containers/postfix/config/main.cf

myhostname = smtp.balsillie.net
mydomain = balsillie.net
myorigin = $mydomain
mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.0/24
mydestination = $myhostname localhost

biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = no
compatibility_level = 3.6

header_checks = pcre:/config/header_checks.pcre

inet_interfaces = all
inet_protocols = ipv4

lmtp_tls_loglevel = 1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_security_level = none
lmtp_tls_wrappermode = no
lmtp_use_tls = no

local_recipient_maps =
local_transport = local:$myhostname

mailbox_size_limit = 51200000
maillog_file = /dev/stdout
maximal_queue_lifetime = 1d
message_size_limit = 51200000
mime_header_checks = $header_checks

# Milters
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:127.0.0.1:8891
# dmarc_milter = inet:localhost:8893
# smtpd_milters = $dkim_milter,$dmarc_milter
smtpd_milters = $dkim_milter
non_smtpd_milters = $dkim_milter

postscreen_access_list =
postscreen_denylist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_allowlist_threshold = -1
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.1.[2..254]*3,
    ix.dnsbl.manitu.net*3,
    bl.spamcop.net,
    b.barracudacentral.org,
    safe.dnsbl.sorbs.net,
    swl.spamhaus.org*-10,
postscreen_dnsbl_threshold = 3
postscreen_greet_action = ignore
postscreen_greet_banner =
postscreen_upstream_proxy_protocol =

# proxy_interfaces = x.x.x.x # Set with postconf during startup
recipient_delimiter = +
relay_domains =
relayhost =
sender_dependent_relayhost_maps =

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane

smtpd_banner = $myhostname ESMTP

# SASL - SMTPS sasl settings specified in master.cf

smtpd_sasl_auth_enable = no

# SMTPD restrictions

smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_client_restrictions = reject_unknown_client_hostname
smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_relay_restrictions = permit_auth_destination, reject_unauth_destination
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce

# client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
# helo , reject_rhsbl_helo dbl.spamhaus.org
# sender , reject_rhsbl_sender dbl.spamhaus.org

smtpd_tls_cert_file=/cert/tls.crt
smtpd_tls_key_file=/cert/tls.key
smtpd_tls_dh1024_param_file = /cert/dhparams.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = encrypt

tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION

unverified_recipient_reject_code = 577

virtual_alias_maps = ldap:/config/ldap_users.cf
virtual_mailbox_base =
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = $virtual_alias_maps
virtual_transport = lmtp:unix:private/dovecot-lmtp