michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/Makefile -- maintainance procedures
michael@146: ##
michael@146:
michael@146: # path configuration
michael@146: PREFIX = @l_prefix@
michael@146: SBINDIR = $(PREFIX)/sbin
michael@146: ETCDIR = $(PREFIX)/etc
michael@146:
michael@146: # program configuration
michael@146: RC = $(ETCDIR)/rc
michael@146: POSTALIAS = $(SBINDIR)/postalias
michael@146: POSTMAP = $(SBINDIR)/postmap
michael@146: POSTFIX = $(SBINDIR)/postfix
michael@146:
michael@146: # table filename configuration
michael@146: T_ACCESS = access
michael@146: T_CANONICAL = canonical
michael@146: T_GENERIC = generic
michael@146: T_VIRTUAL = virtual
michael@146: T_RELOCATED = relocated
michael@146: T_TRANSPORT = transport
michael@146: T_ALIASES = aliases
michael@179: T_CLIENTS = clients
michael@179: T_SENDERS = senders
michael@181: T_CLICRT = clicrt
michael@676: T_RECIPIENT = recipient
michael@676: T_HELO = helo
michael@146:
michael@146: # dependency tracking
michael@146: TIMESTAMP = .up-to-date
michael@146: DEPENDENCIES = Makefile master.cf main.cf $(TABLES)
michael@146:
michael@146: # managed tables:
michael@146: # - use extension ".db" for hash tables ("hash")
michael@146: # - use no extension for regex tables ("pcre")
michael@146: TABLES = \
michael@146: $(T_ACCESS).db \
michael@146: $(T_CANONICAL).db \
michael@146: $(T_GENERIC).db \
michael@146: $(T_VIRTUAL).db \
michael@146: $(T_RELOCATED).db \
michael@146: $(T_TRANSPORT).db \
michael@179: $(T_ALIASES).db \
michael@179: $(T_CLIENTS).db \
michael@179: $(T_SENDERS).db \
michael@676: $(T_CLICRT).db \
michael@676: $(T_RECIPIENT).db \
michael@676: $(T_HELO).db
michael@146:
michael@146: # default target
michael@146: all: $(TABLES) $(TIMESTAMP)
michael@146:
michael@146: # implicit checking and reloading
michael@146: $(TIMESTAMP): $(DEPENDENCIES)
michael@146: $(POSTFIX) check
michael@146: $(POSTFIX) reload >/dev/null 2>&1 || true
michael@146: touch $(TIMESTAMP) && chmod 600 $(TIMESTAMP)
michael@146:
michael@146: # explicit checking
michael@146: check:
michael@146: $(POSTFIX) check
michael@146:
michael@146: # hash table update targets
michael@146: $(T_ACCESS).db: $(T_ACCESS) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_ACCESS)
michael@146: $(T_CANONICAL).db: $(T_CANONICAL) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_CANONICAL)
michael@146: $(T_GENERIC).db: $(T_GENERIC) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_GENERIC)
michael@146: $(T_VIRTUAL).db: $(T_VIRTUAL) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_VIRTUAL)
michael@146: $(T_RELOCATED).db: $(T_RELOCATED) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_RELOCATED)
michael@146: $(T_TRANSPORT).db: $(T_TRANSPORT) $(MAKEFILE)
michael@146: $(POSTMAP) hash:$(T_TRANSPORT)
michael@146: $(T_ALIASES).db: $(T_ALIASES) $(MAKEFILE)
michael@146: $(POSTALIAS) hash:$(T_ALIASES)
michael@179: $(T_CLIENTS).db: $(T_CLIENTS) $(MAKEFILE)
michael@179: $(POSTMAP) hash:$(T_CLIENTS)
michael@179: $(T_SENDERS).db: $(T_SENDERS) $(MAKEFILE)
michael@179: $(POSTMAP) hash:$(T_SENDERS)
michael@181: $(T_CLICRT).db: $(T_CLICRT) $(MAKEFILE)
michael@181: $(POSTMAP) hash:$(T_CLICRT)
michael@676: $(T_RECIPIENT).db: $(T_RECIPIENT) $(MAKEFILE)
michael@676: $(POSTMAP) hash:$(T_RECIPIENT)
michael@676: $(T_HELO).db: $(T_HELO) $(MAKEFILE)
michael@676: $(POSTMAP) hash:$(T_HELO)
michael@146:
michael@146: # cleanup target
michael@146: clean:
michael@146: -rm -f $(TABLES)
michael@146: -rm -f $(TIMESTAMP)
michael@146:
michael@146: # process management
michael@146: start:
michael@146: $(RC) postfix start
michael@146: reload:
michael@146: $(RC) postfix reload
michael@146: stop:
michael@146: $(RC) postfix stop
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/master.cf -- Postfix master process table
michael@146: ##
michael@146: # ==========================================================================
michael@146: # service type private unpriv chroot wakeup maxproc command + args
michael@146: # (yes) (yes) (yes) (never) (100)
michael@146: # ==========================================================================
michael@146: smtp inet n - n - - smtpd
michael@495: #smtp inet n - n - - smtpd -o content_filter=spamass
michael@495: #smtp inet n - n - 1 postscreen
michael@495: #smtpd pass - - n - - smtpd
michael@495: #dnsblog unix - - n - 0 dnsblog
michael@495: #tlsproxy unix - - n - 0 tlsproxy
michael@146: #628 inet n - n - - qmqpd
michael@146: pickup fifo n - n 60 1 pickup
michael@146: cleanup unix n - n - 0 cleanup
michael@146: qmgr fifo n - n 300 1 qmgr
michael@146: tlsmgr unix - - n 1000? 1 tlsmgr
michael@146: rewrite unix - - n - - trivial-rewrite
michael@146: bounce unix - - n - 0 bounce
michael@146: defer unix - - n - 0 bounce
michael@146: trace unix - - n - 0 bounce
michael@146: verify unix - - n - 1 verify
michael@146: flush unix n - n 1000? 0 flush
michael@146: proxymap unix - - n - - proxymap
michael@146: proxywrite unix - - n - - proxymap
michael@146: smtp unix - - n - - smtp
michael@146: relay unix - - n - - smtp -o fallback_relay=
michael@146: showq unix n - n - - showq
michael@146: error unix - - n - - error
michael@146: retry unix - - n - - error
michael@146: local unix - n n - - local
michael@146: virtual unix - n n - - virtual
michael@146: lmtp unix - - n - - lmtp
michael@146: anvil unix - - n - 1 anvil
michael@146: scache unix - - n - 1 scache
michael@146: #maildrop unix - n n - - pipe flags=DRhu user=@l_nusr@ argv=@l_prefix@/bin/maildrop -d ${recipient}
michael@146: #cyrus unix - n n - - pipe user=@l_nusr@ argv=@l_prefix@/bin/cyrdeliver -e -r ${sender} -m ${extension} ${user}
michael@495: #dovecot unix - n n - - pipe flags=DR user=@l_rusr@ argv=@l_prefix@/libexec/dovecot/deliver -f ${sender} -d ${user} -n -m ${extension}
michael@495: #spamass unix - n n - - pipe flags=R user=@l_rusr@ argv=@l_prefix@/bin/spamc -f -u ${user} -e @l_prefix@/sbin/sendmail -oi -f ${sender} ${recipient}
michael@146: #uucp unix - n n - - pipe flags=Fqhu user=@l_nusr@ argv=@l_prefix@/bin/uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
michael@146: #ifmail unix - n n - - pipe flags=F user=@l_nusr@ argv=@l_prefix@/bin/ifmail -r $nexthop ($recipient)
michael@146: #bsmtp unix - n n - - pipe flags=Fq. user=@l_nusr@ argv=@l_prefix@/bin/bsmtp -f $sender $nexthop $recipient
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/main.cf -- Postfix main configuration
michael@146: ##
michael@146: ## Run "@l_prefix@/sbin/postconf -n" to see all parameters overriding
michael@146: ## defaults, run "@l_prefix@/sbin/postconf -d" to see all possible
michael@146: ## parameters and their defaults and read the following manual
michael@146: ## pages for description of each parameter: bounce(8), cleanup(8),
michael@146: ## defer(8), error(8), flush(8), lmtp(8), local(8), master(8),
michael@146: ## pickup(8), pipe(8), qmgr(8), showq(8), smtp(8), smtpd(8), spawn(8),
michael@146: ## trivial-rewrite(8).
michael@146: ##
michael@146:
michael@146: # users
michael@146: mail_owner = @l_musr@
michael@146: setgid_group = @l_rgrp@
michael@146: default_privs = @l_nusr@
michael@146:
michael@146: # local host
michael@146: myhostname = mail.example.com
michael@146: mydomain = example.com
michael@146: myorigin = $myhostname
michael@146:
michael@146: # smtp daemon
michael@146: #smtpd_banner = $myhostname ESMTP $mail_name
michael@146: inet_interfaces = 127.0.0.1
michael@146:
michael@146: # smtp client
michael@146: smtp_bind_address = 127.0.0.1
michael@146:
michael@146: # relaying
michael@146: mynetworks = 127.0.0.0/8
michael@146: #mydestination = $myhostname, localhost.$mydomain
michael@146: #relay_domains = $mydestination,
michael@146: # hash:@l_prefix@/etc/postfix/access
michael@664: #relay_clientcerts = hash:@l_prefix@/etc/postfix/clicrt
michael@146: #smtpd_recipient_restrictions = permit_mynetworks,
michael@146: # check_client_access hash:@l_prefix@/etc/postfix/access,
michael@146: # reject_unauth_destination
michael@146:
michael@146: # maps
michael@146: #canonical_maps = hash:@l_prefix@/etc/postfix/canonical
michael@146: #smtp_generic_maps = hash:@l_prefix@/etc/postfix/generic
michael@146: #virtual_alias_maps = hash:@l_prefix@/etc/postfix/virtual
michael@146: #relocated_maps = hash:@l_prefix@/etc/postfix/relocated
michael@146: #transport_maps = hash:@l_prefix@/etc/postfix/transport
michael@146: alias_maps = hash:@l_prefix@/etc/postfix/aliases
michael@146: alias_database = hash:@l_prefix@/etc/postfix/aliases
michael@146:
michael@146: # local delivery
michael@146: #local_recipient_maps = proxy:unix:passwd.byname $alias_maps
michael@146: recipient_delimiter = +
michael@146: mailbox_command = @l_prefix@/bin/procmail -a "$EXTENSION"
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/access -- access control for relaying
michael@146: ##
michael@146: ## Searched for both the client (hostname, parent domains, IP address,
michael@146: ## networks obtained by stripping least significant octets from IP
michael@146: ## address) and destination address (resolved destination address,
michael@146: ## parent domain, or localpart@) in order to allow relaying. Rejects
michael@146: ## the request if the result is REJECT or "[45]XX text". Permits the
michael@146: ## request if the result is OK or RELAY or all-numerical.
michael@146: ##
michael@146:
michael@146: # Syntax (see access(5)):
michael@146: # | user@domain action
michael@146: # | domain action
michael@146: # | user@ action
michael@146: # | net.work.addr.ess action
michael@146: # | net.work.addr action
michael@146: # | net.work action
michael@146: # | net action
michael@146: # where "action" is one of:
michael@146: # "[45]NN text", "REJECT", "OK", "restriction..."
michael@146: #
michael@146: # Examples:
michael@146: # | mail.example.com OK
michael@146: # | example.com REJECT
michael@146: # | 192.168.0.1 OK
michael@146: # | 192.168 REJECT
michael@146: # | postmaster@ OK
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/virtual -- virtual address translation
michael@146: ##
michael@146: ## Searched for virtual addresses user@domain, user and @domain
michael@146: ## (in this order). It redirect mail for all recipients, local or
michael@146: ## remote. The mapping affects only envelope recipients.
michael@146: ##
michael@146:
michael@146: # Syntax (see virtual(5)):
michael@146: # | user@domain address, address, ...
michael@146: # | user address, address, ...
michael@146: # | @domain address, address, ...
michael@146: #
michael@146: # Examples:
michael@146: # | @example.com john@example.com
michael@146: # | postmaster@example.com postmaster
michael@146: # | john@example1.com john1
michael@146: # | john@example2.com john2
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/aliases -- local mailbox aliases
michael@146: ##
michael@146: ## Searched for virtual addresses user@domain, user and @domain
michael@146: ## (in this order). It redirect mail for all recipients, local or
michael@146: ## remote. The mapping affects only envelope recipients.
michael@146: ##
michael@146:
michael@146: # Syntax (see aliases(5)):
michael@146: # | name: value, value, ...
michael@146: # where value is one of:
michael@146: # "address", "/file/name", "|command", ":include:/file/name"
michael@146: #
michael@146: # Examples:
michael@146: # | john.doe: john, doe
michael@146: # | robot: |/path/to/robot
michael@146: # | archive: /path/to/archive
michael@146: # | users: :include:/path/to/users.list
michael@146: # | owner-users: john.doe
michael@146:
michael@146: # standard mail targets
michael@146: nobody: /dev/null
michael@146: MAILER-DAEMON: postmaster
michael@146:
michael@146: # mailbox names for common services, roles and functions
michael@146: # (see RFC2142 for more details and expanded list of names)
michael@146: postmaster: root
michael@146: hostmaster: root
michael@146: security: root
michael@146: abuse: root
michael@146:
michael@146: # save unprivileged user storage of careless admins
michael@146: root: /dev/null
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/canonical -- address canonification on mail receiving
michael@146: ##
michael@146: ## Searched for canonical addresses for user@domain, user and @domain
michael@146: ## (in this order).
michael@146: ##
michael@146:
michael@146: # Syntax (see canonical(5)):
michael@146: # | user@domain address
michael@146: # | user address
michael@146: # | @domain address
michael@146: #
michael@146: # Examples:
michael@146: # | postmaster@mail.example.com postmaster@example.com
michael@146: # | john John.Doe
michael@146: # | @example.com @example.com
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/relocated -- relocate obsolete addresses
michael@146: ##
michael@146: ## Searched for relocated addresses user@domain, user and @domain
michael@146: ## (in this order). It bounces mail for all recipients.
michael@146: ##
michael@146:
michael@146: # Syntax (see relocated(5)):
michael@146: # | user@domain address
michael@146: # | user address
michael@146: # | @domain address
michael@146: #
michael@146: # Examples:
michael@146: # | john@invalid john@example.com
michael@146: # | john john@example.com
michael@146: # | @invalid john@example.com
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/generic -- address canonification on mail sending
michael@146: ##
michael@146: ## Searched for canonical addresses for user@domain, user and @domain
michael@146: ## (in this order).
michael@146: ##
michael@146:
michael@146: # Syntax (see generic(5)):
michael@146: # | user@domain address
michael@146: # | user address
michael@146: # | @domain address
michael@146: #
michael@146: # Examples:
michael@146: # | postmaster@mail.example.com postmaster@example.com
michael@146: # | john John.Doe
michael@146: # | @example.com @example.com
michael@146:
michael@146:
michael@146:
michael@146: ##
michael@146: ## @l_prefix@/etc/postfix/transport -- transport selection
michael@146: ##
michael@146: ## Searched for domain and .domain (in this order). It selects the
michael@146: ## specified transport facility for delivery.
michael@146: ##
michael@146:
michael@146: # Syntax (see transport(5)):
michael@146: # | domain transport:nexthop
michael@146: # | .domain transport:nexthop
michael@146: #
michael@146: # Examples:
michael@146: # | me.example.com local:
michael@146: # | you.example.com smtp:mail.example.com:2525
michael@146: # | example.com smtp:mail.example.com
michael@146: # | .example.com smtp:mail.example.com
michael@146:
michael@146:
michael@181:
michael@179: ##
michael@181: ## @l_prefix@/etc/postfix/clients -- control for relaying clients
michael@181: ##
michael@181: ## Searched for both the client (hostname, parent domains, IP address,
michael@181: ## networks obtained by stripping least significant octets from IP
michael@181: ## address) and destination address (resolved destination address,
michael@181: ## parent domain, or localpart@) in order to allow relaying. Rejects
michael@181: ## the request if the result is REJECT or "[45]XX text". Permits the
michael@181: ## request if the result is OK or RELAY or all-numerical.
michael@181: ##
michael@181:
michael@181: # Syntax (see postmap(5)):
michael@181: # | user@domain action
michael@181: # | domain action
michael@181: # | user@ action
michael@181: # | net.work.addr.ess action
michael@181: # | net.work.addr action
michael@181: # | net.work action
michael@181: # | net action
michael@181: # where "action" is one of:
michael@181: # "[45]NN text", "REJECT", "OK", "restriction..."
michael@181: #
michael@181: # Examples:
michael@181: # | mail.example.com OK
michael@181: # | example.com REJECT
michael@181: # | 192.168.0.1 OK
michael@181: # | 192.168 REJECT
michael@181: # | postmaster@ OK
michael@181:
michael@181:
michael@181:
michael@181: ##
michael@181: ## @l_prefix@/etc/postfix/senders -- control for relaying senders
michael@181: ##
michael@181: ## Searched for both the client (hostname, parent domains, IP address,
michael@181: ## networks obtained by stripping least significant octets from IP
michael@181: ## address) and destination address (resolved destination address,
michael@181: ## parent domain, or localpart@) in order to allow relaying. Rejects
michael@181: ## the request if the result is REJECT or "[45]XX text". Permits the
michael@181: ## request if the result is OK or RELAY or all-numerical.
michael@181: ##
michael@181:
michael@181: # Syntax (see access(5)):
michael@181: # | user@domain action
michael@181: # | domain action
michael@181: # | user@ action
michael@181: # | net.work.addr.ess action
michael@181: # | net.work.addr action
michael@181: # | net.work action
michael@181: # | net action
michael@181: # where "action" is one of:
michael@181: # "[45]NN text", "REJECT", "OK", "restriction..."
michael@181: #
michael@181: # Examples:
michael@181: # | mail.example.com OK
michael@181: # | example.com REJECT
michael@181: # | 192.168.0.1 OK
michael@181: # | 192.168 REJECT
michael@181: # | postmaster@ OK
michael@181:
michael@181:
michael@181:
michael@181: ##
michael@181: ## @l_prefix@/etc/postfix/clicrt -- user identity verification
michael@179: ##
michael@179: ## Searched for user names matching TLS certificate fingerprints
michael@179: ## when a client responding to the MTA's client certificate request
michael@179: ## presents a valid (signed from proper CA) certificate.
michael@179: ##
michael@179: ## To find such fingerprints given a valid client certificate:
michael@179: ## @l_prefix@/bin/openssl x509 -noout -fingerprint -sha1 -in certfile.pem
michael@179: ##
michael@179:
michael@181: # Syntax (fingerprint according to smtpd_tls_fingerprint_digest):
michael@181: # | fingerprint arbitrary-value
michael@181: #
michael@179: # Examples:
michael@181: # | B8:B8:A8:AE:B8:2A:2B:74:EC:43:FF:4F:B2:B2:AC:1E:B4:CE:26:1D user1
michael@181: # | 18:81:F5:22:18:BA:EB:15:FF:40:30:00:EA:C0:B4:2E:EC:AE:86:8E user2
michael@179:
michael@179:
michael@676:
michael@676: ##
michael@676: ## @l_prefix@/etc/postfix/recipient -- control for relaying recipients
michael@676: ##
michael@676: ## Searched for RCPT TO address, domain, parent domains, or localpart@
michael@676: ## and rejects the request if the result is REJECT or "[45]XX text" or
michael@676: ## permits the request if the result is OK or RELAY or all-numerical.
michael@676: ##
michael@676:
michael@676: # Syntax (see access(5)):
michael@676: # | user@domain action
michael@676: # | domain action
michael@676: # | user@ action
michael@676: # | net.work.addr.ess action
michael@676: # | net.work.addr action
michael@676: # | net.work action
michael@676: # | net action
michael@676: # where "action" is one of:
michael@676: # "[45]NN text", "REJECT", "OK", "restriction..."
michael@676: #
michael@676: # Examples:
michael@676: # | mail.example.com OK
michael@676: # | example.com REJECT
michael@676: # | 192.168.0.1 OK
michael@676: # | 192.168 REJECT
michael@676: # | postmaster@ OK
michael@676:
michael@676:
michael@676:
michael@676: ##
michael@676: ## @l_prefix@/etc/postfix/helo -- control for relaying helo transmissions
michael@676: ##
michael@676: ## Searched for HELO or EHLO hostname or parent domains and rejects the
michael@676: ## request if the result is REJECT or "[45]XX text" or permits the request
michael@676: ## if the result is OK or RELAY or all-numerical.
michael@676: ##
michael@676:
michael@676: # Syntax (see access(5)):
michael@676: # | user@domain action
michael@676: # | domain action
michael@676: # | user@ action
michael@676: # | net.work.addr.ess action
michael@676: # | net.work.addr action
michael@676: # | net.work action
michael@676: # | net action
michael@676: # where "action" is one of:
michael@676: # "[45]NN text", "REJECT", "OK", "restriction..."
michael@676: #
michael@676: # Examples:
michael@676: # | mail.example.com OK
michael@676: # | example.com REJECT
michael@676: # | 192.168.0.1 OK
michael@676: # | 192.168 REJECT
michael@676: # | postmaster@ OK
michael@676:
michael@676: