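# Postfix main.cf, rendered from this Ansible/Jinja2 template.
# Postfix syntax: one "key = value" per line, "#" full-line comments only
# (a "#" after a value is part of the value), and a line that begins with
# whitespace continues the previous value. The last assignment of a key wins.
# Jinja2 loops are kept on the same line as their key so the rendered file
# never accidentally starts a line with whitespace or a bare value.

# Uncomment soft_bounce for testing: every 5xx reject is turned into a 4xx
# defer, so mistakes in the restriction lists show up in the log without
# losing mail.
#soft_bounce = yes

# Generic postfix parameters
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
inet_interfaces = all
inet_protocols = all
# bytes
message_size_limit = 50000000
recipient_delimiter = +
owner_request_special = no
unknown_local_recipient_reject_code = 550
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
# Evaluate all restriction lists at RCPT TO so the log has the full envelope.
smtpd_delay_reject = yes
smtpd_helo_required = yes
# Empty: deliver outbound mail directly via MX lookup, no smarthost.
relayhost =

# Postscreen (pre-greet only, rspamd does the rest)
# Only takes effect when port 25 is routed through postscreen in master.cf.
postscreen_greet_banner = $myhostname ESMTP $mail_name
postscreen_greet_action = enforce

# Network parameters
mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydestination = localhost.$mydomain, localhost, {{ mail_srs_domain }}
# Clients in mynetworks match permit_mynetworks in every restriction list
# below (including before reject_unauth_destination, so they may relay) and
# are never asked to authenticate; keep mail_trusted as small as possible.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {% for cidr in mail_trusted %} {{ cidr | ipwrap }} {% endfor %}

# Alias configuration
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Client TLS parameters (outbound; "may" = opportunistic STARTTLS)
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtp_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_fingerprint_digest = sha256

# Server TLS parameters (inbound)
smtpd_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtpd_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtpd_tls_CApath = /etc/ssl/certs
# "may" keeps STARTTLS optional for other MTAs on port 25; SASL is only
# announced and accepted after STARTTLS (smtpd_tls_auth_only), so
# credentials are never sent over a clear-text connection.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_fingerprint_digest = sha256

# Submission SASL configuration
# Authentication is delegated to Dovecot over the private/dovecot-auth
# socket (relative to the Postfix queue directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# SMTPd restrictions
# Each list is evaluated left to right; the first permit/reject decides.
smtpd_helo_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    warn_if_reject reject_non_fqdn_hostname
    check_helo_access hash:/etc/postfix/helo_access
smtpd_client_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_reverse_client_hostname
# NOTE(review): reject_sender_login_mismatch and
# reject_unauthenticated_sender_login_mismatch only bind MAIL FROM to the
# SASL login when smtpd_sender_login_maps is set; it is not set in this file,
# so unless it is defined elsewhere they do nothing here. Because
# permit_sasl_authenticated precedes them, authenticated clients are permitted
# before the check runs anyway; move reject_sender_login_mismatch in front of
# permit_sasl_authenticated (with a populated map) if authenticated users
# should be prevented from using arbitrary sender addresses.
# permit_tls_clientcerts likewise needs relay_clientcerts and
# smtpd_tls_ask_ccert, neither of which is set in this file - confirm.
smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauthenticated_sender_login_mismatch
    reject_sender_login_mismatch
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unauth_pipelining
    reject_unverified_recipient

# SMTP Smuggling
# Rejects bare <LF> line endings in DATA. A Postfix release that predates
# this parameter ignores it and logs an "unused parameter" warning, so check
# the postconf output on the target host.
smtpd_forbid_bare_newline = yes

# rspamd Milter setup
# milter_default_action = accept favours availability over filtering: if
# rspamd is unreachable, mail is accepted unscanned. Use "tempfail" to defer
# delivery until the milter is back instead.
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_default_action = accept
milter_protocol = 6

# mailbox / forward definitions
virtual_mailbox_domains = {{ mail_domain }} {% for domain in mail_domains %} {{ domain }} {% endfor %}
virtual_alias_maps = hash:/etc/postfix/virtual-alias
virtual_transport = lmtp:unix:private/dovecot-lmtpd
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient unknown

# mailman
# NOTE(review): setting local_recipient_maps replaces the Postfix default
# (proxy:unix:passwd.byname $alias_maps), so for the mydestination domains
# only addresses present in the mailman map are accepted at RCPT TO; entries
# that exist only in /etc/aliases (postmaster@, abuse@, ...) would be
# rejected with unknown_local_recipient_reject_code. Confirm this is intended.
relay_domains = hash:/var/lib/mailman3/data/postfix_domains
local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp
transport_maps = hash:/var/lib/mailman3/data/postfix_lmtp

# postsrsd
# sender_canonical_maps = tcp:localhost:10001 -> see master.cf
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient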