1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
########################################################################
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
{% if inst is not defined %}
[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
smtpd pass - - y - - smtpd
smtp inet n - y - 1 postscreen
tlsproxy unix - - y - 0 tlsproxy
dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
submissions inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
-o smtpd_tls_security_level=none
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_exceptions_networks=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
-o smtpd_peername_lookup=no
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
-o smtpd_peername_lookup=no
{% endif %}
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
{% if inst is defined and inst == 'MSA' %}
smtp_verify unix - - y - - smtp
-o smtp_helo_name=noreply.$mydomain
-o smtp_tls_security_level=may
-o smtp_tls_ciphers=medium
-o smtp_tls_protocols=!SSLv2,!SSLv3
-o smtp_tls_note_starttls_offer=yes
-o smtp_tls_session_cache_database=lmdb:$data_directory/smtp_tls_session_cache
-o smtp_tls_fingerprint_digest=sha256
-o smtp_tls_policy_maps=lmdb:$config_directory/smtp_tls_policy
{% endif %}
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
{% if inst is defined and inst == 'MSA' %}
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
{% endif %}
{% if inst is defined and inst == 'MX' %}
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
{% endif %}
{% if inst is defined and inst == 'lists' %}
sympa unix - n n - - pipe
flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
{% endif %}
{% if inst is defined and inst == 'out' %}
# Client part (lmtp) - amavis
amavisfeed unix - - y - 5 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
# Server part (smtpd) - amavis
[127.0.0.1]:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks_style=host
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
{% endif %}
|