#
# /etc/postfix/main.cf (Salt managed)
#


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

compatibility_level=2

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mail.ffho.net.cert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.ffho.net.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2 TLSv1.1 !TLSv1 !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL

# SASL parameters
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.ffho.net
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
virtual_alias_domains = hash:/etc/postfix/virtual-domains
virtual_alias_maps = hash:/etc/postfix/virtual-aliases

myorigin = /etc/mailname
mydestination = ffho.net, mail.in.ffho.net, mail.ffho.net, lists.ffho.net, localhost
relayhost = 

# Read mynetworks from file
mynetworks = /etc/postfix/mynetworks
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
 				
smtpd_sender_restrictions =     check_sender_access hash:/etc/postfix/sender_checks,   
				check_sender_access regexp:/etc/postfix/sender_checks_regexp,
                                reject_non_fqdn_sender,
                                reject_unknown_sender_domain

smtpd_recipient_restrictions =  check_recipient_access hash:/etc/postfix/access_recipient-rfc,
                                reject_non_fqdn_recipient,
                                reject_unknown_recipient_domain, 
                                permit_mynetworks, 
                                permit_sasl_authenticated,
                                reject_unauth_destination, 
                                reject_unauth_pipelining,
                                # Local Whitelist to override greylisting
                                check_client_access hash:/etc/postfix/greylist_override,
                                # greylisting by greyfix:
				check_policy_service unix:private/greyfix,
				permit

# switched from policyd-weight to postscreen on buster (policyd-weight didn't work anymore)
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
			pbl.spamhaus.org*2
			sbl-xbl.spamhaus.org*3
			bl.spamcop.net*2
			ix.dnsbl.manitu.net*3

# MailScanner checks
header_checks = regexp:/etc/postfix/header_checks