blob: a435b0fcb7937d906976f9a97af5b2c51b45fdb8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
########################################################################
# Mail Submission Agent (MSA) configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
readme_directory = no
compatibility_level = 2
smtputf8_enable = no
delay_warning_time = 4h
maximal_queue_lifetime = 5d
myorigin = /etc/mailname
myhostname = smtp{{ msano | default('') }}.$mydomain
mydomain = fripost.org
append_dot_mydomain = no
mynetworks = 127.0.0.0/8, [::1]/128
{%- for h in groups.webmail | difference([inventory_hostname]) | sort -%}
, {{ ipsec[ hostvars[h].inventory_hostname_short ] | ipaddr }}
{% endfor %}
queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group = {{ postfix_instance[inst].group | default('') }}
multi_instance_name = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal outgoing proxy
relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
policyd-spf_time_limit = $ipc_timeout
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# TLS
smtp_tls_security_level = none
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_cert_file = $config_directory/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = $config_directory/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = unix:private/dovecot-auth
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
address_verify_sender = $double_bounce_sender@noreply.$mydomain
address_verify_poll_count = 3
address_verify_relayhost =
address_verify_sender_ttl = 8069m
address_verify_negative_refresh_time = 5m
unverified_recipient_defer_code = 250
unverified_recipient_reject_code = 550
address_verify_map = lmdb:$data_directory/verify_cache
address_verify_default_transport = smtp_verify
smtpd_client_restrictions =
permit_sasl_authenticated
reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
reject_invalid_helo_hostname
smtpd_sender_login_maps = socketmap:unix:private/sender-login:sender_login
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
check_sender_access lmdb:$config_directory/check_sender_access
check_policy_service unix:private/policyd-spf
reject_known_sender_login_mismatch
smtpd_relay_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_unverified_recipient
permit_sasl_authenticated
reject
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
|