smtpd.conf
# $OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
#
# Layout: global options, PKI, tables, listeners, dispatchers (actions),
# then the match rules, which are evaluated in order (first match wins).
# Options
#
# Compress envelopes and message bodies stored in the queue.
queue compression
# Encrypt queue files with this 16-byte key (32 hex characters).
# NOTE(review): the key sits in cleartext in this file, so anyone who can
# read smtpd.conf can decrypt the queue at rest; keep the file readable by
# root only and never commit a production key to a repository. Mail already
# queued under one key is presumably unreadable after the key changes, so
# drain the queue before rotating it. smtpd.conf(5) also allows omitting the
# key so it is supplied at startup instead - confirm for your version.
queue encryption \
5101bef20f4d02c826bffc243e15a7c0 # key generated with `openssl rand -hex 16`
# Bounce mail that has stayed in the queue longer than 4 days.
queue ttl \
4d
# Send "still undelivered" warnings to the envelope sender at these ages.
bounce warn-interval \
1h, 6h, 2d # default: 4h
# Largest message accepted on any listener.
smtp max-message-size \
35M # (!) match "quota_max_mail_size" from 90-quota.conf
# Cap on deferred messages for a failing destination - see smtpd.conf(5)
# for the exact back-off semantics.
mta max-deferred \
100
# Pass the message through Rspamd and delegate message delivery to Dovecot LDA
# Used by action "mda" below via `wrapper "dovecot"`: rspamc scans the
# message over the local socket (120 s timeout) and then executes the real
# MDA command, which smtpd substitutes for %{mda}. `--mime` presumably makes
# rspamc hand the rewritten message on to that command - confirm against
# rspamc(1).
mda wrapper dovecot \
"rspamc -h /var/run/rspamd/rspamd.sock \
-t 120 \
--mime \
-e '%{mda}'"
# PKI
#
# Certificate chain and private key served by the TLS-enabled listeners
# below (`tls pki`, `smtps pki` and `tls-require pki mercury.example.com`).
# The /etc/ssl/acme paths suggest acme-client(1)-managed files.
# NOTE(review): the private key must stay readable by root only. smtpd
# loads these files at startup, so a restart is presumably needed after
# each renewal for the new certificate to be served - confirm for your
# version.
pki mercury.example.com \
cert "/etc/ssl/acme/mercury.example.com.fullchain.pem"
pki mercury.example.com \
key "/etc/ssl/acme/private/mercury.example.com.key"
# Tables
#
# Lookup tables referenced by the listeners, actions and rules below.
# `file:` tables are plain text files, `passwd:` is a passwd(5)-style
# credential file and `{ ... }` defines the list inline.
# Local host aliases
table aliases \
file:/etc/mail/aliases
#
# Virtual host aliases
table virtuals \
file:/etc/mail/virtual
#
# Virtual domains
table vdomains \
file:/etc/mail/vdomains
#
# Virtual passwd
# Credentials behind `auth <passwd>` on both submission listeners.
# NOTE(review): this file holds password hashes - keep it root-only.
table passwd \
passwd:/etc/mail/passwd
#
# Blacklist sender's address or entire @example.bad
# Matched against the envelope sender (`mail-from`) in the delivery rules.
table blacklist \
file:/etc/mail/blacklist
#
# Local sender's entire @mailname (or local hostname)
# Used negated (`!mail-from <localhost>`) so outgoing mail may not claim
# a sender at the host's own name.
table localhost \
{ "@mercury.example.com" }
#
# Local session HELO/EHLO for mda, lmtp, and smtp level notifications
table localhelo \
{ "localhost", "mercury.example.com" }
#
# OpenPGP WKS Submission Address
# NOTE(review): this table lives under the web root; make sure the web
# server cannot modify it, since its contents steer the WKS reject rule.
table submission-address \
file:/var/www/openpgpkey/submission-address
#
# Source IP addresses of relays that may legitimately originate mail ...
table relays \
file:/etc/mail/relays
# ... with our email address or entire @vdomains as the sender
# Together <relays> and <whitelist> drive the anti-spoofing reject on the
# MTA listener: a sender in <whitelist> arriving from a source outside
# <relays> is refused.
table whitelist \
file:/etc/mail/whitelist
# Incoming connections
#
# Local messages
# Unix socket used by the local sendmail(8)/smtpctl(8) enqueuer.
listen on socket
#
# DKIM signed messages (dkimproxy_out relay)
# Loopback-only and unauthenticated: it is trusted solely because it is
# bound to lo0 and the matching rule additionally requires
# `from src 127.0.0.1`. Keep it off any other interface.
listen on lo0 port 10028 \
tag DKIM
#
# Mail Transfer Agent (opportunistic STARTTLS)
# No `auth` here, so credentials are never offered on the port where TLS
# is optional. `no-dsn` is left disabled, i.e. the DSN extension stays on.
listen on egress port 25 \
tls pki mercury.example.com \
tag MTA # no-dsn (disabled)
#
# Message Submission Agent (Implicit TLS)
# `auth <passwd>` makes authentication mandatory, `received-auth` records
# the authenticated user in the Received header and `mask-src` keeps the
# client's source address out of it.
listen on egress port 465 \
smtps pki mercury.example.com \
auth <passwd> received-auth mask-src \
tag MSA
#
# Message Submission Agent requires STARTTLS and authentication
# `tls-require` refuses to proceed until STARTTLS has been negotiated, so
# the passwd credentials are only ever sent over an encrypted channel.
listen on egress port submission \
tls-require pki mercury.example.com \
auth <passwd> received-auth mask-src \
tag MSA
# Dispatchers
#
# Named actions referenced by the match rules below.
# Relay the message to any MX using opportunistic STARTTLS
action "relay" \
relay
#
# Relay the message as backup MX using mandatory STARTTLS with valid certificate
action "backup" \
relay backup tls
#
# Relay the message to dkimproxy_out listen address:port
# Plain SMTP on loopback; the signed copy presumably comes back in on the
# lo0:10028 listener tagged DKIM.
action "dkim" \
relay host smtp://127.0.0.1:10027
#
# Only accept the message if alias to a remote address
action "forward" \
forward-only \
alias <aliases>
#
# Deliver the message to Dovecot LMTP using "virtuals" virtual expansion
action "lmtp" \
lmtp "/var/dovecot/lmtp" rcpt-to \
virtual <virtuals>
#
# Delegate message delivery to wrapper "dovecot" using virtual expansion
# The wrapper (defined under Options) runs rspamc and substitutes this
# command for %{mda}; %{rcpt}, %{dest} and %{mbox.from} are filled in by
# smtpd per recipient - see smtpd.conf(5) for the exact expansion rules.
action "mda" \
mda "/usr/local/libexec/dovecot/dovecot-lda \
-a %{rcpt} \
-d %{dest} \
-f %{mbox.from}" \
virtual <virtuals> \
wrapper "dovecot"
# Rules (first match wins)
#
# A session matching no rule is rejected. Order matters: the anti-spoofing
# reject for the MTA listener must stay ahead of the MTA delivery rule,
# which would otherwise accept the same message.
# Local messages to forward
# Local-origin mail for local recipients is only accepted when <aliases>
# maps it to a remote address (action "forward" is forward-only).
match from local \
for local \
action "forward"
#
# Local messages for virtual domains to MDA (or backup MX)
match from local \
!mail-from <blacklist> \
for domain <vdomains> \
action "mda" # "backup", "lmtp", or "mda"
#
# DKIM signed messages to MTA
# Only loopback sources may use the unauthenticated DKIM listener.
match tag DKIM \
from src 127.0.0.1 \
for any \
action "relay"
#
# Reject forged messages that claim to be from the local domain
# Refuses a sender in <whitelist> arriving from a source outside <relays>.
# Only the envelope sender is checked here; header-From spoofing is not
# covered by smtpd and would need DMARC/DKIM verification elsewhere
# (e.g. in rspamd).
match tag MTA \
!from src <relays> \
mail-from <whitelist> \
for any \
reject
#
# External messages for virtual domains to MDA (or backup MX)
# (!) WKS Trust Management: reject foreign Key Submission request
# Mail for the WKS submission address is excluded here and therefore
# falls through to the implicit reject.
match tag MTA \
from any \
!mail-from <blacklist> \
for domain <vdomains> \
!rcpt-to <submission-address> \
action "mda" # "backup", or "mda"
#
# Outgoing messages (from auth users) to dkimproxy_out for signing
# (!) do not accept mail FROM local host and IP, nor FOR local domain
# `auth` limits this to authenticated sessions; `!mail-from <localhost>`
# stops an authenticated user from claiming an @mercury.example.com sender.
match tag MSA \
!from local \
!mail-from <localhost> \
!for local \
auth \
action "dkim"
#
# Outgoing messages (DSN and MDN with empty reverse path "MAIL FROM: <>")
# from localhost to dkimproxy_out for signing (RFC1123 section 5.2.9)
# Disjoint from the rule above (`!tag MSA`); restricted to local sessions
# that announced one of the <localhelo> names.
match !tag MSA \
helo <localhelo> \
from local \
!for local \
!mail-from <localhost> \
action "dkim"