Initial commit

Kanzlei-Kiel/main.cf.Kanzlei-Kiel

@@ -0,0 +1,269 @@
+# ============ Basic settings ============
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+## - The Internet protocols Postfix will attempt to use when making 
+## - or accepting connections.
+## - DEFAULT: ipv4
+inet_protocols = ipv4
+
+#inet_interfaces = all
+inet_interfaces =
+   127.0.0.1
+   192.168.100.254
+
+myhostname = gw-ah.kanzlei-kiel.netz
+
+mydestination =
+   gw-ah.kanzlei-kiel.netz
+   localhost
+
+## - The list of "trusted" SMTP clients that have more 
+## - privileges than "strangers"
+## -
+mynetworks =
+   127.0.0.0/8
+   192.168.100.0/24
+   #192.168.100.254/32
+
+#smtp_bind_address = 192.168.100.254
+#smtp_bind_address6 = 
+
+
+## - The method to generate the default value for the mynetworks parameter.
+## -
+## -   mynetworks_style = host" when Postfix should "trust" only the local machine
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -                       clients in the same IP subnetworks as the local machine.
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -                      IP class A/B/C networks as the local machine.
+## -
+#mynetworks_style = host
+
+
+## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - or zero (no limit). In fact, this limits the size of any file that is 
+## - written to upon local delivery, including files written by external 
+## - commands that are executed by the local(8) delivery agent. 
+## -
+mailbox_size_limit = 0
+
+## - The maximal size in bytes of a message, including envelope information.
+## -
+## - we user 50MB
+## -
+message_size_limit = 52480000
+
+## - The system-wide recipient address extension delimiter
+## -
+recipient_delimiter = +
+
+## - The alias databases that are used for local(8) delivery.
+## -
+alias_maps =
+   hash:/etc/aliases
+
+## - The alias databases for local(8) delivery that are updated 
+## - with "newaliases" or with "sendmail -bi". 
+## -
+alias_database =
+   hash:/etc/aliases
+
+
+## - The maximal time a message is queued before it is sent back as 
+## - undeliverable. Defaults to 5d (5 days)
+## - Specify 0 when mail delivery should be tried only once.
+## - 
+maximal_queue_lifetime = 3d
+bounce_queue_lifetime = $maximal_queue_lifetime
+
+## - delay_warning_time (default: 0h)
+## -
+## - The time after which the sender receives a copy of the message 
+## - headers of mail that is still queued. To enable this feature, 
+## - specify a non-zero time value (an integral value plus an optional 
+## - one-letter suffix that specifies the time unit). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - The default time unit is h (hours). 
+delay_warning_time = 1d
+
+
+
+# ============ Relay parameters ============
+
+#relayhost =
+
+
+# ============ SASL authentication ============
+
+# Enable SASL authentication
+smtp_sasl_auth_enable = yes
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [b.mx.oopen.de]
+
+# File including login data
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+# Force using a (TLS) security connection
+# obsulete - use smtp_tls_security_level instead
+#smtp_use_tls = yes
+#smtp_tls_enforce_peername = no
+smtp_tls_security_level = encrypt
+
+# Disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+
+
+
+# ============ TLS parameters ============
+
+## - Aktiviert TLS für den Mailempfang
+## -
+## - may:
+## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - SMTP server, otherwise use plaintext
+## -
+## - This overrides the obsolete parameters smtpd_use_tls and 
+## - smtpd_enforce_tls. This parameter is ignored with 
+## - "smtpd_tls_wrappermode = yes".
+#smtpd_use_tls=yes
+smtp_tls_security_level=encrypt
+
+## - Aktiviert TLS für den Mailversand
+## -
+## - may:
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - but do not require that clients use TLS encryption.
+# smtp_use_tls=yes
+smtpd_tls_security_level=may
+
+## -    0 Disable logging of TLS activity. 
+## -    1 Log TLS handshake and certificate information. 
+## -    2 Log levels during TLS negotiation. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
+smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - server certificates or intermediate CA certificates. These are loaded into 
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## - 
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - necessary "hash" links with, for example, "
+## - /bin/c_rehash /etc/postfix/certs". 
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - the chroot jail. 
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# 
+# List of TLS protocols that the Postfix SMTP server will exclude or  
+# include with opportunistic TLS encryption.  
+smtpd_tls_protocols = !SSLv2, !SSLv3
+# 
+# The SSL/TLS protocols accepted by the Postfix SMTP server  
+# with mandatory TLS encryption. 
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client 
+#  
+# List of TLS protocols that the Postfix SMTP client will exclude or  
+# include with opportunistic TLS encryption.  
+smtp_tls_protocols = !SSLv2, !SSLv3
+# 
+# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# with mandatory TLS encryption 
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+## -    openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+#   RC4
+#   aNULL
+#   SEED-SHA
+#   EXP
+#   MD5
+smtpd_tls_exclude_ciphers =
+   aNULL
+   eNULL
+   EXPORT
+   DES
+   RC4
+   MD5
+   PSK
+   aECDH
+   EDH-DSS-DES-CBC3-SHA
+   EDH-RSA-DES-CDC3-SHA
+   KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+