########################################################################
# MSA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!

smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
biff             = no
readme_directory = no
mail_owner       = postfix

delay_warning_time     = 4h
maximal_queue_lifetime = 5d

myorigin            = /etc/mailname
myhostname          = smtp{{ msano | default('') }}.$mydomain
mydomain            = fripost.org
append_dot_mydomain = no

# Turn off all TCP/IP listener ports except that necessary for the MSA.
master_service_disable = !submission.inet inet

queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes

# This server is a Mail Submission Agent
mynetworks_style = host
inet_interfaces  = all

# No local delivery
mydestination        =
local_transport      = error:5.1.1 Mailbox unavailable
alias_maps           =
alias_database       =
local_recipient_maps =

message_size_limit  = 67108864
recipient_delimiter = +

# Forward everything to our internal outgoing proxy
{% if 'out' in group_names %}
relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =


# Don't rewrite remote headers
local_header_rewrite_clients     =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout           = 1200s

# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks  = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus


# TLS
{% if 'out' in group_names %}
smtp_tls_security_level         = none
smtp_bind_address               = 127.0.0.1
{% else %}
smtp_tls_security_level         = encrypt
smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest     = sha256
{% endif %}

smtpd_tls_security_level        = encrypt
smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header       = yes
smtpd_tls_ask_ccert             = yes

# SASL
smtpd_sasl_auth_enable          = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain         =
smtpd_sasl_exceptions_networks  = $mynetworks
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients        = yes
smtpd_sasl_type                 = dovecot
smtpd_sasl_path                 = unix:private/dovecot-auth


strict_rfc821_envelopes = yes
smtpd_delay_reject      = yes
disable_vrfy_command    = yes

address_verify_sender            = $double_bounce_sender@$mydomain
unverified_recipient_defer_code  = 250
unverified_recipient_reject_code = 550

smtpd_client_restrictions =
    permit_sasl_authenticated
    reject

smtpd_helo_required     = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname

smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain

smtpd_relay_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_mynetworks
    permit_sasl_authenticated
    reject

smtpd_data_restrictions =
    reject_unauth_pipelining

# vim: set filetype=pfmain :