| # inter-mx with postscreen on 25/tcp |
| smtp inet n - n - 1 postscreen |
| 10025 inet n - n - 1 postscreen |
| -o postscreen_upstream_proxy_protocol=haproxy |
| -o syslog_name=haproxy |
| smtpd pass - - n - - smtpd |
| -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname |
| -o smtpd_sasl_auth_enable=no |
| -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain |
| |
| # smtpd tls-wrapped (smtps) on 465/tcp |
| # TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf |
| smtps inet n - n - - smtpd |
| -o smtpd_tls_wrappermode=yes |
| -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols |
| -o tls_preempt_cipherlist=yes |
| -o cleanup_service_name=smtp_sender_cleanup |
| -o syslog_name=postfix/smtps |
| 10465 inet n - n - - smtpd |
| -o smtpd_upstream_proxy_protocol=haproxy |
| -o smtpd_tls_wrappermode=yes |
| -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols |
| -o tls_preempt_cipherlist=yes |
| -o cleanup_service_name=smtp_sender_cleanup |
| -o syslog_name=postfix/smtps-haproxy |
| |
| # smtpd with starttls on 587/tcp |
| # TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf |
| submission inet n - n - - smtpd |
| -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| -o smtpd_enforce_tls=yes |
| -o smtpd_tls_security_level=encrypt |
| -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols |
| -o tls_preempt_cipherlist=yes |
| -o cleanup_service_name=smtp_sender_cleanup |
| -o syslog_name=postfix/submission |
| 10587 inet n - n - - smtpd |
| -o smtpd_upstream_proxy_protocol=haproxy |
| -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| -o smtpd_enforce_tls=yes |
| -o smtpd_tls_security_level=encrypt |
| -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols |
| -o tls_preempt_cipherlist=yes |
| -o cleanup_service_name=smtp_sender_cleanup |
| -o syslog_name=postfix/submission-haproxy |
| |
| # used by SOGo |
| # smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function |
| 588 inet n - n - - smtpd |
| -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| -o smtpd_tls_auth_only=no |
| -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain |
| -o cleanup_service_name=smtp_sender_cleanup |
| -o syslog_name=postfix/sogo |
| |
| # used to reinject quarantine mails |
| 590 inet n - n - - smtpd |
| -o smtpd_helo_restrictions= |
| -o smtpd_client_restrictions=permit_mynetworks,reject |
| -o smtpd_tls_auth_only=no |
| -o smtpd_milters= |
| -o non_smtpd_milters= |
| -o syslog_name=postfix/quarantine |
| |
| # used to send bcc mails |
| 591 inet n - n - - smtpd |
| -o smtpd_helo_restrictions= |
| -o smtpd_client_restrictions=permit_mynetworks,reject |
| -o smtpd_tls_auth_only=no |
| -o smtpd_milters= |
| -o non_smtpd_milters= |
| -o syslog_name=postfix/bcc |
| |
| # enforced smtp connector |
| smtp_enforced_tls unix - - n - - smtp |
| -o smtp_tls_security_level=encrypt |
| -o syslog_name=enforced-tls-smtp |
| -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter |
| |
| # smtp connector used, when a transport map matched |
| # this helps to have different sasl maps than we have with sender dependent transport maps |
| smtp_via_transport_maps unix - - n - - smtp |
| -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf |
| |
| tlsproxy unix - - n - 0 tlsproxy |
| dnsblog unix - - n - 0 dnsblog |
| pickup fifo n - n 60 1 pickup |
| cleanup unix n - n - 0 cleanup |
| qmgr fifo n - n 300 1 qmgr |
| tlsmgr unix - - n 1000? 1 tlsmgr |
| rewrite unix - - n - - trivial-rewrite |
| bounce unix - - n - 0 bounce |
| defer unix - - n - 0 bounce |
| trace unix - - n - 0 bounce |
| verify unix - - n - 1 verify |
| flush unix n - n 1000? 0 flush |
| proxymap unix - - n - - proxymap |
| proxywrite unix - - n - 1 proxymap |
| smtp unix - - n - - smtp |
| relay unix - - n - - smtp |
| showq unix n - n - - showq |
| error unix - - n - - error |
| retry unix - - n - - error |
| discard unix - - n - - discard |
| local unix - n n - - local |
| virtual unix - n n - - virtual |
| lmtp unix - - n - - lmtp |
| anvil unix - - n - 1 anvil |
| scache unix - - n - 1 scache |
| maildrop unix - n n - - pipe flags=DRhu |
| user=vmail argv=/usr/bin/maildrop -d ${recipient} |
| |
| # used to anonymize sender IP |
| smtp_sender_cleanup unix n - y - 0 cleanup |
| -o header_checks=$smtp_header_checks |
| |
| # start whitelist_fwd |
| 127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh |
| # end whitelist_fwd |
| |
| # start watchdog-specific |
| # logs to local7 (hidden) |
| 589 inet n - n - - smtpd |
| -o smtpd_client_restrictions=permit_mynetworks,reject |
| -o syslog_name=watchdog |
| -o syslog_facility=local7 |
| -o smtpd_milters= |
| -o cleanup_service_name=watchdog_cleanup |
| -o non_smtpd_milters= |
| watchdog_cleanup unix n - n - 0 cleanup |
| -o syslog_name=watchdog |
| -o syslog_facility=local7 |
| -o queue_service_name=watchdog_qmgr |
| watchdog_qmgr fifo n - n 300 1 qmgr |
| -o syslog_facility=local7 |
| -o syslog_name=watchdog |
| -o rewrite_service_name=watchdog_rewrite |
| watchdog_rewrite unix - - n - - trivial-rewrite |
| -o syslog_facility=local7 |
| -o syslog_name=watchdog |
| -o local_transport=watchdog_discard |
| watchdog_discard unix - - n - - discard |
| -o syslog_facility=local7 |
| -o syslog_name=watchdog |
| # end watchdog-specific |