aports/config/postfix/main.cf

compatibility_level = 3.6

# General
smtpd_banner = $myhostname ESMTP RedXen Mail. DO NOT MESS WITH US OR WE WILL CUT YOUR BALLS OFF!
mail_name = RedXen Mail Postfix

inet_interfaces = all
inet_protocols = all

myorigin = redxen.eu
myhostname = mail.$myorigin
mydomain = $myorigin
mydestination = $myorigin
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

relayhost =
relay_domains = $mydestination

virtual_alias_domains = $myorigin, mail.ripped-condoms.$myorigin
virtual_alias_maps = proxy:pgsql:/etc/redxen/postfix/pgsql-aliases.cf, inline:{@mail.ripped-condoms.$myorigin=caskd}

local_transport = lmtp:unix:/run/dovecot/lmtp
smtpd_sender_login_maps = proxy:pgsql:/etc/redxen/postfix/pgsql-users.cf
local_recipient_maps = $smtpd_sender_login_maps $alias_maps

biff = no
append_dot_mydomain = no
delay_warning_time = 1h
readme_directory = no
mailbox_size_limit = 0
recipient_delimiter = +
notify_classes = resource, software, bounce
smtpd_helo_required = yes
smtpd_delay_reject = yes

# SMTP TLS
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/redxen/letsencrypt/chain.crt
smtpd_tls_key_file = /etc/redxen/letsencrypt/private.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3

# Restrictions
smtpd_sender_restrictions    = reject_known_sender_login_mismatch,
                               permit_sasl_authenticated,
                               check_sender_access inline:{{$myorigin=553 not logged in}},
                               reject_invalid_helo_hostname,
                               reject_unknown_sender_domain
smtpd_relay_restrictions     = permit_sasl_authenticated,
                               reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               reject_unverified_recipient
smtpd_data_restrictions      = reject_unauth_pipelining
smtpd_helo_restrictions      = reject_invalid_helo_hostname

# Dovecot auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /run/dovecot/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myorigin

# OpenDKIM & RSpamD
milter_protocol = 6
milter_default_action = tempfail
internal_mail_filter_classes =

smtpd_milters = inet:rspamd.routinginfo.internal:7510 $non_smtpd_milters
non_smtpd_milters = inet:opendkim.routinginfo.internal:7514

# Caching
address_verify_negative_cache = yes
address_verify_negative_expire_time = 1d
address_verify_negative_refresh_time = 5m