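# Postfix main.cf, rendered from an Ansible/Jinja2 template ({{ ansible_fqdn }} etc.).
# Postfix syntax: "key = value", one logical parameter per line; continuation
# lines MUST start with whitespace, full-line "#" comments only, no inline comments.
# Fixes in this revision: removed the duplicate smtp_tls_CApath (the second
# assignment silently overrode the first), normalised "key = value" spacing,
# and indented all continuation lines so they parse as part of their parameter.

# Uncomment soft_bounce for testing: every permanent reject becomes a temporary
# one, so a misconfiguration does not bounce real mail while experimenting.
#soft_bounce = yes

# Generic postfix parameters
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
inet_interfaces = all
inet_protocols = all
# bytes (50 MB)
message_size_limit = 50000000
recipient_delimiter = +
unknown_local_recipient_reject_code = 550
strict_rfc821_envelopes = yes
# VRFY is a classic address-harvesting vector; keep it disabled.
disable_vrfy_command = yes
# Evaluate rejections only at RCPT TO so the full envelope ends up in the log.
smtpd_delay_reject = yes
smtpd_helo_required = yes
# Empty: deliver directly, no smarthost.
relayhost =

# Postscreen (pre-greet only, rspamd does the rest)
# NOTE(review): this only takes effect if master.cf runs the smtp port through
# postscreen (master.cf is not part of this file) - confirm.
postscreen_greet_banner = $myhostname ESMTP $mail_name
postscreen_greet_action = enforce

# Network parameters
mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydestination = localhost.$mydomain, localhost
# Trusted clients: loopback plus the operator-supplied CIDRs in mail_trusted.
# These get permit_mynetworks in every restriction list below, i.e. open relay
# for them, so keep mail_trusted minimal.
# mail_trusted is whitespace-separated; split() without an argument tolerates
# repeated spaces and an empty variable (no empty continuation lines).
mynetworks =
    127.0.0.0/8
    [::ffff:127.0.0.0]/104
    [::1]/128
{% for cidr in mail_trusted.split() %}
    {{ cidr }}
{% endfor %}

# Alias configuration
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Client TLS parameters
# "may": opportunistic TLS when the remote server offers it, plaintext otherwise
# (no certificate verification in this mode).
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtp_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_fingerprint_digest = sha256

# Server TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtpd_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtpd_tls_CApath = /etc/ssl/certs
# Opportunistic TLS on port 25 is required by RFC; combined with
# smtpd_tls_auth_only = yes, SASL AUTH is neither offered nor accepted on
# unencrypted connections, so credentials never travel in the clear.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Minimum cipher grade for opportunistic TLS (medium is the Postfix default).
smtpd_tls_ciphers = medium
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_fingerprint_digest = sha256

# Submission SASL configuration
# Authentication is delegated to Dovecot over its auth socket (path relative
# to $queue_directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# SMTPd restrictions
# Order matters: the first matching permit_* or reject_* ends evaluation.
smtpd_helo_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    warn_if_reject reject_non_fqdn_hostname
    check_helo_access hash:/etc/postfix/helo_access

smtpd_client_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_reverse_client_hostname

# The two *_sender_login_mismatch checks need smtpd_sender_login_maps, which is
# not set in this file - presumably provided elsewhere; verify, otherwise they
# are no-ops. permit_tls_clientcerts likewise relies on relay_clientcerts.
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauthenticated_sender_login_mismatch
    reject_sender_login_mismatch

# reject_unauth_destination is the anti-relay check; it must stay after the
# permit_* entries and before any further permits.
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unauth_pipelining
    reject_unverified_recipient

# rspamd Milter setup
# "accept" means mail is accepted UNFILTERED while rspamd is down or
# misconfigured; "tempfail" would queue/retry instead. Deliberate availability
# trade-off - revisit if spam/malware filtering is considered mandatory.
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_default_action = accept
milter_protocol = 6

# mailbox / forward definitions
virtual_mailbox_domains = {{ mail_domain }}
{% for domain in mail_domains %}
    {{ domain }}
{% endfor %}
virtual_alias_maps = hash:/etc/postfix/virtual-alias
virtual_transport = lmtp:unix:private/dovecot-lmtpd
# Recipient verification probes go to Dovecot LMTP; unknown users are rejected
# at SMTP time with a permanent code instead of generating backscatter.
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient unknown

# mailman
relay_domains = {{ mailman_domain }}
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
transport_maps = hash:/etc/postfix/transport
# Per-transport override for the "mailman" transport (defined in master.cf,
# not visible here): one recipient per delivery.
mailman_destination_recipient_limit = 1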