Size: 8697
Comment:
|
Size: 9464
Comment:
|
Line 219: | Line 219: |
== Makefile == * Nice trick to save some work {{{#!highlight ini root@mail/etc/postfix (git)-[master] # cat Makefile postmap: postmap /etc/postfix/access_client postmap /etc/postfix/access_helo postmap /etc/postfix/access_sender postmap /etc/postfix/access_recipient postmap /etc/postfix/body_checks postmap /etc/postfix/esmtp_access postmap /etc/postfix/header_checks postmap /etc/postfix/relay_domains postmap /etc/postfix/virtual postmap /etc/postfix/transport newaliases @echo "\nPlease issue 'postfix reload' to let configuration changes take effect." vim_syntax: cat vim_syntax.vim >> /usr/share/vim/vim73/syntax/pfmain.vim }}} |
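Review bot: Neither `postmap` nor `vim_syntax` is declared phony, so a file with either name in /etc/postfix makes `make` report the target as up to date and skip rebuilding the access maps, leaving stale lookup tables in force; add `.PHONY: postmap vim_syntax` above the rules. The `vim_syntax` recipe appends with `>>`, so every repeated run duplicates the syntax rules in the system-wide file, and the path is tied to vim73. `echo "\n…"` prints a literal `\n` under shells whose echo does not interpret escapes; `@printf '\n%s\n' "Please issue 'postfix reload' to let configuration changes take effect."` behaves the same everywhere.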
postfix
Crypto
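### Customs
# User-defined parameters. They are referenced below as $name so that the
# LMTP client, the SMTP client and the SMTP server share one TLS policy.
# main.cf has no inline comments: every note must sit on a line of its own.
#
# Ciphers removed from every cipher grade through the *_exclude_ciphers settings.
ciphers_insecure = RC4
# Cipher grade applied to both opportunistic and mandatory TLS.
# NOTE(review): combined with security level "may", a peer that cannot
# negotiate a "high" cipher may end up exchanging mail in cleartext instead;
# confirm this trade-off is intended.
cipher_suite_minimum = high
# Protocol exclusions. Postfix calls TLS 1.0 "TLSv1"; "TLSv1.0" is not a
# recognised protocol name and makes the whole list invalid (in the Postfix
# versions I know this is logged as a warning and TLS is disabled for the
# service). Check the mail log after reloading.
protocols_insecure = !SSLv2,!SSLv3,!TLSv1
# Opportunistic TLS: encrypt when the peer supports STARTTLS, cleartext
# otherwise; peer certificates are not verified at this level.
tls_security_level = may
# The *_tls_fingerprint_digest settings below use sha1 instead of the md5
# default. NOTE(review): prefer sha256 where the installed Postfix/OpenSSL
# supports it; the digest only matters where certificate fingerprints are matched.


### Cipherlists
##tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
##tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
##tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
##tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
##tls_null_cipherlist = eNULL:!aNULL


### LMTP Client
#lmtp_enforce_tls (default: no)
#lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)
#lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)
#lmtp_starttls_timeout (default: 300s)
#lmtp_tls_CAfile (default: empty)
#lmtp_tls_CApath (default: empty)
#lmtp_tls_block_early_mail_reply (default: empty)
#lmtp_tls_cert_file (default: empty)
#lmtp_tls_ciphers (default: export)
lmtp_tls_ciphers = $cipher_suite_minimum
#lmtp_tls_dcert_file (default: empty)
#lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)
#lmtp_tls_eccert_file (default: empty)
#lmtp_tls_eckey_file (default: empty)
#lmtp_tls_enforce_peername (default: yes)
#lmtp_tls_exclude_ciphers (default: empty)
lmtp_tls_exclude_ciphers = $ciphers_insecure
#lmtp_tls_fingerprint_cert_match (default: empty)
#lmtp_tls_fingerprint_digest (default: md5)
lmtp_tls_fingerprint_digest = sha1
#lmtp_tls_force_insecure_host_tlsa_lookup (default: no)
#lmtp_tls_key_file (default: $lmtp_tls_cert_file)
#lmtp_tls_loglevel (default: 0)
#lmtp_tls_mandatory_ciphers (default: empty)
lmtp_tls_mandatory_ciphers = $cipher_suite_minimum
#lmtp_tls_mandatory_exclude_ciphers (default: empty)
lmtp_tls_mandatory_exclude_ciphers = $ciphers_insecure
#lmtp_tls_mandatory_protocols (default: !SSLv2)
lmtp_tls_mandatory_protocols = $protocols_insecure
#lmtp_tls_note_starttls_offer (default: no)
#lmtp_tls_per_site (default: empty)
#lmtp_tls_policy_maps (default: empty)
#lmtp_tls_protocols (default: empty)
lmtp_tls_protocols = $protocols_insecure
#lmtp_tls_scert_verifydepth (default: 9)
#lmtp_tls_secure_cert_match (default: nexthop)
#lmtp_tls_security_level (default: empty)
# possible values: none, may, encrypt, dane, dane-only,
# fingerprint, verify, secure
lmtp_tls_security_level = $tls_security_level
#lmtp_tls_session_cache_database (default: empty)
#lmtp_tls_session_cache_timeout (default: 3600s)
#lmtp_tls_trust_anchor_file (default: empty)
#lmtp_tls_verify_cert_match (default: hostname)
#lmtp_use_tls (default: no) <- deprecated with 2.3 -> lmtp_tls_security_level


### SMTP Client
#smtp_enforce_tls (default: no)
#smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)
#smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
#smtp_starttls_timeout (default: 300s)
#smtp_tls_CAfile (default: empty)
#smtp_tls_CApath (default: empty)
#smtp_tls_block_early_mail_reply (default: no)
#smtp_tls_cert_file (default: empty)
#smtp_tls_cipherlist (default: empty) <- obsolete
#smtp_tls_ciphers (default: export)
smtp_tls_ciphers = $cipher_suite_minimum
#smtp_tls_dcert_file (default: empty)
#smtp_tls_dkey_file (default: $smtp_tls_dcert_file)
#smtp_tls_eccert_file (default: empty)
#smtp_tls_eckey_file (default: $smtp_tls_eccert_file)
#smtp_tls_enforce_peername (default: yes)
#smtp_tls_exclude_ciphers (default: empty)
smtp_tls_exclude_ciphers = $ciphers_insecure
#smtp_tls_fingerprint_cert_match (default: empty)
#smtp_tls_fingerprint_digest (default: md5)
smtp_tls_fingerprint_digest = sha1
#smtp_tls_force_insecure_host_tlsa_lookup (default: no)
#smtp_tls_key_file (default: $smtp_tls_cert_file)
#smtp_tls_loglevel (default: 0)
#smtp_tls_mandatory_ciphers (default: medium)
smtp_tls_mandatory_ciphers = $cipher_suite_minimum
#smtp_tls_mandatory_exclude_ciphers (default: empty)
smtp_tls_mandatory_exclude_ciphers = $ciphers_insecure
#smtp_tls_mandatory_protocols (default: !SSLv2)
smtp_tls_mandatory_protocols = $protocols_insecure
#smtp_tls_note_starttls_offer (default: no)
#smtp_tls_per_site (default: empty)
#smtp_tls_policy_maps (default: empty)
#smtp_tls_protocols (default: !SSLv2)
smtp_tls_protocols = $protocols_insecure
#smtp_tls_scert_verifydepth (default: 9)
#smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)
#smtp_tls_security_level (default: empty)
# possible values: none, may, encrypt, dane, dane-only,
# fingerprint, verify, secure
smtp_tls_security_level = $tls_security_level
#smtp_tls_session_cache_database (default: empty)
#smtp_tls_session_cache_timeout (default: 3600s)
#smtp_tls_trust_anchor_file (default: empty)
#smtp_tls_verify_cert_match (default: hostname)
#smtp_use_tls (default: no) <- deprecated with 2.3 -> smtp_tls_security_level


### SMTPD Server
#smtpd_client_new_tls_session_rate_limit (default: 0)
#smtpd_enforce_tls (default: no)
#smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)
#smtpd_starttls_timeout (default: see postconf -d output)
#smtpd_tls_CAfile (default: empty)
#smtpd_tls_CApath (default: empty)
#smtpd_tls_always_issue_session_ids (default: yes)
#smtpd_tls_ask_ccert (default: no)
#smtpd_tls_auth_only (default: no)
#smtpd_tls_ccert_verifydepth (default: 9)
#smtpd_tls_cert_file (default: empty)
#smtpd_tls_cipherlist (default: empty) <- obsolete
#smtpd_tls_ciphers (default: export)
smtpd_tls_ciphers = $cipher_suite_minimum
#smtpd_tls_dcert_file (default: empty)
#smtpd_tls_dh1024_param_file (default: empty)
#smtpd_tls_dh512_param_file (default: empty)
#smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)
#smtpd_tls_eccert_file (default: empty)
#smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)
#smtpd_tls_eecdh_grade (default: see postconf -d output)
#smtpd_tls_exclude_ciphers (default: empty)
smtpd_tls_exclude_ciphers = $ciphers_insecure
#smtpd_tls_fingerprint_digest (default: md5)
smtpd_tls_fingerprint_digest = sha1
#smtpd_tls_key_file (default: $smtpd_tls_cert_file)
#smtpd_tls_loglevel (default: 0)
#smtpd_tls_mandatory_ciphers (default: medium)
smtpd_tls_mandatory_ciphers = $cipher_suite_minimum
#smtpd_tls_mandatory_exclude_ciphers (default: empty)
smtpd_tls_mandatory_exclude_ciphers = $ciphers_insecure
#smtpd_tls_mandatory_protocols (default: !SSLv2)
smtpd_tls_mandatory_protocols = $protocols_insecure
#smtpd_tls_protocols (default: none)
smtpd_tls_protocols = $protocols_insecure
#smtpd_tls_received_header (default: no)
#smtpd_tls_req_ccert (default: no)
#smtpd_tls_security_level (default: empty)
# possible values: none, may, encrypt
smtpd_tls_security_level = $tls_security_level
#smtpd_tls_session_cache_database (default: empty)
#smtpd_tls_session_cache_timeout (default: 3600s)
#smtpd_tls_wrappermode (default: no)
#smtpd_use_tls (default: no) <- deprecated with 2.3 -> smtpd_tls_security_level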
- Looks nicer in vim once the commented-out defaults (lines starting with a single #) are deleted:
1 :g/^#[^#]/d
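### Customs
## User-defined parameters, referenced below as $name so that the LMTP
## client, the SMTP client and the SMTP server share one TLS policy.
## main.cf has no inline comments: every note must sit on a line of its own.
##
## Ciphers removed from every cipher grade through *_exclude_ciphers.
ciphers_insecure = RC4
## Cipher grade for opportunistic and mandatory TLS.
## NOTE(review): with security level "may", a peer that cannot negotiate a
## "high" cipher may end up exchanging mail in cleartext; confirm intent.
cipher_suite_minimum = high
## Postfix calls TLS 1.0 "TLSv1"; "TLSv1.0" is not a recognised protocol
## name and makes the whole list invalid (in the Postfix versions I know
## this is logged as a warning and TLS is disabled for the service).
protocols_insecure = !SSLv2,!SSLv3,!TLSv1
## Opportunistic TLS: encrypt when the peer supports STARTTLS, cleartext
## otherwise; peer certificates are not verified at this level.
tls_security_level = may
## The *_tls_fingerprint_digest settings below use sha1 instead of the md5
## default. NOTE(review): prefer sha256 where the installed Postfix/OpenSSL
## supports it.


### Cipherlists
##tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
##tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
##tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
##tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
##tls_null_cipherlist = eNULL:!aNULL


### LMTP Client
lmtp_tls_ciphers = $cipher_suite_minimum
lmtp_tls_exclude_ciphers = $ciphers_insecure
lmtp_tls_fingerprint_digest = sha1
lmtp_tls_mandatory_ciphers = $cipher_suite_minimum
lmtp_tls_mandatory_exclude_ciphers = $ciphers_insecure
lmtp_tls_mandatory_protocols = $protocols_insecure
lmtp_tls_protocols = $protocols_insecure
lmtp_tls_security_level = $tls_security_level


### SMTP Client
smtp_tls_ciphers = $cipher_suite_minimum
smtp_tls_exclude_ciphers = $ciphers_insecure
smtp_tls_fingerprint_digest = sha1
smtp_tls_mandatory_ciphers = $cipher_suite_minimum
smtp_tls_mandatory_exclude_ciphers = $ciphers_insecure
smtp_tls_mandatory_protocols = $protocols_insecure
smtp_tls_protocols = $protocols_insecure
smtp_tls_security_level = $tls_security_level


### SMTPD Server
smtpd_tls_ciphers = $cipher_suite_minimum
smtpd_tls_exclude_ciphers = $ciphers_insecure
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_mandatory_ciphers = $cipher_suite_minimum
smtpd_tls_mandatory_exclude_ciphers = $ciphers_insecure
smtpd_tls_mandatory_protocols = $protocols_insecure
smtpd_tls_protocols = $protocols_insecure
smtpd_tls_security_level = $tls_security_level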
Makefile
* Nice trick to save some work
1 root@mail/etc/postfix (git)-[master] # cat Makefile
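# Helper targets for /etc/postfix: rebuild the indexed lookup tables and the
# alias database after editing their source files. Run from /etc/postfix
# with the privileges needed to write there.

# Both targets are commands, not files. Without .PHONY a stray file named
# "postmap" or "vim_syntax" in this directory would make the target look up
# to date, and the access maps would silently stay stale.
.PHONY: postmap vim_syntax

# Rebuild every indexed map, then the alias database. make stops at the
# first failing command, so a broken source file is not skipped silently.
# NOTE(review): body_checks and header_checks are often regexp:/pcre: tables,
# which Postfix reads directly and which need no postmap; confirm the table
# types against main.cf.
# printf replaces echo "\n...": echo only prints the blank line under shells
# whose echo interprets backslash escapes.
postmap:
	postmap /etc/postfix/access_client
	postmap /etc/postfix/access_helo
	postmap /etc/postfix/access_sender
	postmap /etc/postfix/access_recipient
	postmap /etc/postfix/body_checks
	postmap /etc/postfix/esmtp_access
	postmap /etc/postfix/header_checks
	postmap /etc/postfix/relay_domains
	postmap /etc/postfix/virtual
	postmap /etc/postfix/transport
	newaliases
	@printf '\n%s\n' "Please issue 'postfix reload' to let configuration changes take effect."

# Append the local syntax additions to vim's system-wide pfmain syntax file.
# The recipe appends on every invocation, so run it once per vim install:
# repeated runs duplicate the rules. The path is specific to vim 7.3.
vim_syntax:
	cat vim_syntax.vim >> /usr/share/vim/vim73/syntax/pfmain.vim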