forked from foxcpp/maddy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmaddy.conf
211 lines (180 loc) · 5.5 KB
/
maddy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
## maddy 0.3 - default configuration file (2020-05-31)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
#
# See tutorials at https://foxcpp.dev/maddy for guidance on typical
# configuration changes.
#
# See manual pages (also available at https://foxcpp.dev/maddy) for reference
# documentation.
# ----------------------------------------------------------------------------
# Base variables
$(hostname) = example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)
tls /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)/privkey.pem
# ----------------------------------------------------------------------------
# Local storage & authentication
# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddyctl creds' command.
pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.
imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
# ----------------------------------------------------------------------------
# Policies
# Cheat sheet:
# Remote sender => local recipient
# - inbound_limits
# - inbound_checks
# - inbound_modifiers
# - local_checks
# - local_modifiers
# Local sender => local recipient
# - local_limits
# - local_checks
# - local_modifiers
# Local sender => remote recipient
# - outbound_checks
# - outbound_modifiers
# - outbound_limits
limits inbound_limits {
# Up to 20 msgs/sec across max. 10 SMTP connections.
all rate 20 1s
all concurrency 10
}
checks inbound_checks {
require_matching_ehlo
require_mx_record
verify_dkim
apply_spf
}
modifiers inbound_modifiers { }
limits local_limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
}
checks local_checks { }
modifiers local_modifiers {
# <postmaster> address without domain is the standard (RFC 5321) way
# to contact the server owner so redirect it to a real address we
# can handle.
replace_rcpt static {
entry postmaster postmaster@$(primary_domain)
}
# Implement plus-address notation.
replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
# Resolve aliases using text file. See "replace_rcpt" section
# in maddy-filter(5) and "file" in maddy-tables(5) for details.
replace_rcpt file /etc/maddy/aliases
}
limits outbound_limits {
# Up to 20 msgs/sec across max. 10 SMTP connections
# for each recipient domain.
destination rate 20 1s
destination concurrency 10
}
checks outbound_checks { }
modifiers outbound_modifiers {
sign_dkim $(primary_domain) $(local_domains) default
}
mx_auth outbound_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
sts_preload {
source eff # See https://startls-everywhere.org
# Apply testing-only entries as if they were enforced.
enforce_testing yes
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
# ----------------------------------------------------------------------------
# SMTP endpoints + message routing
hostname $(hostname)
smtp tcp://0.0.0.0:25 {
limits &inbound_limits
dmarc yes
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
check &inbound_checks
check &local_checks
modify &inbound_modifiers
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User not local"
}
}
}
submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
limits &local_limits
auth &local_authdb
source $(local_domains) {
destination $(local_domains) {
check &local_checks
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
check &outbound_checks
modify &outbound_modifiers
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
queue remote_queue {
target remote {
limits &outbound_limits
mx_auth &outbound_auth
}
autogenerated_msg_domain $(primary_domain)
bounce {
destination $(local_domains) {
check &local_checks
modify &local_modifiers
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
# ----------------------------------------------------------------------------
# IMAP endpoints
imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
auth &local_authdb
storage &local_mailboxes
}