
main.cf

This is the global configuration file for the Postfix SMTP server.

Global Postfix configuration file. This file lists only a subset of all parameters. For the syntax, and for a complete parameter list, see the postconf(5) manual page (command: "man 5 postconf").

In the listing below, the original comments have been removed.

# cd /etc/postfix/
# vi main.cf

# Level 2 selects the Postfix 3 defaults (for example mynetworks_style = host)
# instead of the legacy backwards-compatible ones; the settings below that
# matter for security are set explicitly anyway and do not depend on it.
compatibility_level = 2

#soft_bounce = no

# LOCAL PATHNAME INFORMATION
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

# QUEUE AND PROCESS OWNERSHIP
# Unprivileged account that owns the queue and runs most daemons; it must
# not be shared with any other service.
mail_owner = postfix
#default_privs = nobody

Normally the server name is obtained from the system via gethostname(). If you want to use a different name, set it here explicitly. This name is independent of the mail domains you host.

# INTERNET HOST AND DOMAIN NAMES
# myhostname appears in the SMTP banner and (by default) in the outbound
# HELO; it should be a fully qualified name that resolves (A/AAAA and PTR)
# and matches the certificate configured in smtpd_tls_cert_file.
myhostname = smtp.example.com
mydomain = example.com

# SENDING MAIL
# Domain appended to locally submitted mail that has no domain part.
myorigin = $mydomain

The default is to listen on localhost only. We want it to accept connections from external clients as well:

# RECEIVING MAIL
# Listen on every interface and protocol; the relay controls further down
# (mynetworks_style, reject_unauth_destination) are what keep this from
# becoming an open relay.
inet_interfaces = all
inet_protocols = all

#proxy_interfaces =
# Only these names are "local" domains (delivered by local(8), with aliases).
# Do not list localhost in virtual_alias_domains or virtual_mailbox_domains
# as well: Postfix warns when a domain appears in more than one class.
mydestination = localhost.$mydomain, localhost

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
# local_recipient_maps keeps its default, so unknown users in the
# mydestination domains are rejected at RCPT TO with the code below
# instead of being accepted and bounced later.
#local_recipient_maps =
unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL
# "host" trusts only this machine's own addresses, so permit_mynetworks in
# the restriction lists grants nothing to other hosts on the same subnet.
mynetworks_style = host
#relay_domains = $mydestination

# INTERNET OR INTRANET
# No relayhost: outbound mail is delivered directly via MX lookups.
#relayhost = $mydomain

# REJECTING UNKNOWN RELAY USERS
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
# Specify 0 to disable the feature. Valid delays are 0..10.
#in_flow_delay = 1s

# ADDRESS REWRITING

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.

# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.

The alias database keeps working alongside virtual hosting, but it is only consulted for the local domains listed in mydestination; aliases for the virtual domains are handled by virtual_alias_maps.

# ALIAS DATABASE
# alias_maps is only consulted by local(8), i.e. for the mydestination
# domains; the virtual domains use virtual_alias_maps (Virtual section).
# Run "newaliases" after editing /etc/aliases to rebuild the hash file.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#recipient_delimiter = +

We use virtual mailboxes delivered through Dovecot LMTP, so the local delivery settings in this section stay at their (commented-out) defaults.

# DELIVERY TO MAILBOX
# Everything in this section is left at its default: mailboxes for the
# virtual domains are delivered through virtual_transport (Dovecot LMTP,
# see the Virtual section), not by local(8).
#home_mailbox = Mailbox
#home_mailbox = Maildir/

#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#mailbox_transport = cyrus

#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =

# luser_relay would catch mail for unknown local users; leaving it unset
# keeps the 550 rejection configured above.
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local

The junk mail controls are extended further below in the smtpd restriction lists.

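# JUNK MAIL CONTROLS
# header_checks is not enabled here; the smtpd_*_restrictions lists in
# the SMTPD section below are the active anti-spam controls.
#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
# Do not advertise the Postfix version in the 220 greeting: it hands
# scanners a free fingerprint and has no operational benefit. The variant
# with $mail_version is kept below, commented out.
smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
# Verbose-logging level applied only to peers in debug_peer_list; with
# the list empty (commented out below) this has no effect.
debug_peer_level = 2

#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

# Stock Postfix hook used with "-D" daemon debugging; not invoked in
# normal operation and needs ddd installed if it ever is.
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION
# Set by the package; do not change unless Postfix is relocated.
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop

# manpage_directory: The location of the Postfix on-line manual pages.
manpage_directory = /usr/share/man

# readme_directory: The location of the Postfix README files.
readme_directory = /usr/share/doc/postfix/README_FILES

sample_directory = /usr/share/doc/postfix/samples

# Do not rewrite "user@host" to "user@host.$mydomain".
append_dot_mydomain = no
# No new-mail notifications via the biff/comsat service.
biff = no
config_directory = /etc/postfix
#dovecot_destination_recipient_limit = 1
# Maximum message size, 4 MiB, including headers and attachments.
message_size_limit = 4194304

meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix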

Settings for client authentication (SMTP AUTH).

We use dovecot to authenticate users.

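# SASL
# Authentication is delegated to Dovecot over its auth socket; the path is
# relative to queue_directory so it is reachable from the smtpd chroot.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = no
# Forbid anonymous mechanisms. Plaintext mechanisms (PLAIN/LOGIN) stay
# allowed, which is acceptable only because smtpd_tls_auth_only = yes
# (TLS section) hides AUTH until STARTTLS has completed.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain =
# Do not leak the authenticated login name in Received: headers.
smtpd_sasl_authenticated_header = no

# EHLO
smtpd_helo_required = yes
# Our own host and authenticated clients skip the HELO checks.
# reject_unknown_helo_hostname rejects senders whose HELO name has no
# A/AAAA or MX record; that is strict and can reject legitimate but
# misconfigured senders, so watch the logs after enabling it.
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname

# SMTPD configuration
# reject_unauth_destination is placed before the postgrey policy check:
# relay attempts from outside get an immediate 554 instead of first being
# greylisted with a 450, and only mail we would accept reaches postgrey.
# (Postfix 2.10+ also enforces relay control in smtpd_relay_restrictions,
# whose default is kept here, so this was never an open relay.)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket, reject_unknown_reverse_client_hostname
# Authenticated clients may use any envelope sender. If users should only
# send as their own address, add smtpd_sender_login_maps and put
# reject_authenticated_sender_login_mismatch before permit_sasl_authenticated.
# reject_unknown_client_hostname (no PTR, or PTR not matching the client
# IP) is the strictest client check; it answers 450 by default, so the
# sender retries. reject_unknown_reverse_client_hostname is repeated from
# the recipient list above and is redundant here.
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname


# SMTP configuration
# DNSSEC-validated lookups are a prerequisite for DANE (see the commented
# smtp_tls_security_level = dane in the SMTP TLS section).
#smtp_dns_support_level = dnssec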

We set up the TLS protocols and ciphers to use.

# TLS configuration
# /dev/urandom is the Postfix default entropy source.
tls_random_source = dev:/dev/urandom
# Disable TLS compression (CRIME) and renegotiation.
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
# Use the server's cipher preference order instead of the client's.
tls_preempt_cipherlist = yes


# SMTPD TLS configuration
# Certificate with the full chain ("_fc") and its private key; the key
# file must be readable by root only.
smtpd_tls_cert_file = /etc/pki/tls/certs/example.com_fc.pem
smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
# Opportunistic TLS for inbound mail: STARTTLS is offered, but a client
# that cannot negotiate within the protocol/cipher limits below sends in
# CLEARTEXT rather than being rejected. Postfix therefore recommends the
# default "medium" grade for opportunistic TLS; the "high" grade and the
# long exclusion list here trade compatibility for strength - check the
# logs (see smtpd_tls_loglevel) for peers that end up unencrypted.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# AUTH is only announced after STARTTLS, so credentials never cross in clear.
smtpd_tls_auth_only = yes
#smtpd_use_tls = yes
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# Roughly leaves ECDHE key exchange with AEAD suites (AES-GCM/CCM,
# ChaCha20): all DHE/RSA key exchange and the ECDHE CBC/SHA suites are
# excluded. TLS 1.3 suites are configured separately and are unaffected.
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
smtpd_tls_mandatory_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
# TLS 1.2 and newer only.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# 0 logs nothing about TLS. Level 1 records one summary line per handshake
# (protocol, cipher, verification result) and is the usual operational
# choice; without it cleartext fallbacks are invisible.
smtpd_tls_loglevel = 0
# "ultra" selects the P-521 curve. Newer Postfix releases (3.2+) prefer
# the "auto" setting with tls_eecdh_auto_curves and treat this as legacy.
smtpd_tls_eecdh_grade = ultra
# Record protocol and cipher in the Received: header for later forensics.
smtpd_tls_received_header = yes


# SMTP TLS configuration
# Log when a remote server offers STARTTLS but it was not used.
smtp_tls_note_starttls_offer = yes
# Trust anchors for peer verification. They are not enforced at level
# "may": the remote certificate is not verified, so outbound TLS protects
# against passive eavesdropping only, not against an active MITM.
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
# "dane" upgrades to authenticated TLS for domains that publish TLSA
# records; it needs smtp_dns_support_level = dnssec and a validating resolver.
#smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
# As on the inbound side: at level "may", a remote server that only speaks
# TLS 1.0/1.1 or none of the allowed ciphers receives our mail in
# cleartext, not a delivery failure.
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# Same remark as for smtpd_tls_loglevel: level 1 gives per-delivery TLS visibility.
smtp_tls_loglevel = 0

Now we set up the virtual mail domains. The lookup data is stored in MariaDB/MySQL.

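# Virtual
# Lowest UID virtual(8) accepts from virtual_uid_maps; a guard against a
# map ever returning a privileged UID.
virtual_minimum_uid = 5000
# One unprivileged owner for all virtual mailboxes.
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# Final delivery is handed to Dovecot over LMTP; the socket path is
# relative to queue_directory so it is reachable from the chroot. With
# this transport the uid/gid/base settings in this section are only used
# if delivery is ever switched back to virtual(8).
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_base = /srv/mail/vhosts
# Domain, user and alias lookups come from MariaDB. The .cf files contain
# the database password and should be mode 0640, owned by root:postfix.
virtual_mailbox_domains = mysql:/etc/postfix/mariadb-vdomains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mariadb-vusers.cf
virtual_alias_maps = mysql:/etc/postfix/mariadb-valias.cf
# Deliberately empty. "localhost" is already a local domain in
# mydestination, and Postfix warns when a domain is listed in both classes;
# virtual_alias_maps is still applied to every recipient address regardless.
virtual_alias_domains =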

This is the end of the standard main.cf file.

SPF, DKIM and DMARC require additional configuration in this file; that is not covered here.

Save the file and check the configuration syntax:

# postfix check

Run this check after every change to main.cf or master.cf, before you reload or restart Postfix; "postconf -n" then shows the resulting non-default settings for review.
