########################################################################
# MSA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!

smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
biff             = no
readme_directory = no
mail_owner       = postfix

delay_warning_time     = 4h
maximal_queue_lifetime = 5d

myorigin            = /etc/mailname
myhostname          = smtp{{ mdano | default('') }}.$mydomain
mydomain            = {{ ansible_domain }}
append_dot_mydomain = no

# Turn off all TCP/IP listener ports except that necessary for the MSA.
master_service_disable = !submission.inet inet

queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes

# This server is a Mail Submission Agent
mynetworks_style = host
inet_interfaces  = all
inet_protocols   = all

# No local delivery
mydestination        =
local_transport      = error:5.1.1 Mailbox unavailable
alias_maps           =
alias_database       =
local_recipient_maps =

message_size_limit   = 67108864
recipient_delimiter  = +

# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost     = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost     = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =

# Don't rewrite remote headers
local_header_rewrite_clients     =
# Pass the client information along to the content filter
smtp_send_xforward_command       = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout           = 1200s

# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks  = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus

# Tunnel everything through IPSec
smtp_tls_security_level = none
smtp_bind_address       = 172.16.0.1

# TLS
smtpd_tls_security_level        = encrypt
smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_CApath                = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header       = yes
smtpd_tls_ask_ccert             = yes
smtpd_tls_fingerprint_digest    = sha1
smtpd_tls_eecdh_grade           = strong
tls_random_source               = dev:/dev/urandom

# SASL
smtpd_sasl_auth_enable          = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain         =
smtpd_sasl_exceptions_networks  = $mynetworks
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients        = no
smtpd_sasl_type                 = dovecot
smtpd_sasl_path                 = unix:private/dovecot-auth


strict_rfc821_envelopes = yes
smtpd_delay_reject      = yes
disable_vrfy_command    = yes

# UCE control
unknown_client_reject_code = 554

smtpd_client_restrictions =
    permit_sasl_authenticated
    reject

smtpd_helo_required     = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname

smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    # RFC requirements
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination