Harry

Merge branch 'config' into 'master'

Saving config files



See merge request !1
# A Records
mail.onnix.io. 3600 IN A 104.236.204.239
imap.onnix.io. 3600 IN A 104.236.204.239
smtp.onnix.io. 3600 IN A 104.236.204.239
pop3.onnix.io. 3600 IN A 104.236.204.239
# MX Record
onnix.io. 14400 IN MX 10 mail.onnix.io.
# TXT Records
# SPF
onnix.io. 3600 IN TXT "v=spf1 ip4:104.236.204.239 -all"
# DMARC
_dmarc.onnix.io. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:rua@onnix.io; ruf=mailto:ruf@onnix.io; sp=none; ri=86400"
# DKIM
default._domainkey.onnix.io. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEc/P7mtLiKDNs4t8MfK8oZC+cjhW7Qihyi8I1bP+P5S983O8EM537Ynb/c7OlA7yuDl7EMNjWE/+ooHbuIdtJW1tGj+nvTw6rZGzkjRHDB6Ry0kUZ8O8iGNtQ8EFGbOzq0KRNMAFVgDGft7+tIqjY0YLoYFlMrwnudwh0SNAP2QIDAQAB"
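Review bot: The DKIM key published at `default._domainkey.onnix.io.` appears to be 1024-bit RSA, judging by the length and prefix of the `p=` value, which is below the 2048 bits RFC 8301 recommends for signers. Generating a 2048-bit key and publishing it under a new selector would allow a clean rotation. The DMARC record uses `p=none; sp=none`, so receivers are asked to take no action on mail that fails alignment. That is reasonable while reports are being collected, but a comment such as `# DMARC: monitoring only, move to p=quarantine once rua reports are clean` would record the intent.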
... ...
postmaster_address = aaron@onnix.io
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail
ssl=required
ssl_cert = </etc/pki/tls/private/onnix.io.crt
ssl_key = </etc/pki/tls/private/onnix.io.key
userdb {
driver = passwd
}
passdb {
args = %s
driver = pam
}
protocols = "imap"
protocol imap {
mail_plugins = "autocreate"
}
plugin {
autocreate = Trash
autocreate2 = Sent
autocreate3 = Inbox
autosubscribe = Trash
autosubscribe2 = Sent
autosubscribe3 = Inbox
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
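Review bot: `disable_plaintext_auth = no` lets Dovecot advertise and accept plaintext logins on connections that have not yet negotiated TLS. With `ssl=required` the server should refuse such a login, but a client may already have sent the password in the clear by then. Because `passdb` uses `driver = pam`, these are presumably system account passwords, so I would set `disable_plaintext_auth = yes`. A short comment on `args = %s` saying that the PAM service name follows the Dovecot service name would also help the next reader.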
... ...
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode s
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
... ...
default._domainkey.onnix.io onnix.io:default:/etc/pki/tls/private/onnix.dkim.key
... ...
*@onnix.io default._domainkey.onnix.io
... ...
127.0.0.1
::1
mail.onnix.io
104.236.204.239/32
... ...
# Host information
mail_owner = postfix
myhostname = mail.onnix.io
mydomain = onnix.io
myorigin = $mydomain
# Directories
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
tls_random_source = dev:/dev/urandom
# Networking
inet_interfaces = all
inet_protocols = all
mynetworks_style = host
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
# Maps
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# Checks
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/body_checks
# Relay
relay_domains =
relayhost =
# Debug
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# Limits and Settings
html_directory = no
local_destination_recipient_limit = 300
local_destination_concurrency_limit = 5
mailbox_size_limit = 0
recipient_delimiter = +
setgid_group = postdrop
soft_bounce = no
unknown_local_recipient_reject_code = 550
broken_sasl_auth_clients = yes
# Mailbox handler
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
# Inbound SMTP
smtp_tls_CAfile = /etc/pki/tls/cert.pem
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Outbound SMTP
smtpd_banner = $myhostname
smtpd_helo_required = yes
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
# Incoming message requirements
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dnsbl.sorbs.net,
permit
# Outgoing TLS
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/private/onnix.io.crt
smtpd_tls_key_file = /etc/pki/tls/private/onnix.io.key
smtpd_tls_CAfile = /etc/pki/tls/cert.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, CAMELLIA, DES, IDEA, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-RC4-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-SEED-SHA, SEED-SHA
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, CAMELLIA, EXPORT, DES, IDEA, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-RC4-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-SEED-SHA, SEED-SHA
smtpd_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# DKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6
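Review bot: `smtpd_tls_auth_only = no`, combined with `smtpd_sasl_auth_enable = yes` and `smtpd_tls_security_level = may`, means port 25 offers AUTH before STARTTLS, so SASL credentials can cross the network in cleartext; I would set `smtpd_tls_auth_only = yes`. `smtpd_tls_security_level = may` is set twice in the TLS block, and the `# Inbound SMTP`, `# Outbound SMTP` and `# Outgoing TLS` comments are swapped relative to the parameters under them, since `smtp_*` configures the outbound client and `smtpd_*` the inbound server. `milter_default_action = accept` lets mail leave unsigned when the OpenDKIM milter is unreachable, which deserves a one-line comment if it is intentional. Of the DNSBLs listed, `dnsbl.njabl.org` has, as far as I know, been shut down for years and should be dropped.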
... ...
# Basic SMTP
smtp inet n - n - - smtpd
# Dovecot Handler
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smptd_sasl_path=private/auth
# Defaults
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
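Review bot: The last override on the `submission` service is misspelled as `-o smptd_sasl_path=private/auth`, so Postfix will not apply it as `smtpd_sasl_path`; it should read `-o smtpd_sasl_path=private/auth`. Authentication on that service presumably still works only because main.cf sets the same path globally. The `# Dovecot Handler` comment above the entry is also misleading, since it defines the submission listener with mandatory TLS and SASL. `# Submission: STARTTLS and SASL auth required` would describe it better.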
... ...
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
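Review bot: The `--dport 465` rule opens a port for which the master.cf in this merge defines no listener (only `smtp` and `submission` are declared), so I would drop that line until an `smtps` service exists. The chains keep `ACCEPT` as their built-in policy and rely on the trailing REJECT rules, so a flushed ruleset would leave every port reachable. No rule admits SSH, so confirm that remote administration uses another path before loading this file. These rules cover IPv4 only, while Postfix is set to `inet_protocols = all`, and the matching ip6tables file is not part of this merge.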
... ...