# Global Postfix configuration file. This file lists only a subset # of all parameters. For the syntax, and for a complete parameter # list, see the postconf(5) manual page (command: "man 5 postconf"). # # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to # http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. # COMPATIBILITY # # The compatibility_level determines what default settings Postfix # will use for main.cf and master.cf settings. These defaults will # change over time. # # To avoid breaking things, Postfix will use backwards-compatible # default settings and log where it uses those old backwards-compatible # default settings, until the system administrator has determined # if any backwards-compatible default settings need to be made # permanent in main.cf or master.cf. # # When this review is complete, update the compatibility_level setting # below as recommended in the RELEASE_NOTES file. # # The level below is what should be used with new (not upgrade) installs. # compatibility_level = 2 # SOFT BOUNCE # # The soft_bounce parameter provides a limited safety net for # testing. When soft_bounce is enabled, mail will remain queued that # would otherwise bounce. This parameter disables locally-generated # bounces, and prevents the SMTP server from rejecting mail permanently # (by changing 5xx replies into 4xx replies). However, soft_bounce # is no cure for address rewriting mistakes or mail routing mistakes. # #soft_bounce = no # LOCAL PATHNAME INFORMATION # # The queue_directory specifies the location of the Postfix queue. # This is also the root directory of Postfix daemons that run chrooted. # See the files in examples/chroot-setup for setting up Postfix chroot # environments on different UNIX systems. # queue_directory = @PREFIX@/var/spool/postfix # The command_directory parameter specifies the location of all # postXXX commands. # command_directory = @PREFIX@/sbin # The daemon_directory parameter specifies the location of all Postfix # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # daemon_directory = @PREFIX@/libexec/postfix # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned # by the mail_owner account (see below). # data_directory = @PREFIX@/var/lib/postfix # QUEUE AND PROCESS OWNERSHIP # # The mail_owner parameter specifies the owner of the Postfix queue # and of most Postfix daemon processes. Specify the name of a user # account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS # AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In # particular, don't specify nobody or daemon. PLEASE USE A DEDICATED # USER. # mail_owner = _postfix # The default_privs parameter specifies the default rights used by # the local delivery agent for delivery to external file or command. # These rights are used in the absence of a recipient user context. # DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. # default_privs = nobody # INTERNET HOST AND DOMAIN NAMES # # The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). $myhostname is used as a default value for many # other configuration parameters. # #myhostname = host.domain.tld #myhostname = virtual.domain.tld # The mydomain parameter specifies the local internet domain name. # The default is to use $myhostname minus the first component. # $mydomain is used as a default value for many other configuration # parameters. # #mydomain = domain.tld # SENDING MAIL # # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple # machines, you should (1) change this to $mydomain and (2) set up # a domain-wide alias database that aliases each user to # user@that.users.mailhost. # # For the sake of consistency between sender and recipient addresses, # myorigin also specifies the default domain name that is appended # to recipient addresses that have no @domain part. # #myorigin = $myhostname #myorigin = $mydomain # RECEIVING MAIL # The inet_interfaces parameter specifies the network interface # addresses that this mail system receives mail on. By default, # the software claims all active interfaces on the machine. The # parameter also controls delivery of mail to user@[ip.address]. # # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us via a proxy or network address translator. # # Note: you need to stop/start Postfix when this parameter changes. # #inet_interfaces = all #inet_interfaces = $myhostname #inet_interfaces = $myhostname, localhost # The proxy_interfaces parameter specifies the network interface # addresses that this mail system receives mail on by way of a # proxy or network address translation unit. This setting extends # the address list specified with the inet_interfaces parameter. # # You must specify your proxy/NAT addresses when your system is a # backup MX host for other domains, otherwise mail delivery loops # will happen when the primary MX host is down. # #proxy_interfaces = #proxy_interfaces = 1.2.3.4 # The mydestination parameter specifies the list of domains that this # machine considers itself the final destination for. # # These domains are routed to the delivery agent specified with the # local_transport parameter setting. By default, that is the UNIX # compatible delivery agent that lookups all recipients in /etc/passwd # and /etc/aliases or their equivalent. # # The default is $myhostname + localhost.$mydomain + localhost. On # a mail domain gateway, you should also include $mydomain. # # Do not specify the names of virtual domains - those domains are # specified elsewhere (see VIRTUAL_README). # # Do not specify the names of domains that this machine is backup MX # host for. Specify those names via the relay_domains settings for # the SMTP server, or use permit_mx_backup if you are lazy (see # STANDARD_CONFIGURATION_README). # # The local machine is always the final destination for mail addressed # to user@[the.net.work.address] of an interface that the mail system # receives mail on (see the inet_interfaces parameter). # # Specify a list of host or domain names, /file/name or type:table # patterns, separated by commas and/or whitespace. A /file/name # pattern is replaced by its contents; a type:table is matched when # a name matches a lookup key (the right-hand side is ignored). # Continue long lines by starting the next line with whitespace. # # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # #mydestination = $myhostname, localhost.$mydomain, localhost #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, # mail.$mydomain, www.$mydomain, ftp.$mydomain # REJECTING MAIL FOR UNKNOWN LOCAL USERS # # The local_recipient_maps parameter specifies optional lookup tables # with all names or addresses of users that are local with respect # to $mydestination, $inet_interfaces or $proxy_interfaces. # # If this parameter is defined, then the SMTP server will reject # mail for unknown local users. This parameter is defined by default. # # To turn off local recipient checking in the SMTP server, specify # local_recipient_maps = (i.e. empty). # # The default setting assumes that you use the default Postfix local # delivery agent for local delivery. You need to update the # local_recipient_maps setting if: # # - You define $mydestination domain recipients in files other than # /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. # For example, you define $mydestination domain recipients in # the $virtual_mailbox_maps files. # # - You redefine the local delivery agent in master.cf. # # - You redefine the "local_transport" setting in main.cf. # # - You use the "luser_relay", "mailbox_transport", or "fallback_transport" # feature of the Postfix local delivery agent (see local(8)). # # Details are described in the LOCAL_RECIPIENT_README file. # # Beware: if the Postfix SMTP server runs chrooted, you probably have # to access the passwd file via the proxymap service, in order to # overcome chroot restrictions. The alternative, having a copy of # the system passwd file in the chroot jail is just not practical. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify a bare username, an @domain.tld # wild-card, or specify a user@domain.tld address. # #local_recipient_maps = unix:passwd.byname $alias_maps #local_recipient_maps = proxy:unix:passwd.byname $alias_maps #local_recipient_maps = # The unknown_local_recipient_reject_code specifies the SMTP server # response code when a recipient domain matches $mydestination or # ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty # and the recipient address or address local-part is not found. # # The default setting is 550 (reject mail) but it is safer to start # with 450 (try again later) until you are certain that your # local_recipient_maps settings are OK. # unknown_local_recipient_reject_code = 550 # TRUST AND RELAY CONTROL # The mynetworks parameter specifies the list of "trusted" SMTP # clients that have more privileges than "strangers". # # In particular, "trusted" SMTP clients are allowed to relay mail # through Postfix. See the smtpd_recipient_restrictions parameter # in postconf(5). # # You can specify the list of "trusted" network addresses by hand # or you can let Postfix do it for you (which is the default). # # By default (mynetworks_style = subnet), Postfix "trusts" SMTP # clients in the same IP subnetworks as the local machine. # On Linux, this does works correctly only with interfaces specified # with the "ifconfig" command. # # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. # # Specify "mynetworks_style = host" when Postfix should "trust" # only the local machine. # #mynetworks_style = class #mynetworks_style = subnet #mynetworks_style = host # Alternatively, you can specify the mynetworks list by hand, in # which case Postfix ignores the mynetworks_style setting. # # Specify an explicit list of network/netmask patterns, where the # mask specifies the number of bits in the network part of a host # address. # # You can also specify the absolute pathname of a pattern file instead # of listing the patterns here. Specify type:table for table-based lookups # (the value on the table right-hand side is not used). # #mynetworks = 168.100.189.0/28, 127.0.0.0/8 #mynetworks = $config_directory/mynetworks #mynetworks = hash:@PREFIX@/etc/postfix/network_table # The relay_domains parameter restricts what destinations this system will # relay mail to. See the smtpd_recipient_restrictions description in # postconf(5) for detailed information. # # By default, Postfix relays mail # - from "trusted" clients (IP address matches $mynetworks) to any destination, # - from "untrusted" clients to destinations that match $relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. # # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match $inet_interfaces or $proxy_interfaces, # - destinations that match $mydestination # - destinations that match $virtual_alias_domains, # - destinations that match $virtual_mailbox_domains. # These destinations do not need to be listed in $relay_domains. # # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name # is replaced by its contents; a type:name table is matched when a # (parent) domain appears as lookup key. # # NOTE: Postfix will not automatically forward mail for domains that # list this system as their primary or backup MX host. See the # permit_mx_backup restriction description in postconf(5). # #relay_domains = $mydestination # INTERNET OR INTRANET # The relayhost parameter specifies the default host to send mail to # when no entry is matched in the optional transport(5) table. When # no relayhost is given, mail is routed directly to the destination. # # On an intranet, specify the organizational domain name. If your # internal DNS uses no MX records, specify the name of the intranet # gateway host instead. # # In the case of SMTP, specify a domain, host, host:port, [host]:port, # [address] or [address]:port; the form [host] turns off MX lookups. # # If you're connected via UUCP, see also the default_transport parameter. # #relayhost = $mydomain #relayhost = [gateway.my.domain] #relayhost = [mailserver.isp.tld] #relayhost = uucphost #relayhost = [an.ip.add.ress] # REJECTING UNKNOWN RELAY USERS # # The relay_recipient_maps parameter specifies optional lookup tables # with all addresses in the domains that match $relay_domains. # # If this parameter is defined, then the SMTP server will reject # mail for unknown relay users. This feature is off by default. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify an @domain.tld wild-card, or specify # a user@domain.tld address. # #relay_recipient_maps = hash:@PREFIX@/etc/postfix_relay_recipients # INPUT RATE CONTROL # # The in_flow_delay configuration parameter implements mail input # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). # # A Postfix process will pause for $in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. # # Specify 0 to disable the feature. Valid delays are 0..10. # #in_flow_delay = 1s # ADDRESS REWRITING # # The ADDRESS_REWRITING_README document gives information about # address masquerading or other forms of address rewriting including # username->Firstname.Lastname mapping. # ADDRESS REDIRECTION (VIRTUAL DOMAIN) # # The VIRTUAL_README document gives information about the many forms # of domain hosting that Postfix supports. # "USER HAS MOVED" BOUNCE MESSAGES # # See the discussion in the ADDRESS_REWRITING_README document. # TRANSPORT MAP # # See the discussion in the ADDRESS_REWRITING_README document. # ALIAS DATABASE # # The alias_maps parameter specifies the list of alias databases used # by the local delivery agent. The default list is system dependent. # # On systems with NIS, the default is to search the local alias # database, then the NIS alias database. See aliases(5) for syntax # details. # # If you change the alias database, run "postalias /etc/aliases" (or # wherever your system stores the mail alias file), or simply run # "newaliases" to build the necessary DBM or DB file. # # It will take a minute or so before changes become visible. Use # "postfix reload" to eliminate the delay. # #alias_maps = dbm:/etc/aliases #alias_maps = hash:/etc/aliases #alias_maps = hash:/etc/aliases, nis:mail.aliases #alias_maps = netinfo:/aliases # The alias_database parameter specifies the alias database(s) that # are built with "newaliases" or "sendmail -bi". This is a separate # configuration parameter, because alias_maps (see above) may specify # tables that are not necessarily all under control by Postfix. # #alias_database = dbm:/etc/aliases #alias_database = dbm:/etc/mail/aliases #alias_database = hash:/etc/aliases #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases # ADDRESS EXTENSIONS (e.g., user+foo) # # The recipient_delimiter parameter specifies the separator between # user names and address extensions (user+foo). See canonical(5), # local(8), relocated(5) and virtual(5) for the effects this has on # aliases, canonical, virtual, relocated and .forward file lookups. # Basically, the software tries user+foo and .forward+foo before # trying user and .forward. # #recipient_delimiter = + # DELIVERY TO MAILBOX # # The home_mailbox parameter specifies the optional pathname of a # mailbox file relative to a user's home directory. The default # mailbox file is /var/spool/mail/user or /var/mail/user. Specify # "Maildir/" for qmail-style delivery (the / is required). # #home_mailbox = Mailbox #home_mailbox = Maildir/ # The mail_spool_directory parameter specifies the directory where # UNIX-style mailboxes are kept. The default setting depends on the # system type. # #mail_spool_directory = /var/mail #mail_spool_directory = /var/spool/mail # The mailbox_command parameter specifies the optional external # command to use instead of mailbox delivery. The command is run as # the recipient with proper HOME, SHELL and LOGNAME environment settings. # Exception: delivery for root is done as $default_user. # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), # and LOCAL (the address localpart). # # Unlike other Postfix configuration parameters, the mailbox_command # parameter is not subjected to $parameter substitutions. This is to # make it easier to specify shell syntax (see example below). # # Avoid shell meta characters because they will force Postfix to run # an expensive shell process. Procmail alone is expensive enough. # # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. # #mailbox_command = /some/where/procmail #mailbox_command = /some/where/procmail -a "$EXTENSION" # The mailbox_transport specifies the optional transport in master.cf # to use after processing aliases and .forward files. This parameter # has precedence over the mailbox_command, fallback_transport and # luser_relay parameters. # # Specify a string of the form transport:nexthop, where transport is # the name of a mail delivery transport defined in master.cf. The # :nexthop part is optional. For more details see the sample transport # configuration file. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" # listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. #mailbox_transport = lmtp:unix:/var/imap/socket/lmtp # # Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and # subsequent line in master.cf. #mailbox_transport = cyrus # The fallback_transport specifies the optional transport in master.cf # to use for recipients that are not found in the UNIX passwd database. # This parameter has precedence over the luser_relay parameter. # # Specify a string of the form transport:nexthop, where transport is # the name of a mail delivery transport defined in master.cf. The # :nexthop part is optional. For more details see the sample transport # configuration file. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #fallback_transport = lmtp:unix:/file/name #fallback_transport = cyrus #fallback_transport = # The luser_relay parameter specifies an optional destination address # for unknown recipients. By default, mail for unknown@$mydestination, # unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned # as undeliverable. # # The following expansions are done on luser_relay: $user (recipient # username), $shell (recipient shell), $home (recipient home directory), # $recipient (full recipient address), $extension (recipient address # extension), $domain (recipient domain), $local (entire recipient # localpart), $recipient_delimiter. Specify ${name?value} or # ${name:value} to expand value only when $name does (does not) exist. # # luser_relay works only for the default Postfix local delivery agent. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must specify "local_recipient_maps =" (i.e. empty) in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #luser_relay = $user@other.host #luser_relay = $local@other.host #luser_relay = admin+$local # JUNK MAIL CONTROLS # # The controls listed here are only a very small subset. The file # SMTPD_ACCESS_README provides an overview. # The header_checks parameter specifies an optional table with patterns # that each logical message header is matched against, including # headers that span multiple physical lines. # # By default, these patterns also apply to MIME headers and to the # headers of attached messages. With older Postfix versions, MIME and # attached message headers were treated as body text. # # For details, see "man header_checks". # #header_checks = regexp:@PREFIX@/etc/postfix/header_checks # FAST ETRN SERVICE # # Postfix maintains per-destination logfiles with information about # deferred mail, so that mail can be flushed quickly with the SMTP # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". # See the ETRN_README document for a detailed description. # # The fast_flush_domains parameter controls what destinations are # eligible for this service. By default, they are all domains that # this server is willing to relay mail to. # #fast_flush_domains = $relay_domains # SHOW SOFTWARE VERSION OR NOT # # The smtpd_banner parameter specifies the text that follows the 220 # code in the SMTP server's greeting banner. Some people like to see # the mail version advertised. By default, Postfix shows no version. # # You MUST specify $myhostname at the start of the text. That is an # RFC requirement. Postfix itself does not care. # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) # PARALLEL DELIVERY TO THE SAME DESTINATION # # How many parallel deliveries to the same user or domain? With local # delivery, it does not make sense to do massively parallel delivery # to the same user, because mailbox updates must happen sequentially, # and expensive pipelines in .forward files can cause disasters when # too many are run at the same time. With SMTP deliveries, 10 # simultaneous connections to the same domain could be sufficient to # raise eyebrows. # # Each message delivery transport has its XXX_destination_concurrency_limit # parameter. The default is $default_destination_concurrency_limit for # most delivery transports. For the local delivery agent the default is 2. #local_destination_concurrency_limit = 2 #default_destination_concurrency_limit = 20 # DEBUGGING CONTROL # # The debug_peer_level parameter specifies the increment in verbose # logging level when an SMTP client or server host name or address # matches a pattern in the debug_peer_list parameter. # debug_peer_level = 2 # The debug_peer_list parameter specifies an optional list of domain # or network patterns, /file/name patterns or type:name tables. When # an SMTP client or server host name or address matches a pattern, # increase the verbose logging level by the amount specified in the # debug_peer_level parameter. # #debug_peer_list = 127.0.0.1 #debug_peer_list = some.domain debug_peer_list = mit.edu # The debugger_command specifies the external command that is executed # when a Postfix daemon program is run with the -D option. # # Use "command .. & sleep 5" so that the debugger can attach before # the process marches on. If you use an X-based debugger, be sure to # set up your XAUTHORITY environment variable before starting Postfix. # debugger_command = PATH=@PREFIX@/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 # If you can't use X, use this to capture the call stack when a # daemon crashes. The result is in a file in the configuration # directory, and is named after the process name and the process ID. # # debugger_command = # PATH=@PREFIX@/bin:/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; # echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 # >$config_directory/$process_name.$process_id.log & sleep 5 # # Another possibility is to run gdb under a detached screen session. # To attach to the screen session, su root and run "screen -r # " where uniquely matches one of the detached # sessions (from "screen -list"). # # debugger_command = # PATH=@PREFIX@/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen # -dmS $process_name gdb $daemon_directory/$process_name # $process_id & sleep 1 # INSTALL-TIME CONFIGURATION INFORMATION # # The following parameters are used when installing a new Postfix version. # # sendmail_path: The full pathname of the Postfix sendmail command. # This is the Sendmail-compatible mail posting interface. # sendmail_path = @PREFIX@/sbin/sendmail # newaliases_path: The full pathname of the Postfix newaliases command. # This is the Sendmail-compatible command to build alias databases. # newaliases_path = @PREFIX@/bin/newaliases # mailq_path: The full pathname of the Postfix mailq command. This # is the Sendmail-compatible mail queue listing command. # mailq_path = @PREFIX@/bin/mailq # setgid_group: The group for mail submission and queue management # commands. This must be a group name with a numerical group ID that # is not shared with other accounts, not even with the Postfix account. # setgid_group = _postdrop # html_directory: The location of the Postfix HTML documentation. # html_directory = no # manpage_directory: The location of the Postfix on-line manual pages. # manpage_directory = @PREFIX@/share/man # sample_directory: The location of the Postfix sample configuration files. # This parameter is obsolete as of Postfix 2.1. # sample_directory = @PREFIX@/share/postfix/sample # readme_directory: The location of the Postfix README files. # readme_directory = @PREFIX@/share/postfix/readme # inet_protocols = ipv4 # macOS Server v.5.6 configuration: inet_protocols = all meta_directory = @PREFIX@/etc/postfix shlib_directory = @PREFIX@/libexec/postfix #====================================================================== ############################ # macOS Open Source Server # ############################ # Based on /Library/Server_v56/Mail/Config/postfix/main.cf, # https://www.c0ffee.net/blog/mail-server-guide/ ## Create these directories, files # sudo mkdir @PREFIX@/var/log/mail # sudo chmod go-rwx @PREFIX@/var/log/mail ## Create @PREFIX@/etc/postfix/sasl/passwd, passwd.db with secure permissions # sudo rsync -a /Library/Server_v56/Mail/Config/postfix/sasl @PREFIX@/etc/postfix # sudo newaliases # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048 ## TLS authentication of mail relays # openssl s_client -showcerts -servername smtp.comcast.net -connect smtp.comcast.net:587 -starttls smtp < /dev/null > smtp_comcast_net.pem ## For smtp_tls_CApath: ## break into three (or the necessary trust chain #) of .pem files delineated by ## '-----BEGIN CERTIFICATE-----' ## Use openssl x509 to track and check the trust chain: # openssl x509 -text -noout -in COMODORSAAddTrustCA.pem | less ## Download and convert issuer certs based on e.g. ## "CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt" # curl -O http://crt.comodoca.com/COMODORSAAddTrustCA.crt # openssl x509 -inform der -outform -pem -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem # rm COMODORSAAddTrustCA.crt ## Check the certificate chain of trust # openssl verify -CAfile UTN-DATACorpSGC.pem AddTrustExternalCARoot.pem # openssl verify -CAfile UTN-DATACorpSGC.pem -untrusted AddTrustExternalCARoot.pem COMODORSAAddTrustCA.pem ## Compate SHA1 hashes of issuers in the chain # openssl x509 -text -noout -in smtp_comcast_net.pem | grep -A1 "Authority Key Identifier" | tail -1 # openssl x509 -text -noout -in COMODORSAOrganizationValidationSecureServerCA.pem | grep -A1 "Subject Key Identifier" | tail -1 ## Create smtp_tls_CApath under ./postfix (for chroot jail) and copy the files: # sudo mkdir -p @PREFIX@/etc/postfix/etc/certificates # sudo cp *.pem @PREFIX@/etc/postfix/etc/certificates # sudo chgrp -R mail @PREFIX@/etc/postfix/etc/certificates # sudo dseditgroup -o edit -a _postfix -t user mail # sudo dseditgroup -o edit -a _dovecot -t user mail # sudo dseditgroup -o edit -a _dovenull -t user mail # dscacheutil -q group -a name certusers # dscacheutil -q group -a name mail ## For smtp_tls_CAfile: # vi smtp_comcast_net.pem # delete non-certificate outputs before 1st --- and after last --- ## SASL authentication for mail relays # sudo mkdir @PREFIX@/etc/postfix/sasl # sudo vi @PREFIX@/etc/postfix/sasl/passwd # sudo chgrp -R _postfix @PREFIX@/etc/postfix/sasl # sudo chmod -R o-rwx @PREFIX@/etc/postfix/sasl # sudo postmap @PREFIX@/etc/postfix/sasl/passwd ## NOTE: Do *not* copy over HUGE Berkeley .db files from High Sierra APNS file systems; ## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.6. ## Rather, # sudo find /Library/Server_v56/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn ## to find affected files, then use postmap to recreate them on the new server. ## The only way to fix these on an old server is to create the .db files on ## an attached HDFS drive, then create symbolic links on the High Sierra APNS drive. ## Observed to be necessary for /Library/Server/Mail/Data/scanner/amavis/.spamassassin/, ./postfix/*.db # Debugging # mailq # sudo postsuper -d ALL # sudo vi @PREFIX@/etc/postfix/main.cf # sudo bash -c 'postfix reload ; sleep 1 ; nmap -p 25 localhost ; lsof -i ":25" ; postfix status ; postfix check' # sendmail -vt < ~/mail.txt # sudo less @PREFIX@/var/log/mail/postfix.log ## mail.txt # To: me@isp.net # Subject: postfix configuration test # From: admin@domain.tld # # My first SMTP email test. # Logging maillog_file = @PREFIX@/var/log/mail/postfix.log maillog_file_compressor = bzip2 maillog_file_prefixes = @PREFIX@/var/log/mail # maillog_file_rotate_suffix = # macOS Server v.5.6 configuration: smtp_tls_loglevel = 1 # use 0 for Postfix >= 2.9, and 1 for earlier versions # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_loglevel = 0 # macOS Server v.5.6 configuration settings that do not appear elsewhere # Commented-out settings are often specific to macOS Server.app's postfix build # dovecot # macOS Server v.5.6 configuration: # dovecot_destination_recipient_limit = 1 # Alias maps, database if mailman is used # alias_maps = hash:@PREFIX@/etc/postfix/aliases, hash:@PREFIX@/var/mailman/data/aliases # alias_database = hash:@PREFIX@/etc/postfix/aliases, hash:@PREFIX@/var/mailman/data/aliases # Protect SSL/TLS encryption keys tls_random_source = dev:/dev/urandom # (APPLE) Credentials for using URLAUTH with IMAP servers. # imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred # (APPLE) The SACL cache caches the results of Mail Service ACL lookups. # Tune these to make the cache more responsive to changes in the SACL. # The cache is only in memory, so bouncing the sacl-cache service clears it. # use_sacl_cache = yes # sacl_cache_positive_expire_time = 7d # sacl_cache_negative_expire_time = 1d # sacl_cache_disabled_expire_time = 1m # (APPLE) Reject messages having any MIME body part (attachment, etc.) # larger than this number of bytes. 0, the default, means no limit. # mime_max_body_size = 0 #====================================================================== # macOS Server v.5.6 configuration: # mydomain_fallback = localhost mynetworks = 127.0.0.0/8, [::1]/128 inet_interfaces = all # macOS Server v.5.6 configuration; site-specific, pre-defined # config_directory = /Library/Server/Mail/Config/postfix # smtpd_require_virtual_map = yes # virtual_alias_domains = $virtual_alias_maps, hash:@PREFIX@/etc/postfix/virtual_domains # virtual_alias_maps = $virtual_maps, hash:@PREFIX@/etc/postfix/virtual_users # macOS Server v.5.6 configuration: # enable_server_options = yes # smtpd_pw_server_security_options = cram-md5,digest-md5,gssapi,login,plain # content_filter = smtp-amavis:[127.0.0.1]:10024 # macOS Server v.5.6 configuration: # smtpd_use_pw_server = yes header_checks = pcre:@PREFIX@/etc/postfix/custom_header_checks recipient_canonical_maps = hash:@PREFIX@/etc/postfix/system_user_maps postscreen_dnsbl_sites = zen.spamhaus.org*2 mailbox_transport = lmtp:unix:private/dovecot-lmtp # Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering # smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit # SMTP Recipient and Relay Restrictions # http://www.postfix.org/SMTPD_ACCESS_README.html # https://bbs.archlinux.org/viewtopic.php?id=158020 # http://superuser.com/questions/664516/noqueue-reject-relay-access-denied #smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy permit #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination compatibility_level = 2 # disable "new mail" notifications for local users biff = no # Name of this mail server, used in the SMTP HELO for outgoing mail. Make # sure this resolves to the same IP as your reverse DNS hostname. myhostname = mail.@domain@.@tld@ mydomain = @domain@.@tld@ # Domains for which postfix will deliver local mail. Does not apply to # virtual domains, which are configured below. Make sure to specify the FQDN # of your sever, as well as localhost. # Note: NEVER specify any virtual domains here!!! Those come later. # macOS Server v.5.6 configuration: mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain # Domain appended to mail sent locally from this machine - such as mail sent # via the `sendmail` command. # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) myorigin = $mydomain # prevent spammers from searching for valid users # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) disable_vrfy_command = yes # require properly formatted email addresses - prevents a lot of spam # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) strict_rfc821_envelopes = yes # don't give any helpful info when a mailbox doesn't exist # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) show_user_unknown_table_name = no # limit maximum e-mail size to 25MB. mailbox size must be at least as big as # the message size for the mail to be accepted, but has no meaning after # that since we are using Dovecot for delivery. # default mailbox size limit set to no limit message_size_limit = 25165824 mailbox_size_limit = 0 # require addresses of the form "user@domain.tld" # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) allow_percent_hack = no swap_bangpath = no # allow plus-aliasing: "user+tag@domain.tld" delivers to "user" mailbox # Handle both Postfix and qmail extensions (Postfix 2.11 and later). # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # `recipient_delimiter = +` used by CalendarServer # Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …` # if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see # dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf recipient_delimiter = + # PKI for Client (smtp) and Server (smtpd) # To use macOS Server v5.10 generated certificates: # # 0. Identify the file that looks like @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem # and verify its issue date and issuer "* Intermediate CA" with: # # $ ls /etc/certificates # $ openssl x509 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem -text -noout # $ openssl x509 -noout -fingerprint -sha1 -inform pem -in openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||' | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||' # # Use this SHA1 to obtain the passphraphse for this certificate's private key from: # # Keychain Access.app> System> Search for this SHA1> # Double-click "Mac OS X Server certificate management"> Show password # # 1. Create a secure storage for this passphrase and desctrypted key: # # $ sudo mkdir -p @PREFIX@/etc/certificates/private # $ sudo chmod 0700 @PREFIX@/etc/certificates/private # $ sudo vi @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private # $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private # # `ssl_key_password` wasn't working on my install, so put the decrypted key in @PREFIX@/etc/certificates/private # # $ sudo openssl pkey -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted -passin file:@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase # $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private # # 2. Link to the existing TLS chain. # # $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem @PREFIX@/etc/certificates # $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem @PREFIX@/etc/certificates # $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem @PREFIX@/etc/certificates # $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.concat.pem @PREFIX@/etc/certificates # # 3. Confirm restricted permissions: # # $ ls -l @PREFIX@/etc/certificates # $ sudo ls -l @PREFIX@/etc/certificates/private # # 4. Finally, reconfigure dovecot's conf.d/10-ssl.conf, postfix's master.cf, # and, if installed, calendar-contacts-server's proxy nginx.conf: # # $ sudo vi @PREFIX@/etc/dovecot/conf.d/10-ssl.conf # $ sudo vi @PREFIX@/etc/postfix/main.cf # $ sudo vi @PREFIX@/var/calendarserver/Library/CalendarServer/etc/nginx.conf # Enter the filenames directly (not the `default_certificate` link) because key files are also necessary smtpd_tls_chain_files = @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem # Put this Server.app certificate in smtp_tls_CApath; see below # smtp_tls_CAfile = @PREFIX@/etc/postfix/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem smtp_tls_CAfile = @PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem # smtp_ (postfix client) configuration smtp_enforce_tls = yes # These two lines define how postfix will connect to other mail servers. # DANE is a stronger form of opportunistic TLS. You can read about it here: # http://www.postfix.org/TLS_README.html#client_tls_dane smtp_tls_security_level = dane smtp_dns_support_level = dnssec # DANE requires a DNSSEC capable resolver. If your DNS resolver doesn't # support DNSSEC, remove the above two lines and uncomment the below: # Implement DNSSEC if named is ever put outside the firewall, and DNSSEC infrastructure uses ED25519 # smtp_tls_security_level = may # macOS Server v.5.6 configuration: smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols = !SSLv2, !SSLv3 # Trimmed cipherlist improves interoperability with old Exchange servers # and reduces exposure to obsolete and rarely used crypto. See: # http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers # http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2 # SMTP Relay and SASL Authentication Configuration # macOS Server v.5.6 configuration: # `relayhost` is the host:port of the SMTP relay e.g. smtp.comcast.net:587 relayhost = [@RELAYHOST@]:submission # `smtp_sasl_password_maps` has SMTP server authentication credentials of the form: # [host]:port\t username:password\n [\t == , \n == ] # with group ownership _postfix and no "other" permissions: # sudo mkdir @PREFIX@/etc/postfix/sasl # sudo vi @PREFIX@/etc/postfix/sasl/passwd # sudo chgrp -R _postfix @PREFIX@/etc/postfix/sasl # sudo chmod -R o-rwx @PREFIX@/etc/postfix/sasl # sudo postmap @PREFIX@/etc/postfix/sasl/passwd smtp_sasl_password_maps = hash:@PREFIX@/etc/postfix/sasl/passwd smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous smtp_sasl_mechanism_filter = plain, gssapi # `smtp_tls_CApath` is the directory with the certificate authorities for the SMTP relay and/or servers # `postfix check` says that these must belong to root. # Example retrieval of this certificate chain from ISP: # echo "quit" | openssl s_client -showcerts -servername smtp.comcast.net -connect smtp.comcast.net:587 -starttls smtp > smtp_comcast_net.pem ## For smtp_tls_CApath: ## break into three (or the necessary trust chain #) of .pem files delineated by ## '-----BEGIN CERTIFICATE-----' ## Use openssl x509 to track and check the trust chain: # openssl x509 -text -noout -in COMODORSAAddTrustCA.pem | less ## Download and convert issuer certs based on e.g. ## "CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt" # curl -O http://crt.comodoca.com/COMODORSAAddTrustCA.crt # openssl x509 -inform der -outform -pem -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem # rm COMODORSAAddTrustCA.crt ## Check the certificate chain of trust # openssl verify -CAfile UTN-DATACorpSGC.pem AddTrustExternalCARoot.pem # openssl verify -CAfile UTN-DATACorpSGC.pem -untrusted AddTrustExternalCARoot.pem COMODORSAAddTrustCA.pem ## Compate SHA1 hashes of issuers in the chain # openssl x509 -text -noout -in smtp_comcast_net.pem | grep -A1 "Authority Key Identifier" | tail -1 # openssl x509 -text -noout -in COMODORSAOrganizationValidationSecureServerCA.pem | grep -A1 "Subject Key Identifier" | tail -1 ## Create smtp_tls_CApath under ./postfix (for chroot jail) and copy the files: # sudo mkdir -p @PREFIX@/etc/postfix/etc/certificates # sudo cp *.pem @PREFIX@/etc/postfix/etc/certificates # sudo chgrp -R mail @PREFIX@/etc/postfix/etc/certificates # sudo dseditgroup -o edit -a _postfix -t user mail # sudo dseditgroup -o edit -a _dovecot -t user mail # sudo dseditgroup -o edit -a _dovenull -t user mail # dscacheutil -q group -a name certusers # dscacheutil -q group -a name mail smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates ## For smtp_tls_CAfile: # vi smtp_comcast_net.pem # delete non-certificate outputs before 1st --- and after last --- # concatenate Server.app's hostname.domainname.SHA-1.cert.pem file into this file # smtp_tls_CAfile = @PREFIX@/etc/postfix/etc/certificates/smtp_tls_CAfile.pem # IP address used by postfix to send outgoing mail. You only need this if # your machine has multiple IP addresses - set it to your MX address to # satisfy your SPF record. # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # smtp_bind_address = my IP == `host $mydomain` # smtp_bind_address6 = my IPv6 == `host -6 $mydomain` # macOS Server v.5.6 configuration that doesn't appear elewhere # smtpd (postfix server) configuration # Also see this for rationale on postfix TLS configuration: # https://drownattack.com/postfix.html # https://serverfault.com/questions/693179/postfix-mandatory-smtp-smtpd-vs-not-mandatory-difference-and-configuration # allow other mail servers to connect using TLS, but don't require it # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_security_level = may # macOS Server v.5.6 configuration: smtpd_enforce_tls = no smtpd_use_tls = yes # Here we define the options for "mandatory" TLS. In our setup, TLS is only # "mandatory" for authenticating users. I got these settings from Mozilla's # SSL reccomentations page. # # NOTE: do not attempt to make TLS mandatory for all incoming/outgoing # connections. Do not attempt to change the default cipherlist for non- # mandatory connections either. There are still a lot of mail servers out # there that do not use TLS, and many that do only support old ciphers. # Forcing TLS for everyone *will* cause you to lose mail. # man 5 postconf /smtpd_tls_mandatory_protocols: "Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not recommended." # Note: if `smtpd_tls_security_level = may`, then bad encryption is better than no encryption; # therefore, do *not* set smtpd_tls_mandatory_protocols or smtpd_tls_protocols to be too restrictive smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2, !SSLv3 # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_mandatory_ciphers = high # macOS Server v.5.6 configuration: smtpd_tls_ciphers = medium # man 5 postconf /tls_high_cipherlist: "You are strongly encouraged to not change this setting." # tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # macOS Server v.5.6 configuration: # smtpd_tls_protocols = !SSLv2, !SSLv3 # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 # List of ciphers or cipher types to exclude from the SMTP server cipher # list at all TLS security levels. # # macOS Server v.5.6 configuration: # smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SEED, IDEA, RC2 # Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs # http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file # http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade # # The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0. # # man 5 postconf /smtpd_tls_dh1024_param_file # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh512.pem 512 # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 1024 # sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048 # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_dh1024_param_file=${data_directory}/dh2048.pem smtpd_tls_eecdh_grade = ultra # cache incoming and outgoing TLS sessions # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) # man 5 postconf : "for Postfix >= 2.11 this parameter should generally be left empty" # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache # smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache # enable SMTPD auth. Dovecot will place an `auth` socket in postfix's # runtime directory that we will use for authentication. smtpd_sasl_auth_enable = yes # Kerberos authentication settings import_environment="KRB5_KTNAME=@PREFIX@/etc/postfix/smtp.keytab" # Kerberos REALM smtpd_sasl_local_domain = @HOST@.@DOMAIN@.@TLD@ # Dovecot SASL # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot ## SASLAUTHD SASL ## smtpd_sasl_path = saslauthd ## smtpd_sasl_type = cyrus # only allow authentication over TLS # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_auth_only = yes # don't allow plaintext auth methods on unencrypted connections # macOS Server v.5.6 configuration: # smtpd_sasl_security_options = noanonymous # smtpd_sasl_security_options = noanonymous, noplaintext # but plaintext auth is fine when using TLS # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sasl_tls_security_options = noanonymous # add a message header when email was recieved over TLS # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_tls_received_header = yes # require that connecting mail servers identify themselves - this greatly # reduces spam smtpd_helo_required = yes # The following block specifies some security restrictions for incoming # mail. The gist of it is, authenticated users and connections from # localhost can do anything they want. Random people connecting over the # internet are treated with more suspicion: they must have a reverse DNS # entry and present a valid, FQDN HELO hostname. In addition, they can only # send mail to valid mailboxes on the server, and the sender's domain must # actually exist. # macOS Server v.5.6 configuration: # smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, zen.spamhaus.org, permit # The settings `reject_unknown_reverse_client_hostname, reject_unauth_pipelining` here cause "451 4.3.5 Server configuration error" # smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, reject_unknown_reverse_client_hostname, reject_unauth_pipelining, zen.spamhaus.org, permit # you might want to consider: # reject_unknown_client_hostname, # here. This will reject all incoming connections without a reverse DNS # entry that resolves back to the client's IP address. This is a very # restrictive check and may reject legitimate mail. # macOS Server v.5.6 configuration: # smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname # you might want to consider: # reject_unknown_helo_hostname, # here. This will reject all incoming mail without a HELO hostname that # properly resolves in DNS. This is a somewhat restrictive check and may # reject legitimate mail # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out # #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! reject_unauth_destination # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf); but commented out # # Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering # # smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit # # SMTP Recipient and Relay Restrictions # # http://www.postfix.org/SMTPD_ACCESS_README.html # # https://bbs.archlinux.org/viewtopic.php?id=158020 # # http://superuser.com/questions/664516/noqueue-reject-relay-access-denied ## smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy permit # #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination # Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …` # if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see # dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_unauth_pipelining # Check: # sudo bash -c 'port unload postfix ; port unload dovecot2 ; ( cd @PREFIX@/var/log/mail ; > postfix.log ; > mail-err.log ; > mail-debug.log ; > mail-info.log ); port load postfix ; port load dovecot2' # sudo cp -p /etc/pam.d/dovecot /etc/pam.d/smtp # sudo mkdir -p @PREFIX@/var/spool/postfix/etc # sudo touch @PREFIX@/var/spool/postfix/etc/sasldb2 # sudo chgrp mail @PREFIX@/var/spool/postfix/etc/sasldb2 # sudo chmod 0640 @PREFIX@/var/spool/postfix/etc/sasldb2 # gtelnet @host@.@domain@.@tld@ 25 # EHLO @host@.@domain@.@tld@ # AUTH PLAIN `printf "username\000username\000password" | base64` ## Test base64-encoded credentials: # printf "username\000username\000password" | base64 | openssl based64 -d | od -c ## SASL authentication alone ## sudo touch @PREFIX@/etc/sasldb2 ## sudo chgrp mail @PREFIX@/etc/sasldb2 ## sudo chmod 0640 @PREFIX@/etc/sasldb2 ## sudo saslauthd -a pam ## testsaslauthd -u username -p "password" -s smtp # Virtual users. Uncomment these after LDAP authentication set up # deliver mail for virtual users to Dovecot's LMTP socket # (Not set in /Library/Server_v56/Mail/Config/postfix/main.cf) virtual_transport = lmtp:unix:private/dovecot-lmtp # LDAP query to find which domains we accept mail for #virtual_mailbox_domains = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-domains.cf # LDAP query to find which email addresses we accept mail for #virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-maps.cf, hash:/usr/local/etc/postfix/system-virtual-mailboxes # LDAP query to find a user's email aliases #virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-alias-maps.cf # Rspamd milter [email broken_richtext.eml to test] milter_protocol = 6 # if rspamd is down, don't reject mail milter_default_action = accept # Use rspamd's default worker-proxy (add $queue_directory/etc/hosts in chroot) #smtpd_milters = inet:localhost:11332 # Use rspamd's socket (add $queue_directory@PREFIX@/var/run/rspamd/milter.sock in chroot) smtpd_milters = unix:@PREFIX@/var/run/rspamd/milter.sock milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}