########################################################################
# Outgoing MTA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# Postfix main.cf template for the outgoing SMTP instance. The {{ ... }}
# expressions are substituted when the template is rendered.
# Comments must stay on their own lines: Postfix treats text after a
# value as part of the value.

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
mail_owner = postfix

# Warn the sender after one day in the queue; give up after five days.
delay_warning_time = 1d
maximal_queue_lifetime = 5d

myorigin = /etc/mailname
myhostname = outgoing{{ outgoingno | default('') }}.$mydomain
mydomain = fripost.org
append_dot_mydomain = no

# Turn off all TCP/IP listener ports except that necessary for the
# outgoing SMTP proxy.
master_service_disable = !2525.inet inet

queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes

# Accept everything coming through IPSec.
# TODO: this should be our virtual private subnetwork
# NOTE(review): with 0.0.0.0/0 every IPv4 client that can reach the
# listener matches permit_mynetworks in smtpd_recipient_restrictions
# below, so this instance relays for anyone who can connect. Relay access
# control therefore rests entirely on the inet_interfaces binding and on
# network-level (IPsec/firewall) policy. Confirm that 172.16.0.1 is only
# reachable through the tunnel, and narrow this value once the subnet is
# known.
mynetworks = 0.0.0.0/0
inet_interfaces = 172.16.0.1, 127.0.0.1

# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =

# Bytes (64 MiB).
message_size_limit = 67108864
recipient_delimiter = +

# No relay domains: the only path to relaying is permit_mynetworks.
relay_domains =
relay_transport = error:5.3.2 Relay Transport unavailable

# All header rewriting happens upstream
local_header_rewrite_clients =

# Opportunistic TLS for outbound delivery: mail is sent in cleartext when
# the remote server does not offer STARTTLS, so this level gives no
# protection against an active downgrade.
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_cert_file = /etc/postfix-out/ssl/smtp.fripost.org.pem
# NOTE(review): private key; ownership and mode are not set by this file.
# Verify it is readable by root only.
smtp_tls_key_file = /etc/postfix-out/ssl/smtp.fripost.org.key
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# NOTE(review): SHA-1 is no longer collision-resistant. No fingerprint
# matching is configured in this file; if it is used elsewhere, consider
# sha256 and regenerate the stored fingerprints at the same time.
smtp_tls_fingerprint_digest = sha1
tls_random_source = dev:/dev/urandom

smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain

# Evaluated in order; the first restriction that matches decides.
# permit_mynetworks comes before reject_unauth_destination, so with the
# current mynetworks value the latter is never reached for IPv4 clients.
smtpd_recipient_restrictions =
    # RFC requirements
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination

smtpd_data_restrictions = reject_unauth_pipelining