Initial commit

etc/postfix/header_checks

@@ -0,0 +1,2 @@
+/^To:.*@[^@]*\.de-mail\.de/ REJECT "Sorry, you tried contacting a De-Mail Address. This is a special System by the German government, not compatible with E-Mail. More info here: https://www.cio.bund.de/Web/DE/Innovative-Vorhaben/De-Mail/de_mail_node.html"
+/^(To|From).*@example\.com/    REJECT

etc/postfix/helo_checks

@@ -0,0 +1 @@
+DESKTOPRaihan REJECT

etc/postfix/main.cf

@@ -0,0 +1,87 @@
+# general configuration options
+smtpd_banner = danwin1210.de ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 10h
+myhostname = danwin1210.de
+alias_maps = 
+alias_database = 
+myorigin = danwin1210.de
+mydestination = 
+mynetworks = 127.0.0.0/8 192.168.178.0/24 10.9.0.0/24
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+ignore_mx_lookup_error = yes
+always_add_missing_headers = yes
+message_drop_headers = bcc content-length resent-bcc return-path x-mailer x-originating-ip user-agent x-received x-sender-ip x-client-ip x-client-hostname
+notify_classes = 2bounce data delay resource software
+message_size_limit = 52428800
+backwards_bounce_logfile_compatibility = no
+show_user_unknown_table_name = no
+virtual_transport = lmtp:unix:/private/dovecot-lmtp
+compatibility_level = 3.6
+smtputf8_autodetect_classes = all
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
+smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
+smtpd_tls_ciphers = HIGH
+smtpd_tls_mandatory_ciphers = HIGH
+smtp_tls_ciphers = HIGH
+smtp_tls_mandatory_ciphers = HIGH
+tls_eecdh_auto_curves = X448 X25519 secp521r1 secp384r1 prime256v1
+smtpd_tls_protocols = TLSv1.2 TLSv1.3
+smtp_tls_protocols = TLSv1.2 TLSv1.3
+smtpd_tls_exclude_ciphers = aNULL MD5 SHA CAMELLIA
+smtpd_tls_mandatory_exclude_ciphers = aNULL MD5 SHA CAMELLIA
+smtp_tls_exclude_ciphers = aNULL MD5 SHA CAMELLIA AES+SHA256 AES+SHA384
+smtp_tls_mandatory_exclude_ciphers = aNULL MD5 SHA CAMELLIA AES+SHA256 AES+SHA384
+tls_preempt_cipherlist = yes
+smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtp_tls_CApath = /etc/ssl/certs
+smtp_dns_support_level = dnssec
+tls_ssl_options = NO_RENEGOTIATION
+smtp_tls_chain_files = /etc/postfix/danwin1210-mail.chain
+smtpd_tls_received_header = yes
+
+#lookup maps for domains and email addresses
+relay_domains = torbox.danwin1210.me torbox.danwin1210.de
+canonical_maps = inline:{{@mail2tor.onion=@mail2tor.com}, {@torbox3uiot6wchz.onion=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.onion=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.danwin1210.me=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}, {@torbox.danwin1210.de=@torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion}}
+sender_canonical_maps = inline:{{@localhost=@danwin1210.de}, {@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion=@danwin1210.de}, {@danwin1210.me=@danwin1210.de}}
+transport_maps = inline:{{torbox3uiot6wchz.onion=relay:[torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion]:25}, {.onion=smtp}, {mail2tor.com=relay:[xc7tgk2c5onxni2wsy76jslfsitxjbbptejnqhw6gy2ft7khpevhc7ad.onion]:25}, {blackhost.xyz=relay:[blackhost7pws76u6vohksdahnm6adf7riukgcmahrwt43wv2drvyxid.onion]:25}} proxy:mysql:/etc/postfix/sql/mysql_transport_maps.cf inline:{*=relay:[10.9.0.1]:1025}
+virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
+virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
+virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
+
+#sasl authentication and restrictions
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = danwin1210.de
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_client_restrictions = reject_unauth_pipelining
+smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:12340, permit_sasl_authenticated, check_recipient_access proxy:mysql:/etc/postfix/sql/mysql_tls_policy_in.cf
+smtpd_sender_restrictions = reject_sender_login_mismatch, check_sender_access inline:{{<> = REJECT}}, permit_sasl_authenticated
+smtpd_relay_restrictions = permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination
+smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_auth_maps.cf
+smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_checks
+
+# anti-spam settings
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = inet:127.0.0.1:11332
+milter_default_action = accept
+milter_protocol = 6
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+disable_vrfy_command = yes
+smtpd_discard_ehlo_keywords = silent-discard, dsn
+smtpd_delay_reject = yes
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+default_destination_concurrency_limit = 2
+smtpd_recipient_limit = 10

etc/postfix/master.cf

@@ -0,0 +1,132 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       2       smtpd
+ -o smtpd_sasl_auth_enable=no
+ -o { smtpd_sender_restrictions = check_sender_access inline:{double-bounce@mail.danwin1210.de=OK} check_sender_access mysql:/etc/postfix/sql/mysql_virtual_domain_unauth_block.cf }
+26      inet  n       -       n       -       2       smtpd
+ -o smtpd_sasl_auth_enable=no
+ -o { smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/sql/mysql_virtual_domain_unauth_block.cf }
+ -o smtpd_tls_security_level=may
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+smtps     inet  n       -       n       -       2       smtpd
+  -o smtpd_tls_wrappermode=yes
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+587       inet  n       -       y       -       2       smtpd
+ -o smtpd_tls_security_level=encrypt
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+#proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay     unix  -       -       y       -       5       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+#local    unix  -       n       n       -       -       local
+#virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+#scalemail-backend unix	-	n	n	-	2	pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+

etc/postfix/sql/mysql_tls_policy_in.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 'reject_plaintext_session' FROM mailbox WHERE username=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1 AND enforce_tls_in = 1 UNION SELECT 'reject_plaintext_session' FROM alias WHERE address=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1 AND enforce_tls_in = 1

etc/postfix/sql/mysql_transport_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT ':' FROM domain WHERE domain='%d' AND active = '1'

etc/postfix/sql/mysql_virtual_alias_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT goto FROM alias WHERE address = CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = 1;

etc/postfix/sql/mysql_virtual_auth_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT username FROM mailbox WHERE username=CONCAT('%u', '@', COALESCE((SELECT target_domain FROM alias_domain WHERE alias_domain = '%d' AND active='1'), '%d')) AND active = '1'

etc/postfix/sql/mysql_virtual_domain_unauth_block.cf

@@ -0,0 +1,6 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 'REJECT' FROM domain WHERE domain='%d' AND active = '1'
+

etc/postfix/sql/mysql_virtual_domains_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

etc/postfix/sql/mysql_virtual_mailbox_maps.cf

@@ -0,0 +1,5 @@
+user = postfix_readonly
+password = YOUR_PASSWORD
+hosts = localhost
+dbname = postfix
+query = SELECT 1 FROM mailbox WHERE username='%s' AND active = '1'