biff                    = no
append_dot_mydomain     = no
delay_warning_time      = 4h

smtpd_banner            = $myhostname ESMTP $mail_name (Debian/GNU)
myhostname              = host.name.cz
alias_maps              = hash:/etc/aliases
alias_database          = hash:/etc/aliases
myorigin                = /etc/mailname
mydestination           = host.name.cz, localhost
relayhost               =
relay_domains           = $mydestination
mynetworks              = 127.0.0.0/8
mailbox_size_limit      = 1048576000
recipient_delimiter     = +
inet_interfaces         = all
content_filter          = smtp-amavis:[127.0.0.1]:10024

virtual_mailbox_base    = /var/mail
virtual_mailbox_maps    = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps        = mysql:/etc/postfix/mysql_uid.cf
virtual_gid_maps        = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_alias_maps      = mysql:/etc/postfix/mysql_alias.cf
relocated_maps          = hash:/etc/postfix/relay_recipient.cf
transport_maps          = hash:/etc/postfix/transport.cf

# SASL
smtpd_sasl_auth_enable      = yes
broken_sasl_auth_clients    = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain     = $myhostname


## TLS
smtpd_tls_security_level = may
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file       = /etc/postfix/postfix.pem
smtpd_tls_key_file       = /etc/postfix/ssl/mail.host.cz.key
#smtpd_tls_cert_file      = /etc/postfix/postfix_signed.pem
smtpd_tls_cert_file      = /etc/postfix/ssl/host_name_cz.crt
#smtpd_tls_CAfile         = /etc/postfix/cacert.pem
smtpd_tls_CAfile         = /etc/postfix/ssl/AddTrustExternalCARoot.crt
smtpd_tls_loglevel       = 1
smtpd_tls_ask_ccert      = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


# SETUPTEST
soft_bounce = no

# MAIL FITER
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes

smtpd_helo_restrictions =
        permit_mynetworks
#       reject_non_fqdn_hostname
        reject_invalid_hostname
        permit

smtpd_client_restrictions =
        permit_mynetworks

smtpd_sender_restrictions =
        permit_sasl_authenticated
        permit_mynetworks

smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_invalid_hostname
        reject_unauth_destination
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
#       reject_non_fqdn_hostname
#       reject_non_fqdn_sender
#       reject_non_fqdn_recipient
#       check_sender_access hash:/etc/postfix/whitelist_sender
        check_client_access hash:/etc/postfix/whitelist_client
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client bl.spamcop.net
        reject_rbl_client dnsbl.dronebl.org
        reject_rbl_client dnsbl.njabl.org
        permit
        # grey list
	#check_policy_service inet:127.0.0.1:60000
unknown_local_recipient_reject_code = 450

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
message_size_limit = 26214400