[postfix] Une config foireuse dans les anciennes, et configuration plus souple de TLS
This commit is contained in:
parent
171186bb04
commit
935bcf88ca
1 changed files with 32 additions and 36 deletions
|
@ -172,55 +172,51 @@ if mx:
|
||||||
# Pour les non-mx il n'y a plus rien d'interessant
|
# Pour les non-mx il n'y a plus rien d'interessant
|
||||||
if not mx:
|
if not mx:
|
||||||
done()
|
done()
|
||||||
|
@
|
||||||
@# +-------------+
|
@# +-------------+
|
||||||
@# | TLS et SASL |
|
@# | TLS et SASL |
|
||||||
@# +-------------+
|
@# +-------------+
|
||||||
|
@
|
||||||
@# TLS pour la reception
|
@# TLS pour la reception
|
||||||
smtpd_tls_cert_file = "/etc/ssl/certs/smtp.pem"
|
@smtpd_use_tls=yes
|
||||||
smtpd_tls_key_file = "/etc/ssl/private/smtp.pem"
|
@smtpd_tls_security_level=may
|
||||||
smtpd_tls_CAfile = "/etc/ssl/certs/cacert.org.pem"
|
@smtpd_tls_cert_file=/etc/ssl/certs/smtp.pem
|
||||||
smtpd_tls_loglevel = 0
|
@smtpd_tls_key_file=/etc/ssl/private/smtp.pem
|
||||||
smtpd_use_tls = True
|
@smtpd_tls_CAfile=/etc/ssl/certs/cacert.org.pem
|
||||||
smtpd_tls_received_header = True
|
@smtpd_tls_loglevel=0
|
||||||
|
@smtpd_tls_received_header=yes
|
||||||
|
@
|
||||||
@# On utilise aussi TLS pour envoyer les mails
|
@# On utilise aussi TLS pour envoyer les mails
|
||||||
smtp_tls_cert_file = ""
|
@smtp_use_tls=yes
|
||||||
smtp_tls_key_file = ""
|
@smtp_tls_security_level=may
|
||||||
smtp_tls_CAfile = "/etc/ssl/certs/cacert.org.pem"
|
@smtp_tls_loglevel=1
|
||||||
smtp_tls_loglevel = 1
|
@smtp_tls_cert_file=
|
||||||
smtp_use_tls = True
|
@smtp_tls_key_file=
|
||||||
|
@smtp_tls_CAfile=/etc/ssl/certs/cacert.org.pem
|
||||||
|
@
|
||||||
|
@
|
||||||
@# On cache les sessions TLS car elles sont couteuses. Il parait que btree est mieux que sdbm,
|
@# On cache les sessions TLS car elles sont couteuses. Il parait que btree est mieux que sdbm,
|
||||||
@# a essayer quand on aura postfix > 2.2
|
@# a essayer quand on aura postfix > 2.2
|
||||||
smtpd_tls_session_cache_database = "sdbm:/var/run/smtpd_tls_session_cache"
|
@smtpd_tls_session_cache_database=btree:/var/run/smtpd_tls_session_cache
|
||||||
smtp_tls_session_cache_database = "sdbm:/var/run/smtp_tls_session_cache"
|
@smtp_tls_session_cache_database=btree:/var/run/smtp_tls_session_cache
|
||||||
|
@
|
||||||
tls_random_source = "dev:/dev/urandom"
|
@tls_random_source=dev:/dev/urandom
|
||||||
tls_daemon_random_source = "dev:/dev/urandom"
|
@tls_daemon_random_source=dev:/dev/urandom
|
||||||
|
@
|
||||||
if main:
|
if main:
|
||||||
@# Authentification SASL pour relayer du mail
|
|
||||||
@smtpd_sasl_auth_enable=yes
|
|
||||||
@# Auth que si tls pour eviter des pass en clair sur le reseau
|
@# Auth que si tls pour eviter des pass en clair sur le reseau
|
||||||
@smtpd_tls_auth_only=yes
|
@smtpd_tls_auth_only=yes
|
||||||
|
@# Authentification SASL pour relayer du mail
|
||||||
|
@smtpd_sasl_auth_enable=yes
|
||||||
|
@
|
||||||
@# +--------------------------+
|
@# +--------------------------+
|
||||||
@# | Filtrages et limitations |
|
@# | Filtrages et limitations |
|
||||||
@# +--------------------------+
|
@# +--------------------------+
|
||||||
|
@
|
||||||
if main:
|
if main:
|
||||||
@# Filtrage sur les sources de connexions
|
@# Filtrage sur les sources de connexions
|
||||||
@smtpd_client_restrictions=permit_mynetworks
|
@smtpd_client_restrictions=permit_mynetworks
|
||||||
@
|
@
|
||||||
@#
|
|
||||||
@# Requiring this will stop some UCE software.
|
|
||||||
@# (UCE = Unsolicited Commercial Email = SPAM)
|
|
||||||
@#
|
|
||||||
@smtpd_require_helo=yes
|
|
||||||
@
|
|
||||||
@# Reject the request when the client HELO or EHLO parameter has a bad hostname syntax.
|
@# Reject the request when the client HELO or EHLO parameter has a bad hostname syntax.
|
||||||
@# reject_unknown_hostname value not recommended, because it may causes mail losting.
|
@# reject_unknown_hostname value not recommended, because it may causes mail losting.
|
||||||
@# (for example: after paypal.com registration you don't receive activation mail! I've tried it.)
|
@# (for example: after paypal.com registration you don't receive activation mail! I've tried it.)
|
||||||
|
@ -238,14 +234,14 @@ if main:
|
||||||
@smtpd_client_event_limit_exceptions=local_networks
|
@smtpd_client_event_limit_exceptions=local_networks
|
||||||
if mx:
|
if mx:
|
||||||
add(adm_networks)
|
add(adm_networks)
|
||||||
|
@
|
||||||
@# On limite à 10 messages par minute
|
@# On limite à 10 messages par minute
|
||||||
@smtpd_client_message_rate_limit=10
|
@smtpd_client_message_rate_limit=10
|
||||||
|
@
|
||||||
@## Filtrage au MAIL FROM
|
@## Filtrage au MAIL FROM
|
||||||
@# Rejet si le domaine de l'envoyeur n'est pas dans un DNS
|
@# Rejet si le domaine de l'envoyeur n'est pas dans un DNS
|
||||||
@smtpd_sender_restrictions=reject_unknown_sender_domain
|
@smtpd_sender_restrictions=reject_unknown_sender_domain
|
||||||
|
@
|
||||||
@## Filtrage au RCPT TO
|
@## Filtrage au RCPT TO
|
||||||
@# permet si le client est dans le reseau local
|
@# permet si le client est dans le reseau local
|
||||||
@smtpd_recipient_restrictions=permit_mynetworks
|
@smtpd_recipient_restrictions=permit_mynetworks
|
||||||
|
@ -262,7 +258,7 @@ if public:
|
||||||
@# accepte si la greylist est d'accord
|
@# accepte si la greylist est d'accord
|
||||||
add("check_policy_service inet:127.0.0.1:2501")
|
add("check_policy_service inet:127.0.0.1:2501")
|
||||||
@# jette le reste
|
@# jette le reste
|
||||||
|
@
|
||||||
@# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
|
@# Tailles maximales : 20Mo pour les msgs et 75 pour les mbox
|
||||||
message_size_limit = 20971520
|
message_size_limit = 20971520
|
||||||
mailbox_size_limit = 78643000
|
mailbox_size_limit = 78643000
|
||||||
|
|
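Review bot: The new `smtpd_tls_session_cache_database=btree:/var/run/smtpd_tls_session_cache` and matching `smtp_tls_session_cache_database=btree:/var/run/smtp_tls_session_cache` lines put the TLS session cache under `/var/run` while the comment just above them still says btree is "to try once we have postfix > 2.2" — the change already makes that switch, so the comment is stale and should state the real requirement (Postfix 2.3+ with Berkeley DB support) or be dropped. The cache is written by the unprivileged `tlsmgr` process and stores resumable session material, so Postfix's TLS_README asks for it to sit in a postfix-owned directory that other local users cannot read (`$data_directory` on 2.5+, otherwise a 0700 directory owned by the postfix user), not directly in `/var/run`; whether `/var/run` is writable by the postfix user here is not visible in the hunk, and if it is not, the cache is silently never created and every TLS session pays a full handshake, which is the cost the comment says the cache exists to avoid. Suggested replacement for the two comment lines: `# TLS session cache (btree needs Postfix >= 2.3 with Berkeley DB). Holds session secrets: keep it in a postfix-owned, non-world-readable directory (see TLS_README).` The hunk begins partway through the generator file, so the `if mx:`/`if main:` structure it sits in is only partially visible.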