1# inter-mx with postscreen on 25/tcp
# Public MX listener: postscreen screens connections on 25/tcp.
2smtp inet n - n - 1 postscreen
# NOTE(review): on 10025 postscreen takes the client address from the PROXY
# protocol header (postscreen_upstream_proxy_protocol=haproxy). A peer that can
# connect to 10025 directly can therefore claim any source address, including
# one inside mynetworks. Expose this port only to the trusted proxy -- the
# firewall / port publishing is not visible in this file, confirm it.
310025 inet n - n - 1 postscreen
4 -o postscreen_upstream_proxy_protocol=haproxy
5 -o syslog_name=haproxy
# smtpd instance fed through the "pass" service type. SASL AUTH is switched
# off here (smtpd_sasl_auth_enable=no), so this path accepts no credentials.
# permit_mynetworks comes first in both restriction lists, so an address in
# mynetworks skips the HELO and sender checks that follow it.
6smtpd pass - - n - - smtpd
7 -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
8 -o smtpd_sasl_auth_enable=no
9 -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
10
11# smtpd tls-wrapped (smtps) on 465/tcp
12# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
# Implicit-TLS submission: smtpd_tls_wrappermode=yes starts TLS before any SMTP
# command. Only mynetworks and SASL-authenticated clients are accepted.
# tls_preempt_cipherlist=yes makes the server's cipher order win.
# $smtps_smtpd_tls_mandatory_protocols and $smtpd_last_auth are defined outside
# this file; review the protocol list there to confirm which TLS versions are
# actually allowed.
13smtps inet n - n - - smtpd
14 -o smtpd_tls_wrappermode=yes
15 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
16 -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
17 -o tls_preempt_cipherlist=yes
18 -o cleanup_service_name=smtp_sender_cleanup
19 -o syslog_name=postfix/smtps
20 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
# Same policy as smtps, but behind a proxy: smtpd_upstream_proxy_protocol=haproxy
# makes smtpd use the client address from the PROXY header.
# NOTE(review): permit_mynetworks then trusts an address supplied by the peer,
# so 10465 should accept connections from the trusted proxy only -- confirm,
# this file does not show the network exposure.
2110465 inet n - n - - smtpd
22 -o smtpd_upstream_proxy_protocol=haproxy
23 -o smtpd_tls_wrappermode=yes
24 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
25 -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
26 -o tls_preempt_cipherlist=yes
27 -o cleanup_service_name=smtp_sender_cleanup
28 -o syslog_name=postfix/smtps-haproxy
29 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
30
31# smtpd with starttls on 587/tcp
32# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
# STARTTLS submission: TLS is mandatory before mail is accepted, and only
# mynetworks and SASL-authenticated clients are allowed.
# smtpd_enforce_tls=yes is the legacy parameter; smtpd_tls_security_level=encrypt
# on the following line is the current way to require TLS and takes precedence.
# $submission_smtpd_tls_mandatory_protocols is defined outside this file.
33submission inet n - n - - smtpd
34 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
35 -o smtpd_enforce_tls=yes
36 -o smtpd_tls_security_level=encrypt
37 -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
38 -o tls_preempt_cipherlist=yes
39 -o cleanup_service_name=smtp_sender_cleanup
40 -o syslog_name=postfix/submission
41 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
# Same policy as submission, but the client address is read from the PROXY
# header (smtpd_upstream_proxy_protocol=haproxy).
# NOTE(review): as with the other proxy ports, permit_mynetworks is evaluated
# against that peer-supplied address; restrict 10587 to the trusted proxy --
# confirm, exposure is not shown here.
4210587 inet n - n - - smtpd
43 -o smtpd_upstream_proxy_protocol=haproxy
44 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
45 -o smtpd_enforce_tls=yes
46 -o smtpd_tls_security_level=encrypt
47 -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
48 -o tls_preempt_cipherlist=yes
49 -o cleanup_service_name=smtp_sender_cleanup
50 -o syslog_name=postfix/submission-haproxy
51 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
52
53# used by SOGo
54# smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
# NOTE(review): smtpd_tls_auth_only=no allows SASL AUTH without TLS on this
# port, and SASL-authenticated clients are accepted. Credentials can cross the
# wire in clear text unless 588 is reachable only from the internal SOGo
# host/network -- confirm, exposure is not shown in this file.
# check_sasl_access with the regexp table runs before
# reject_authenticated_sender_login_mismatch, so any SASL login the table
# permits skips the sender-ownership check (presumably the intended
# login-as-mailbox-user path; table contents not shown). Keep that regexp as
# narrow as possible.
55588 inet n - n - - smtpd
56 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
57 -o smtpd_tls_auth_only=no
58 -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
59 -o cleanup_service_name=smtp_sender_cleanup
60 -o syslog_name=postfix/sogo
61 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
62
63# used to reinject quarantine mails
# Reinjection port: HELO restrictions and both milter lists are emptied, so
# mail accepted here is not passed through milters again.
# NOTE(review): the only gate is permit_mynetworks. The breadth of mynetworks
# (defined outside this file) decides who can inject unfiltered mail; keep it
# limited to the hosts that need to release quarantined mail.
64590 inet n - n - - smtpd
65 -o smtpd_helo_restrictions=
66 -o smtpd_client_restrictions=permit_mynetworks,reject
67 -o smtpd_tls_auth_only=no
68 -o smtpd_milters=
69 -o non_smtpd_milters=
70 -o syslog_name=postfix/quarantine
71 -o smtpd_end_of_data_restrictions=$smtpd_last_auth
72
73# enforced smtp connector
# Outbound transport that refuses to deliver without TLS.
# NOTE(review): smtp_tls_security_level=encrypt makes encryption mandatory but
# does not verify the remote server certificate, so it guards against passive
# interception only. Destinations that need an authenticated peer require a
# stricter level (verify, secure or dane), configured where this transport is
# selected.
74smtp_enforced_tls unix - - n - - smtp
75 -o smtp_tls_security_level=encrypt
76 -o syslog_name=enforced-tls-smtp
77 -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter
78
79# smtp connector used when a transport map matches
80# this allows SASL password maps that differ from those used with sender-dependent transport maps
# Relay credentials are looked up in MySQL through proxymap.
# NOTE(review): the referenced .cf presumably holds database credentials --
# check that it is readable by root/postfix only.
81smtp_via_transport_maps unix - - n - - smtp
82 -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
83
# Postfix internal services.
# Columns: service type private unpriv chroot wakeup maxproc command.
# Every entry in this group has chroot=n.
84tlsproxy unix - - n - 0 tlsproxy
85dnsblog unix - - n - 0 dnsblog
86pickup fifo n - n 60 1 pickup
87cleanup unix n - n - 0 cleanup
88qmgr fifo n - n 300 1 qmgr
89tlsmgr unix - - n 1000? 1 tlsmgr
90rewrite unix - - n - - trivial-rewrite
91bounce unix - - n - 0 bounce
92defer unix - - n - 0 bounce
93trace unix - - n - 0 bounce
94verify unix - - n - 1 verify
95flush unix n - n 1000? 0 flush
96proxymap unix - - n - - proxymap
97proxywrite unix - - n - 1 proxymap
98smtp unix - - n - - smtp
99relay unix - - n - - smtp
100showq unix n - n - - showq
101error unix - - n - - error
102retry unix - - n - - error
103discard unix - - n - - discard
104local unix - n n - - local
105virtual unix - n n - - virtual
106lmtp unix - - n - - lmtp
107anvil unix - - n - 1 anvil
108scache unix - - n - 1 scache
# pipe(8) delivery to maildrop as user vmail. The command is executed directly
# (no shell), with the recipient passed as one argv element.
# flags=DRhu: prepend Delivered-To (D) and Return-Path (R) headers, fold the
# recipient domain (h) and localpart (u) to lower case.
109maildrop unix - n n - - pipe flags=DRhu
110 user=vmail argv=/usr/bin/maildrop -d ${recipient}
111
112# used to anonymize sender IP
# Alternate cleanup instance selected via cleanup_service_name by the smtps,
# submission and SOGo listeners in this file. It is the only service here with
# chroot=y.
# The header rewriting itself lives in $smtp_header_checks, defined outside
# this file; what is actually removed from submitted mail depends on those
# patterns -- review them there.
113smtp_sender_cleanup unix n - y - 0 cleanup
114 -o header_checks=$smtp_header_checks
115
116# start whitelist_fwd
# Loopback-only TCP services run through spawn(8). unpriv=n is required because
# spawn needs root privilege to execute the script as user=nobody.
# NOTE(review): since the parent runs privileged, both scripts and their
# directory should be writable by root only -- confirm file ownership and mode.
117127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
118127.0.0.1:10028 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/smtpd_last_login.sh
119# end whitelist_fwd
120
121# start watchdog-specific
122# logs to local7 (hidden)
# Separate smtpd -> cleanup -> qmgr -> rewrite -> discard chain for watchdog
# mail. Port 589 accepts mynetworks only and runs no milters.
# NOTE(review): every service in this chain logs to syslog facility local7,
# which the comment above calls hidden. Activity on 589 may therefore be absent
# from the main mail log; make sure local7 is still collected somewhere if
# this port matters for auditing.
123589 inet n - n - - smtpd
124 -o smtpd_client_restrictions=permit_mynetworks,reject
125 -o syslog_name=watchdog
126 -o syslog_facility=local7
127 -o smtpd_milters=
128 -o cleanup_service_name=watchdog_cleanup
129 -o non_smtpd_milters=
# Hands messages to watchdog_qmgr instead of the default queue manager.
130watchdog_cleanup unix n - n - 0 cleanup
131 -o syslog_name=watchdog
132 -o syslog_facility=local7
133 -o queue_service_name=watchdog_qmgr
# Uses watchdog_rewrite for address resolution.
134watchdog_qmgr fifo n - n 300 1 qmgr
135 -o syslog_facility=local7
136 -o syslog_name=watchdog
137 -o rewrite_service_name=watchdog_rewrite
# local_transport=watchdog_discard: presumably so that watchdog mail resolved
# as local is dropped rather than delivered -- confirm.
138watchdog_rewrite unix - - n - - trivial-rewrite
139 -o syslog_facility=local7
140 -o syslog_name=watchdog
141 -o local_transport=watchdog_discard
# Final hop: discard(8) drops the message.
142watchdog_discard unix - - n - - discard
143 -o syslog_facility=local7
144 -o syslog_name=watchdog
145# end watchdog-specific