update

web/Modules/Email/server/postfix/main.cf

@@ -0,0 +1,124 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+smtpd_banner = $myhostname ESMTP
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+
+# Disabled as not compatible with Dovecot
+smtputf8_enable = no
+
+# Basic configuration
+# myhostname =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+# Take the following concerns into consideration if adjusting `mydestination`:
+# https://github.com/docker-mailserver/docker-mailserver/pull/3264#pullrequestreview-1396816109
+# https://github.com/docker-mailserver/docker-mailserver/pull/3264#issuecomment-1518993555
+mydestination = $myhostname, localhost.$mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+# TLS parameters
+# These [snakeoil files actually exist](https://askubuntu.com/questions/396120/what-is-the-purpose-of-the-ssl-cert-snakeoil-key), but shouldn't ever be used in production!
+# If no `SSL_TYPE` env is set, "plaintext" is configured, but still accepts SSL with these:
+smtpd_tls_chain_files = /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_CAfile =
+#smtp_tls_CAfile =
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+
+# Reduces CPU overhead with `NO_COMPRESSION`, SMTP not at risk of CRIME attack (see git blame for details)
+# Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION`
+tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
+
+tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = yes
+smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
+smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
+smtpd_tls_CApath = /etc/ssl/certs
+smtp_tls_CApath = /etc/ssl/certs
+
+# Settings to prevent SPAM early
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain
+smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+smtpd_sender_restrictions = $dms_smtpd_sender_restrictions
+smtpd_discard_ehlo_keywords = silent-discard, dsn
+smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining
+disable_vrfy_command = yes
+
+# Security - Prevent SMTP Smuggling attack
+# https://www.postfix.org/smtp-smuggling.html#long
+smtpd_forbid_bare_newline = yes
+# It is possible to exclude clients on trusted networks from this restriction (the upstream default is `$mynetwork`):
+# smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+# Custom defined parameters for DMS:
+# reject_unknown_sender_domain: https://github.com/docker-mailserver/docker-mailserver/issues/3716#issuecomment-1868033234
+dms_smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
+# Submission ports 587 and 465 support for SPOOF_PROTECTION=1
+mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $dms_smtpd_sender_restrictions
+
+# Postscreen settings to drop zombies/open relays/spam early
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites =
+    zen.spamhaus.org=127.0.0.[2..11]*3
+    bl.mailspike.net=127.0.0.[2;14;13;12;11;10]
+    b.barracudacentral.org*2
+    bl.spameatingmonkey.net=127.0.0.2
+    dnsbl.sorbs.net
+    psbl.surriel.com
+    list.dnswl.org=127.0.[0..255].0*-2
+    list.dnswl.org=127.0.[0..255].1*-3
+    list.dnswl.org=127.0.[0..255].[2..3]*-4
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_allowlist_threshold = -1
+postscreen_greet_action = enforce
+postscreen_bare_newline_action = enforce
+
+# SASL
+smtpd_sasl_auth_enable = no
+smtpd_sasl_path = /dev/shm/sasl-auth.sock
+smtpd_sasl_type = dovecot
+
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $mydomain
+broken_sasl_auth_clients = yes
+
+# Postfix lookup tables for verifying valid users and managed mail domains:
+# Populated during startup in: scripts/helpers/postfix.sh
+virtual_mailbox_domains = /etc/postfix/vhost
+# Populated during startup in: scripts/helpers/aliases.sh
+virtual_alias_maps = texthash:/etc/postfix/virtual
+
+# Milters used by DKIM
+milter_protocol = 6
+milter_default_action = accept
+smtpd_milters =
+non_smtpd_milters =
+
+# Header checks for content inspection on receiving
+header_checks = pcre:/etc/postfix/maps/header_checks.pcre
+
+# Remove unwanted headers that reveal our privacy
+smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+# The default compatibility_level is 0 - which retains legacy settings defaults:
+# http://www.postfix.org/COMPATIBILITY_README.html
+# If backwards-compatibility log messages appear, fix them by explicitly adding
+# the legacy or new default value (alternatively raise the compatibility_level)
+compatibility_level = 3.6

web/Modules/Email/server/postfix/master.cf

@@ -0,0 +1,77 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service      type  private unpriv  chroot  wakeup  maxproc command + args
+#                    (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+
+smtp           inet  n       -       n       -       1       postscreen
+smtpd          pass  -       -       n       -       -       smtpd
+tlsproxy       unix  -       -       n       -       0       tlsproxy
+dnsblog        unix  -       -       n       -       0       dnsblog
+submission     inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_sasl_authenticated_header=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_restrictions=$mua_sender_restrictions
+  -o smtpd_discard_ehlo_keywords=
+  -o milter_macro_daemon_name=ORIGINATING
+  -o cleanup_service_name=sender-cleanup
+
+submissions    inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_sasl_type=dovecot
+  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_sasl_authenticated_header=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_sender_restrictions=$mua_sender_restrictions
+  -o smtpd_discard_ehlo_keywords=
+  -o milter_macro_daemon_name=ORIGINATING
+  -o cleanup_service_name=sender-cleanup
+
+pickup         fifo  n       -       n       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+
+# This relates to submission(s) services defined above:
+# https://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission
+sender-cleanup unix  n       -       n       -       0       cleanup
+  -o syslog_name=postfix/sender-cleanup
+  -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+cleanup        unix  n       -       n       -       0       cleanup
+qmgr           unix  n       -       n       300     1       qmgr
+tlsmgr         unix  -       -       n       1000?   1       tlsmgr
+rewrite        unix  -       -       n       -       -       trivial-rewrite
+bounce         unix  -       -       n       -       0       bounce
+defer          unix  -       -       n       -       0       bounce
+trace          unix  -       -       n       -       0       bounce
+verify         unix  -       -       n       -       1       verify
+flush          unix  n       -       n       1000?   0       flush
+proxymap       unix  -       -       n       -       -       proxymap
+proxywrite     unix  -       -       n       -       1       proxymap
+smtp           unix  -       -       n       -       -       smtp
+relay          unix  -       -       n       -       -       smtp
+showq          unix  n       -       n       -       -       showq
+error          unix  -       -       n       -       -       error
+retry          unix  -       -       n       -       -       error
+discard        unix  -       -       n       -       -       discard
+local          unix  -       n       n       -       -       local
+virtual        unix  -       n       n       -       -       virtual
+lmtp           unix  -       -       n       -       -       lmtp
+anvil          unix  -       -       n       -       1       anvil
+scache         unix  -       -       n       -       1       scache
+postlog  unix-dgram  n       -       n       -       1       postlogd