Hi lists:
My needs:
1. Serving as the mail server for a friend's web site.
2. TLS encrypt only, auth plain
3. 587 for clients sending mail, 995 pop3s for clients receiving mail, 25 for server sending and receiving mail
4. amavisd-new
5. spamassassin
6. spf check
7. dmarc
8. opendkim
Are there any configuration errors below, and could you give me some suggestions to enhance the mail server, such as its security?
Here is my postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 0
milter_default_action = reject
milter_protocol = 6
mime_header_checks = $header_checks
mydestination = localhost, $mydomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = host
myorigin = $mydomain
nested_header_checks = $header_checks
non_smtpd_milters = inet:localhost:12301, inet:localhost:54321
policyd-spf_time_limit = 3600
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp-amavis_destination_concurrency_limit = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,reject_unknown_helo_hostname
smtpd_junk_command_limit = 4
smtpd_milters = inet:localhost:12301, inet:localhost:54321
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,reject_invalid_hostname,reject_unauth_pipelining,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,check_recipient_access hash:/etc/postfix/recipient_access
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_sender_login_mismatch,reject_unverified_sender,check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/commando/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/commando/live/mail.example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
################
Thanks,
yours sincerely.
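
A small audit of `postconf -n` output against the needs listed in the post, as an added example that is not part of the original message and not Postfix's own tooling. The function names, the finding messages and the trimmed sample (constructed from the posted settings) are assumptions; it reads main.cf parameters only, so per-service `-o` overrides in master.cf are not seen.

```python
import re

# Constructed sample in `postconf -n` format, trimmed from the settings posted above.
SAMPLE = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,
    reject_unauth_pipelining,reject_non_fqdn_sender,reject_unauth_pipelining
"""

def parse_postconf(text):
    """Return {name: value}; lines starting with whitespace continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def audit(params):
    """Hypothetical checks; returns a list of (parameter, message) findings."""
    findings = []
    # Need 2 in the post: plaintext AUTH must only be offered inside TLS.
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append(("smtpd_tls_auth_only", "AUTH may be offered without TLS"))
    # The *_use_tls switches are obsolete; *_tls_security_level overrides them.
    for side in ("smtpd", "smtp"):
        if f"{side}_use_tls" in params and f"{side}_tls_security_level" in params:
            findings.append((f"{side}_use_tls", f"overridden by {side}_tls_security_level"))
    # An exclusion list that names only SSLv2/SSLv3 does not exclude TLSv1 or TLSv1.1.
    protos = set(re.split(r"[,\s]+", params.get("smtpd_tls_protocols", "")))
    if any(p.startswith("!") for p in protos):
        findings += [("smtpd_tls_protocols", f"{old} not excluded")
                     for old in ("TLSv1", "TLSv1.1") if "!" + old not in protos]
    # A restriction repeated within one list is redundant.
    for name, value in params.items():
        if name.endswith("_restrictions"):
            toks = [t for t in re.split(r"[,\s]+", value) if t.startswith(("reject_", "permit_"))]
            findings += [(name, f"duplicate {t}") for t in sorted(set(toks)) if toks.count(t) > 1]
    return findings

if __name__ == "__main__":
    for param, msg in audit(parse_postconf(SAMPLE)):
        print(f"{param}: {msg}")
```

To run it against a live server, pass the text captured from `postconf -n` to `parse_postconf` in place of `SAMPLE`.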