Franziska Kunsmann 35e4bbf04b
bundles/postfix: remove postscreen usage
postscreen isn't able to share its cache file between
instances, which leads to the server simply accepting
mails for the port on which postscreen starts up later.
Since we can't predict which port this will be, we
simply remove postscreen altogether.

Yes, I know I could just remove postscreen for port 2525.
2021-03-28 09:00:37 +02:00


# Postfix main.cf, rendered by bundlewrap from a Mako template.
# Everything node-specific comes from the node's 'postfix' metadata
# (myhostname, mynetworks, relayhost, message_size_limit_mb); the rest
# is fixed policy. Postfix comments must start in column 0 -- a line
# beginning with whitespace is a continuation of the previous setting.
smtpd_banner = SMTPd ready
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
# Falls back to the node's plain hostname when postfix/myhostname is unset.
myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
myorigin = /etc/mailname
mydestination = $myhostname, localhost
# Everything in mynetworks may relay without authentication (see the
# permit_mynetworks entries in the smtpd_*/mua_* restrictions further
# down), so only genuinely trusted networks belong in postfix/mynetworks.
# Loopback is listed in all three spellings (IPv4, IPv6, IPv4-mapped IPv6).
mynetworks = 127.0.0.0/8 [::1]/128 [::ffff:127.0.0.0]/104 ${' '.join(sorted(node.metadata.get('postfix/mynetworks', set())))}
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
# Metadata value is in MiB (default 10); Postfix wants bytes.
message_size_limit = ${node.metadata.get('postfix/message_size_limit_mb', 10)*1024*1024}
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
% if 'relayhost' in node.metadata.get('postfix', {}):
# Outbound mail is handed to this smart host instead of being delivered
# directly to the recipient's MX.
relayhost = ${node.metadata['postfix']['relayhost']}
% endif
# Bind to all interfaces only where the node is a full mail host
# (postfixadmin) or has a host firewall (iptables) in front of it; in the
# iptables case the firewall, not Postfix, decides who may reach port 25.
# Otherwise Postfix is reachable from localhost only.
% if node.has_bundle('postfixadmin') or node.has_bundle('iptables'):
inet_interfaces = all
% else:
inet_interfaces = 127.0.0.1
% endif
<%text>
# Outbound (client-side) TLS. <%text> keeps Mako from interpolating the
# Postfix-level ${data_directory} below.
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# NOTE(review): 'dane' authenticates destinations that publish TLSA
# records, but only if the resolver on this node validates DNSSEC and
# sets the AD bit; with a non-validating resolver Postfix silently
# degrades to opportunistic ('may') TLS for every destination. Confirm
# /etc/resolv.conf points at a validating (ideally local) resolver.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
# TLS 1.2+ only, both for mandatory and for opportunistic sessions.
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_ciphers = high
# CA bundle used for certificate verification where a verifying security
# level applies (it plays no role for DANE-EE matches).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
</%text>
# Full mail-host configuration, only on nodes that also run postfixadmin:
# server-side TLS with a dehydrated certificate, inbound SMTP policy,
# virtual domains/mailboxes from PostgreSQL, and optionally dovecot
# (SASL + LMTP) and rspamd (milter).
% if node.has_bundle('postfixadmin'):
# Unlike myhostname above this does NOT fall back to the plain hostname:
# rendering fails with a KeyError when postfix/myhostname is unset.
# Presumably intentional, so a missing/misnamed certificate directory is
# caught at deploy time rather than at the first TLS handshake -- confirm.
# The private key is read by the Postfix master as root at startup.
smtpd_tls_cert_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/fullchain.pem
smtpd_tls_key_file=/var/lib/dehydrated/certs/${node.metadata['postfix']['myhostname']}/privkey.pem
<%text>
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Port 25 policy. Relaying is allowed for mynetworks and for our own
# domains only (reject_unauth_destination); SASL-authenticated clients are
# not granted relay here -- that is what the mua_* parameters below are
# for, wired to the submission service in master.cf (not part of this file).
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
# No trailing 'reject': an MX has to accept connections from arbitrary
# clients, so this list ends with Postfix's implicit permit.
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
smtpd_data_restrictions = reject_unauth_pipelining
# Opportunistic STARTTLS for inbound mail ('may' is the right level for an
# MX: 'encrypt' would refuse mail from senders that cannot do TLS).
smtpd_tls_security_level = may
# Applies only where TLS is mandatory (e.g. a submission service that
# overrides smtpd_tls_security_level=encrypt in master.cf).
smtpd_tls_mandatory_ciphers = high
# NOTE(review): exclude lists apply at every security level, including the
# opportunistic one above. A sending MTA that only offers an excluded
# cipher does not get refused -- it falls back to cleartext. Keep this
# list in step with what real senders actually negotiate.
smtpd_tls_exclude_ciphers = aNULL,LOW,EXP,MEDIUM,ADH,AECDH,MD5,DSS,ECDSA,CAMELLIA128,3DES,CAMELLIA256,RSA+AES,eNULL
# TLS 1.2+ only, mandatory and opportunistic alike.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_ciphers = high
# AUTH is only advertised/accepted inside a TLS session, so credentials
# (plain/login mechanisms) are never sent in the clear.
smtpd_tls_auth_only=yes
</%text>
# Domains and mailboxes are looked up in PostgreSQL (maps managed by the
# postfixadmin bundle; the .cf files are not part of this template).
relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_limit = 0
# All virtual mailboxes are owned by a single uid/gid (115); this must
# match the vmail account created elsewhere in the bundle -- not visible here.
virtual_minimum_uid = 115
virtual_uid_maps = static:115
virtual_gid_maps = static:115
# Even "local" recipients ($mydestination) are delivered via the virtual
# transport, and recipient validation uses the virtual mailbox map, so
# unknown users can be refused during the SMTP dialogue instead of bounced.
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
% if node.has_bundle('dovecot'):
# Final delivery over dovecot's LMTP socket; SASL is delegated to
# dovecot's auth socket (both under $queue_directory/private).
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Record the authenticated user in the Received: header.
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
# Plaintext mechanisms remain allowed; smtpd_tls_auth_only above confines
# them to TLS sessions.
smtpd_sasl_security_options = noanonymous
# Also advertise AUTH in the legacy 'AUTH=' form for old MUAs.
broken_sasl_auth_clients = yes
% endif
% if node.has_bundle('rspamd'):
# rspamd scans both inbound SMTP mail and locally submitted mail; the
# macros give it the sender, client and authenticated user.
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# NOTE(review): 'accept' fails open -- if rspamd is down or unreachable,
# mail is accepted UNSCANNED. 'tempfail' would defer instead. This is an
# availability-vs-filtering trade-off; confirm it is the intended one.
milter_default_action = accept
% endif
# Restriction sets for authenticated submission. These are custom
# parameter names that Postfix ignores unless master.cf references them
# (e.g. -o smtpd_relay_restrictions=$mua_relay_restrictions on the
# submission/smtps services); master.cf is not part of this template.
# NOTE(review): there is no smtpd_sender_login_maps /
# reject_sender_login_mismatch, so any authenticated account may use any
# envelope sender, including other users' addresses. Add them if
# per-account sender binding is intended.
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
% endif