Downgrade postfix back to 1.4 configuration

core/postfix/conf/main.cf

@@ -4,12 +4,9 @@
 
 # Main domain and hostname
 mydomain = {{ DOMAIN }}
-myhostname = {{ HOSTNAMES.split(",")[0] }}
+myhostname = {{ HOSTNAME }}
 myorigin = $mydomain
 
-# Queue location
-queue_directory = /queue
-
 # Message size limit
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
@@ -28,12 +25,6 @@ mydestination =
 # Relayhost if any is configured
 relayhost = {{ RELAYHOST }}
 
-# Recipient delimiter for extended addresses
-recipient_delimiter = {{ RECIPIENT_DELIMITER }}
-
-# Only the front server is allowed to perform xclient
-smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
-
 ###############
 # TLS
 ###############
@@ -41,14 +32,47 @@ smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
 # General TLS configuration
 tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 tls_preempt_cipherlist = yes
-tls_ssl_options = NO_COMPRESSION
+
+# Only one key/certificate pair is used, SNI not being supported by all
+# services and not a strong requirement. Also, TLS is enforced for submission
+# and smtps in master.cf.
+smtpd_tls_security_level = may
+smtpd_tls_cert_file=/certs/cert.pem
+smtpd_tls_key_file=/certs/key.pem
+smtpd_tls_session_cache_database = lmdb:${data_directory}/smtpd_scache
+
+# Server-side TLS is hardened, it should be up to the client to update his or
+# her TLS stack in order to connect to the mail server. Hardening is based on
+# https://bettercrypto.org/static/applied-crypto-hardening.pdf
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+
 
 # Outgoing TLS is more flexible because 1. not all receiving servers will
 # support TLS, 2. not all will have and up-to-date TLS stack.
 smtp_tls_security_level = may
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
+
+# General TLS hardening
+tls_ssl_options = NO_COMPRESSION
+tls_preempt_cipherlist = yes
+
+###############
+# SASL
+###############
+
+smtpd_sasl_local_domain = $myhostname
+
+# Authentication is done against dovecot, which acts as the main authention
+# source
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:imap:2102
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
 
 ###############
 # Virtual
@@ -60,8 +84,7 @@ virtual_alias_maps = ${sql}sqlite-virtual_alias_maps.cf
 virtual_mailbox_domains = ${sql}sqlite-virtual_mailbox_domains.cf
 virtual_mailbox_maps = $virtual_alias_maps
 
-# Mails are transported if required, then forwarded to Dovecot for delivery
-transport_maps = ${sql}sqlite-transport.cf
+# Mails are forwarded to Dovecot for delivery
 virtual_transport = lmtp:inet:imap:2525
 
 # In order to prevent Postfix from running DNS query, enforce the use of the
@@ -78,22 +101,31 @@ smtpd_delay_reject = yes
 # Allowed senders are: the user or one of the alias destinations
 smtpd_sender_login_maps = $virtual_alias_maps
 
-# Restrictions for incoming SMTP, other restrictions are applied in master.cf
+# Helo restrictions are specified for smtp only in master.cf
 smtpd_helo_required = yes
 
+# Sender restrictions
+smtpd_sender_restrictions =
+   permit_mynetworks,
+   reject_non_fqdn_sender,
+   reject_unknown_sender_domain,
+   reject_unlisted_sender,
+   reject_sender_login_mismatch,
+   permit
+
+# Recipient restrictions:
 smtpd_recipient_restrictions =
-  permit_mynetworks,
-  check_sender_access ${sql}sqlite-reject-spoofed.cf,
-  reject_non_fqdn_sender,
-  reject_unknown_sender_domain,
-  reject_unknown_recipient_domain,
-  permit
+   reject_unauth_pipelining,
+   reject_non_fqdn_recipient,
+   reject_unknown_recipient_domain,
+   permit_mynetworks,
+   permit
 
 ###############
 # Milter
 ###############
 
-smtpd_milters = inet:antispam:11332
+smtpd_milters = inet:milter:9900
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_default_action = tempfail