ansible/roles/mail/templates/postfix/main.cf.j2

128 lines
3.6 KiB
Django/Jinja

# Uncomment soft_bounce for testing
#soft_bounce = yes
# Generic postfix parameters
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
inet_interfaces = all
inet_protocols = all
message_size_limit = 50000000
recipient_delimiter = +
unknown_local_recipient_reject_code = 550
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
relayhost =
# Postscreen (pre-greet only, rspamd does the rest)
postscreen_greet_banner = $myhostname ESMTP $mail_name
postscreen_greet_action = enforce
# Network parameters
mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydestination = localhost.$mydomain, localhost, {{ mail_srs_domain }}
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
{% for cidr in mail_trusted.split(' ') %}
{{ cidr }}
{% endfor %}
# Alias configuration
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Client TLS parameters
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
smtp_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_fingerprint_digest=sha256
# Server TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_fingerprint_digest=sha256
# Submission SASL configuration
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# SMTPd restrictions
smtpd_helo_restrictions =
permit_sasl_authenticated
permit_mynetworks
warn_if_reject reject_non_fqdn_hostname
check_helo_access hash:/etc/postfix/helo_access
smtpd_client_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unknown_reverse_client_hostname
smtpd_sender_restrictions =
permit_mynetworks
reject_unknown_sender_domain
reject_non_fqdn_sender
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_pipelining
reject_unauthenticated_sender_login_mismatch
reject_sender_login_mismatch
smtpd_recipient_restrictions =
reject_unknown_recipient_domain
reject_non_fqdn_recipient
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
reject_unauth_pipelining
reject_unverified_recipient
# rspamd Milter setup
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_default_action = accept
milter_protocol = 6
# mailbox / forward definitions
virtual_mailbox_domains = {{ mail_domain }}
{% for domain in mail_domains %}
{{ domain }}
{% endfor %}
virtual_alias_maps = hash:/etc/postfix/virtual-alias
virtual_transport = lmtp:unix:private/dovecot-lmtpd
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient unknown
# mailman
relay_domains = {{ mailman_domain }}
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# postsrsd
# sender_canonical_maps = tcp:localhost:10001 - > see master.cf
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient