adrien/ansible-role-postfix
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Externalize role

Browse source
This commit is contained in:
Adrien Reslinger 2018-10-08 19:35:21 +02:00
commit 6dd27f2df4
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
18 changed files with 1740 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
defaults/main.yml Normal file
View file

@ -0,0 +1,7 @@
---
#postfix_myhostname: example.com
#postfix_mydomain: example.com
#postfix_myorigin: "$mydomain"
#postfix_mydestination: ""
#postfix_mynetworks: ""
#postfix_relayhost: ""

3
files/etc/cron.weekly/opendmarc Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash
wget -q -N -P /etc/opendmarc https://publicsuffix.org/list/public_suffix_list.dat
chown opendmarc:opendmarc /etc/opendmarc/public_suffix_list.dat

7
files/usr/local/sbin/update_postgrey_whitelist.sh Executable file
View file

@ -0,0 +1,7 @@
#!/bin/bash
wget https://github.com/schweikert/postgrey/raw/master/postgrey_whitelist_clients
#wget https://github.com/schweikert/postgrey/raw/master/postgrey_whitelist_recipients
sed -e 's|##DATE##|'"$(date +%d/%m/%Y)"'|' -e 's|##VERSION##|master|' -i postgrey_whitelist_clients
cat postgrey_whitelist_clients > /etc/postfix/postgrey_whitelist_clients
systemctl restart postgrey

14
handlers/main.yml Normal file
View file

@ -0,0 +1,14 @@
- name: Restart postfix
service:
name: postfix
state: restarted
- name: Restart OpenDMARC
service:
name: opendmarc
state: restarted
- name: Restart OpenDKIM
service:
name: opendkim
state: restarted

74
tasks/main.yml Normal file
View file

@ -0,0 +1,74 @@
---
- name: Include vars for {{ ansible_os_family }}
include_vars: "{{ ansible_os_family }}.yml"
- name: Include vars for {{ ansible_os_family }} for Mail Server
include_vars: "{{ ansible_os_family }}_server.yml"
when:
- postfix_mydestination is defined
- name: install packages
package: name="{{ postfix_packages }}" state=latest update_cache=yes
notify: Restart postfix
- name: Deploy templates
template: src=etc/postfix/{{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root mode=0644
with_items:
- main.cf
- master.cf
notify: Restart postfix
- name: Include tasks for postgrey
include_tasks: postgrey.yml
when:
- postfix_mydestination is defined
- name: Include tasks for OpenDKM
include_tasks: opendkim.yml
when:
- postfix_mydestination is defined
- name: Include tasks for OpenDMARC
include_tasks: opendmarc.yml
when:
- postfix_mydestination is defined
- name: Include dovecot role
include_role:
name: dovecot
when:
- postfix_mydestination is defined
- name: Install Certificat
include_role:
name: certbot
vars:
certbot_certname: "{{ postfix_myhostname }}"
when:
- postfix_mydestination is defined
notify: Restart postfix
- name: Open Firewalld
firewalld:
service: smtp
permanent: true
state: enabled
immediate: true
when:
- postfix_mydestination is defined
- name: Open Firewalld
firewalld:
service: smtp-submission
permanent: true
state: enabled
immediate: true
when:
- postfix_mydestination is defined
- name: Enable postfix at boot time
service: name=postfix enabled=yes state=started
when:
- postfix_mydestination is defined

31
tasks/opendkim.yml Normal file
View file

@ -0,0 +1,31 @@
---
# Need EPEL repo
- name: Make {{ postfix_mydomain }} keys directory
file: path=/etc/opendkim/keys/{{ postfix_mydomain }} state=directory owner=opendkim group=opendkim mode=0750
- name: Install template config file
template: src=etc/{{ item }}.j2 dest=/etc/{{ item }} owner=opendkim group=opendkim mode=0640
with_items:
- opendkim.conf
- opendkim/SigningTable
- opendkim/KeyTable
- opendkim/TrustedHosts
notify: Restart OpenDKIM
# Generate keys if theire doesn't exists
# opendkim-genkey -D /etc/opendkim/keys/{{ postfix_mydomain }}/ -d {{ postfix_mydomain }} -s default
- name: Copy specifics files
copy: src=etc/opendkim/keys/{{ postfix_mydomain }}/{{ item }} dest=/etc/opendkim/keys/{{ postfix_mydomain }}/{{ item }} owner=opendkim group=opendkim mode=0600
with_items:
- default.private
- default.txt
notify: Restart OpenDKIM
# Add /etc/opendkim/keys/{{ postfix_mydomain }}/default.txt in DNS zone
- name: Enable OpenDKIM on boot
service: name=opendkim state=started enabled=yes

22
tasks/opendmarc.yml Normal file
View file

@ -0,0 +1,22 @@
---
# Need EPEL repo
- name: Install template config file
template: src=etc/opendmarc.conf.j2 dest=/etc/opendmarc.conf owner=root group=root mode=0644
- name: Install update public_suffix_list file for opendmarc
get_url:
url: https://publicsuffix.org/list/public_suffix_list.dat
dest: /etc/opendmarc/public_suffix_list.dat
group: opendmarc
owner: opendmarc
mode: 0644
- name: Install updater script
copy: src=etc/cron.weekly/opendmarc dest=/etc/cron.weekly/opendmarc owner=root group=root mode=0755
notify: Restart OpenDMARC
- name: Enable OpenDMARC on boot
service: name=opendmarc state=started enabled=yes

5
tasks/postgrey.yml Normal file
View file

@ -0,0 +1,5 @@
- name: Install script to update postgrey whitelist
copy: src=usr/local/sbin/update_postgrey_whitelist.sh dest=/usr/local/sbin/update_postgrey_whitelist.sh owner=root group=root mode=0755
- name: Enable postgrey at boot time
service: name=postgrey enabled=yes state=started

88
templates/etc/opendkim.conf.j2 Normal file
View file

@ -0,0 +1,88 @@
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or %{_pkgdocdir}/opendkim.conf.sample for more
## BEFORE running OpenDKIM you must:
## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)
## See %{_pkgdocdir}/INSTALL for detailed instructions.
## CONFIGURATION OPTIONS
AutoRestart Yes
AutoRestartRate 10/1h
# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid
# Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
# Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
# messages.
Mode sv
# Log activity to the system log.
Syslog yes
# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes an increase in the amount of log data generated
# for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes
# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
# Create a socket through which your MTA can communicate.
Socket inet:8891@localhost
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 022
# This specifies a text file in which to store DKIM transaction statistics.
# OpenDKIM must be manually compiled with --enable-stats to enable this feature.
#Statistics /var/spool/opendkim/stats.dat
## SIGNING OPTIONS
# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple
# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain example.com
# Defines the name of the selector to be used when signing messages.
Selector default
# Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
# Gives the location of a private key to be used for signing ALL messages. This
# directive is ignored if KeyTable is enabled.
#KeyFile /etc/opendkim/keys/default.private
# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# directive in the configuration file. Requires SigningTable be enabled.
KeyTable refile:/etc/opendkim/KeyTable
# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable refile:/etc/opendkim/SigningTable
# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256

7
templates/etc/opendkim/KeyTable.j2 Normal file
View file

@ -0,0 +1,7 @@
# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.{{ postfix_mydomain }} {{ postfix_mydomain }}:default:/etc/opendkim/keys/{{ postfix_mydomain }}/default.private

26
templates/etc/opendkim/SigningTable.j2 Normal file
View file

@ -0,0 +1,26 @@
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.
# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.
# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.
#*@example.com default._domainkey.example.com
*@{{ postfix_mydomain }} default._domainkey.{{ postfix_mydomain }}
# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.
#example.com default._domainkey.example.com

11
templates/etc/opendkim/TrustedHosts.j2 Normal file
View file

@ -0,0 +1,11 @@
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
#192.168.1.0/24
{{ postfix_myhostname }}
*.{{ postfix_mydomain }}

355
templates/etc/opendmarc.conf.j2 Normal file
View file

@ -0,0 +1,355 @@
##
## opendmarc.conf -- configuration file for OpenDMARC filter
##
## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved.
##
## AuthservID (string)
## defaults to MTA name
##
## Sets the "authserv-id" to use when generating the Authentication-Results:
## header field after verifying a message. If the string "HOSTNAME" is
## provided, the name of the host running the filter (as returned by the
## gethostname(3) function) will be used.
#
AuthservID {{ postfix_myhostname }}
## AuthservIDWithJobID { true | false }
## default "false"
##
## If "true", requests that the authserv-id portion of the added
## Authentication-Results header fields contain the job ID of the message
## being evaluated.
#
# AuthservIDWithJobID false
## AutoRestart { true | false }
## default "false"
##
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
# AutoRestart false
## AutoRestartCount n
## default 0
##
## Sets the maximum automatic restart count. After this number of automatic
## restarts, the filter will give up and terminate. A value of 0 implies no
## limit.
#
# AutoRestartCount 0
## AutoRestartRate n/t[u]
## default (no limit)
##
## Sets the maximum automatic restart rate. If the filter begins restarting
## faster than the rate defined here, it will give up and terminate. This
## is a string of the form n/t[u] where n is an integer limiting the count
## of restarts in the given interval and t[u] defines the time interval
## through which the rate is calculated; t is an integer and u defines the
## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
## value of "10/1h" limits the restarts to 10 in one hour. There is no
## default, meaning restart rate is not limited.
#
# AutoRestartRate n/t[u]
## Background { true | false }
## default "true"
##
## Causes opendmarc to fork and exits immediately, leaving the service
## running in the background.
#
# Background true
## BaseDirectory (string)
## default (none)
##
## If set, instructs the filter to change to the specified directory using
## chdir(2) before doing anything else. This means any files referenced
## elsewhere in the configuration file can be specified relative to this
## directory. It's also useful for arranging that any crash dumps will be
## saved to a specific location.
#
# BaseDirectory /var/run/opendmarc
## ChangeRootDirectory (string)
## default (none)
##
## Requests that the operating system change the effective root directory of
## the process to the one specified here prior to beginning execution.
## chroot(2) requires superuser access. A warning will be generated if
## UserID is not also set.
#
# ChangeRootDirectory /var/chroot/opendmarc
## CopyFailuresTo (string)
## default (none)
##
## Requests addition of the specified email address to the envelope of
## any message that fails the DMARC evaluation.
#
# CopyFailuresTo postmaster@localhost
## DNSTimeout (integer)
## default 5
##
## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
## (NOT YET IMPLEMENTED)
#
# DNSTimeout 5
## EnableCoredumps { true | false }
## default "false"
##
## On systems that have such support, make an explicit request to the kernel
## to dump cores when the filter crashes for some reason. Some modern UNIX
## systems suppress core dumps during crashes for security reasons if the
## user ID has changed during the lifetime of the process. Currently only
## supported on Linux.
#
# EnableCoreDumps false
## FailureReports { true | false }
## default "false"
##
## Enables generation of failure reports when the DMARC test fails and the
## purported sender of the message has requested such reports. Reports are
## formatted per RFC6591.
#
# FailureReports false
## FailureReportsBcc (string)
## default (none)
##
## When failure reports are enabled and one is to be generated, always
## send one to the address(es) specified here. If a failure report is
## requested by the domain owner, the address(es) are added in a Bcc: field.
## If no request is made, they address(es) are used in a To: field. There
## is no default.
#
# FailureReportsBcc postmaster@example.coom
## FailureReportsOnNone { true | false }
## default "false"
##
## Supplements the "FailureReports" setting by generating reports for
## domains that advertise "none" policies. By default, reports are only
## generated (when enabled) for sending domains advertising a "quarantine"
## or "reject" policy.
#
# FailureReportsOnNone false
## FailureReportsSentBy string
## default "USER@HOSTNAME"
##
## Specifies the email address to use in the From: field of failure
## reports generated by the filter. The default is to use the userid of
## the user running the filter and the local hostname to construct an
## email address. "postmaster" is used in place of the userid if a name
## could not be determined.
#
# FailureReportsSentBy USER@HOSTNAME
## HistoryFile path
## default (none)
##
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are groups
## of rows containing information about a single received message, and
## include all relevant information needed to generate a DMARC aggregate
## report. It is expected that this will not be used in its raw form, but
## rather periodically imported into a relational database from which the
## aggregate reports can be extracted by a tool such as opendmarc-import(8).
#
# HistoryFile /var/spool/opendmarc/opendmarc.dat
## IgnoreAuthenticatedClients { true | false }
## default "false"
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter.
#
# IgnoreAuthenticatedClients false
## IgnoreHosts path
## default (internal)
##
## Specifies the path to a file that contains a list of hostnames, IP
## addresses, and/or CIDR expressions identifying hosts whose SMTP
## connections are to be ignored by the filter. If not specified, defaults
## to "127.0.0.1" only.
#
# IgnoreHosts /etc/opendmarc/ignore.hosts
## IgnoreMailFrom domain[,...]
## default (none)
##
## Gives a list of domain names whose mail (based on the From: domain) is to
## be ignored by the filter. The list should be comma-separated. Matching
## against this list is case-insensitive. The default is an empty list,
## meaning no mail is ignored.
#
# IgnoreMailFrom example.com
## MilterDebug (integer)
## default 0
##
## Sets the debug level to be requested from the milter library.
#
# MilterDebug 0
## PidFile path
## default (none)
##
## Specifies the path to a file that should be created at process start
## containing the process ID.
##
#
# PidFile /var/run/opendmarc.pid
## PublicSuffixList path
## default (none)
##
## Specifies the path to a file that contains top-level domains (TLDs) that
## will be used to compute the Organizational Domain for a given domain name,
## as described in the DMARC specification. If not provided, the filter will
## not be able to determine the Organizational Domain and only the presented
## domain will be evaluated.
#
PublicSuffixList /etc/opendmarc/public_suffix_list.dat
## RecordAllMessages { true | false }
## default "false"
##
## If set and "HistoryFile" is in use, all received messages are recorded
## to the history file. If not set (the default), only messages for which
## the From: domain published a DMARC record will be recorded in the
## history file.
#
# RecordAllMessages false
## RejectFailures { true | false }
## default "false"
##
## If set, messages will be rejected if they fail the DMARC evaluation, or
## temp-failed if evaluation could not be completed. By default, no message
## will be rejected or temp-failed regardless of the outcome of the DMARC
## evaluation of the message. Instead, an Authentication-Results header
## field will be added.
#
# RejectFailures false
## ReportCommand string
## default "/usr/sbin/sendmail -t"
##
## Indicates the shell command to which failure reports should be passed for
## delivery when "FailureReports" is enabled.
#
# ReportCommand /usr/sbin/sendmail -t
## RequiredHeaders { true | false }
## default "false"
##
## If set, the filter will ensure the header of the message conforms to the
## basic header field count restrictions laid out in RFC5322, Section 3.6.
## Messages failing this test are rejected without further processing. A
## From: field from which no domain name could be extracted will also be
## rejected.
#
# RequiredHeaders false
## Socket socketspec
## default (none)
##
## Specifies the socket that should be established by the filter to receive
## connections from sendmail(8) in order to provide service. socketspec is
## in one of two forms: local:path, which creates a UNIX domain socket at
## the specified path, or inet:port[@host] or inet6:port[@host] which creates
## a TCP socket on the specified port for the appropriate protocol family.
## If the host is not given as either a hostname or an IP address, the
## socket will be listening on all interfaces. This option is mandatory
## either in the configuration file or on the command line. If an IP
## address is used, it must be enclosed in square brackets.
#
Socket inet:8893@localhost
## SoftwareHeader { true | false }
## default "false"
##
## Causes the filter to add a "DMARC-Filter" header field indicating the
## presence of this filter in the path of the message from injection to
## delivery. The product's name, version, and the job ID are included in
## the header field's contents.
#
SoftwareHeader true
## SPFIgnoreResults { true | false }
## default "false"
##
## Causes the filter to ignore any SPF results in the header of the
## message. This is useful if you want the filter to perfrom SPF checks
## itself, or because you don't trust the arriving header.
#
SPFIgnoreResults true
## SPFSelfValidate { true | false }
## default false
##
## Enable internal spf checking with --with-spf
## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
##
## Causes the filter to perform a fallback SPF check itself when
## it can find no SPF results in the message header. If SPFIgnoreResults
## is also set, it never looks for SPF results in headers and
## always performs the SPF check itself when this is set.
#
SPFSelfValidate true
## Syslog { true | false }
## default "false"
##
## Log via calls to syslog(3) any interesting activity.
#
Syslog true
## SyslogFacility facility-name
## default "mail"
##
## Log via calls to syslog(3) using the named facility. The facility names
## are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail
## TrustedAuthservIDs string
## default HOSTNAME
##
## Specifies one or more "authserv-id" values to trust as relaying true
## upstream DKIM and SPF results. The default is to use the name of
## the MTA processing the message. To specify a list, separate each entry
## with a comma. The key word "HOSTNAME" will be replaced by the name of
## the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME
## UMask mask
## default (none)
##
## Requests a specific permissions mask to be used for file creation. This
## only really applies to creation of the socket when Socket specifies a
## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
## files are normally created by the mkstemp(3) function that enforces a
## specific file mode on creation regardless of the process umask. See
## umask(2) for more information.
#
UMask 007
## UserID user[:group]
## default (none)
##
## Attempts to become the specified userid before starting operations.
## The process will be assigned all of the groups and primary group ID of
## the named userid unless an alternate group is specified.
#
UserID opendmarc:mail

812
templates/etc/postfix/main.cf.j2 Normal file
View file

@ -0,0 +1,812 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
{% if postfix_myhostname is defined %}
myhostname = {{ postfix_myhostname }}
{% endif %}
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
{% if postfix_mydomain is defined %}
mydomain = {{ postfix_mydomain }}
{% else %}
#mydomain = domain.tld
{% endif %}
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
{% if postfix_myorigin is defined %}
myorigin = $mydomain
{% else %}
#myorigin = $mydomain
{% endif %}
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
{% if postfix_mydestination is defined %}
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
{% else %}
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
{% endif %}
# Enable IPv4, and IPv6 if supported
inet_protocols = all
#inet_protocols = ipv4
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
{% if postfix_mydestination is defined %}
#mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydestination = {% for postfix_destination in postfix_mydestination %}{{ postfix_destination }}{% if not loop.last %}, {% endif %}{% endfor %}
{% else %}
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
{% endif %}
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
{% if postfix_mynetworks is defined %}
mynetworks = {% for postfix_network in postfix_mynetworks %}{{ postfix_network }}{% if not loop.last %}, {% endif %}{% endfor %}
{% endif %}
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
{% if ( postfix_relayhost is defined ) and postfix_relayhost %}
relayhost = {{ postfix_relayhost }}
{% endif %}
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
{% if postfix_mydestination is defined %}
home_mailbox = Maildir/
{% else %}
#home_mailbox = Maildir/
{% endif %}
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.10.1/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
{% if postfix_mydestination is defined %}
# Taille mail
message_size_limit = 51200000
# DKIM & DMARC
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
# TLS
tls_random_source = dev:/dev/urandom
#tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/letsencrypt/live/{{ postfix_myhostname }}/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/{{ postfix_myhostname }}/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/{{ postfix_myhostname }}/chain.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL:eNULL:LOW:3DES:MD5:MEDIUM:EXP:PSK:DSS:RC4:SEED:ECDSA:CAMELLIA256-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtpd_tls_eecdh_grade=ultra
smtp_tls_security_level = may
smtp_tls_key_file = /etc/letsencrypt/live/{{ postfix_myhostname }}/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/{{ postfix_myhostname }}/cert.pem
smtp_tls_CAfile = /etc/letsencrypt/live/{{ postfix_myhostname }}/chain.pem
smtp_tls_loglevel = 1
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtp_use_tls=yes
smtp_tls_mandatory_ciphers=high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtp_tls_eecdh_grade=ultra
### Conf AntiSpam
# Pour eviter certains vieux spammeurs
disable_vrfy_command = yes
smtpd_helo_required = yes
# Rejeter tout mail mal formate
smtpd_helo_restrictions =
permit_mynetworks,
# check_client_access hash:/usr/local/etc/postfix/access,
reject_non_fqdn_hostname
# restrictions d'acces
# adresses d'expedition
# le "reject_unknown_sender_domain" verifie que le domaine existe
smtpd_sender_restrictions =
# hash:/etc/postfix/access,
permit_mynetworks,
reject_unknown_sender_domain,
warn_if_reject reject_unverified_sender
smtpd_recipient_restrictions =
# check_client_access hash:/usr/local/etc/postfix/access,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
# check_policy_service inet:127.0.0.1:10031,
check_policy_service unix:postgrey/socket,
# reject_rbl_client zen.spamhaus.org,
# reject_rbl_client korea.services.net,
# reject_rbl_client list.dsbl.org,
# reject_rbl_client phishing.rbl.msrbl.net,
# reject_rbl_client rbl.efnet.org,
# reject_rbl_client bl.spamcop.net,
permit
{% endif %}

154
templates/etc/postfix/master.cf.j2 Normal file
View file

@ -0,0 +1,154 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
{% if postfix_mydestination is defined %}
# -o content_filter=spamassassin
-o smtpd_sender_restrictions=permit
-o smtpd_milters=inet:127.0.0.1:8891
# -o smtpd_recipient_restrictions=permit_mynetworks,mysql:/etc/postfix/mysql-receiver.cf,reject
{% endif %}
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
{% if postfix_mydestination is defined %}
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_milters=inet:127.0.0.1:8891
# -o smtpd_sasl_type=dovecot
# -o smtpd_sasl_path=private/auth # /var/spool/postfix/private/dovecot-auth
# -o smtpd_sasl_security_options=noanonymous
# -o smtpd_sasl_authenticated_header=yes
# -o milter_macro_daemon_name=ORIGINATING
{% else %}
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
{% endif %}
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
{% if postfix_mydestination is defined %}
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
{% endif %}
relay unix - - n - - smtp
{% if postfix_mydestination is defined %}
-o smtp_fallback_relay=
{% endif %}
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

115
templates/etc/postfix/master.cf.j2.tmp Normal file
View file

@ -0,0 +1,115 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
# -o content_filter=spamassassin
-o smtpd_sender_restrictions=permit
-o smtpd_milters=inet:127.0.0.1:8891
# -o smtpd_recipient_restrictions=permit_mynetworks,mysql:/etc/postfix/mysql-receiver.cf,reject
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_milters=inet:127.0.0.1:8891
# -o smtpd_sasl_type=dovecot
# -o smtpd_sasl_path=private/auth # /var/spool/postfix/private/dovecot-auth
# -o smtpd_sasl_security_options=noanonymous
# -o smtpd_sasl_authenticated_header=yes
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

3
vars/RedHat.yml Normal file
View file

@ -0,0 +1,3 @@
postfix_packages:
- postfix

6
vars/RedHat_server.yml Normal file
View file

@ -0,0 +1,6 @@
postfix_packages:
- postfix
- postgrey
- opendkim
- opendmarc
- wget