mail/postfix/postfix.sh

#!/bin/sh
cat > /etc/postfix/main.cf << MAINCF
# FQDN of system !reverse DNS!
myhostname = $HOSTNAME

# aliases
virtual_alias_maps = hash:/etc/postfix/virtual

recipient_delimiter = +

smtpd_relay_restictions =

smtpd_recipient_restrictions =
# white/blacklists
        check_recipient_access hash:/etc/postfix/access_recipient
        check_sender_access hash:/etc/postfix/access_sender,
        check_helo_access hash:/etc/postfix/access_helo,  
        check_client_access cidr:/etc/postfix/access_client, 
# deny mails for nonexistend recipients
        reject_non_fqdn_sender,   
        reject_non_fqdn_recipient,   
        reject_unknown_sender_domain,   
        reject_unknown_recipient_domain,
# allow mails of our users
        permit_sasl_authenticated,
        permit_mynetworks,
# deny mails to external destinations
        reject_unauth_destination,
# check against RBL
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
# check greylisting
        check_policy_service inet:postgrey:25
# check if the user exists in dovecot
        reject_unverified_recipient,
# let it out
        permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_path= inet:dovecot:100
smtpd_sasl_type = dovecot

# out
smtp_tls_security_level = may

# in
smtpd_tls_security_level = may
smtpd_tls_cert_file = $TLS_CERT
smtpd_tls_CAfile = $TLS_CHAIN
smtpd_tls_key_file = $TLS_KEY

smtpd_tls_dh1024_param_file = /etc/postfix/dh-params/2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh-params/512.pem
smtpd_tls_eecdh_grade = strong
tls_preempt_cipherlist = yes

smtpd_tls_auth_only = yes

# for lmtp relaying to dovecot
relay_domains = hash:/etc/postfix/relay_domains
MAINCF

[ -e /etc/postfix/relay_domains ] && rm /etc/postfix/relay_domains
for virtual_host in $VIRTUAL_HOSTS;do
	echo "$virtual_host lmtp:[dovecot]" >> /etc/postfix/relay_domains
done
postmap /etc/postfix/relay_domains

[ -e /etc/postfix/dh_512.pem ] || openssl gendh -out /etc/postfix/dh-params/512.pem -2 512
[ -e /etc/postfix/dh_2048.pem ] || openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048

postmap /etc/postfix/virtual
/usr/lib/postfix/master -c /etc/postfix -d
init 2018-03-08 15:45:31 +01:00			`#!/bin/sh`
			`cat > /etc/postfix/main.cf << MAINCF`
			`# FQDN of system !reverse DNS!`
			`myhostname = $HOSTNAME`

			`# aliases`
			`virtual_alias_maps = hash:/etc/postfix/virtual`

			`recipient_delimiter = +`

			`smtpd_relay_restictions =`

			`smtpd_recipient_restrictions =`
			`# white/blacklists`
			`check_recipient_access hash:/etc/postfix/access_recipient`
			`check_sender_access hash:/etc/postfix/access_sender,`
			`check_helo_access hash:/etc/postfix/access_helo,`
			`check_client_access cidr:/etc/postfix/access_client,`
			`# deny mails for nonexistend recipients`
			`reject_non_fqdn_sender,`
			`reject_non_fqdn_recipient,`
			`reject_unknown_sender_domain,`
			`reject_unknown_recipient_domain,`
			`# allow mails of our users`
			`permit_sasl_authenticated,`
			`permit_mynetworks,`
			`# deny mails to external destinations`
			`reject_unauth_destination,`
			`# check against RBL`
			`reject_rbl_client zen.spamhaus.org,`
			`reject_rbl_client ix.dnsbl.manitu.net,`
			`# check greylisting`
			`check_policy_service inet:postgrey:25`
			`# check if the user exists in dovecot`
			`reject_unverified_recipient,`
			`# let it out`
			`permit`

			`smtpd_sasl_auth_enable = yes`
			`smtpd_sasl_path= inet:dovecot:100`
			`smtpd_sasl_type = dovecot`

			`# out`
			`smtp_tls_security_level = may`

			`# in`
			`smtpd_tls_security_level = may`
			`smtpd_tls_cert_file = $TLS_CERT`
			`smtpd_tls_CAfile = $TLS_CHAIN`
			`smtpd_tls_key_file = $TLS_KEY`

			`smtpd_tls_dh1024_param_file = /etc/postfix/dh-params/2048.pem`
			`smtpd_tls_dh512_param_file = /etc/postfix/dh-params/512.pem`
			`smtpd_tls_eecdh_grade = strong`
			`tls_preempt_cipherlist = yes`

			`smtpd_tls_auth_only = yes`

			`# for lmtp relaying to dovecot`
			`relay_domains = hash:/etc/postfix/relay_domains`
			`MAINCF`

			`[ -e /etc/postfix/relay_domains ] && rm /etc/postfix/relay_domains`
			`for virtual_host in $VIRTUAL_HOSTS;do`
			`echo "$virtual_host lmtp:[dovecot]" >> /etc/postfix/relay_domains`
			`done`
			`postmap /etc/postfix/relay_domains`

			`[ -e /etc/postfix/dh_512.pem ] \|\| openssl gendh -out /etc/postfix/dh-params/512.pem -2 512`
			`[ -e /etc/postfix/dh_2048.pem ] \|\| openssl gendh -out /etc/postfix/dh-params/2048.pem -2 2048`

			`postmap /etc/postfix/virtual`
			`/usr/lib/postfix/master -c /etc/postfix -d`