########################################################################
# MSA configuration
#
# {{ ansible_managed }}
# Do NOT edit this file directly!

smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
biff             = no
readme_directory = no
mail_owner       = postfix

# Sender is warned after 4h of non-delivery; undeliverable mail is
# returned after 5 days in the queue.
delay_warning_time     = 4h
maximal_queue_lifetime = 5d

# msano distinguishes several MSA hosts (smtp1, smtp2, ...); when unset the
# host is plain "smtp.fripost.org".
myorigin            = /etc/mailname
myhostname          = smtp{{ msano | default('') }}.$mydomain
mydomain            = fripost.org
append_dot_mydomain = no

# Turn off all TCP/IP listener ports except that necessary for the MSA.
master_service_disable = !submission.inet inet

# Multi-instance Postfix: this instance keeps its own spool and data
# directories; 'inst' is the key into postfix_instance for this role.
queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
multi_instance_enable = yes

# This server is a Mail Submission Agent: $mynetworks is this host only, so
# no client is trusted by IP address -- submission requires SASL (see the
# smtpd_*_restrictions below).
mynetworks_style = host

# No local delivery: anything that would be routed to the local transport
# is rejected with a permanent 5.1.1.
mydestination        =
local_transport      = error:5.1.1 Mailbox unavailable
alias_maps           =
alias_database       =
local_recipient_maps =

# 64 MiB maximum message size (bytes).
message_size_limit  = 67108864
recipient_delimiter = +

# Forward everything to our internal outgoing proxy.  On hosts that also run
# the 'out' instance the hop stays on loopback; otherwise it goes to
# outgoing.fripost.org (the TLS policy for that hop is under "TLS" below).
{% if 'out' in group_names %}
relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
# No relay domains: relaying is gated on SASL authentication in
# smtpd_relay_restrictions, never on the recipient domain.
relay_domains =


# Don't rewrite remote headers
local_header_rewrite_clients     =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout           = 1200s

# Anonymize the (authenticated) sender via header_checks.  The antivirus
# content_filter is currently disabled (commented out below); re-enabling it
# would route submissions through the amavis feed before the relayhost.
header_checks  = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus


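# TLS
{% if 'out' in group_names %}
# The relay hop stays on loopback to the co-located 'out' instance (see
# relayhost above), so no TLS is used on it.
smtp_tls_security_level         = none
smtp_bind_address               = 127.0.0.1
{% else %}
# Relay to outgoing.fripost.org over mandatory TLS.  NOTE(review): 'encrypt'
# on its own does not authenticate the peer; the tls_policy map below is
# expected to raise the level (fingerprint/secure) for the relayhost --
# confirm that entry exists.
smtp_tls_security_level         = encrypt
# At a mandatory level ('encrypt' or stronger) Postfix consults the
# *_mandatory_* cipher/protocol parameters; smtp_tls_ciphers and
# smtp_tls_protocols only govern opportunistic ('may') TLS and were not in
# effect here.  Both variants are set so the policy holds whatever level the
# tls_policy map selects per destination.
smtp_tls_ciphers                = high
smtp_tls_mandatory_ciphers      = high
smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols    = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Exclusions apply at every security level.
smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
# Per-host client certificate presented to the relay.
smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest     = sha256
{% endif %}

# Submission side: STARTTLS is mandatory, so here too the *_mandatory_*
# parameters are the ones actually consulted; the non-mandatory ones are
# kept alongside for consistency.
smtpd_tls_security_level        = encrypt
smtpd_tls_ciphers               = high
smtpd_tls_mandatory_ciphers     = high
# TLSv1/TLSv1.1 are still accepted for the benefit of older MUAs, which is
# weaker than the client-side policy above.  Tighten to
# "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" once legacy clients are ruled out.
smtpd_tls_protocols             = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols   = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
# The "1024" in the parameter name is historical; this file serves all
# non-export DH exchanges and should hold >= 2048-bit parameters --
# NOTE(review): verify the size of /etc/ssl/dhparams.pem.
smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
# Empty: no shared (tlsmgr-managed) session cache for the submission service.
smtpd_tls_session_cache_database =
smtpd_tls_received_header       = yes
# Request, but do not require, a client certificate.
smtpd_tls_ask_ccert             = yes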

# SASL, backed by Dovecot's auth socket
smtpd_sasl_auth_enable          = yes
# Do not record the authenticated login in Received: headers (privacy;
# see anonymize_sender.pcre above).
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain         =
# AUTH is not offered to $mynetworks, i.e. only to this host itself
# (mynetworks_style = host); every remote client must authenticate.
smtpd_sasl_exceptions_networks  = $mynetworks
# Plaintext mechanisms (PLAIN/LOGIN) are refused outside TLS; combined with
# smtpd_tls_security_level = encrypt, AUTH is only ever usable inside TLS.
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Accept the non-standard "AUTH=LOGIN" syntax used by some older MUAs.
broken_sasl_auth_clients        = yes
smtpd_sasl_type                 = dovecot
smtpd_sasl_path                 = unix:private/dovecot-auth


strict_rfc821_envelopes = yes
# Evaluate the client/helo/sender lists at RCPT TO (order: client, helo,
# sender, relay, recipient), so rejects are logged with full envelope
# context.
smtpd_delay_reject      = yes
disable_vrfy_command    = yes

# Recipient address verification (probes are sent through the relayhost).
# A probe that cannot complete is ACCEPTED (defer code 250) instead of
# deferred -- deliberate, so submission never stalls on a slow backend;
# definitively unknown recipients are rejected with 550.
address_verify_sender            = $double_bounce_sender@$mydomain
address_verify_sender_ttl        = 24h
unverified_recipient_defer_code  = 250
unverified_recipient_reject_code = 550

# Only SASL-authenticated clients get past this point.  With delay_reject
# this is the first list checked at RCPT TO, so unauthenticated clients
# are dropped before any verification probe is sent.
smtpd_client_restrictions =
    permit_sasl_authenticated
    reject

smtpd_helo_required     = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname

# NOTE(review): no binding between the SASL login and MAIL FROM is enforced
# here (no smtpd_sender_login_maps / reject_authenticated_sender_login_mismatch),
# so an authenticated user may submit with any sender address -- confirm
# this is intended.
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain

# Order matters: recipient syntax/domain checks and the verification probe
# run before permit_sasl_authenticated, so even authenticated users cannot
# submit to malformed or unverifiable recipients.
smtpd_relay_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_sasl_authenticated
    reject

smtpd_data_restrictions =
    reject_unauth_pipelining
# vim: set filetype=pfmain :