docker-mailserver/target/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no
append_dot_mydomain = no
readme_directory = no

# Basic configuration
# myhostname =
alias_maps = texthash:/etc/aliases
alias_database = texthash:/etc/aliases
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_CAfile=
#smtp_tls_CAfile=
smtpd_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
tls_preempt_cipherlist = yes
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs

# Settings to prevent SPAM early
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,
    reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
disable_vrfy_command = yes

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# Mail directory
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
virtual_mailbox_domains = /etc/postfix/vhost
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
virtual_alias_maps = texthash:/etc/postfix/virtual

# Additional option for filtering
content_filter = smtp-amavis:[127.0.0.1]:10024

# Milters used by DKIM
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
smtpd_milters = $dkim_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter

# SPF policy settings
policyd-spf_time_limit = 3600

# Remove unwanted headers that reveail our privacy
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`# See /usr/share/postfix/main.cf.dist for a commented, more complete version`

debian stretch slim (#784) * Switch to stretch-slim as base image. - first step correct the testdata, as newer packages are more strict about the mail-structure. * Switch to stretch-slim: correcting the test-environment and the build - add missing build-step to make - clean the userdb aswell - use timeout of netcat, as postgrey would not close the connection - there is 2 extra mail-logs -> assert_output 5 - cosmetic: use "" instead of '' * Switch to stretch-slim: new image: - smaller size - 0 CVEs compared to 11 CVEs in ubuntu 16.04 Image better backport situation - postfix 3.1.6 vs 3.1.0 - fail2ban 0.9.6 vs 0.9.3 ... changes needed because of stretch-slim: - add missing gnupg and iproute2 package - remove non-free rar, unrar-free should do - rsyslog does not add syslog user and has different conf-structure - pyzor command discover was deprecated and is missing in the new stretch package - dovecot does not know SSLv2 anymore. removed because of warnings in log - iptables does not know imap3, IMAP working group chose imap2 in favor of imap3 * Switch to debian stretch slim: SSLv2 seems to be a not known protocol anymore - good! * switch to debian stretch slim: make this test more stable. there might be more than only one mail.log (mail.info, mail.warn, ...) * switch to debian stretc slim: new openssl 1.1.0 needs stronger ciphers, removed some weekers ones. Please, look through the new list of cipher! this needs to be done in another commit for all other SSL/TLS-Endpoints aswell. * Switch to debian stretch slim: let our server pre-empt the cipher list. Did a read through, wwwDOTpostfixDOTorg/FORWARD_SECRECY_READMEDOThtml and wwwDOTpostfixDOTorg/TLS_READMEDOThtml * Switch to debian stretch slim: lets give this openssl-based test a new and independent but identical container. many other test on the main 'mail' container might interfere here. * Switch to debian stretch slim: remove unused lines 2017-12-31 12:33:48 +01:00			`smtpd_banner = $myhostname ESMTP $mail_name (Debian)`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`biff = no`
			`append_dot_mydomain = no`
			`readme_directory = no`

			`# Basic configuration`
Hardening TLS ciphers (#492) * Hardening Dovecot TLS ciphers * Mitigate Logjam vulnerability on Dovecot * Mitigate Logjam vulnerability on Postfix * Add Nmap tests of PCI compliance for Postfix and Dovecot * Increase sleep duration on Makefile steps to avoid races 2017-01-25 14:10:40 +01:00			`# myhostname =`
use "texthash" Postfix database format instead of "hash" 2016-11-15 20:48:09 +01:00			`alias_maps = texthash:/etc/aliases`
			`alias_database = texthash:/etc/aliases`
Hardening TLS ciphers (#492) * Hardening Dovecot TLS ciphers * Mitigate Logjam vulnerability on Dovecot * Mitigate Logjam vulnerability on Postfix * Add Nmap tests of PCI compliance for Postfix and Dovecot * Increase sleep duration on Makefile steps to avoid races 2017-01-25 14:10:40 +01:00			`mydestination =`
			`relayhost =`
Adding the PERMIT_DOCKER option (#270) * Adding the PERMIT_DOCKER option See README.md for more informations * Adding some test for PERMIT_DOCKER option * Fix test cases * Opendkim and Openmarc configuration Fix docker network range Adding opendkim and openmarc configuration * Adding some options for tests * Update log message * Update tests 2016-08-21 22:10:13 +02:00			`mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`mailbox_size_limit = 0`
			`recipient_delimiter = +`
			`inet_interfaces = all`
			`inet_protocols = all`

			`# TLS parameters`
			`smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`
			`smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key`
			`#smtpd_tls_CAfile=`
			`#smtp_tls_CAfile=`
			`smtpd_tls_security_level = may`
			`smtpd_use_tls=yes`
debian stretch slim (#784) * Switch to stretch-slim as base image. - first step correct the testdata, as newer packages are more strict about the mail-structure. * Switch to stretch-slim: correcting the test-environment and the build - add missing build-step to make - clean the userdb aswell - use timeout of netcat, as postgrey would not close the connection - there is 2 extra mail-logs -> assert_output 5 - cosmetic: use "" instead of '' * Switch to stretch-slim: new image: - smaller size - 0 CVEs compared to 11 CVEs in ubuntu 16.04 Image better backport situation - postfix 3.1.6 vs 3.1.0 - fail2ban 0.9.6 vs 0.9.3 ... changes needed because of stretch-slim: - add missing gnupg and iproute2 package - remove non-free rar, unrar-free should do - rsyslog does not add syslog user and has different conf-structure - pyzor command discover was deprecated and is missing in the new stretch package - dovecot does not know SSLv2 anymore. removed because of warnings in log - iptables does not know imap3, IMAP working group chose imap2 in favor of imap3 * Switch to debian stretch slim: SSLv2 seems to be a not known protocol anymore - good! * switch to debian stretch slim: make this test more stable. there might be more than only one mail.log (mail.info, mail.warn, ...) * switch to debian stretc slim: new openssl 1.1.0 needs stronger ciphers, removed some weekers ones. Please, look through the new list of cipher! this needs to be done in another commit for all other SSL/TLS-Endpoints aswell. * Switch to debian stretch slim: let our server pre-empt the cipher list. Did a read through, wwwDOTpostfixDOTorg/FORWARD_SECRECY_READMEDOThtml and wwwDOTpostfixDOTorg/TLS_READMEDOThtml * Switch to debian stretch slim: lets give this openssl-based test a new and independent but identical container. many other test on the main 'mail' container might interfere here. * Switch to debian stretch slim: remove unused lines 2017-12-31 12:33:48 +01:00			`smtpd_tls_loglevel = 1`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`smtp_tls_security_level = may`
			`smtp_tls_loglevel = 1`
			`tls_ssl_options = NO_COMPRESSION`
debian stretch slim (#784) * Switch to stretch-slim as base image. - first step correct the testdata, as newer packages are more strict about the mail-structure. * Switch to stretch-slim: correcting the test-environment and the build - add missing build-step to make - clean the userdb aswell - use timeout of netcat, as postgrey would not close the connection - there is 2 extra mail-logs -> assert_output 5 - cosmetic: use "" instead of '' * Switch to stretch-slim: new image: - smaller size - 0 CVEs compared to 11 CVEs in ubuntu 16.04 Image better backport situation - postfix 3.1.6 vs 3.1.0 - fail2ban 0.9.6 vs 0.9.3 ... changes needed because of stretch-slim: - add missing gnupg and iproute2 package - remove non-free rar, unrar-free should do - rsyslog does not add syslog user and has different conf-structure - pyzor command discover was deprecated and is missing in the new stretch package - dovecot does not know SSLv2 anymore. removed because of warnings in log - iptables does not know imap3, IMAP working group chose imap2 in favor of imap3 * Switch to debian stretch slim: SSLv2 seems to be a not known protocol anymore - good! * switch to debian stretch slim: make this test more stable. there might be more than only one mail.log (mail.info, mail.warn, ...) * switch to debian stretc slim: new openssl 1.1.0 needs stronger ciphers, removed some weekers ones. Please, look through the new list of cipher! this needs to be done in another commit for all other SSL/TLS-Endpoints aswell. * Switch to debian stretch slim: let our server pre-empt the cipher list. Did a read through, wwwDOTpostfixDOTorg/FORWARD_SECRECY_READMEDOThtml and wwwDOTpostfixDOTorg/TLS_READMEDOThtml * Switch to debian stretch slim: lets give this openssl-based test a new and independent but identical container. many other test on the main 'mail' container might interfere here. * Switch to debian stretch slim: remove unused lines 2017-12-31 12:33:48 +01:00			`tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256`
			`tls_preempt_cipherlist = yes`
Should fix #426 (#427) 2016-12-24 14:24:29 +01:00			`smtpd_tls_protocols=!SSLv2,!SSLv3`
			`smtp_tls_protocols=!SSLv2,!SSLv3`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`smtpd_tls_mandatory_ciphers = high`
Should fix #426 (#427) 2016-12-24 14:24:29 +01:00			`smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL`
Hardening TLS ciphers (#492) * Hardening Dovecot TLS ciphers * Mitigate Logjam vulnerability on Dovecot * Mitigate Logjam vulnerability on Postfix * Add Nmap tests of PCI compliance for Postfix and Dovecot * Increase sleep duration on Makefile steps to avoid races 2017-01-25 14:10:40 +01:00			`smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem`
Add paths to CA to postifx Fixes untrusted TLS connections See: http://giantdorks.org/alain/fix-for-postfix-untrusted-certificate-tls-error/ 2016-07-25 22:50:36 +02:00			`smtpd_tls_CApath = /etc/ssl/certs`
			`smtp_tls_CApath = /etc/ssl/certs`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00
Adapted Postfix configuration to block typical spam sending mail servers using an enhanced client, sender and helo restriction configuration. The configuration has been adapted using this blog post: https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/ Basically mail servers having invalid configuration (as e.g. sending from and dynamic IP or a misconfigured hostname) will have their mails rejected. Additionnally three RBL servers are used to detect spam sending IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net. The results of a 12h test drive using a 100+ daily spam mail account (SpamAssasin was always enabled, just counting delivered mails to inbox not counting what SA detected): - Before: 34 incoming mails - Afer change: 6 incoming mails (82% reduction) Fixes #161. 2016-04-26 19:33:25 +02:00			`# Settings to prevent SPAM early`
			`smtpd_helo_required = yes`
			`smtpd_delay_reject = yes`
Postfix: reject_invalid_hostname configuration option changed to reject_invalid_helo_hostname string which is the "modern" Postfix variant since version >=2.3. (same for non_fqdn_hostname) 2016-04-27 09:44:21 +02:00			`smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit`
Adapted Postfix configuration to block typical spam sending mail servers using an enhanced client, sender and helo restriction configuration. The configuration has been adapted using this blog post: https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/ Basically mail servers having invalid configuration (as e.g. sending from and dynamic IP or a misconfigured hostname) will have their mails rejected. Additionnally three RBL servers are used to detect spam sending IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net. The results of a 12h test drive using a 100+ daily spam mail account (SpamAssasin was always enabled, just counting delivered mails to inbox not counting what SA detected): - Before: 34 incoming mails - Afer change: 6 incoming mails (82% reduction) Fixes #161. 2016-04-26 19:33:25 +02:00			`smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination`
Fixes #451 - add incoming mail SPF policy checks (#543) 2017-03-14 17:21:17 +01:00			`smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,`
Postfix: reject_invalid_hostname configuration option changed to reject_invalid_helo_hostname string which is the "modern" Postfix variant since version >=2.3. (same for non_fqdn_hostname) 2016-04-27 09:44:21 +02:00			`reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain,`
Fixed #197 removing SORBS from RBL 2016-05-30 10:09:32 +02:00			`reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net`
Adapted Postfix configuration to block typical spam sending mail servers using an enhanced client, sender and helo restriction configuration. The configuration has been adapted using this blog post: https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/ Basically mail servers having invalid configuration (as e.g. sending from and dynamic IP or a misconfigured hostname) will have their mails rejected. Additionnally three RBL servers are used to detect spam sending IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net. The results of a 12h test drive using a 100+ daily spam mail account (SpamAssasin was always enabled, just counting delivered mails to inbox not counting what SA detected): - Before: 34 incoming mails - Afer change: 6 incoming mails (82% reduction) Fixes #161. 2016-04-26 19:33:25 +02:00			`smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining`
			`smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain`
disable_vrfy_command: (#798) Prevents Spammers from collecting existing mail-addresses by probing the mailserver for them. 2018-01-25 08:32:00 +01:00			`disable_vrfy_command = yes`
Adapted Postfix configuration to block typical spam sending mail servers using an enhanced client, sender and helo restriction configuration. The configuration has been adapted using this blog post: https://www.webstershome.co.uk/2014/04/07/postfix-blocking-spam-enters-server/ Basically mail servers having invalid configuration (as e.g. sending from and dynamic IP or a misconfigured hostname) will have their mails rejected. Additionnally three RBL servers are used to detect spam sending IPs: dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net. The results of a 12h test drive using a 100+ daily spam mail account (SpamAssasin was always enabled, just counting delivered mails to inbox not counting what SA detected): - Before: 34 incoming mails - Afer change: 6 incoming mails (82% reduction) Fixes #161. 2016-04-26 19:33:25 +02:00
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`# SASL`
			`smtpd_sasl_auth_enable = yes`
			`smtpd_sasl_path = /var/spool/postfix/private/auth`
			`smtpd_sasl_type = dovecot`

			`smtpd_sasl_security_options = noanonymous`
			`smtpd_sasl_local_domain = $myhostname`
			`broken_sasl_auth_clients = yes`

			`# Mail directory`
make Postfix -> Dovecot delivery over LMTP (was LDA) (#305) (#360) 2016-10-24 15:03:08 +02:00			`virtual_transport = lmtp:unix:/var/run/dovecot/lmtp`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`virtual_mailbox_domains = /etc/postfix/vhost`
use "texthash" Postfix database format instead of "hash" 2016-11-15 20:48:09 +01:00			`virtual_mailbox_maps = texthash:/etc/postfix/vmailbox`
			`virtual_alias_maps = texthash:/etc/postfix/virtual`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00
			`# Additional option for filtering`
			`content_filter = smtp-amavis:[127.0.0.1]:10024`

			`# Milters used by DKIM`
improve OpenDKIM and OpenDMARC milters integration (#361) 2016-10-25 08:57:08 +02:00			`milter_protocol = 6`
Fixed part of tests for #109 2016-04-15 21:02:41 +02:00			`milter_default_action = accept`
improve OpenDKIM and OpenDMARC milters integration (#361) 2016-10-25 08:57:08 +02:00			`dkim_milter = inet:localhost:8891`
			`dmarc_milter = inet:localhost:8893`
			`smtpd_milters = $dkim_milter,$dmarc_milter`
			`non_smtpd_milters = $dkim_milter`
Fixes #451 - add incoming mail SPF policy checks (#543) 2017-03-14 17:21:17 +01:00
			`# SPF policy settings`
			`policyd-spf_time_limit = 3600`
Improve the privacy of the client by removing sensitive details 2017-08-09 23:19:00 +02:00
			`# Remove unwanted headers that reveail our privacy`
			`smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre`