Mail systems
Detailed Postfix configuration

# Global Postfix configuration file. This file lists only a subset
# of all 250+ parameters. See the sample-xxx.cf files for a full list.
#
# The general format is lines with parameter = value pairs. Lines
# that begin with whitespace continue the previous line. A value can
# contain references to other $names or ${name}s.
#
# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF
# POSTFIX STILL WORKS AFTER EVERY CHANGE.

# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing.  When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix

# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes.  Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix

# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = [HOSTNAME]

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = $myhostname

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites.  If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on.  By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost

# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4

# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain.  On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see sample-virtual.cf).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# sample-smtpd.cf).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
#mydestination = $myhostname, localhost.$mydomain
#mydestination = $myhostname, localhost.$mydomain $mydomain
#mydestination = $myhostname, localhost.$mydomain, $mydomain,
#      mail.$mydomain, www.$mydomain, ftp.$mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination and $inet_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in   
#   the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
#   feature of the Postfix local delivery agent (see sample-local.cf).
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =

# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# $inet_interfaces, while $local_recipient_maps is non-empty and the
# recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
#unknown_local_recipient_reject_code = 550
unknown_local_recipient_reject_code = 450

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix.  See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network.  Instead, specify an explicit
# mynetworks list by hand, as described below.

# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
mynetworks = [NETWORKS]

# The relay_domains parameter restricts what destinations this system will
# relay mail to.  See the smtpd_recipient_restrictions restriction in the
# file sample-smtpd.cf for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any
#   destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace.  Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction in the file sample-smtpd.cf.
#
#relay_domains = $mydestination
relay_domains = $mydestination, [MY-DOMAIN], $virtual_domains
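
An added example, not part of the original page: a small Python parser for the main.cf format described at the top of this file (parameter = value lines, continuation lines that begin with whitespace, $name and ${name} references) together with a check over the mynetworks and relay_domains settings of this section. The sample configuration, its host names and network ranges are constructed; the check only covers the literal forms shown on this page.

```python
import re
from ipaddress import ip_network

# Constructed sample in the format the page describes; the page's [HOSTNAME]
# and [NETWORKS] placeholders are filled with documentation values.
SAMPLE_MAIN_CF = """\
# comment lines are skipped
myhostname = mail.example.test
mydomain = $myhostname
mydestination = $myhostname, localhost.$mydomain,
    $mydomain
mynetworks_style = class
mynetworks = 192.0.2.0/24, 127.0.0.0/8,
    0.0.0.0/0
relay_domains = $mydestination, ${mydomain}
"""

# $name or ${name} reference inside a value
REF_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")


def parse_main_cf(text):
    """Return the raw, unexpanded parameters. Lines that begin with
    whitespace continue the previous value; when a parameter is defined
    twice, the last definition wins, as in Postfix."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % line)
            params[current] += " " + line.strip()
            continue
        if "=" not in line:
            # typically a continuation line that lost its leading whitespace
            raise ValueError("not a 'parameter = value' line: %r" % line)
        name, value = line.split("=", 1)
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, name, _chain=()):
    """Resolve $name / ${name} references recursively. An undefined
    parameter expands to the empty string; a reference loop is an error."""
    if name in _chain:
        raise ValueError("reference loop through $" + name)

    def replace(match):
        ref = match.group(1) or match.group(2)
        return expand(params, ref, _chain + (name,))

    return REF_RE.sub(replace, params.get(name, ""))


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relay_control_findings(params):
    """Flag settings in the TRUST AND RELAY CONTROL section that widen the
    set of 'trusted' clients allowed to relay through this server."""
    findings = []
    nets = split_list(expand(params, "mynetworks"))
    if nets:
        if "mynetworks_style" in params:
            findings.append("mynetworks_style is ignored because mynetworks is set explicitly")
        for net in nets:
            if net.startswith("/") or ":" in net.split("/")[0]:
                continue  # /file/name or type:table pattern (IPv6 not handled here)
            if ip_network(net, strict=False).prefixlen == 0:
                findings.append("mynetworks contains %s, so every SMTP client may relay" % net)
    elif params.get("mynetworks_style") == "class":
        findings.append("mynetworks_style = class trusts the whole class A/B/C network")
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("relay_domains expands to:", split_list(expand(cfg, "relay_domains")))
    for finding in relay_control_findings(cfg):
        print("finding:", finding)
```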

# INTERNET OR INTRANET

# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = gateway.my.domain
#relayhost = uucphost
#relayhost = [an.ip.add.ress]

# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 50 SMTP server process
# limit, this limits the mail inflow to 50 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s

# ADDRESS REWRITING
#
# Insert text from sample-rewrite.cf if you need to do address
# masquerading.
#
# Insert text from sample-canonical.cf if you need to do address
# rewriting, or if you need username->Firstname.Lastname mapping.
recipient_canonical_maps = ldap:ldapforwarding
sender_canonical_maps = hash:/etc/postfix/canonical
#masquerade_classes = header_recipient

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# Insert text from sample-virtual.cf if you need virtual domain support.
# virtual_maps is the pre-2.0 parameter name; newer Postfix releases call
# this virtual_alias_maps and still accept the old name for compatibility.
virtual_maps = hash:/etc/postfix/virtual, ldap:ldapvirtual

# "USER HAS MOVED" BOUNCE MESSAGES
#
# Insert text from sample-relocated.cf if you need "user has moved"
# style bounce messages. Alternatively, you can bounce recipients
# with an SMTP server access table. See sample-smtpd.cf.

# TRANSPORT MAP
#
# Insert text from sample-transport.cf if you need explicit routing.
transport_maps = hash:/etc/postfix/transport
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible.  Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
alias_maps = hash:/etc/aliases, ldap:ldapaliases

# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi".  This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +

# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
home_mailbox = Maildir/

# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception:  delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"

# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf.  The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for   
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/file/name
#mailbox_transport = cyrus

# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf.  The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for   
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =

# The luser_relay parameter specifies an optional destination address
# for unknown recipients.  By default, mail for unknown@$mydestination
# and unknown@[$inet_interfaces] is returned as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for   
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
 
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. See the file
# sample-smtpd.cf for an elaborate list of anti-UCE controls.

# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see the sample-filter.cf file.
#
header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
#
# By default, Postfix maintains deferred mail logfile information
# only for destinations that Postfix is willing to relay to (as
# specified in the relay_domains parameter). For other destinations,
# Postfix attempts to deliver ALL queued mail after receiving the
# SMTP "ETRN domain.tld" command, or after execution of "sendmail
# -qRdomain.tld". This can be slow when a lot of mail is queued.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this "fast ETRN/sendmail -qR" service.
#
#fast_flush_domains = $relay_domains
#fast_flush_domains =

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
mail_name = Postfix (i686)
smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter.  The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 10

# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      xxgdb $daemon_directory/$process_name $process_id & sleep 5

# If you don't have X installed on the Postfix machine, try:
# debugger_command =
#      PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#      echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#      >$config_directory/$process_name.$process_id.log & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix

# setgid_group: The group for mail submission and queue management
# commands.  This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop

# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
#
sample_directory = /etc/postfix/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /etc/postfix/README_FILES

# NOTE: Postfix keeps only the last definition of a parameter. These two
# lines come after the alias_maps setting in the ALIAS DATABASE section,
# so they override it and the ldap:ldapaliases table is not consulted
# unless they are removed.
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases

# And now the LDAP-Stuff:
# needs openldap to be installed
# Take a look at /usr/doc/packages/postfix/LDAP_README

ldapforwarding_bind_dn = [LDAP BIND DN]
ldapforwarding_bind_pw = [LDAP KENNWORT]
ldapforwarding_server_host = [LDAP SERVER]
ldapforwarding_server_port = 389
ldapforwarding_timeout = 30
ldapforwarding_search_base = [LDAP SEARCH BASE]
ldapforwarding_query_filter = (mail=%s)
ldapforwarding_result_attribute = mailforwardingaddress
ldapforwarding_lookup_wildcards = no
ldapforwarding_cache = no
ldapforwarding_cache_expiry = 3600
ldapforwarding_cache_size = 3276800

ldapvirtual_bind_dn = [LDAP BIND DN]
ldapvirtual_bind_pw = [LDAP KENNWORT]
ldapvirtual_server_host = [LDAP SERVER]
ldapvirtual_server_port = 389
ldapvirtual_timeout = 30
ldapvirtual_search_base = [LDAP SEARCH BASE]
ldapvirtual_query_filter = (mailforwardingaddress=%s)
ldapvirtual_result_attribute = mailmessagestore
ldapvirtual_lookup_wildcards = no
ldapvirtual_cache = no
ldapvirtual_cache_expiry = 3600
ldapvirtual_cache_size = 3276800

ldapinternet_bind_dn = [LDAP BIND DN]
ldapinternet_bind_pw = [LDAP KENNWORT]
ldapinternet_server_host = [LDAP SERVER]
ldapinternet_server_port = 389
ldapinternet_timeout = 30
ldapinternet_search_base = [LDAP SEARCH BASE]
ldapinternet_query_filter = (|(mail=%s)(mailforwardingaddress=%s)(mailalternateaddress=%s))
ldapinternet_result_attribute = polPersInetMailNI
ldapinternet_lookup_wildcards = no
ldapinternet_cache = no
ldapinternet_cache_expiry = 3600
ldapinternet_cache_size = 3276800

ldapaliases_bind_dn = [LDAP BIND DN]
ldapaliases_bind_pw = [LDAP KENNWORT]
ldapaliases_server_host = [LDAP SERVER]
ldapaliases_server_port = 389
ldapaliases_timeout = 30
ldapaliases_search_base = [LDAP SEARCH BASE]
ldapaliases_query_filter = (&(mailalternateaddress=%s)(mailmessagestore=*@$myhostname))
ldapaliases_result_attribute = mailmessagestore
ldapaliases_lookup_wildcards = no
ldapaliases_cache = no
ldapaliases_cache_expiry = 3600
ldapaliases_cache_size = 3276800

#
# UCE RESTRICTIONS
#

# The smtpd_client_restrictions parameter specifies optional restrictions
# on SMTP client host names and addresses.
#
# The default is to allow connections from any host.  The following
# restrictions are available:
#
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   check_client_access maptype:mapname
#   maptype:mapname: look up client name, parent domains, client address,
#                   or networks obtained by stripping octets.
#                   Reject if result is REJECT or "[45]xx text"
#                   Permit otherwise.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# smtpd_client_restrictions = reject_unknown_client, permit_mynetworks, reject
smtpd_client_restrictions = reject_unknown_client, permit

# The smtpd_helo_required parameter optionally turns on the requirement
# that SMTP clients must introduce themselves at the beginning of an
# SMTP session.
#
# smtpd_helo_required = no
smtpd_helo_required = yes

# The smtpd_helo_restrictions parameter specifies optional restrictions
# on what SMTP clients can send in SMTP HELO and EHLO commands.
#
# The default is to permit everything.  The following restrictions
# are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   check_helo_access maptype:mapname
#   maptype:mapname: look up HELO hostname or parent domains.
#                   Reject if result is REJECT or "[45]xx text"
#                   Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# smtpd_helo_restrictions = reject_invalid_hostname
# smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname
# smtpd_helo_restrictions = reject_unknown_client, reject_invalid_hostname, permit
smtpd_helo_restrictions = reject_invalid_hostname,permit

#
smtpd_restriction_classes = internet_erlaubt_abfragen

internet_erlaubt_abfragen = check_sender_access hash:/etc/postfix/smarthost_ausnahme,
    check_recipient_access ldap:ldapinternet,
    reject

# The smtpd_sender_restrictions parameter specifies optional restrictions
# on sender addresses that SMTP clients can send in MAIL FROM commands.
#
# The default is to permit any sender address.  The following
# restrictions are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#   check_sender_access maptype:mapname
#   maptype:mapname: look up sender address, parent domain, or localpart@.
#                   Reject if result is REJECT or "[45]xx text"
#                   Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   check_helo_access maptype:mapname: see smtpd_helo_restrictions.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   reject_non_fqdn_sender: reject sender address that is not in FQDN form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# smtpd_sender_restrictions = reject_unknown_address
# smtpd_sender_restrictions = reject_unknown_address, hash:/etc/postfix/access
# smtpd_sender_restrictions = hash:/etc/postfix/restricted_senders, reject
#
#
# The SENDERS of the MAIL are CHECKED here
#
smtpd_sender_restrictions = reject_non_fqdn_sender, check_client_access
    hash:/etc/postfix/check_client_access,
    reject_unknown_sender_domain, permit

# The smtpd_recipient_restrictions parameter specifies restrictions on
# recipient addresses that SMTP clients can send in RCPT TO commands.
#
# The default is to permit any destination from clients that match
# $mynetworks, and to otherwise permit only mail from or to domains
# listed in $relay_domains.
#
# The following restrictions are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_client: reject the request if the client hostname is
#                          unknown.
#   reject_maps_rbl: reject if the client is listed under $maps_rbl_domains.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#   check_relay_domains: permit only mail from/to domains in $relay_domains.
#   permit_mx_backup: accept mail for sites that list me as MX host.
#   reject_unknown_recipient_domain: reject domains without A or MX record.
#   check_recipient_access maptype:mapname
#   maptype:mapname: look up recipient address, parent domain, or localpart@.
#                   Reject if result is REJECT or "[45]xx text"
#                   Permit otherwise.
#   check_client_access maptype:mapname: see smtpd_client_restrictions.
#   check_helo_access maptype:mapname: see smtpd_helo_restrictions.
#   check_sender_access maptype:mapname: see smtpd_sender_restrictions.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   reject_non_fqdn_sender: reject sender address that is not in FQDN form
#   reject_non_fqdn_recipient: reject recipient address that is not in FQDN
#                              form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
#smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains
#smtpd_recipient_restrictions = reject_unknown_client,permit
#smtpd_recipient_restrictions = permit
#
#smtpd_recipient_restrictions = reject_non_fqdn_sender, check_sender_access
#    ldap:ldapinternet,
#    reject_unknown_recipient_domain, check_relay_domains
smtpd_recipient_restrictions = reject_non_fqdn_sender, check_sender_access
    ldap:ldapinternet,
    reject_unknown_recipient_domain, reject_unauth_destination
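As an added illustration (not code from this page or from Postfix), the following Python models how the smtpd_recipient_restrictions list set above is evaluated: restrictions run in the configured order, the first one that yields a verdict wins, and an OK result from check_sender_access ends evaluation before reject_unauth_destination is ever reached. The access map, the domain lists and the DNS answers are constructed stand-ins for ldap:ldapinternet, mydestination, relay_domains and real lookups.

```python
"""Model of Postfix smtpd_recipient_restrictions evaluation (added
illustration, not Postfix code): restrictions run in the configured order,
the first one that yields a verdict wins, and an exhausted list permits.

The access map, domain lists and DNS answers below are constructed stand-ins
for ldap:ldapinternet, mydestination, relay_domains and real DNS lookups."""
import re

# Constructed stand-in for the ldap:ldapinternet sender lookup.
SENDER_ACCESS = {
    "spammer.example": "REJECT",               # whole domain (and subdomains)
    "ceo@corp.example": "OK",                  # one specific address
    "noreply@": "550 no automated senders",    # localpart@ form
}

# Constructed stand-ins for DNS (A/MX record exists) and local settings.
KNOWN_DOMAINS = {"corp.example", "partner.example", "spammer.example", "mail.example"}
MYDESTINATION = {"corp.example"}
RELAY_DOMAINS = {"partner.example"}


def access_lookup(table, address):
    """Look up an address the way check_*_access does: full address first,
    then the domain and each parent domain, then localpart@."""
    if address in table:
        return table[address]
    localpart, _, domain = address.rpartition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get(localpart + "@")


def access_verdict(result):
    """REJECT or a '4xx/5xx text' result rejects; any other result permits."""
    if result is None:
        return None
    if result == "REJECT" or re.match(r"[45]\d\d(\s|$)", result):
        return "reject"
    return "permit"


def reject_non_fqdn_sender(sender, rcpt):
    if not sender:                      # the null sender <> is never rejected here
        return None
    return "reject" if "." not in sender.rpartition("@")[2] else None


def check_sender_access(sender, rcpt):
    return access_verdict(access_lookup(SENDER_ACCESS, sender))


def reject_unknown_recipient_domain(sender, rcpt):
    return "reject" if rcpt.rpartition("@")[2] not in KNOWN_DOMAINS else None


def reject_unauth_destination(sender, rcpt):
    """Reject unless the recipient domain is local or an allowed relay domain."""
    return None if rcpt.rpartition("@")[2] in MYDESTINATION | RELAY_DOMAINS else "reject"


# Same order as the smtpd_recipient_restrictions setting above.
RESTRICTIONS = [reject_non_fqdn_sender, check_sender_access,
                reject_unknown_recipient_domain, reject_unauth_destination]


def evaluate(sender, rcpt, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(sender, rcpt)
        if verdict is not None:
            return verdict, restriction.__name__
    return "permit", "end-of-list"


if __name__ == "__main__":
    for s, r in [("ceo@corp.example", "victim@mail.example"),
                 ("alice@mail.example", "bob@mail.example")]:
        print(s, "->", r, evaluate(s, r))
```

Because the MAIL FROM address is not authenticated, any sender for which the ldapinternet lookup answers OK can relay through this host to arbitrary destinations; placing reject_unauth_destination before the sender lookup removes that exposure.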

#
# RESPONSE CODES
#

# The access_map_reject_code parameter specifies the SMTP server
# response code when a client violates an access map restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
access_map_reject_code = 550


# The invalid_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_invalid_hostname anti-UCE
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
invalid_hostname_reject_code = 501


# The maps_rbl_reject_code parameter specifies the SMTP server response
# when a client violates the maps_rbl_domains restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
maps_rbl_reject_code = 550

# The reject_code parameter specifies the SMTP server response code
# when an SMTP client matches a reject restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
reject_code = 550


# The relay_domains_reject_code parameter specifies the SMTP server
# response when a client attempts to violate the mail relay policy.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
relay_domains_reject_code = 550


# The unknown_address_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_address restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
unknown_address_reject_code = 550


# The unknown_client_reject_code parameter specifies the SMTP server
# response when a client without address to name mapping violates
# the reject_unknown_clients restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
unknown_client_reject_code = 550

# The unknown_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_hostname
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 822.
#
unknown_hostname_reject_code = 550

#
# MISCELLANEOUS CONTROLS
#

# The best_mx_transport parameter controls what happens when the
# local system is listed as the best MX host for a destination. By
# default, Postfix reports a "mail loops back to myself" error and
# bounces the message. Specify "best_mx_transport = local" to pass
# the mail to the local delivery agent. You can specify any transport
# that is defined in the master.cf file.
#
# best_mx_transport =

# The fallback_relay parameter specifies zero or more hosts or domains
# to hand off mail to if a message destination is not found, or if a
# destination is unreachable.
#
# By default, mail is bounced when a destination is not found, and
# delivery is deferred if a destination is unreachable.
#
fallback_relay=[SMARTHOST]

# The ignore_mx_lookup_error parameter controls what happens when a
# name server fails to respond to an MX lookup request. By default,
# Postfix defers delivery and tries again after some delay. Specify
# "ignore_mx_lookup_error = yes" to force an A record lookup instead.
#
ignore_mx_lookup_error = no

# The smtp_skip_4xx_greeting parameter controls what happens when
# an SMTP server greets us with a 4XX status code. By default, Postfix
# backs off. Specify "smtp_skip_4xx_greeting = yes" to move on to the
# next mail exchanger.
#
smtp_skip_4xx_greeting = no

# The smtp_skip_quit_response parameter controls whether the SMTP
# client waits for the response to the QUIT command. The default is
# to not wait.
#
smtp_skip_quit_response = yes

#
# RATE CONTROLS
#
# The smtp_destination_concurrency_limit parameter limits the number
# of parallel deliveries to the same destination via the smtp delivery
# agent.
#
# The default limit is the default_destination_concurrency_limit
# parameter. It is probably safer to limit the concurrency to 10.
#
smtp_destination_concurrency_limit = 10

# The smtp_destination_recipient_limit parameter limits the number
# of recipients per delivery via the smtp delivery agent.
#
# The default is taken from the default_destination_recipient_limit
# parameter.
#
smtp_destination_recipient_limit = $default_destination_recipient_limit

# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information.
#
message_size_limit = 99437184
mailbox_size_limit = 512000000

#
# FILTER
#

# The body_checks parameter specifies an optional table with patterns
# that each physical line in the message body is matched against
# (including MIME headers inside the message body - Postfix does not
# recognize multi-line MIME headers).  Lines are matched one at a
# time.  Long lines are matched in chunks of at most $line_length_limit
# characters. Patterns are matched in the specified order, and the
# search stops upon the first match.  When a pattern matches, what
# happens next depends on the associated action:
#
# REJECT the entire message is rejected.
#
# IGNORE the body line is silently discarded.
#
# OK    Nothing happens. The message will still be rejected when some
#       other body line matches a REJECT pattern.
#
body_checks = regexp:/etc/postfix/body_checks
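An added illustration (not code from this page or from Postfix) of how a regexp: body_checks table is applied: each physical body line is examined in chunks of at most line_length_limit characters, patterns are tried in table order, the first match decides, and REJECT, IGNORE and OK behave as described above. The table contents, the tracker host name and the message lines are constructed; the Postfix 'x' (extended syntax) flag is accepted but has no counterpart in Python's re and is ignored.

```python
"""Model of how Postfix applies a regexp: body_checks table (added
illustration, not Postfix code): each physical body line is examined in
chunks of at most line_length_limit characters, patterns are tried in table
order, the first match decides, and the action is REJECT, IGNORE or OK.
The table contents and the message lines are constructed."""
import re

LINE_LENGTH_LIMIT = 2048   # Postfix default for line_length_limit

# Constructed sample table standing in for /etc/postfix/body_checks.
BODY_CHECKS_TABLE = r"""
# executables hidden in attachment headers inside the body
/^Content-(Disposition|Type):.*name="?.*\.(exe|scr|pif|bat)"?/  REJECT Executable attachment not allowed
# silently drop tracking pixels from a constructed tracker host
/^<img src="http:\/\/tracker\.example\//  IGNORE
# everything else passes (a later REJECT line would still apply)
/./  OK
"""

# /pattern/flags action  -- the pattern may contain escaped slashes
RULE_RE = re.compile(r'^/((?:\\.|[^/\\])*)/([imx]*)\s+(\S.*)$')


def parse_table(text):
    """Parse regexp: table lines into (compiled pattern, action, text) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("unsupported table line: " + line)
        pattern, flags, action = match.groups()
        # Postfix regexp tables match case-insensitively by default;
        # the 'i' flag toggles that off.  'x' is accepted but ignored here.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        if "m" in flags:
            re_flags |= re.MULTILINE
        verb, _, text_arg = action.partition(" ")
        rules.append((re.compile(pattern, re_flags), verb.upper(), text_arg))
    return rules


def check_body(body_lines, rules):
    """Return ('REJECT', reason) or ('OK', lines that survive IGNORE)."""
    kept = []
    for line in body_lines:
        # long lines are matched in chunks of at most LINE_LENGTH_LIMIT chars
        chunks = [line[i:i + LINE_LENGTH_LIMIT]
                  for i in range(0, len(line), LINE_LENGTH_LIMIT)] or [""]
        drop = False
        for chunk in chunks:
            for pattern, verb, text_arg in rules:
                if pattern.search(chunk):
                    if verb == "REJECT":
                        return "REJECT", text_arg
                    if verb == "IGNORE":
                        drop = True
                    break   # the first matching pattern decides this chunk
        if not drop:
            kept.append(line)
    return "OK", kept


RULES = parse_table(BODY_CHECKS_TABLE)

if __name__ == "__main__":
    sample = ["Hello,", '<img src="http://tracker.example/p.gif">', "Regards"]
    print(check_body(sample, RULES))
```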

#################################################################################
#################################################################################

#
# MAILBOX DELIVERY CONTROLS
#

# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
# home_mailbox = Mailbox
home_mailbox = Maildir/

# always_bcc =

#########################################################################################

# To use TLS we do need a certificate and a private key. Both must be in
# "pem" format, the private key must not be encrypted, that does mean:
# it must be accessible without password. Both parts (certificate and
# private key) may be in the same file.
#
# Both RSA and DSA certificates are supported. Typically you will only
# have RSA certificates issued by a commercial CA, also the tools supplied
# with OpenSSL will by default issue RSA certificates.
# You can have both at the same time, in this case the cipher used decides,
# which certificate is presented. For Netscape and OpenSSL clients without
# special cipher choices, the RSA certificate is preferred.
#
# In order to check the certificates, the CA-certificate (in case of a
# certificate chain, all CA-certificates) must be available.
# You should add these certificates to the server certificate, the server
# certificate first, then the issuing CA(s).
#
# Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
# which itself has a certificate of "root CA". Create the server.pem file by
# 'cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem'
#
# If you want to accept certificates issued by these CAs yourself, you can
# also add the CA-certificates to the smtpd_tls_CAfile, in which case it is
# not necessary to have them in the smtpd_tls_[d]cert_file.
#
# A certificate supplied here must be usable as SSL server certificate and
# hence pass the "openssl verify -purpose sslserver ..." test.
#
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem

#
# Its DSA counterparts:
#smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
#smtpd_tls_dkey_file = $smtpd_tls_dcert_file

# The certificate was issued by a certification authority (CA), the CA-cert
# of which must be available, if not in the certificate file.
# This file may also contain the CA certificates of other trusted CAs.
# You must use this file for the list of trusted CAs if you want to use
# chroot-mode. No default is supplied for this value as of now.
#
#smtpd_tls_CAfile = /etc/postfix/certs/CAcert.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. The same CAs are offered to clients for
# client verification. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!
#
# To use this option in chroot mode, this directory itself or a copy of it
# must be inside the chroot jail. Please note also, that the CAs in this
# directory are not listed to the client, so that e.g. Netscape might not
# offer certificates issued by them.
#
# I therefore discourage the use of this option.
#
smtpd_tls_CApath = /etc/postfix/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of negotiation process
# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
# discouraged.
#
smtpd_tls_loglevel = 0

# To include information about the protocol and cipher used as well as the
# client and issuer CommonName into the "Received:" header, set the
# smtpd_tls_received_header variable to true. The default is no, as the
# information is not necessarily authentic. Only the final destination
# is reliable, since the headers might have been changed in between.
#
smtpd_tls_received_header = yes

# By default TLS is disabled, so no difference to plain postfix is visible.
# Explicitly switch it on here:
#
smtpd_use_tls = yes

# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
# are allowed without TLS. According to RFC2487 this MUST NOT be applied
# in case of a publicly-referenced SMTP server. So this option is off
# by default and should only seldom be used. Using this option implies
# smtpd_use_tls = yes
#
# smtpd_enforce_tls = no

# Besides RFC2487 some clients, namely Outlook [Express] prefer to run the
# non-standard "wrapper" mode, not the STARTTLS enhancement to SMTP.
# This is true for OE (Win32 < 5.0, and Win32 >= 5.0 when run on a port != 25)
# and OE 5.01 for Mac on all ports.
# It is strictly discouraged to use this mode from main.cf. If you want to
# support this service, enable a special port in master.cf. Port 465 (smtps)
# was once chosen for this feature.
#
# smtpd_tls_wrappermode = no

# To receive a client certificate, the server must explicitly ask for one.
# Hence netscape will either complain if no certificate is available (for
# the list of CAs in /etc/postfix/certs) or will offer you client certificates
# to choose from. This might be annoying, so this option is "off" by default.
# You will however need the certificate if you want to do e.g. certificate
# based relaying.
#
# smtpd_tls_ask_ccert = no

# You may also decide to REQUIRE a client certificate to allow TLS connections.
# I don't think it will be necessary often, it is however included here for
# completeness. This option implies smtpd_tls_ask_ccert = yes
#
# Please be aware, that this will inhibit TLS connections without a proper
# certificate and only makes sense, when normal submission is disabled and
# TLS is enforced (smtpd_enforce_tls). Otherwise clients may bypass by simply
# not using STARTTLS at all. When TLS is not enforced, the connection will be
# handled as if only smtpd_tls_ask_ccert = yes were set, and a message
# is logged.
#
# smtpd_tls_req_ccert = no

# The verification depth for client certificates. A depth of 1 is sufficient,
# if the certificate is directly issued by a CA listed in the CA locations.
# The default value (5) should also suffice for longer chains (root CA issues
# special CA which then issues the actual certificate...)
#
smtpd_tls_ccert_verifydepth = 3

# The server and client negotiate a session, which takes some computer time
# and network bandwidth. The session is cached only in the smtpd process
# actually using this session and is lost when the process dies.
# To share the session information between the smtpd processes, a disc based
# session cache can be used based on the SDBM databases (routines included
# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
# can be used.
#
#smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache


# The cached sessions time out after a certain amount of time. For Postfix/TLS
# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
# (=1 hour). RFC2246 recommends a maximum of 24 hours.
#
# smtpd_tls_session_cache_timeout = 3600s

# Two additional options have been added for relay control to the UCE rules:
#   permit_tls_clientcerts      (a)
# and
#   permit_tls_all_clientcerts. (b)
#
# If one of these options is added to
#   smtpd_recipient_restrictions,
# postfix will relay if
# (a) a valid (it passed the verification) client certificate is presented
#     and its fingerprint is listed in the list of client certs
#     (relay_clientcerts),
# (b) any valid (it passed the verification) client certificate is presented.
#
# Option (b) must only be used, if a special CA issues the certificates and
# only this CA is listed as trusted CA. If other CAs are trusted, any owner
# of a valid (SSL client)-certificate can relay. Option (b) can be practical
# for a specially created email relay. It is however recommended to stay with
# option (a) and list all certificates, as (b) does not permit any control
# when a certificate must no longer be used (e.g. an employee leaving).
#
# smtpd_recipient_restrictions = ... permit_tls_clientcerts ...

# The list of client certificates for which relaying will be allowed.
# Unfortunately the routines for lists in postfix use whitespace as
# separators and choke on special chars. So using the certificate
# X509ONELINES is quite impractical. We will use the fingerprints at
# this point, as they are difficult to fake but easy to use for lookup.
# As postmap (when using e.g. db) insists on having a pair of key and value,
# but we only need the key, the value can be chosen freely, e.g. the name
# of the user or host:
# D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
#
# relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# To influence the cipher selection scheme, you can give cipherlist-string.
# A detailed description would go too far here, please refer to the openssl
# documentation.
# If you don't know what to do with it, simply don't touch it and leave the
# (openssl-)compiled in default!
#
# DO NOT USE " to enclose the string, just the string!!!
#
# smtpd_tls_cipherlist = DEFAULT

# If you want to take advantage of ciphers with EDH, DH parameters are needed.
# There are built in DH parameters for both 1024bit and 512bit available. It
# is however better to have "own" parameters, since otherwise it would "pay"
# for a possible attacker to start a brute force attack against these
# parameters commonly used by everybody. For this reason, the parameters
# chosen are already different from those distributed with other TLS packages.
#
# To generate your own set of parameters, use
# openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
# openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
# (your source for "entropy" might vary; on Linux there is /dev/random, on
# other systems, you might consider the "Entropy Gathering Daemon EGD",
# available at http://www.lothar.com/tech/crypto/).
#
smtpd_tls_dh1024_param_file = /etc/postfix/certs/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/certs/dh_512.pem

# The smtpd_starttls_timeout parameter limits the time in seconds to write and
# read operations during TLS start and stop handshake procedures.
#
# smtpd_starttls_timeout = 300s


##################### CLIENT ######################################


#main.cf: smtp (client) specific variables
# During the startup negotiation we might present a certificate to the server.
# Netscape is rather clever here and lets the user select between only those
# certs that will match the CAs accepted from the server. As I simply use
# the integrated "SSL_connect()" from the OpenSSL package, this is not
# possible by now and we have to choose just one cert.
# So for now the default is to use _no_ cert and key unless explicitly
# set here. It is possible to use the same key/cert pair as for the server.
# If a cert is to be presented, it must be in "pem" format, the private key
# must not be encrypted, that does mean: it must be accessible without
# password. Both parts (certificate and private key) may be in the
# same file.
#
# In order to check the certificates, the CA-certificate (in case of a
# certificate chain, all CA-certificates) must be available.
# You should add these certificates to the server certificate, the server
# certificate first, then the issuing CA(s).
#
# Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
# which itself has a certificate of "root CA". Create the client.pem file by
# 'cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem'
#
# If you want to accept certificates issued by these CAs yourself, you can
# also add the CA-certificates to the smtp_tls_CAfile, in which case it is
# not necessary to have them in the smtp_tls_[d]cert_file.
#
# A certificate supplied here must be usable as SSL client certificate and
# hence pass the "openssl verify -purpose sslclient ..." test.
#
#smtp_tls_cert_file = /etc/postfix/certs/ClientCert.pem
#smtp_tls_key_file  = /etc/postfix/certs/ClientKey.pem

# The certificate was issued by a certification authority (CA), the CA-cert
# of which must be available, if not in the certificate file.
# This file may also contain the CA certificates of other trusted CAs.
# You must use this file for the list of trusted CAs if you want to use
# chroot-mode. No default is supplied for this value as of now.
#
#smtp_tls_CAfile = /etc/postfix/certs/alleca.pem

# To verify the peer certificate, we need to know the certificates of
# certification authorities. These certificates in "pem" format are
# collected in a directory. Don't forget to create the necessary "hash"
# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
# no default and you explicitly have to set the value here!
#
# To use this option in chroot mode, this directory itself or a copy of it
# must be inside the chroot jail.
#

# Inside the chroot jail!
smtp_tls_CApath = /etc/certs

# To get additional information during the TLS setup and negotiations
# you can increase the loglevel from 0..4:
# 0: No output about the TLS subsystem
# 1: Printout startup and certificate information
# 2: 1 + Printout of levels during negotiation
# 3: 2 + Hex and ASCII dump of negotiation process
# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
# discouraged.
#
smtp_tls_loglevel = 0

# The server and client negotiate a session, which takes some computer time
# and network bandwidth. The session is cached only in the smtpd process
# actually using this session and is lost when the process dies.
# To share the session information between the smtp processes, a disc based
# session cache can be used based on the SDBM databases (routines included
# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
# can be used.
#
#smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache

# The cached sessions time out after a certain amount of time. For Postfix/TLS
# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
# (=1 hour). RFC2246 recommends a maximum of 24 hours.
#
# smtp_tls_session_cache_timeout = 3600s

# By default TLS is disabled, so no difference to plain postfix is visible.
# If you enable TLS it will be used when offered by the server.
# WARNING: I didn't have access to other software (except those explicitly
# listed) to test the interaction. On the corresponding mailing list
# there was a discussion going on about MS exchange servers offering
# STARTTLS even if it is not configured, so it might be wise to not
# use this option on your central mail hub, as you don't know in advance
# whether you are going to hit such a host. Use the recipient/site specific
# options instead.
# HINT: I have it switched on on my mailservers and did experience one
# single failure since client side TLS is implemented. (There was one
# misconfigured MS Exchange server; I contacted the admin.) Hence, I am happy
# with it running all the time, but I am interested in testing anyway.
# You have been warned, however.
#
# In case of failure, a "4xx" code is issued and the mail stays in the queue.
#
# Explicitly switch it on here, if you want it.
#
smtp_use_tls = yes

# You can ENFORCE the use of TLS, so that only connections with TLS will
# be accepted. Additionally, the hostname of the receiving host is matched
# against the CommonName in the certificate. Also, the certificate must
# be verified "Ok", so that a CA trusted by the client must have issued
# the certificate. If the certificate doesn't verify or the hostname doesn't
# match, a "4xx" will be issued and the mail stays in the queue.
# The hostname used in the check is beyond question, as it must be the
# principal hostname (no CNAME allowed here).
# The behaviour may be changed with the smtp_tls_enforce_peername option.
#
# This option is useful only if you are definitely sure that you will only
# connect to servers supporting RFC2487 _and_ with valid certificates.
# I use it for my clients which will only send email to one mailhub, which
# does offer the necessary STARTTLS support.
#
smtp_enforce_tls = no

# As of RFC2487 the requirements for hostname checking for MTA clients are
# not set. When in smtp_enforce_tls mode, the option smtp_tls_enforce_peername
# can be set to "no" to disable strict peername checking. In this case, the
# mail delivery will be continued, if a TLS connection was established
# _and_ the peer certificate passed verification _but_ regardless of the
# CommonName listed in the certificate. This option only applies to the
# default setting smtp_enforce_tls_mode, special settings in the
# smtp_tls_per_site table override smtp_tls_enforce_peername.
#
# This can make sense in closed environment where special CAs are created.
# If not used carefully, this option opens the danger of a "man-in-the-middle"
# attack (the CommonName of this attacker is logged).
#
# smtp_tls_enforce_peername = yes

# As generally trying TLS can be a bad idea (some hosts offer STARTTLS but
# the negotiation will fail, leading to unexplainable failures), it may be
# a good idea to decide based on the recipient or the mailhub to which you are
# connecting.
#
# Deciding per recipient may be difficult, since a single email can have
# several recipients. We use the "nexthop" mechanism inside postfix.
# When an email is to be delivered, the "nexthop" is obtained. If it matches
# an entry in the smtp_tls_per_site list, appropriate action is taken.
# Since entries in the transport table or the use of a relay_host override
# the nexthop setting, in these cases the relay_host etc must be listed
# in the table. In any case, the hostname of the peer to be contacted is
# looked up (that is: the MX or the name of the host, if no MX is given).
#
# Special hint for enforcement mode:
# Since there is no secure mechanism for DNS lookups available, the
# recommended setup is: put the sensible domains with their mailhost
# into the transport table (since you can assure security of this table
# unlike DNS), then set MUST mode for this mailhost.
#
# Format of the table:
# The keys entries are on the left hand side, no wildcards allowed. On the
# right hand side the keywords NONE (don't use TLS at all), MAY (try to use
# STARTTLS if offered, no problem if not), MUST (enforce usage of STARTTLS,
# check server certificate CommonName against server FQDN), MUST_NOPEERMATCH
# (enforce usage of STARTTLS and verify certificate, but ignore differences
# between CommonName and server FQDN).
# dom.ain                NONE
# host.dom.ain           MAY
# important.host         MUST
# some.host.dom.ain      MUST_NOPEERMATCH
#
# If an entry is not matched, the default policy is applied; if the default
# policy is "enforce", NONE explicitly switches it off, otherwise the
# "enforce" mode is used even for MAY entries.
#
#smtp_tls_per_site = hash:/etc/postfix/tls_per_site
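An added illustration (not code from this page or from Postfix) of the precedence rules just described: how the smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername defaults combine with an smtp_tls_per_site entry, and what the "4xx and the mail stays in the queue" rule means for a given connection outcome. The table contents are constructed, and looking up the nexthop before the peer hostname is an assumption of this model.

```python
"""Resolver for the smtp client's effective TLS policy per destination
(added illustration, not Postfix code). It combines the smtp_use_tls,
smtp_enforce_tls and smtp_tls_enforce_peername defaults with an
smtp_tls_per_site entry using the precedence rules described above, and maps
the outcome of a connection to deliver or defer (4xx, mail stays queued).
The table contents are constructed; looking up the nexthop before the peer
hostname is an assumption of this model."""

# Constructed smtp_tls_per_site contents; keys are exact, no wildcards.
PER_SITE = {
    "dom.ain": "NONE",
    "host.dom.ain": "MAY",
    "important.host": "MUST",
    "some.host.dom.ain": "MUST_NOPEERMATCH",
}

ENFORCING = ("MUST", "MUST_NOPEERMATCH")


def default_policy(smtp_use_tls, smtp_enforce_tls, smtp_tls_enforce_peername):
    """Policy used when no per-site entry matches."""
    if smtp_enforce_tls:
        return "MUST" if smtp_tls_enforce_peername else "MUST_NOPEERMATCH"
    return "MAY" if smtp_use_tls else "NONE"


def effective_policy(nexthop, peer_host, table, default):
    """Apply the per-site table on top of the default policy."""
    entry = table.get(nexthop)
    if entry is None:
        entry = table.get(peer_host)      # MX or host name actually contacted
    if entry is None:
        return default
    if default in ENFORCING:
        # With enforcement as the default only NONE switches TLS off;
        # a MAY entry still means enforce.
        if entry == "NONE":
            return "NONE"
        if entry == "MAY":
            return default
    return entry


def delivery_decision(policy, starttls_offered, handshake_ok,
                      cert_verified, cn_matches):
    """'deliver-plain', 'deliver-tls', or 'defer' (4xx; mail stays queued)."""
    if policy == "NONE":
        return "deliver-plain"
    if not starttls_offered:
        # MAY falls back to plain text; enforcing policies cannot proceed
        return "deliver-plain" if policy == "MAY" else "defer"
    if not handshake_ok:
        # an advertised but failing STARTTLS defers even under MAY
        return "defer"
    if policy == "MUST" and not (cert_verified and cn_matches):
        return "defer"
    if policy == "MUST_NOPEERMATCH" and not cert_verified:
        return "defer"
    return "deliver-tls"


if __name__ == "__main__":
    default = default_policy(True, False, True)          # the settings on this page
    for nexthop, mx in [("dom.ain", "mx.dom.ain"), ("other.example", "important.host")]:
        print(nexthop, mx, effective_policy(nexthop, mx, PER_SITE, default))
```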

# The verification depth for server certificates. A depth of 1 is sufficient,
# if the certificate is directly issued by a CA listed in the CA locations.
# The default value (5) should also suffice for longer chains (root CA issues
# special CA which then issues the actual certificate...)
#
smtp_tls_scert_verifydepth = 3

# As we decide on a "per site" basis, whether to use TLS or not, it would be
# good to have a list of sites, that offered "STARTTLS". We can collect it
# ourselves with this option.
#
# If activated and TLS is not already enabled for this host, a line is added
# to the logfile:
# postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
#
smtp_tls_note_starttls_offer = yes

# To influence the cipher selection scheme, you can give cipherlist-string.
# A detailed description would go too far here, please refer to the openssl
# documentation.
# If you don't know what to do with it, simply don't touch it and leave the
# (openssl-)compiled in default!
#
# DO NOT USE " to enclose the string, just the string!!!
#
# smtp_tls_cipherlist = DEFAULT

# The smtp_starttls_timeout parameter limits the time in seconds to write and
# read operations during TLS start and stop handshake procedures.
#
# In case of problems the client does NOT try the next address on
# the mail exchanger list.
#
# smtp_starttls_timeout = 300s

#main.cf: general variables
# In order to seed the PRNG (Pseudo Random Number Generator), random data is
# needed. The PRNG pool is maintained by the "tlsmgr" daemon and is used
# (read) by the smtp[d] processes after adding some more entropy by stirring
# in time and process id.
# The file, which is from time to time rewritten by the tlsmgr, is created
# if not existent. A default value is given; the default should probably
# be on the /var partition but _not_ inside chroot jail.
#
# tls_random_exchange_name = /etc/postfix/prng_exch

# To feed the PRNG pool, entropy is read from an external source,
# both at startup and during run time.
# Specify a good entropy source here, like EGD or /dev/urandom; make sure
# to only use non-blocking sources (a blocking source such as /dev/random
# can stall tlsmgr when the kernel entropy pool runs low).
# In both cases, 32 bytes are read at each re-seeding event (256 bits, which
# is good enough for 128-bit symmetric keys).
# You must specify the type of source: "dev:" for a device special file
# or "egd:" for a source with an EGD-compatible socket interface. A maximum
# of 255 bytes is read from these sources in each step.
# If you specify a normal file, a larger amount of data can be read.
#
# The entropy source is queried again after a certain amount of time. The
# time is calculated using the PRNG; it is between 0 and the time specified,
# the default is a maximum of 1 hour.
#
tls_random_source = dev:/dev/urandom
# tls_random_source = egd:/var/run/egd-pool
# tls_random_bytes = 32
# tls_random_reseed_period = 3600s

# The PRNG pool inside tlsmgr is used to re-generate the 1024 byte file
# that is read by smtp[d]. The time after which the exchange file is
# rewritten is calculated using the PRNG; it is between 0 and the time
# specified, the default is a maximum of 60 seconds.
#
# tls_random_upd_period = 60s

# If you have an entropy source available that is not easily drained (like
# /dev/urandom), the daemons can also load additional entropy on startup from
# the source specified. By default an amount of 32 bytes is read, the
# equivalent of 256 bits. This is more than enough to generate a 128-bit
# (or 168-bit) session key, but we may have to generate more than one.
# Usage of this option may drain EGD (consider the case of 50 smtp processes
# starting up with a full queue and "postfix start", which will request
# 1600 bytes of entropy). This is however not fatal, as long as "entropy"
# data could be read from the exchange file.
#
# Note: the two parameter names below are those of the old Postfix TLS patch.
# Postfix 2.2 and later with built-in TLS use tls_random_prng_update_period
# for the exchange file update interval and tls_daemon_random_bytes for the
# daemons' seed size (daemons obtain their seed bytes from tlsmgr instead of
# opening a source themselves). Check postconf(5) for the release you run.
#
tls_daemon_random_source = dev:/dev/urandom
# tls_daemon_random_source = egd:/var/run/egd-pool
# tls_daemon_random_bytes = 32
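The interplay described in the last few sections (source specification, capped reads, the 1024-byte exchange file, randomised reseed and update delays, and the smtp[d] side stirring in time and pid) is easier to follow as a small model. The code below is an added example, not code from this page or from Postfix: the hash-chain `PrngPool` stands in for the OpenSSL PRNG that Postfix really uses, the `_read_egd` request bytes follow the EGD socket protocol rather than anything on this page, and `simulate()` substitutes a constructed file for /dev/urandom so it runs anywhere.

```python
import hashlib
import os
import socket
import tempfile
import time

MAX_SOURCE_READ = 255       # dev:/egd: sources yield at most 255 bytes per step
EXCHANGE_FILE_SIZE = 1024   # size of the exchange file rewritten by tlsmgr


def parse_source(spec):
    """Split 'dev:/dev/urandom', 'egd:/var/run/egd-pool' or a plain path into (kind, path)."""
    for kind in ("dev", "egd"):
        if spec.startswith(kind + ":"):
            return kind, spec[len(kind) + 1:]
    return "file", spec


def _read_egd(path, nbytes):
    # EGD socket protocol (assumed from the EGD spec, not from the page):
    # send 0x01 <n> for a non-blocking read; the reply is <count> then count bytes.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(bytes([0x01, nbytes]))
        count = sock.recv(1)[0]
        data = b""
        while len(data) < count:
            chunk = sock.recv(count - len(data))
            if not chunk:
                break
            data += chunk
    return data


def read_entropy(spec, nbytes=32):
    """Read nbytes from a source; dev:/egd: reads are capped at 255 bytes, files are not."""
    kind, path = parse_source(spec)
    if kind == "egd":
        return _read_egd(path, min(nbytes, MAX_SOURCE_READ))
    if kind == "dev":
        nbytes = min(nbytes, MAX_SOURCE_READ)
    with open(path, "rb") as fh:
        data = fh.read(nbytes)
    if len(data) < nbytes:
        raise OSError(f"short read from {spec}: {len(data)} of {nbytes} bytes")
    return data


class PrngPool:
    """Toy hash-chain PRNG: stir() folds entropy in, output() derives bytes and ratchets."""

    def __init__(self, seed):
        self.state = hashlib.sha256(seed).digest()

    def stir(self, data):
        self.state = hashlib.sha256(self.state + data).digest()

    def output(self, nbytes):
        out = b""
        counter = 0
        while len(out) < nbytes:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        self.stir(b"ratchet")   # earlier state is not recoverable from the output
        return out[:nbytes]


def random_delay(pool, max_seconds):
    """Next reseed / update delay: between 0 and max_seconds, drawn from the pool."""
    return int.from_bytes(pool.output(8), "big") % (max_seconds + 1)


def write_exchange_file(pool, path):
    """tlsmgr side: atomically rewrite the 1024-byte exchange file from the pool."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(pool.output(EXCHANGE_FILE_SIZE))
    os.replace(tmp, path)


def seed_daemon(exchange_path, pid=None, now=None):
    """smtp[d] side: seed from the exchange file, then stir in time and pid."""
    with open(exchange_path, "rb") as fh:
        pool = PrngPool(fh.read())
    pid = os.getpid() if pid is None else pid
    now = time.time() if now is None else now
    pool.stir(repr(now).encode() + pid.to_bytes(4, "big"))
    return pool


def simulate(source_bytes=None):
    """One tlsmgr reseed and exchange-file update, then two daemons seeding from it."""
    workdir = tempfile.mkdtemp()
    dev = os.path.join(workdir, "fake-urandom")   # constructed stand-in for /dev/urandom
    with open(dev, "wb") as fh:
        fh.write(os.urandom(2048) if source_bytes is None else source_bytes)
    exch = os.path.join(workdir, "prng_exch")
    pool = PrngPool(read_entropy("dev:" + dev, 32))
    write_exchange_file(pool, exch)
    # Two daemons read the same file at the same instant; only the pid differs.
    a = seed_daemon(exch, pid=101, now=1.0).output(16)
    b = seed_daemon(exch, pid=102, now=1.0).output(16)
    return {
        "capped_read": len(read_entropy("dev:" + dev, 400)),   # 255, not 400
        "file_read": len(read_entropy(dev, 400)),               # plain file: all 400
        "exchange_size": os.path.getsize(exch),
        "reseed_delay": random_delay(pool, 3600),
        "daemons_differ": a != b,
    }
```

The point of the model is the division of labour: only tlsmgr touches the entropy source, so a slow or drained source delays one daemon rather than every SMTP session, and the daemons get distinct streams from one shared file because each stirs in its own pid and start time. With a real EGD socket, `read_entropy("egd:/var/run/egd-pool")` exercises the `_read_egd` path instead of the file read.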


Knowledge base was last edited on 12.07.13 by Frank
