diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf new file mode 100644 index 0000000..b57afd1 --- /dev/null +++ b/bundles/postfix/files/main.cf @@ -0,0 +1,92 @@ +smtpd_banner = SMTPd ready +biff = no +append_dot_mydomain = no +readme_directory = no +compatibility_level = 2 +myhostname = ${node.metadata.get('postfix', {}).get('myhostname', node.metadata['hostname'])} +myorigin = /etc/mailname +mydestination = $myhostname, localhost +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +message_size_limit = ${node.metadata.get('postfix', {}).get('message_size_limit_mb', 10)*1024*1024} + +% if node.has_bundle('postfixadmin'): +inet_interfaces = all +% else: +inet_interfaces = 127.0.0.1 +% endif + +<%text> +smtp_use_tls = yes +smtp_tls_loglevel = 1 +smtp_tls_note_starttls_offer = yes +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_security_level = dane +smtp_dns_support_level = dnssec +smtp_tls_protocols = !SSLv2, !SSLv3 +smtp_tls_ciphers = high +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt + + +% if node.has_bundle('postfixadmin'): +smtpd_tls_cert_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/fullchain.pem +smtpd_tls_key_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/privkey.pem +<%text> +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination +smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated +smtpd_helo_required = yes +smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname +smtpd_data_restrictions = reject_unauth_pipelining +smtpd_tls_security_level = may +smtpd_tls_mandatory_ciphers = high +smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_ciphers = high +smtpd_tls_auth_only=yes + + +relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf +virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf +virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf +virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf +virtual_mailbox_base = /var/mail/vmail +virtual_mailbox_limit = 0 +virtual_minimum_uid = 115 +virtual_uid_maps = static:115 +virtual_gid_maps = static:115 +local_transport = virtual +local_recipient_maps = $virtual_mailbox_maps +% if node.has_bundle('dovecot'): +virtual_transport = lmtp:unix:private/dovecot-lmtp + +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth +smtpd_sasl_authenticated_header = yes +smtpd_sasl_auth_enable = yes +smtpd_sasl_security_options = noanonymous +broken_sasl_auth_clients = yes +% endif + +% if node.has_bundle('rspamd'): +smtpd_milters = inet:localhost:11332 +non_smtpd_milters = inet:localhost:11332 +milter_protocol = 6 +milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} +milter_default_action = accept +% endif + +mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject +mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject +mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject + +postscreen_access_list = permit_mynetworks +postscreen_blacklist_action = drop +postscreen_greet_action = drop +postscreen_dnsbl_threshold = 2 +postscreen_dnsbl_sites = ix.dnsbl.manitu.net zen.spamhaus.org +postscreen_dnsbl_action = drop +% endif diff --git a/bundles/postfix/files/master.cf b/bundles/postfix/files/master.cf new file mode 100644 index 0000000..56c584d --- /dev/null +++ b/bundles/postfix/files/master.cf @@ -0,0 +1,54 @@ +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +% if node.has_bundle('postfixadmin'): +smtp inet n - y - 1 postscreen + -o smtpd_sasl_auth_enable=no +% else: +smtp inet n - y - 1 smtpd +% endif +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +% if node.has_bundle('postfixadmin'): +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_sasl_security_options=noanonymous + -o smtpd_client_restrictions=$mua_client_restrictions + -o smtpd_sender_restrictions=$mua_sender_restrictions + -o smtpd_relay_restrictions=$mua_relay_restrictions + -o milter_macro_daemon_name=ORIGINATING + -o smtpd_helo_required=no + -o smtpd_helo_restrictions= + -o cleanup_service_name=submission-header-cleanup +submission-header-cleanup unix n - n - 0 cleanup + -o header_checks=regexp:/etc/postfix/submission_header_cleanup +% endif +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py new file mode 100644 index 0000000..56e2ac5 --- /dev/null +++ b/bundles/postfix/items.py @@ -0,0 +1,33 @@ +if node.has_bundle('postfixadmin'): + assert node.has_bundle('letsencrypt') + +files = { + '/etc/mailname': { + 'content': node.metadata.get('postfix', {}).get('myhostname', node.metadata['hostname']), + 'triggers': { + 'svc_systemd:postfix:restart', + }, + }, + '/etc/postfix/master.cf': { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:postfix:restart', + }, + }, + '/etc/postfix/main.cf': { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:postfix:restart', + }, + }, +} + +svc_systemd = { + 'postfix': { + 'needs': { + 'file:/etc/postfix/master.cf', + 'file:/etc/postfix/main.cf', + 'pkg_apt:', + }, + }, +} diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py new file mode 100644 index 0000000..0461d1d --- /dev/null +++ b/bundles/postfix/metadata.py @@ -0,0 +1,29 @@ +defaults = { + 'apt': { + 'packages': { + 'postfix': {}, + }, + }, +} + +@metadata_reactor +def letsencrypt(metadata): + if not node.has_bundle('letsencrypt'): + raise DoNotRunAgain + + result = { + 'reload_after': { + 'postfix', + }, + } + + myhostname = metadata.get('postfix/myhostname', None) + + if myhostname and myhostname != metadata.get('hostname'): + result['domains'] = { + myhostname: {}, + } + + return { + 'letsencrypt': result, + }