ansible-role-mailserver/templates/postfix/main.cf

##
## Network settings
##

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
smtp_address_preference = ipv6
myhostname = {{ mailserver_mx_domain }}


##
## Mail queue settings
##

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m


##
## TLS settings
###

tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

### Outbound SMTP connections (Postfix as sender)

{% if mailserver_dovecot_enabled %}
smtp_tls_security_level = may
{% else %}
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/tls-policy.cf
{% endif %}
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem
smtpd_tls_dh1024_param_file = ${config_directory}/dh.pem

##
## Local mail delivery to Dovecot via LMTP
##

virtual_transport = lmtp:unix:private/dovecot-lmtp

{% if mailserver_rspamd_enabled %}
##
## Spam filter and DKIM signatures via Rspamd
##

smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
{% endif %}


##
## Server Restrictions for clients, cecipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##

### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =      reject_non_fqdn_recipient
#                                reject_unknown_recipient_domain
                                permit_mynetworks
                                reject_unauth_destination


### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
#smtpd_recipient_restrictions = check_recipient_access proxy:{{ mailserver_db_type }}:/etc/postfix/sql/recipient-access.cf


### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =     permit_mynetworks
#                                check_client_access hash:/etc/postfix/without_ptr
#                                reject_unknown_client_hostname


### Foreign mail servers must present a valid "HELO"
# Recipient address rejected: Domain not found;
smtpd_helo_required = yes
smtpd_helo_restrictions =   permit_mynetworks
                            reject_invalid_helo_hostname
                            reject_non_fqdn_helo_hostname
#                            reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining


##
## Restrictions for MUAs (Mail user agents)
##

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


##
## Postscreen Filter
##

### Postscreen Whitelist / Blocklist
postscreen_access_list =        permit_mynetworks
#                                cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop


# Drop connections if other server is sending too quickly
postscreen_greet_action = drop


### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =    ix.dnsbl.manitu.net*2
                            zen.spamhaus.org*2
postscreen_dnsbl_action = drop


##
## MySQL queries
##
alias_maps =
       hash:/etc/postfix/aliases
{% if mailserver_mailman_enabled %}
       hash:/var/lib/mailman/data/aliases
{% endif %}
alias_database = $alias_maps

virtual_alias_maps =
{% if mailserver_dovecot_enabled %}
       proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-maps.cf
       proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains-maps.cf
{% endif %}
{% if mailserver_mailman_enabled %}
       hash:/var/lib/mailman/data/virtual-mailman
{% endif %}
{% if mailserver_dovecot_enabled %}
virtual_alias_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains.cf
virtual_mailbox_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-maps.cf
virtual_mailbox_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-domains.cf

# List of authorized senders
smtpd_sender_login_maps =
        proxy:{{ mailserver_db_type }}:/etc/postfix/sql/smtpd-sender-login-maps.cf
        proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-sender-maps.cf
{% endif %}
local_recipient_maps = $smtpd_sender_login_maps

{% if mailserver_mailman_enabled %}
relay_domains =
       hash:/var/lib/mailman/data/relay-domains
{% endif %}

##
## Miscellaneous
##

### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0

### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800

### Do not notify system users on new e-mail
biff = no

### Users always have to provide full e-mail addresses
append_dot_mydomain = no

### Delimiter for "Address Tagging"
recipient_delimiter = +

#------------------------------
compatibility_level = 2
postfix: support 2020-07-24 12:42:59 +02:00			`##`
			`## Network settings`
			`##`

			`mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128`
			`inet_interfaces = all`
			`smtp_address_preference = ipv6`
			`myhostname = {{ mailserver_mx_domain }}`


			`##`
			`## Mail queue settings`
			`##`

			`maximal_queue_lifetime = 1h`
			`bounce_queue_lifetime = 1h`
			`maximal_backoff_time = 15m`
			`minimal_backoff_time = 5m`
			`queue_run_delay = 5m`


			`##`
			`## TLS settings`
			`###`

postfix: tls++ like in ssl-config.mozilla.org intermediate 2021-01-14 23:35:02 +01:00			`tls_preempt_cipherlist = no`
postfix: support 2020-07-24 12:42:59 +02:00			`tls_ssl_options = NO_COMPRESSION`
postfix: tls++ like in ssl-config.mozilla.org intermediate 2021-01-14 23:35:02 +01:00			`tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
postfix: support 2020-07-24 12:42:59 +02:00
			`### Outbound SMTP connections (Postfix as sender)`

			`{% if mailserver_dovecot_enabled %}`
			`smtp_tls_security_level = may`
			`{% else %}`
			`smtp_tls_security_level = dane`
			`smtp_dns_support_level = dnssec`
			`smtp_tls_policy_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/tls-policy.cf`
			`{% endif %}`
			`smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache`
			`smtp_tls_protocols = !SSLv2, !SSLv3`
			`smtp_tls_ciphers = high`
			`smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt`


			`### Inbound SMTP connections`
			`smtpd_tls_security_level = may`
postfix: tls++ like in ssl-config.mozilla.org intermediate 2021-01-14 23:35:02 +01:00			`smtpd_tls_auth_only = yes`
			`smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`smtpd_tls_mandatory_ciphers = medium`
postfix: support 2020-07-24 12:42:59 +02:00			`smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache`

			`smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem`
			`smtpd_tls_cert_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem`
			`smtpd_tls_dh1024_param_file = ${config_directory}/dh.pem`

			`##`
			`## Local mail delivery to Dovecot via LMTP`
			`##`

			`virtual_transport = lmtp:unix:private/dovecot-lmtp`

			`{% if mailserver_rspamd_enabled %}`
			`##`
			`## Spam filter and DKIM signatures via Rspamd`
			`##`

			`smtpd_milters = inet:127.0.0.1:11332`
			`non_smtpd_milters = inet:127.0.0.1:11332`
			`milter_protocol = 6`
			`milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}`
			`milter_default_action = accept`
			`{% endif %}`


			`##`
			`## Server Restrictions for clients, cecipients and relaying`
			`## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)`
			`##`

			`### Conditions in which Postfix works as a relay. (for mail user clients)`
			`smtpd_relay_restrictions = reject_non_fqdn_recipient`
			`# reject_unknown_recipient_domain`
			`permit_mynetworks`
			`reject_unauth_destination`


			`### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)`
			`### check_recipient_access checks if an account is "sendonly"`
			`#smtpd_recipient_restrictions = check_recipient_access proxy:{{ mailserver_db_type }}:/etc/postfix/sql/recipient-access.cf`


			`### Restrictions for all sending foreign servers ("SMTP clients")`
			`smtpd_client_restrictions = permit_mynetworks`
cleanup + add roundcubemail 2020-07-24 17:07:52 +02:00			`# check_client_access hash:/etc/postfix/without_ptr`
postfix: support 2020-07-24 12:42:59 +02:00			`# reject_unknown_client_hostname`


			`### Foreign mail servers must present a valid "HELO"`
			`# Recipient address rejected: Domain not found;`
			`smtpd_helo_required = yes`
			`smtpd_helo_restrictions = permit_mynetworks`
			`reject_invalid_helo_hostname`
			`reject_non_fqdn_helo_hostname`
			`# reject_unknown_helo_hostname`

			`# Block clients, which start sending too early`
			`smtpd_data_restrictions = reject_unauth_pipelining`


			`##`
			`## Restrictions for MUAs (Mail user agents)`
			`##`

			`mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject`
			`mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject`
			`mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject`


			`##`
			`## Postscreen Filter`
			`##`

			`### Postscreen Whitelist / Blocklist`
			`postscreen_access_list = permit_mynetworks`
cleanup + add roundcubemail 2020-07-24 17:07:52 +02:00			`# cidr:/etc/postfix/postscreen_access`
postfix: support 2020-07-24 12:42:59 +02:00			`postscreen_blacklist_action = drop`


			`# Drop connections if other server is sending too quickly`
			`postscreen_greet_action = drop`


			`### DNS blocklists`
			`postscreen_dnsbl_threshold = 2`
			`postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2`
			`zen.spamhaus.org*2`
			`postscreen_dnsbl_action = drop`


			`##`
			`## MySQL queries`
			`##`
			`alias_maps =`
			`hash:/etc/postfix/aliases`
			`{% if mailserver_mailman_enabled %}`
			`hash:/var/lib/mailman/data/aliases`
			`{% endif %}`
			`alias_database = $alias_maps`

			`virtual_alias_maps =`
			`{% if mailserver_dovecot_enabled %}`
			`proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-maps.cf`
			`proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains-maps.cf`
			`{% endif %}`
			`{% if mailserver_mailman_enabled %}`
			`hash:/var/lib/mailman/data/virtual-mailman`
			`{% endif %}`
			`{% if mailserver_dovecot_enabled %}`
			`virtual_alias_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains.cf`
			`virtual_mailbox_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-maps.cf`
			`virtual_mailbox_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-domains.cf`

			`# List of authorized senders`
			`smtpd_sender_login_maps =`
			`proxy:{{ mailserver_db_type }}:/etc/postfix/sql/smtpd-sender-login-maps.cf`
			`proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-sender-maps.cf`
			`{% endif %}`
			`local_recipient_maps = $smtpd_sender_login_maps`

			`{% if mailserver_mailman_enabled %}`
			`relay_domains =`
			`hash:/var/lib/mailman/data/relay-domains`
			`{% endif %}`

			`##`
			`## Miscellaneous`
			`##`

			`### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)`
			`mailbox_size_limit = 0`

			`### Maximum size of inbound e-mails (50 MB)`
			`message_size_limit = 52428800`

			`### Do not notify system users on new e-mail`
			`biff = no`

			`### Users always have to provide full e-mail addresses`
			`append_dot_mydomain = no`

			`### Delimiter for "Address Tagging"`
			`recipient_delimiter = +`

			`#------------------------------`
			`compatibility_level = 2`