smtpd_banner = SMTPd ready biff = no append_dot_mydomain = no readme_directory = no compatibility_level = 2 myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])} myorigin = /etc/mailname mydestination = $myhostname, localhost mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))} mailbox_size_limit = 0 recipient_delimiter = + inet_protocols = all message_size_limit = ${node.metadata.get('postfix/message_size_limit_mb', 10)*1024*1024} alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases % if 'relayhost' in node.metadata.get('postfix', {}): relayhost = ${node.metadata['postfix']['relayhost']} % endif % if node.has_bundle('postfixadmin') or node.has_bundle('iptables'): inet_interfaces = all % else: inet_interfaces = 127.0.0.1 % endif <%text> smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level = dane smtp_dns_support_level = dnssec smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtp_tls_ciphers = high smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt % if node.has_bundle('postfixadmin'): smtpd_tls_cert_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/fullchain.pem smtpd_tls_key_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/privkey.pem <%text> smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname smtpd_data_restrictions = reject_unauth_pipelining smtpd_tls_security_level = may smtpd_tls_mandatory_ciphers = high smtpd_tls_exclude_ciphers = aNULL,LOW,EXP,MEDIUM,ADH,AECDH,MD5,DSS,ECDSA,CAMELLIA128,3DES,CAMELLIA256,RSA+AES,eNULL smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 smtpd_tls_ciphers = high smtpd_tls_auth_only=yes relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf virtual_mailbox_base = /var/mail/vmail virtual_mailbox_limit = 0 virtual_minimum_uid = 115 virtual_uid_maps = static:115 virtual_gid_maps = static:115 local_transport = virtual local_recipient_maps = $virtual_mailbox_maps % if node.has_bundle('dovecot'): virtual_transport = lmtp:unix:private/dovecot-lmtp smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_authenticated_header = yes smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes % endif % if node.has_bundle('rspamd'): smtpd_milters = inet:localhost:11332 non_smtpd_milters = inet:localhost:11332 milter_protocol = 6 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_default_action = accept % endif mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject % endif