mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-04 15:56:03 +02:00
24e73359c6
As announced on the mailing list[2] pacman has been migrated to gitlab and there is no real use for patchwork left, so it can be decommissioned. A static copy[1] is kept around for the time being to avoid link rot. [1] https://gitlab.archlinux.org/archlinux/patchwork-archive [2] https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/message/7B6R5HVEC67U7B2VQ3SKUVXU4RDCRRMM/ Fix #487
185 lines
5.1 KiB
Django/Jinja
185 lines
5.1 KiB
Django/Jinja
#
|
|
# {{ansible_managed}}
|
|
#
|
|
|
|
compatibility_level = 2
|
|
|
|
smtpd_banner = $myhostname ESMTP $mail_name
|
|
biff = no
|
|
|
|
smtputf8_enable = no
|
|
|
|
append_dot_mydomain = no
|
|
|
|
smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
|
|
smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
|
|
|
|
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
|
|
smtpd_tls_eecdh_grade = ultra
|
|
tls_preempt_cipherlist = yes
|
|
smtpd_tls_loglevel = 1
|
|
smtpd_tls_security_level = may
|
|
tls_ssl_options = NO_COMPRESSION
|
|
|
|
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
|
|
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
|
|
smtp_tls_protocols = !SSLv2, !SSLv3
|
|
smtpd_tls_protocols = !SSLv2 !SSLv3
|
|
smtpd_tls_mandatory_ciphers=high
|
|
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA
|
|
|
|
smtp_tls_loglevel = 1
|
|
smtp_tls_security_level = may
|
|
|
|
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
|
|
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
|
|
|
|
smtp_use_tls = yes
|
|
smtp_tls_CApath = /etc/ssl/certs
|
|
|
|
# TODO: daemon_directory should be the same as the default. drop it
|
|
daemon_directory = /usr/lib/postfix/bin
|
|
mydomain = {{inventory_hostname}}
|
|
myhostname = {{inventory_hostname}}
|
|
myorigin = archlinux.org
|
|
mydestination = archlinux.org
|
|
|
|
default_database_type=btree
|
|
indexed = ${default_database_type}:${config_directory}
|
|
|
|
mynetworks =
|
|
127.0.0.1
|
|
[::ffff:127.0.0.0]/104
|
|
[::1]/128
|
|
mailbox_transport = lmtp:unix:private/dovecot-lmtp
|
|
lmtp_destination_recipient_limit=1
|
|
mailbox_size_limit = 0
|
|
message_size_limit = 104857600
|
|
recipient_delimiter = +
|
|
inet_interfaces = all
|
|
inet_protocols = all
|
|
disable_vrfy_command = yes
|
|
strict_rfc821_envelopes = yes
|
|
|
|
# enable for testing new config
|
|
soft_bounce = no
|
|
debug_peer_list =
|
|
|
|
smtp_connection_cache_on_demand = yes
|
|
|
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
|
|
|
# custom restriction classes
|
|
policy_check =
|
|
# postfwd (rate-limiting)
|
|
check_policy_service inet:127.0.0.1:10040
|
|
|
|
smtpd_recipient_restrictions =
|
|
# policy services
|
|
$policy_check,
|
|
# white-/blacklisting
|
|
check_recipient_access ${indexed}/access_recipient,
|
|
check_client_access ${indexed}/access_client,
|
|
check_helo_access ${indexed}/access_helo,
|
|
check_sender_access ${indexed}/access_sender,
|
|
# reject unclean mails
|
|
reject_unauth_pipelining,
|
|
reject_non_fqdn_recipient,
|
|
reject_non_fqdn_sender,
|
|
reject_unknown_recipient_domain,
|
|
reject_unknown_sender_domain,
|
|
# allow our users
|
|
reject_authenticated_sender_login_mismatch,
|
|
permit_sasl_authenticated,
|
|
permit_mynetworks,
|
|
# reject mailservers without proper rDNS and hostname->IP
|
|
#warn_if_reject reject_unknown_client_hostname,
|
|
# check RBLs
|
|
# check the HELO
|
|
#warn_if_reject reject_invalid_helo_hostname,
|
|
# reject relaying
|
|
reject_unauth_destination,
|
|
# cache if recipient exists
|
|
#reject_unverified_recipient,
|
|
#permit_mx_backup,
|
|
permit
|
|
|
|
# some rate limiting rules only work after data so check it again
|
|
smtpd_end_of_data_restrictions =
|
|
$policy_check
|
|
|
|
address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache
|
|
|
|
unverified_recipient_reject_code = 550
|
|
unknown_hostname_reject_code = 550
|
|
unknown_client_reject_code = 550
|
|
unknown_address_reject_code = 550
|
|
|
|
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
|
|
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_tls_auth_only = yes
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
broken_sasl_auth_clients = yes
|
|
smtpd_sasl_type = dovecot
|
|
smtpd_sasl_path = /var/run/dovecot/auth-client
|
|
smtpd_tls_received_header = yes
|
|
# needed for SA
|
|
smtpd_sasl_authenticated_header = yes
|
|
|
|
submission_recipient_restrictions=
|
|
# allow postmaster
|
|
check_recipient_access ${indexed}/access_recipient,
|
|
permit_sasl_authenticated,
|
|
reject
|
|
|
|
smtpd_milters=inet:localhost:11332
|
|
non_smtpd_milters=inet:localhost:11332
|
|
|
|
# Pass internal mails through filters so they get signed by opendkim
|
|
# XXX: Be careful not to have filters that may reject mails!
|
|
internal_mail_filter_classes = bounce
|
|
|
|
smtpd_sender_login_maps =
|
|
${indexed}/smtp_sender_map,
|
|
${indexed}/users
|
|
smtpd_helo_required = yes
|
|
|
|
smtpd_client_connection_rate_limit = 400
|
|
smtpd_client_message_rate_limit = 500
|
|
smtpd_client_recipient_rate_limit = 500
|
|
|
|
alias_maps = ${indexed}/aliases
|
|
alias_database = ${indexed}/aliases
|
|
|
|
|
|
virtual_alias_maps =
|
|
${indexed}/users
|
|
pcre:${config_directory}/users.pcre
|
|
virtual_alias_domains = ${indexed}/domains
|
|
|
|
# reject mails to system users (nobody looks in those mailboxes)
|
|
local_recipient_maps =
|
|
${indexed}/users
|
|
$alias_maps
|
|
pcre:${config_directory}/transport.pcre
|
|
relocated_maps = ${indexed}/relocated
|
|
|
|
relay_domains =
|
|
|
|
transport_maps =
|
|
${indexed}/transport
|
|
pcre:${config_directory}/transport.pcre
|
|
|
|
wiki_bouncehandler_destination_recipient_limit = 1
|
|
|
|
authorized_mailq_users = root
|
|
|
|
header_checks = pcre:/etc/postfix/header_checks
|
|
body_checks = pcre:/etc/postfix/body_checks
|
|
|
|
delay_warning_time = 4h
|
|
|
|
# vim: set ft=pfmain:
|