Diffstat (limited to 'roles/common/templates/etc/postfix/master.cf.j2')
| -rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 114 | 
1 files changed, 114 insertions, 0 deletions
|
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
new file mode 100644
index 0000000..3954085
--- /dev/null
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -0,0 +1,114 @@
+########################################################################
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+
+{% if inst is not defined %}
+[127.0.0.1]:16132 inet n -      y       -       -       smtpd
+{% elif inst == 'MX' %}
+smtpd     pass  -       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       1       postscreen
+tlsproxy  unix  -       -       y       -       0       tlsproxy
+dnsblog   unix  -       -       y       -       0       dnsblog
+{% elif inst == 'MSA' %}
+submission inet n       -       y       -       -       smtpd
+submissions inet n      -       y       -       -       smtpd
+  -o smtpd_tls_wrappermode=yes
+{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       y       -       -       smtpd
+  -o broken_sasl_auth_clients=no
+  -o smtpd_tls_security_level=none
+  -o smtpd_sasl_security_options=noanonymous
+  -o smtpd_sasl_exceptions_networks=
+  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
+  -o smtpd_peername_lookup=no
+{% endif %}
+{% elif inst in ['IMAP', 'out', 'lists'] %}
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       y       -       -       smtpd
+  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
+  -o smtpd_peername_lookup=no
+{% endif %}
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+{% if inst is defined and inst == 'MSA' %}
+smtp_verify unix -      -       y       -       -       smtp
+  -o smtp_helo_name=noreply.$mydomain
+  -o smtp_tls_security_level=may
+  -o smtp_tls_ciphers=medium
+  -o smtp_tls_protocols=!SSLv2,!SSLv3
+  -o smtp_tls_note_starttls_offer=yes
+  -o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
+  -o smtp_tls_fingerprint_digest=sha256
+  -o smtp_tls_policy_maps=lmdb:$config_directory/smtp_tls_policy
+{% endif %}
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+{% if inst is defined and inst == 'MSA' %}
+policyd-spf unix -      n       n       -       0       spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
+{% endif %}
+{% if inst is defined and inst == 'MX' %}
+reserved-alias unix  -  n       n       -       -       pipe
+  flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
+{% endif %}
+{% if inst is defined and inst == 'lists' %}
+sympa     unix  -       n       n       -       -       pipe
+  flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
+{% endif %}
+
+{% if inst is defined and inst == 'out' %}
+# Client part (lmtp) - amavis
+amavisfeed unix -       -       y       -       5       lmtp
+  -o lmtp_destination_recipient_limit=1000
+  -o lmtp_send_xforward_command=yes
+  -o lmtp_data_done_timeout=1200s
+  -o disable_dns_lookups=yes
+
+# Server part (smtpd) - amavis
+[127.0.0.1]:10025 inet n  -       y       -       -       smtpd
+  -o content_filter=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_relay_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o smtpd_restriction_classes=
+  -o mynetworks_style=host
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+  -o local_header_rewrite_clients=
+  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+{% endif %}
|
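Review bot: The webmail-facing MSA listener (`[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }}`) turns TLS off with `smtpd_tls_security_level=none` while `smtpd_sasl_security_options=noanonymous` still permits plaintext mechanisms, so, assuming SASL is enabled for this instance in main.cf, any credentials sent to it are protected only by the transport underneath, and nothing in the template says so or enforces it. The block is rendered whenever another webmail host exists, but `ipsec_subnet` is treated as optional on the XFORWARD line, so the listener can come up without the tunnel being configured; whether `postfix_instance.MSA.addr` is tunnel-only is not visible in this hunk. I would add a template comment such as `{# TLS is off on this listener: addr must be reachable only over IPsec #}` and, if that is the intent, gate the block with `{% if ipsec_subnet is defined and groups.webmail | difference([inventory_hostname]) | length > 0 %}`. The same subnet is also trusted for XFORWARD on the IMAP/out/lists listeners, where a one-line comment naming the hosts expected to send it would help the next reader.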
