sheppy/no-secrets-athq-ansible
1
0
Fork 0
mirror of https://github.com/FAUSheppy/no-secrets-athq-ansible synced 2025-12-09 18:38:32 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
dcae6034d34c69faecf6230d22043a04e8957cfe
no-secrets-athq-ansible/roles/mail/files/main.cf

103 lines
4.1 KiB
CFEngine3
Raw Blame History

# let's confuse atackers
smtpd_banner = $myhostname Postfix
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
# delay_warning_time = 10h
queue_directory = /var/spool/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# tls paramaters
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
# breaks mailman for obvious reasons
smtpd_tls_security_level=may
smtpd_tls_auth_only = yes
# SMTP (mainly from dovecot documentation)
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_mandatory_ciphers=high
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
## restrictions
# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
#policyd-spf_time_limit = 3600
smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
# USER mappings (not reliant on unix users)
# MAILMAN #
virtual_mailbox_domains = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
virtual_alias_maps = hash:/etc/postfix/virtual
#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
virtual_transport = lmtp:unix:private/dovecot_lmtp_target
#relocated_maps = hash:/etc/postfix/mail_redirect
alias_maps = hash:/etc/aliases
virtual_minimum_uid = 100
virtual_uid_maps = static:1009
virtual_gid_maps = static:1009
#receive_override_options = no_address_mappings
# spam redirect happens here
header_checks = regexp:/etc/postfix/header_checks
# random shit
biff = no
readme_directory = no
compatibility_level = 2
myhostname = mail.atlantishq.de
#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
mydestination = localhost
#,localhost.esports-erlangen.de,esports-erlangen.de
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
message_size_limit = 80480000
inet_interfaces = all
inet_protocols = all
#alias_maps = hash:/etc/aliases
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = $smtpd_milters
disable_mime_output_conversion = yes
authorized_submit_users = !check,static:all
Reference in New Issue View Git Blame Copy Permalink