authorGuilhem Moulin <guilhem@fripost.org>2018-12-06 21:06:38 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-09 20:25:39 +0100
commit09cd9f998780fb7179b7fc23c593c305a12b050a (patch)
tree33dad72c3a5256347a0e9700b975612c8c477918 /roles/common/templates/etc/postfix
parent37d64e4a05b32599405ed824316e73aa8d0880b2 (diff)
MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f), the postscreen(8) server can run chrooted, which means we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
Diffstat (limited to 'roles/common/templates/etc/postfix')
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j214
1 files changed, 6 insertions, 8 deletions
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 10fc303..4356363 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -1,54 +1,52 @@
########################################################################
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
{% if inst is not defined %}
[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
-smtpd pass - - n - - smtpd
- -o cleanup_service_name=cleanup_nochroot
-smtp inet n - n - 1 postscreen
-tlsproxy unix - - n - 0 tlsproxy
-dnsblog unix - - n - 0 dnsblog
-cleanup_nochroot unix n - n - 0 cleanup
+smtpd pass - - y - - smtpd
+smtp inet n - y - 1 postscreen
+tlsproxy unix - - y - 0 tlsproxy
+dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
-[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
-o smtpd_tls_security_level=none
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_exceptions_networks=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
-[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error