Zarafa4h Instructions for Synology NAS

From Zarafa wiki


This article is a community contribution and includes features that are not supported by Zarafa support subscriptions. Please contact [email protected] before you deploy this setup in a commercial offering. See also #Support_disclaimer

The German Version of this Wiki is found here Zarafa4h_Anleitung_für_Synology_NAS



This page describes how to install Zarafa for Home on your Synology NAS. Additional information may be found in the Zarafa Support forum and in the official documentation.
Here you will find the Zarafa-Project page which holds several releases and the Docker-Image; if you like it please raise the recommendation level.
For the impatient, the signed package (SPK) is on Community Package Hub under Showcase. Note: there is no need to manually pull the Docker-Image as this is all done by the SPK.

What is Zarafa and why Synology Zarafa in a Box?

Zarafa is an Open Source Email & Collaboration Software. Store all your contacts, emails, notes and tasks on your Synology NAS. Zarafa has a powerful WebFrontend including Webmeetings and it provides Active Sync support to easily connect mobile devices.
It acts like an Exchange server to Microsoft Outlook or smartphones (sync all contacts / tasks etc.). POP3, IMAP, ICAL connections are also possible. Note: in order to send and receive emails, it is necessary to set up postfix and potentially fetch- / getmail.

Zarafa in a Box is an alternative approach to Julian Dohle's native cross-compiled Zarafa package for Synology with the aim to ship new releases faster via pre-compiled packages for Debian provided by Zarafa. This includes Zarafa Webmeetings which appears heavy for cross-compiling. Synology does not support Debian Package Manager (DPKG) so Docker or Debian-Chroot are used to run it hence 'running in a box'. 'Boxing it' has advantages of abstracting dependencies to Synology releases.
E.g. J.D.'s Zarafa will not run on DSM 6 unless the shipped PHP-Mapi is upgraded, since DSM 6 ships with PHP 5.6. Synology Zarafa in a Box does not have such dependencies: it runs on DSM 6 and provides NGINX support already with DSM 5.
In a Box aka Docker-Container means things are virtual and not as expected for directories, urls, ports etc. On Synology level /etc/zarafa4h is a softlink into the /var/package area which is then mounted to /etc/zarafa in the container. Urls or /webapp are virtual urls with redirect and reverse proxy to localhost:9443.

Support disclaimer

This article and the package are community contributions targeting Zarafa for Home distribution including features that are not supported by Zarafa support subscriptions. Please contact [email protected] before you deploy this setup in a commercial offering.
For example, the zarafa-backup command is a custom script specific to Synology for MySQL database full backup, restore and migration purposes, not to be confused with Zarafa Backup Plus, brick level backup etc.

See how to order Zarafa For Home for 0-EUR with limited time Outlook connector support (registration period expired post May-1'16). See also Zarafa community and Business model and Zarafa Kopano Roadmap.

On Synology level Zarafa is and always has been a 3rd Party package with respective support implication. It was promoted by Synology and put on their package area while it was maintained by individual enthusiasts.
Statements like 'help Synology Zarafa leaves us' found in forums are a mix of misunderstandings and urban legends despite the facts above.

For Synology specific support by the community please visit the GER or ENG Zarafa sections of Synology forums. For Z-Push specific topics there is a separate forum.
I would like to thank for the support from Zarafa aka Felix Bartels on the Docker and DPKG scripting side which was new land to me and without him we would not have this package.

Due to popular demand in several forums to reward the effort of scripting, testing, maintenance here is the Donate option to send virtual beers or wine to TosoBoso.

Release Status and planning

Zarafa4h is currently under build in status Beta-2 with a release candidate soon to come. There are known limitations and planned future enhancements as follows:

  • the admin GUI is in build and now works on DSM 6. In the meantime use #Zarafa Command-line Options
  • some plugins like dspam, 2-factor authentication, fail2ban for WebApp and Z-Push are planned for future releases
  • SSL certificates of Synology can be imported to the Zarafa4h webserver, but only in DSM 6.0; moving other services to SSL is in planning

Setup Types

Depending on your current situation you can setup Zarafa accordingly. You can access Zarafa via many different ways:

  • with Microsoft Outlook
  • via Active Sync with your Smartphone
  • via Zarafa WebApp
  • via POP3/IMAP Gateway of Zarafa
  • via ICal Gateway for calendar replication

Zarafa in a Box: Docker vs. Debian-Chroot

As Zarafa in a Box needs a container that understands DPKG to run in, there are two ways depending on your X86 CPU and Synology model:

  • Docker is the preferred way as it runs 64bit virtualisation, but Docker is only supported on certain Synology +-models
  • Debian-Chroot package from SynoCommunity as fallback for the others on 32bit (aka DS214play & DS215play)
  • note ARM is currently not supported and is unlikely to be in the future as pre-compiled packages by Zarafa do not exist

To find out what processor your current or planned future Synology is using and get it in line with the Zarafa4h X86 requirement see here in ENG or GER forum entry. The list of models with Docker support is as follows:

- RS2416RP+, RS2416+, RS18016xs+, DS916+, DS716+II, DS716+, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+,
- RS3614xs+, RS3614xs, RS3614RPxs,RS2414RP+, RS2414+, RS814RP+, RS814+, DS2413+, RS3413xs+, RS10613xs+, DS1813+, DS1513+, DS713+, 
- DS3612xs, RS3412xs, RS3412RPxs, RS2212RP+, RS2212+, DS1812+, DS1512+, RS812RP+,RS812+, DS412+, DS712+, 
- DS3611xs, DS2411+, RS3411xs, RS3411RPxs, RS2211RP+, RS2211+, DS1511+, DS411+II, DS411+, DS1010+, RS810RP+, RS810+, DS710+ 

We know there is a community of users on the cross-compiled ARM version of J.D.'s Zarafa for Synology but chances are they go the x86 migration path to Zarafa4h and stay on DSM 5 in the meantime.
There is no intention to leave people behind and I had a hard job to port Zarafa4h for Docker into a twin-setup supporting in parallel Debian-Chroot package for all X86 Synology models without Docker.
As outlined above the approach using Zarafa's compiled packages has a lot of advantages but comes at certain constraints. I cannot and will not cross-compile for ARM. Synology is unlikely to do either.
I have no Synology ARM model, but tests performed by others who sent me the chroot-zarafa-build.log reveal an unsupported platform: 'E: Unable to locate package zarafa-licensed' for apt-get install zarafa-licensed.

Zarafa with postfix and own domain

In this setup you are hosting your own domain (e.g. [email protected]) on Synology. Postfix SmtpD has to be configured to send and receive emails via port 25 exposed to the Internet. Zarafa sends emails to postfix and receives emails from postfix via the LMTP Delivery Agent. In case you are using a dynamic IP address you need to set up a relay host to avoid your mails being rejected as SPAM for coming from an unknown host (see #Configure Internal Postfix and #Configure Relayhost).


Zarafa with fetch-/getmail for IMAP / POP3 mailboxes

In this setup you have an email address from a provider (like [email protected] etc.). In this configuration either fetchmail or getmail receives your email from the provider's IMAP/POP3 mailbox and delivers it to Zarafa via dagent. Zarafa sends emails to postfix which delivers them to your provider's SMTP server, which is called the SMTP Relayhost (see #Configure Relayhost and #Configure Fetchmail). There is no need to expose port 25 and Postfix needs less strict settings (recipient_restrictions).


Installation of the SPK

Before you can install the SPK on your device, please make sure that you activated/installed the following prerequisites listed in section below. The installation / screenshots are based on DSM 5.2, as minimum DSM entry point however it is tested to run on DSM 6 too.

Upgrade instructions

  • Make a Backup of your important configuration files and MySQL Database (only in case something goes wrong). For your database you can use zarafa-backup: a tailored script for Synology
  • Simply install the new SPK which comes including Z-Push for synchronization to mobile devices, and Outlook if running out of 3 accounts incl. Support

Note: current versions of Zarafa4h v.0.5.x do not yet support upgrades as there have been major structural changes. In other words, the upgrade option will come soon with v.0.5.5.

Backup, Migration & Replication instructions

Scheduling Backups

It is recommended to set up scheduled backups of your Zarafa database, but be warned NOT to use the DSM embedded backup feature for MariaDB as it will stop all running services.


Instead create a scheduled task via the Control Panel with the command "zarafa-backup"; you can add the parameter "master" to make point-in-time recovery and replication possible (bin-log mode provided).


For migration Zarafa will upgrade the database automatically, with the constraint that there is no downgrade path. Having said that, there are 4 migration scenarios when coming from J.D.'s legacy Zarafa for Synology:

Bruce the Brave - straightforward

Bruce removes J.D.'s Zarafa which leaves the database orphaned on the box. Then Zarafa4h is installed selecting database 'zarafa'. Zarafa4h will take ownership to the database with dedicated user and upgrades it to the latest version. This usually works and all data is available.
However if something goes wrong, straightforward turns into fixing forward as there is no fallback. Going forward Bruce decides to run zarafa-backup each night just in case, to be fail-safe for upgrades, accidental deletion or other incidents.

Tom the Tester - parallel approach on same box

Tom runs J.D.'s Zarafa on a X86 Synology under DSM 5.2 and likes testing in parallel mode. He uses zarafa-backup to propagate data to Zarafa4h.

  • Install Zarafa4h into database 'zarafa4h'; Zarafa4h will stop the legacy Zarafa package and create an empty parallel install
  • Run from command-line <zarafa-backup> legacy (db-name & credentials are parsed from legacy Zarafa-cfg-file)
  • Run <zarafa-backup restore> which will ask for a reboot as the MySQL import settings are enhanced, and tell the latest mysqldump timestamp
  • <zarafa-backup restore> will tell the timestamp (e.g. 201604202200) to restore and ask for reboot first as mysql settings had been changed

This restore then runs into the new Zarafa4h database (target and credentials from the Zarafa4h-cfg-file) and this procedure can be repeated. Both Zarafas cannot be run at the same time, and it is important that when running Zarafa4h the Synology mail server Postfix SMTP is stopped to keep port 25 available.

Tim the Tidy - migration on new box with fallback

Tim is doing tidy migration planning and got himself a new Synology as his old one is on ARM (e.g. DS-414 => DS-415+) to install DSM 6.0 and Zarafa4h migrating in a fallback mode.

  • Copy on old box with J.D.'s zarafa & run it for mysqldump to Zarafa shared folder (db-name & credentials are parsed from cfg-file)
  • In Zarafa shared folder we find a db-dump file like this /volume1/zarafa/backup/dump-zarafa-201604202200.sql.gz
  • Sync zarafa shared folder to new box, install zarafa4h & run zarafa-backup in restore mode which requests a restart for changed mariaDB settings
  • <zarafa-backup restore> will tell the timestamp (e.g. 201604202200) to restore and ask for reboot first as mysql settings had been changed

Now Tim has all his data migrated and he did not need to go the bumpy route of putting his old disks into the new box, which does not work ARM => X86 anyway. Tim can repeat the procedure if needed; he puts all the configuration on the new box and has a comparison plus fallback if something goes wrong.
Tim recognizes that Synology DSM 6.0 supports virtualisation with Docker-DSM. He can now test new packages including Zarafa4h updates on a separate system without the need for an additional box.

Rob the Replication fan - migration without downtime

Rob is planning tidily as well, but due to database size and operation hours he wants to accomplish the migration without any downtime. He also wants to use his old box as a real-time replication slave to recover from errors. Zarafa4h command-line scripts help to do so as described in the post. Note that /var/packages/MariaDB/etc/my.cnf is updated and not the original my.conf as this would be reset at each MariaDB update.
As prerequisite for later Rob selects 'Set this MariaDB as replication master (id:101) to sync zarafa database to other slave' during install or runs <zarafa-replication master ..>. He restarts MariaDB for the new settings. Then similar to above:

  • Copy and on old box with J.D.'s Zarafa (both scripts will also be released via Project-Homepage)
  • Run < master mysql-pwd slave-host sync-pwd id> on old box to enable MariaDB as replication master and restart (if you skip id it defaults to 101).
  • Run < master> for mysqldump to Zarafa shared Folder; this time the backup will include replication Information (mysql log position).
  • Sync zarafa shared folder to new box, install zarafa4h & run <zarafa-replication mysql-pwd master-host sync-pwd 111> plus <zarafa-backup restore>; both requests a restart
  • <zarafa-backup restore> will tell the timestamp (e.g. 201604202200) to restore and on completion will notify on Master-Log-File-Position.
  • After the restore the slave can be synced to the master via <zarafa-replication sync-in mysql-pwd> which issues the following MySQL commands:
CHANGE MASTER TO MASTER_LOG_FILE='mysqld-bin.000001', MASTER_LOG_POS=1075703; (settings as listed by restore)
START SLAVE; & SHOW SLAVE STATUS (Last_Error will be blank, Slave_IO_State will be “Waiting for master to send event” once synced)
  • Note: mysql-pwd is the database root password and sync-pwd is the password for the sync user rslave, which has to be the same on master and slave server.

Now Rob can decide to switch over to his new box anytime with no downtime. Once this is done he installs Zarafa4h on his old box and uses it as replication slave by repeating from step 3 above.
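
A check of the conditions listed above, as an added example (not part of the Zarafa4h scripts): it parses the vertical output of SHOW SLAVE STATUS\G and compares it with the log file and position the restore printed. The status texts are constructed samples; Slave_IO_Running, Slave_SQL_Running, Relay_Master_Log_File and Exec_Master_Log_Pos are standard MariaDB status fields that the page itself does not mention.

```python
import re

# Idle state of a synced slave, as stated on this page.
SYNCED_STATE = "Waiting for master to send event"


def parse_slave_status(text):
    r"""Parse the vertical output of SHOW SLAVE STATUS\G into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Row separators ("**** 1. row ****") have no 'Name:' prefix and are skipped.
        if sep and re.fullmatch(r"\w+", key.strip()):
            fields[key.strip()] = value.strip()
    return fields


def binlog_coordinate(log_file, log_pos):
    """Turn ('mysqld-bin.000001', '1075703') into a comparable tuple."""
    return int(log_file.rsplit(".", 1)[1]), int(log_pos)


def replication_problems(status_text, start_file, start_pos):
    """Return a list of problems; start_* are the values printed by the restore."""
    st = parse_slave_status(status_text)
    problems = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        if st.get(thread) != "Yes":
            problems.append(f"{thread} is {st.get(thread, 'missing')}")
    if st.get("Last_Error"):
        problems.append(f"Last_Error: {st['Last_Error']}")
    if st.get("Slave_IO_State") != SYNCED_STATE:
        problems.append(f"Slave_IO_State: {st.get('Slave_IO_State') or 'empty'}")
    # The slave must have applied events at or beyond the restore position;
    # anything earlier points to wrong CHANGE MASTER coordinates.
    if st.get("Relay_Master_Log_File") and st.get("Exec_Master_Log_Pos"):
        applied = binlog_coordinate(st["Relay_Master_Log_File"],
                                    st["Exec_Master_Log_Pos"])
        if applied < binlog_coordinate(start_file, start_pos):
            problems.append("slave is behind the restore position")
    return problems


# Constructed sample outputs (not captured from a real server).
HEALTHY = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
              Master_Log_File: mysqld-bin.000001
          Read_Master_Log_Pos: 1080211
        Relay_Master_Log_File: mysqld-bin.000001
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Error:
          Exec_Master_Log_Pos: 1080211
"""

BROKEN = """\
*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
        Relay_Master_Log_File: mysqld-bin.000001
             Slave_IO_Running: Connecting
            Slave_SQL_Running: No
                   Last_Error: Error 'Duplicate entry' on query
          Exec_Master_Log_Pos: 4
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, replication_problems(text, "mysqld-bin.000001", 1075703)
              or "no problems")
```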

Zarafa Mysql Replication Extended

Extended details on MySql replication to get a Zarafa HA setup as described here Zarafa_High_Availability_setup_with_MySQL_master-slave which are all embedded into scripts as outlined in #Rob the Replication fan - migration without downtime:
Details will follow

Installation instructions


All prerequisites have to be enabled in the DSM interface in the control panel.

Install MariaDB, Perl, Docker or Debian-Chroot

Please go to the Package Center and install the packages MariaDB, Perl and Docker if not yet installed. For non Docker Synology's the Debian-Chroot can be used.
If no container has been installed Zarafa4h will exit. There is no need to manually pull the Docker zarafa4h-image as this is all done by the install routine of the SPK package.
Note: as Zarafa4h comes with its own NGINX webserver there is no primary need to enable Synology Webservices, but if used it can act as Reverse Proxy.

Add Community Sources to Package Center

In order to download and upgrade Zarafa4h plus other community packages you need to apply the following settings in DSM Package Manager:

  • Go to Settings, General and set Trust-Level to 'Synology Inc. and trusted publishers'
  • Go to the Beta tab and enable beta versions to be offered, otherwise Zarafa4h does not show up as it is still beta
  • Go to Package Sources and add "" for Community Package Hub and "" for SynoCommunity

Enable Telnet / SSH access

Depending on your configuration, some parts of Zarafa have to be configured via command-line; therefore click on “Terminal & SNMP” and enable either Telnet (private LAN only) or “SSH Service”. Then click apply.


Webservices and Reverse Proxy

Once you have enabled Webstation in the control panel under Webservices you can use a number of web-based packages. Zarafa4h however comes with its own NGINX webserver utilising the PHP-Mapi and other Zarafa libraries. In order to use SSL via port 443 you will need a Reverse Proxy configuration. For DSM 5 we can either use the Apache Reverse Proxy entry created by the Zarafa4h install or the HA-Proxy package; the HA-Proxy GUI unfortunately does not run on DSM 6. With HA-Proxy you map SSL 443 from your router to HA-Proxy and then, depending on the subdomain, map to Apache or Zarafa. Mind the difference: the Reverse Proxy settings on Apache created by the z4h install use a virtual directory zarafa, while HA-Proxy and the DSM 6 Reverse Proxy use virtual subdomains.


With DSM 6 a Reverse Proxy is available natively in the control panel under application portal, and the settings for Zarafa can be set as follows:



The Installation SPK package will take care of all required steps to build or load Images, create database etc. There is no need to load any Docker images manually.
When installing the package you first need to acknowledge the licensing options; the dialogue might not be shown under DSM 6.0.
General note: the number of options might be confusing, but usually the defaults in the install menus will do, and when not using your own mail server some postfix settings can be ignored.


Then you set the name for the database, MariaDB / MySQL root Password (which is different to OS root pwd) and other core options. You can build the Docker image or load it from repository.
You can then add a Zarafa / Kopano subscription license number to have certain collaboration options enabled. For details see Zarafa / Kopano options.
As WebApp and ICAL run in another webserver select the port prefix to get e.g. http(s) 9080 / 9443. Zarafa Gateway for Pop3, IMAP, ICAL are optional as usually Z-Push will do the job.

Select Debian-Chroot as alternative to Docker container if your Synology does not support Docker (e.g. DS214/5play) (for both later options please scroll down).
By default the database name is 'zarafa4h' to allow parallel setup to legacy Zarafa. You can also select 'zarafa' if no legacy Zarafa is present. See also #Migration & Replication instructions.

The shared folder will be used to host logs, backups, manuals, the Windows client and attachments, and can be replicated to a 2nd Synology to create high availability options. Note the 'etc' in the shared zarafa folder is a softlink.
In reality the configuration files are in the package Directory mounted into the container, so when replacing the Container or replicating the configuration stays on the box.

The current Zarafa version supports keeping attachments on the file system as opposed to the database. You might select this for performance reasons to keep MariaDB small in size and blocks.
As older versions of Zarafa kept attachments in MariaDB this option is only available for a new setup (though migration scripts are available, this is not yet supported by zarafa4h).


Next you define Webserver and Webmeetings specifics. NGINX will use the name supplied which has to match your certificate.
You can import certificates from Synology (DSM 6 only). File paths look like this </volume1/download/ssl/cert.pem>.
If you do not use HA-Proxy, have Reverse-Proxy entries set on your Synology either for Apache or NGINX depending on what you use (this is WIP).
You can change the default port Webmeeting is listening to on localhost only and install coTURN for Video over NAT which is at early stage.


Now Mail-Server options for Postfix, Mail-Relaying and Fetch-/Getmail for external mailboxes are requested. Please scroll down for all options.
You can select 1 or multiple mail-domains separated by colon. The first entry is the primary domain Postfix uses as origin. If you are using external mailboxes only you can ignore this.
When using dynamic IPs it is advised to go for SMTP relay by your provider (e.g. "") otherwise some mail-server will reject you for missing MX entry (see #Configure Relayhost).

Spam can be handled on several levels:
1) Postfix handshake during the helo section; some spammers do not use helo or fake the sender.
2) DNS-based RBL (real-time block list) client rejection using, Both are optional but recommended.
3) Scanning using Amavisd-new integrating ClamAV (Anti-Virus) and SpamAssassin (Spam detection engine) and rejecting certain attachments.


The user creation and language settings allow preferred settings per country. This will also trigger codepage and spell-checker, e.g. when German is selected.
This colon / semi-colon user creation vector is straightforward, while users can also be created by command-line with <zarafa-admin> and in later versions via the admin GUI.
Note: as it is passed to zarafa-admin, some special characters like <$> in a password will break it. If you use a simpler password here you still have the option to change it via WebApp.


Now additional MariaDB (MySQL fork) options can be set. You can configure for planned replication of Zarafa. See #Migration & Replication instructions.
The MariaDB tuning options as per a brief summary of best practice are listed. If you are unsure select at least the tuning baseline option.


Finally you get the install summary to get everything started. Note the install can easily take 10-20 min or even more as software is downloaded and packages are loaded or built.


Configure Zarafa

With Zarafa4h v.0.55 an administration GUI is included with the aim of making login to the Synology console obsolete. The command-line options below can also be called by the GUI. For advanced configurations it might be necessary to log in with SSH: connect to your NAS with PuTTY or any other terminal program and log in with the root or admin account (with DSM 6 root login is no longer possible; use admin combined with sudo).

Zarafa Command-line Options

Zarafa4h exposes certain zarafa commands to the Synology command-line and adds other custom scripts. Type ~$zarafa- at the prompt and press Tab, and you see:

zarafa-admin  zarafa-backup  zarafa-cmdline  zarafa-fetchmail  zarafa-getmail  zarafa-listfolders zarafa-optionals
zarafa-postfix zarafa-pubfolders  zarafa-replication  zarafa-reset  zarafa-restart  zarafa-status  z-push-admin  z-push-top

The cmd-line tools typically have a usage and help function to get familiarized with the features.
To get full control enter ~$zarafa-cmdline (or ~$zarafa4h) and you are in the box (Docker-/Chroot-Container) and can do all other things like hardening your setup or running any other zarafa command. The zarafa-restart command can be issued after changes to the configuration have been made; a stop and start in the Synology GUI only acts against the container, whereas this is a full restart. To get the public-folder IDs for Z-Push enter zarafa-pubfolders and put the IDs into the Z-Push config.php. To get a more detailed status on running, stopped and disabled processes run zarafa-status. For backup and restore run zarafa-backup, which is a custom script by Zarafa4h on Synology, not to be confused with Zarafa Backup Plus shipped with the commercial offering. Details and the power of zarafa-backup for migration are described above. Zarafa-postfix, zarafa-fetchmail and zarafa-getmail are used to add and change settings for mail delivery.
With zarafa-admin you can add and change users from the command line. For the impatient, here is a demo command for a new user with the password 007; you can also use capital -P to be prompted for the password, which keeps it out of the shell history and the process list:

~$zarafa-admin -cpbond -p007 -f'Paul Bond' -e'[email protected]'   User created.

Configure Mailservices aka SMTPD Postfix & IMAP-POP3 Getmail

Zarafa needs a Postfix service to send and receive mails. An internal Postfix is ready for use, as unfortunately Synology Mailserver integration does not work due to issues with LMTP. Note that configuration and integration with Synology Mail Server for Zarafa4h is different to the old setup described here: Zarafa_Installation_Instructions_for_Synology_NAS#Configure_Postfix_with_your_own_domain. While legacy Zarafa uses dagent via cmd-line / pipe, Zarafa4h uses LMTP, since postfix cannot talk to the container via root but uses port 2003.

Configure Internal Postfix

Zarafa4h Postfix functionality is currently building up with not yet all features via GUI at hand. See <zarafa-postfix help> for current features. Use the toolset instead of updating the config files unless you really know what you are doing.
For Postfix it is important to prevent being misused as a spam mail relay, i.e. others using your Postfix service for sending spam. This is ensured via the entries mydomain and mynetworks; mynetworks is restricted to localhost so only Zarafa can use it. Be careful when changing it. For details see #Postfix

Configure Relayhost

The setup of relayhost is embedded into the install routine or the cmd-line utility zarafa-postfix. To understand the background see this tutorial here.
It is important to know the settings of your mail provider for sending mails via relay host, in particular which port to use. While port 25 is used as default, most providers enforce TLS/SSL for outgoing mails via port 587 or 465, so at install you should put like ""
If you configure later via cmd-line the call would look like this <zarafa-postfix relay []:587 [email protected] mypwd>. Note the [] brackets are optional.

Configure Fetchmail

To receive emails from mailboxes hosted externally the IMAP or POP3 protocol is used via the tool Fetchmail. Note: the internal Postfix is only needed for outgoing mails, so port 25 does not need to be exposed to the Internet and certain spam prevention is obsolete. Fetchmail is installed but not enabled by default. The set of cmd-line calls is as follows:

zarafa-fetchmail add => please provide all fetch-mail parameters in order: z-user r-user r-pwd server protocol port ssl
zarafa-fetchmail add jbond [email protected] mypwd pop3 995 ssl => OK adding fetchmail entry for z-user jbond as [email protected] at
After adding the first entry you have to run zarafa-fetchmail init.
zarafa-fetchmail init => init: adding fetchmail to zarafa services list, local_admin_users and removing SMTP recipient restrictions (please restart zarafa)..
zarafa-fetchmail list => jbond,[email protected],'mypwd',,pop3,995,ssl

Note: zarafa-restart or zarafa-fetchmail restart are optional here as zarafa-fetchmail init already starts fetchmail, but the restart is needed after any subsequent changes.

Configure Getmail

Getmail is an alternative to Fetchmail and will be implemented in a later release. Getmail comes into play for advanced settings like Spam / AV integration and keeping mails in external Mailbox for a period of time.

Zarafa Admin GUI

The Zarafa4h-Admin GUI, a Perl module on Synology, allows maintenance of users, groups and send-as options by wrapping the zarafa-admin command-line utility. For Postfix, alias and bcc rules can be configured in addition to other features via the menu SmtpD.
External mailboxes via fetchmail and other actions / tools are available.




The default looks like this (some optional parts are disabled via # and can be enabled via install / admin GUI):
Most importantly, "smtpd_client_restrictions = permit_mynetworks" is set to avoid being an open mail relay, and virtual_mailbox_domains / transport are set. Relaying to foreign domains is refused by reject_unauth_destination in smtpd_recipient_restrictions.

# set domain -> hostname -> origin as fqdn to avoid abuse
mydomain =
myhostname =
myorigin = $
# closed relay: allow localhost for clients sending; add your local nw if needed,
mynetworks =, [::1]/128
smtp_host_lookup = dns, native
# overwrite max message size 10M->50M; mailbox_size_limit must not be smaller hence
mailbox_size_limit = 0
message_size_limit = 52428800
# header and body checks
header_checks = regexp:/etc/zarafa/postfix/header_checks
body_checks = regexp:/etc/zarafa/postfix/body_checks
# use alias for system default and virtual valiases for zarafa aliases
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/zarafa/postfix/valiases
# use virtual domains from cfg file; 1st entry is eq mydomain
virtual_mailbox_domains = /etc/zarafa/postfix/vdomains
virtual_transport = lmtp:
smtpd_banner = $myorigin ESMTP Postfix Zarafa
# anti-spam: no relaying and request valid helo to block spam-bots (helo restrictions optional)
smtpd_helo_required = yes
#smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
# anti-spam: have real-time dns based black-lists:, and postgrey on 10023 (optional)
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks reject_invalid_hostname reject_unauth_destination reject_unknown_recipient_domain 
#check_policy_service inet:                                                                                   
# anti-spam: mail-from unknown-sender by mx entry check (optional)
smtpd_sender_restrictions = reject_unknown_address
# anti-spam: amavis-new as content filter to integrate spamassassin and clamav (optional)
#content_filter = smtp-amavis:[]:10024
# misc settings
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
# sender limit e.g. to avoid endless spam if hacked
#smtpd_sasl_sender_rate_limit = 99
# relayhosting from provider when running dynamic IP; now we need sasl_auth
relayhost = []:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/zarafa/postfix/sasl_passwd
smtp_sasl_security_options =
# tls encryption outbound for relayhosting (mind smtp without d)
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# only needed when authenticating with cert for relayhosting
#smtp_tls_cert_file = /etc/zarafa/ssl/svrcertbundle.pem
#smtp_tls_key_file = /etc/zarafa/ssl/server.key
# tls encryption opportunistic: announce STARTTLS support to remote clients
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /etc/zarafa/ssl/svrcertbundle.pem
smtpd_tls_key_file = /etc/zarafa/ssl/server.key
smtpd_tls_security_level = may
smtpd_tls_mandatory_exclude_ciphers = aNULL, RC4
smtpd_tls_exclude_ciphers = NULL, RC4
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_received_header = yes
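
A small audit of the relay-relevant settings in the main.cf above, as an added example (not part of Zarafa4h or Postfix): it parses the file and reports non-loopback mynetworks entries, a missing or late reject_unauth_destination, duplicate parameters and SSLv2/SSLv3 not being excluded. Both sample configs are constructed, and the loopback addresses in them are assumed values because the page does not show them.

```python
import ipaddress
import re

# Permit rules that are safe ahead of reject_unauth_destination.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse_main_cf(text):
    """Parse main.cf text into (params, duplicates).

    Comment and blank lines are skipped, a line starting with whitespace
    continues the previous parameter, and a repeated parameter overrides the
    earlier value (the repeat is reported so it can be cleaned up).
    """
    params, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        if current in params:
            duplicates.append(current)
        params[current] = value.strip()
    return params, duplicates


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def non_loopback_networks(mynetworks):
    """Return the mynetworks entries that trust more than the local host."""
    flagged = []
    for entry in split_list(mynetworks):
        cleaned = entry.replace("[", "").replace("]", "")  # [::1]/128 -> ::1/128
        try:
            net = ipaddress.ip_network(cleaned, strict=False)
        except ValueError:
            flagged.append(entry)  # table reference or typo: review by hand
            continue
        if not net.is_loopback:
            flagged.append(entry)
    return flagged


def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    params, duplicates = parse_main_cf(text)
    findings = [f"duplicate parameter: {name}" for name in duplicates]

    if "mynetworks" not in params:
        findings.append("mynetworks is not set explicitly")
    for entry in non_loopback_networks(params.get("mynetworks", "")):
        findings.append(f"mynetworks trusts non-loopback entry: {entry}")

    # Only smtpd_recipient_restrictions is inspected, because that is where
    # the config on this page places reject_unauth_destination.
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    else:
        for rule in rules[: rules.index("reject_unauth_destination")]:
            if rule.startswith("permit") and rule not in SAFE_PERMITS:
                findings.append(f"'{rule}' is evaluated before reject_unauth_destination")

    # Written for the '!protocol' exclusion syntax used in the config above.
    protocols = split_list(params.get("smtpd_tls_protocols", ""))
    for old in ("SSLv2", "SSLv3"):
        if "!" + old not in protocols:
            findings.append(f"smtpd_tls_protocols does not exclude {old}")
    return findings


# Constructed sample modelled on the main.cf above (assumed loopback values).
CLOSED_CF = """\
# closed relay: only the local host may submit mail
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_client_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks reject_invalid_hostname
    reject_unauth_destination reject_unknown_recipient_domain
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
"""

# Constructed counter-example with the mistakes the audit is meant to catch.
WEAK_CF = """\
mynetworks = 127.0.0.0/8, 192.168.0.0/16, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks permit reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
"""

if __name__ == "__main__":
    for label, text in (("closed", CLOSED_CF), ("weak", WEAK_CF)):
        print(label, audit(text) or "no findings")
```

A LAN range in mynetworks is reported for review rather than as an error, since the config comment allows adding the local network when needed.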


The default looks like this and there is usually no need to edit it, as the process descriptors remain while options are enabled via

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master")
#
# ==========================================================================
# service       type  private unpriv  chroot  wakeup  maxproc command + args
#                     (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp            inet  n       -       -       -       -       smtpd
#smtp            inet  n       -       -       -       1       postscreen
#smtpd           pass  -       -       -       -       -       smtpd
#dnsblog         unix  -       -       -       -       0       dnsblog
#tlsproxy        unix  -       -       -       -       0       tlsproxy
#submission      inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps           inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# service       type  private unpriv  chroot  wakeup  maxproc command + args
#628             inet  n       -       -       -       -       qmqpd
pickup          unix  n       -       -       60      1       pickup
cleanup         unix  n       -       -       -       0       cleanup
qmgr            unix  n       -       n       300     1       qmgr
#qmgr           unix  n       -       n       300     1       oqmgr
tlsmgr          unix  -       -       -       1000?   1       tlsmgr
rewrite         unix  -       -       -       -       -       trivial-rewrite
bounce          unix  -       -       -       -       0       bounce
defer           unix  -       -       -       -       0       bounce
trace           unix  -       -       -       -       0       bounce
verify          unix  -       -       -       -       1       verify
flush           unix  n       -       -       1000?   0       flush
proxymap        unix  -       -       n       -       -       proxymap
proxywrite      unix  -       -       n       -       1       proxymap
smtp            unix  -       -       -       -       -       smtp
relay           unix  -       -       -       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq           unix  n       -       -       -       -       showq
error           unix  -       -       -       -       -       error
retry           unix  -       -       -       -       -       error
discard         unix  -       -       -       -       -       discard
local           unix  -       n       n       -       -       local
virtual         unix  -       n       n       -       -       virtual
lmtp            unix  -       -       -       -       -       lmtp
anvil           unix  -       -       -       -       1       anvil
scache          unix  -       -       -       -       1       scache
# ==========================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual pages of
# the non-Postfix software to find out what options it wants. Many of the
# following services use the Postfix pipe(8) delivery agent. See the pipe(8)
# man page for information on ${recipient} and other message envelope options.
# ==========================================================================
# service       type  private unpriv  chroot  wakeup  maxproc command + args
#                     (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# UUCP. See the Postfix UUCP_README file for configuration details.
uucp            unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in maildrop_destination_recipient_limit=1
maildrop        unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# smtp-amavis. See the README.postfix from amavisd-new - IJS for details.
# Also specify in content_filter = smtp-amavis:[]:10024
smtp-amavis     unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
# inet  n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
# end smtp-amavis
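
An added example (not part of the original wiki page or the Zarafa4h package): a small master.cf parser, with hypothetical function names, that follows the master(5) rules for comments and continuation lines so you can check which inet listeners are active and which -o overrides each service ends up with. The sample is constructed from lines in the listing above; because the `# inet` line is a comment there, the -o options after it are continuation lines of smtp-amavis.

```python
# Constructed sample, shortened from the master.cf listing above.
SAMPLE = """\
smtp            inet  n       -       -       -       -       smtpd
#submission      inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
pickup          unix  n       -       -       60      1       pickup
smtp-amavis     unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
# inet  n       -       -       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""
FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")

def logical_lines(text):
    """Skip '#' and blank lines; a line starting with whitespace continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def parse_master(text):
    """Return one dict per active service with its command and -o overrides."""
    services = []
    for entry in logical_lines(text):
        tokens = entry.split()
        if len(tokens) < 8:
            raise ValueError(f"malformed master.cf entry: {entry!r}")
        svc = dict(zip(FIELDS, tokens[:7]), command=tokens[7], overrides={})
        args = tokens[8:]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                svc["overrides"][name] = value
        services.append(svc)
    return services

def inet_listeners(services):
    """Names of the services that accept network connections."""
    return [s["service"] for s in services if s["type"] == "inet"]

if __name__ == "__main__":
    for s in parse_master(SAMPLE):
        print(s["service"], s["type"], s["command"], s["overrides"])
```

Run it against a copy of your own master.cf by passing the file's text to `parse_master` and comparing `inet_listeners` with the ports you intend to expose.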