Upgrade the MX configuration from Wheezy to Jessie.

In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simble binds on cn=postfix,ou=services,… can now be removed.
author: Guilhem Moulin <guilhem@fripost.org> 2015-05-30 13:23:19 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:53:53 +0200
commit: fa82a617a0c50b7478cd2b7189aa5f7d14449954 (patch)
tree: 62488ddf805f34b3f06807a83d6f94a360ece723 /roles/MX/templates
parent: 64e8603cf9790aa4419d0f2746671bd242e6344d (diff)
1 files changed, 9 insertions, 10 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 09a5ce7..11c8199 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -52,62 +52,61 @@ relay_domains =
 
 # Virtual transport
 # We use a dedicated "virtual" domain to decongestion potential
 # bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
 # tranport_maps.
 virtual_transport     = error:5.1.1 Virtual transport unavailable
 virtual_alias_domains = !cdb:$config_directory/virtual/transport
                         ldap:$config_directory/virtual/domains.cf
 virtual_alias_maps    = pcre:$config_directory/virtual/reserved_alias.pcre
                         # unless there is a matching user/alias/list...
                         ldap:$config_directory/virtual/mailbox.cf
                         ldap:$config_directory/virtual/alias.cf
                         ldap:$config_directory/virtual/list.cf
                         # ...we resolve alias domains and catch alls
                         ldap:$config_directory/virtual/alias_domains.cf
                         ldap:$config_directory/virtual/catchall.cf
 transport_maps        = cdb:$config_directory/virtual/transport
 
 
 # Don't rewrite remote headers
-local_header_rewrite_clients     =
+local_header_rewrite_clients               =
 # Pass the client information along to the content filter
-smtp_send_xforward_command       = yes
+smtp_send_xforward_command                 = yes
 # Avoid splitting the envelope and scanning messages multiple times
-smtp_destination_recipient_limit = 1000
-reserved-alias_recipient_limit   = 1
+smtp_destination_recipient_limit           = 1000
+reserved-alias_destination_recipient_limit = 1
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
-smtpd_tls_security_level        = none
 
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
 smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 
 
 # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
 # http://www.howtoforge.com/block_spam_at_mta_level_postfix
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
@@ -123,46 +122,46 @@ unknown_relay_recipient_reject_code = 554
 unknown_virtual_alias_reject_code   = 554
 unknown_virtual_mailbox_reject_code = 554
 unverified_recipient_reject_code    = 554
 unverified_sender_reject_code       = 554
 
 postscreen_blacklist_action = drop
 postscreen_dnsbl_threshold  = 3
 postscreen_dnsbl_action     = enforce
 postscreen_dnsbl_sites      =
     zen.spamhaus.org*3
     swl.spamhaus.org*-4
     b.barracudacentral.org*2
     bl.spameatingmonkey.net*2
     bl.spamcop.net
     dnsbl.sorbs.net
     list.dnswl.org=127.[0..255].[0..255].0*-2
     list.dnswl.org=127.[0..255].[0..255].1*-3
     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
 
 postscreen_greet_action          = enforce
-postscreen_whitelist_interfaces = !88.80.11.28 static:all
+postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all
 
 smtpd_client_restrictions =
     permit_mynetworks
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
-smtpd_recipient_restrictions =
-    # RFC requirements
-    reject_non_fqdn_recipient
+smtpd_relay_restrictions =
     permit_mynetworks
     reject_unauth_destination
     reject_unlisted_recipient
-    permit_dnswl_client list.dnswl.org
+
+smtpd_recipient_restrictions =
+    reject_non_fqdn_recipient
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
 # vim: set filetype=pfmain :
author	Guilhem Moulin <guilhem@fripost.org>	2015-05-30 13:23:19 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:53:53 +0200
commit	fa82a617a0c50b7478cd2b7189aa5f7d14449954 (patch)
tree	62488ddf805f34b3f06807a83d6f94a360ece723 /roles/MX/templates
parent	64e8603cf9790aa4419d0f2746671bd242e6344d (diff)