roles/common/templates/etc/postfix/master.cf.j2


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

########################################################################
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

{% if inst is not defined %}
[127.0.0.1]:16132 inet n -      y       -       -       smtpd
{% elif inst == 'MX' %}
smtpd     pass  -       -       y       -       -       smtpd
smtp      inet  n       -       y       -       1       postscreen
tlsproxy  unix  -       -       y       -       0       tlsproxy
dnsblog   unix  -       -       y       -       0       dnsblog
{% elif inst == 'MSA' %}
submission inet n       -       y       -       -       smtpd
  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
submissions inet n      -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       y       -       -       smtpd
  -o broken_sasl_auth_clients=no
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_exceptions_networks=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
  -o smtpd_peername_lookup=no
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       y       -       -       smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
  -o smtpd_peername_lookup=no
{% endif %}
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
{% if inst is defined and inst == 'MSA' %}
smtp_verify unix -      -       y       -       -       smtp
  -o smtp_helo_name=noreply.$mydomain
  -o smtp_tls_security_level=may
  -o smtp_tls_ciphers=medium
  -o smtp_tls_protocols=!SSLv2,!SSLv3
  -o smtp_tls_note_starttls_offer=yes
  -o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
{% endif %}
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
{% if inst is defined and inst == 'MSA' %}
policyd-spf unix -      n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
{% endif %}
{% if inst is defined and inst == 'MX' %}
reserved-alias unix  -  n       n       -       -       pipe
  flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
{% endif %}
{% if inst is defined and inst == 'lists' %}
sympa     unix  -       n       n       -       -       pipe
  flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
{% endif %}

{% if inst is defined and inst == 'out' %}
# Client part (lmtp) - amavis
amavisfeed unix -       -       y       -       5       lmtp
  -o lmtp_destination_recipient_limit=1000
  -o lmtp_send_xforward_command=yes
  -o lmtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes

# Server part (smtpd) - amavis
[127.0.0.1]:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks_style=host
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
{% endif %}