# A little shortcut to our query files query = sqlite:$config_directory/query # we use Mailman here, it maintains its own aliases alias_database=hash:/var/lib/mailman/aliases alias_maps = $query/maps-alias.query, $alias_database append_dot_mydomain = no # This is a Postfix 2.9 feature. This will have no effect in Postfix # 2.8 installs. enable_long_queue_ids = yes # We're doing the same thing with local and virtual delivery, delivering # to $HOME/Mail/ maildir. Dovecot likes consistency. home_mailbox = Mail/ html_directory = /usr/doc/postfix/html inet_protocols = ipv4 # uncomment this if you want to force all addresses into SQLite # local_recipient_maps = $query/maps-local.query mail_owner = postfix mailq_path = /usr/bin/mailq manpage_directory = /usr/man mydestination = $query/dom-local.query ### ### Note: myhostname is of crucial importance here. ### It is presumed that it is defined as a local domain (domClass 1) in ### the database. It also should be the system primary hostname, and the ### value of your reverse DNS PTR record. ### myhostname = myhostname.example.org mydomain = $myhostname # myorigin can be a cause of problems if misunderstood, as well. myorigin = $myhostname mynetworks = 127.0.0.0/8, 172.16.1.0/24, 192.168.0.0/20 newaliases_path = /usr/bin/newaliases # require explicit ".domain.tld" patterns when subdomain matching is # desired parent_domain_matches_subdomains = ### IMPORTANT ### # See the Postscreen README before enabling these options ### # The postscreen access file must exist, even if empty. postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_bare_newline_action = enforce postscreen_bare_newline_enable = yes postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce # Likewise, this file must exist if defined. postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 dnsbl.njabl.org*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net spamtrap.trblspam.com swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-4 list.dnswl.org=127.[0..255].[0..255].[2..255]*-6 postscreen_dnsbl_threshold = 3 postscreen_greet_action = enforce postscreen_non_smtp_command_enable = yes postscreen_pipelining_enable = yes # This is a Postfix 2.9 feature. .211 is my primary MX IP address, .214 # is the secondary. Both are bound on this host. We should never get # mail on the rest of the /29. postscreen_whitelist_interfaces = 192.0.2.211 !192.0.2.208/29 static:all queue_directory = /var/spool/postfix readme_directory = /usr/doc/postfix/README_FILES ### Recipient Delimiter ### # The Sendmail default is "+". The qmail default is "-". In general I # prefer to be positive rather than negative, but I have found many web # forms which stupidly insist that email addresses must not contain a # "+" character. Such is what happens when clueless people who don't # read standards are writing software. Sigh, I can't beat them, so I # joined them. recipient_delimiter = - ### IMPORTANT ### # If you change this, you must also change the maps-valias.query file # which has hardcoded the use of "-". It's also set in Dovecot's file, # dovecot/conf.d/15-lda.conf . # Unset relay_domains ("relay_domains =") and comment # relay_recipient_maps if not using relay domains. Although, if you # simply do not define any "domClass=2" in Domains, it is the same. relay_domains = $query/dom-relay.query relay_recipient_maps = $query/maps-relay.query sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail setgid_group = postdrop # Look how simple this is! All the heavy lifting is done in one quick # sqlite query. smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access $query/access-rcpt.query # check_recipient_access $query/access-rcptDomain.query # the above is needed if using a catchall virtual alias smtpd_reject_footer = See your own postmaster for help, or http://nospam4.nodns4.us/ for more information about the policies of this site. # We only enabled SASL on port 587: MUAs and postscreen do not mix. # This setting is called from master.cf for 587. submission_rcpt_restrictions = permit_sasl_authenticated, permit_mynetworks, reject smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot # Note: TLS configuration is not covered in this document; see here for # details: http://www.postfix.org/TLS_README.html smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_cert_file = /etc/ssl/certs/myhostname.example.org.crt smtpd_tls_key_file = /etc/ssl/private/myhostname.example.org.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache # If you are not going to use this feature, comment it transport_maps = $query/maps-transport.query unknown_address_reject_code = 550 virtual_alias_domains = $query/dom-valias.query virtual_alias_maps = $query/maps-valias.query virtual_gid_maps = $query/maps-vgid.query virtual_mailbox_base = /home virtual_mailbox_domains = $query/dom-vmbox.query virtual_mailbox_maps = $query/maps-vmbox.query virtual_minimum_uid = 800 virtual_uid_maps = $query/maps-vuid.query # restriction classes below # # NAMING SCHEME: # - ^RCdd Composite restriction choices for domain owners where # 'dd' is a numeric ranking, low=less/high=more spam. # - ^z-* Component elements used to make up the RCdd classes # This keeps relevant parts together in the alphabetic-sorted output of # postconf(1), and the component elements collected at the end. # Note: it would have been nice if we could have kept this list and the # class definitions themselves in the SQLite database. I suspect there # are structural reasons why this would not work. I did originally try # keeping the classes and restrictions in SQLite, but since it had to be # dumped to main.cf anyway, it made the data larger and more confusing # for no benefit. # Style note: because I had these in SQLite, I used commas in place of # spaces. In postconf(5) syntax there is no distinction between forms of # whitespace: spaces, tabs, commas, and newline followed by whitespace. smtpd_restriction_classes = z-swl,z-dnswlAll,z-dnswlLo,z-dnswlMed, z-dnswlHi,z-dnswlBLesp,z-zen,z-brbl,z-sem,z-ahbl,z-njabl, z-spamcop,z-sorbs,z-trbl,z-common,z-helo,z-noSender,z-unlist, z-semBscat,z-bscatOrg,z-bscat,z-dblC,z-dblH,z-dblS, z-noPtr,z-noFCrDns,z-unkHelo,z-warnDefer, RC00 RC01 RC10 RC20 RC29 RC30 RC40 RC50 # RC00-reject, RC01-nuts,RC10-aggressive,RC20-moderate, # RC29-whn,RC30-conservative,RC40-weak,RC50-open ### Composite classes # # This is here to make our query easy. We could just return "reject" # in the query, but the tables store an integer for this purpose. RC00 = reject # The next five, in descending order of aggressiveness, are what are # presented to domain owners as their choices (although use of "weak" # and "open" are highly discouraged # # RC01-nuts: don't use this, it is nuts. You will block good mail. RC01 = z-common,z-noFCrDns,z-unkHelo,z-dblC,z-dblH,z-dblS,z-brbl, z-sem,z-ahbl,z-njabl,z-trbl,z-sorbs,z-spamcop,z-bscat, z-dnswlBLesp # RC10-aggressive: when strong anti-spam policies are more important # than occasionally missing a legitimate email RC10 = z-common,z-noFCrDns,warn_if_reject,z-unkHelo, z-dblC,z-dblH,z-dblS,z-swl,z-dnswlHi,z-brbl,z-sem, z-dnswlMed,z-ahbl,z-njabl, z-dnswlAll,z-trbl,z-sorbs,z-spamcop,z-bscat # RC20-moderate RC20 = z-common,z-noPtr,z-dblS,z-dblH,z-dblC, z-swl,z-dnswlLo,z-brbl,z-sem,z-ahbl,z-njabl,z-bscat # RC30-conservative: when more spam is considered better than the # occasional rejection of legitimate email RC30 = z-common,warn_if_reject,z-noPtr, z-dblC,z-dblH,z-dblS,z-swl,z-dnswlAll,z-brbl,z-sem,z-ahbl, z-njabl,warn_if_reject,z-bscat # RC40-weak: does very little against spam RC40 = z-common # uncomment the following to get logs of what could have been # rejected: # warn_if_reject,z-noPtr,warn_if_reject,z-dblC, # warn_if_reject,z-dblH,warn_if_reject,z-dblS, # warn_if_reject,z-brbl,warn_if_reject,z-sem, # warn_if_reject,z-ahbl,warn_if_reject,z-njabl, # warn_if_reject,z-bscat # RC50-open: does nothing against spam. But do note, with postscreen in # use, this host cannot be truly "open". RC50 = permit # RC29-whn: a custom class designed for a particular domain RC29 = z-common,z-noPtr,z-dblS,z-dblH,z-dblC,z-swl,z-dnswlAll, z-brbl,z-sem,z-ahbl,z-njabl,z-bscat ### Component classes ### Most of these will only do one thing, although some will call other ### components. z-ahbl = reject_rbl_client,dnsbl.ahbl.org z-brbl = reject_rbl_client,b.barracudacentral.org z-bscat = check_sender_access,$query/access-bscat.query z-bscatOrg = reject_rbl_client,ips.backscatterers.org z-common = z-helo,z-unlist,z-noSender,z-zen z-dblC = reject_rhsbl_client,dbl.spamhaus.org z-dblH = reject_rhsbl_helo,dbl.spamhaus.org z-dblS = reject_rhsbl_sender,dbl.spamhaus.org z-dnswlAll = permit_dnswl_client,list.dnswl.org ### ! using dnswl's code for ESP as a blacklist ! z-dnswlBLesp = reject_dnsbl_client,list.dnswl.org=127.[0..255].15.0 ### ! Kids, don't try that at home ! z-dnswlHi = permit_dnswl_client,list.dnswl.org=127.[0..255].[0..255].[3..255] z-dnswlLo = permit_dnswl_client,list.dnswl.org=127.[0..255].[0..255].[1..255] z-dnswlMed = permit_dnswl_client,list.dnswl.org=127.[0..255].[0..255].[2..255] z-helo = check_helo_access,pcre:$config_directory/helo_checks, z-njabl = reject_rbl_client,dnsbl.njabl.org z-noFCrDns = reject_unknown_client_hostname z-noPtr = reject_unknown_reverse_client_hostname z-noSender = reject_unknown_sender_domain, z-sem = reject_rbl_client,bl.spameatingmonkey.net z-semBscat = reject_rbl_client,backscatter.spameatingmonkey.net z-sorbs = reject_rbl_client,dnsbl.sorbs.net z-spamcop = reject_rbl_client,bl.spamcop.net z-swl = permit_dnswl_client,swl.spamhaus.org z-trbl = reject_rbl_client,spamtrap.trblspam.com z-unkHelo = reject_unknown_helo_hostname z-unlist = reject_unlisted_recipient z-warnDefer = check_client_access,static:warn,defer_if_reject z-zen = reject_rbl_client,zen.spamhaus.org ### end of main.cf