MTA
Debian packages: postfix, postfix-pcre (needed for the pcre: lookup tables used below), libsasl2-modules and libsasl2-modules-db (Cyrus SASL, which the Postfix SMTP *client* uses to authenticate to the smarthost; the SMTP *server* side authenticates through Dovecot instead). libgsasl18 is GNU SASL, which Postfix does not link against, so it can be left out.
A working configuration that relays all outbound mail to a smarthost over mandatory TLS and uses Dovecot for SASL authentication and local delivery.
/etc/postfix/main.cf
# Postfix main.cf for a Debian host that relays through a smarthost and hands
# local delivery and SASL to Dovecot. /usr/share/postfix/main.cf.dist has the
# fully commented version; http://www.postfix.org/COMPATIBILITY_README.html
# explains compatibility_level.
compatibility_level = 3.9

# Identity. myorigin is taken from /etc/mailname (Debian policy); it is the
# domain appended to locally submitted addresses that lack one.
myorigin = /etc/mailname
myhostname = orion.ctq.ro
mydomain = ctq.ro
# mail_name is the mail-system name shown in the banner, in Received: headers
# and in bounces (Postfix default is "Postfix"); here it carries the domain.
mail_name = ctq.ro

# 220 greeting. The banner must begin with the server's FQDN (RFC 5321),
# hence $myhostname first.
smtpd_banner = $myhostname ESMTP $mail_name (Debian)

# Listen on both address families. Set explicitly so Debian's
# post-install upgrade-configuration step does not complain.
inet_protocols = all
# Domains this host is the final destination for; mail to them is delivered
# locally, everything else is subject to relay restrictions.
mydestination = mail.ctq.ro, orion.ctq.ro, ctq.ro, orion, localhost.localdomain, localhost

# Trusted clients: loopback only, so nothing on the LAN gets permit_mynetworks
# privileges. Because mynetworks is set explicitly, mynetworks_style is never
# consulted (Postfix only derives mynetworks from it when mynetworks is unset);
# the line is kept for documentation only.
mynetworks_style = host
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Local aliases, /etc/aliases per Debian policy. alias_database is the table
# newaliases rebuilds; keep it in sync with alias_maps.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Local delivery is handed to Dovecot's LDA instead of the Postfix mailbox
# writer. When mailbox_command is set, root's mail must be aliased to a real
# user in /etc/aliases, and Postfix's own home_mailbox delivery is not used.
mailbox_command = /usr/lib/dovecot/deliver
# 0 = Postfix enforces no per-mailbox size limit (Dovecot quota, if any,
# is separate).
mailbox_size_limit = 0

# Address extensions: user+tag@domain is delivered to user.
recipient_delimiter = +
# No comsat/biff "new mail" notifications.
biff = no
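# Outbound: every message not destined for $mydestination goes to the
# smarthost. The brackets disable MX lookup so Postfix connects to exactly
# this host, on port 587 (STARTTLS submission). Use the same form,
# "[live.smtp.mailtrap.io]:587", as the key in /etc/postfix/sasl_passwd so
# the credential lookup matches without relying on the hostname fallback.
# TLS and SASL settings for this hop are the smtp_* parameters below.
relayhost = [live.smtp.mailtrap.io]:587

# Relay policy: only SASL-authenticated clients may send to non-local
# domains; everyone else is refused before the recipient checks run.
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

# Cyrus SASL configuration directory (Debian policy: /etc/postfix/sasl).
# smtpd authenticates through Dovecot instead, but the Postfix SMTP client
# (relay authentication) still goes through the Cyrus library.
cyrus_sasl_config_path = /etc/postfix/sasl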
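# SMTP server TLS (inbound on port 25 and, through master.cf, port 465).
# Let's Encrypt key and full chain; the key must stay readable by root only.
smtpd_tls_key_file = /etc/letsencrypt/live/ctq.ro/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/ctq.ro/fullchain.pem
# Opportunistic TLS on port 25 (MTA-to-MTA mail must still be accepted in
# clear), but AUTH is only announced inside a TLS session, so user passwords
# never cross the wire unencrypted.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Client-certificate authentication is not in use; the two settings are kept
# commented for the day the local CA is wired in.
#smtpd_tls_CAfile = /etc/ssl/orion-ca/ca.crt
#tls_append_default_CA = no
# Listen on every interface (both address families, see inet_protocols).
inet_interfaces = all

# Protocol floor: TLS 1.2 for opportunistic *and* mandatory TLS. The previous
# split (">=TLSv1" opportunistically, TLS 1.0/1.1 excluded only for mandatory
# TLS) let a port-25 client negotiate TLS 1.0 and then AUTH inside it, since
# smtpd_tls_auth_only only requires "some" TLS. Postfix >= 3.6 syntax, which
# this file already relied on.
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2

# Cipher exclusions (TLS 1.2 and below; TLS 1.3 keeps OpenSSL's own suite
# list). "RSA+AES" was replaced by "kRSA": in OpenSSL's cipher syntax RSA
# matches suites that use RSA for key exchange OR authentication, so RSA+AES
# also excluded ECDHE-RSA-AES*-GCM, the very suites an RSA certificate should
# be negotiating, leaving TLS 1.2 clients ChaCha20 only. kRSA excludes only
# static-RSA key exchange (no forward secrecy), which is presumably what was
# intended. ECDSA stays excluded as before; it is only relevant if an ECDSA
# certificate is ever added. Verify the effective list with
# "openssl ciphers -v" before relying on it.
smtpd_tls_exclude_ciphers = aNULL, eNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES, kRSA
# Server-side cipher preference, not the client's.
tls_preempt_cipherlist = yes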
# Sender and recipient restrictions
# Maps an envelope sender to the SASL login that owns it; see
# /etc/postfix/login_maps.pcre (localpart@ctq.ro -> localpart).
smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
# reject_sender_login_mismatch is evaluated first, so a MAIL FROM @ctq.ro is
# refused unless the client is SASL-logged-in as that user. This is the port-25
# anti-spoofing rule. Note it also hits unauthenticated clients in $mynetworks
# (loopback): a local program submitting over SMTP with an @ctq.ro sender is
# rejected. If that is needed, use reject_authenticated_sender_login_mismatch
# here instead, which only binds authenticated clients to their own address.
smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
# Authenticated and loopback clients pass; then relay attempts are refused and
# recipients in domains that do not resolve are rejected.
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
# Connection init restrictions
# HELO/EHLO is mandatory; strangers must present a syntactically valid, fully
# qualified, resolvable name. reject_unknown_helo_hostname is the strict one:
# it also turns away legitimate senders whose HELO name has no A/MX record or
# whose DNS is temporarily broken. Consider warn_if_reject in front of it, or
# dropping it, if inbound mail goes missing.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
# Outside TLS: no anonymous and no plaintext mechanisms (with smtpd_tls_auth_only
# AUTH is not offered there anyway). Inside TLS: plaintext mechanisms such as
# PLAIN/LOGIN are allowed, which is presumably what Dovecot is configured to offer.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Authenticate users via dovecot
# smtpd_sasl_path is relative to the Postfix queue directory, i.e. Dovecot must
# create its auth socket at /var/spool/postfix/private/auth.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
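# SMTP client (this host -> smarthost).
# Trust store for verifying the relay's certificate. A CAfile is preferred
# over CApath because the Debian smtp client runs chrooted and the single
# file is read before entering the chroot.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Every outbound message goes to the relayhost with a PLAIN password, so TLS
# must be mandatory, not opportunistic: with "may", a failed or actively
# stripped STARTTLS would have sent the credentials in clear. "encrypt"
# requires TLS but does not verify the certificate; raise it to "secure" once
# you have confirmed the relay's certificate chains to $smtp_tls_CAfile and
# carries the relayhost name.
smtp_tls_security_level = encrypt
# TLS 1.2 floor for both opportunistic and mandatory TLS (the old ">=TLSv1"
# opportunistic setting is moot now that TLS is mandatory, but keep them in
# agreement).
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
# Relay authentication through the Cyrus SASL client, PLAIN only, credentials
# from /etc/postfix/sasl_passwd. noplaintext outside TLS is a second guard:
# if TLS is somehow not established, no mechanism remains and the message is
# deferred instead of the password being sent in clear.
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Session cache so repeated connections to the relay can resume TLS.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache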
# User mail directory
# Maildir under ~/Mail/Inbox/ (the trailing slash selects maildir format).
# Not used while mailbox_command (Dovecot deliver, above) is set; kept so
# delivery still has a sane target if that command is ever removed.
home_mailbox = Mail/Inbox/
# Filter headers for privacy with regex
# NOTE(review): a header_checks table in main.cf is applied by cleanup(8) to
# ALL mail, inbound mail from the Internet included, and this table removes
# every Received: header. That destroys the hop trail needed for abuse and
# forensic analysis and likely interferes with Postfix's mail-loop detection
# (hopcount_limit counts Received: headers). Scope it to authenticated
# submission instead: a dedicated cleanup service in master.cf carrying
# "-o header_checks=regexp:/etc/postfix/header_checks", selected from the
# submissions service with "-o cleanup_service_name=subcleanup", and then
# remove this line.
header_checks = regexp:/etc/postfix/header_checks
/etc/postfix/master.cf
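# SMTP SUBMISSIONS - port 465 (implicit TLS, smtpd_tls_wrappermode). Only
# SASL-authenticated clients are accepted, and each may send only as the
# address its login owns. The "-o" continuation lines must be indented;
# master.cf treats an unindented "-o" as the start of a new (broken) entry,
# and indentation is easily lost when copy-pasting.
submissions inet n - y - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,reject_unlisted_sender
  -o cleanup_service_name=subcleanup
# The sender-restrictions override above previously contained only
# reject_unlisted_sender. Because a "-o" replaces the main.cf value wholesale,
# that dropped reject_sender_login_mismatch on this port, so any authenticated
# user could put any colleague's @ctq.ro address (or an arbitrary external one)
# in MAIL FROM; the smtpd_sender_login_maps override was doing nothing.
# reject_sender_login_mismatch restores the login-to-sender binding.
#
# Dedicated cleanup for submissions so the privacy header_checks (which drop
# Received: and X-Originating-IP:) apply only to mail our own users send, not
# to inbound mail arriving on port 25. Once this is in place the global
# header_checks setting in main.cf should be removed.
subcleanup unix n - y - 0 cleanup
  -o syslog_name=postfix/subcleanup
  -o header_checks=regexp:/etc/postfix/header_checks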
/etc/postfix/header_checks
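# Privacy scrubbing for mail submitted by our own users (regexp table).
# One pattern per line: two rules written on a single line are not parsed as
# two rules, the second one simply becomes garbage after the first action.
# Drops the MUA's hop trail and the webmail client-IP header before the
# message leaves. Do not apply this table to inbound mail.
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE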
/etc/postfix/login_maps.pcre
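# Maps an envelope sender address to the SASL login that may use it.
# Postfix pcre tables match case-insensitively by default, so User@CTQ.RO
# matches too. (.+) rather than (.*): an empty local part must never map to
# an empty login name. NOTE(review): this assumes Dovecot logins are the bare
# local part; if users log in as user@ctq.ro the right-hand side has to
# produce the full address instead. Verify against the Dovecot auth setup.
/^(.+)@ctq\.ro$/ ${1}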
Configure aliases database:
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Add entries to /etc/aliases (the file named in alias_maps), one per line in the format original: alias.
You should have at least an alias for root, since mailbox_command is set and root's mail must go to a real user.
After each edit run newaliases (equivalent to postalias /etc/aliases) to rebuild /etc/aliases.db. Do not run postalias on /etc/postfix/aliases: that builds a database Postfix never reads, and the change silently has no effect.
Use a smarthost for outbound mail when outbound port 25 is blocked (common on consumer and cloud networks). Because the relay login is a plaintext password, make TLS to the relay mandatory, not opportunistic.
# A host to send "other" mail to; brackets disable MX lookup
relayhost = [relay.smtp.example.com]:587
# Relay credentials. "hash:" is the Postfix lookup-table type (Berkeley DB),
# not password hashing: the .db file contains the password in clear.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Require TLS to the relay so the PLAIN password is never sent in clear
smtp_tls_security_level = encrypt
# Relay restrictions
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
Create /etc/postfix/sasl_passwd as root with mode 0600 before writing the password into it, and use the same destination form as relayhost as the key, one line: [relay.smtp.example.com]:587 RLUSER:RLPASSWD
Build the lookup table with postmap hash:/etc/postfix/sasl_passwd; this writes /etc/postfix/sasl_passwd.db.
The .db holds the password in clear exactly like the text file, so what actually protects the credential is chmod 0600 and root ownership on both (chmod 0600 /etc/postfix/sasl_passwd*). You may delete the text file afterwards, but then it has to be recreated to rotate the password; keeping it at 0600 is the usual choice.
Finally run systemctl reload postfix. A reload picks up main.cf and master.cf changes; a full restart is only needed when inet_interfaces or inet_protocols change.