| Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | # inter-mx with postscreen on 25/tcp |
| 2 | smtp inet n - n - 1 postscreen |
| 3 | 10025 inet n - n - 1 postscreen |
| 4 | -o postscreen_upstream_proxy_protocol=haproxy |
| 5 | -o syslog_name=haproxy |
| 6 | smtpd pass - - n - - smtpd |
| 7 | -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname |
| 8 | -o smtpd_sasl_auth_enable=no |
| 9 | -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain |
| 10 | |
| 11 | # smtpd tls-wrapped (smtps) on 465/tcp |
| 12 | # TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf |
| 13 | smtps inet n - n - - smtpd |
| 14 | -o smtpd_tls_wrappermode=yes |
| 15 | -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| 16 | -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols |
| 17 | -o tls_preempt_cipherlist=yes |
| 18 | -o cleanup_service_name=smtp_sender_cleanup |
| 19 | -o syslog_name=postfix/smtps |
| 20 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 21 | 10465 inet n - n - - smtpd |
| 22 | -o smtpd_upstream_proxy_protocol=haproxy |
| 23 | -o smtpd_tls_wrappermode=yes |
| 24 | -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| 25 | -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols |
| 26 | -o tls_preempt_cipherlist=yes |
| 27 | -o cleanup_service_name=smtp_sender_cleanup |
| 28 | -o syslog_name=postfix/smtps-haproxy |
| 29 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 30 | |
| 31 | # smtpd with starttls on 587/tcp |
| 32 | # TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf |
| 33 | submission inet n - n - - smtpd |
| 34 | -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| 35 | -o smtpd_enforce_tls=yes |
| 36 | -o smtpd_tls_security_level=encrypt |
| 37 | -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols |
| 38 | -o tls_preempt_cipherlist=yes |
| 39 | -o cleanup_service_name=smtp_sender_cleanup |
| 40 | -o syslog_name=postfix/submission |
| 41 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 42 | 10587 inet n - n - - smtpd |
| 43 | -o smtpd_upstream_proxy_protocol=haproxy |
| 44 | -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| 45 | -o smtpd_enforce_tls=yes |
| 46 | -o smtpd_tls_security_level=encrypt |
| 47 | -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols |
| 48 | -o tls_preempt_cipherlist=yes |
| 49 | -o cleanup_service_name=smtp_sender_cleanup |
| 50 | -o syslog_name=postfix/submission-haproxy |
| 51 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 52 | |
| 53 | # used by SOGo |
| 54 | # smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function |
| 55 | 588 inet n - n - - smtpd |
| 56 | -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject |
| 57 | -o smtpd_tls_auth_only=no |
| 58 | -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain |
| 59 | -o cleanup_service_name=smtp_sender_cleanup |
| 60 | -o syslog_name=postfix/sogo |
| 61 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 62 | |
| 63 | # used to reinject quarantine mails |
| 64 | 590 inet n - n - - smtpd |
| 65 | -o smtpd_helo_restrictions= |
| 66 | -o smtpd_client_restrictions=permit_mynetworks,reject |
| 67 | -o smtpd_tls_auth_only=no |
| 68 | -o smtpd_milters= |
| 69 | -o non_smtpd_milters= |
| 70 | -o syslog_name=postfix/quarantine |
| 71 | -o smtpd_end_of_data_restrictions=$smtpd_last_auth |
| 72 | |
| 73 | # enforced smtp connector |
| 74 | smtp_enforced_tls unix - - n - - smtp |
| 75 | -o smtp_tls_security_level=encrypt |
| 76 | -o syslog_name=enforced-tls-smtp |
| 77 | -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter |
| 78 | |
| 79 | # smtp connector used, when a transport map matched |
| 80 | # this helps to have different sasl maps than we have with sender dependent transport maps |
| 81 | smtp_via_transport_maps unix - - n - - smtp |
| 82 | -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf |
| 83 | |
| 84 | tlsproxy unix - - n - 0 tlsproxy |
| 85 | dnsblog unix - - n - 0 dnsblog |
| 86 | pickup fifo n - n 60 1 pickup |
| 87 | cleanup unix n - n - 0 cleanup |
| 88 | qmgr fifo n - n 300 1 qmgr |
| 89 | tlsmgr unix - - n 1000? 1 tlsmgr |
| 90 | rewrite unix - - n - - trivial-rewrite |
| 91 | bounce unix - - n - 0 bounce |
| 92 | defer unix - - n - 0 bounce |
| 93 | trace unix - - n - 0 bounce |
| 94 | verify unix - - n - 1 verify |
| 95 | flush unix n - n 1000? 0 flush |
| 96 | proxymap unix - - n - - proxymap |
| 97 | proxywrite unix - - n - 1 proxymap |
| 98 | smtp unix - - n - - smtp |
| 99 | relay unix - - n - - smtp |
| 100 | showq unix n - n - - showq |
| 101 | error unix - - n - - error |
| 102 | retry unix - - n - - error |
| 103 | discard unix - - n - - discard |
| 104 | local unix - n n - - local |
| 105 | virtual unix - n n - - virtual |
| 106 | lmtp unix - - n - - lmtp |
| 107 | anvil unix - - n - 1 anvil |
| 108 | scache unix - - n - 1 scache |
| 109 | maildrop unix - n n - - pipe flags=DRhu |
| 110 | user=vmail argv=/usr/bin/maildrop -d ${recipient} |
| 111 | |
| 112 | # used to anonymize sender IP |
| 113 | smtp_sender_cleanup unix n - y - 0 cleanup |
| 114 | -o header_checks=$smtp_header_checks |
| 115 | |
| 116 | # start whitelist_fwd |
| 117 | 127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh |
| 118 | 127.0.0.1:10028 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/smtpd_last_login.sh |
| 119 | # end whitelist_fwd |
| 120 | |
| 121 | # start watchdog-specific |
| 122 | # logs to local7 (hidden) |
| 123 | 589 inet n - n - - smtpd |
| 124 | -o smtpd_client_restrictions=permit_mynetworks,reject |
| 125 | -o syslog_name=watchdog |
| 126 | -o syslog_facility=local7 |
| 127 | -o smtpd_milters= |
| 128 | -o cleanup_service_name=watchdog_cleanup |
| 129 | -o non_smtpd_milters= |
| 130 | watchdog_cleanup unix n - n - 0 cleanup |
| 131 | -o syslog_name=watchdog |
| 132 | -o syslog_facility=local7 |
| 133 | -o queue_service_name=watchdog_qmgr |
| 134 | watchdog_qmgr fifo n - n 300 1 qmgr |
| 135 | -o syslog_facility=local7 |
| 136 | -o syslog_name=watchdog |
| 137 | -o rewrite_service_name=watchdog_rewrite |
| 138 | watchdog_rewrite unix - - n - - trivial-rewrite |
| 139 | -o syslog_facility=local7 |
| 140 | -o syslog_name=watchdog |
| 141 | -o local_transport=watchdog_discard |
| 142 | watchdog_discard unix - - n - - discard |
| 143 | -o syslog_facility=local7 |
| 144 | -o syslog_name=watchdog |
| 145 | # end watchdog-specific |