From 02d00b0547491504fd880a54983edcb3afc57a0e Mon Sep 17 00:00:00 2001 From: Giorgio Ravera Date: Wed, 21 Jan 2026 11:17:24 +0100 Subject: [PATCH] Updated postfix configuration --- main.cf | 84 +++++++++++++++++++++++++++++++++---------------------- master.cf | 2 +- 2 files changed, 51 insertions(+), 35 deletions(-) diff --git a/main.cf b/main.cf index 76e2ec6..e37b829 100644 --- a/main.cf +++ b/main.cf @@ -1,6 +1,10 @@ # See /usr/share/postfix/main.cf.dist for a commented, more complete version -compatibility_level = 2 + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname biff = yes 
@@ -10,13 +14,44 @@ append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h -alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases -# Map applied to sender and recipent +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on +# fresh installs. +compatibility_level = 3.6 + +# Alias +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases + +# General Settings +myhostname = mail.giorgioravera.it +mydomain = giorgioravera.it +myorigin = /etc/mailname +mydestination = localhost, localhost.localdomain +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 192.168.2.0/24 192.168.3.0/24 192.168.178.0/24 +inet_interfaces = all +inet_protocols = all + +# Relay +#relay_domains = /etc/postfix/ml-domains +relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf +sender_dependent_relayhost_maps = mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf +#relayhost = [smtp.gmail.com]:587 +relayhost = [smtp.eu.sparkpostmail.com]:587 + +# Mailbox settings +mailbox_command = /usr/bin/procmail -a "$EXTENSION" +mailbox_size_limit = 512000000 +message_size_limit = 20480000 +recipient_delimiter = + +content_filter = amavis:[127.0.0.1]:10024 + +# Maps applied to sender and recipent canonical_maps = mysql:/etc/postfix/mysql/canonical_maps.cf -# Map applied to recipent only +# Maps applied to recipent only #recipient_canonical_maps = hash:/etc/postfix/recipient_canonical -# Map applied to sender only +# Maps applied to sender only #sender_canonical_maps = hash:/etc/postfix/sender_canonical +# Bcc Maps #recipient_bcc_maps = hash:/etc/postfix/recipient_bcc recipient_bcc_maps = mysql:/etc/postfix/mysql/recipient_bcc_maps.cf #sender_bcc_maps = hash:/etc/postfix/sender_bcc 
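Review bot: The new `mynetworks` line trusts four whole /24 LANs (adding `192.168.3.0/24` and `192.168.178.0/24`), and `permit_mynetworks` is the first entry of both `smtpd_client_restrictions` and `smtpd_recipient_restrictions` in the surrounding context. Every host on those subnets can therefore relay without authenticating, and that mail goes out through the authenticated `relayhost` account set a few lines below. Consider listing only the hosts that really need unauthenticated submission and letting the rest use `permit_sasl_authenticated`; at minimum, add a comment above the line such as `# LAN ranges allowed to relay without AUTH: <purpose of each subnet>`. Separately, raising `compatibility_level` from 2 to 3.6 turns off the backwards-compatible defaults (to my knowledge including `smtpd_relay_before_recipient_restrictions`), so compare `postconf -n` and the relay behaviour before and after rather than treating this as a cosmetic move.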
@@ -41,22 +76,6 @@ virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf #transport_maps = hash:/etc/postfix/transport transport_maps = mysql:/etc/postfix/mysql/transport_maps.cf -myhostname = mail.giorgioravera.it -mydomain = giorgioravera.it -myorigin = localhost.localdomain -mydestination = localhost, localhost.localdomain -#relay_domains = /etc/postfix/ml-domains -relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf -mynetworks = 127.0.0.0/8, [::1]/128, 192.168.0.0/24, 192.168.2.0/24 -inet_protocols = all -mailbox_command = /usr/bin/procmail -a "$EXTENSION" -mailbox_size_limit = 512000000 -message_size_limit = 20480000 -recipient_delimiter = + -content_filter = amavis:[127.0.0.1]:10024 -#content_filter = spamassassin -mailman_destination_recipient_limit = 1 - # Evita header X-Original-To enable_original_recipient = no # Evita header Delivered-To @@ -71,6 +90,7 @@ bounce_template_file = /etc/postfix/bounce.cf disable_vrfy_command = yes +# SMTPD smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU Linux) # SMTPD Auth 
@@ -83,21 +103,18 @@ broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = no # SMTPD SSL -smtpd_use_tls = yes +#smtpd_use_tls = yes +#smtpd_tls_security_level = encrypt +smtpd_tls_security_level = may #smtpd_tls_protocols = !SSLv2 -#smtpd_tls_key_file = /etc/ssl/giorgioravera.it/certs/mail.giorgioravera.it.key -#smtpd_tls_cert_file = /etc/ssl/giorgioravera.it/certs/mail.giorgioravera.it.crt -#smtpd_tls_CAfile = /etc/ssl/giorgioravera.it/ca.crt -smtpd_tls_cert_file = /etc/ssl/giorgioravera.it/cert.pem +smtpd_tls_cert_file = /etc/ssl/giorgioravera.it/fullchain.pem smtpd_tls_key_file = /etc/ssl/giorgioravera.it/privkey.pem -smtpd_tls_CAfile = /etc/ssl/giorgioravera.it/chain.pem #smtpd_tls_loglevel = 2 smtpd_tls_received_header = no smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom # SMTPD Restrictions -# Allow connections from trusted networks only. smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, 
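Review bot: With `smtpd_tls_security_level = may`, STARTTLS stays optional for clients, and nothing in this hunk prevents AUTH from being offered on an unencrypted session. The neighbouring SASL settings (`broken_sasl_auth_clients`, `smtpd_sasl_authenticated_header`) suggest SMTP AUTH is enabled on this listener. Unless it is already set outside the hunk or per service in master.cf, add `smtpd_tls_auth_only = yes` so credentials are only accepted after TLS is established. The commented `#smtpd_tls_protocols = !SSLv2` is a stale leftover; either remove it or set an explicit floor such as `smtpd_tls_protocols = >=TLSv1.2`, a syntax available from Postfix 3.6, which the new compatibility level implies. The two commented alternatives (`#smtpd_use_tls`, `#smtpd_tls_security_level = encrypt`) would also benefit from a one-line comment saying why `may` was chosen for a public port 25.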
@@ -138,24 +155,22 @@ smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client dul.dnsbl.sorbs.net, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org - smtpd_error_sleep_time = 1s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20 # SMTP Client -smtp_use_tls = yes +#smtp_use_tls = yes +#smtp_tls_security_level = encrypt +smtp_tls_security_level = may smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous +#smtp_sasl_mechanism_filter = plain login #smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_passwd smtp_sasl_password_maps = mysql:/etc/postfix/mysql/smtp_sasl_passwd_maps.cf #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_policy_maps = mysql:/etc/postfix/mysql/smtp_tls_policy_maps.cf smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -sender_dependent_relayhost_maps = mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf -#smtp_sasl_mechanism_filter = plain login -#relayhost = [smtp.gmail.com]:587 -relayhost = [smtp.eu.sparkpostmail.com]:587 # Blocchi generici #invalid_hostname_reject_code = 554 @@ -172,3 +187,4 @@ relayhost = [smtp.eu.sparkpostmail.com]:587 #unknown_virtual_mailbox_reject_code = 554 #unverified_recipient_reject_code = 554 #unverified_sender_reject_code = 554 +cyrus_sasl_config_path = /etc/postfix/sasl diff --git a/master.cf b/master.cf index 2e1613e..9d9f979 100644 --- a/master.cf +++ b/master.cf @@ -144,7 +144,7 @@ spamassassin unix - n n - - pipe amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes - -o disable_dns_lookups=yes + -o smtp_dns_support_level=disabled -o max_use=20 127.0.0.1:10025 inet n - y - - smtpd -- 2.47.3
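Review bot: `smtp_tls_security_level = may` keeps the authenticated hop to the port-587 `relayhost` (moved to the Relay section by this commit) opportunistic. If STARTTLS is absent or stripped in transit, the client continues in cleartext, and `smtp_sasl_security_options = noanonymous` still permits plaintext mechanisms on that session. Whether `smtp_tls_policy_maps` pins that destination cannot be judged from the diff, because the table lives in MySQL. I would set `smtp_sasl_security_options = noplaintext, noanonymous` together with `smtp_sasl_tls_security_options = noanonymous`, and make sure the policy map has an `encrypt` (or stronger) entry for the relay host. The commented `#smtp_tls_security_level = encrypt` kept next to the active line should either carry a short reason or be removed.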