summaryrefslogtreecommitdiffstats
path: root/roles/MX/templates/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-05-30 13:23:19 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:53 +0200
commitfa82a617a0c50b7478cd2b7189aa5f7d14449954 (patch)
tree62488ddf805f34b3f06807a83d6f94a360ece723 /roles/MX/templates/etc
parent64e8603cf9790aa4419d0f2746671bd242e6344d (diff)
Upgrade the MX configuration from Wheezy to Jessie.
In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simble binds on cn=postfix,ou=services,… can now be removed.
Diffstat (limited to 'roles/MX/templates/etc')
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j219
1 files changed, 9 insertions, 10 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 09a5ce7..11c8199 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -69,12 +69,12 @@ transport_maps = cdb:$config_directory/virtual/transport
# Don't rewrite remote headers
-local_header_rewrite_clients =
+local_header_rewrite_clients =
# Pass the client information along to the content filter
-smtp_send_xforward_command = yes
+smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
-smtp_destination_recipient_limit = 1000
-reserved-alias_recipient_limit = 1
+smtp_destination_recipient_limit = 1000
+reserved-alias_destination_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
@@ -90,7 +90,6 @@ smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
-smtpd_tls_security_level = none
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
@@ -140,7 +139,7 @@ postscreen_dnsbl_sites =
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_greet_action = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 static:all
+postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
smtpd_client_restrictions =
permit_mynetworks
@@ -154,13 +153,13 @@ smtpd_helo_restrictions =
smtpd_sender_restrictions =
reject_non_fqdn_sender
-smtpd_recipient_restrictions =
- # RFC requirements
- reject_non_fqdn_recipient
+smtpd_relay_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- permit_dnswl_client list.dnswl.org
+
+smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
smtpd_data_restrictions =
reject_unauth_pipelining