# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/thunix.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/thunix.net/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = thunix.net 

mydomain = thunix.net

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

#myorigin = /etc/mailname
myorigin = $mydomain

mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost, thunix.cf
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
#inet_protocols = ipv4

home_mailbox = Maildir/

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

# Enforce the requirement for a helo to be sent for each message
smtpd_helo_required = yes

# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain

#Allow ONLY authenticated users to send email
smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_invalid_hostname,
 reject_unauth_pipelining,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_unknown_reverse_client_hostname,
 check_policy_service unix:private/policyd-spf,
 reject_rbl_client bl.fmb.la=127.0.1.[24;25;26;27;28],
 reject_rbl_client spam.dnsbl.anonmails.de,
 reject_rbl_client uribl.abuse.ro,
 reject_rbl_client all.spamrats.com,
 reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client xbl.spamhaus.org,
 reject_rbl_client pbl.spamhaus.org,
 reject_rbl_client blackholes.tepucom.nl,
 reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
 reject_rbl_client truncate.gbudb.net,
 reject_rhsbl_sender dbl.spamhaus.org

policyd-spf_time_limit = 3600

milter_protocol = 2
milter_default_action = accept

#smtpd_milters = inet:localhost:12301
#non_smtpd_milters = inet:localhost:12301

# message delivery requests that any client is allowed (50/hr)
smtpd_client_auth_rate_limit = 50
anvil_rate_time_unit = 60m