container/mailsrv/assets/postfix/main.cf.part

### Network ###
# interfaces & protocols to listen on
inet_interfaces = all
inet_protocols = all
myorigin = $mydomain
# what host to use as a relay
relayhost =
# hosts to forward mail to
#relay_domains =
# only forward mail from local host
mynetworks_style = host
# domains to consider primary (local) endpoints
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost

### Users ###
# get list of valid users from here instead of /etc/passwd
local_recipient_maps = hash:/etc/postfix/users
# get list of user aliases from this file
virtual_alias_maps = hash:/etc/postfix/aliases
# Address tag delimiter. If an email is sent to ${user}${delimiter}*,
# the email is sent to ${user} if that address is not already explicitly defined.
recipient_delimiter = -

### Delivery ###
# what backend to use to deliver local & virtual mail
local_transport = dovecot
# set recipient limit to 1 so X-Original-To header addition will work
dovecot_destination_recipient_limit = 1

### Outgoing Mail ###
# enable opportunistic TLS for outgoing mail
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# log whether connection has completed encryption handshake
smtp_tls_loglevel = 1

### Incoming Mail ###
# enable opportunistic TLS for incoming mail
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# prevent sending passwords over unsecured connections
smtpd_tls_auth_only = yes
# where to find certs
smtpd_tls_cert_file=/vol/ssl/fullchain.pem
smtpd_tls_key_file=/vol/ssl/privkey.pem
# what to use for sasl
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes

### Security ###
# these settings apply to BOTH authenticated and unauthenticated mail
# for security settings for only authenticated mail, use options in master.cf
smtpd_delay_reject = yes
smtpd_helo_required = yes
# reject hosts with malformed HELO identifiers
smtpd_helo_restrictions = 
        permit_mynetworks, 
        permit_sasl_authenticated, 
        reject_invalid_helo_hostname, 
        reject_non_fqdn_helo_hostname, 
        reject_unknown_helo_hostname
# reject hosts that improperly use SMTP commands
smtpd_data_restrictions = reject_unauth_pipelining
# reject unauthorized relay attempts
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# reject blacklisted addresses
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/deny, permit
# reject hosts that are likely to be spammers
smtpd_client_restrictions = 
        permit_mynetworks, 
        permit_sasl_authenticated, 
# weaker version of reject_unknown_client_hostname
# the strong version may cause problems with some legitimate senders
        reject_unknown_reverse_client_hostname,
# check if sender meets SPF policy for its domain
        check_policy_service unix:private/policy-spf,
# reject clients from lists of known spammers
#        reject_rbl_client zen.spamhaus.org,
#        reject_rhsbl_reverse_client dbl.spamhaus.org,
#        reject_rhsbl_helo dbl.spamhaus.org,
#        reject_rhsbl_sender dbl.spamhaus.org,
        permit

### Misc ###
# whether to send "new mail" notifications to users
# on by default, but we turn off because we're not using system users
biff = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# maximum size allowed for sent messages, in bytes
message_size_limit = 102400000
# longer timeout for SPF policy server
policy-spf_time_limit = 3600s