1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2026-07-02 19:15:39 +00:00

restructure configuration directories

This commit is contained in:
FreddleSpl0it
2025-05-22 15:37:15 +02:00
parent dba9675a9b
commit f35def48cb
25 changed files with 113 additions and 124 deletions
@@ -0,0 +1 @@
/^(.+)@mailcow.local/ OK
@@ -0,0 +1,20 @@
if /^\s*Received:.*Authenticated sender.*\(Postcow\)/
#/^Received: from .*? \([\w-.]* \[.*?\]\)\s+\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (E?SMTPS?A?) id ([A-F0-9]+).+;.*?/
/^Received: from .*? \([\w\-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (.*)/
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with $3
endif
if /^\s*Received: from.* \(.*dovecot-mailcow.*mailcow-network.*\).*\(Postcow\)/
/^Received: from.* (.*|\n.*)\((.+) (.+)\)\s+by (.+) \(Postcow\) with (.*)/
REPLACE Received: from sieve (sieve $3) by $4 (Postcow) with $5
endif
if /^\s*Received: from.* \(.*rspamd-mailcow.*mailcow-network.*\).*\(Postcow\)/
/^Received: from.* (.*|\n.*)\((.+) (.+)\)\s+by (.+) \(Postcow\) with (.*)/
REPLACE Received: from rspamd (rspamd $3) by $4 (Postcow) with $5
endif
/^\s*X-Enigmail/ IGNORE
# Not removing Mailer by default, might be signed
#/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*X-Forward/ IGNORE
# Not removing UA by default, might be signed
#/^\s*User-Agent/ IGNORE
@@ -0,0 +1,2 @@
/watchdog@localhost$/ watchdog_discard:
/localhost$/ local:
@@ -0,0 +1,146 @@
# inter-mx with postscreen on 25/tcp
smtp inet n - n - 1 postscreen
10025 inet n - n - 1 postscreen
-o postscreen_upstream_proxy_protocol=haproxy
-o syslog_name=haproxy
smtpd pass - - n - - smtpd
-o smtpd_sasl_auth_enable=no
-o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
# smtpd tls-wrapped (smtps) on 465/tcp
# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
-o tls_preempt_cipherlist=yes
-o cleanup_service_name=smtp_sender_cleanup
-o syslog_name=postfix/smtps
10465 inet n - n - - smtpd
-o smtpd_upstream_proxy_protocol=haproxy
-o smtpd_tls_wrappermode=yes
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
-o tls_preempt_cipherlist=yes
-o cleanup_service_name=smtp_sender_cleanup
-o syslog_name=postfix/smtps-haproxy
# smtpd with starttls on 587/tcp
# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
submission inet n - n - - smtpd
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
-o tls_preempt_cipherlist=yes
-o cleanup_service_name=smtp_sender_cleanup
-o syslog_name=postfix/submission
10587 inet n - n - - smtpd
-o smtpd_upstream_proxy_protocol=haproxy
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
-o tls_preempt_cipherlist=yes
-o cleanup_service_name=smtp_sender_cleanup
-o syslog_name=postfix/submission-haproxy
# used by SOGo
# smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
588 inet n - n - - smtpd
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_auth_only=no
-o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
-o cleanup_service_name=smtp_sender_cleanup
-o syslog_name=postfix/sogo
# used to reinject quarantine mails
590 inet n - n - - smtpd
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_tls_auth_only=no
-o smtpd_milters=
-o non_smtpd_milters=
-o syslog_name=postfix/quarantine
# used to send bcc mails
591 inet n - n - - smtpd
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_tls_auth_only=no
-o smtpd_milters=
-o non_smtpd_milters=
-o syslog_name=postfix/bcc
# enforced smtp connector
smtp_enforced_tls unix - - n - - smtp
-o smtp_tls_security_level=encrypt
-o syslog_name=enforced-tls-smtp
-o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter
# smtp connector used, when a transport map matched
# this helps to have different sasl maps than we have with sender dependent transport maps
smtp_via_transport_maps unix - - n - - smtp
-o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
tlsproxy unix - - n - 0 tlsproxy
dnsblog unix - - n - 0 dnsblog
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp flags=O
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
# used to anonymize sender IP
smtp_sender_cleanup unix n - y - 0 cleanup
-o header_checks=$smtp_header_checks
# start whitelist_fwd
127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
# end whitelist_fwd
# start watchdog-specific
# logs to local7 (hidden)
589 inet n - n - - smtpd
-o smtpd_client_restrictions=permit_mynetworks,reject
-o syslog_name=watchdog
-o syslog_facility=local7
-o smtpd_milters=
-o cleanup_service_name=watchdog_cleanup
-o non_smtpd_milters=
watchdog_cleanup unix n - n - 0 cleanup
-o syslog_name=watchdog
-o syslog_facility=local7
-o queue_service_name=watchdog_qmgr
watchdog_qmgr fifo n - n 300 1 qmgr
-o syslog_facility=local7
-o syslog_name=watchdog
-o rewrite_service_name=watchdog_rewrite
watchdog_rewrite unix - - n - - trivial-rewrite
-o syslog_facility=local7
-o syslog_name=watchdog
-o local_transport=watchdog_discard
watchdog_discard unix - - n - - discard
-o syslog_facility=local7
-o syslog_name=watchdog
# end watchdog-specific
@@ -0,0 +1,6 @@
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
5$1
/^4.7.5(.*)/
5.7.5$1