---
# FreeBSD periodic(8) knobs that belong to the base-system sendmail.
# NOTE(review): presumably the role switches these off because Postfix is
# the MTA on this host; confirm against the task that consumes this list.
sendmail_periodic:
  - daily_clean_hoststat_enable
  - daily_status_mail_rejects_enable
  - daily_status_include_submit_mailq
  - daily_submit_queuerun

# Size, mode and numeric owner used for Postfix logging.
# NOTE(review): presumably applied to the postfix-log (s6-log) service
# defined further down; confirm against the templates.
# All four values are quoted so YAML keeps them as strings; an unquoted mode
# or id would be retyped as an integer by the parser.
# Mode '750' grants "other" no access, which matters because mail logs hold
# envelope addresses and client IPs.
postfix_log_size: '32m'
postfix_log_mode: '750'
postfix_log_uid: '20000'
postfix_log_gid: '20000'

# Lookup-table types treated as "rebuild" types.
# NOTE(review): presumably these are the indexed formats that need postmap(1)
# after the source file changes; regexp/pcre/cidr tables are read as plain
# text and need no rebuild. Confirm against the handler that uses this list.
postfix_rebuild_types:
  - hash
  - btree

# Lookup tables managed by the role, each with the table type it is
# declared as.
# NOTE(review): `mynetworks` is declared as `hash` here, but the `mynetworks`
# entry in postfix_config reads the same file as `cidr:`. A cidr table is
# parsed as text and matched by network prefix; a hash table is an indexed
# file matched by exact key. Confirm which format the file actually has and
# make both declarations agree, because this table decides which clients
# pass every permit_mynetworks check.
postfix_maps:
  - name: header_checks
    type: regexp
  - name: helo_checks
    type: hash
  - name: local_recipients
    type: hash
  - name: mynetworks
    type: hash
  - name: postscreen_dnsbl_reply_map
    type: pcre
  - name: rbl_override
    type: hash
  - name: virtual_aliases
    type: hash
  - name: sender_access
    type: hash

# Rows for the helo_checks table that check_helo_access consults in
# smtpd_helo_restrictions (see postfix_config). Format: "<key> <action>".
# permit_mynetworks and permit_sasl_authenticated are listed before the
# lookup there, so trusted clients never reach this table.
# NOTE(review): only the literal name "localhost" is rejected; a client that
# announces this server's own hostname or IP literal is not covered here.
postfix_helo_checks:
  - localhost REJECT You're not me

# Rows for the rbl_override table. smtpd_client_restrictions consults it via
# check_client_access before the reject_rbl_client entries, so an OK row here
# exempts a client from the DNSBL rejections that follow it.
# Empty by default: no client is exempted.
postfix_rbl_override: []

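# Rows for the sender_access table used by check_sender_access in
# smtpd_sender_restrictions. Format: "<sender domain> <action> <reply text>".
# The key is matched against the envelope sender (MAIL FROM), which the
# sending client chooses freely, so this list only stops senders that keep
# using these domains; it is not an authentication control.
# NOTE(review): with Postfix's default parent_domain_matches_subdomains
# setting, a bare domain key in an access table also matches its subdomains;
# confirm that is intended.
postfix_sender_access:
  - hostepro.co.ua      REJECT Die you fucking spammer!
  - molingrush.co.ua    REJECT Die you fucking spammer!
  - jenreviews.com      REJECT Die you fucking spammer!
  - hes.net             REJECT Die you fucking spammer!
  - willsamaren.co.ua   REJECT Die you fucking spammer!
  - liluinc.eu          REJECT Die you fucking spammer!
  - winsoker.co.ua      REJECT Die you fucking spammer!
  - mellingrush.eu      REJECT Die you fucking spammer!
  - newdgise.co.ua      REJECT Die you fucking spammer!
  - nicemaner.eu        REJECT Die you fucking spammer!
  - qr-hosting.eu       REJECT Die you fucking spammer!
  - villpubrel.com      REJECT Die you fucking spammer!
  - willi-bong.eu       REJECT Die you fucking spammer!
  - pgp.co.in           REJECT Die you fucking spammer!
  - rapnews.biz.ua      REJECT Die you fucking spammer!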

# Rows for the virtual_aliases table (virtual_alias_maps in postfix_config).
# Format: "<address> <destination address>".
# The role addresses (root, abuse, noc, security, postmaster, hostmaster)
# of both domains all deliver to a single mailbox, so abuse and security
# reports depend on that one mailbox being read.
# Three aliases forward to mailboxes outside ccchb.de; mail for them leaves
# this server again after being accepted here.
postfix_virtual_aliases:
  - root@ccchb.de             crest@ccchb.de
  - abuse@ccchb.de            crest@ccchb.de
  - noc@ccchb.de              crest@ccchb.de
  - security@ccchb.de         crest@ccchb.de
  - postmaster@ccchb.de       crest@ccchb.de
  - hostmaster@ccchb.de       crest@ccchb.de
  - thoddi@ccchb.de           mail@thoddi.de
  - docloc@ccchb.de           docloc@posteo.net
  - fritz@ccchb.de            fritz@grimpen.net

  - root@lists.ccchb.de       crest@ccchb.de
  - crest@lists.ccchb.de      crest@ccchb.de
  - abuse@lists.ccchb.de      crest@ccchb.de
  - noc@lists.ccchb.de        crest@ccchb.de
  - security@lists.ccchb.de   crest@ccchb.de
  - postmaster@lists.ccchb.de crest@ccchb.de
  - hostmaster@lists.ccchb.de crest@ccchb.de

  - reddit@ccchb.de           crest@ccchb.de

# Directories of the two service definitions: the Postfix service itself and
# its logger, each with an env/ directory (postfix also has data/).
# NOTE(review): the layout looks like s6-rc source definitions; the base
# directory they are created under is not visible in this file.
postfix_service_dirs:
  - postfix
  - postfix/env
  - postfix/data
  - postfix-log
  - postfix-log/env

# Script files installed into the service directories: run and finish for
# both services, plus postfix/data/check.
# NOTE(review): presumably rendered from templates and installed executable;
# since a supervisor would run them as root, they should be writable by root
# only. Confirm ownership and mode in the task that installs them.
postfix_service_scripts:
  - postfix/run
  - postfix/finish
  - postfix/data/check
  - postfix-log/run
  - postfix-log/finish

# Small single-value files written into the service directories:
# `name` is the path relative to the service root, `content` the file body.
postfix_service_config:
  - name: postfix/type
    content: longrun
  # The Postfix service depends on its logger.
  - name: postfix/dependencies
    content: postfix-log
  # Unquoted, so YAML loads this value as an integer, unlike the quoted '750'
  # below.
  - name: postfix/notification-fd
    content: 3
  - name: postfix/env/NAME
    content: postfix
  # NOTE(review): the search path ends in /root/bin. Every directory on the
  # PATH of a root-started service should be writable by root only.
  - name: postfix/env/PATH
    content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

  - name: postfix-log/type
    content: longrun
  - name: postfix-log/notification-fd
    content: 3
  # NOTE(review): NAME is "postfix" for the logger as well; confirm this is
  # intended rather than "postfix-log".
  - name: postfix-log/env/NAME
    content: postfix
  - name: postfix-log/env/PATH
    content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
  # Same value as postfix_log_mode; quoted so it stays a string.
  - name: postfix-log/env/MODE
    content: '750'
  # The logger is given a dedicated account (s6-log) instead of root.
  - name: postfix-log/env/USER
    content: s6-log
  - name: postfix-log/env/GROUP
    content: s6-log
  # Directory that also holds the fifo named by maillog_file in
  # postfix_config.
  - name: postfix-log/env/DIR
    content: /var/log/postfix

# main.cf parameters. Each entry is one parameter: `name`, `value` and a
# `state` (every entry here is `present`).
# All values are quoted strings, so 'yes', '2', '554' and similar are not
# retyped by the YAML parser before they reach main.cf.
postfix_config:
  - name: compatibility_level
    value: '2'
    state: present

  - name: header_checks
    value: 'regexp:$config_directory/header_checks'
    state: present

  - name: inet_interfaces
    value: '{{ postfix_inet_interfaces }}'
    state: present

  - name: inet_protocols
    value: 'ipv6, ipv4'
    state: present

  - name: local_recipient_maps
    value: 'hash:$config_directory/local_recipients $alias_maps'
    state: present

  # Postfix writes its log to this path instead of syslog.
  # NOTE(review): presumably a fifo read by the postfix-log service; confirm.
  - name: maillog_file
    value: '/var/log/postfix/fifo'
    state: present

  - name: mailbox_transport
    value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
    state: present

  # Fail-open: with 'accept', mail is handled as if no milter were configured
  # whenever the milter in smtpd_milters (the rspamd proxy socket below) is
  # unavailable. Filter outages then pass mail unscanned, so they should be
  # monitored.
  - name: milter_default_action
    value: 'accept'
    state: present

  - name: milter_mail_macros
    value: 'i {mail_addr} {client_addr} {client_name} {auth_authen}'
    state: present

  # The three mua_* names are user-defined values; postfix_params expands them
  # as $mua_*_restrictions for the submission service. Each one permits
  # SASL-authenticated clients and rejects everything else.
  - name: mua_client_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present

  - name: mua_helo_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present

  - name: mua_sender_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present

  - name: mydestination
    value: '$myhostname, localhost.$mydomain, localhost, $mydomain'
    state: present

  # permit_mynetworks appears in every smtpd_*_restrictions list below, so
  # each network in this table skips the checks listed after it, including
  # reject_unauth_destination (i.e. it may relay).
  # NOTE(review): read as `cidr:` here but declared as `hash` in postfix_maps;
  # confirm the file format and make the two agree.
  - name: mynetworks
    value: 'cidr:$config_directory/mynetworks'
    state: present

  - name: myorigin
    value: '$mydomain'
    state: present

  # postscreen "after 220 greeting" tests (bare newline, non-SMTP command,
  # pipelining) are enabled below. Per the Postfix documentation a client
  # that passes these tests is answered with a temporary error and must
  # reconnect, which delays the first message from senders not yet cached.
  - name: postscreen_bare_newline_action
    value: 'enforce'
    state: present

  - name: postscreen_bare_newline_enable
    value: 'yes'
    state: present

  - name: postscreen_blacklist_action
    value: 'drop'
    state: present

  - name: postscreen_cache_map
    value: 'hash:$data_directory/postscreen_cache'
    state: present

  - name: postscreen_dnsbl_action
    value: 'enforce'
    state: present

  - name: postscreen_dnsbl_reply_map
    value: 'pcre:$config_directory/postscreen_dnsbl_reply_map'
    state: present

  # Weighted DNSBL scoring against postscreen_dnsbl_threshold ('3' below):
  # a zen.spamhaus.org listing reaches the threshold on its own, the
  # weight-2 lists need a second listing, unweighted lists count 1, and the
  # negative weights (swl.spamhaus.org, list.dnswl.org) subtract for
  # allowlisted clients.
  # NOTE(review): entries without an "=d.d.d.d" filter count any answer from
  # the zone as a listing. Some operators answer with special codes when
  # queries arrive through public resolvers or exceed usage limits, and
  # retired zones may start answering for every address. Consider reply
  # filters like the list.dnswl.org entries already use, and verify that
  # each zone listed here is still operated.
  - name: postscreen_dnsbl_sites
    value: >-
      zen.spamhaus.org*3
      b.barracudacentral.org*2
      bl.spameatingmonkey.net*2
      bl.spamcop.net
      dnsbl.sorbs.net
      psbl.surriel.com
      bl.mailspike.net
      swl.spamhaus.org*-4
      list.dnswl.org=127.0.[0..255].0*-2
      list.dnswl.org=127.0.[0..255].1*-3
      list.dnswl.org=127.0.[0..255].[2..3]*-4
    state: present

  - name: postscreen_dnsbl_threshold
    value: '3'
    state: present

  - name: postscreen_dnsbl_whitelist_threshold
    value: '-1'
    state: present

  - name: postscreen_greet_action
    value: 'enforce'
    state: present

  - name: postscreen_non_smtp_command_enable
    value: 'yes'
    state: present

  - name: postscreen_pipelining_enable
    value: 'yes'
    state: present

  - name: recipient_delimiter
    value: '+'
    state: present

  - name: smtp_tls_exclude_ciphers
    value: 'aNULL'
    state: present

  - name: smtp_tls_loglevel
    value: '1'
    state: present

  - name: smtp_tls_note_starttls_offer
    value: 'yes'
    state: present

  # Outbound TLS is opportunistic ('may'): STARTTLS is used when offered, the
  # peer certificate is not verified, and delivery falls back to cleartext
  # otherwise. This does not protect against an active attacker who strips
  # STARTTLS; that would need per-destination policy (e.g. DANE), which this
  # file does not configure.
  - name: smtp_tls_security_level
    value: 'may'
    state: present

  - name: smtp_tls_session_cache_database
    value: 'btree:${data_directory}/smtp_scache'
    state: present

  - name: smtpd_banner
    value: '$myhostname ESMTP 8BIT-OK NO UCE NO UBE $mail_name'
    state: present

  # Evaluated in order; the first match decides. Authenticated clients and
  # mynetworks are permitted before any DNS-based check, and rbl_override is
  # consulted before the reject_rbl_client entries so it can exempt a client.
  # reject_unknown_client is strict: it rejects clients whose reverse and
  # forward DNS do not match, and unknown_client_reject_code below makes that
  # a permanent 554.
  # NOTE(review): the reject_rbl_client entries carry no "=d.d.d.d" reply
  # filter, so any answer from the zone rejects the client; verify each zone
  # is still operated and consider filtering on the documented listing codes.
  - name: smtpd_client_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_unknown_client,
      check_client_access
      hash:$config_directory/rbl_override,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client pbl.spamhaus.org,
      reject_rbl_client ix.dnsbl.manitu.net
    state: present

  - name: smtpd_helo_required
    value: 'yes'
    state: present

  - name: smtpd_helo_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      check_helo_access hash:$config_directory/helo_checks,
      reject_unknown_hostname
    state: present

  - name: smtpd_milters
    value: 'unix:/var/run/rspamd/proxy.sock'
    state: present

  # reject_unauth_destination is the open-relay guard for unauthenticated
  # clients outside mynetworks; it must stay in this list.
  - name: smtpd_recipient_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_non_fqdn_recipient,
      reject_unknown_recipient_domain,
      reject_unauth_destination
    state: present

  # Set globally, so AUTH is also offered by the port 25 smtpd service (only
  # after STARTTLS, because of smtpd_tls_auth_only below), not just on
  # submission.
  # NOTE(review): if users are meant to authenticate on submission only,
  # enabling SASL just there (postfix_params already does) removes port 25 as
  # a password-guessing surface.
  - name: smtpd_sasl_auth_enable
    value: 'yes'
    state: present

  - name: smtpd_sasl_path
    value: 'private/dovecot-auth'
    state: present

  - name: smtpd_sender_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_non_fqdn_sender,
      reject_unknown_sender_domain,
      check_sender_access hash:$config_directory/sender_access
    state: present

  # Credentials are never accepted over an unencrypted session.
  - name: smtpd_tls_auth_only
    value: 'yes'
    state: present

  # Certificate and private key are the files under the Dovecot configuration
  # directory, so both daemons present the same identity. The key file should
  # be readable by root only.
  - name: smtpd_tls_cert_file
    value: '/usr/local/etc/dovecot/fullchain.pem'
    state: present

  # NOTE(review): the Postfix documentation steers away from the fixed
  # 'ultra' grade in favour of automatic curve negotiation on current
  # releases; confirm against the deployed Postfix version.
  - name: smtpd_tls_eecdh_grade
    value: 'ultra'
    state: present

  - name: smtpd_tls_exclude_ciphers
    value: 'aNULL'
    state: present

  - name: smtpd_tls_key_file
    value: '/usr/local/etc/dovecot/privkey.pem'
    state: present

  - name: smtpd_tls_loglevel
    value: '1'
    state: present

  # The mandatory_* cipher settings apply where TLS is required (the
  # submission service sets smtpd_tls_security_level=encrypt in
  # postfix_params). Port 25 runs at 'may' and uses the opportunistic cipher
  # grade, which this file leaves at its default.
  - name: smtpd_tls_mandatory_ciphers
    value: 'high'
    state: present

  - name: smtpd_tls_mandatory_exclude_ciphers
    value: 'aNULL'
    state: present

  - name: smtpd_tls_mandatory_protocols
    value: 'TLSv1.2 TLSv1.3'
    state: present

  # Also restricts opportunistic TLS on port 25 to TLS 1.2/1.3.
  # NOTE(review): a sending server limited to older TLS cannot complete
  # STARTTLS and, at level 'may', may deliver in cleartext instead; confirm
  # this trade-off is intended.
  - name: smtpd_tls_protocols
    value: 'TLSv1.2 TLSv1.3'
    state: present

  - name: smtpd_tls_received_header
    value: 'yes'
    state: present

  - name: smtpd_tls_security_level
    value: 'may'
    state: present

  - name: smtpd_tls_session_cache_database
    value: 'btree:${data_directory}/smtpd_scache'
    state: present

  - name: strict_rfc821_envelopes
    value: 'yes'
    state: present

  # Replaces Postfix's built-in "high" cipher list with eight AEAD suites
  # using ECDHE or DHE key exchange.
  # NOTE(review): the Postfix documentation advises against changing this
  # list, and a pinned list has to be maintained by hand as recommendations
  # change. TLS 1.3 suites are presumably not governed by it; confirm.
  - name: tls_high_cipherlist
    value: |-
      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    state: present

  # Disables TLS-level compression.
  - name: tls_ssl_options
    value: 'NO_COMPRESSION'
    state: present

  # The three unknown_*_reject_code values replace the upstream default (450,
  # a temporary failure) with 554, so rejections by the reject_unknown_*
  # restrictions above are permanent and a misconfigured but legitimate
  # sender bounces instead of retrying.
  # NOTE(review): per the Postfix documentation, temporary DNS lookup errors
  # are still answered with 450; confirm for the deployed version.
  - name: unknown_address_reject_code
    value: '554'
    state: present

  - name: unknown_client_reject_code
    value: '554'
    state: present

  - name: unknown_hostname_reject_code
    value: '554'
    state: present

  # NOTE(review): virtual_mlmmj is not among the tables in postfix_maps;
  # presumably it is generated elsewhere (mailing-list setup). Confirm it is
  # built before Postfix starts, since a missing table makes lookups fail.
  - name: virtual_alias_maps
    value: 'hash:/usr/local/etc/postfix/virtual_aliases, hash:/usr/local/etc/postfix/virtual_mlmmj'
    state: present

  # NOTE(review): no virtual_mailbox_maps is set in this file. Presumably
  # recipient validity for this domain is then only decided at LMTP delivery;
  # confirm, because rejecting after the message was queued produces bounces
  # to possibly forged senders.
  - name: virtual_mailbox_domains
    value: 'lists.ccchb.de'
    state: present

  - name: virtual_transport
    value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
    state: present

# master.cf service lines. `value` is the complete line in master.cf column
# order: service, type, private, unpriv, chroot, wakeup, maxproc, command.
# Port 25 (smtp/inet) is answered by a single postscreen process, which hands
# clients that pass its tests to the smtpd "pass" service. dnsblog and
# tlsproxy are postscreen's helpers for DNSBL lookups and STARTTLS.
# submission is a separate smtpd listener; its overrides are in
# postfix_params.
# The chroot column is 'n' on all five lines, so no service runs chrooted.
postfix_services:
  - name: smtp
    type: inet
    value: "smtp       inet  n       -       n       -       1       postscreen"

  - name: smtpd
    type: pass
    value: "smtpd      pass  -       -       n       -       -       smtpd"

  - name: submission
    type: inet
    value: "submission inet  n       -       n       -       -       smtpd"

  - name: dnsblog
    type: unix
    value: "dnsblog   unix  -       -       n       -       0       dnsblog"

  - name: tlsproxy
    type: unix
    value: "tlsproxy  unix  -       -       n       -       0       tlsproxy"

# Per-service overrides; `name` has the form <service>/<type>/<parameter>.
# All entries here apply to the submission listener.
# Net effect: TLS is required (encrypt), AUTH is only accepted inside TLS,
# and the client, helo, sender and relay restrictions all end in `reject`
# for anything that is not SASL-authenticated.
postfix_params:
  - name: submission/inet/syslog_name
    value: 'postfix/submission'
    state: present

  - name: submission/inet/smtpd_tls_security_level
    value: 'encrypt'
    state: present

  # The server's cipher preference order wins over the client's.
  - name: submission/inet/tls_preempt_cipherlist
    value: 'yes'
    state: present

  - name: submission/inet/smtpd_sasl_auth_enable
    value: 'yes'
    state: present

  - name: submission/inet/smtpd_tls_auth_only
    value: 'yes'
    state: present

  - name: submission/inet/smtpd_reject_unlisted_recipient
    value: 'no'
    state: present

  - name: submission/inet/smtpd_client_restrictions
    value: '$mua_client_restrictions'
    state: present

  - name: submission/inet/smtpd_helo_restrictions
    value: '$mua_helo_restrictions'
    state: present

  # NOTE(review): $mua_sender_restrictions only checks that the client is
  # authenticated. Nothing here ties the envelope sender to the login (no
  # smtpd_sender_login_maps / reject_sender_login_mismatch), so an
  # authenticated user can send with any sender address; confirm that is
  # acceptable.
  - name: submission/inet/smtpd_sender_restrictions
    value: '$mua_sender_restrictions'
    state: present

  # Deliberately empty for submission; access is decided by
  # smtpd_relay_restrictions below.
  - name: submission/inet/smtpd_recipient_restrictions
    value: ''
    state: present

  - name: submission/inet/smtpd_relay_restrictions
    value: 'permit_sasl_authenticated,reject'
    state: present

  # Milter macro that marks mail arriving on this service as originating from
  # authenticated users.
  - name: submission/inet/milter_macro_daemon_name
    value: ORIGINATING
    state: present