mirror of
https://github.com/tomav/docker-mailserver.git
synced 2024-07-02 14:11:12 +02:00
04059cd618
To prevent announcing software or version to malicious people or scripts, it is advised to hide such information. This information is provided as part of the Lynis community project. It is related to Lynis control MAIL-8818 and should be considered as-is and without guarantees. https://cisofy.com/lynis/controls/MAIL-8818/
106 lines
4.1 KiB
CFEngine3
106 lines
4.1 KiB
CFEngine3
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
|
|
|
smtpd_banner = $myhostname ESMTP
|
|
biff = no
|
|
append_dot_mydomain = no
|
|
readme_directory = no
|
|
|
|
# Basic configuration
|
|
# myhostname =
|
|
alias_maps = hash:/etc/aliases
|
|
alias_database = hash:/etc/aliases
|
|
mydestination = $myhostname, localhost.$mydomain, localhost
|
|
relayhost =
|
|
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
|
|
mailbox_size_limit = 0
|
|
recipient_delimiter = +
|
|
inet_interfaces = all
|
|
inet_protocols = all
|
|
|
|
# TLS parameters
|
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
|
#smtpd_tls_CAfile=
|
|
#smtp_tls_CAfile=
|
|
smtpd_tls_security_level = may
|
|
smtpd_tls_loglevel = 1
|
|
smtp_tls_security_level = may
|
|
smtp_tls_loglevel = 1
|
|
|
|
# Reduces CPU overhead with `NO_COMPRESSION`, SMTP not at risk of CRIME attack (see git blame for details)
|
|
# Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION`
|
|
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
|
|
|
|
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
|
tls_preempt_cipherlist = yes
|
|
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtpd_tls_mandatory_ciphers = high
|
|
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
|
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
|
smtpd_tls_CApath = /etc/ssl/certs
|
|
smtp_tls_CApath = /etc/ssl/certs
|
|
|
|
# Settings to prevent SPAM early
|
|
smtpd_helo_required = yes
|
|
smtpd_delay_reject = yes
|
|
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
|
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
|
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
|
|
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
|
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
|
|
disable_vrfy_command = yes
|
|
|
|
# Postscreen settings to drop zombies/open relays/spam early
|
|
postscreen_dnsbl_action = enforce
|
|
postscreen_dnsbl_sites = zen.spamhaus.org*3
|
|
bl.mailspike.net
|
|
b.barracudacentral.org*2
|
|
bl.spameatingmonkey.net
|
|
bl.spamcop.net
|
|
dnsbl.sorbs.net
|
|
psbl.surriel.com
|
|
list.dnswl.org=127.0.[0..255].0*-2
|
|
list.dnswl.org=127.0.[0..255].1*-3
|
|
list.dnswl.org=127.0.[0..255].[2..3]*-4
|
|
postscreen_dnsbl_threshold = 3
|
|
postscreen_dnsbl_whitelist_threshold = -1
|
|
postscreen_greet_action = enforce
|
|
postscreen_bare_newline_action = enforce
|
|
|
|
# SASL
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_path = /var/spool/postfix/private/auth
|
|
smtpd_sasl_type = dovecot
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
smtpd_sasl_local_domain = $mydomain
|
|
broken_sasl_auth_clients = yes
|
|
|
|
# Mail directory
|
|
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
|
|
virtual_mailbox_domains = /etc/postfix/vhost
|
|
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
|
|
virtual_alias_maps = texthash:/etc/postfix/virtual
|
|
|
|
# Additional option for filtering
|
|
content_filter = smtp-amavis:[127.0.0.1]:10024
|
|
|
|
# Milters used by DKIM
|
|
milter_protocol = 6
|
|
milter_default_action = accept
|
|
dkim_milter = inet:localhost:8891
|
|
dmarc_milter = inet:localhost:8893
|
|
smtpd_milters = $dkim_milter,$dmarc_milter
|
|
non_smtpd_milters = $dkim_milter
|
|
|
|
# SPF policy settings
|
|
policyd-spf_time_limit = 3600
|
|
|
|
# Header checks for content inspection on receiving
|
|
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
|
|
|
|
# Remove unwanted headers that reveail our privacy
|
|
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
|