forked from foxcpp/maddy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmaddy.conf
190 lines (161 loc) · 4.79 KB
/
maddy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
## maddy 0.2 - default configuration file (2020-03-05)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
#
# See tutorials at https://foxcpp.dev/maddy for guidance on typical
# configuration changes.
#
# See manual pages (also available at https://foxcpp.dev/maddy) for reference
# documentation.
# ----------------------------------------------------------------------------
# Base variables
$(hostname) = example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)
tls /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)/privkey.pem
# ----------------------------------------------------------------------------
# Local storage & authentication
# imapsql modules provides unified database that is used both for user
# credentials and IMAP index. Use 'maddyctl users' utility to manage accounts
# and 'maddyctl imap-*' commands to inspect stored messages.
imapsql local_mailboxes local_authdb {
driver sqlite3
dsn imapsql.db
}
# ----------------------------------------------------------------------------
# Policies
# Cheat sheet:
# Remote sender => local recipient
# - inbound_limits
# - inbound_checks
# - inbound_modifiers
# - local_checks
# - local_modifiers
# Local sender => local recipient
# - local_limits
# - local_checks
# - local_modifiers
# Local sender => remote recipient
# - outbound_checks
# - outbound_modifiers
# - outbound_limits
limits inbound_limits {
# Up to 20 msgs/sec across max. 10 SMTP connections.
all rate 20 1s
all concurrency 10
}
checks inbound_checks {
require_matching_ehlo
require_mx_record
verify_dkim
apply_spf
}
modifiers inbound_modifiers { }
limits local_limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
}
checks local_checks { }
modifiers local_modifiers {
# <postmaster> address without domain is the standard (RFC 5321) way
# to contact the server owner so redirect it to a real address we
# can handle.
replace_rcpt static {
entry postmaster postmaster@$(primary_domain)
}
# Implement plus-address notation.
replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
# Resolve aliases using text file. See "replace_rcpt" section
# in maddy-filter(5) and "file_table" in maddy-tables(5) for details.
replace_rcpt file_table /etc/maddy/aliases
}
limits outbound_limits {
# Up to 20 msgs/sec across max. 10 SMTP connections
# for each recipient domain.
destination rate 20 1s
destination concurrency 10
}
checks outbound_checks { }
modifiers outbound_modifiers {
sign_dkim $(primary_domain) $(local_domains) default
}
mx_auth outbound_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
sts_preload {
source eff # See https://startls-everywhere.org
# Apply testing-only entries as if they were enforced.
enforce_testing yes
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
# ----------------------------------------------------------------------------
# SMTP endpoints + message routing
hostname $(hostname)
smtp tcp://0.0.0.0:25 {
limits &inbound_limits
dmarc yes
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
check &inbound_checks
check &local_checks
modify &inbound_modifiers
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User not local"
}
}
}
submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
limits &local_limits
auth &local_authdb
source $(local_domains) {
destination $(local_domains) {
check &local_checks
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
check &outbound_checks
modify &outbound_modifiers
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
queue remote_queue {
target remote {
limits &outbound_limits
mx_auth &outbound_auth
}
autogenerated_msg_domain $(primary_domain)
bounce {
destination $(local_domains) {
check &local_checks
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
# ----------------------------------------------------------------------------
# IMAP endpoints
imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
auth &local_authdb
storage &local_mailboxes
}