diff options
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 4 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 4 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/main.cf.j2 | 4 | ||||
| -rw-r--r-- | roles/webmail/templates/etc/postfix/main.cf.j2 | 4 |
4 files changed, 16 insertions, 0 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 685287a..337acd1 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -47,41 +47,45 @@ relayhost = [127.0.0.1]:{{ MTA_out.port }} {% else %} relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} {% endif %} relay_domains = # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # Tunnel everything through IPSec smtp_tls_security_level = none +{% if 'MTA-out' in group_names %} +smtp_bind_address = 127.0.0.1 +{% else %} smtp_bind_address = 172.16.0.1 +{% endif %} # TLS smtpd_tls_security_level = encrypt smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_fingerprint_digest = sha1 smtpd_tls_eecdh_grade = strong tls_random_source = dev:/dev/urandom # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 570a797..9f88eef 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -64,41 +64,45 @@ transport_maps = pcre:$config_directory/virtual/transport_reserved_maps.pcre ldap:$config_directory/virtual/transport_mailbox_maps.cf ldap:$config_directory/virtual/transport_lists_maps.cf ldap:$config_directory/virtual/transport_catchall_maps.cf virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf virtual_alias_maps = cdb:$config_directory/virtual/reserved_alias_maps ldap:$config_directory/virtual/alias_maps.cf virtual_mailbox_maps = $transport_maps # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s # Tunnel everything through IPSec smtp_tls_security_level = none +{% if 'MTA-out' in group_names %} +smtp_bind_address = 127.0.0.1 +{% else %} smtp_bind_address = 172.16.0.1 +{% endif %} # TLS smtpd_tls_security_level = may smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_fingerprint_digest = sha1 smtpd_tls_eecdh_grade = strong tls_random_source = dev:/dev/urandom # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index 4c56cea..83f97b4 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 @@ -26,39 +26,43 @@ alias_maps = local_recipient_maps = # All aliases are virtual default_database_type = cdb virtual_alias_maps = cdb:/etc/aliases alias_database = $virtual_alias_maps # Transform local FQDN addresses to addresses routable on the internet smtp_generic_maps = pcre:$config_directory/generic.pcre # Forward everything to our internal mailhub {% if 'MTA-out' in group_names %} relayhost = [127.0.0.1]:{{ MTA_out.port }} {% else %} relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} {% endif %} relay_domains = # Tunnel everything through IPSec smtp_tls_security_level = none +{% if 'MTA-out' in group_names %} +smtp_bind_address = 127.0.0.1 +{% else %} smtp_bind_address = 172.16.0.1 +{% endif %} smtpd_tls_security_level = none # Turn off all TCP/IP listener ports except that dedicated to # samhain(8), which sadly cannot use pickup through the sendmail binary. master_service_disable = !127.0.0.1:16132.inet inet {% set multi_instance = False %} {%- for g in postfix_instance.keys() | sort -%} {%- if g in group_names -%} {%- if not multi_instance -%} {%- set multi_instance = True -%} ## Other postfix instances multi_instance_wrapper = $command_directory/postmulti -p -- multi_instance_enable = yes multi_instance_directories = {%- endif %} /etc/postfix-{{ postfix_instance[g].name }} {%- endif %} {% endfor %} diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 index cb57b23..cd026d1 100644 --- a/roles/webmail/templates/etc/postfix/main.cf.j2 +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -46,41 +46,45 @@ recipient_delimiter = + relayhost = [127.0.0.1]:{{ MTA_out.port }} {% else %} relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }} {% endif %} relay_domains = # Don't rewrite remote headers local_header_rewrite_clients = # Pass the client information along to the content filter smtp_send_xforward_command = yes # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s # Pass the mail to the antivirus #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # Tunnel everything through IPSec smtp_tls_security_level = none +{% if 'MTA-out' in group_names %} +smtp_bind_address = 127.0.0.1 +{% else %} smtp_bind_address = 172.16.0.1 +{% endif %} smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control unknown_client_reject_code = 554 smtpd_client_restrictions = permit_mynetworks reject smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname |