From dddbf00aca3f9181d7ce372d6e057e2708e5e9b9 Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Fri, 5 Apr 2024 06:41:43 +0000
Subject: default

---
 etc/opendmarc/opendmarc.conf | 370 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 370 insertions(+)
 create mode 100644 etc/opendmarc/opendmarc.conf

(limited to 'etc/opendmarc')

diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf
new file mode 100644
index 00000000..84ea1a83
--- /dev/null
+++ b/etc/opendmarc/opendmarc.conf
@@ -0,0 +1,370 @@
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2015, The Trusted Domain Project.  All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
+## 
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+## 
+## Renamed in 1.3.0:
+##   ForensicReports became FailureReports
+##   ForensicReportsBcc became FailureReportsBcc
+##   ForensicReportsOnNone became FailureReportsOnNone
+##   ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
+
+##  AuthservID (string)
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.  
+#
+# AuthservID name
+AuthservID HOSTNAME
+
+##  AuthservIDWithJobID { true | false }
+##  	default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+
+##  AutoRestart { true | false }
+##  	default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+##  AutoRestartCount n
+##  	default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+
+##  AutoRestartRate n/t[u]
+##  	default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+##  Background { true | false }
+##  	default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+
+##  BaseDirectory (string)
+##  	default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+##  ChangeRootDirectory (string)
+##  	default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+# 
+# ChangeRootDirectory /var/chroot/opendmarc
+
+##  CopyFailuresTo (string)
+##  	default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+##  DNSTimeout (integer)
+##  	default 5
+## 
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+##  EnableCoredumps { true | false }
+##  	default "false"
+##
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+# 
+# FailureReports false
+
+##  FailureReportsBcc (string)
+##  	default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+# 
+# FailureReportsBcc postmaster@example.coom
+
+##  FailureReportsOnNone { true | false }
+##  	default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+# 
+# FailureReportsOnNone false
+
+##  FailureReportsSentBy string
+##  	default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+# 
+# FailureReportsSentBy USER@HOSTNAME
+
+##  HistoryFile path
+##  	default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/run/opendmarc.dat
+
+##  IgnoreAuthenticatedClients { true | false }
+##  	default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP AUTH) to be ignored by the filter.
+#
+IgnoreAuthenticatedClients true
+
+##  IgnoreHosts path
+##  	default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+##  IgnoreMailFrom domain[,...]
+##  	default (none)
+##
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+##  MilterDebug (integer)
+##  	default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+##  PidFile path
+##  	default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+#
+# PidFile /var/run/opendmarc.pid
+
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# PublicSuffixList path
+
+##  RecordAllMessages { true | false }
+##  	default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
+
+##  RejectFailures { true | false }
+##  	default "false"
+##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+# RejectFailures false
+
+##  ReportCommand string
+##  	default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+##  RequiredHeaders { true | false }
+##  	default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+Socket unix:/var/spool/opendmarc/opendmarc.sock
+
+##  SoftwareHeader { true | false }
+##  	default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+# SoftwareHeader false
+
+##  SPFIgnoreResults { true | false }
+##	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perfrom SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+##  SPFSelfValidate { true | false }
+##	default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+##  Syslog { true | false }
+##  	default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+# Syslog false
+
+##  SyslogFacility facility-name
+##  	default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##  	default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+##  UMask mask
+##  	default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+# UMask 077
+UMask 002
+
+##  UserID user[:group]
+##  	default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+# UserID opendmarc
+# ATTENTION: user and group are enforced throug the systemd service file
-- 
cgit v1.2.3-70-g09d2


From 416a0ca8403db1d0b841b958ad4bc5e93990af5e Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Fri, 5 Apr 2024 12:02:22 +0000
Subject: Add email server configs

References:
https://github.com/LukeSmithxyz/emailwiz
https://landchad.net/
https://wiki.archlinux.org/title/Postfix
https://wiki.archlinux.org/title/Dovecot
https://wiki.archlinux.org/title/OpenDKIM
https://wiki.archlinux.org/title/OpenDMARC

Maybe useful:
https://doc.dovecot.org/settings/core/#dovecot-core-settings
https://workaround.org
https://kyun.host/docs/guides/email
`man postconf.5`

More necessary commands notes see arch_install.md
---
 etc/dovecot/conf.d/10-mail.conf   |  2 +-
 etc/dovecot/conf.d/10-master.conf | 12 ++++----
 etc/dovecot/conf.d/10-ssl.conf    |  8 +++---
 etc/nftables.conf                 | 16 +++++++----
 etc/opendkim/opendkim.conf        | 14 +++++-----
 etc/opendmarc/opendmarc.conf      |  3 +-
 etc/postfix/main.cf               | 59 +++++++++++++++++++++++++++++++++++++++
 etc/postfix/master.cf             | 37 +++++++++++++-----------
 8 files changed, 110 insertions(+), 41 deletions(-)

(limited to 'etc/opendmarc')

diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
index de48f92d..49e70cb9 100644
--- a/etc/dovecot/conf.d/10-mail.conf
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-#mail_location = 
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
index 64fa0f2c..fb03c64c 100644
--- a/etc/dovecot/conf.d/10-master.conf
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -100,16 +100,18 @@ service auth {
   # To give the caller full permissions to lookup all users, set the mode to
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
-  unix_listener auth-userdb {
+  #unix_listener auth-userdb {
     #mode = 0666
     #user = 
     #group = 
-  }
+  #}
 
   # Postfix smtp-auth
-  #unix_listener /var/spool/postfix/private/auth {
-  #  mode = 0666
-  #}
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
 
   # Auth process is run as this user.
   #user = $default_internal_user
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
index ad847664..b9c2263e 100644
--- a/etc/dovecot/conf.d/10-ssl.conf
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -3,14 +3,14 @@
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+ssl = required
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/dovecot.pem
-ssl_key = </etc/ssl/private/dovecot.pem
+ssl_cert = </etc/postfix/flylightning.pem
+ssl_key = </etc/postfix/flylightning.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -51,7 +51,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
-#ssl_dh = </etc/dovecot/dh.pem
+ssl_dh = </etc/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
diff --git a/etc/nftables.conf b/etc/nftables.conf
index bd943c12..c4ca7f45 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -33,12 +33,16 @@ table inet my_table {
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
 		udp dport wireguard accept
-		# email ports
-		#tcp dport smtp accept
-		#udp dport smtp accept
-		# other email ports? seems blocked by crunchbits
-		#tcp dport 465 accept
-		#tcp dport 587 accept
+		# for acme.sh standalone mode builtin webserver to renew ssl cert
+		tcp dport http accept
+		# email related ports
+		tcp dport smtp accept
+		tcp dport pop3 accept
+		tcp dport imap accept
+		tcp dport submissions accept
+		tcp dport submission accept
+		tcp dport imaps accept
+		tcp dport pop3s accept
 
 		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 		counter comment "count any other traffic"
diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf
index fa3559a3..373c7213 100644
--- a/etc/opendkim/opendkim.conf
+++ b/etc/opendkim/opendkim.conf
@@ -127,7 +127,7 @@
 ##  omitted, "simple" is used.  Valid values for each are "simple" and
 ##  "relaxed".
 
-# Canonicalization	simple/simple
+Canonicalization	relaxed/simple
 
 ##  ClockDrift n
 ##  	default 300
@@ -160,7 +160,7 @@
 ##  Specify for which domain(s) signing should be done.  No default; must
 ##  be specified for signing.
 
-Domain			example.com
+Domain flylightning.xyz
 
 ##  DomainKeysCompat { yes | no }
 ##  	default "no"
@@ -245,7 +245,7 @@ Domain			example.com
 ##  SigningTable and KeyTable are used.  No default; must be specified for 
 ##  signing if SigningTable/KeyTable are not in use.
 
-KeyFile			/var/db/dkim/example.private
+KeyFile /etc/opendkim/mail.private
 
 ##  KeyTable dataset
 ##  	default (none)
@@ -570,7 +570,7 @@ KeyFile			/var/db/dkim/example.private
 ##  The name of the selector to use when signing.  No default; must be
 ##  specified for signing.
 
-Selector		my-selector-name
+Selector mail
 
 ##  SenderHeaders 	dataset
 ##  	default (none)
@@ -658,7 +658,7 @@ Selector		my-selector-name
 ##  inet:port			to listen on all interfaces
 ##  local:/path/to/socket	to listen on a UNIX domain socket
 
-Socket			inet:port@localhost
+Socket local:/run/opendkim/opendkim.sock
 
 ##  SoftwareHeader { yes | no }
 ##  	default "no"
@@ -758,7 +758,7 @@ Syslog			Yes
 ##  The system has its own default which will be used (usually 022).
 ##  See the umask(2) man page for more information.
 
-# UMask			022
+UMask 002
 
 ##  Userid userid
 ##  	default (none)
@@ -766,4 +766,4 @@ Syslog			Yes
 ##  Change to user "userid" before starting normal operation?  May include
 ##  a group ID as well, separated from the userid by a colon.
 
-# UserID		userid
+UserID opendkim
diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf
index 84ea1a83..f8d8120c 100644
--- a/etc/opendmarc/opendmarc.conf
+++ b/etc/opendmarc/opendmarc.conf
@@ -286,7 +286,8 @@ IgnoreAuthenticatedClients true
 ##  address is used, it must be enclosed in square brackets.
 #
 # Socket inet:8893@localhost
-Socket unix:/var/spool/opendmarc/opendmarc.sock
+#Socket unix:/var/spool/opendmarc/opendmarc.sock
+Socket unix:/run/opendmarc/opendmarc.sock
 
 ##  SoftwareHeader { true | false }
 ##  	default "false"
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index 1d93a701..0c36d421 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -1,3 +1,62 @@
+# edit configs from:
+# https://wiki.archlinux.org/title/Postfix
+# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
+# https://wiki.archlinux.org/title/OpenDMARC
+# https://wiki.archlinux.org/title/OpenDKIM
+# maybe useful things:
+# `man postconf.5`
+# print config: `postconf`
+# default config: `postconf -d`
+myhostname = mail.flylightning.xyz
+
+# fix "relay access denied" error when receiving emails
+# I choose to follow `man postconf.5` instruction to only add $mydomain
+# emailwiz way add a lot more to mydestination, see:
+# https://github.com/LukeSmithxyz/emailwiz/pull/275
+# https://github.com/LukeSmithxyz/emailwiz/issues/265
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/postfix/flylightning.pem
+smtpd_tls_key_file = /etc/postfix/flylightning.key
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox
+# command, is necessary as it distinguishes a maildir (which is the actual
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
+home_mailbox = Mail/Inbox/
+
+# https://wiki.archlinux.org/title/OpenDKIM
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+
+# more emailwiz configs, maybe useful:
+
+# TLS required for authentication.
+#smtpd_tls_auth_only = yes
+
+# Exclude insecure and obsolete encryption protocols.
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# helo, sender, relay and recipient restrictions
+#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
+#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
+#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
+#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+#smtpd_helo_required = yes
+#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+
 # Global Postfix configuration file. This file lists only a subset
 # of all parameters. For the syntax, and for a complete parameter
 # list, see the postconf(5) manual page (command: "man 5 postconf").
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
index fd282dd2..7ce6e816 100644
--- a/etc/postfix/master.cf
+++ b/etc/postfix/master.cf
@@ -1,3 +1,6 @@
+# I follow these guides:
+# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving)
+
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
@@ -16,13 +19,13 @@ smtp      inet  n       -       n       -       -       smtpd
 #tlsproxy  unix  -       -       n       -       0       tlsproxy
 # Choose one: enable submission for loopback clients only, or for any client.
 #127.0.0.1:submission inet n -   n       -       -       smtpd
-#submission inet n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_tls_auth_only=yes
+submission inet n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_tls_auth_only=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -30,17 +33,17 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 # Choose one: enable submissions for loopback clients only, or for any client.
 #127.0.0.1:submissions inet n  -       n       -       -       smtpd
-#submissions     inet  n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submissions
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
+submissions     inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -48,9 +51,9 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
-- 
cgit v1.2.3-70-g09d2