the resolver in use, which -## may be defined in /etc/resolv.conf or hard-coded into the software. - -# Nameservers addr1,addr2,... - -## NoHeaderB { yes | no } -## default "no" -## -## Suppresses addition of "header.b" tags on Authentication-Results -## header fields. - -# NoHeaderB no - -## OmitHeaders dataset -## default (none) -## -## Specifies a list of headers that should always be omitted when signing. -## Header names should be separated by commas. - -# OmitHeaders header1,header2,... - -## On-... -## -## Specifies what to do when certain error conditions are encountered. -## -## See opendkim.conf(5) for more information. - -# On-Default -# On-BadSignature -# On-DNSError -# On-InternalError -# On-NoSignature -# On-Security -# On-SignatureError - -## OversignHeaders dataset -## default (none) -## -## Specifies a set of header fields that should be included in all signature -## header lists (the "h=" tag) once more than the number of times they were -## actually present in the signed message. See opendkim.conf(5) for more -## information. - -# OverSignHeaders header1,header2,... - -## PeerList dataset -## default (none) -## -## Contains a list of IP addresses, CIDR blocks, hostnames or domain names -## whose mail should be neither signed nor verified by this filter. See man -## page for file format. - -# PeerList filename - -## PidFile filename -## default (none) -## -## Name of the file where the filter should write its pid before beginning -## normal operations. - -# PidFile filename - -## POPDBFile dataset -## default (none) -## -## Names a database which should be checked for "POP before SMTP" records -## as a form of authentication of users who may be sending mail through -## the MTA for signing. Requires special compilation of the filter. -## See opendkim.conf(5) for more information. - -# POPDBFile filename - -## Quarantine { yes | no } -## default "no" -## -## Indicates whether or not the filter should arrange to quarantine mail -## which fails verification. Intended for diagnostic use only. - -# Quarantine No - -## QueryCache { yes | no } -## default "no" -## -## Instructs the DKIM library to maintain its own local cache of keys and -## policies retrieved from DNS, rather than relying on the nameserver for -## caching service. Useful if the nameserver being used by the filter is -## not local. The filter must be compiled with the QUERY_CACHE flag to enable -## this feature, since it adds a library dependency. - -# QueryCache No - -## RedirectFailuresTo address -## default (none) -## -## Redirects signed messages to the specified address if none of the -## signatures present failed to verify. - -# RedirectFailuresTo postmaster@example.com - -## RemoveARAll { yes | no } -## default "no" -## -## Remove all Authentication-Results: headers on all arriving mail. - -# RemoveARAll No - -## RemoveARFrom dataset -## default (none) -## -## Remove all Authentication-Results: headers on all arriving mail that -## claim to have been added by hosts listed in this parameter. The list -## should be comma-separated. Entire domains may be specified by preceding -## the dopmain name by a single dot (".") character. - -# RemoveARFrom host1,host2,.domain1,.domain2,... - -## RemoveOldSignatures { yes | no } -## default "no" -## -## Remove old signatures on messages, if any, when generating a signature. - -# RemoveOldSignatures No - -## ReportAddress addr -## default (executing user)@(hostname) -## -## Specifies the sending address to be used on From: headers of outgoing -## failure reports. By default, the e-mail address of the user executing -## the filter is used. - -# ReportAddress "DKIM Error Postmaster" - -## ReportBccAddress addr -## default (none) -## -## Specifies additional recipient address(es) to receive outgoing failure -## reports. - -# ReportBccAddress postmaster@example.com, john@example.com - -## RequiredHeaders { yes | no } -## default no -## -## Rejects messages which don't conform to RFC5322 header count requirements. - -# RequiredHeaders No - -## RequireSafeKeys { yes | no } -## default yes -## -## Refuses to use key files that appear to have unsafe permissions. - -# RequireSafeKeys Yes - -## ResignAll { yes | no } -## default no -## -## Where ResignMailTo triggers a re-signing action, this flag indicates -## whether or not all mail should be signed (if set) versus only verified -## mail being signed (if not set). - -# ResignAll No - -## ResignMailTo dataset -## default (none) -## -## Checks each message recipient against the specified dataset for a -## matching record. The full address is checked in each case, then the -## hostname, then each domain preceded by ".". If there is a match, the -## value returned is presumed to be the name of a key in the KeyTable -## (if defined) to be used to re-sign the message in addition to -## verifying it. If there is a match without a KeyTable, the default key -## is applied. - -# ResignMailTo dataset - -## ResolverConfiguration string -## -## Passes arbitrary configuration data to the resolver. For the stock UNIX -## resolver, this is ignored; for Unbound, it names an unbound.conf(5)-style -## file that should be read for configuration information. - -# ResolverConfiguration string - -## ResolverTracing { yes | no } -## -## Requests enabling of resolver trace features, if available. The effect -## of setting this flag depends on how trace features, if any, are implemented -## in the resolver in use. Currently only effective when used with the -## OpenDKIM asynchronous resolver. - -# ResolverTracing no - -## Selector name -## -## The name of the selector to use when signing. No default; must be -## specified for signing. - -Selector mail - -## SenderHeaders dataset -## default (none) -## -## Overrides the default list of headers that will be used to determine -## the sending domain when deciding whether to sign the message and with -## with which key(s). See opendkim.conf(5) for details. - -# SenderHeaders From - -## SendReports { yes | no } -## default "no" -## -## Specifies whether or not the filter should generate report mail back -## to senders when verification fails and an address for such a purpose -## is provided. See opendkim.conf(5) for details. - -# SendReports No - -## SignatureAlgorithm signalg -## default "rsa-sha256" -## -## Signature algorithm to use when generating signatures. Must be one of -## "rsa-sha1", "rsa-sha256", or "ed25519-sha256". - -# SignatureAlgorithm rsa-sha256 - -## SignatureTTL seconds -## default "0" -## -## Specifies the lifetime in seconds of signatures generated by the -## filter. A value of 0 means no expiration time is included in the -## signature. - -# SignatureTTL 0 - -## SignHeaders dataset -## default (none) -## -## Specifies the list of headers which should be included when generating -## signatures. The string should be a comma-separated list of header names. -## See the opendkim.conf(5) man page for more information. - -# SignHeaders header1,header2,... - -## SigningTable dataset -## default (none) -## -## Defines a dataset that will be queried for the message sender's address -## to determine which private key(s) (if any) should be used to sign the -## message. The sender is determined from the value of the sender -## header fields as described with SenderHeaders above. The key for this -## lookup should be an address or address pattern that matches senders; -## see the opendkim.conf(5) man page for more information. The value -## of the lookup should return the name of a key found in the KeyTable -## that should be used to sign the message. If MultipleSignatures -## is set, all possible lookup keys will be attempted which may result -## in multiple signatures being applied. - -# SigningTable filename - -## SingleAuthResult { yes | no} -## default "no" -## -## When DomainKeys verification is enabled, multiple Authentication-Results -## will be added, one for DK and one for DKIM. With this enabled, only -## a DKIM result will be reported unless DKIM failed but DK passed, in which -## case only a DK result will be reported. - -# SingleAuthResult no - -## SMTPURI uri -## -## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent -## via SMTP when notifications are generated. - -# SMTPURI smtp://localhost - -## Socket socketspec -## -## Names the socket where this filter should listen for milter connections -## from the MTA. Required. Should be in one of these forms: -## -## inet:port@address to listen on a specific interface -## inet:port to listen on all interfaces -## local:/path/to/socket to listen on a UNIX domain socket - -Socket local:/run/opendkim/opendkim.sock - -## SoftwareHeader { yes | no } -## default "no" -## -## Add a DKIM-Filter header field to messages passing through this filter -## to identify messages it has processed. - -# SoftwareHeader no - -## StrictHeaders { yes | no } -## default "no" -## -## Requests that the DKIM library refuse to process a message whose -## header fields do not conform to the standards, in particular Section 3.6 -## of RFC5322. - -# StrictHeaders no - -## StrictTestMode { yes | no } -## default "no" -## -## Selects strict CRLF mode during testing (see the "-t" command line -## flag in the opendkim(8) man page). Messages for which all header -## fields and body lines are not CRLF-terminated are considered malformed -## and will produce an error. - -# StrictTestMode no - -## SubDomains { yes | no } -## default "no" -## -## Sign for subdomains as well? - -# SubDomains No - -## Syslog { yes | no } -## default "yes" -## -## Log informational and error activity to syslog? - -Syslog Yes - -## SyslogFacility facility -## default "mail" -## -## Valid values are : -## auth cron daemon kern lpr mail news security syslog user uucp -## local0 local1 local2 local3 local4 local5 local6 local7 -## -## syslog facility to be used - -# SyslogFacility mail - -## SyslogName ident -## default "opendkim" (or the name of the executable) -## -## Identifier to be prepended to all generated log entries. - -# SyslogName opendkim - -## SyslogSuccess { yes | no } -## default "no" -## -## Log success activity to syslog? - -# SyslogSuccess No - -## TemporaryDirectory path -## default /tmp -## -## Specifies which directory will be used for creating temporary files -## during message processing. - -# TemporaryDirectory /tmp - -## TestPublicKeys filename -## default (none) -## -## Names a file from which public keys should be read. Intended for use -## only during automated testing. - -# TestPublicKeys /tmp/testkeys - -## TrustAnchorFile filename -## default (none) -## -## Specifies a file from which trust anchor data should be read when doing -## DNS queries and applying the DNSSEC protocol. See the Unbound documentation -## at http://unbound.net for the expected format of this file. - -# TrustAnchorFile /var/named/trustanchor - -## UMask mask -## default (none) -## -## Change the process umask for file creation to the specified value. -## The system has its own default which will be used (usually 022). -## See the umask(2) man page for more information. - -UMask 002 - -## Userid userid -## default (none) -## -## Change to user "userid" before starting normal operation? May include -## a group ID as well, separated from the userid by a colon. - -UserID opendkim diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf deleted file mode 100644 index f8d8120c..00000000 --- a/etc/opendmarc/opendmarc.conf +++ /dev/null @@ -1,371 +0,0 @@ -## opendmarc.conf -- configuration file for OpenDMARC filter -## -## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved. - -## DEPRECATED CONFIGURATION OPTIONS -## -## The following configuration options are no longer valid. They should be -## removed from your existing configuration file to prevent potential issues. -## Failure to do so may result in opendmarc being unable to start. -## -## Renamed in 1.3.0: -## ForensicReports became FailureReports -## ForensicReportsBcc became FailureReportsBcc -## ForensicReportsOnNone became FailureReportsOnNone -## ForensicReportsSentBy became FailureReportsSentBy - -## CONFIGURATION OPTIONS - -## AuthservID (string) -## defaults to MTA name -## -## Sets the "authserv-id" to use when generating the Authentication-Results: -## header field after verifying a message. If the string "HOSTNAME" is -## provided, the name of the host running the filter (as returned by the -## gethostname(3) function) will be used. -# -# AuthservID name -AuthservID HOSTNAME - -## AuthservIDWithJobID { true | false } -## default "false" -## -## If "true", requests that the authserv-id portion of the added -## Authentication-Results header fields contain the job ID of the message -## being evaluated. -# -# AuthservIDWithJobID false - -## AutoRestart { true | false } -## default "false" -## -## Automatically re-start on failures. Use with caution; if the filter fails -## instantly after it starts, this can cause a tight fork(2) loop. -# -# AutoRestart false - -## AutoRestartCount n -## default 0 -## -## Sets the maximum automatic restart count. After this number of automatic -## restarts, the filter will give up and terminate. A value of 0 implies no -## limit. -# -# AutoRestartCount 0 - -## AutoRestartRate n/t[u] -## default (no limit) -## -## Sets the maximum automatic restart rate. If the filter begins restarting -## faster than the rate defined here, it will give up and terminate. This -## is a string of the form n/t[u] where n is an integer limiting the count -## of restarts in the given interval and t[u] defines the time interval -## through which the rate is calculated; t is an integer and u defines the -## units thus represented ("s" or "S" for seconds, the default; "m" or "M" -## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a -## value of "10/1h" limits the restarts to 10 in one hour. There is no -## default, meaning restart rate is not limited. -# -# AutoRestartRate n/t[u] - -## Background { true | false } -## default "true" -## -## Causes opendmarc to fork and exits immediately, leaving the service -## running in the background. -# -# Background true - -## BaseDirectory (string) -## default (none) -## -## If set, instructs the filter to change to the specified directory using -## chdir(2) before doing anything else. This means any files referenced -## elsewhere in the configuration file can be specified relative to this -## directory. It's also useful for arranging that any crash dumps will be -## saved to a specific location. -# -# BaseDirectory /var/run/opendmarc - -## ChangeRootDirectory (string) -## default (none) -## -## Requests that the operating system change the effective root directory of -## the process to the one specified here prior to beginning execution. -## chroot(2) requires superuser access. A warning will be generated if -## UserID is not also set. -# -# ChangeRootDirectory /var/chroot/opendmarc - -## CopyFailuresTo (string) -## default (none) -## -## Requests addition of the specified email address to the envelope of -## any message that fails the DMARC evaluation. -# -# CopyFailuresTo postmaster@localhost - -## DNSTimeout (integer) -## default 5 -## -## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. -## (NOT YET IMPLEMENTED) -# -# DNSTimeout 5 - -## EnableCoredumps { true | false } -## default "false" -## -## On systems that have such support, make an explicit request to the kernel -## to dump cores when the filter crashes for some reason. Some modern UNIX -## systems suppress core dumps during crashes for security reasons if the -## user ID has changed during the lifetime of the process. Currently only -## supported on Linux. -# -# EnableCoreDumps false - -## FailureReports { true | false } -## default "false" -## -## Enables generation of failure reports when the DMARC test fails and the -## purported sender of the message has requested such reports. Reports are -## formatted per RFC6591. -# -# FailureReports false - -## FailureReportsBcc (string) -## default (none) -## -## When failure reports are enabled and one is to be generated, always -## send one to the address(es) specified here. If a failure report is -## requested by the domain owner, the address(es) are added in a Bcc: field. -## If no request is made, they address(es) are used in a To: field. There -## is no default. -# -# FailureReportsBcc postmaster@example.coom - -## FailureReportsOnNone { true | false } -## default "false" -## -## Supplements the "FailureReports" setting by generating reports for -## domains that advertise "none" policies. By default, reports are only -## generated (when enabled) for sending domains advertising a "quarantine" -## or "reject" policy. -# -# FailureReportsOnNone false - -## FailureReportsSentBy string -## default "USER@HOSTNAME" -## -## Specifies the email address to use in the From: field of failure -## reports generated by the filter. The default is to use the userid of -## the user running the filter and the local hostname to construct an -## email address. "postmaster" is used in place of the userid if a name -## could not be determined. -# -# FailureReportsSentBy USER@HOSTNAME - -## HistoryFile path -## default (none) -## -## If set, specifies the location of a text file to which records are written -## that can be used to generate DMARC aggregate reports. Records are groups -## of rows containing information about a single received message, and -## include all relevant information needed to generate a DMARC aggregate -## report. It is expected that this will not be used in its raw form, but -## rather periodically imported into a relational database from which the -## aggregate reports can be extracted by a tool such as opendmarc-import(8). -# -# HistoryFile /var/run/opendmarc.dat - -## IgnoreAuthenticatedClients { true | false } -## default "false" -## -## If set, causes mail from authenticated clients (i.e., those that used -## SMTP AUTH) to be ignored by the filter. -# -IgnoreAuthenticatedClients true - -## IgnoreHosts path -## default (internal) -## -## Specifies the path to a file that contains a list of hostnames, IP -## addresses, and/or CIDR expressions identifying hosts whose SMTP -## connections are to be ignored by the filter. If not specified, defaults -## to "127.0.0.1" only. -# -# IgnoreHosts /etc/opendmarc/ignore.hosts - -## IgnoreMailFrom domain[,...] -## default (none) -## -## Gives a list of domain names whose mail (based on the From: domain) is to -## be ignored by the filter. The list should be comma-separated. Matching -## against this list is case-insensitive. The default is an empty list, -## meaning no mail is ignored. -# -# IgnoreMailFrom example.com - -## MilterDebug (integer) -## default 0 -## -## Sets the debug level to be requested from the milter library. -# -# MilterDebug 0 - -## PidFile path -## default (none) -## -## Specifies the path to a file that should be created at process start -## containing the process ID. -# -# PidFile /var/run/opendmarc.pid - -## PublicSuffixList path -## default (none) -## -## Specifies the path to a file that contains top-level domains (TLDs) that -## will be used to compute the Organizational Domain for a given domain name, -## as described in the DMARC specification. If not provided, the filter will -## not be able to determine the Organizational Domain and only the presented -## domain will be evaluated. -# -# PublicSuffixList path - -## RecordAllMessages { true | false } -## default "false" -## -## If set and "HistoryFile" is in use, all received messages are recorded -## to the history file. If not set (the default), only messages for which -## the From: domain published a DMARC record will be recorded in the -## history file. -# -# RecordAllMessages false - -## RejectFailures { true | false } -## default "false" -## -## If set, messages will be rejected if they fail the DMARC evaluation, or -## temp-failed if evaluation could not be completed. By default, no message -## will be rejected or temp-failed regardless of the outcome of the DMARC -## evaluation of the message. Instead, an Authentication-Results header -## field will be added. -# -# RejectFailures false - -## ReportCommand string -## default "/usr/sbin/sendmail -t" -## -## Indicates the shell command to which failure reports should be passed for -## delivery when "FailureReports" is enabled. -# -# ReportCommand /usr/sbin/sendmail -t - -## RequiredHeaders { true | false } -## default "false" -## -## If set, the filter will ensure the header of the message conforms to the -## basic header field count restrictions laid out in RFC5322, Section 3.6. -## Messages failing this test are rejected without further processing. A -## From: field from which no domain name could be extracted will also be -## rejected. -# -# RequiredHeaders false - -## Socket socketspec -## default (none) -## -## Specifies the socket that should be established by the filter to receive -## connections from sendmail(8) in order to provide service. socketspec is -## in one of two forms: local:path, which creates a UNIX domain socket at -## the specified path, or inet:port[@host] or inet6:port[@host] which creates -## a TCP socket on the specified port for the appropriate protocol family. -## If the host is not given as either a hostname or an IP address, the -## socket will be listening on all interfaces. This option is mandatory -## either in the configuration file or on the command line. If an IP -## address is used, it must be enclosed in square brackets. -# -# Socket inet:8893@localhost -#Socket unix:/var/spool/opendmarc/opendmarc.sock -Socket unix:/run/opendmarc/opendmarc.sock - -## SoftwareHeader { true | false } -## default "false" -## -## Causes the filter to add a "DMARC-Filter" header field indicating the -## presence of this filter in the path of the message from injection to -## delivery. The product's name, version, and the job ID are included in -## the header field's contents. -# -# SoftwareHeader false - -## SPFIgnoreResults { true | false } -## default "false" -## -## Causes the filter to ignore any SPF results in the header of the -## message. This is useful if you want the filter to perfrom SPF checks -## itself, or because you don't trust the arriving header. -# -# SPFIgnoreResults false - -## SPFSelfValidate { true | false } -## default false -## -## Enable internal spf checking with --with-spf -## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path -## -## Causes the filter to perform a fallback SPF check itself when -## it can find no SPF results in the message header. If SPFIgnoreResults -## is also set, it never looks for SPF results in headers and -## always performs the SPF check itself when this is set. -# -SPFSelfValidate true - -## Syslog { true | false } -## default "false" -## -## Log via calls to syslog(3) any interesting activity. -# -# Syslog false - -## SyslogFacility facility-name -## default "mail" -## -## Log via calls to syslog(3) using the named facility. The facility names -## are the same as the ones allowed in syslog.conf(5). -# -# SyslogFacility mail - -## TrustedAuthservIDs string -## default HOSTNAME -## -## Specifies one or more "authserv-id" values to trust as relaying true -## upstream DKIM and SPF results. The default is to use the name of -## the MTA processing the message. To specify a list, separate each entry -## with a comma. The key word "HOSTNAME" will be replaced by the name of -## the host running the filter as reported by the gethostname(3) function. -# -# TrustedAuthservIDs HOSTNAME - -## UMask mask -## default (none) -## -## Requests a specific permissions mask to be used for file creation. This -## only really applies to creation of the socket when Socket specifies a -## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary -## files are normally created by the mkstemp(3) function that enforces a -## specific file mode on creation regardless of the process umask. See -## umask(2) for more information. -# -# UMask 077 -UMask 002 - -## UserID user[:group] -## default (none) -## -## Attempts to become the specified userid before starting operations. -## The process will be assigned all of the groups and primary group ID of -## the named userid unless an alternate group is specified. -# -# UserID opendmarc -# ATTENTION: user and group are enforced throug the systemd service file diff --git a/etc/postfix/aliases b/etc/postfix/aliases deleted file mode 100644 index 3e6ad4d9..00000000 --- a/etc/postfix/aliases +++ /dev/null @@ -1,284 +0,0 @@ -# -# Sample aliases file. Install in the location as specified by the -# output from the command "postconf alias_maps". Typical path names -# are /etc/aliases or /etc/mail/aliases. -# -# >>>>>>>>>> The program "newaliases" must be run after -# >> NOTE >> this file is updated for any changes to -# >>>>>>>>>> show through to Postfix. -# - -# Person who should get root's mail. Don't receive mail as root! -# https://wiki.archlinux.org/title/Postfix#Aliases -root: xyz - -# Basic system aliases -- these MUST be present -MAILER-DAEMON: postmaster -postmaster: root - -# General redirections for pseudo accounts -bin: root -daemon: root -named: root -nobody: root -uucp: root -www: root -ftp-bugs: root -postfix: root - -# Put your local aliases here. - -# Well-known aliases -manager: root -dumper: root -operator: root -abuse: postmaster - -# trap decode to catch security attacks -decode: root - -# ALIASES(5) ALIASES(5) -# -# NAME -# aliases - Postfix local alias database format -# -# SYNOPSIS -# newaliases -# -# postalias -q name [file-type]:[file-name] -# -# DESCRIPTION -# The optional aliases(5) table (alias_maps) redirects mail -# for local recipients. The redirections are processed by -# the Postfix local(8) delivery agent. This table is always -# searched with an email address localpart (no domain por- -# tion). -# -# This is unlike virtual(5) aliasing (virtual_alias_maps) -# which applies to all recipients: local(8), virtual, and -# remote, and which is implemented by the cleanup(8) daemon. -# That table is often searched with a full email address -# (including domain). -# -# Normally, the aliases(5) table is specified as a text file -# that serves as input to the postalias(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast lookup by the mail system. Execute the command -# newaliases in order to rebuild the indexed file after -# changing the Postfix alias database. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. -# -# Alternatively, the table can be provided as a regu- -# lar-expression map where patterns are given as regular -# expressions. In this case, the lookups are done in a -# slightly different way as described below under "REGULAR -# EXPRESSION TABLES". -# -# Users can control delivery of their own mail by setting up -# .forward files in their home directory. Lines in per-user -# .forward files have the same syntax as the right-hand side -# of aliases(5) entries. -# -# The format of the alias database input file is as follows: -# -# o An alias definition has the form -# -# name: value1, value2, ... -# -# o Empty lines and whitespace-only lines are ignored, -# as are lines whose first non-whitespace character -# is a `#'. -# -# o A logical line starts with non-whitespace text. A -# line that starts with whitespace continues a logi- -# cal line. -# -# The name is a local address (no domain part). Use double -# quotes when the name contains any special characters such -# as whitespace, `#', `:', or `@'. The name is folded to -# lowercase, in order to make database lookups case insensi- -# tive. -# -# In addition, when an alias exists for owner-name, this -# will override the envelope sender address, so that deliv- -# ery diagnostics are directed to owner-name, instead of the -# originator of the message (for details, see -# owner_request_special, expand_owner_alias and -# reset_owner_alias). This is typically used to direct -# delivery errors to the maintainer of a mailing list, who -# is in a better position to deal with mailing list delivery -# problems than the originator of the undelivered mail. -# -# The value contains one or more of the following: -# -# address -# Mail is forwarded to address, which is compatible -# with the RFC 822 standard. -# -# /file/name -# Mail is appended to /file/name. For details on how -# a file is written see the sections "EXTERNAL FILE -# DELIVERY" and "DELIVERY RIGHTS" in the local(8) -# documentation. Delivery is not limited to regular -# files. For example, to dispose of unwanted mail, -# deflect it to /dev/null. -# -# |command -# Mail is piped into command. Commands that contain -# special characters, such as whitespace, should be -# enclosed between double quotes. For details on how -# a command is executed see "EXTERNAL COMMAND DELIV- -# ERY" and "DELIVERY RIGHTS" in the local(8) documen- -# tation. -# -# When the command fails, a limited amount of command -# output is mailed back to the sender. The file -# /usr/include/sysexits.h defines the expected exit -# status codes. For example, use "|exit 67" to simu- -# late a "user unknown" error, and "|exit 0" to -# implement an expensive black hole. -# -# :include:/file/name -# Mail is sent to the destinations listed in the -# named file. Lines in :include: files have the same -# syntax as the right-hand side of aliases(5) -# entries. -# -# A destination can be any destination that is -# described in this manual page. However, delivery to -# "|command" and /file/name is disallowed by default. -# To enable, edit the allow_mail_to_commands and -# allow_mail_to_files configuration parameters. -# -# ADDRESS EXTENSION -# When alias database search fails, and the recipient local- -# part contains the optional recipient delimiter (e.g., -# user+foo), the search is repeated for the unextended -# address (e.g., user). -# -# The propagate_unmatched_extensions parameter controls -# whether an unmatched address extension (+foo) is propa- -# gated to the result of table lookup. -# -# CASE FOLDING -# The local(8) delivery agent always folds the search string -# to lowercase before database lookup. -# -# REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when -# the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, -# see regexp_table(5) or pcre_table(5). NOTE: these formats -# do not use ":" at the end of a pattern. -# -# Each regular expression is applied to the entire search -# string. Thus, a search string user+foo is not broken up -# into user and foo. -# -# Regular expressions are applied in the order as specified -# in the table, until a regular expression is found that -# matches the search string. -# -# Lookup results are the same as with indexed file lookups. -# For security reasons there is no support for $1, $2 etc. -# substring interpolation. -# -# SECURITY -# The local(8) delivery agent disallows regular expression -# substitution of $1 etc. in alias_maps, because that would -# open a security hole. -# -# The local(8) delivery agent will silently ignore requests -# to use the proxymap(8) server within alias_maps. Instead -# it will open the table directly. Before Postfix version -# 2.2, the local(8) delivery agent will terminate with a -# fatal error. -# -# CONFIGURATION PARAMETERS -# The following main.cf parameters are especially relevant. -# The text below provides only a parameter summary. See -# postconf(5) for more details including examples. -# -# alias_database (see 'postconf -d' output) -# The alias databases for local(8) delivery that are -# updated with "newaliases" or with "sendmail -bi". -# -# alias_maps (see 'postconf -d' output) -# Optional lookup tables that are searched only with -# an email address localpart (no domain) and that -# apply only to local(8) recipients; this is unlike -# virtual_alias_maps that are often searched with a -# full email address (including domain) and that -# apply to all recipients: local(8), virtual, and -# remote. -# -# allow_mail_to_commands (alias, forward) -# Restrict local(8) mail delivery to external com- -# mands. -# -# allow_mail_to_files (alias, forward) -# Restrict local(8) mail delivery to external files. -# -# expand_owner_alias (no) -# When delivering to an alias "aliasname" that has an -# "owner-aliasname" companion alias, set the envelope -# sender address to the expansion of the -# "owner-aliasname" alias. -# -# propagate_unmatched_extensions (canonical, virtual) -# What address lookup tables copy an address exten- -# sion from the lookup key to the lookup result. -# -# owner_request_special (yes) -# Enable special treatment for owner-listname entries -# in the aliases(5) file, and don't split owner-list- -# name and listname-request address localparts when -# the recipient_delimiter is set to "-". -# -# recipient_delimiter (empty) -# The set of characters that can separate an email -# address localpart, user name, or a .forward file -# name from its extension. -# -# Available in Postfix version 2.3 and later: -# -# frozen_delivered_to (yes) -# Update the local(8) delivery agent's idea of the -# Delivered-To: address (see prepend_deliv- -# ered_header) only once, at the start of a delivery -# attempt; do not update the Delivered-To: address -# while expanding aliases or .forward files. -# -# STANDARDS -# RFC 822 (ARPA Internet Text Messages) -# -# SEE ALSO -# local(8), local delivery agent -# newaliases(1), create/update alias database -# postalias(1), create/update alias database -# postconf(5), configuration parameters -# -# README FILES -# Use "postconf readme_directory" or "postconf html_direc- -# tory" to locate this information. -# DATABASE_README, Postfix lookup table overview -# -# LICENSE -# The Secure Mailer license must be distributed with this -# software. -# -# AUTHOR(S) -# Wietse Venema -# IBM T.J. Watson Research -# P.O. Box 704 -# Yorktown Heights, NY 10598, USA -# -# Wietse Venema -# Google, Inc. -# 111 8th Avenue -# New York, NY 10011, USA -# -# ALIASES(5) diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf deleted file mode 100644 index 63fa4261..00000000 --- a/etc/postfix/main.cf +++ /dev/null @@ -1,747 +0,0 @@ -# edit configs from: -# https://wiki.archlinux.org/title/Postfix -# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz -# https://wiki.archlinux.org/title/OpenDMARC -# https://wiki.archlinux.org/title/OpenDKIM -# maybe useful things: -# `man postconf.5` -# print config: `postconf` -# default config: `postconf -d` -myhostname = mail.flylightning.xyz - -# fix "relay access denied" error when receiving emails -# I choose to follow `man postconf.5` instruction to only add $mydomain -# emailwiz way add a lot more to mydestination, see: -# https://github.com/LukeSmithxyz/emailwiz/pull/275 -# https://github.com/LukeSmithxyz/emailwiz/issues/265 -mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain - -smtp_tls_security_level = may -smtpd_tls_security_level = may -smtpd_tls_cert_file = /etc/postfix/flylightning.pem -smtpd_tls_key_file = /etc/postfix/flylightning.key - -# Here we tell Postfix to look to Dovecot for authenticating users/passwords. -# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth -smtpd_sasl_auth_enable = yes -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth - -# NOTE: the trailing slash here, or for any directory name in the home_mailbox -# command, is necessary as it distinguishes a maildir (which is the actual -# directory that we want) from a spoolfile (which is what old unix boomers want -# and no one else). -home_mailbox = Mail/Inbox/ - -# https://wiki.archlinux.org/title/OpenDKIM -non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock -smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock - -# more emailwiz configs, maybe useful: - -# TLS required for authentication. -#smtpd_tls_auth_only = yes - -# Exclude insecure and obsolete encryption protocols. -#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 - -# helo, sender, relay and recipient restrictions -#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre -#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain -#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain -#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination -#smtpd_helo_required = yes -#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname - -# Global Postfix configuration file. This file lists only a subset -# of all parameters. For the syntax, and for a complete parameter -# list, see the postconf(5) manual page (command: "man 5 postconf"). -# -# TIP: use the command "postconf -n" to view main.cf parameter -# settings, "postconf parametername" to view a specific parameter, -# and "postconf 'parametername=value'" to set a specific parameter. -# -# For common configuration examples, see BASIC_CONFIGURATION_README -# and STANDARD_CONFIGURATION_README. To find these documents, use -# the command "postconf html_directory readme_directory", or go to -# https://www.postfix.org/BASIC_CONFIGURATION_README.html etc. -# -# For best results, change no more than 2-3 parameters at a time, -# and test if Postfix still works after every change. - -# COMPATIBILITY -# -# The compatibility_level determines what default settings Postfix -# will use for main.cf and master.cf settings. These defaults will -# change over time. -# -# To avoid breaking things, Postfix will use backwards-compatible -# default settings and log where it uses those old backwards-compatible -# default settings, until the system administrator has determined -# if any backwards-compatible default settings need to be made -# permanent in main.cf or master.cf. -# -# When this review is complete, update the compatibility_level setting -# below as recommended in the RELEASE_NOTES file. -# -# The level below is what should be used with new (not upgrade) installs. -# -compatibility_level = 3.10 - -# SOFT BOUNCE -# -# The soft_bounce parameter provides a limited safety net for -# testing. When soft_bounce is enabled, mail will remain queued that -# would otherwise bounce. This parameter disables locally-generated -# bounces, and prevents the SMTP server from rejecting mail permanently -# (by changing 5xx replies into 4xx replies). However, soft_bounce -# is no cure for address rewriting mistakes or mail routing mistakes. -# -#soft_bounce = no - -# LOCAL PATHNAME INFORMATION -# -# The queue_directory specifies the location of the Postfix queue. -# This is also the root directory of Postfix daemons that run chrooted. -# See the files in examples/chroot-setup for setting up Postfix chroot -# environments on different UNIX systems. -# -queue_directory = /var/spool/postfix - -# The command_directory parameter specifies the location of all -# postXXX commands. -# -command_directory = /usr/bin - -# The daemon_directory parameter specifies the location of all Postfix -# daemon programs (i.e. programs listed in the master.cf file). This -# directory must be owned by root. -# -daemon_directory = /usr/lib/postfix/bin - -# The data_directory parameter specifies the location of Postfix-writable -# data files (caches, random numbers). This directory must be owned -# by the mail_owner account (see below). -# -data_directory = /var/lib/postfix - -# QUEUE AND PROCESS OWNERSHIP -# -# The mail_owner parameter specifies the owner of the Postfix queue -# and of most Postfix daemon processes. Specify the name of a user -# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS -# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In -# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED -# USER. -# -mail_owner = postfix - -# The default_privs parameter specifies the default rights used by -# the local delivery agent for delivery to external file or command. -# These rights are used in the absence of a recipient user context. -# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. -# -#default_privs = nobody - -# INTERNET HOST AND DOMAIN NAMES -# -# The myhostname parameter specifies the internet hostname of this -# mail system. The default is to use the fully-qualified domain name -# from gethostname(). $myhostname is used as a default value for many -# other configuration parameters. -# -#myhostname = host.domain.tld -#myhostname = virtual.domain.tld - -# The mydomain parameter specifies the local internet domain name. -# The default is to use $myhostname minus the first component. -# $mydomain is used as a default value for many other configuration -# parameters. -# -#mydomain = domain.tld - -# SENDING MAIL -# -# The myorigin parameter specifies the domain that locally-posted -# mail appears to come from. The default is to append $myhostname, -# which is fine for small sites. If you run a domain with multiple -# machines, you should (1) change this to $mydomain and (2) set up -# a domain-wide alias database that aliases each user to -# user@that.users.mailhost. -# -# For the sake of consistency between sender and recipient addresses, -# myorigin also specifies the default domain name that is appended -# to recipient addresses that have no @domain part. -# -#myorigin = $myhostname -#myorigin = $mydomain - -# RECEIVING MAIL - -# The inet_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on. By default, -# the software claims all active interfaces on the machine. The -# parameter also controls delivery of mail to user@[ip.address]. -# -# See also the proxy_interfaces parameter, for network addresses that -# are forwarded to us via a proxy or network address translator. -# -# Note: you need to stop/start Postfix when this parameter changes. -# -#inet_interfaces = all -#inet_interfaces = $myhostname -#inet_interfaces = $myhostname, localhost - -# The proxy_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on by way of a -# proxy or network address translation unit. This setting extends -# the address list specified with the inet_interfaces parameter. -# -# You must specify your proxy/NAT addresses when your system is a -# backup MX host for other domains, otherwise mail delivery loops -# will happen when the primary MX host is down. -# -#proxy_interfaces = -#proxy_interfaces = 1.2.3.4 - -# The mydestination parameter specifies the list of domains that this -# machine considers itself the final destination for. -# -# These domains are routed to the delivery agent specified with the -# local_transport parameter setting. By default, that is the UNIX -# compatible delivery agent that lookups all recipients in /etc/passwd -# and /etc/aliases or their equivalent. -# -# The default is $myhostname + localhost.$mydomain + localhost. On -# a mail domain gateway, you should also include $mydomain. -# -# Do not specify the names of virtual domains - those domains are -# specified elsewhere (see VIRTUAL_README). -# -# Do not specify the names of domains that this machine is backup MX -# host for. Specify those names via the relay_domains settings for -# the SMTP server, or use permit_mx_backup if you are lazy (see -# STANDARD_CONFIGURATION_README). -# -# The local machine is always the final destination for mail addressed -# to user@[the.net.work.address] of an interface that the mail system -# receives mail on (see the inet_interfaces parameter). -# -# Specify a list of host or domain names, /file/name or type:table -# patterns, separated by commas and/or whitespace. A /file/name -# pattern is replaced by its contents; a type:table is matched when -# a name matches a lookup key (the right-hand side is ignored). -# Continue long lines by starting the next line with whitespace. -# -# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". -# -#mydestination = $myhostname, localhost.$mydomain, localhost -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, -# mail.$mydomain, www.$mydomain, ftp.$mydomain - -# REJECTING MAIL FOR UNKNOWN LOCAL USERS -# -# The local_recipient_maps parameter specifies optional lookup tables -# with all names or addresses of users that are local with respect -# to $mydestination, $inet_interfaces or $proxy_interfaces. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown local users. This parameter is defined by default. -# -# To turn off local recipient checking in the SMTP server, specify -# local_recipient_maps = (i.e. empty). -# -# The default setting assumes that you use the default Postfix local -# delivery agent for local delivery. You need to update the -# local_recipient_maps setting if: -# -# - You define $mydestination domain recipients in files other than -# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in -# the $virtual_mailbox_maps files. -# -# - You redefine the local delivery agent in master.cf. -# -# - You redefine the "local_transport" setting in main.cf. -# -# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" -# feature of the Postfix local delivery agent (see local(8)). -# -# Details are described in the LOCAL_RECIPIENT_README file. -# -# Beware: if the Postfix SMTP server runs chrooted, you probably have -# to access the passwd file via the proxymap service, in order to -# overcome chroot restrictions. The alternative, having a copy of -# the system passwd file in the chroot jail is just not practical. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify a bare username, an @domain.tld -# wild-card, or specify a user@domain.tld address. -# -#local_recipient_maps = unix:passwd.byname $alias_maps -#local_recipient_maps = proxy:unix:passwd.byname $alias_maps -#local_recipient_maps = - -# The unknown_local_recipient_reject_code specifies the SMTP server -# response code when a recipient domain matches $mydestination or -# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty -# and the recipient address or address local-part is not found. -# -# The default setting is 550 (reject mail) but it is safer to start -# with 450 (try again later) until you are certain that your -# local_recipient_maps settings are OK. -# -unknown_local_recipient_reject_code = 550 - -# TRUST AND RELAY CONTROL - -# The mynetworks parameter specifies the list of "trusted" SMTP -# clients that have more privileges than "strangers". -# -# In particular, "trusted" SMTP clients are allowed to relay mail -# through Postfix. See the smtpd_recipient_restrictions parameter -# in postconf(5). -# -# You can specify the list of "trusted" network addresses by hand -# or you can let Postfix do it for you (which is the default). -# -# By default (mynetworks_style = host), Postfix "trusts" only -# the local machine. -# -# Specify "mynetworks_style = subnet" when Postfix should "trust" -# SMTP clients in the same IP subnetworks as the local machine. -# On Linux, this works correctly only with interfaces specified -# with the "ifconfig" or "ip" command. -# -# Specify "mynetworks_style = class" when Postfix should "trust" SMTP -# clients in the same IP class A/B/C networks as the local machine. -# Don't do this with a dialup site - it would cause Postfix to "trust" -# your entire provider's network. Instead, specify an explicit -# mynetworks list by hand, as described below. -# -# Specify "mynetworks_style = host" when Postfix should "trust" -# only the local machine. -# -#mynetworks_style = class -#mynetworks_style = subnet -#mynetworks_style = host - -# Alternatively, you can specify the mynetworks list by hand, in -# which case Postfix ignores the mynetworks_style setting. -# -# Specify an explicit list of network/netmask patterns, where the -# mask specifies the number of bits in the network part of a host -# address. -# -# You can also specify the absolute pathname of a pattern file instead -# of listing the patterns here. Specify type:table for table-based lookups -# (the value on the table right-hand side is not used). -# -#mynetworks = 168.100.3.0/28, 127.0.0.0/8 -#mynetworks = $config_directory/mynetworks -#mynetworks = hash:/etc/postfix/network_table - -# The relay_domains parameter restricts what destinations this system will -# relay mail to. See the smtpd_relay_restrictions and -# smtpd_recipient_restrictions descriptions in postconf(5) for detailed -# information. -# -# By default, Postfix relays mail -# - from "trusted" clients (IP address matches $mynetworks, or is -# SASL authenticated) to any destination, -# - from "untrusted" clients to destinations that match $relay_domains or -# subdomains thereof, except addresses with sender-specified routing. -# The default relay_domains value is empty. -# -# In addition to the above, the Postfix SMTP server by default accepts mail -# that Postfix is final destination for: -# - destinations that match $inet_interfaces or $proxy_interfaces, -# - destinations that match $mydestination -# - destinations that match $virtual_alias_domains, -# - destinations that match $virtual_mailbox_domains. -# These destinations do not need to be listed in $relay_domains. -# -# Specify a list of hosts or domains, /file/name patterns or type:name -# lookup tables, separated by commas and/or whitespace. Continue -# long lines by starting the next line with whitespace. A file name -# is replaced by its contents; a type:name table is matched when a -# (parent) domain appears as lookup key. -# -# NOTE: Postfix will not automatically forward mail for domains that -# list this system as their primary or backup MX host. See the -# permit_mx_backup restriction description in postconf(5). -# -#relay_domains = - -# INTERNET OR INTRANET - -# The relayhost parameter specifies the default host to send mail to -# when no entry is matched in the optional transport(5) table. When -# no relayhost is given, mail is routed directly to the destination. -# -# On an intranet, specify the organizational domain name. If your -# internal DNS uses no MX records, specify the name of the intranet -# gateway host instead. -# -# In the case of SMTP, specify a domain, host, host:port, [host]:port, -# [address] or [address]:port; the form [host] turns off MX lookups. -# -# If you're connected via UUCP, see also the default_transport parameter. -# -#relayhost = $mydomain -#relayhost = [gateway.my.domain] -#relayhost = [mailserver.isp.tld] -#relayhost = uucphost -#relayhost = [an.ip.add.ress] - -# REJECTING UNKNOWN RELAY USERS -# -# The relay_recipient_maps parameter specifies optional lookup tables -# with all addresses in the domains that match $relay_domains. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown relay users. This feature is off by default. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify an @domain.tld wild-card, or specify -# a user@domain.tld address. -# -#relay_recipient_maps = hash:/etc/postfix/relay_recipients - -# INPUT RATE CONTROL -# -# The in_flow_delay configuration parameter implements mail input -# flow control. This feature is turned on by default, although it -# still needs further development (it's disabled on SCO UNIX due -# to an SCO bug). -# -# A Postfix process will pause for $in_flow_delay seconds before -# accepting a new message, when the message arrival rate exceeds the -# message delivery rate. With the default 100 SMTP server process -# limit, this limits the mail inflow to 100 messages a second more -# than the number of messages delivered per second. -# -# Specify 0 to disable the feature. Valid delays are 0..10. -# -#in_flow_delay = 1s - -# ADDRESS REWRITING -# -# The ADDRESS_REWRITING_README document gives information about -# address masquerading or other forms of address rewriting including -# username->Firstname.Lastname mapping. - -# ADDRESS REDIRECTION (VIRTUAL DOMAIN) -# -# The VIRTUAL_README document gives information about the many forms -# of domain hosting that Postfix supports. - -# "USER HAS MOVED" BOUNCE MESSAGES -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# TRANSPORT MAP -# -# See the discussion in the ADDRESS_REWRITING_README document. - -# ALIAS DATABASE -# -# The alias_maps parameter specifies the list of alias databases used -# by the local delivery agent. The default list is system dependent. -# -# On systems with NIS, the default is to search the local alias -# database, then the NIS alias database. See aliases(5) for syntax -# details. -# -# If you change the alias database, run "postalias /etc/aliases" (or -# wherever your system stores the mail alias file), or simply run -# "newaliases" to build the necessary DBM or DB file. -# -# It will take a minute or so before changes become visible. Use -# "postfix reload" to eliminate the delay. -# -#alias_maps = dbm:/etc/aliases -#alias_maps = hash:/etc/aliases -#alias_maps = hash:/etc/aliases, nis:mail.aliases -#alias_maps = netinfo:/aliases -alias_maps = lmdb:/etc/postfix/aliases - -# The alias_database parameter specifies the alias database(s) that -# are built with "newaliases" or "sendmail -bi". This is a separate -# configuration parameter, because alias_maps (see above) may specify -# tables that are not necessarily all under control by Postfix. -# -#alias_database = dbm:/etc/aliases -#alias_database = dbm:/etc/mail/aliases -#alias_database = hash:/etc/aliases -#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases -alias_database = $alias_maps - -# ADDRESS EXTENSIONS (e.g., user+foo) -# -# The recipient_delimiter parameter specifies the separator between -# user names and address extensions (user+foo). See canonical(5), -# local(8), relocated(5) and virtual(5) for the effects this has on -# aliases, canonical, virtual, relocated and .forward file lookups. -# Basically, the software tries user+foo and .forward+foo before -# trying user and .forward. -# -#recipient_delimiter = + - -# DELIVERY TO MAILBOX -# -# The home_mailbox parameter specifies the optional pathname of a -# mailbox file relative to a user's home directory. The default -# mailbox file is /var/spool/mail/user or /var/mail/user. Specify -# "Maildir/" for qmail-style delivery (the / is required). -# -#home_mailbox = Mailbox -#home_mailbox = Maildir/ - -# The mail_spool_directory parameter specifies the directory where -# UNIX-style mailboxes are kept. The default setting depends on the -# system type. -# -#mail_spool_directory = /var/mail -#mail_spool_directory = /var/spool/mail - -# The mailbox_command parameter specifies the optional external -# command to use instead of mailbox delivery. The command is run as -# the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_privs. -# -# Other environment variables of interest: USER (recipient username), -# EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). -# -# Unlike other Postfix configuration parameters, the mailbox_command -# parameter is not subjected to $parameter substitutions. This is to -# make it easier to specify shell syntax (see example below). -# -# Avoid shell meta characters because they will force Postfix to run -# an expensive shell process. Procmail alone is expensive enough. -# -# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN -# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. -# -#mailbox_command = /some/where/procmail -#mailbox_command = /some/where/procmail -a "$EXTENSION" - -# The mailbox_transport specifies the optional transport in master.cf -# to use after processing aliases and .forward files. This parameter -# has precedence over the mailbox_command, fallback_transport and -# luser_relay parameters. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" -# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. -#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp -# -# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and -# subsequent line in master.cf. -#mailbox_transport = cyrus - -# The fallback_transport specifies the optional transport in master.cf -# to use for recipients that are not found in the UNIX passwd database. -# This parameter has precedence over the luser_relay parameter. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#fallback_transport = lmtp:unix:/file/name -#fallback_transport = cyrus -#fallback_transport = - -# The luser_relay parameter specifies an optional destination address -# for unknown recipients. By default, mail for unknown@$mydestination, -# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned -# as undeliverable. -# -# The following expansions are done on luser_relay: $user (recipient -# username), $shell (recipient shell), $home (recipient home directory), -# $recipient (full recipient address), $extension (recipient address -# extension), $domain (recipient domain), $local (entire recipient -# localpart), $recipient_delimiter. Specify ${name?value} or -# ${name:value} to expand value only when $name does (does not) exist. -# -# luser_relay works only for the default Postfix local delivery agent. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#luser_relay = $user@other.host -#luser_relay = $local@other.host -#luser_relay = admin+$local - -# JUNK MAIL CONTROLS -# -# The controls listed here are only a very small subset. The file -# SMTPD_ACCESS_README provides an overview. - -# The header_checks parameter specifies an optional table with patterns -# that each logical message header is matched against, including -# headers that span multiple physical lines. -# -# By default, these patterns also apply to MIME headers and to the -# headers of attached messages. With older Postfix versions, MIME and -# attached message headers were treated as body text. -# -# For details, see "man header_checks". -# -#header_checks = regexp:/etc/postfix/header_checks - -# FAST ETRN SERVICE -# -# Postfix maintains per-destination logfiles with information about -# deferred mail, so that mail can be flushed quickly with the SMTP -# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". -# See the ETRN_README document for a detailed description. -# -# The fast_flush_domains parameter controls what destinations are -# eligible for this service. By default, they are all domains that -# this server is willing to relay mail to. -# -#fast_flush_domains = $relay_domains - -# SHOW SOFTWARE VERSION OR NOT -# -# The smtpd_banner parameter specifies the text that follows the 220 -# code in the SMTP server's greeting banner. Some people like to see -# the mail version advertised. By default, Postfix shows no version. -# -# You MUST specify $myhostname at the start of the text. That is an -# RFC requirement. Postfix itself does not care. -# -#smtpd_banner = $myhostname ESMTP $mail_name -#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) - -# PARALLEL DELIVERY TO THE SAME DESTINATION -# -# How many parallel deliveries to the same user or domain? With local -# delivery, it does not make sense to do massively parallel delivery -# to the same user, because mailbox updates must happen sequentially, -# and expensive pipelines in .forward files can cause disasters when -# too many are run at the same time. With SMTP deliveries, 10 -# simultaneous connections to the same domain could be sufficient to -# raise eyebrows. -# -# Each message delivery transport has its XXX_destination_concurrency_limit -# parameter. The default is $default_destination_concurrency_limit for -# most delivery transports. For the local delivery agent the default is 2. - -#local_destination_concurrency_limit = 2 -#default_destination_concurrency_limit = 20 - -# DEBUGGING CONTROL -# -# The debug_peer_level parameter specifies the increment in verbose -# logging level when an SMTP client or server host name or address -# matches a pattern in the debug_peer_list parameter. -# -debug_peer_level = 2 - -# The debug_peer_list parameter specifies an optional list of domain -# or network patterns, /file/name patterns or type:name tables. When -# an SMTP client or server host name or address matches a pattern, -# increase the verbose logging level by the amount specified in the -# debug_peer_level parameter. -# -#debug_peer_list = 127.0.0.1 -#debug_peer_list = some.domain - -# The debugger_command specifies the external command that is executed -# when a Postfix daemon program is run with the -D option. -# -# Use "command .. & sleep 5" so that the debugger can attach before -# the process marches on. If you use an X-based debugger, be sure to -# set up your XAUTHORITY environment variable before starting Postfix. -# -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 - -# If you can't use X, use this to capture the call stack when a -# daemon crashes. The result is in a file in the configuration -# directory, and is named after the process name and the process ID. -# -# debugger_command = -# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; -# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 -# >$config_directory/$process_name.$process_id.log & sleep 5 -# -# Another possibility is to run gdb under a detached screen session. -# To attach to the screen session, su root and run "screen -r -# " where uniquely matches one of the detached -# sessions (from "screen -list"). -# -# debugger_command = -# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen -# -dmS $process_name gdb $daemon_directory/$process_name -# $process_id & sleep 1 - -# INSTALL-TIME CONFIGURATION INFORMATION -# -# The following parameters are used when installing a new Postfix version. -# -# sendmail_path: The full pathname of the Postfix sendmail command. -# This is the Sendmail-compatible mail posting interface. -# -sendmail_path = /usr/bin/sendmail - -# newaliases_path: The full pathname of the Postfix newaliases command. -# This is the Sendmail-compatible command to build alias databases. -# -newaliases_path = /usr/bin/newaliases - -# mailq_path: The full pathname of the Postfix mailq command. This -# is the Sendmail-compatible mail queue listing command. -# -mailq_path = /usr/bin/mailq - -# setgid_group: The group for mail submission and queue management -# commands. This must be a group name with a numerical group ID that -# is not shared with other accounts, not even with the Postfix account. -# -setgid_group = postdrop - -# html_directory: The location of the Postfix HTML documentation. -# -html_directory = no - -# manpage_directory: The location of the Postfix on-line manual pages. -# -manpage_directory = /usr/share/man - -# sample_directory: The location of the Postfix sample configuration files. -# This parameter is obsolete as of Postfix 2.1. -# -sample_directory = /etc/postfix - -# readme_directory: The location of the Postfix README files. -# -readme_directory = /usr/share/doc/postfix -inet_protocols = ipv4 -meta_directory = /etc/postfix -shlib_directory = /usr/lib/postfix diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf deleted file mode 100644 index 195327d4..00000000 --- a/etc/postfix/master.cf +++ /dev/null @@ -1,154 +0,0 @@ -# I follow these guides: -# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving) - -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master" or -# on-line: https://www.postfix.org/master.5.html). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (no) (never) (100) -# ========================================================================== -smtp inet n - n - - smtpd -#smtp inet n - n - 1 postscreen -#smtpd pass - - n - - smtpd -#dnsblog unix - - n - 0 dnsblog -#tlsproxy unix - - n - 0 tlsproxy -# Choose one: enable submission for loopback clients only, or for any client. -#127.0.0.1:submission inet n - n - - smtpd -submission inet n - n - - smtpd - -o syslog_name=postfix/submission -# -o smtpd_forbid_unauth_pipelining=no - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_tls_auth_only=yes -# -o local_header_rewrite_clients=static:all - -o smtpd_hide_client_session=yes - -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd__restrictions here, -# specify "smtpd__restrictions=$mua__restrictions" -# here, and specify mua__restrictions in main.cf (where -# "" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= -# -o smtpd_sender_restrictions= - -o smtpd_relay_restrictions= - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -# Choose one: enable submissions for loopback clients only, or for any client. -#127.0.0.1:submissions inet n - n - - smtpd -submissions inet n - n - - smtpd - -o syslog_name=postfix/submissions -# -o smtpd_forbid_unauth_pipelining=no - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes -# -o local_header_rewrite_clients=static:all - -o smtpd_hide_client_session=yes - -o smtpd_reject_unlisted_recipient=no -# Instead of specifying complex smtpd__restrictions here, -# specify "smtpd__restrictions=$mua__restrictions" -# here, and specify mua__restrictions in main.cf (where -# "" is "client", "helo", "sender", "relay", or "recipient"). -# -o smtpd_client_restrictions= -# -o smtpd_helo_restrictions= -# -o smtpd_sender_restrictions= - -o smtpd_relay_restrictions= - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -#628 inet n - n - - qmqpd -pickup unix n - n 60 1 pickup -cleanup unix n - n - 0 cleanup -qmgr unix n - n 300 1 qmgr -#qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - n - - smtp -relay unix - - n - - smtp - -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -scache unix - - n - 1 scache -postlog unix-dgram n - n - 1 postlogd -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -#maildrop unix - n n - - pipe -# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -#uucp unix - n n - - pipe -# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# ==================================================================== -# -# Other external delivery methods. -# -#ifmail unix - n n - - pipe -# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -# -#bsmtp unix - n n - - pipe -# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient -# -#scalemail-backend unix - n n - 2 pipe -# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store -# ${nexthop} ${user} ${extension} -# -#mailman unix - n n - - pipe -# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py -# ${nexthop} ${user} diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network deleted file mode 100644 index 70765533..00000000 --- a/etc/systemd/network/10-cloud-init-eth0.network +++ /dev/null @@ -1,38 +0,0 @@ -# not fully understood -# https://unix.stackexchange.com/q/509430/ -# man `systemd.network` -# https://superuser.com/q/1562380 -# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html - -[Match] -Name=eth0 - -[Network] -IPv6AcceptRA=false - -[Address] -Address=216.126.232.27/22 - -[Address] -Address=2606:a8c0:3::75f/128 - -[Address] -# another ipv6 address for aa wireguard+swgp into -# not sure if it is corret, but it works -Address=2606:a8c0:3:773::b/64 - -[Address] -# the last address seems is the default? -# ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address -# 2024-06-27, ...:1/64 seems doe not work any more, not sure why -Address=2606:a8c0:3:773::a/64 -# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380 -#Address=2606:a8c0:3:773::a/48 - -[Route] -Gateway=216.126.232.1 - -[Route] -Gateway=2606:a8c0:3::1 -# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419 -GatewayOnLink=yes diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network new file mode 100644 index 00000000..b1b56f25 --- /dev/null +++ b/etc/systemd/network/default.network @@ -0,0 +1,6 @@ +[Match] +Name=eth0 + +[Network] +Gateway=198.176.49.1 +Address=198.176.49.213/24 diff --git a/etc/systemd/system/acme.sh.service.d/override.conf b/etc/systemd/system/acme.sh.service.d/override.conf deleted file mode 100644 index 722f60a6..00000000 --- a/etc/systemd/system/acme.sh.service.d/override.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix diff --git a/etc/systemd/system/opendmarc.service.d/override.conf b/etc/systemd/system/opendmarc.service.d/override.conf deleted file mode 100644 index 40ab443c..00000000 --- a/etc/systemd/system/opendmarc.service.d/override.conf +++ /dev/null @@ -1,4 +0,0 @@ -# https://wiki.archlinux.org/title/OpenDMARC -[Service] -Group= -Group=postfix diff --git a/etc/systemd/system/paccache.service.d/10-remove-all.conf b/etc/systemd/system/paccache.service.d/10-remove-all.conf new file mode 100644 index 00000000..6aa29dc2 --- /dev/null +++ b/etc/systemd/system/paccache.service.d/10-remove-all.conf @@ -0,0 +1,8 @@ +[Service] +# may need `sudo systemctl daemon-reload` afterward +# need a line of `ExecStart=` to clear the list first, +# more about drop-in dir see `man systemd.unit`, more about ExecStart see `man systemd.service` +# https://wiki.archlinux.org/title/Systemd#Drop-in_files +# https://wiki.archlinux.org/title/Systemd#Examples +ExecStart= +ExecStart=/usr/bin/paccache -rk0 diff --git a/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf b/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf deleted file mode 100644 index 38d3c2d0..00000000 --- a/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf +++ /dev/null @@ -1,9 +0,0 @@ -[Service] -# keep original `ExecStart=/usr/bin/paccache -r` while adding to the list -# because I want the default behavior and also remove all uninstalled pacman package cache -# may need `sudo systemctl daemon-reload` afterward -# if I want to clear the list first, I should do a line of `ExecStart=` first -# more about drop-in dir see `man systemd.unit`, more about ExecStart see `man systemd.service` -# https://wiki.archlinux.org/title/Systemd#Drop-in_files -# https://wiki.archlinux.org/title/Systemd#Examples -ExecStart=/usr/bin/paccache -ruk0 diff --git a/etc/tmpfiles.d/opendmarc.conf b/etc/tmpfiles.d/opendmarc.conf deleted file mode 100644 index 126d2922..00000000 --- a/etc/tmpfiles.d/opendmarc.conf +++ /dev/null @@ -1 +0,0 @@ -D /run/opendmarc 0750 opendmarc postfix diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index e371e758..1224fcb3 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -29,7 +29,7 @@ esac # tput is better for different terminals? # but also need \[ and \] around color code for PS1! but seems no need for printf in script? why? # setaf and sgr0 see `man terminfo`, also it seems can have 256 different colors -PS1="\[$(tput setaf 6)\][\u@\h \W]\$ \[$(tput sgr0)\]" +PS1="\[$(tput setaf 3)\][\u@\h \W]\$ \[$(tput sgr0)\]" # https://github.com/LukeSmithxyz/voidrice/blob/master/.config/shell/aliasrc for cmd in hardcode-fixer ventoy units_cur fbgrab powertop nft rpi-imager fdisk dmesg; do diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index 1ae88691..d93ec650 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -1,5 +1,4 @@ absolutely-proprietary -acme.sh-systemd atool2-git bash-complete-alias dashbinsh diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 1996e583..717fc767 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -2,10 +2,8 @@ base base-devel bash-completion -btrfs-progs dash devtools -dovecot fastfetch fio fsh-git @@ -20,15 +18,12 @@ lf linux lostfiles lsof -mailutils man-pages moreutils neovim nethogs nftables openbsd-netcat -opendkim -opendmarc openssh pacman-contrib pax-utils diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye index a47a970f..36172544 100644 --- a/home/xyz/.config/myconf/sye +++ b/home/xyz/.config/myconf/sye @@ -1,10 +1,6 @@ UNIT FILE STATE PRESET -dovecot.service enabled disabled getty@.service enabled enabled nftables.service enabled disabled -opendkim.service enabled disabled -opendmarc.service enabled disabled -postfix.service enabled disabled sshd.service enabled disabled swgp-go.service enabled disabled systemd-network-generator.service enabled enabled @@ -16,8 +12,7 @@ systemd-timesyncd.service enabled enabled systemd-networkd.socket enabled disabled systemd-userdbd.socket enabled enabled remote-fs.target enabled enabled -acme.sh.timer enabled disabled paccache.timer enabled disabled pacman-filesdb-refresh.timer enabled disabled -20 unit files listed. +15 unit files listed. -- cgit v1.2.3-70-g09d2