# Listening
inet_interfaces = all

# Rate limits
local_destination_concurrency_limit = 20
default_destination_concurrency_limit = 20
in_flow_delay = 1s

# RFC Compliance
#smtpd_helo_required = yes
strict_rfc821_envelopes = yes

# Names
myhostname = HOST.DOMAIN
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# Address mangling
append_dot_mydomain = no
append_at_myorigin = yes

# User and domain maps
#virtual_alias_domains = DOMAIN
virtual_alias_maps = hash:/etc/postfix/virtual

# Aliases
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Queueing and bounces
delay_warning_time = 4h
bounce_queue_lifetime = 48h
maximal_queue_lifetime = 48h
bounce_size_limit = 2000

# Relaying, local, and backup domains
mydestination = HOST.DOMAIN, localhost
relay_domains = $mydestination
mynetworks = 127.0.0.0/8
smtpd_helo_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_invalid_hostname

smtpd_sender_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain

smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unauth_pipelining,
	reject_unknown_recipient_domain,
	reject_non_fqdn_recipient,
	reject_unauth_destination
#	check_policy_service inet:127.0.0.1:60000,
#	check_client_access pcre:/etc/postfix/dspam_filter_access

# Routing
transport_maps = hash:/etc/postfix/transport

# Size limits
message_size_limit = 104857600
mailbox_size_limit = 0
virtual_mailbox_limit = 0

# Mailboxes
home_mailbox = Maildir/
recipient_delimiter = -

# Deliver with Dovecot LDA
#dovecot_destination_recipient_limit = 1
#mailbox_transport = dovecot
#local_recipient_maps =

# Auth/SASL
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_authenticated_header = yes
# We override this in master.cf for port 587
smtpd_sasl_auth_enable = no

# TLS
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = ${queue_directory}/cache/prng_exch

# Server TLS
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_key_file = /etc/postfix/ssl/mail.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/cache/smtpd_tls
        
# Client TLS
smtp_tls_security_level = may
smtp_tls_mandatory_ciphers = high
smtp_tls_session_cache_database = btree:${queue_directory}/cache/smtp_tls
#smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# DSPAM
#dspam_destination_recipient_limit = 1
#dspam-add_destination_recipient_limit = 1
#dspam-fp_destination_recipient_limit = 1

# Outbound SMTP
#relayhost = smtpauth.yourISP.com
#smtp_sasl_auth_enable = yes
#smtp_sasl_mechanism_filter = login plain gssapi
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_security_options = noanonymous

# Debugging
#debug_peer_list = 209.235.147.0/24
#debug_peer_level = 2