Postfix:main.cf

From Hackepedia

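This is a sample main.cf; it does not include the default variables. You can find the official options here. If you like and understand the following, add it to the bottom of your main.cf file (when a parameter is set more than once, Postfix uses the last value, so these lines override earlier ones) and run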

# postfix reload

main.cf:

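# Sample main.cf additions: SMTP envelope/HELO hygiene, SASL AUTH over TLS,
# and relay/DNSBL restrictions. Only non-default settings are listed.

# --- Envelope and HELO hygiene ---
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
smtpd_etrn_restrictions = reject
# reject_invalid_hostname / reject_non_fqdn_hostname are the older spellings of
# reject_invalid_helo_hostname / reject_non_fqdn_helo_hostname (Postfix 2.3+).
smtpd_helo_restrictions = 
 permit_mynetworks
 reject_invalid_hostname
 reject_non_fqdn_hostname
 permit
# warn_if_reject turns the next restriction into log-only: the sender
# verification result is recorded but the mail is not rejected.
# permit_tls_clientcerts only matches fingerprints listed in relay_clientcerts
# and needs smtpd_tls_ask_ccert = yes; neither is set in this sample, so it has
# no effect unless they are configured elsewhere in main.cf.
smtpd_sender_restrictions = 
 permit_mynetworks
 reject_unknown_sender_domain
 reject_non_fqdn_sender
 permit_sasl_authenticated
 permit_tls_clientcerts
 warn_if_reject reject_unverified_sender
# Maximum message size in bytes (about one meg). The limit applies to every
# message Postfix handles, not only to incoming mail.
message_size_limit = 1024000
# This file needs to exist if you're going to use it.
header_checks = regexp:/usr/local/etc/postfix/header_checks
# If you don't have the following file, comment this out.
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
html_directory = no
syslog_facility = mail
syslog_name = postfix
# VRFY lets a remote client test which addresses exist; keep it disabled.
disable_vrfy_command = yes
# postconf(5) requires the banner text to start with $myhostname (SMTP protocol
# requirement); the original "NO UCE ESMTP" omitted it.
smtpd_banner = $myhostname NO UCE ESMTP

# --- SASL ---
smtpd_sasl_auth_enable = yes
# NOTE(review): smtpd_sasl2_auth_enable does not appear to be a documented
# Postfix parameter; confirm with "postconf -n" and drop it if it is unknown.
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Also advertise AUTH in the non-standard "AUTH=" form for old clients.
broken_sasl_auth_clients = yes
# This will only allow authentication of users once TLS has been
# started and information being transferred is encrypted.
smtpd_tls_auth_only = yes

# --- TLS ---
# smtp_use_tls / smtpd_use_tls enable opportunistic STARTTLS. On Postfix 2.3
# and later the equivalent settings are smtp_tls_security_level = may and
# smtpd_tls_security_level = may; the *_use_tls names are deprecated.
# (The original listed smtpd_use_tls twice; one copy is enough.)
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
# The key file holds the server's private key: it must be readable by root
# only and must not be shared with other accounts or services.
smtpd_tls_key_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_cert_file = /usr/local/share/courier-imap/imapd.pem
# NOTE(review): smtpd_tls_CAfile is the set of CA certificates trusted when
# verifying client certificates. Pointing it at the server's own key+cert PEM
# is not a CA bundle; use a file that contains only the intended CA
# certificates, or leave it unset if client certificates are not used.
smtpd_tls_CAfile = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# --- Relay control and DNSBLs ---
# Order matters: the first matching permit/reject wins. The HELO and FQDN
# rejects placed above permit_sasl_authenticated also apply to authenticated
# clients. reject_unauth_destination must stay in this list; it is what
# prevents the server from acting as an open relay.
smtpd_recipient_restrictions = 
 permit_mynetworks
 reject_invalid_hostname
 reject_unauth_pipelining
 reject_unknown_recipient_domain
 reject_unknown_sender_domain
 reject_non_fqdn_hostname
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 permit_sasl_authenticated
 permit_tls_clientcerts
 reject_unauth_destination 
# A source of RBLs to use: https://www.dnsbl.info/dnsbl-list.php 
# Check each list's status and usage terms before enabling it.
 reject_rbl_client sbl.spamhaus.org
# NOTE(review): CBL data appears to be published through Spamhaus XBL now;
# confirm this zone still answers before relying on it.
 reject_rbl_client cbl.abuseat.org
# NOTE(review): the zones below are reported to be shut down. A dead DNSBL
# either adds a DNS timeout to every connection or, as relays.ordb.org did
# after it closed, answers "listed" for every address so that all mail is
# rejected. They are disabled here; re-enable one only after confirming that
# it is operated again.
# reject_rbl_client relays.ordb.org
# reject_rbl_client list.dsbl.org
# reject_rbl_client dul.dnsbl.sorbs.net
# reject_rbl_client proxies.relays.monkeys.com
# reject_rbl_client opm.blitzed.org
# reject_rbl_client blackholes.wirehub.net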

Also note these example header_checks