Current File : //etc/postfix/main.cf
# generated by Ansible role ndn_postfix

###########################################################
### Basic info about where this machine sits in the network.

# WHOAMI, FQDN
myhostname = vps28280.dreamhostps.com

# IPs to bind to
# NOTE(review): "all" makes Postfix listen on every interface of the host.
# Any narrowing of who can reach port 25 has to come from master.cf or a
# firewall, neither of which is visible in this file.
inet_interfaces = all
# Use IPv4 only for now. IPv6 is a separate project.
inet_protocols = ipv4

# Send all mail through a specified mail server, don't send directly to recipient.
# relayhost is empty in this rendering, so no smarthost is configured and
# outbound mail is delivered directly (unless a transport map, not set here,
# says otherwise).
relayhost = 
# Client-side SASL (authenticating to a relayhost) is disabled, so the
# password map below is not consulted. If it is ever enabled, that file holds
# relay credentials in cleartext: keep it and its .db root-owned and 0600.
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password_maps

# Send all deferred mail to a separate server to retry delivery.
# Empty here: deferred mail stays in the local queue and is retried from this host.
smtp_fallback_relay = 



###########################################################
### Local executable & filesystem settings.

# Custom wording for bounce / delay notifications.
bounce_template_file = /etc/postfix/bounce.cf
# Entropy source used to seed the TLS pseudo-random number generator.
tls_random_source = dev:/dev/urandom
# Use longer message IDs, so they get reused less often.
# This makes queue IDs easier to correlate across logs over long periods.
enable_long_queue_ids = yes

###########################################################
### Settings used for local email delivery to local users

# Allow user+tag@domain.tld
recipient_delimiter = +
# Empty: an unmatched +tag is not carried over onto the result of
# alias / forward / virtual lookups.
propagate_unmatched_extensions = 

# delivery via maildir (versus mbox)
# The trailing slash is what selects Maildir format.
home_mailbox = Maildir/
# make sure home_dir exists (in case of nfs funkiness!)
require_home_directory = yes

# Allowed filenames to control forwarding to ex procmail.
# NOTE(review): these files are user-writable and can name commands or files
# as delivery targets. Whether those targets are honoured depends on
# allow_mail_to_commands / allow_mail_to_files, which are not set in this
# file, so the Postfix defaults apply. Confirm that is intended.
forward_path = $home/.forward, $home/.forward.postfix

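###########################################################
### Settings that affect what emails are accepted for users here.

# List of our BFFs, trusted networks allowed to send mail out or relay mail through here
# without facing the spanish inquisition.
# NOTE(review): this list is the relay trust boundary (permit_mynetworks).
# $inet_interfaces expands to the literal word "all" (see inet_interfaces
# above), which is an interface selector, not a network. Check what Postfix
# makes of this value with "postconf mynetworks" and the mail log, and prefer
# explicit CIDR ranges (for example 127.0.0.0/8) so the trusted set is
# unambiguous.
mynetworks = localhost $inet_interfaces

# Domains this server is the final destination for: only its own hostname.
# The value is the bare $myhostname reference. A rendering of the form
# "$myhostname = <fqdn>" puts a stray "=" and a duplicate hostname into the
# list; fix the Ansible template as well, or the next run will reintroduce it.
mydestination = $myhostname
# What destination domains this system will relay mail for (and generally treat the same as if the recipient was local).
# Empty: this host relays for no other domains.
relay_domains = 
# Which recipient address/domain to deliver locally.
# Recipients found in neither the aliases nor the passwd database are
# rejected at SMTP time instead of being bounced later.
local_recipient_maps = $alias_maps, unix:passwd.byname
# Email alias info used for local delivery.
alias_maps =  hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# NOTE(review): virtual_maps is the legacy name for virtual_alias_maps and
# only takes effect through the default "virtual_alias_maps = $virtual_maps".
# Because virtual_alias_maps is set to empty on the next line, this table
# appears to be unused. Confirm with "postconf -n".
virtual_maps =  hash:/etc/postfix/virtusertable
virtual_alias_maps = 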
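###########################################################
### Performance settings

# Domains eligible for the fast "flush queue for this site" service: only our
# own hostname. The value is the bare $myhostname reference, without the stray
# "= <fqdn>" suffix the template rendering can append.
fast_flush_domains = $myhostname
# Do not delay accepting new mail, regardless of the message arrival rate.
in_flow_delay = 0

# Max number of parallel deliveries to the same destination.
default_destination_concurrency_limit = 50
# Max number of parallel deliveries to the same local recipient.
local_destination_concurrency_limit = 2
# Max number of parallel deliveries when done via SMTP (ex remote server)
smtp_destination_concurrency_limit = 100

# Max size of Maildir files (implemented via ulimit -f, so it's the size of ANY file postfix/procmail touches)
# Value is in bytes and must not be smaller than message_size_limit.
mailbox_size_limit = 153600000

# Timeout for incoming SMTP connections, in seconds.
smtpd_timeout = 30
# Pause after errors, and limit the number of errors a remote client can make
# before they're disconnected.
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10

# Don't retry sending bounce / nondelivery notifications, once is enough.
# 0 means delivery is attempted exactly once.
bounce_queue_lifetime = 0
# Retry sending regular emails for this long before giving up
maximal_queue_lifetime = 3d
# Min & max amount to delay between delivery reattempts.
minimal_backoff_time = 1m
maximal_backoff_time = 5m
# How often to scan the deferred queue for emails due to be reattempted.
queue_run_delay = 1m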

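###########################################################
### Settings to block possible spam or abuse.

# 40MB limit for total email size
# Value is in bytes and includes envelope and encoding overhead.
message_size_limit = 40960000

# Don't apply header checks to quoted / attached message headers.
nested_header_checks = 

# Disable unused feature that can be abused.
# (user%domain address rewriting, historically a relay-abuse vector)
allow_percent_hack = no
# Disable the SMTP VRFY command to prevent harvesting target addys to spam.
disable_vrfy_command = yes

# Don't advertise the dsn in the EHLO response
# "silent-discard" keeps the discarded keywords out of the log.
smtpd_discard_ehlo_keywords = silent-discard, dsn
# Require a HELO/EHLO before a MAIL transaction.
# This is also what makes smtpd_helo_restrictions reliably enforceable.
smtpd_helo_required = yes

# Domain matches only itself, not a subdomain.
parent_domain_matches_subdomains = 

# security through obscurity, don't mention OS info or postfix version
# The greeting is the bare hostname. A rendering of the form
# "$myhostname = <fqdn>" makes the banner print the hostname twice with a
# stray "=" in between; fix the Ansible template as well.
# Hiding the version only reduces casual fingerprinting; it does not replace
# keeping Postfix patched.
smtpd_banner = $myhostname


# Max number of simultaneous connections from a single client.
smtpd_client_connection_count_limit = 10
# Max connection attempts from a single client per minute.
# NOTE(review): 600 per minute is ten connections per second from one client,
# which is a loose ceiling. Clients matched by mynetworks are exempt from
# these limits by default.
smtpd_client_connection_rate_limit = 600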

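###########################################################
### Encryption

# Record info about any encryption used for incoming mail in the message headers.
# NOTE(review): no smtpd_tls_security_level or smtpd_tls_cert_file appears in
# this file, so inbound STARTTLS does not look to be offered and this header
# would never be added. Confirm with "postconf -n | grep smtpd_tls".
smtpd_tls_received_header = yes

# TLS on outward bound connections
# "may" is opportunistic: TLS is used when the remote server offers it,
# delivery falls back to cleartext when it does not, and the peer certificate
# is not required to verify. Mail is therefore protected against passive
# eavesdropping only, not against an active downgrade or man-in-the-middle.
smtp_tls_security_level = may
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = $smtp_tls_ciphers
# Refuse everything older than TLS 1.2.
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Reuse the client-side list above. Referencing $smtpd_tls_protocols (the
# server-side parameter, which this file never sets) would leave mandatory-TLS
# destinations on the server default rather than the stricter list above.
smtp_tls_mandatory_protocols = $smtp_tls_protocols
# TLS caching for outward connections
# NOTE(review): the file name says "smtpd" although this is the SMTP client
# cache. Harmless while no smtpd cache points at the same file, but
# "smtp_scache" is the conventional name.
smtp_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Root CA certificates
# Only enforced for destinations using a verifying security level; at "may"
# the verification result is logged but does not block delivery.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt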



###########################################################
### Access restrictions applied to various stages of SMTP conversations.

# Each set or class of restrictions are applied in order. The first matching
# permit or reject is used.
#
# http://www.postfix.org/SMTPD_ACCESS_README.html#lists


# Restrictions applied to the HELO/EHLO hostname sent by the client.  These
# should generally not be used where SASL is permitted, because human users
# often have their systems setup with terrible hostname info.
# Permit only applies to this set of restrictions, the other restriction sets
# may still reject.
# Translation:
# * permit our BFFs
# * reject if the hostname is malformed
# * reject if the hostname is not in FQDN or address literal form (required by RFC)
# * reject if the hostname has no DNS A or MX record
# * permit anything that got this far
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    permit

# Restrictions on the recipient, and general relay access.
# TODO at some future point: implement custom smtpd_relay_restrictions for all general relay access restrictions, leaving smtpd_recipient_restrictions just for anti-spam type restrictions.
# NOTE(review): smtpd_relay_restrictions is not set in this file, so on
# Postfix versions that have it the built-in default is evaluated in addition
# to the list below. Open-relay protection here rests on permit_mynetworks
# (see the mynetworks value) and permit_auth_destination followed by the
# final reject, so keep that order.
# Translation:
# * reject if the client jumps the gun with SMTP commands
# * reject if the message does not have a FQDN for the sender & recipient
# * if user info is stored in mysql, check for any recipient access info there
# * if ratelimiting is used here, check_policy_service uses policyd to reject
#     if sending too fast
# * permit our BFFs
# * permit if there was a successful SASL login
# * permit if the recipient is a domain this server delivers or relays for
# * reject by default
# NOTE(review): the mysql and policyd bullets have no matching entry in this
# rendering; the whitespace-only continuation line is presumably where the
# template would emit them. permit_sasl_authenticated is inert while
# smtpd_sasl_auth_enable = no.
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
        
    permit_mynetworks
    permit_sasl_authenticated
    permit_auth_destination
    reject

###########################################################
### Settings for authenticated sending by mail users. http://www.postfix.org/SASL_README.html

# Allow SASL? If this is false, no other SASL settings matter.
# Disabled in this rendering: AUTH is not offered, so the remaining settings
# in this section are dormant.
smtpd_sasl_auth_enable = no
# Must authenticate as a real user, no anonymous users
# NOTE(review): "noanonymous" alone still allows plaintext mechanisms. If SASL
# is ever enabled, pair it with smtpd_tls_auth_only = yes so credentials are
# only accepted over TLS. Inbound TLS is not configured in this file.
smtpd_sasl_security_options = noanonymous
# Record SASL info used in the message headers.
# This puts the authenticated login name into the Received: header, where
# recipients can see it.
smtpd_sasl_authenticated_header = yes

# Use Dovecot to authenticate (postfix cannot do that part itself)
# The path is relative to the Postfix queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Allow repeat AUTH statement in format old/broken clients can understand
broken_sasl_auth_clients = yes

###########################################################
### Misc

# What sorts of messages to notify the postmaster about
# Empty: no postmaster notifications are sent at all, including the
# "resource" and "software" classes that Postfix reports by default.
# Make sure those failures are picked up from the mail log instead.
notify_classes =