# $NetBSD: sample-smtpd.cf,v 1.1.1.5 2002/06/08 22:36:16 itojun Exp $
|
|
#
|
|
# DO NOT EDIT THIS FILE. EDIT THE MAIN.CF FILE INSTEAD. THE STUFF
|
|
# HERE JUST SERVES AS AN EXAMPLE.
|
|
#
|
|
# This file contains example settings of Postfix configuration parameters
|
|
# that control the SMTP server program.
|
|
|
|
#
# SENDER ANTI-SPOOFING
#

# The smtpd_sender_login_maps parameter specifies the (SASL) login
# name that owns a sender (MAIL FROM) address.
#
# Specify zero or more maptype:mapname entries. Maps are created with
# postmap(1) or with equivalent means. The maps are searched in the
# specified order. Regexp tables are allowed.
#
# Each map entry specifies a sender address and the login name that
# owns the address. The search order is:
#
# 1) user@domain owner
#
# This form has the highest precedence.
#
# 2) user owner
#
# This matches user@site when site is equal to $myorigin, when site
# is listed in $mydestination, or when it is listed in $inet_interfaces.
#
# 3) @domain owner
#
# This matches every address in the specified domain, and has the
# lowest precedence.
#
# NOTE(review): with no maps configured (the default below), the
# reject_sender_login_mismatch restriction listed further down presumably
# has no owner information to act on - confirm before relying on it to
# tie MAIL FROM addresses to SASL logins.
#
#smtpd_sender_login_maps =

#
# MISCELLANEOUS
#

# The disable_vrfy_command parameter allows you to disable the SMTP
# VRFY command. This stops some techniques used by spammers to harvest
# email addresses.
#
# NOTE(review): the commented default below leaves VRFY enabled. On an
# Internet-facing server, "disable_vrfy_command = yes" is the usual
# hardening choice, for the harvesting reason given above.
#
#disable_vrfy_command = no

# The smtpd_banner parameter specifies the text that follows the 220
# status code in the SMTP greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify the $myhostname at the start of the text.
#
# The active setting below deliberately omits $mail_version: the greeting
# then does not reveal the Postfix release to every connecting client.
# Use the commented form only when advertising the version is intended.
#
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP $mail_name

# The smtpd_etrn_restrictions parameter restricts what clients are
# allowed to issue the ETRN command.
#
# The Postfix ETRN command accepts only destinations that are eligible
# for the Postfix "fast flush" service. See the sample-flush.cf file
# for details.
#
# The default is to allow ETRN from any host. The following restrictions
# are available:
#
# reject_unknown_client: reject the request if the client hostname is unknown.
# permit_mynetworks: permit if the client address matches $mynetworks.
# check_client_access maptype:mapname
# maptype:mapname: look up client name, parent domains, client address,
# or networks obtained by stripping octets.
# Reject if result is REJECT or "[45]xx text"
# Permit if result is OK or all numerical.
# reject_maps_rbl: reject if the reverse client network address
# is listed under $maps_rbl_domains.
# reject: reject the request. Place this at the end of a restriction.
# permit: permit the request. Place this at the end of a restriction.
# warn_if_reject: next restriction logs a warning instead of rejecting.
#
# An empty value (below) keeps the default: any client may issue ETRN and
# thereby trigger queue flushes. To limit that to trusted clients, use
# e.g. "permit_mynetworks, reject".
#
smtpd_etrn_restrictions =

# The smtpd_history_flush_threshold specifies how many lines the SMTP
# server command history is allowed to contain before it is flushed
# to postmaster upon receipt of EHLO, RSET, or end of DATA.
#
# Unit: number of history lines. The flushed history is mailed to
# postmaster, so a higher threshold produces larger postmaster notices.
#
smtpd_history_flush_threshold = 100

# The smtpd_noop_commands parameter specifies a list of commands that
# the Postfix SMTP server replies to with "250 Ok", without doing any
# syntax checks and without changing state. This list overrides any
# commands built into the Postfix SMTP server.
#
# Keep this empty unless a specific client needs it: anything listed
# here is acknowledged without syntax checking and without changing
# state, and it overrides a built-in command of the same name.
#
smtpd_noop_commands =

# The smtpd_recipient_limit parameter restricts the number of recipients
# that the SMTP server accepts per message delivery.
#
# Upper bound on recipients per message; it caps the amount of delivery
# work a single client can request with one message.
#
smtpd_recipient_limit = 1000

# The smtpd_timeout parameter limits the time to send an SMTP server
# response and to receive an SMTP client request.
#
# Note: if you set SMTP timeouts to large values you must update the
# global ipc_timeout parameter as well. See sample-misc.cf for details.
#
# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
# The default time unit is s (seconds).
#
# 300s bounds how long an idle or slow client can hold an SMTP server
# process; raise it only together with ipc_timeout, as noted above.
#
smtpd_timeout = 300s

# The strict_rfc821_envelopes configuration parameter controls whether
# the Postfix SMTP server requires that MAIL FROM and RCPT TO addresses
# are specified within <>, and that MAIL FROM and RCPT TO addresses
# do not contain RFC822-style comments or phrases. It's great to
# stop SPAM mailers. But it also trips up broken peecee clients.
#
# By default, Postfix SMTPD allows RFC822 syntax in MAIL FROM and RCPT TO.
#
# "no" (below) is the permissive default described above; "yes" is the
# stricter choice, at the cost of rejecting the broken clients mentioned.
#
strict_rfc821_envelopes = no

#
# TARPIT CONTROLS
#

# The smtpd_error_sleep_time parameter specifies the time in seconds
# the SMTP server waits before sending a 4xx or 5xx SMTP server error
# response. This prevents naive clients from going into an error -
# disconnect - connect - error loop.
#
# Unit: seconds. The delay also slows down clients that issue many
# failing commands in a row.
#
smtpd_error_sleep_time = 5

# The smtpd_soft_error_limit parameter specifies an error count lower
# limit. When an SMTP client has made this number of errors within
# a session, the server waits error_count seconds before responding
# to any client request.
#
# Past this count the per-request delay grows with the error count,
# so a misbehaving client gets progressively slower responses.
#
smtpd_soft_error_limit = 10

# The smtpd_hard_error_limit parameter specifies an error count upper
# limit. The SMTP server disconnects after an SMTP client makes this
# number of errors within a session.
#
# Keep this above smtpd_soft_error_limit: the soft limit slows the
# client down first, the hard limit ends the session.
#
smtpd_hard_error_limit = 100

#
# UCE RESTRICTIONS
#

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
# NOTE(review): "subnet" (active below) extends relay privileges to every
# host on the local subnets. Where those subnets contain machines you do
# not control, prefer "host" or an explicit mynetworks list.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
# Every pattern listed here gains the relay privileges described above,
# so keep the list to networks you administer. A pattern file or table
# referenced from here is as sensitive as this setting itself.
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

# The smtpd_client_restrictions parameter specifies optional restrictions
# on SMTP client host names and addresses.
#
# The default is to allow connections from any host. The following
# restrictions are available:
#
# reject_unknown_client: reject the request if the client hostname is unknown.
# permit_mynetworks: permit if the client address matches $mynetworks.
# check_client_access maptype:mapname
# maptype:mapname: look up client name, parent domains, client address,
# or networks obtained by stripping octets.
# Reject if result is REJECT or "[45]xx text"
# Permit if result is OK or all numerical.
# reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
# reject: reject the request. Place this at the end of a restriction.
# permit: permit the request. Place this at the end of a restriction.
# warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# The active value below is empty, i.e. the default: any host may connect.
# Because the first matching restriction wins, place permit_mynetworks
# before any reject_* entry if trusted clients must never be rejected
# (as in the first example).
#
#smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
#smtpd_client_restrictions = reject_maps_rbl, reject_unknown_client
smtpd_client_restrictions =

# The smtpd_helo_required parameter optionally turns on the requirement
# that SMTP clients must introduce themselves at the beginning of an
# SMTP session.
#
# NOTE(review): with "no" (active below), a client may skip HELO/EHLO
# entirely, in which case the smtpd_helo_restrictions defined next
# presumably never get a hostname to evaluate - confirm before relying
# on HELO-based checks alone.
#
#smtpd_helo_required = yes
smtpd_helo_required = no

# The smtpd_helo_restrictions parameter specifies optional restrictions
# on what SMTP clients can send in SMTP HELO and EHLO commands.
#
# The default is to permit everything. The following restrictions
# are available:
#
# permit_mynetworks: permit if the client address matches $mynetworks.
# reject_unknown_client: reject the request if the client hostname is unknown.
# reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
# reject_invalid_hostname: reject HELO hostname with bad syntax.
# reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
# reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
# check_helo_access maptype:mapname
# maptype:mapname: look up HELO hostname or parent domains.
# Reject if result is REJECT or "[45]xx text"
# Permit if result is OK or all numerical.
# check_client_access maptype:mapname: see smtpd_client_restrictions.
# reject: reject the request. Place this at the end of a restriction.
# permit: permit the request. Place this at the end of a restriction.
# warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# Empty (below) = permit everything. Of the two examples, the first
# (reject_invalid_hostname) checks hostname syntax only, whereas the
# second (reject_unknown_hostname) depends on a DNS A or MX lookup.
#
#smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
#smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname
smtpd_helo_restrictions =

# The smtpd_sender_restrictions parameter specifies optional restrictions
# on sender addresses that SMTP clients can send in MAIL FROM commands.
#
# The default is to permit any sender address. The following
# restrictions are available:
#
# permit_mynetworks: permit if the client address matches $mynetworks.
# reject_unknown_client: reject the request if the client hostname is unknown.
# reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
# reject_invalid_hostname: reject HELO hostname with bad syntax.
# reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
# reject_unknown_sender_domain: reject sender domain without A or MX record.
# check_sender_access maptype:mapname
# maptype:mapname: look up sender address, parent domain, or localpart@.
# Reject if result is REJECT or "[45]xx text"
# Permit if result is OK or all numerical.
# check_client_access maptype:mapname: see smtpd_client_restrictions.
# check_helo_access maptype:mapname: see smtpd_helo_restrictions.
# reject_sender_login_mismatch: reject if $smtpd_sender_login_maps specifies
# a MAIL FROM address owner, but the client is not (SASL) logged in as
# that MAIL FROM address owner; or if the client is (SASL) logged in, but
# the client login name doesn't own the MAIL FROM address according to
# $smtpd_sender_login_maps (see above).
# reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
# reject_non_fqdn_sender: reject sender address that is not in FQDN form
# reject: reject the request. Place this at the end of a restriction.
# permit: permit the request. Place this at the end of a restriction.
# warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# Empty (below) = any sender address is accepted. reject_unknown_sender_domain,
# used in both examples, only requires that the sender domain has an A or
# MX record (see above), so it is a conservative first check to enable.
#
#smtpd_sender_restrictions = reject_unknown_sender_domain
#smtpd_sender_restrictions = reject_unknown_sender_domain, hash:/etc/postfix/access
smtpd_sender_restrictions =

# The smtpd_recipient_restrictions parameter specifies restrictions on
# recipient addresses that SMTP clients can send in RCPT TO commands.
#
# By default, Postfix relays mail
# - from trusted clients whose IP address matches $mynetworks,
# - from trusted clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# The following restrictions are available (* is part of default setting):
#
# *permit_mynetworks: permit if the client address matches $mynetworks.
# reject_unknown_client: reject the request if the client hostname is unknown.
# reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
# reject_invalid_hostname: reject HELO hostname with bad syntax.
# reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
# reject_unknown_sender_domain: reject sender domain without A or MX record.
# *check_relay_domains: permit only mail
# - to destinations matching $inet_interfaces, $mydestination,
# or $virtual_maps,
# - from trusted clients matching $relay_domains or subdomain thereof,
# - from untrusted clients to destinations matching $relay_domains or
# subdomain thereof (except addresses with sender-specified routing),
# Reject anything else.
# permit_auth_destination: permit mail
# - to destinations matching $inet_interfaces, $mydestination,
# or $virtual_maps.
# - to destinations matching $relay_domains or subdomain thereof,
# except for addresses with sender-specified routing.
# reject_unauth_destination: reject mail unless it is sent
# - to destinations matching $inet_interfaces, $mydestination,
# or $virtual_maps.
# - to destinations matching $relay_domains or subdomain thereof,
# except for addresses with sender-specified routing.
# reject_unauth_pipelining: reject mail from improperly pipelining spamware
# permit_mx_backup: accept mail for sites that list me as MX host.
# Use the optional permit_mx_backup_networks parameter to also
# require that the primary MX hosts match a list of network blocks.
# reject_unknown_recipient_domain: reject domains without A or MX record.
# check_recipient_access maptype:mapname
# maptype:mapname: look up recipient address, parent domain, or localpart@.
# Reject if result is REJECT or "[45]xx text"
# Permit if result is OK or all numerical.
# check_client_access maptype:mapname: see smtpd_client_restrictions.
# check_helo_access maptype:mapname: see smtpd_helo_restrictions.
# check_sender_access maptype:mapname: see smtpd_sender_restrictions.
# reject_sender_login_mismatch: reject if $smtpd_sender_login_maps specifies
# a MAIL FROM address owner, but the client is not (SASL) logged in as
# that MAIL FROM address owner; or if the client is (SASL) logged in, but
# the client login name doesn't own the MAIL FROM address according to
# $smtpd_sender_login_maps (see above).
# reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
# reject_non_fqdn_sender: reject sender address that is not in FQDN form
# reject_non_fqdn_recipient: reject recipient address that is not in FQDN form
# reject: reject the request. Place this at the end of a restriction.
# permit: permit the request. Place this at the end of a restriction.
# warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING RESTRICTIONS
# OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL:
# reject, check_relay_domains, reject_unauth_destination
#
# The active value is the default (the two * entries above): trusted
# clients are permitted first, then check_relay_domains rejects anything
# outside the relay policy. Because the first match wins, any reject_* or
# check_*_access entry that should also apply to $mynetworks clients must
# be placed before permit_mynetworks.
#
smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains

#
# ADDITIONAL UCE CONTROLS
#

# The allow_untrusted_routing parameter controls if Postfix will
# forward mail with sender-specified routing (user[@%!]remote[@%!]site)
# from untrusted clients to destinations that are blessed by the
# relay_domains parameter.
#
# By default, untrusted clients are not allowed to specify routing.
# This closes a nasty open relay loophole where a backup MX host can
# be tricked into forwarding junk mail to a primary MX host which
# then spams it out to the world.
#
# This parameter also controls if non-local addresses with sender-specified
# routing can match Postfix access tables. By default, such addresses
# cannot match Postfix access tables, because the address is ambiguous.
#
# Keep "no" unless there is a documented need; "yes" reopens the
# backup-MX relay loophole described above.
#
allow_untrusted_routing = no

# The maps_rbl_domains parameter specifies an optional list of DNS
# domains that publish the network addresses of blacklisted hosts.
#
# By default, RBL blacklist lookups are disabled. See the
# smtpd_client_restrictions parameter.
#
# The real-time blackhole list works as follows: reverse the client
# network address, and reject service if it is listed below any of
# the following domains.
#
# NOTE(review): as far as this file shows, setting this alone has no
# effect; lookups are triggered by reject_maps_rbl in one of the
# restriction lists above, none of which includes it in this sample.
# Each listed domain is an external operator whose DNS answers decide
# who may send mail here, so confirm the list is still maintained and
# check its terms of use before enabling the restriction.
#
#maps_rbl_domains = blackholes.mail-abuse.org relays.mail-abuse.org
maps_rbl_domains = blackholes.mail-abuse.org

# The relay_domains parameter restricts what client hostname domains
# (and subdomains thereof) this mail system will relay mail from,
# and restricts what destination domains (and subdomains thereof)
# this system will relay mail to.
#
# By default, Postfix relays mail
# - from trusted clients whose IP address matches $mynetworks,
# - from trusted clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction, in the description of the
# smtpd_recipient_restrictions parameter.
#
# The active value is the default. Every domain added here (with all its
# subdomains) becomes both a relay source and a relay destination, so this
# list, together with mynetworks, defines the relay policy and should stay
# minimal.
#
relay_domains = $mydestination

#
# RESPONSE CODES
#

# Codes in the 5xx class below are permanent rejections, while the three
# unknown_*_reject_code settings use 450, the temporary class (per RFC
# 821), so a client whose DNS lookup failed transiently is told to retry
# rather than having its mail bounced. Policy rejections (access maps,
# RBL, relay policy, explicit reject) stay permanent at 550.

# The access_map_reject_code parameter specifies the SMTP server
# response code when a client violates an access map restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
access_map_reject_code = 550

# The invalid_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_invalid_hostname anti-UCE
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
invalid_hostname_reject_code = 501

# The maps_rbl_reject_code parameter specifies the SMTP server response
# when a client violates the maps_rbl_domains restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
maps_rbl_reject_code = 550

# The reject_code parameter specifies the SMTP server response code
# when an SMTP client matches a reject restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
reject_code = 550

# The relay_domains_reject_code parameter specifies the SMTP server
# response when a client attempts to violate the mail relay policy.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
relay_domains_reject_code = 550

# The unknown_address_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_sender_domain
# or reject_unknown_recipient_domain restrictions.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_address_reject_code = 450

# The unknown_client_reject_code parameter specifies the SMTP server
# response when a client without address to name mapping violates
# the reject_unknown_client restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_client_reject_code = 450

# The unknown_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_hostname
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_hostname_reject_code = 450