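# Global Postfix configuration file. This file lists only a subset
# of all 300+ parameters. See the postconf(5) manual page for a
# complete list.
#
# The general format of each line is: parameter = value. Lines
# that begin with whitespace continue the previous line. A value can
# contain references to other $names or ${name}s.
#
# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF
# POSTFIX STILL WORKS AFTER EVERY CHANGE.

# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix

# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.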
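#
mail_owner = postfix

# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.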
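#
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost

# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4

# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that looks up all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.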
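#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost, mailgw1.$mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#    mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
#   feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.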
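# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =

# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.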
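#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
#
# NOTE(review): every client matching this list may relay through this
# host. The last entry is a domain name rather than a network/netmask
# pattern; a name can presumably only be matched via DNS, so relay trust
# for that entry rests on DNS data rather than on a network boundary.
# The address ranges listed here already enumerate the trusted networks -
# confirm the name entry is still needed.
mynetworks = 147.32.4.0/24, 147.32.5.0/24, 147.32.6.0/24, 147.32.7.0/24,
    147.32.8.0/24, 147.32.9.0/24, 147.32.10.0/24, 147.32.19.0/24,
    147.32.22.0/25, 147.32.25.0/24, 127.0.0.0/8,
    [2001:718:2:1700::/56], [2001:718:2:1800::/56],
    [2001:718:2:1900::/56], [::1/128], fjfi.cvut.cz
#mynetworks = 127.0.0.0/8,fjfi.cvut.cz
# using only the domain name: all hosts have to have correct DNS records

# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.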
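#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
# NOTE(review): this host relays for fjfi.cvut.cz, but relay_recipient_maps
# (below) is not set anywhere visible in this file, so mail for
# non-existent users in that domain is accepted here and can only be
# bounced afterwards. Listing the valid addresses in relay_recipient_maps
# lets the SMTP server reject such recipients at RCPT time instead.
#relay_domains = $mydestination
relay_domains = fjfi.cvut.cz

# INTERNET OR INTRANET

# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control.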
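# This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s

# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.

# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.

# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.

# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases, ldap:/etc/postfix/aliases-ldap.cf

# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi".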
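# This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +

# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/

# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).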
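#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/file/name
#mailbox_transport = cyrus

# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".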
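#
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =

# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local

# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.

# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".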
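#
#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP CTU FNSPE 1st MX NO UCE NO SPAM

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.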
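#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# If you don't have X installed on the Postfix machine, try:
# debugger_command =
#    PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#    echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#    >$config_directory/$process_name.$process_id.log & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# mailq_path: The full pathname of the Postfix mailq command.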
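# This is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix

# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop

# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no

# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.1.5/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES

# This file contains example settings of Postfix configuration
# parameters that control the behaviour of the TLS extensions.
#
# We strictly separate between server side TLS (smtpd_) and client side
# TLS (smtp_), as for practical reasons we might choose differently.

# Section with SMTPD specific settings

# To use TLS we do need a certificate and a private key. Both must be in
# "pem" format, the private key must not be encrypted, that does mean:
# it must be accessible without password. Both parts (certificate and
# private key) may be in the same file.
#
# Both RSA and DSA certificates are supported. Typically you will only
# have RSA certificates issued by a commercial CA, also the tools supplied
# with OpenSSL will by default issue RSA certificates.
# You can have both at the same time, in this case the cipher used decides,
# which certificate is presented. For Netscape and OpenSSL clients without
# special cipher choices, the RSA certificate is preferred.
#
# In order to check the certificates, the CA-certificate (in case of a
# certificate chain, all CA-certificates) must be available.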
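# You should add these certificates to the server certificate, the server
# certificate first, then the issuing CA(s).
#
# Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
# which itself has a certificate of "root CA". Create the server.pem file by
# 'cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem'
#
# If you want to accept certificates issued by these CAs yourself, you can
# also add the CA-certificates to the smtpd_tls_CAfile, in which case it is
# not necessary to have them in the smtpd_tls_[d]cert_file.
#
# A certificate supplied here must be usable as SSL server certificate and
# hence pass the "openssl verify -purpose sslserver ..." test.
#
# NOTE(review): smtpd_tls_key_file points at the certificate file, so that
# single file also holds the unencrypted private key (see above). Anyone
# able to read it can impersonate this server; it must be owned by root
# and not readable by other users, even though it lives in a directory
# normally used for public certificates - verify its mode.
smtpd_tls_cert_file = /usr/share/ssl/certs/mailgw1.fjfi.cvut.cz.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
#
# Its DSA counterparts:
#smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
#smtpd_tls_dkey_file = $smtpd_tls_dcert_file

# The certificate was issued by a certification authority (CA), the CA-cert
# of which must be available, if not in the certificate file.
# This file may also contain the CA certificates of other trusted CAs.
# You must use this file for the list of trusted CAs if you want to use
# chroot-mode. No default is supplied for this value as of now.
#
# NOTE(review): this points at the system-wide public CA bundle, so a
# client certificate issued by any of those CAs will pass verification.
# That is acceptable only while relaying is granted per fingerprint
# (permit_tls_clientcerts / relay_clientcerts, see below) and never via
# permit_tls_all_clientcerts.
smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. The same CAs are offered to clients for
# client verification. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!
#
# To use this option in chroot mode, this directory itself or a copy of it
# must be inside the chroot jail.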
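# Please note also, that the CAs in this
# directory are not listed to the client, so that e.g. Netscape might not
# offer certificates issued by them.
#
# I therefore discourage the use of this option.
#
# NOTE(review): despite the advice above, this option is active here and
# appears to point at the system certificate directory, so every CA with a
# hash link there becomes an accepted issuer of client certificates in
# addition to smtpd_tls_CAfile - confirm this is intentional.
smtpd_tls_CApath = /usr/share/ssl/certs/

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of negotiation process
# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
# discouraged.
#
smtpd_tls_loglevel = 1

# To include information about the protocol and cipher used as well as the
# client and issuer CommonName into the "Received:" header, set the
# smtpd_tls_received_header variable to true. The default is no, as the
# information is not necessarily authentic. Only the final destination
# is reliable, since the headers might have been changed in between.
#
smtpd_tls_received_header = yes

# By default TLS is disabled, so no difference to plain postfix is visible.
# Explicitly switch it on using "smtpd_use_tls". (Note: when invoked
# via "sendmail -bs", STARTTLS is never offered due to insufficient
# privileges to access the private key. This is intended behaviour.)
#
smtpd_use_tls = yes

# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
# are allowed without TLS. According to RFC2487 this MUST NOT be applied
# in case of a publicly-referenced SMTP server. So this option is off
# by default and should only seldom be used. Using this option implies
# smtpd_use_tls = yes. (Note: when invoked via "sendmail -bs", STARTTLS
# is never offered due to insufficient privileges to access the private key.
# This is intended behaviour.)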
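#
# smtpd_enforce_tls = no

# Besides RFC2487 some clients, namely Outlook [Express] prefer to run the
# non-standard "wrapper" mode, not the STARTTLS enhancement to SMTP.
# This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port!=25
# and OE (5.01 Mac on all ports).
# It is strictly discouraged to use this mode from main.cf. If you want to
# support this service, enable a special port in master.cf. Port 465 (smtps)
# was once chosen for this feature.
#
# smtpd_tls_wrappermode = no

# To receive a client certificate, the server must explicitly ask for one.
# Hence netscape will either complain if no certificate is available (for
# the list of CAs in /etc/postfix/certs) or will offer you client certificates
# to choose from. This might be annoying, so this option is "off" by default.
# You will however need the certificate if you want to do e.g. certificate
# based relaying.
#
# smtpd_tls_ask_ccert = no

# You may also decide to REQUIRE a client certificate to allow TLS connections.
# I don't think it will be necessary often, it is however included here for
# completeness. This option implies smtpd_tls_ask_ccert = yes
#
# Please be aware, that this will inhibit TLS connections without a proper
# certificate and only makes sense, when normal submission is disabled and
# TLS is enforced (smtpd_enforce_tls). Otherwise clients may bypass by simply
# not using STARTTLS at all. When TLS is not enforced, the connection will be
# handled, as if only smtpd_tls_ask_ccert = yes would be set and an information
# is logged.
#
# smtpd_tls_req_ccert = no

# The verification depth for client certificates. A depth of 1 is sufficient,
# if the certificate is directly issued by a CA listed in the CA locations.
# The default value (5) should also suffice for longer chains (root CA issues
# special CA which then issues the actual certificate...)
#
# smtpd_tls_ccert_verifydepth = 5

# Sending AUTH data over an unencrypted channel poses a security risk.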
When # smtpd_tls_enforce_tls is set, AUTH will only be announced and accepted, # once the TLS layer has been activated via the STARTTLS protocol. If # TLS layer encryption is optional, it may however still be useful to only # offer AUTH, when TLS is active. To not break compatiblity with unpatched # postfix versions, the default is to accept AUTH without encryption. In # order to change this behaviour, set smtpd_tls_auth_only = yes. # smtpd_tls_auth_only = yes # The server and client negotiate a session, which takes some computer time # and network bandwidth. The session is cached only in the smtpd process # actually using this session and is lost when the process dies. # To share the session information between the smtpd processes, a disc based # session cache can be used based on the SDBM databases (routines included # in Postfix/TLS). Since concurrent writing must be supported, only SDBM # can be used. # smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache # The cached sessions time out after a certain amount of time. For Postfix/TLS # I do not use the OpenSSL default of 300sec, but a longer time of 3600sec # (=1 hour). RFC2246 recommends a maximum of 24 hours. # smtpd_tls_session_cache_timeout = 3600s # Two additional options has been added for relay control to the UCE rules: # permit_tls_clientcerts (a) # and # permit_tls_all_clientcerts. (b) # # If one of these options is added to # smtpd_recipient_restrictions, # postfix will relay if # (a) a valid (it passed the verification) client certificate is presented # and its fingerprint is listed in the list of client certs # (relay_clientcerts), # (b) any valid (it passed the verification) client certificate is presented. # # Option (b) must only be used, if a special CA issues the certificates and # only this CA is listed as trusted CA. If other CAs are trusted, any owner # of a valid (SSL client)-certificate can relay. Option (b) can be practical # for a specically created email relay. 
It is however recommended to stay with # option (a) and list all certificates, as (b) does not permit any control # when a certificate must no longer be used (e.g. an employee leaving). # # smtpd_recipient_restrictions = ... permit_tls_clientcerts ... # The list of client certificates for which relaying will be allowed. # Unfortunately the routines for lists in postfix use whitespaces as # seperators and choke on special chars. So using the certificate # X509ONELINES is quite impractical. We will use the fingerprints at # this point, as they are difficult to fake but easy to use for lookup. # As postmap (when using e.g. db) insists of having a pair of key and value, # but we only need the key, the value can be chosen freely, e.g. the name # of the user or host: # D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home # # relay_clientcerts = hash:/etc/postfix/relay_clientcerts # To influence the cipher selection scheme, you can give cipherlist-string. # A detailed description would go to far here, please refer to the openssl # documentation. # If you don't know what to do with it, simply don't touch it and leave the # (openssl-)compiled in default! # # DO NOT USE " to enclose the string, just the string!!! # # smtpd_tls_cipherlist = DEFAULT # If you want to take advantage of ciphers with EDH, DH parameters are needed. # There are built in DH parameters for both 1025bit and 512bit available. It # is however better to have "own" parameters, since otherwise it would "pay" # for a possible attacker to start a brute force attack against these # parameters commonly used by everybody. For this reason, the parameters # chosen are already different from those distributed with other TLS packages. 
# # To generate your own set of parameters, use # openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024 # openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512 # (your source for "entropy" might vary; on Linux there is /dev/random, on # other system, you might consider the "Entropy Gathering Daemon EGD", # available at http://www.lothar.com/tech/crypto/. # smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem # The smtpd_starttls_timeout parameter limits the time in seconds to write and # read operations during TLS start and stop handhake procedures. # # smtpd_starttls_timeout = 300s # Section with SMTP specific settings # During the startup negotiation we might present a certificate to the server. # Netscape is rather clever here and lets the user select between only those # certs that will match the CAs accepted from the server. As I simply use # the integrated "SSL_connect()" from the OpenSSL package, this is not # possible by now and we have to chose just one cert. # So for now the default is to use _no_ cert and key unless explictly # set here. It is possible to use the same key/cert pair as for the server. # If a cert is to be presented, it must be in "pem" format, the private key # must not be encrypted, that does mean: it must be accessable without # password. Both parts (certificate and private key) may be in the # same file. # # In order to check the certificates, the CA-certificate (in case of a # certificate chain, all CA-certificates) must be available. # You should add these certificates to the server certificate, the server # certificate first, then the issuing CA(s). # # Example: the certificate for "client.dom.ain" was issued by "intermediate CA" # which itself has a certificate of "root CA". 
Create the client.pem file by # 'cat client_cert.pem intemediate_CA.pem root_CA.pem > client.pem' # # If you want to accept certificates issued by these CAs yourself, you can # also add the CA-certificates to the smtp_tls_CAfile, in which case it is # not necessary to have them in the smtp_tls_[d]cert_file. # # A certificate supplied here must be useable as SSL client certificate and # hence pass the "openssl verify -purpose sslclient ..." test. # #smtp_tls_cert_file = /etc/postfix/client.pem #smtp_tls_key_file = $smtp_tls_cert_file # The certificate was issued by a certification authority (CA), the CA-cert # of which must be available, if not in the certificate file. # This file may also contain the the CA certificates of other trusted CAs. # You must use this file for the list of trusted CAs if you want to use # chroot-mode. No default is supplied for this value as of now. # smtp_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt # To verify the peer certificate, we need to know the certificates of # certification authorities. These certificates in "pem" format are # collected in a directory. Don't forget to create the necessary "hash" # links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical # place for the CA-certs may also be $OPENSSL_HOME/certs, so there is # no default and you explicitly have to set the value here! # # To use this option in chroot mode, this directory itself or a copy of it # must be inside the chroot jail. # smtp_tls_CApath = /usr/share/ssl/certs/ # To get additional information during the TLS setup and negotiations # you can increase the loglevel from 0..4: # 0: No output about the TLS subsystem # 1: Printout startup and certificate information # 2: 1 + Printout of levels during negotiation # 3: 2 + Hex and ASCII dump of negotiation process # 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS # Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly # discouraged. 
# smtp_tls_loglevel = 1 # The server and client negotiate a session, which takes some computer time # and network bandwidth. The session is cached only in the smtpd process # actually using this session and is lost when the process dies. # To share the session information between the smtp processes, a disc based # session cache can be used based on the SDBM databases (routines included # in Postfix/TLS). Since concurrent writing must be supported, only SDBM # can be used. # smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache # The cached sessions time out after a certain amount of time. For Postfix/TLS # I do not use the OpenSSL default of 300sec, but a longer time of 3600sec # (=1 hour). RFC2246 recommends a maximum of 24 hours. # smtp_tls_session_cache_timeout = 3600s # By default TLS is disabled, so no difference to plain postfix is visible. # If you enable TLS it will be used when offered by the server. # WARNING: I didn't have access to other software (except those explicitely # listed) to test the interaction. On corresponding mailing list # there was a discussion going on about MS exchange servers offering # STARTTLS even if it is not configured, so it might be wise to not # use this option on your central mail hub, as you don't know in advance # whether you are going to hit such host. Use the recipient/site specific # options instead. # HINT: I have it switched on on my mailservers and did experience one # single failure since client side TLS is implemented. (There was one # misconfired MS Exchange server; I contacted ths admin.) Hence, I am happy # with it running all the time, but I am interested in testing anyway. # You have been warned, however :-) # # In case of failure, a "4xx" code is issued and the mail stays in the queue. # # Explicitely switch it on here, if you want it. # smtp_use_tls = yes # You can ENFORCE the use of TLS, so that only connections with TLS will # be accepted. 
Additionally, the hostname of the receiving host is matched # against the CommonName in the certificate. Also, the certificate must # be verified "Ok", so that a CA trusted by the client must have issued # the certificate. If the certificate doesn't verify or the hostname doesn't # match, a "4xx" will be issued and the mail stays in the queue. # The hostname used in the check is beyond question, as it must be the # principle hostname (no CNAME allowed here). Checks are performed against # all names provided as dNSNames in the SubjectAlternativeName. If no # dNSNames are specified, the CommonName is checked. # The behaviour may be changed with the smtp_tls_enforce_peername option # # This option is useful only if you are definitely sure that you will only # connect to servers supporting RFC2487 _and_ with valid certificates. # I use it for my clients which will only send email to one mailhub, which # does offer the necessary STARTTLS support. # # smtp_enforce_tls = no # As of RFC2487 the requirements for hostname checking for MTA clients are # not set. When in smtp_enforce_tls mode, the option smtp_tls_enforce_peername # can be set to "no" to disable strict peername checking. In this case, the # mail delivery will be continued, if a TLS connection was established # _and_ the peer certificate passed verification _but_ regardless of the # CommonName listed in the certificate. This option only applies to the # default setting smtp_enforce_tls_mode, special settings in the # smtp_tls_per_site table override smtp_tls_enforce_peername. # # This can make sense in closed environment where special CAs are created. # If not used carefully, this option opens the danger of a "man-in-the-middle" # attack (the CommonName of this attacker is logged). 
# # smtp_tls_enforce_peername = yes # As generally trying TLS can be a bad idea (some hosts offer STARTTLS but # the negotiation will fail leading to unexplainable failures, it may be # a good idea to decide based on the recipient or the mailhub to which you are # connecting. # # Deciding per recipient may be difficult, since a singe email can have # several recipients. We use the "nexthop" mechanism inside postfix. # When an email is to be delivered, the "nexthop" is obtained. If it matches # an entry in the smtp_tls_per_site list, appropriate action is taken. # Since entries in the transport table or the use of a relay_host override # the nexthop setting, in these cases the relay_host etc must be listed # in the table. In any case, the hostname of the peer to be contacted is # looked up (that is: the MX or the name of the host, if no MX is given). # # Special hint for enforcement mode: # Since there is no secure mechanism for DNS lookups available, the # recommended setup is: put the sensible domains with their mailhost # into the transport table (since you can asure security of this table # unlike DNS), then set MUST mode for this mailhost. # # Format of the table: # The keys entries are on the left hand side, no wildcards allowed. On the # right hand side the keywords NONE (don't use TLS at all), MAY (try to use # STARTTLS if offered, no problem if not), MUST (enforce usage of STARTTLS, # check server certificate CommonName against server FQDN), MUST_NOPEERMATCH # (enforce usage of STARTTLS and verify certificate, but ignore differences # between CommonName and server FQDN). # dom.ain NONE # host.dom.ain MAY # important.host MUST # some.host.dom.ain MUST_NOPEERMATCH # # If an entry is not matched, the default policy is applied; if the default # policy is "enforce", NONE explicitely switches it off, otherwise the # "enforce" mode is used even for MAY entries. # #smtp_tls_per_site = hash:/etc/postfix/tls_per_site # The verification depth for server certificates. 
A depth of 1 is sufficient, # if the certificate ist directly issued by a CA listed in the CA locations. # The default value (5) should also suffice for longer chains (root CA issues # special CA which then issues the actual certificate...) # # smtp_tls_scert_verifydepth = 5 # As we decide on a "per site" basis, wether to use TLS or not, it would be # good to have a list of sites, that offered "STARTTLS'. We can collect it # ourselves with this option. # # If activated and TLS is not already enabled for this host, a line is added # to the logfile: # postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] # smtp_tls_note_starttls_offer = yes # To influence the cipher selection scheme, you can give cipherlist-string. # A detailed description would go to far here, please refer to the openssl # documentation. # If you don't know what to do with it, simply don't touch it and leave the # (openssl-)compiled in default! # # DO NOT USE " to enclose the string, just the string!!! # # smtp_tls_cipherlist = DEFAULT # The smtp_starttls_timeout parameter limits the time in seconds to write and # read operations during TLS start and stop handhake procedures. # # In case of problems the client does NOT try the next address on # the mail exchanger list. # # smtp_starttls_timeout = 300s # In order to seed the PRNG Pseude Random Number Generator, random data is # needed. The PRNG pool is maintained by the "tlsmgr" daemon and is used # (read) by the smtp[d] processes after adding some more entropy by stirring # in time and process id. # The file, which is from time to time rewritten by the tlsmgr, is created # if not existant. A default value is given; the default should probably # be on the /var partition but _not_ inside chroot jail. # # tls_random_exchange_name = /etc/postfix/prng_exch # To feed the PRNG pool, entropy is being read from an external source, # both at startup and during run. 
# Specify a good entropy source here, like EGD or /dev/urandom; make sure # to only use non-blocking sources. # In both cases, 32 bytes are read at each re-seeding event (which is an # amount of 256bits and hence good enough for 128bit symmetric keys). # You must specify the type of source: "dev:" for a device special file # or "egd:" for a source with EGD compatible socket interface. A maximum # 255 bytes is read from these sources in each step. # If you specify a normal file, a larger amount of data can be read. # # The entropy source is queried again after a certain amount of time. The # time is calculated using the PRNG, it is between 0 and the time specified, # default is a maximum of 1 hour. # tls_random_source = dev:/dev/urandom # tls_random_source = egd:/var/run/egd-pool # tls_random_bytes = 32 # tls_random_reseed_period = 3600s # The PRNG pool inside tlsmgr is used to re-generate the 1024 byte file # being read by smtp[d]. The time, after which the exchange file is # rewritten is calculated using the PRNG, it is between 0 and the time # specified, default is a maximum of 60 seconds. # # tls_random_upd_period = 60s # If you have a entropy source available, that is not easily drained (like # /dev/urandom), the daemons can also load additional entropy on startup from # the source specified. By default an amount of 32 bytes is read, the # equivalent to 256 bits. This is more than enough to generate a 128bit # (or 168bit) session key, but we may have to generate more than one. # Usage of this option may drain EGD (consider the case of 50 smtp starting # up with a full queue and "postfix start", which will request 1600bytes # of entropy). This is however not fatal, as long as "entropy" data could # be read from the exchange file. 
#
tls_daemon_random_source = dev:/dev/urandom
# tls_daemon_random_source = egd:/var/run/egd-pool
# tls_daemon_random_bytes = 32

# SASL

# In order to enable SASL support in the SMTP server:
# NOTE(review): with smtpd_tls_auth_only = yes in the TLS section above,
# the AUTH command is offered and accepted only after STARTTLS.
smtpd_sasl_auth_enable = yes

# Older Microsoft SMTP client software implements a non-standard version
# of the AUTH protocol syntax, and expects that the SMTP server replies
# to EHLO with "250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate
# such clients in addition to conformant clients, set
# "broken_sasl_auth_clients = yes"
broken_sasl_auth_clients = yes

# On the Postfix side, you can have only one realm per smtpd instance,
# and only the users belonging to that realm would be able to authenticate.
# The variable smtpd_sasl_local_domain controls the realm used by smtpd:
#smtpd_sasl_local_domain = $myhostname

#
# Mailing tables
#

# List of canonical mapping tables.
# NOTE(review): the LDAP client configuration files referenced here and in
# virtual_alias_maps may carry bind credentials; keep them readable only by
# root and the Postfix daemon user, never world-readable.
#canonical_maps = hash:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical, ldap:/etc/postfix/canonical-ldap.cf

# Address mapping lookup table for envelope and
# header recipient addresses.
#recipient_canonical_maps = hash:/etc/postfix/canonical_recipient

# Address mapping lookup table for envelope and
# header sender addresses.
#sender_canonical_maps = hash:/etc/postfix/canonical_sender

# List of lookup tables for relocated users or sites.
relocated_maps = hash:/etc/postfix/relocated

# List of transport lookup tables.
transport_maps = hash:/etc/postfix/transport

# List of virtual aliasing tables.
# NOTE(review): main.cf has no inline comments — a "#" is only a comment at
# the start of a line. The disabled LDAP table below must therefore stay on
# its own line; appended to the value line it would become part of the
# table list and break lookups.
#virtual_alias_domains = mailgw.fjfi.cvut.cz
#virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/virtual-ldap.cf
#, ldap:/etc/postfix/virtual-aliases-ldap.cf

#
# LIMITS
#
# mailbox_size_limit = 0 disables the mailbox size check for local delivery;
# message_size_limit is in bytes (here roughly 20 MB).
mailbox_size_limit = 0
message_size_limit = 20480000

#
# Antispam restrictions
#

# When it is set, hard reject responses (5xx) are converted to soft reject
# responses (4xx). When you add a new restriction that you're not sure about,
# you might want to turn soft_bounce on and then watch your logs for what's
# rejected so that you can fine-tune your settings by the time another
# delivery attempt is made.
#soft_bounce = yes

# Require HELO command at the beginning of smtp session. Requiring this
# will stop bulk mail programs
smtpd_helo_required = yes

# Require strict RFC 821 envelopes. This will stop unwanted emails, but
# there are a number of clients that don't get address formatting correct
#strict_rfc821_envelopes = yes

# verification cache
# NOTE(review): this cache is written at runtime by the address verification
# service, so placing it under /etc/postfix again requires the configuration
# directory to be writable by the daemon user; a data directory outside the
# configuration tree is preferable.
address_verify_map = btree:/etc/postfix/verify
#address_verify_poll_count = 3
#address_verify_poll_delay = 3s

#
# ACCESS CONTROL RESPONSES
#
# The following parameters control numerical SMTP reply codes and/or
# text responses. The values in parentheses are the defaults.

# The numerical Postfix SMTP server response code when a client is rejected
# by an access(5) map restriction.
#access_map_reject_code (554)

# The numerical Postfix SMTP server response code when a remote SMTP
# client request is rejected by the "defer" restriction.
#defer_code (450)

# The numerical Postfix SMTP server response code when the client HELO
# or EHLO command parameter is rejected by the reject_invalid_hostname
# restriction.
#invalid_hostname_reject_code (501)

# The numerical Postfix SMTP server response code when a remote SMTP
# client request is blocked by the reject_rbl_client,
# reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient
# restriction.
#maps_rbl_reject_code (554)

# The numerical Postfix SMTP server reply code when a client request is
# rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender or
# reject_non_fqdn_recipient restriction.
#non_fqdn_reject_code (504)

# The numerical Postfix SMTP server response code when a remote SMTP
# client request is rejected by the "reject" restriction.
#reject_code (554)

# The numerical Postfix SMTP server response code when a client request
# is rejected by the reject_unauth_destination recipient restriction.
#relay_domains_reject_code (554)

# The numerical Postfix SMTP server response code when a sender or
# recipient address is rejected by the reject_unknown_sender_domain or
# reject_unknown_recipient_domain restriction.
#unknown_address_reject_code (450)

# The numerical Postfix SMTP server response code when a client without
# valid address <=> name mapping is rejected by the
# reject_unknown_client restriction.
#unknown_client_reject_code (450)

# The numerical Postfix SMTP server response code when the hostname
# specified with the HELO or EHLO command is rejected by the
# reject_unknown_hostname restriction.
#unknown_hostname_reject_code (450)

# rejecting unknown recipients
# NOTE(review): this code only takes effect once reject_unverified_recipient
# is enabled in smtpd_recipient_restrictions; it is commented out there.
unverified_recipient_reject_code = 550

# config debug possible from following hosts
# NOTE(review): XCLIENT lets a listed client override its own client
# address, name and HELO for access-policy purposes, so this list is a trust
# boundary and should stay as short as possible. Name-based entries depend on
# how the connecting client's hostname resolves; an address-based entry is the
# more robust form — confirm against the running version's matching rules.
smtpd_authorized_xclient_hosts = mailgw1.fjfi.cvut.cz,mailgw2.fjfi.cvut.cz

#
# Order in which the restriction lists below are evaluated during a session:
#
#[smtp server advertises its settings]
#MAIL FROM:
#RCPT TO:
#[Got rejected? If yes, skip header and body checks below. Otherwise,
#apply them.]
#DATA
#

# used blacklists
# NOTE(review): maps_rbl_domains is only consulted by reject_maps_rbl, which
# is commented out below, so this list is currently unused; the active DNSBL
# checks are the reject_rbl_client entries in smtpd_client_restrictions.
# Several zones in this list date from a much earlier era and should be
# re-checked before use: a decommissioned DNSBL may stop answering or start
# listing every query, which turns into blanket false positives.
maps_rbl_domains =
    relays.ordb.org
    relays.mail-abuse.org
    dialups.mail-abuse.org
    blackholes.mail-abuse.org
    sbl.spamhaus.org
    blackholes.easynet.nl
    dul.dnsbl.sorbs.net
# bl.spamcop.net
# dnsbl.njabl.org,
# dnsbl.ahbl.org
# cbl.abuseat.org
# proxies.blackholes.wirehub.net
# opm.blitzed.org
# list.dsbl.org
# multihop.dsbl.org

# NOTE(review): every reject_* here is wrapped in warn_if_reject, so this
# list rejects nothing — it only logs what would have been rejected. That is
# a sensible trial mode, but it means the DNSBLs provide no protection until
# the warn_if_reject prefixes are removed.
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    warn_if_reject reject_unknown_client
    warn_if_reject reject_rbl_client relays.ordb.org
    warn_if_reject reject_rbl_client relays.mail-abuse.org
    warn_if_reject reject_rbl_client dialups.mail-abuse.org
    warn_if_reject reject_rbl_client blackholes.mail-abuse.org
    warn_if_reject reject_rbl_client sbl.spamhaus.org
    warn_if_reject reject_rbl_client blackholes.easynet.nl
    warn_if_reject reject_rbl_client dul.dnsbl.sorbs.net
# warn_if_reject reject_maps_rbl
# check_client_access hash:/etc/postfix/client_access
# FIXME: reject_unknown_client is dangerous, because of badly configured DNS

smtpd_etrn_restrictions =
    permit_mynetworks
# not used: check_etrn_access hash:/etc/postfix/etrn_access

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access
    warn_if_reject reject_non_fqdn_hostname
    warn_if_reject reject_unknown_hostname
# FIXME: last rule can be dangerous
# check_helo_access pcre:/etc/postfix/helo_access_regex

# NOTE(review): reject_unknown_sender_domain is evaluated before the
# sender_access table, so an entry in that table cannot whitelist a sender
# whose domain fails DNS lookup; move the table ahead of the reject if such
# exceptions are needed.
smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    check_sender_mx_access hash:/etc/postfix/mx_access
    reject_non_fqdn_sender
    check_sender_access pcre:/etc/postfix/sender_access
# reject_unverified_sender (ADDRESS_VERIFICATION_README - not always safe)
# reject_rhsbl_sender dsn.rfc-ignorant.org
# reject_rhsbl_client blackhole.securitysage.com
# reject_rhsbl_sender blackhole.securitysage.com

# NOTE(review): the spam_recipient_access table is consulted BEFORE
# permit_mynetworks and reject_unauth_destination. Any entry in that table
# that returns OK/PERMIT (rather than REJECT, DUNNO or one of the restriction
# class names defined below) ends evaluation early and lets anyone relay to
# that recipient. Audit the table for permit results, or move it after
# reject_unauth_destination. Relay control itself is correctly present via
# reject_unauth_destination after the two permit_* entries.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/spam_recipient_access
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_hostname
    reject_unauth_destination
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/recipient_access
    check_recipient_mx_access hash:/etc/postfix/mx_access
# reject_unverified_recipient   # in recipient_access
# permit_tls_clientcerts        # postfix 2.2
# permit_auth_destination
# check_policy_service inet: 127.0.0.1:2525,   ### THIS is the GREYLISTING activation
# NOTE(review): if the policy service is re-enabled, the spec must be written
# without the space and trailing comma, i.e. inet:127.0.0.1:2525, and it
# belongs after reject_unauth_destination so the policy daemon is never asked
# to authorize relaying.
# check_client_access hash:/etc/mail/pop-before-smtp
# check_relay_domains
# permit_mx_backup

smtpd_data_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    warn_if_reject reject_multi_recipient_bounce
#FIXME: testing reject_multi_recipient_bounce
# http://www.postfix.org/postconf.5.html#reject_multi_recipient_bounce

# Header/body inspection is fully disabled here; only the content filter
# below sees message content.
#header_checks = pcre:/etc/postfix/header_checks
#mime_header_checks = pcre:/etc/postfix/mime_header_checks
#nested_header_checks = pcre:/etc/postfix/nested_header_checks
#body_checks = pcre:/etc/postfix/body_checks

# Restriction classes that the access tables above may return as results.
smtpd_restriction_classes = spam_client_access_class, spam_recipient_filter_class
spam_client_access_class = check_client_access hash:/etc/postfix/spam_client_access
spam_recipient_filter_class = check_recipient_access hash:/etc/postfix/spam_recipient_filter

# AMaViS
# NOTE(review): all accepted mail is handed to the filter on loopback port
# 10024. The re-injection listener that the filter sends mail back to
# (defined in master.cf, not visible here) must override content_filter to
# an empty value, otherwise filtered mail would be filtered again in a loop.
content_filter = smtp:[127.0.0.1]:10024