
## maddy 0.1 - default configuration file (2020-02-15T12:39Z)
# Suitable for small-scale deployments. Uses its own format for the local users DB,
# which should be managed via the maddyctl utility.
#
# See tutorials at https://foxcpp.dev/maddy for guidance on typical
# configuration changes.
#
# See manual pages (also available at https://foxcpp.dev/maddy) for reference
# documentation.
# ----------------------------------------------------------------------------
# Base variables
# Both values are placeholders: replace them with the real server hostname
# and mail domain before deployment. $(hostname) is also the value of the
# `hostname` directive further down and selects the certificate directory
# in `tls`; $(local_domains) lists every domain this server accepts mail for.
$(hostname) = example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)
# Server certificate chain and private key used by every TLS-capable endpoint
# below. NOTE(review): keep privkey.pem readable only by the maddy user;
# the expected file mode is not stated here — confirm against the manual.
tls /etc/maddy/certs/$(hostname)/fullchain.pem \
    /etc/maddy/certs/$(hostname)/privkey.pem
# ----------------------------------------------------------------------------
# Local storage & authentication
# One SQLite database backs both the mailbox store (local_mailboxes) and the
# credential store (local_authdb) that the submission and IMAP endpoints
# authenticate against. `all.db` is a relative path — NOTE(review):
# presumably resolved against maddy's state directory; confirm, and keep the
# file unreadable to other local users since it holds the credential records.
sql local_mailboxes local_authdb {
    driver sqlite3
    dsn all.db
}
# ----------------------------------------------------------------------------
# Policies
# Cheat sheet:
# Remote sender => local recipient
# - inbound_limits
# - inbound_checks
# - inbound_modifiers
# - local_checks
# - local_modifiers
# Local sender => local recipient
# - local_limits
# - local_checks
# - local_modifiers
# Local sender => remote recipient
# - outbound_checks
# - outbound_modifiers
# - outbound_limits
limits inbound_limits {
    # Applied to the unauthenticated port-25 endpoint (`limits &inbound_limits`
    # below). Up to 20 msgs/sec across max. 10 SMTP connections, which bounds
    # the resource cost of a flood from remote senders.
    all rate 20 1s
    all concurrency 10
}
checks inbound_checks {
    # Sender-validation checks for mail arriving on port 25 from remote hosts.
    # As their names suggest, the first two refuse clients whose EHLO name or
    # sender domain does not check out in DNS — NOTE(review): both can reject
    # misconfigured-but-legitimate senders; see maddy-filter(5) for the exact
    # reject/quarantine behaviour before relying on them.
    require_matching_ehlo
    require_mx_record
    # DKIM and SPF evaluation. The `dmarc yes` setting on the smtp endpoint
    # presumably consumes these results, since DMARC is built on them.
    verify_dkim
    apply_spf
}
# Intentionally empty: remote-originated mail gets no rewriting of its own;
# the local_modifiers set (postmaster, plus-addressing, aliases) runs after it.
modifiers inbound_modifiers { }
limits local_limits {
    # Applied to the authenticated submission endpoint (`limits &local_limits`).
    # Up to 50 msgs/sec across any number of SMTP connections; no concurrency
    # cap, unlike inbound_limits.
    all rate 50 1s
}
# Empty placeholder run on every path that ends in a local mailbox (inbound
# port 25, submission, and bounces); add checks here to cover all three at once.
checks local_checks { }
modifiers local_modifiers {
    # Applied to every message bound for a local mailbox, whatever its origin
    # (inbound port 25, submission, and bounces). NOTE(review): rules are
    # presumably applied in the order listed — the postmaster rewrite is placed
    # first so the bare address is already qualified when the later rules run.
    # <postmaster> address without domain is the standard (RFC 5321) way
    # to contact the server owner, so redirect it to a real address we
    # can handle.
    replace_rcpt postmaster postmaster@$(primary_domain)
    # Implement plus-address notation: keep the local part ($1) and domain ($3)
    # and drop the "+tag" ($2). The first group is greedy, so a local part with
    # several '+' characters loses only the last tag.
    replace_rcpt /(.+)\+(.+)@(.+)/ $1@$3
    # Resolve aliases using text map file. See alias_file section
    # in maddy-filter(5) for details.
    alias_file /etc/maddy/aliases
}
limits outbound_limits {
    # Applied to the `remote` target inside remote_queue. Up to 20 msgs/sec
    # across max. 10 SMTP connections for each recipient domain, so one busy
    # destination cannot starve deliveries to the others and this host does
    # not look like a flood source to any single receiving MX.
    destination rate 20 1s
    destination concurrency 10
}
# Empty placeholder run on authenticated submission traffic just before it is
# handed to remote_queue; the natural place for outbound content checks.
checks outbound_checks { }
modifiers outbound_modifiers {
    # DKIM-sign mail leaving via the submission endpoint's relay path for
    # $(primary_domain). NOTE(review): the second argument is presumably the
    # selector name; the signing key location is not visible in this file and
    # the matching public key must be published in DNS for signatures to verify.
    # Bounces (queue `bounce` block) do not pass through here and are unsigned.
    sign_dkim $(primary_domain) default
}
mx_auth outbound_auth {
    # How the receiving MX is authenticated before mail is handed over
    # (`mx_auth &outbound_auth` in remote_queue). NOTE(review): policy sources
    # are presumably consulted in the order listed — confirm in the manual.
    # DANE relies on TLSA records, so it only protects domains that are
    # DNSSEC-signed and only if the resolver validates DNSSEC — confirm the
    # resolver setup, otherwise this line is effectively a no-op.
    dane
    mtasts {
        # On-disk MTA-STS policy cache; relative path, presumably under the
        # state directory.
        cache fs
        fs_dir mtasts_cache/
    }
    sts_preload {
        source eff # See https://starttls-everywhere.org
        # Apply testing-only entries as if they were enforced.
        enforce_testing yes
    }
    local_policy {
        # Fallback for domains with no DANE, MTA-STS or preload policy:
        # NOTE(review): "encrypted" presumably means TLS is required but the
        # peer certificate is not authenticated, and "none" means the MX
        # record itself is not authenticated — so for such domains an active
        # attacker on the path is not detected. Confirm the level names and
        # their meaning in the manual before tightening.
        min_tls_level encrypted
        min_mx_level none
    }
}
# ----------------------------------------------------------------------------
# SMTP endpoints + message routing
# The server's own name, taken from the base variable above. NOTE(review):
# presumably announced in EHLO/HELO and Received headers — confirm; it should
# resolve to this host so that remote sites applying checks like
# require_matching_ehlo accept our outbound connections.
hostname $(hostname)
smtp tcp://0.0.0.0:25 {
    # Unauthenticated MX endpoint on all interfaces. There is no `auth` here
    # and the only accepted destinations are postmaster and the local domains
    # (everything else is rejected with 550 below), so this port cannot act as
    # an open relay. STARTTLS on this port presumably uses the global `tls`
    # certificate.
    limits &inbound_limits
    # Evaluate DMARC for incoming mail (presumably from the DKIM/SPF results
    # produced by inbound_checks — confirm).
    dmarc yes
    # Remote clients claiming one of our own domains as sender are refused:
    # legitimate local senders must authenticate on the submission port, which
    # blocks the simplest form of sender-domain spoofing toward local users.
    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            # Anti-abuse checks run before any address rewriting, so the
            # checks see the recipient address exactly as the client gave it.
            check &inbound_checks
            check &local_checks
            modify &inbound_modifiers
            modify &local_modifiers
            deliver_to &local_mailboxes
        }
        default_destination {
            reject 550 5.1.1 "User not local"
        }
    }
}
submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
    # Authenticated MSA endpoint: implicit TLS on 465, STARTTLS-capable
    # plaintext on 587. NOTE(review): AUTH on an unencrypted 587 session is
    # only refused while maddy's `insecure_auth` option keeps its default of
    # off — confirm in maddy-smtp(5) if the tcp listener stays enabled.
    limits &local_limits
    auth &local_authdb
    # Only local sender domains are accepted after authentication. Nothing
    # visible here ties the envelope sender to the authenticated account —
    # NOTE(review): check whether the endpoint enforces that by default.
    source $(local_domains) {
        destination $(local_domains) {
            check &local_checks
            modify &local_modifiers
            deliver_to &local_mailboxes
        }
        # Relay path: the only route in this file that leads to remote_queue,
        # and it is reachable solely after successful authentication.
        default_destination {
            check &outbound_checks
            modify &outbound_modifiers
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}
queue remote_queue {
    # Outbound delivery queue, fed only by the submission endpoint. Remote
    # deliveries are rate-limited per destination domain and the receiving MX
    # is authenticated according to outbound_auth (DANE / MTA-STS / preload).
    target remote {
        limits &outbound_limits
        mx_auth &outbound_auth
    }
    # Domain used for messages maddy generates itself, i.e. the bounces below
    # — NOTE(review): presumably; confirm in the manual.
    autogenerated_msg_domain $(primary_domain)
    # Delivery-status notifications are delivered only to local mailboxes.
    # DSNs to remote addresses are refused, which keeps this host from
    # emitting backscatter when a queued message carried a forged return path.
    bounce {
        destination $(local_domains) {
            check &local_checks
            modify &local_modifiers
            deliver_to &local_mailboxes
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}
# ----------------------------------------------------------------------------
# IMAP endpoints
imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
    # Mailbox access: implicit TLS on 993, STARTTLS-capable plaintext on 143,
    # authenticating against the same credential store as submission.
    # NOTE(review): as with port 587, plaintext LOGIN on 143 depends on the
    # `insecure_auth` default staying off — confirm, or drop the tcp listener
    # if no client needs it.
    auth &local_authdb
    storage &local_mailboxes
}