ansible/roles/mail/templates/postfix/main.cf.j2


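# Postfix main.cf, rendered by Ansible from
# ansible/roles/mail/templates/postfix/main.cf.j2
# Postfix syntax: one "parameter = value" per logical line; a line that
# starts with whitespace continues the previous value; "#" is a comment
# only in column 0 (never inside a multi-line value).
# The Jinja {% for %} loops assume Ansible's template defaults
# (trim_blocks) so they emit no blank lines inside a value -- verify if
# this template is rendered by anything other than Ansible.

# Uncomment soft_bounce for testing (bounces become deferrals instead)
#soft_bounce = yes

# Generic postfix parameters
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
inet_interfaces = all
inet_protocols = all
# bytes
message_size_limit = 50000000
recipient_delimiter = +
owner_request_special = no
unknown_local_recipient_reject_code = 550
strict_rfc821_envelopes = yes
# VRFY disabled so remote clients cannot enumerate addresses
disable_vrfy_command = yes
# Evaluate restrictions at RCPT TO so every rejection is logged with
# client, HELO, sender and recipient
smtpd_delay_reject = yes
smtpd_helo_required = yes
# Empty: deliver outbound mail directly, no smarthost
relayhost =

# Postscreen (pre-greet only, rspamd does the rest)
# Only effective when the port-25 listener is fronted by postscreen in
# master.cf (not shown here)
postscreen_greet_banner = $myhostname ESMTP $mail_name
postscreen_greet_action = enforce

# Network parameters
mydomain = {{ mail_domain }}
myhostname = {{ ansible_fqdn }}
myorigin = $myhostname
mydestination = localhost.$mydomain, localhost, {{ mail_srs_domain }}
# Clients in mynetworks bypass most restrictions below via
# permit_mynetworks, so keep mail_trusted minimal. ipwrap brackets IPv6
# prefixes the way Postfix expects.
mynetworks =
    127.0.0.0/8
    [::ffff:127.0.0.0]/104
    [::1]/128
{% for cidr in mail_trusted %}
    {{ cidr | ipwrap }}
{% endfor %}

# Alias configuration
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Client TLS parameters (outbound)
# "may" is opportunistic: no peer verification and a fallback to
# cleartext if STARTTLS is unavailable. NOTE(review): "dane" is the
# stronger choice if a DNSSEC-validating resolver is available.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtp_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_fingerprint_digest = sha256

# Server TLS parameters (inbound)
smtpd_tls_cert_file = /etc/postfix/ssl/{{ mail_server }}.crt
smtpd_tls_key_file = /etc/postfix/ssl/{{ mail_server }}.key
smtpd_tls_CApath = /etc/ssl/certs
# Opportunistic STARTTLS on port 25; mandatory TLS there would break
# interoperability with senders that do not offer it
smtpd_tls_security_level = may
# Never advertise AUTH on a cleartext connection
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_fingerprint_digest = sha256

# Submission SASL configuration (Dovecot auth socket, relative to
# $queue_directory)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_auth_enable = yes
# noplaintext is unnecessary here because smtpd_tls_auth_only already
# forces TLS before AUTH is offered
smtpd_sasl_security_options = noanonymous

# SMTPd restrictions. Each list is evaluated top to bottom and the first
# permit_* or reject_* that matches decides, so order is significant.
# HELO: a non-FQDN HELO is only logged (warn_if_reject), not rejected.
smtpd_helo_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    warn_if_reject reject_non_fqdn_hostname
    check_helo_access hash:/etc/postfix/helo_access
smtpd_client_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unknown_reverse_client_hostname
# Sender: permit_tls_clientcerts only matches certificates listed in
# relay_clientcerts with smtpd_tls_ask_ccert enabled; neither is set in
# this file, so it is inert unless configured elsewhere.
# reject_sender_login_mismatch sits after permit_sasl_authenticated, so
# only its unauthenticated half can fire (an address owned in
# smtpd_sender_login_maps used without AUTH); authenticated clients are
# never checked against their login. Moving it above
# permit_sasl_authenticated enforces that, but only do so once
# smtpd_sender_login_maps (not set here) is populated, otherwise every
# authenticated sender would be rejected.
# reject_unauthenticated_sender_login_mismatch is not listed separately:
# reject_sender_login_mismatch already includes that check.
smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_sender_login_mismatch
# Recipient: reject_unauth_destination is the anti-open-relay check;
# reject_unverified_recipient triggers an address-verification probe
# (verify(8)) and answers with unverified_recipient_reject_code below.
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unauth_pipelining
    reject_unverified_recipient

# SMTP Smuggling mitigation. Only releases that know this parameter
# (Postfix 3.8.4 / 3.7.9 / 3.6.13 / 3.5.23 and later) enforce it; an
# older Postfix logs an "unused parameter" warning and the protection is
# silently absent -- check "postconf -n" on the target after deploy.
smtpd_forbid_bare_newline = yes

# rspamd Milter setup
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
# accept = fail-open: if rspamd is unreachable, mail is delivered
# unscanned (and unsigned, if rspamd handles DKIM). "tempfail" would
# defer instead. Make sure the 11332 listener is monitored.
milter_default_action = accept
milter_protocol = 6

# mailbox / forward definitions
# NOTE(review): Postfix warns when a name is listed in both mydestination
# and virtual_mailbox_domains -- keep mail_srs_domain distinct from
# mail_domain and mail_domains.
virtual_mailbox_domains = {{ mail_domain }}
{% for domain in mail_domains %}
    {{ domain }}
{% endfor %}
virtual_alias_maps = hash:/etc/postfix/virtual-alias
virtual_transport = lmtp:unix:private/dovecot-lmtpd
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient unknown

# mailman
relay_domains =
    hash:/var/lib/mailman3/data/postfix_domains
# NOTE(review): this replaces Postfix's default local_recipient_maps
# (proxy:unix:passwd.byname $alias_maps), so only addresses in the
# mailman map are accepted as local recipients for $mydestination;
# confirm that postmaster/abuse in /etc/aliases still resolve, or add
# $alias_maps to this list.
local_recipient_maps =
    hash:/var/lib/mailman3/data/postfix_lmtp
transport_maps =
    hash:/var/lib/mailman3/data/postfix_lmtp

# postsrsd
# sender_canonical_maps = tcp:localhost:10001 -> see master.cf
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient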