2020-11-07 21:31:18 +00:00
|
|
|
smtpd_banner = SMTPd ready
|
|
|
|
biff = no
|
|
|
|
append_dot_mydomain = no
|
|
|
|
readme_directory = no
|
|
|
|
compatibility_level = 2
|
2021-02-18 17:12:25 +00:00
|
|
|
myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
|
2020-11-07 21:31:18 +00:00
|
|
|
myorigin = /etc/mailname
|
|
|
|
mydestination = $myhostname, localhost
|
2021-03-21 10:11:49 +00:00
|
|
|
mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
|
2020-11-07 21:31:18 +00:00
|
|
|
mailbox_size_limit = 0
|
|
|
|
recipient_delimiter = +
|
|
|
|
inet_protocols = all
|
2021-02-18 17:12:25 +00:00
|
|
|
message_size_limit = ${node.metadata.get('postfix/message_size_limit_mb', 10)*1024*1024}
|
2020-11-09 09:52:24 +00:00
|
|
|
alias_database = hash:/etc/aliases
|
2021-02-06 09:24:19 +00:00
|
|
|
alias_maps = hash:/etc/aliases
|
2020-11-07 21:31:18 +00:00
|
|
|
|
2020-11-11 12:29:22 +00:00
|
|
|
% if 'relayhost' in node.metadata.get('postfix', {}):
|
|
|
|
relayhost = ${node.metadata['postfix']['relayhost']}
|
|
|
|
% endif
|
|
|
|
|
2021-03-15 10:41:35 +00:00
|
|
|
% if node.has_bundle('postfixadmin') or node.has_bundle('iptables'):
|
2020-11-07 21:31:18 +00:00
|
|
|
inet_interfaces = all
|
|
|
|
% else:
|
|
|
|
inet_interfaces = 127.0.0.1
|
|
|
|
% endif
|
|
|
|
|
|
|
|
<%text>
|
|
|
|
smtp_use_tls = yes
|
|
|
|
smtp_tls_loglevel = 1
|
|
|
|
smtp_tls_note_starttls_offer = yes
|
|
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
|
|
smtp_tls_security_level = dane
|
|
|
|
smtp_dns_support_level = dnssec
|
2020-11-08 11:24:37 +00:00
|
|
|
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
|
|
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
2020-11-07 21:31:18 +00:00
|
|
|
smtp_tls_ciphers = high
|
|
|
|
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
|
|
|
</%text>
|
|
|
|
|
|
|
|
% if node.has_bundle('postfixadmin'):
|
|
|
|
smtpd_tls_cert_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/fullchain.pem
|
|
|
|
smtpd_tls_key_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/privkey.pem
|
|
|
|
<%text>
|
|
|
|
smtpd_use_tls=yes
|
|
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
|
|
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
|
|
|
|
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
|
|
|
|
smtpd_helo_required = yes
|
|
|
|
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
|
|
|
|
smtpd_data_restrictions = reject_unauth_pipelining
|
|
|
|
smtpd_tls_security_level = may
|
|
|
|
smtpd_tls_mandatory_ciphers = high
|
2020-11-08 11:24:37 +00:00
|
|
|
smtpd_tls_exclude_ciphers = aNULL,LOW,EXP,MEDIUM,ADH,AECDH,MD5,DSS,ECDSA,CAMELLIA128,3DES,CAMELLIA256,RSA+AES,eNULL
|
|
|
|
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
|
|
|
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
2020-11-07 21:31:18 +00:00
|
|
|
smtpd_tls_ciphers = high
|
|
|
|
smtpd_tls_auth_only=yes
|
|
|
|
</%text>
|
|
|
|
|
|
|
|
relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf
|
|
|
|
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
|
|
|
|
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
|
|
|
|
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
|
|
|
|
virtual_mailbox_base = /var/mail/vmail
|
|
|
|
virtual_mailbox_limit = 0
|
|
|
|
virtual_minimum_uid = 115
|
|
|
|
virtual_uid_maps = static:115
|
|
|
|
virtual_gid_maps = static:115
|
|
|
|
local_transport = virtual
|
|
|
|
local_recipient_maps = $virtual_mailbox_maps
|
|
|
|
% if node.has_bundle('dovecot'):
|
|
|
|
virtual_transport = lmtp:unix:private/dovecot-lmtp
|
|
|
|
|
|
|
|
smtpd_sasl_type = dovecot
|
|
|
|
smtpd_sasl_path = private/auth
|
|
|
|
smtpd_sasl_authenticated_header = yes
|
|
|
|
smtpd_sasl_auth_enable = yes
|
|
|
|
smtpd_sasl_security_options = noanonymous
|
|
|
|
broken_sasl_auth_clients = yes
|
|
|
|
% endif
|
|
|
|
|
|
|
|
% if node.has_bundle('rspamd'):
|
|
|
|
smtpd_milters = inet:localhost:11332
|
|
|
|
non_smtpd_milters = inet:localhost:11332
|
|
|
|
milter_protocol = 6
|
|
|
|
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
|
|
|
milter_default_action = accept
|
|
|
|
% endif
|
|
|
|
|
|
|
|
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
|
|
|
|
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject
|
|
|
|
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
|
|
|
|
% endif
|