ansible-role-mailserver/templates/postfix/main.cf

196 lines
5.9 KiB
CFEngine3

##
## Network settings
##
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
smtp_address_preference = ipv6
myhostname = {{ mailserver_mx_domain }}
##
## Mail queue settings
##
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS settings
###
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
### Outbound SMTP connections (Postfix as sender)
{% if mailserver_dovecot_enabled %}
smtp_tls_security_level = may
{% else %}
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/tls-policy.cf
{% endif %}
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
smtpd_tls_cert_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/fullchain.pem
smtpd_tls_dh1024_param_file = ${config_directory}/dh.pem
##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp
{% if mailserver_rspamd_enabled %}
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
{% endif %}
##
## Server Restrictions for clients, cecipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##
### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
# reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
#smtpd_recipient_restrictions = check_recipient_access proxy:{{ mailserver_db_type }}:/etc/postfix/sql/recipient-access.cf
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
# check_client_access hash:/etc/postfix/without_ptr
# reject_unknown_client_hostname
### Foreign mail servers must present a valid "HELO"
# Recipient address rejected: Domain not found;
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
# reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions for MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks
# cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
zen.spamhaus.org*2
postscreen_dnsbl_action = drop
##
## MySQL queries
##
alias_maps =
hash:/etc/postfix/aliases
{% if mailserver_mailman_enabled %}
hash:/var/lib/mailman/data/aliases
{% endif %}
alias_database = $alias_maps
virtual_alias_maps =
{% if mailserver_dovecot_enabled %}
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-maps.cf
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains-maps.cf
{% endif %}
{% if mailserver_mailman_enabled %}
hash:/var/lib/mailman/data/virtual-mailman
{% endif %}
{% if mailserver_dovecot_enabled %}
virtual_alias_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-alias-domains.cf
virtual_mailbox_maps = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-maps.cf
virtual_mailbox_domains = proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-mailbox-domains.cf
# List of authorized senders
smtpd_sender_login_maps =
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/smtpd-sender-login-maps.cf
proxy:{{ mailserver_db_type }}:/etc/postfix/sql/virtual-sender-maps.cf
{% endif %}
local_recipient_maps = $smtpd_sender_login_maps
{% if mailserver_mailman_enabled %}
relay_domains =
hash:/var/lib/mailman/data/relay-domains
{% endif %}
##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
#------------------------------
compatibility_level = 2