# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# after changing sth. in this file don't forget to execute:
# systemctl restart postfix.service && systemctl status postfix.service
# --- postfix general configuration START ---
# postfix settings in alphabetical order, comments in general taken from:
# http://www.postfix.org/BASIC_CONFIGURATION_README.html
# http://www.postfix.org/postconf.5.html
# alias_database (default: see "postconf -d" output)
# The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".
alias_database = hash:/etc/aliases
# alias_maps (default: see "postconf -d" output)
# The alias databases that are used for local(8) delivery.
alias_maps = hash:/etc/aliases
# append_dot_mydomain (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes)
# With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.
# Proxmox hint: appending .domain is the MUA's job.
append_dot_mydomain = no
# biff (default: yes)
# Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".
biff = no
# delay_warning_time (default: 0h)
# The time after which the sender receives a copy of the message headers of mail that is still queued. The confirm_delay_cleared parameter controls sender notification when the delay clears up.
delay_warning_time = 4h
# inet_interfaces (default: all)
# The network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all network interfaces (default), and "loopback-only" to receive mail on loopback network interfaces only (Postfix version 2.2 and later). The parameter also controls delivery of mail to user@[ip.address].
inet_interfaces = loopback-only
# inet_protocols (default: all)
# The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" or "ipv6", separated by whitespace or commas. The form "all" is equivalent to "ipv4, ipv6" or "ipv4", depending on whether the operating system implements IPv6.
inet_protocols = all
# mailbox_size_limit (default: 51200000)
# The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local(8) delivery agent.
# for no limit:
mailbox_size_limit = 0
# for 20 MB:
#message_size_limit = 20971520
# for 100 MB:
#message_size_limit = 104857600
# mydestination (default: $myhostname, localhost.$mydomain, localhost)
# The list of domains that are delivered via the $local_transport mail delivery transport. By default this is the Postfix local(8) delivery agent which looks up all recipients in /etc/passwd and /etc/aliases. The SMTP server validates recipient addresses with $local_recipient_maps and rejects non-existent recipients. See also the local domain class in the ADDRESS_CLASS_README file.
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = hostname.your.ddns.net, $myhostname, localhost.your.ddns.net, localhost
# mydomain (default: see "postconf -d" output)
# The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 2.3 and later). $mydomain is used as a default value for many other configuration parameters.
# Example: mydomain = domain.tld
mydomain = your.ddns.net
# myhostname (default: see "postconf -d" output)
# The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.
# Example: myhostname = host.example.com
myhostname = hostname.your.ddns.net
# mynetworks (default: see "postconf -d" output)
# The list of "trusted" remote SMTP clients that have more privileges than "strangers".
#mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# myorigin (default: $myhostname)
# The myorigin parameter specifies the domain that appears in mail that is posted on this machine.
myorigin = /etc/mailname
# relayhost (default: empty)
# The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default, $myhostname, is adequate for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user@that.users.mailhost.
# Example: myorigin = $mydomain
#relayhost =
relayhost = [mail.riseup.net]:587
# recipient_delimiter (default: empty)
# The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the system-wide recipient address extension delimiter (Postfix 2.10 and earlier).
# Examples:
# Handle Postfix-style extensions:
# recipient_delimiter = +
recipient_delimiter = +
# sender_canonical_classes (default: envelope_sender, header_sender)
# What addresses are subject to sender_canonical_maps address mapping. By default, sender_canonical_maps address mapping is applied to envelope sender addresses, and to header sender addresses.
sender_canonical_classes = envelope_sender
# sender_canonical_maps (default: empty)
# Optional address mapping lookup tables for envelope and header sender addresses. The table format and lookups are documented in canonical(5).
# Example: you want to rewrite the SENDER address "user@ugly.domain" to "user@pretty.domain", while still being able to send mail to the RECIPIENT address "user@ugly.domain".
sender_canonical_maps = hash:/etc/postfix/sender_canonical
# smtp_header_checks (default: empty)
# Restricted header_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.
# Personal note: ensures that "MAIL FROM" is not empty
smtp_header_checks = regexp:/etc/postfix/header_check
# smtp_use_tls (default: no)
# Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if it is not configured. With Postfix < 2.3, if the TLS handshake fails, and no other server is available, delivery is deferred and mail stays in the queue. If this is a concern for you, use the smtp_tls_per_site feature instead.
# Proxmox hint: use tls
smtp_use_tls = yes
# ---- Simple Authentication and Security Layer settings START ----
# smtp_sasl_auth_enable (default: no)
# Enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP client uses no authentication.
smtp_sasl_auth_enable = yes
# smtp_sasl_password_maps (default: empty)
# Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next-hop domain. Per-sender lookup is done only when sender-dependent authentication is enabled. If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.
# Proxmox hint: use sasl when authenticating to foreign SMTP servers
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
# smtp_sasl_security_options (default: noplaintext, noanonymous)
# Postfix SMTP client SASL security options; as of Postfix 2.3 the list of available features depends on the SASL client implementation that is selected with smtp_sasl_type.
smtp_sasl_security_options = noanonymous
# smtp_sasl_type (default: cyrus)
# The SASL plug-in type that the Postfix SMTP client should use for authentication. The available types are listed with the "postconf -A" command.
smtp_sasl_type = cyrus
# ---- Simple Authentication and Security Layer settings END ----
# smtpd_banner (default: $myhostname ESMTP $mail_name)
# The text that follows the 220 status code in the SMTP greeting banner. Some people like to see the mail version advertised. By default, Postfix shows no version.
# You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
# smtpd_recipient_restrictions (default: see "postconf -d" output)
# Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# --- postfix general configuration END ---
# --- TLS configuration START ---
# - x509 certificates and Co.
# smtp_tls_CAfile (default: empty)
# A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates.
# Proxmox hint: list of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# smtp_tls_ciphers (default: medium)
# The minimum TLS cipher grade that the Postfix SMTP client will use with opportunistic TLS encryption. Cipher types listed in smtp_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade. The default value is "medium" for Postfix releases after the middle of 2015, "export" for older releases.
smtp_tls_ciphers = high
# smtp_tls_exclude_ciphers (default: empty)
# List of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at all TLS security levels. This is not an OpenSSL cipherlist, it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching all the properties are excluded.
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
# smtp_tls_loglevel (default: 0)
# Enable additional Postfix SMTP client logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level.
# 0 Disable logging of TLS activity:
smtp_tls_loglevel = 0
# 1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, log the summary message and unconditionally log trust-chain verification errors:
#smtp_tls_loglevel = 1
# 2 Also log levels during TLS negotiation:
#smtp_tls_loglevel = 2
# 3 Also log hexadecimal and ASCII dump of TLS negotiation process:
#smtp_tls_loglevel = 3
# 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS:
#smtp_tls_loglevel = 4
# smtp_tls_mandatory_ciphers (default: medium)
# The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. The default value "medium" is suitable for most destinations with which you may want to enforce TLS, and is beyond the reach of today's cryptanalytic methods. See smtp_tls_policy_maps for information on how to configure ciphers on a per-destination basis.
smtp_tls_mandatory_ciphers = high
# smtp_tls_mandatory_exclude_ciphers (default: empty)
# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at mandatory TLS security levels. This list works in addition to the exclusions listed with smtp_tls_exclude_ciphers (see there for syntax details).
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
# smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
# List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons.
smtp_tls_mandatory_protocols = TLSv1.2,!TLSv1.1,!SSLv2,!SSLv3
# smtp_tls_protocols (default: !SSLv2, !SSLv3)
# List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption.
smtp_tls_protocols = TLSv1.2,!TLSv1.1,!SSLv2,!SSLv3
# smtp_tls_security_level (default: empty)
# The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
smtp_tls_security_level = encrypt
# smtp_tls_session_cache_database (default: empty)
# Name of the file containing the optional Postfix SMTP client TLS session cache.
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# smtpd_tls_cert_file (default: empty)
# File with the Postfix SMTP server RSA certificate in PEM format. This file may also contain the Postfix SMTP server private RSA key.
smtpd_tls_cert_file = /etc/letsencrypt/live/your.ddns.net/fullchain.pem
# smtpd_tls_ciphers (default: medium)
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade.
smtpd_tls_ciphers = high
# smtpd_tls_dh1024_param_file (default: empty)
# File with DH parameters that the Postfix SMTP server should use with non-export EDH ciphers.
# openssl dhparam -out /etc/postfix/dh4096.param 4096
smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.param
# smtpd_tls_eecdh_grade (default: see "postconf -d" output)
# The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. The available choices are:
# none - Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the default in Postfix versions 2.6 and 2.7:
#smtpd_tls_eecdh_grade = none
# strong - Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational efficiency. This is the default in Postfix version 2.8 and later:
smtpd_tls_eecdh_grade = strong
# ultra - Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high as 128 bit strength ECC. Barring significant progress in attacks on elliptic curve crypto-systems, the "strong" curve is sufficient for most users:
#smtpd_tls_eecdh_grade = ultra
# auto - Use the most preferred curve that is supported by both the client and the server. This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This is the default setting under the above conditions:
#smtpd_tls_eecdh_grade = auto
# smtpd_tls_exclude_ciphers (default: empty)
# List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers can create interoperability problems. DO NOT exclude ciphers unless it is essential to do so.
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
# smtpd_tls_key_file (default: $smtpd_tls_cert_file)
# File with the Postfix SMTP server RSA private key in PEM format. This file may be combined with the Postfix SMTP server RSA certificate file specified with $smtpd_tls_cert_file.
smtpd_tls_key_file = /etc/letsencrypt/live/your.ddns.net/privkey.pem
# smtpd_tls_loglevel (default: 0)
# Enable additional Postfix SMTP server logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level.
# 0 Disable logging of TLS activity:
smtpd_tls_loglevel = 0
# 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate verification is not required. With Postfix 2.8 and earlier, log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors:
#smtpd_tls_loglevel = 1
# 2 Also log levels during TLS negotiation:
#smtpd_tls_loglevel = 2
# 3 Also log hexadecimal and ASCII dump of TLS negotiation process:
#smtpd_tls_loglevel = 3
# 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS:
#smtpd_tls_loglevel = 4
# smtpd_tls_mandatory_ciphers (default: medium)
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. The default grade ("medium") is sufficiently strong that any benefit from globally restricting TLS sessions to a more stringent grade is likely negligible, especially given the fact that many implementations still do not offer any stronger ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" or "low" ciphers is typically not a good idea, as systems limited to just these are limited to obsolete browsers. No known SMTP clients fail to support at least one "medium" or "high" grade cipher.
smtpd_tls_mandatory_ciphers = high
# smtpd_tls_mandatory_exclude_ciphers (default: empty)
# Additional list of ciphers or cipher types to exclude from the Postfix SMTP server cipher list at mandatory TLS security levels. This list works in addition to the exclusions listed with smtpd_tls_exclude_ciphers (see there for syntax details).
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
# smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
# The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions.
smtpd_tls_mandatory_protocols = TLSv1.2,TLSv1.1,!SSLv2,!SSLv3,!TLSv1
# smtpd_tls_protocols (default: !SSLv2, !SSLv3)
# List of TLS protocols that the Postfix SMTP server will exclude or include with opportunistic TLS encryption.
smtpd_tls_protocols = TLSv1.2,TLSv1.1,!SSLv2,!SSLv3,!TLSv1
# smtpd_tls_security_level (default: empty)
# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes". Specify one of the following security levels:
# none - TLS will not be used.
#none - TLS will not be used.
# may - Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.
#smtpd_tls_security_level = may
# encrypt - Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_security_level = encrypt
# smtpd_tls_session_cache_database (default: empty)
# Name of the file containing the optional Postfix SMTP server TLS session cache.
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# tls_preempt_cipherlist (default: no)
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead of the remote client's cipher preference order.
tls_preempt_cipherlist = yes
# tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)
# The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions.
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
# --- TLS configuration END ---
