From 089d677fe78dde98972f58afe2195f2f183334cc Mon Sep 17 00:00:00 2001
From: Adrian
Date: Fri, 16 Apr 2021 00:16:50 +0200
Subject: [PATCH 1/2] Reorder some postfix config parameters
---
 mail/postfix/main.cf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/mail/postfix/main.cf b/mail/postfix/main.cf
index 4fc969c..e1fc9a1 100644
--- a/mail/postfix/main.cf
+++ b/mail/postfix/main.cf
@@ -5,9 +5,14 @@ compatibility_level = 2
 disable_vrfy_command = yes
 mailbox_size_limit = 0
 message_size_limit = 0
-mydomain = local
 mynetworks_style = subnet
+# Custom
+
+mydomain = local
+recipient_delimiter = +
+smtp_helo_name = mail.example.com
+
 # TLS
 smtp_tls_security_level = may
@@ -16,12 +21,11 @@ smtpd_tls_key_file = /data/ssl/certs/mail.example.com/privkey.pem
 smtpd_tls_cert_file = /data/ssl/certs/mail.example.com/fullchain.pem
 tls_server_sni_maps = hash:/etc/postfix/sni.cf
-# Custom
+# Setup
 relay_domains = sqlite:/etc/postfix/relay.cf
 transport_maps = sqlite:/etc/postfix/transport.cf
-recipient_delimiter = +
 virtual_mailbox_base = /data/mail/mail
 virtual_uid_maps = static:2000
 virtual_gid_maps = static:2000
From 6c83ab224d1ada79bfae31eb58fcc948b5765377 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Fri, 16 Apr 2021 00:19:24 +0200
Subject: [PATCH 2/2] Harden postfix config
---
 mail/postfix/main.cf | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/mail/postfix/main.cf b/mail/postfix/main.cf
index e1fc9a1..2ec11c3 100644
--- a/mail/postfix/main.cf
+++ b/mail/postfix/main.cf
@@ -23,6 +23,8 @@ tls_server_sni_maps = hash:/etc/postfix/sni.cf
 # Setup
+smtpd_tls_received_header = yes
+
 relay_domains = sqlite:/etc/postfix/relay.cf
 transport_maps = sqlite:/etc/postfix/transport.cf
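Review bot: In the first hunk of [PATCH 1/2], `smtp_helo_name = mail.example.com` is a new parameter rather than a moved one, so a commit titled as a reorder also changes what the SMTP client announces in HELO/EHLO. It would be easier to audit as its own commit, or at least named in the commit message. A comment above it such as `# HELO name for outbound SMTP; keep in sync with this host's public A and PTR records` would record the constraint; whether mail.example.com matches the host's reverse DNS cannot be seen from the patch.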
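Review bot: In the first hunk of [PATCH 2/2], `smtpd_tls_received_header = yes` lands under `# Setup` although the file keeps its TLS parameters in the `# TLS` block shown in [PATCH 1/2]; placing it next to `smtpd_tls_cert_file` would keep the TLS settings reviewable in one place. A comment such as `# adds protocol/cipher to Received:; only the header written by this server is trustworthy` would help, because Received headers from earlier hops can be altered in transit and should not feed filtering decisions.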
@@ -37,10 +39,13 @@ virtual_mailbox_limit = 0
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
-smtpd_sender_restrictions = reject_sender_login_mismatch
 smtpd_sender_login_maps = sqlite:/etc/postfix/login.cf, $virtual_alias_maps
+smtpd_delay_reject = no
+smtpd_hard_error_limit = 1
+smtpd_client_restrictions = reject_unknown_reverse_client_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch
+smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access.cf
+
 smtpd_milters = unix:private/opendkim
 non_smtpd_milters = $smtpd_milters
-
-smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access.cf
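Review bot: `smtpd_client_restrictions = reject_unknown_reverse_client_hostname` combined with `smtpd_delay_reject = no` is evaluated at connect time, before AUTH, so a submission client on an address without a PTR record is refused before it can authenticate. The `smtpd_sasl_auth_enable = yes` context line suggests this instance accepts authenticated submissions, unless master.cf (not shown) overrides the list per service. Leaving `smtpd_delay_reject` at its default and writing `smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_reverse_client_hostname` keeps the PTR check for unauthenticated peers, and the reject log line then also carries sender and recipient for later triage. `smtpd_hard_error_limit = 1` appears to drop the session at or right after the first error, so one mistyped recipient from a legitimate sender disconnects them; a comment stating why that value was chosen would help.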