summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/alias_domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/catchall.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/domains.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/list.cf2
-rw-r--r--roles/MX/files/etc/postfix/virtual/mailbox.cf2
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j214
8 files changed, 12 insertions, 16 deletions
diff --git a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
index 6969f75..1f61f4b 100644
--- a/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
+++ b/roles/MX/files/etc/postfix/reject-unknown-client-hostname.cf
@@ -1,10 +1,10 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fvl
result_format = reject_unknown_client_hostname
diff --git a/roles/MX/files/etc/postfix/virtual/alias.cf b/roles/MX/files/etc/postfix/virtual/alias.cf
index 1c104a9..2e846ca 100644
--- a/roles/MX/files/etc/postfix/virtual/alias.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias.cf
@@ -1,9 +1,9 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualAlias)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/alias_domains.cf b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
index 907166f..1108ea1 100644
--- a/roles/MX/files/etc/postfix/virtual/alias_domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/alias_domains.cf
@@ -1,11 +1,11 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualAliasDomain)(fvd=%d))
result_attribute = fripostMaildrop
result_format = %U@%s
diff --git a/roles/MX/files/etc/postfix/virtual/catchall.cf b/roles/MX/files/etc/postfix/virtual/catchall.cf
index e0e6350..a67d39c 100644
--- a/roles/MX/files/etc/postfix/virtual/catchall.cf
+++ b/roles/MX/files/etc/postfix/virtual/catchall.cf
@@ -1,10 +1,10 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
# The domain has already been validated (it's active and not pending)
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostVirtualAliasDomain))(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/MX/files/etc/postfix/virtual/domains.cf b/roles/MX/files/etc/postfix/virtual/domains.cf
index f5a7f25..88e17e2 100644
--- a/roles/MX/files/etc/postfix/virtual/domains.cf
+++ b/roles/MX/files/etc/postfix/virtual/domains.cf
@@ -1,11 +1,9 @@
-# XXX: How come we use a socked relative to the chroot here? smtpd(8) is
-# not (can't be) chrooted...
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,dc=fripost,dc=org
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(fvd=%s)(fripostIsStatusActive=TRUE))
result_attribute = fvd
result_format = OK
diff --git a/roles/MX/files/etc/postfix/virtual/list.cf b/roles/MX/files/etc/postfix/virtual/list.cf
index 99e2147..e2df119 100644
--- a/roles/MX/files/etc/postfix/virtual/list.cf
+++ b/roles/MX/files/etc/postfix/virtual/list.cf
@@ -1,12 +1,12 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fripostListManager
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@%s.fripost.org
diff --git a/roles/MX/files/etc/postfix/virtual/mailbox.cf b/roles/MX/files/etc/postfix/virtual/mailbox.cf
index 7289670..36862db 100644
--- a/roles/MX/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/MX/files/etc/postfix/virtual/mailbox.cf
@@ -1,12 +1,12 @@
-server_host = ldapi://%2Fvar%2Fspool%2Fpostfix-mx%2Fprivate%2Fldapi/
+server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = one
bind = sasl
sasl_mechs = EXTERNAL
query_filter = (&(objectClass=FripostVirtualUser)(fvl=%u)(fripostIsStatusActive=TRUE))
result_attribute = fvl
# Use a dedicated "virtual" domain to decongestion potential bottlenecks
# on trivial_rewrite(8) due to slow LDAP lookups in tranport_maps.
result_format = %D/%U@mda.fripost.org
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 10fc303..4356363 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -1,54 +1,52 @@
########################################################################
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
{% if inst is not defined %}
[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
-smtpd pass - - n - - smtpd
- -o cleanup_service_name=cleanup_nochroot
-smtp inet n - n - 1 postscreen
-tlsproxy unix - - n - 0 tlsproxy
-dnsblog unix - - n - 0 dnsblog
-cleanup_nochroot unix n - n - 0 cleanup
+smtpd pass - - y - - smtpd
+smtp inet n - y - 1 postscreen
+tlsproxy unix - - y - 0 tlsproxy
+dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
-[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
-o smtpd_tls_security_level=none
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_exceptions_networks=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
-[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-04 01:43:58 +0000