Postfix Configuration Checklist


Overview

This is my checklist for setting up a mail server with the Postfix MTA, kept here for quick reference. Make sure you understand what each option actually does before enabling it.

postfix/main.cf

#
# Core identity, trust and relay settings
#

# Host and domain identity; $name expands another main.cf parameter.
myhostname = godzilla.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain

# Trust scope used by permit_mynetworks: "host" trusts only this machine.
# The commented alternatives widen that scope; every client they cover is
# allowed to relay, so keep any explicit mynetworks list as narrow as possible.
mynetworks_style = host
#mynetworks_style = subnet
#mynetworks = 127.0.0.1/32 192.168.1.0/24 [::1/128]

# All outbound mail is handed to the ISP smarthost. Written without
# [brackets], the name is subject to MX lookup; [relay.my-isp.com] would
# pin delivery to that host's address records.
relayhost = relay.my-isp.com

# Rewrite sub-domain sender addresses to the bare domain, except for the
# listed local accounts.
masquerade_domains = mydomain.com
masquerade_exceptions = root,mailer-daemon,shanu

# Listen only on the host's own address and loopback.
inet_interfaces = $myhostname, localhost

# No biff notifications; greeting banner shows the hostname only, not the
# software name or version.
biff = no
smtpd_banner = $myhostname ESMTP

# Local alias lookup table and the database rebuilt by newaliases.
alias_maps = hash:/usr/local/etc/postfix/aliases
alias_database = hash:/usr/local/etc/postfix/aliases

#
# RESTRICTIONS
# Anti-spam checks and smtpd restrictions
#

# Protocol strictness: clients must send HELO/EHLO, envelope addresses must
# follow RFC 821 syntax, and VRFY is switched off so that it cannot be used
# to test which addresses exist.
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

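#
# SMTPD RESTRICTIONS
#
# Multi-line values: every continuation line must begin with whitespace.
# A line that starts in column 0 begins a new main.cf entry instead of
# extending the list above it.
#
# A bare type:table entry is short-hand for the access check that belongs to
# the list it appears in. NOTE(review): the explicit forms are
# check_sender_access, check_recipient_access and check_client_access;
# confirm which form your Postfix version expects.
#

# sender restrictions
smtpd_sender_restrictions =
    hash:/usr/local/etc/postfix/access,
    reject_unknown_sender_domain

# recipient restrictions
# NOTE(review): the access map is consulted before reject_unauth_destination,
# so an OK result from the map accepts the recipient before the relay check
# runs. Keep only reject-type entries in this map, or move the lookup after
# reject_unauth_destination.
# NOTE(review): smtpd_sasl_auth_enable is switched on further down, but this
# list has no permit_sasl_authenticated, so authenticated clients outside
# mynetworks are still limited to local destinations. Confirm that is intended.
smtpd_recipient_restrictions =
    hash:/usr/local/etc/postfix/access,
    permit_mynetworks,
    reject_unauth_destination

# client restrictions
smtpd_client_restrictions = hash:/usr/local/etc/postfix/access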

#
# Header and body pattern checks (regular-expression tables)
#

# Each message header line / body line is matched against the patterns in
# these files. Test new patterns before deploying them: an over-broad
# expression rejects or discards legitimate mail.
header_checks = regexp:/usr/local/etc/postfix/header_checks
body_checks = regexp:/usr/local/etc/postfix/body_checks

#
# DELIVERY MECHANISMS
# Maildirs, maildrop, cyrus-imap etc
#
# home_mailbox, mailbox_command and mailbox_transport (below) are alternative
# local delivery methods. If several are left enabled, mailbox_transport takes
# precedence over mailbox_command, which takes precedence over home_mailbox.
# Enable only the one you actually use.
#

# Maildir
# Trailing slash selects maildir format under the recipient's home directory.
home_mailbox = Maildir/
# maildrop delivery
# The command is run once per recipient by the local delivery agent.
mailbox_command = /usr/local/bin/maildrop -w 50
# One delivery at a time per local recipient.
local_destination_concurrency_limit = 1

#
# MAILBOX TRANSPORTS
#

# cyrus-imap delivery
# Hands local mail to the Cyrus LMTP server over a UNIX-domain socket.
# NOTE(review): access to that socket is controlled by filesystem permissions
# on /var/imap/socket; confirm only the mail system can connect to it.
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
local_destination_recipient_limit = 300
# Same parameter as in the maildrop section above. When a parameter appears
# more than once in main.cf the last value wins, so with both sections
# active the effective limit is 5.
local_destination_concurrency_limit = 5

#
# MAIL QUOTAS AND LIMITS
#
# Size limits bound how much disk a single message or mailbox can consume.
#

# individual quota map file
# NOTE(review): virtual_mailbox_limit_maps does not look like a stock Postfix
# parameter; presumably it comes from a quota patch (VDA) - confirm that your
# build supports it, otherwise the setting is ignored.
virtual_mailbox_limit_maps = hash:/usr/local/etc/postfix/vquota
# Both values are in bytes. mailbox_size_limit must not be smaller than
# message_size_limit.
mailbox_size_limit = 51200000
message_size_limit = 10240000


#
# CONTENT FILTERING
#

# Amavis
# Every queued message is handed to the smtp-amavis transport (defined in
# master.cf) on loopback port 10024. The filter must return mail through a
# listener that has content_filter switched off, otherwise mail loops.
content_filter = smtp-amavis:[127.0.0.1]:10024
# Global setting, not specific to the filter: the number of connections a
# Postfix daemon process handles before it exits and is replaced.
max_use = 10

# keep copies of all mails
# Every message that enters the queue is also delivered to "snoopy".
# Restrict access to that mailbox and plan for its growth.
always_bcc = snoopy

#
# SMTP SASL AUTHENTICATION
#
# smtpd_* parameters configure this server authenticating its clients;
# smtp_* parameters configure Postfix authenticating itself to a remote
# server (for example the relayhost).
#

# Server side: offer AUTH to connecting clients
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
# Client side: per-server credentials. The table holds passwords in clear
# text, so keep the source file and its .db readable by root only.
# NOTE(review): smtp_sasl_auth_enable is not set anywhere in this listing;
# without it the smtp_sasl_* settings here presumably have no effect.
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/saslpass
# Compatibility switch for old clients that expect the non-standard
# "AUTH=" form of the AUTH announcement.
broken_sasl_auth_clients = yes
# Client side: never use a mechanism that sends the password in clear text.
smtp_sasl_security_options = noplaintext

#
# TLS
#
# smtp_* = Postfix as a client (outbound), smtpd_* = Postfix as a server.
#

# Use STARTTLS when the peer offers it, in both directions. This is
# opportunistic: a session falls back to clear text when TLS is not offered.
# NOTE(review): later Postfix releases express this with
# smtp_tls_security_level / smtpd_tls_security_level; check which form your
# version documents.
smtp_use_tls = yes
smtpd_use_tls = yes
# Log remote servers that offer STARTTLS.
smtp_tls_note_starttls_offer = yes
# Server certificate chain and private key. The key file must be readable
# by root only.
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/MYca.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/MYcert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/MYkey.pem
# Log a summary of each TLS handshake and record TLS details in the
# Received: header.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Offer AUTH only after STARTTLS, so that credentials are never sent over
# an unencrypted session.
smtpd_tls_auth_only = yes


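#
# LDAP lookups
#
# In-main.cf LDAP source definition: every parameter carries the source name
# ("localhost") as its prefix.
# NOTE(review): no table in this listing refers to this source; presumably
# it is used elsewhere as ldap:localhost - confirm.
# NOTE(review): no bind credentials are set here, so lookups presumably use
# an anonymous bind - confirm the directory ACLs allow only what is needed.
#

localhost_server_host = localhost
# Parameter name corrected from "lccalhost_timeout", which does not match
# the source-name prefix used by every other line in this section.
localhost_timeout = 10
localhost_search_base = dc=godzilla,dc=mydomain,dc=com
localhost_scope = sub
# %s is replaced by the address being looked up.
localhost_query_filter = (&(objectClass=qmailUser)(mail=%s))
localhost_result_attribute = mailForwardingAddress
localhost_ldap_domain = godzilla.mydomain.com
localhost_ldap_cache = yes
# Verbose LDAP debugging; lower this once the lookups work, because the
# extra output lands in the mail log.
localhost_debuglevel = 3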

postfix/master.cf

#
# The amavis interface
#
# Columns: service type private unpriv chroot wakeup maxproc command.
# Option overrides use -o name=value with no spaces around "=".
#

# Outbound leg: the transport named by content_filter in main.cf. At most
# 2 delivery processes, chrooted.
# NOTE(review): the command is lmtp, but the timeout override below uses an
# smtp_-prefixed parameter; confirm it applies to the lmtp client in your
# Postfix version (an lmtp_-prefixed equivalent may be needed).
smtp-amavis unix - - y - 2 lmtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes

# Return leg: amavis re-injects filtered mail here. content_filter is empty
# so mail is not filtered again, and the other restriction lists are emptied
# because the mail was already checked on the way in.
# The listener is bound to 127.0.0.1 and accepts only loopback clients
# (mynetworks=127.0.0.0/8 with permit_mynetworks,reject). Any local process
# that can connect to this port submits mail that skips the content filter
# and the main.cf restrictions, so keep the address on loopback and limit
# who has local access to the host.
127.0.0.1:10025 inet    n       -       y       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes