forked from infra/ansible
94 lines
2.9 KiB
Django/Jinja
94 lines
2.9 KiB
Django/Jinja
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
|
|
|
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
|
biff = no
|
|
|
|
# appending .domain is the MUA's job.
|
|
append_dot_mydomain = no
|
|
|
|
# Uncomment the next line to generate "delayed mail" warnings
|
|
#delay_warning_time = 4h
|
|
|
|
readme_directory = no
|
|
|
|
inet_interfaces = all
|
|
inet_protocols = ipv4
|
|
|
|
message_size_limit = 50000000
|
|
recipient_delimiter = +
|
|
|
|
mydomain = {{ mail_domain }}
|
|
myhostname = {{ ansible_fqdn }}
|
|
myorigin = {{ ansible_fqdn }}
|
|
mydestination = localhost.{{ mail_domain }}, localhost
|
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
|
|
|
alias_maps = hash:/etc/aliases
|
|
alias_database = hash:/etc/aliases
|
|
relayhost =
|
|
|
|
# TLS parameters
|
|
smtp_tls_security_level = may
|
|
smtp_tls_loglevel = 1
|
|
|
|
smtpd_tls_cert_file=/etc/postfix/ssl/{{ mail_server }}.crt
|
|
smtpd_tls_key_file=/etc/postfix/ssl/{{ mail_server }}.key
|
|
smtpd_tls_CAfile=/etc/acme/lets-encrypt-x3-cross-signed.pem
|
|
smtpd_tls_security_level = may
|
|
smtpd_tls_auth_only = yes
|
|
smtpd_tls_ciphers = medium
|
|
smtpd_tls_received_header = yes
|
|
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
|
|
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
|
# information on enabling SSL in the smtp client.
|
|
|
|
smtpd_sasl_type = dovecot
|
|
smtpd_sasl_path = private/auth
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_security_options = noanonymous
|
|
|
|
smtpd_helo_restrictions = permit_mynetworks
|
|
warn_if_reject reject_non_fqdn_hostname
|
|
check_helo_access hash:/etc/postfix/helo_access
|
|
#check_client_access cidr:/etc/postfix/client_access
|
|
|
|
smtpd_recipient_restrictions = permit_mynetworks
|
|
permit_sasl_authenticated
|
|
reject_unauth_destination
|
|
check_recipient_access hash:/etc/postfix/recipient_access
|
|
|
|
smtpd_data_restrictions = warn_if_reject reject_unauth_pipelining
|
|
|
|
smtpd_restriction_classes = rbl, rblgrey
|
|
|
|
rbl = reject_rbl_client sbl.spamhaus.org
|
|
reject_rbl_client cbl.abuseat.org
|
|
|
|
rblgrey = reject_rbl_client sbl.spamhaus.org
|
|
reject_rbl_client cbl.abuseat.org
|
|
check_policy_service unix:private/spfpolicy
|
|
check_policy_service inet:127.0.0.1:10023
|
|
|
|
content_filter = amavis:[127.0.0.1]:10024
|
|
receive_override_options = no_address_mappings
|
|
|
|
virtual_mailbox_domains = {{ mail_domain }}
|
|
{%- for domain in mail_domains %}
|
|
{{ domain }}
|
|
{%- endfor %}
|
|
|
|
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
|
|
virtual_alias_maps = hash:/etc/postfix/virtual-alias, ldap:/etc/postfix/ldap-aliases.cf
|
|
|
|
virtual_transport = dovecot
|
|
dovecot_destination_recipient_limit = 1
|
|
|
|
# mailman
|
|
relay_domains = {{ mailman_domain }}
|
|
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
|
|
transport_maps = hash:/etc/postfix/transport
|
|
mailman_destination_recipient_limit = 1
|