forked from infra/ansible
Add config files and extend tasks for mail role.
This commit is contained in:
parent
a19575ffc0
commit
175ee1841b
@ -6,13 +6,15 @@ ldap_base: dc=binary-kitchen,dc=de
|
|||||||
ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
|
ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de
|
||||||
ldap_bindpw: svcpwd
|
ldap_bindpw: svcpwd
|
||||||
|
|
||||||
|
mail_domain: binary-kitchen.com
|
||||||
|
|
||||||
nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
|
nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de
|
||||||
nslcd_base_shadow: ou=Users,dc=binary-kitchen,dc=de
|
nslcd_base_shadow: ou=Users,dc=binary-kitchen,dc=de
|
||||||
nslcd_base_passwd: ou=Users,dc=binary-kitchen,dc=de
|
nslcd_base_passwd: ou=Users,dc=binary-kitchen,dc=de
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- 172.23.1.61
|
- 172.23.1.61
|
||||||
- 172.23.2.2
|
- 172.23.2.2
|
||||||
|
|
||||||
prosody_admin: moepman@jabber.binary-kitchen.de
|
prosody_admin: moepman@jabber.binary-kitchen.de
|
||||||
prosody_domain: jabber.binary-kitchen.de
|
prosody_domain: jabber.binary-kitchen.de
|
||||||
|
14
roles/mail/files/policyd-spf.conf
Normal file
14
roles/mail/files/policyd-spf.conf
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
# For a fully commented sample config file see policyd-spf.conf.commented
|
||||||
|
|
||||||
|
debugLevel = 1
|
||||||
|
defaultSeedOnly = 1
|
||||||
|
|
||||||
|
HELO_reject = No_Check
|
||||||
|
Mail_From_reject = False
|
||||||
|
|
||||||
|
Mail_From_pass_restriction = OK
|
||||||
|
|
||||||
|
PermError_reject = False
|
||||||
|
TempError_Defer = False
|
||||||
|
|
||||||
|
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
|
@ -3,25 +3,75 @@
|
|||||||
- name: Install packages
|
- name: Install packages
|
||||||
apt: name={{ item }} state=present
|
apt: name={{ item }} state=present
|
||||||
with_items:
|
with_items:
|
||||||
- postfix
|
|
||||||
- amavisd-new
|
- amavisd-new
|
||||||
- postgrey
|
- bsd-mailx
|
||||||
- spamassassin
|
|
||||||
- dovecot-core
|
- dovecot-core
|
||||||
- dovecot-imapd
|
- dovecot-imapd
|
||||||
- dovecot-sieve
|
|
||||||
- dovecot-managesieved
|
|
||||||
- dovecot-ldap
|
- dovecot-ldap
|
||||||
|
- dovecot-managesieved
|
||||||
|
- dovecot-sieve
|
||||||
|
- postfix
|
||||||
|
- postfix-policyd-spf-python
|
||||||
|
- postgrey
|
||||||
|
- pyzor
|
||||||
|
- razor
|
||||||
|
- spamassassin
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Create vmail group
|
||||||
|
group: name=vmail gid=500 state=present
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Create vmail user
|
||||||
|
user: name=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Configure amavis
|
||||||
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- amavis/15-content_filter_mode
|
||||||
|
- amavis/50-user
|
||||||
|
notify: Restart amavis
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Configure dovecot
|
||||||
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- dovecot/dovecot-ldap.conf.ext
|
||||||
|
- dovecot/local.conf
|
||||||
|
notify: Restart dovecot
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Configure policyd
|
||||||
|
copy: src={{ item }} dest=/etc/postfix-policyd-spf-python/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- policyd-spf.conf
|
||||||
tags: mail
|
tags: mail
|
||||||
|
|
||||||
- name: Configure postfix
|
- name: Configure postfix
|
||||||
template: src={{ item }} dest=/etc/postfix/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- ldap-aliases.cf.j2
|
- postfix/helo_access
|
||||||
- ldap-virtual-maps.cf.j2
|
- postfix/ldap-aliases.cf
|
||||||
|
- postfix/ldap-virtual-maps.cf
|
||||||
|
- postfix/main.cf
|
||||||
|
- postfix/master.cf
|
||||||
|
- postfix/recipient_access
|
||||||
notify: Restart postfix
|
notify: Restart postfix
|
||||||
tags: mail
|
tags: mail
|
||||||
|
|
||||||
|
- name: Create razor directory structure
|
||||||
|
command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
|
||||||
|
become: yes
|
||||||
|
become_user: amavis
|
||||||
|
tags: mail
|
||||||
|
|
||||||
|
- name: Register razor
|
||||||
|
command: razor-admin -register chdir=/var/lib/amavis creates=/var/lib/amavis/.razor/identity
|
||||||
|
become: yes
|
||||||
|
become_user: amavis
|
||||||
|
tags: mail
|
||||||
|
|
||||||
- name: Start amavis
|
- name: Start amavis
|
||||||
service: name=amavis state=started enabled=yes
|
service: name=amavis state=started enabled=yes
|
||||||
tags: mail
|
tags: mail
|
||||||
|
27
roles/mail/templates/amavis/15-content_filter_mode.j2
Normal file
27
roles/mail/templates/amavis/15-content_filter_mode.j2
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
use strict;
|
||||||
|
|
||||||
|
# You can modify this file to re-enable SPAM checking through spamassassin
|
||||||
|
# and to re-enable antivirus checking.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Default antivirus checking mode
|
||||||
|
# Please note, that anti-virus checking is DISABLED by
|
||||||
|
# default.
|
||||||
|
# If You wish to enable it, please uncomment the following lines:
|
||||||
|
|
||||||
|
|
||||||
|
#@bypass_virus_checks_maps = (
|
||||||
|
# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Default SPAM checking mode
|
||||||
|
# Please note, that anti-spam checking is DISABLED by
|
||||||
|
# default.
|
||||||
|
# If You wish to enable it, please uncomment the following lines:
|
||||||
|
|
||||||
|
|
||||||
|
@bypass_spam_checks_maps = (
|
||||||
|
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
|
||||||
|
|
||||||
|
1; # ensure a defined return
|
33
roles/mail/templates/amavis/50-user.j2
Normal file
33
roles/mail/templates/amavis/50-user.j2
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
use strict;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Place your configuration directives here. They will override those in
|
||||||
|
# earlier files.
|
||||||
|
#
|
||||||
|
# See /usr/share/doc/amavisd-new/ for documentation and examples of
|
||||||
|
# the directives you can use in this file
|
||||||
|
#
|
||||||
|
|
||||||
|
$remove_existing_spam_headers = 1;
|
||||||
|
|
||||||
|
$sa_tag_level_deflt = undef;
|
||||||
|
$sa_tag2_level_deflt = 5.0;
|
||||||
|
$sa_kill_level_deflt = $sa_tag2_level_deflt;
|
||||||
|
$sa_spam_subject_tag = undef;
|
||||||
|
|
||||||
|
$final_virus_destiny = D_PASS;
|
||||||
|
$final_banned_destiny = D_PASS;
|
||||||
|
$final_spam_destiny = D_PASS;
|
||||||
|
$final_bad_header_destiny = D_PASS;
|
||||||
|
|
||||||
|
$virus_admin = undef;
|
||||||
|
|
||||||
|
$virus_quarantine_to = undef;
|
||||||
|
$spam_quarantine_to = undef;
|
||||||
|
|
||||||
|
$X_HEADER_LINE = "$myproduct_name at $mydomain";
|
||||||
|
|
||||||
|
# todo (mrks): determine local addresses
|
||||||
|
|
||||||
|
#------------ Do not modify anything below this line -------------
|
||||||
|
1; # ensure a defined return
|
145
roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
Normal file
145
roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
Normal file
@ -0,0 +1,145 @@
|
|||||||
|
# This file is commonly accessed via passdb {} or userdb {} section in
|
||||||
|
# conf.d/auth-ldap.conf.ext
|
||||||
|
|
||||||
|
# This file is opened as root, so it should be owned by root and mode 0600.
|
||||||
|
#
|
||||||
|
# http://wiki2.dovecot.org/AuthDatabase/LDAP
|
||||||
|
#
|
||||||
|
# NOTE: If you're not using authentication binds, you'll need to give
|
||||||
|
# dovecot-auth read access to userPassword field in the LDAP server.
|
||||||
|
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
|
||||||
|
# already be something like this:
|
||||||
|
|
||||||
|
# access to attribute=userPassword
|
||||||
|
# by dn="<dovecot's dn>" read # add this
|
||||||
|
# by anonymous auth
|
||||||
|
# by self write
|
||||||
|
# by * none
|
||||||
|
|
||||||
|
# Space separated list of LDAP hosts to use. host:port is allowed too.
|
||||||
|
#hosts = {{ ldap_host }}
|
||||||
|
|
||||||
|
# LDAP URIs to use. You can use this instead of hosts list. Note that this
|
||||||
|
# setting isn't supported by all LDAP libraries.
|
||||||
|
uris = {{ ldap_uri }}
|
||||||
|
|
||||||
|
# Distinguished Name - the username used to login to the LDAP server.
|
||||||
|
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
|
||||||
|
dn = {{ ldap_binddn }}
|
||||||
|
|
||||||
|
# Password for LDAP server, if dn is specified.
|
||||||
|
dnpass = {{ ldap_bindpw }}
|
||||||
|
|
||||||
|
# Use SASL binding instead of the simple binding. Note that this changes
|
||||||
|
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
|
||||||
|
# and auth_bind=yes don't work together.
|
||||||
|
#sasl_bind = no
|
||||||
|
# SASL mechanism name to use.
|
||||||
|
#sasl_mech =
|
||||||
|
# SASL realm to use.
|
||||||
|
#sasl_realm =
|
||||||
|
# SASL authorization ID, ie. the dnpass is for this "master user", but the
|
||||||
|
# dn is still the logged in user. Normally you want to keep this empty.
|
||||||
|
#sasl_authz_id =
|
||||||
|
|
||||||
|
# Use TLS to connect to the LDAP server.
|
||||||
|
tls = yes
|
||||||
|
# TLS options, currently supported only with OpenLDAP:
|
||||||
|
#tls_ca_cert_file =
|
||||||
|
#tls_ca_cert_dir =
|
||||||
|
#tls_cipher_suite =
|
||||||
|
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||||
|
#tls_cert_file =
|
||||||
|
#tls_key_file =
|
||||||
|
# Valid values: never, hard, demand, allow, try
|
||||||
|
#tls_require_cert =
|
||||||
|
|
||||||
|
# Use the given ldaprc path.
|
||||||
|
#ldaprc_path =
|
||||||
|
|
||||||
|
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
|
||||||
|
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
|
||||||
|
# to get enough output.
|
||||||
|
#debug_level = 0
|
||||||
|
|
||||||
|
# Use authentication binding for verifying password's validity. This works by
|
||||||
|
# logging into LDAP server using the username and password given by client.
|
||||||
|
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
|
||||||
|
# is still used, only the password field is ignored in it. Before doing any
|
||||||
|
# search, the binding is switched back to the default DN.
|
||||||
|
#auth_bind = no
|
||||||
|
|
||||||
|
# If authentication binding is used, you can save one LDAP request per login
|
||||||
|
# if users' DN can be specified with a common template. The template can use
|
||||||
|
# the standard %variables (see user_filter). Note that you can't
|
||||||
|
# use any pass_attrs if you use this setting.
|
||||||
|
#
|
||||||
|
# If you use this setting, it's a good idea to use a different
|
||||||
|
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
|
||||||
|
# the filename is different in userdb's args). That way one connection is used
|
||||||
|
# only for LDAP binds and another connection is used for user lookups.
|
||||||
|
# Otherwise the binding is changed to the default DN before each user lookup.
|
||||||
|
#
|
||||||
|
# For example:
|
||||||
|
# auth_bind_userdn = cn=%u,ou=people,o=org
|
||||||
|
#
|
||||||
|
#auth_bind_userdn =
|
||||||
|
|
||||||
|
# LDAP protocol version to use. Likely 2 or 3.
|
||||||
|
#ldap_version = 3
|
||||||
|
|
||||||
|
# LDAP base. %variables can be used here.
|
||||||
|
# For example: dc=mail, dc=example, dc=org
|
||||||
|
base = {{ ldap_base }}
|
||||||
|
|
||||||
|
# Dereference: never, searching, finding, always
|
||||||
|
deref = never
|
||||||
|
|
||||||
|
# Search scope: base, onelevel, subtree
|
||||||
|
scope = subtree
|
||||||
|
|
||||||
|
# User attributes are given in LDAP-name=dovecot-internal-name list. The
|
||||||
|
# internal names are:
|
||||||
|
# uid - System UID
|
||||||
|
# gid - System GID
|
||||||
|
# home - Home directory
|
||||||
|
# mail - Mail location
|
||||||
|
#
|
||||||
|
# There are also other special fields which can be returned, see
|
||||||
|
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||||
|
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||||
|
user_attr =
|
||||||
|
|
||||||
|
# Filter for user lookup. Some variables can be used (see
|
||||||
|
# http://wiki2.dovecot.org/Variables for full list):
|
||||||
|
# %u - username
|
||||||
|
# %n - user part in user@domain, same as %u if there's no domain
|
||||||
|
# %d - domain part in user@domain, empty if user there's no domain
|
||||||
|
#user_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
user_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
|
||||||
|
# Password checking attributes:
|
||||||
|
# user: Virtual user name (user@domain), if you wish to change the
|
||||||
|
# user-given username to something else
|
||||||
|
# password: Password, may optionally start with {type}, eg. {crypt}
|
||||||
|
# There are also other special fields which can be returned, see
|
||||||
|
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
||||||
|
#pass_attrs = uid=user,userPassword=password
|
||||||
|
|
||||||
|
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
|
||||||
|
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
|
||||||
|
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
|
||||||
|
# string. For example:
|
||||||
|
#pass_attrs = uid=user,userPassword=password,\
|
||||||
|
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
|
||||||
|
|
||||||
|
# Filter for password lookups
|
||||||
|
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
|
||||||
|
|
||||||
|
# Attributes and filter to get a list of all users
|
||||||
|
#iterate_attrs = uid=user
|
||||||
|
#iterate_filter = (objectClass=posixAccount)
|
||||||
|
|
||||||
|
# Default password scheme. "{scheme}" before password overrides this.
|
||||||
|
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
|
||||||
|
#default_pass_scheme = CRYPT
|
102
roles/mail/templates/dovecot/local.conf.j2
Normal file
102
roles/mail/templates/dovecot/local.conf.j2
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
auth_mechanisms = plain login
|
||||||
|
auth_verbose = yes
|
||||||
|
|
||||||
|
auth_debug=yes
|
||||||
|
mail_debug = yes
|
||||||
|
log_path = /var/log/dovecot/errors.log
|
||||||
|
info_log_path = /var/log/dovecot/info.log
|
||||||
|
#log_timestamp = "%Y-%m-%d %H:%M:%S "
|
||||||
|
|
||||||
|
mail_privileged_group = mail
|
||||||
|
|
||||||
|
mail_location = maildir:/var/vmail/%u/.maildir
|
||||||
|
mail_home = maildir:/var/vmail/%u
|
||||||
|
mail_uid = vmail
|
||||||
|
mail_gid = vmail
|
||||||
|
|
||||||
|
ssl = yes
|
||||||
|
ssl_cert = </etc/ssl/certs/mail.binary-kitchen.com.pem
|
||||||
|
ssl_key = </etc/ssl/private/mail.binary-kitchen.com.key
|
||||||
|
#ssl_ca = </etc/ssl/binary-kitchen/cacert_ca.crt
|
||||||
|
ssl_protocols = !SSLv2 !SSLv3
|
||||||
|
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
||||||
|
|
||||||
|
#passdb {
|
||||||
|
# driver = ldap
|
||||||
|
# args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
|
#}
|
||||||
|
|
||||||
|
passdb {
|
||||||
|
driver = static
|
||||||
|
args = password=fnord
|
||||||
|
}
|
||||||
|
|
||||||
|
userdb {
|
||||||
|
driver = static
|
||||||
|
args = uid=vmail gid=vmail home=/var/vmail/%u
|
||||||
|
}
|
||||||
|
|
||||||
|
service auth {
|
||||||
|
unix_listener /var/spool/postfix/private/auth {
|
||||||
|
mode = 0666
|
||||||
|
user = postfix
|
||||||
|
group = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
service imap-login {
|
||||||
|
inet_listener imap {
|
||||||
|
address = 127.0.0.1 ::1
|
||||||
|
port = 143
|
||||||
|
}
|
||||||
|
inet_listener imaps {
|
||||||
|
address = 0.0.0.0
|
||||||
|
port = 993
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
service managesieve-login {
|
||||||
|
inet_listener sieve {
|
||||||
|
address = 127.0.0.1 ::1
|
||||||
|
port = 2000
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol lda {
|
||||||
|
mail_plugins = sieve
|
||||||
|
log_path = /var/log/dovecot/deliver.log
|
||||||
|
info_log_path = /var/log/dovecot/deliver.log
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol imap {
|
||||||
|
mail_max_userip_connections = 50
|
||||||
|
}
|
||||||
|
|
||||||
|
plugin {
|
||||||
|
sieve = ~/.dovecot.sieve
|
||||||
|
sieve_before = /var/vmail/default.sieve
|
||||||
|
sieve_global_path = /var/vmail/default.sieve
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace inbox {
|
||||||
|
type = private
|
||||||
|
inbox = yes
|
||||||
|
|
||||||
|
mailbox Drafts {
|
||||||
|
special_use = \Drafts
|
||||||
|
}
|
||||||
|
mailbox Junk {
|
||||||
|
special_use = \Junk
|
||||||
|
auto = subscribe
|
||||||
|
}
|
||||||
|
mailbox Trash {
|
||||||
|
special_use = \Trash
|
||||||
|
}
|
||||||
|
mailbox Sent {
|
||||||
|
special_use = \Sent
|
||||||
|
}
|
||||||
|
mailbox "Sent Messages" {
|
||||||
|
special_use = \Sent
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
2
roles/mail/templates/postfix/helo_access.j2
Normal file
2
roles/mail/templates/postfix/helo_access.j2
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
{{ ansible_default_ipv4.address }} REJECT You are not me. Go away.
|
||||||
|
{{ mail_domain }} REJECT You are not me. Go away.
|
89
roles/mail/templates/postfix/main.cf.j2
Normal file
89
roles/mail/templates/postfix/main.cf.j2
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||||
|
|
||||||
|
# Debian specific: Specifying a file name will cause the first
|
||||||
|
# line of that file to be used as the name. The Debian default
|
||||||
|
# is /etc/mailname.
|
||||||
|
#myorigin = /etc/mailname
|
||||||
|
|
||||||
|
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||||||
|
biff = no
|
||||||
|
|
||||||
|
# appending .domain is the MUA's job.
|
||||||
|
append_dot_mydomain = no
|
||||||
|
|
||||||
|
# Uncomment the next line to generate "delayed mail" warnings
|
||||||
|
#delay_warning_time = 4h
|
||||||
|
|
||||||
|
readme_directory = no
|
||||||
|
|
||||||
|
inet_interfaces = all
|
||||||
|
|
||||||
|
message_size_limit = 50000000
|
||||||
|
recipient_delimiter = +
|
||||||
|
|
||||||
|
mydomain = binary-kitchen.com
|
||||||
|
myhostname = ptest.binary-kitchen.com
|
||||||
|
myorigin = binary-kitchen.com
|
||||||
|
# fixme
|
||||||
|
mydestination = ptest.binary.kitchen, localhost.binary.kitchen, localhost
|
||||||
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||||
|
|
||||||
|
alias_maps = hash:/etc/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
relayhost =
|
||||||
|
|
||||||
|
# TLS parameters
|
||||||
|
smtp_use_tls = yes
|
||||||
|
smtp_tls_loglevel = 2
|
||||||
|
|
||||||
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
smtpd_use_tls=yes
|
||||||
|
|
||||||
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
|
||||||
|
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
|
||||||
|
|
||||||
|
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||||||
|
# information on enabling SSL in the smtp client.
|
||||||
|
|
||||||
|
smtpd_sasl_type = dovecot
|
||||||
|
smtpd_sasl_path = private/auth
|
||||||
|
smtpd_sasl_auth_enable = yes
|
||||||
|
smtpd_sasl_security_options = noanonymous
|
||||||
|
|
||||||
|
smtpd_helo_restrictions = permit_mynetwork
|
||||||
|
warn_if_reject reject_non_fqdn_hostname
|
||||||
|
check_helo_access hash:/etc/postfix/helo_access
|
||||||
|
#check_client_access cidr:/etc/postfix/client_access
|
||||||
|
|
||||||
|
smtpd_recipient_restrictions = permit_mynetworks
|
||||||
|
permit_sasl_authenticated
|
||||||
|
reject_unauth_destination
|
||||||
|
check_recipient_access hash:/etc/postfix/recipient_access
|
||||||
|
|
||||||
|
smtpd_data_restrictions = warn_if_reject reject_unauth_pipelining
|
||||||
|
|
||||||
|
smtpd_restriction_classes = rbl, rblgrey
|
||||||
|
|
||||||
|
rbl = reject_rbl_client sbl.spamhaus.org
|
||||||
|
reject_rbl_client cbl.abuseat.org
|
||||||
|
|
||||||
|
rblgrey = reject_rbl_client sbl.spamhaus.org
|
||||||
|
reject_rbl_client cbl.abuseat.org
|
||||||
|
check_policy_service unix:private/spfpolicy
|
||||||
|
check_policy_service inet:127.0.0.1:10023
|
||||||
|
|
||||||
|
content_filter = amavis:[127.0.0.1]:10024
|
||||||
|
receive_override_options = no_address_mappings
|
||||||
|
|
||||||
|
virtual_mailbox_domains = binary-kitchen.com
|
||||||
|
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
|
||||||
|
virtual_alias_maps = hash:/etc/postfix/virtual_alias
|
||||||
|
#virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-maps.cf
|
||||||
|
#virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap-aliases.cf
|
||||||
|
|
||||||
|
virtual_transport = dovecot
|
||||||
|
dovecot_destination_recipient_limit = 1
|
||||||
|
|
149
roles/mail/templates/postfix/master.cf.j2
Normal file
149
roles/mail/templates/postfix/master.cf.j2
Normal file
@ -0,0 +1,149 @@
|
|||||||
|
#
|
||||||
|
# Postfix master process configuration file. For details on the format
|
||||||
|
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||||
|
# on-line: http://www.postfix.org/master.5.html).
|
||||||
|
#
|
||||||
|
# Do not forget to execute "postfix reload" after editing this file.
|
||||||
|
#
|
||||||
|
# ==========================================================================
|
||||||
|
# service type private unpriv chroot wakeup maxproc command + args
|
||||||
|
# (yes) (yes) (yes) (never) (100)
|
||||||
|
# ==========================================================================
|
||||||
|
smtp inet n - - - - smtpd
|
||||||
|
#smtp inet n - - - 1 postscreen
|
||||||
|
#smtpd pass - - - - - smtpd
|
||||||
|
#dnsblog unix - - - - 0 dnsblog
|
||||||
|
#tlsproxy unix - - - - 0 tlsproxy
|
||||||
|
submission inet n - - - - smtpd
|
||||||
|
# -o syslog_name=postfix/submission
|
||||||
|
# -o smtpd_tls_security_level=encrypt
|
||||||
|
# -o smtpd_sasl_auth_enable=yes
|
||||||
|
# -o smtpd_reject_unlisted_recipient=no
|
||||||
|
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||||
|
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||||
|
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||||
|
# -o smtpd_recipient_restrictions=
|
||||||
|
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
|
# -o milter_macro_daemon_name=ORIGINATING
|
||||||
|
#smtps inet n - - - - smtpd
|
||||||
|
# -o syslog_name=postfix/smtps
|
||||||
|
# -o smtpd_tls_wrappermode=yes
|
||||||
|
# -o smtpd_sasl_auth_enable=yes
|
||||||
|
# -o smtpd_reject_unlisted_recipient=no
|
||||||
|
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||||
|
# -o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||||
|
# -o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||||
|
# -o smtpd_recipient_restrictions=
|
||||||
|
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
|
# -o milter_macro_daemon_name=ORIGINATING
|
||||||
|
#628 inet n - - - - qmqpd
|
||||||
|
pickup unix n - - 60 1 pickup
|
||||||
|
cleanup unix n - - - 0 cleanup
|
||||||
|
qmgr unix n - n 300 1 qmgr
|
||||||
|
#qmgr unix n - n 300 1 oqmgr
|
||||||
|
tlsmgr unix - - - 1000? 1 tlsmgr
|
||||||
|
rewrite unix - - - - - trivial-rewrite
|
||||||
|
bounce unix - - - - 0 bounce
|
||||||
|
defer unix - - - - 0 bounce
|
||||||
|
trace unix - - - - 0 bounce
|
||||||
|
verify unix - - - - 1 verify
|
||||||
|
flush unix n - - 1000? 0 flush
|
||||||
|
proxymap unix - - n - - proxymap
|
||||||
|
proxywrite unix - - n - 1 proxymap
|
||||||
|
smtp unix - - - - - smtp
|
||||||
|
relay unix - - - - - smtp
|
||||||
|
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||||
|
showq unix n - - - - showq
|
||||||
|
error unix - - - - - error
|
||||||
|
retry unix - - - - - error
|
||||||
|
discard unix - - - - - discard
|
||||||
|
local unix - n n - - local
|
||||||
|
virtual unix - n n - - virtual
|
||||||
|
lmtp unix - - - - - lmtp
|
||||||
|
anvil unix - - - - 1 anvil
|
||||||
|
scache unix - - - - 1 scache
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||||
|
# pages of the non-Postfix software to find out what options it wants.
|
||||||
|
#
|
||||||
|
# Many of the following services use the Postfix pipe(8) delivery
|
||||||
|
# agent. See the pipe(8) man page for information about ${recipient}
|
||||||
|
# and other message envelope options.
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||||
|
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
maildrop unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||||
|
#
|
||||||
|
# Specify in cyrus.conf:
|
||||||
|
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||||
|
#
|
||||||
|
# Specify in main.cf one or more of the following:
|
||||||
|
# mailbox_transport = lmtp:inet:localhost
|
||||||
|
# virtual_transport = lmtp:inet:localhost
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Cyrus 2.1.5 (Amos Gouaux)
|
||||||
|
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
#cyrus unix - n n - - pipe
|
||||||
|
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Old example of delivery via Cyrus.
|
||||||
|
#
|
||||||
|
#old-cyrus unix - n n - - pipe
|
||||||
|
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# See the Postfix UUCP_README file for configuration details.
|
||||||
|
#
|
||||||
|
uucp unix - n n - - pipe
|
||||||
|
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||||
|
#
|
||||||
|
# Other external delivery methods.
|
||||||
|
#
|
||||||
|
ifmail unix - n n - - pipe
|
||||||
|
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||||
|
bsmtp unix - n n - - pipe
|
||||||
|
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||||
|
scalemail-backend unix - n n - 2 pipe
|
||||||
|
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||||
|
mailman unix - n n - - pipe
|
||||||
|
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||||
|
${nexthop} ${user}
|
||||||
|
|
||||||
|
# dovecot
|
||||||
|
dovecot unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user} -m ${extension}
|
||||||
|
|
||||||
|
# amavis
|
||||||
|
amavis unix - - - - 2 smtp
|
||||||
|
-o smtp_data_done_timeout=1200
|
||||||
|
-o smtp_send_xforward_command=yes
|
||||||
|
|
||||||
|
127.0.0.1:10025 inet n - - - - smtpd
|
||||||
|
-o content_filter=
|
||||||
|
-o local_recipient_maps=
|
||||||
|
-o relay_recipient_maps=
|
||||||
|
-o smtpd_restriction_classes=
|
||||||
|
-o smtpd_client_restrictions=
|
||||||
|
-o smtpd_helo_restrictions=
|
||||||
|
-o smtpd_sender_restrictions=
|
||||||
|
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||||
|
-o mynetworks=127.0.0.0/8
|
||||||
|
-o strict_rfc821_envelopes=yes
|
||||||
|
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
|
||||||
|
|
||||||
|
# spf
|
||||||
|
spfpolicy unix - n n - 0 spawn
|
||||||
|
user=nobody argv=/usr/bin/python /usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
|
1
roles/mail/templates/postfix/recipient_access.j2
Normal file
1
roles/mail/templates/postfix/recipient_access.j2
Normal file
@ -0,0 +1 @@
|
|||||||
|
mrks@binary-kitchen.com rblgrey
|
Loading…
Reference in New Issue
Block a user