View Single Post
  #3  
Old 1st September 2011, 18:24
CopalFreak CopalFreak is offline
Junior Member
 
Join Date: May 2011
Posts: 19
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Thanks for responding Mark!
587 for TLS, 465 for SSL...important stuff to know! Thanks!

~/postfix/master.cf
Code:
# ==========================================================================
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=scan:127.0.0.1:10025
# ============================================================================================
# SHOULD I LEAVE THESE SETTINGS AS-IS IF I WANT TO ALLOW 
# TLS OVER 587 FOR THE MOMENT?
submission inet n       -       n       -       -       smtpd
#   -o smtpd_tls_security_level=encrypt 
   -o smtpd_tls_security_level=may 
   -o smtpd_sasl_auth_enable=yes 
   -o smtpd_sasl_type=dovecot 
   -o smtpd_sasl_path=/var/spool/postfix/private/auth 
   -o smtpd_sasl_security_options=noanonymous 
   -o smtpd_sasl_local_domain=$myhostname
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
#  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
#  -o smtpd_sender_restrictions=permit
#  -o smtpd_sender_restrictions=reject_sender_login_mismatch
#  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_strictions=
#  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=reject_unauth_destination
#  -o smtpd_recipient_restrictions=permit
#
#
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# ============================================================================================
# I AM GUESSING I SHOULD UN-COMMENT SOME OF THE STUFF BELOW 
# AND COPY SOME OF THE STUFF FROM ABOVE TO ENABLE SSL 
# ENCRYPTION FOR 465 ?
smtps inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# ============================================================================================
### AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# ============================================================================================
#628       inet  n       -       n       -       -      qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
	-o smtp_fallback_relay=
	# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
# ============================================================================================
spamassassin unix -      n      n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# ============================================================================================
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd

        -o content_filter=spamassassin
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# ============================================================================================
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d ${recipient}
# ============================================================================================
# ============================================================================================

~/postfix/main.cf
Code:
myhostname = mail.MyDomain.com
mail_name = mail.MyDomain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
#debug_peer_list = XX.XX.XX.XX
append_dot_mydomain = no
#delay_warning_time = 4h
myhostname = mail.MyDomain.com
myorigin = MyDomain.com
mydomain = MyDomain.com
mailbox_command = /usr/bin/procmail
mynetworks = /etc/postfix/mynetworks
mailbox_size_limit = 0
message_size_limit = 104857600

#debugging
debug_peer_level = 4
soft_bounce = yes


disable_vrfy_command = yes

transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
alias_database = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
local_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf 


#Virtual mailbox settings
virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 202
virtual_uid_maps = static:202
virtual_gid_maps = static:202
virtual_transport = dovecot

dovecot_destination_recipient_limit = 1
#does this allow for CC and BCC?

sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

virtual_alias_domains = proxy:mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_login_maps = proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

mydestination = $myhostname, $mynetworks, localhost, localhost.localdomain, proxy_read_maps
proxy_read_maps = $myhostname $mynetworks $alias_maps $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $local_recipient_maps

relay_domains = $mynetworks 


#SASL Authentication
smtp_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_login_maps
smtpd_sasl_path = /var/spool/postfix/private/auth

smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions = reject_invalid_hostname 


smtpd_sender_restrictions = reject_invalid_hostname reject_unknown_sender_domain reject_unauthenticated_sender_login_mismatch permit_sasl_authenticated permit_mynetworks permit

smtpd_recipient_restrictions =
	reject_invalid_hostname,
#reject_sender_login_mismatch,
	reject_unknown_recipient_domain,
    reject_unauth_pipelining,
	permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
	check_client_access hash:/etc/postfix/rbl_client_exceptions,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client ix.dnsbl.manitu.net,
	reject_rbl_client multi.uribl.com,
	reject_rbl_client dsn.rfc-ignorant.org,
 	reject_rbl_client abuse.rfc-ignorant.org,
	reject_rbl_client dul.dnsbl.sorbs.net,
	reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client dyna.spamrats.com,
	reject_rbl_client cbl.abuseat.org,
	reject_rbl_client rabl.nuclearelephant.com,

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20


# check_relay_domains reject_unlisted_recipient permit_sasl_authenticated reject_unauth_destination permit 

# stops bulk mail senders
# smtpd_data_restictions = reject_unauth_pipelining 
strict_rfc821_envelopes = no
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


#TSL Certs
smtpd_tls_cert_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_key_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_CAfile = /etc/postfix/certs/gd_bundle.pem


smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
# smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = no
smtpd_tls_loglevel = 1
# tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
Reply With Quote