summaryrefslogtreecommitdiffstats
path: root/roles/mx/templates/etc/postfix
diff options
context:
space:
mode:
Diffstat (limited to 'roles/mx/templates/etc/postfix')
-rw-r--r--roles/mx/templates/etc/postfix/main.cf.j2139
1 files changed, 139 insertions, 0 deletions
diff --git a/roles/mx/templates/etc/postfix/main.cf.j2 b/roles/mx/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..5c44781
--- /dev/null
+++ b/roles/mx/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,139 @@
+########################################################################
+# MX configuration
+#
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+
+delay_warning_time = 4h
+maximal_queue_lifetime = 5d
+
+myorigin = /etc/mailname
+myhostname = mx{{ mxno | default('') }}.$mydomain
+mydomain = {{ ansible_domain }}
+append_dot_mydomain = no
+
+# Turn off all TCP/IP listener ports except that necessary for the mail
+# exchange.
+master_service_disable = !smtp.inet inet
+
+queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
+data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
+multi_instance_group = {{ postfix_instance[inst].group }}
+multi_instance_name = postfix-{{ postfix_instance[inst].name }}
+multi_instance_enable = yes
+
+# This server is a Mail eXchange
+mynetworks_style = host
+inet_interfaces = all
+inet_protocols = all
+
+# No local delivery
+mydestination =
+local_transport = error:5.1.1 Mailbox unavailable
+alias_maps =
+alias_database =
+local_recipient_maps =
+
+message_size_limit = 67108864
+recipient_delimiter = +
+
+# Forward everything to our internal mailhub
+{% if 'MTA-out' in group_names %}
+relay_transport = lmtp:unix:private/mta-out
+{% else %}
+relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
+{% endif %}
+relay_domains =
+
+{% if 'LDA' in group_names %}
+virtual_transport = lmtp:unix:private/lda
+{% else %}
+virtual_transport = smtp:[{{ LDA.IPv4 }}]:{{ LDA.port }}
+{% endif %}
+
+virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
+virtual_alias_maps = pcre:$config_directory/virtual/reserved_maps.pcre
+ ldap:$config_directory/virtual/alias_maps.cf
+ ldap:$config_directory/virtual/lists_maps.cf
+ ldap:$config_directory/virtual/alias_catchall_maps.cf
+virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf
+mailbox_transport_maps = cdb:$config_directory/virtual/reserved_transport_maps
+ ldap:$config_directory/virtual/transport_lists_maps.cf
+
+# Pass the client information along to the content filter
+local_header_rewrite_clients =
+smtp_send_xforward_command = yes
+smtp_destination_recipient_limit = 1000
+smtp_data_done_timeout = 1200s
+
+# Tunnel everything through IPSec
+smtp_tls_security_level = none
+smtp_bind_address = 172.16.0.1
+
+# Virtual
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_CApath = /etc/ssl/certs/
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_fingerprint_digest = sha1
+smtpd_tls_eecdh_grade = strong
+
+tls_random_source = dev:/dev/urandom
+
+
+# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
+# http://www.howtoforge.com/block_spam_at_mta_level_postfix
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject = yes
+disable_vrfy_command = yes
+
+# UCE control
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+
+smtpd_client_restrictions =
+ permit_mynetworks
+ reject_rbl_client zen.spamhaus.org
+ reject_rbl_client bl.spamcop.net
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ permit_mynetworks
+ reject_non_fqdn_helo_hostname
+ reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+
+smtpd_recipient_restrictions =
+ # RFC requirements
+ reject_non_fqdn_recipient
+ reject_unknown_recipient_domain
+ permit_mynetworks
+ reject_unauth_destination
+ check_policy_service unix:private/postgrey
+
+smtpd_data_restrictions =
+ reject_unauth_pipelining