○ main.cf

・postfix-3.1.4で使っています
・完全コピーしないこと (エラーが出ることあり)

・compatibility_levelによっていくつかのパラメータが変わります
・main.cf.defaultではipv6が有効になっています
・このサイトではipv4のみ有効にしています
・inet_protocols = all → inet_protocols = ipv4
・smtpd_relay_restrictionsパラメータがsmtpd_recipient_restrictionsから分離されています

橙色文字 SASL認証 (DOVECOT) 追加分 (必要なければ削除)
青色文字 s25r+Starpit (必要なければ削除)
緑色文字 TLS (SSL) 接続を使う場合 (必要なければ削除)
・SSLv2, SSLv3はデフォルトで無効になってます(3.0.2以降)
・smtpd_tls_mandatory_ciphers (デフォルトはmedium)
・mediumとhighの違いは"postconf -d"でcipherlistを調べます
赤色文字 postscreen を使う場合 (必要なければ削除)
・ヴァージョンUPにともない パラメータ値 に変更があります
・postfixドキュメント等で充分に確認してください
・dbファイルの情報は"# db_stat -d ファイル名"で確認できます
紫色文字 (変更追加分)

○/etc/postfix/main.cf

 
# COMPATIBILITY
# Level 2 selects the Postfix 3.x built-in defaults; lower levels keep the
# legacy defaults for several parameters.
compatibility_level = 2

# SOFT BOUNCE
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

# QUEUE AND PROCESS OWNERSHIP
mail_owner = postfix
#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES
# Site-specific values: replace with your own host and domain names.
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = mail.528p.com
#mydomain = domain.tld
mydomain = 528p.com

# SENDING MAIL
#myorigin = $myhostname
myorigin = $mydomain

# RECEIVING MAIL
# "all" makes the SMTP server listen on every network interface of the host.
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
#mydestination = $myhostname, localhost.$mydomain, localhost
# $mydomain is included, so mail for user@$mydomain is delivered locally.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Clients in these networks are trusted: every smtpd_*_restrictions list in
# this file starts with permit_mynetworks, so they bypass the client, HELO and
# sender checks and may relay. Keep the list as narrow as possible and adjust
# the LAN range to your own network.
mynetworks = 192.168.0.0/24, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# NOTE(review): with compatibility_level = 2 the built-in default for
# relay_domains is empty; this line restores the older default explicitly.
# Confirm it is still wanted.
relay_domains = $mydestination

# INTERNET OR INTRANET
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

# REJECTING UNKNOWN RELAY USERS
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#in_flow_delay = 1s

# ADDRESS REWRITING
# hash: tables must be rebuilt with postmap after every edit of the source file.
canonical_maps = hash:/etc/postfix/canonical

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)

# "USER HAS MOVED" BOUNCE MESSAGES

# TRANSPORT MAP

# ALIAS DATABASE
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#recipient_delimiter = +

# DELIVERY TO MAILBOX
#home_mailbox = Mailbox
# The trailing slash selects Maildir-style delivery under each user's home.
home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
#mailbox_transport = cyrus
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local

# JUNK MAIL CONTROLS
# Both regexp tables must exist and be readable; their contents are not shown
# on this page.
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

# FAST ETRN SERVICE
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
# The active banner omits $mail_name and $mail_version, so the SMTP greeting
# does not announce the software name or release.
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP

# PARALLEL DELIVERY TO THE SAME DESTINATION
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
# debug_peer_level only affects peers matched by debug_peer_list, which is
# commented out here.
debug_peer_level = 2
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# Stock sample value: it is run only when a daemon is started with the -D
# option in master.cf.
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

# debugger_command =
#    PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#    echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#    >$config_directory/$process_name.$process_id.log & sleep 5

# debugger_command =
#    PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#    -dmS $process_name gdb $daemon_directory/$process_name
#    $process_id & sleep 1

# INSTALL-TIME CONFIGURATION INFORMATION
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
# IPv4 only on this site; main.cf.default ships with "all".
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix

# VRFY is disabled so remote clients cannot probe which local addresses exist.
disable_vrfy_command = yes
# 2097152 bytes = 2 MiB maximum message size, envelope information included.
message_size_limit = 2097152

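# ACCESS CONTROL
# SASL authentication is delegated to Dovecot; smtpd_sasl_path names the
# Dovecot auth socket, relative to queue_directory.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
#broken_sasl_auth_clients = yes
# Announce and accept AUTH only inside a TLS session, so that PLAIN/LOGIN
# credentials are never sent over an unencrypted connection.
smtpd_tls_auth_only = yes

smtpd_helo_required = yes

# The lookup tables referenced below (white-list.txt, tarpit_client, access)
# are not shown on this page; each must exist before Postfix is reloaded.
# The white list is consulted before the tarpit table, so the order matters.
# reject_unknown_client_hostname is strict: it also turns away legitimate
# senders whose forward and reverse DNS do not match.
smtpd_client_restrictions = permit_mynetworks,
    check_client_access regexp:/etc/postfix/white-list.txt,
    check_client_access regexp:/etc/postfix/tarpit_client,
    reject_unknown_client_hostname
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname,reject_unknown_helo_hostname
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/access,
    reject_non_fqdn_sender,reject_unknown_sender_domain
# Relay control: only mynetworks and SASL-authenticated clients may send to
# remote domains; everything else is deferred.
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,
    defer_unauth_destination
# NOTE(review): this list is evaluated after smtpd_relay_restrictions and has
# no permit_sasl_authenticated, so an authenticated client outside mynetworks
# is still rejected here for remote recipients unless a submission service in
# master.cf overrides it. Confirm against master.cf.
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

# TLS(openssl)
# Opportunistic TLS: STARTTLS is offered but not required. This is the current
# spelling of the legacy "smtpd_use_tls = yes".
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-server.crt
# The private key must be readable by root only.
smtpd_tls_key_file = /etc/pki/tls/private/mail-server.key
#smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
# This grade applies only where TLS is mandatory (security level "encrypt");
# opportunistic sessions are governed by smtpd_tls_ciphers instead.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache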

# POSTSCREEN
# These settings take effect only when the postscreen service is enabled in
# master.cf, which is not shown on this page.
# Clients in mynetworks skip the tests; the cidr table can permit or reject
# further addresses.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access
# Action for clients rejected by postscreen_access_list. Postfix 3.6 and later
# call this parameter postscreen_denylist_action; the old name is still
# accepted.
postscreen_blacklist_action= drop
# "enforce" lets the session continue so sender and recipient are logged, then
# rejects the delivery attempt.
postscreen_greet_action = enforce
# Only the listed reply codes count as a hit. postscreen_dnsbl_threshold is
# not set here, so a single listing is enough to fail the test.
# NOTE(review): before enabling, confirm that each list is still operated and
# that its usage terms allow queries from your resolver.
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..7;10;11],
    dnsbl.sorbs.net=127.0.0.[2..10]
postscreen_dnsbl_action = enforce
