December 22 update

Sharad Ahlawat
2022-12-03 17:32:20 -08:00
parent 82a613d160
commit a2cdf26594
224 changed files with 6862 additions and 2341 deletions


@ -282,10 +282,9 @@ unknown_local_recipient_reject_code = 550
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:$config_directory/network_table
#mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [2603:3024:3f6:e1::]/64
mynetworks = 127.0.0.1/32 192.168.0.0/24 [::1]/128 [fe80::]/10 [fd01::]/64
smtp_bind_address = 192.168.0.100
smtp_bind_address6 = 2603:3024:3f6:e1::100
smtp_bind_address6 = fd01::100
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
@ -675,7 +674,7 @@ manpage_directory = /usr/local/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/local/etc/postfix
#sample_directory = /usr/local/etc/postfix
# readme_directory: The location of the Postfix README files.
#
@ -684,6 +683,7 @@ inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
#smtp_address_preference = ipv4
smtp_address_preference = any
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
@ -717,6 +717,8 @@ swap_bangpath = no
smtpd_tls_cert_file = /mnt/certs/fullchain.pem
smtpd_tls_key_file = /mnt/certs/privkeyr.pem
smtpd_tls_loglevel = 2
# These two lines define how postfix will connect to other mail servers.
# DANE is a stronger form of opportunistic TLS. You can read about it here:
# http://www.postfix.org/TLS_README.html#client_tls_dane
@ -729,25 +731,34 @@ smtp_dns_support_level = dnssec
# Here we define the options for "mandatory" TLS. In our setup, TLS is only
# "mandatory" for authenticating users. I got these settings from Mozilla's
# SSL reccomentations page.
# https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1k&guideline=5.6
#
# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
# connections. Do not attempt to change the default cipherlist for non-
# mandatory connections either. There are still a lot of mail servers out
# there that do not use TLS, and many that do only support old ciphers.
# Forcing TLS for everyone *will* cause you to lose mail.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
# allow other mail servers to connect using TLS, but don't require it
smtpd_tls_security_level = may
# tickets and compression have known vulnerabilities
tls_ssl_options = no_ticket, no_compression
tls_ssl_options = no_ticket, no_compression, NO_RENEGOTIATION
# it's more secure to generate your own DH params
smtpd_tls_dh512_param_file = /mnt/certs/dhparam512.pem
smtpd_tls_dh1024_param_file = /mnt/certs/dhparam2048.pem
# it's more secure to generate your own DH params but using mozilla's
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# not actually 1024 bits, this applies to all DHE >= 1024 bits
#smtpd_tls_dh512_param_file = /mnt/certs/dhparam512.pem
smtpd_tls_dh1024_param_file = /mnt/certs/dhparam4096.pem
# cache incoming and outgoing TLS sessions
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
@ -781,13 +792,13 @@ smtpd_helo_required = yes
# entry and present a valid, FQDN HELO hostname. In addition, they can only
# send mail to valid mailboxes on the server, and the sender's domain must
# actually exist.
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_unknown_reverse_client_hostname
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_unknown_reverse_client_hostname,reject_unknown_client_hostname
# you might want to consider:
# reject_unknown_client_hostname,
# here. This will reject all incoming connections without a reverse DNS
# entry that resolves back to the client's IP address. This is a very
# restrictive check and may reject legitimate mail.
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_unauth_pipelining,reject_non_fqdn_helo_hostname
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,reject_unauth_pipelining,reject_non_fqdn_helo_hostname,reject_unknown_helo_hostname
# you might want to consider:
# reject_unknown_helo_hostname,
# here. This will reject all incoming mail without a HELO hostname that
@ -819,3 +830,5 @@ milter_protocol = 6
milter_default_action = accept
smtpd_milters = unix:/var/run/rspamd/milter.sock
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
#always_bcc = ahlawat@ahlawat.com
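Review bot: In the TLS hunk (@ -729,25 +731,34) the new comment above `smtpd_tls_dh1024_param_file` tells the reader to fetch Mozilla's ffdhe2048 group, but the value now points at `/mnt/certs/dhparam4096.pem`, so the comment and the setting disagree about which DH group the server actually uses. A 4096-bit group is also considerably more expensive per handshake than 2048, and some older clients are reported to abort the handshake on DH groups above 2048 bits; with `smtpd_tls_security_level = may` on the same hunk, a failed handshake typically ends with the peer retrying in cleartext rather than mail being refused, so the larger group buys little and can cost confidentiality. If 4096 is deliberate, state that and drop the ffdhe2048 instruction from the comment; otherwise `curl https://ssl-config.mozilla.org/ffdhe2048.txt > /mnt/certs/ffdhe2048.pem` and `smtpd_tls_dh1024_param_file = /mnt/certs/ffdhe2048.pem` make the file consistent with its own comment. Only the two `DHE-RSA-*` suites at the tail of the new `tls_medium_cipherlist` use this group at all, so the choice only affects peers that cannot negotiate ECDHE. Separately, `NO_RENEGOTIATION` in `tls_ssl_options` is upper case while its neighbours are lower case; Postfix appears to match these names case-insensitively, but `no_renegotiation` keeps the line uniform and is worth confirming in `postconf -n` output after reload.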