From c6491ce3a60732833374eb42297d2ed1f97cf562 Mon Sep 17 00:00:00 2001 From: Adrien Date: Thu, 16 Apr 2020 00:07:29 +0200 Subject: [PATCH] Update relay for CentOS 8 --- templates/etc/postfix/main.cf.j2 | 79 ++++++++++++++++++++++++++++-- templates/etc/postfix/master.cf.j2 | 16 ++++-- 2 files changed, 85 insertions(+), 10 deletions(-) diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2 index e0f6cc3..6671cd3 100644 --- a/templates/etc/postfix/main.cf.j2 +++ b/templates/etc/postfix/main.cf.j2 @@ -5,10 +5,31 @@ # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/. +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. +{% if ansible_os_family == "RedHat" and ansible_distribution_major_version > '7' %} + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 2 +{% endif %} # SOFT BOUNCE # @@ -157,8 +178,8 @@ inet_protocols = all # compatible delivery agent that lookups all recipients in /etc/passwd # and /etc/aliases or their equivalent. # -# The default is $myhostname + localhost.$mydomain. On a mail domain -# gateway, you should also include $mydomain. +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. # # Do not specify the names of virtual domains - those domains are # specified elsewhere (see VIRTUAL_README). @@ -519,7 +540,7 @@ home_mailbox = Maildir/ # can be used to take advantage of the single instance message store # capability of Cyrus. The concurrency limit can be used to control # how many simultaneous LMTP sessions will be permitted to the Cyrus -# message store. +# message store. # # Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and # subsequent line in master.cf. @@ -662,7 +683,7 @@ debugger_command = # >$config_directory/$process_name.$process_id.log & sleep 5 # # Another possibility is to run gdb under a detached screen session. -# To attach to the screen sesssion, su root and run "screen -r +# To attach to the screen session, su root and run "screen -r # " where uniquely matches one of the detached # sessions (from "screen -list"). # @@ -707,10 +728,57 @@ manpage_directory = /usr/share/man # sample_directory: The location of the Postfix sample configuration files. # This parameter is obsolete as of Postfix 2.1. # +{% if ansible_os_family == "RedHat" and ansible_distribution_major_version < '8' %} sample_directory = /usr/share/doc/postfix-2.10.1/samples +{% else %} +sample_directory = /usr/share/doc/postfix/samples +{% endif %} # readme_directory: The location of the Postfix README files. # +{% if ansible_os_family == "RedHat" and ansible_distribution_major_version < '8' %} +readme_directory = /usr/share/doc/postfix/README_FILES + +# TLS CONFIGURATION +# +# Basic Postfix TLS configuration by default with self-signed certificate +# for inbound SMTP and also opportunistic TLS for outbound SMTP. + +# The full pathname of a file with the Postfix SMTP server RSA certificate +# in PEM format. Intermediate certificates should be included in general, +# the server certificate first, then the issuing CA(s) (bottom-up order). +# +smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem + +# The full pathname of a file with the Postfix SMTP server RSA private key +# in PEM format. The private key must be accessible without a pass-phrase, +# i.e. it must not be encrypted. +# +smtpd_tls_key_file = /etc/pki/tls/private/postfix.key + +# Announce STARTTLS support to remote SMTP clients, but do not require that +# clients use TLS encryption (opportunistic TLS inbound). +# +smtpd_tls_security_level = may + +# Directory with PEM format Certification Authority certificates that the +# Postfix SMTP client uses to verify a remote SMTP server certificate. +# +smtp_tls_CApath = /etc/pki/tls/certs + +# The full pathname of a file containing CA certificates of root CAs +# trusted to sign either remote SMTP server certificates or intermediate CA +# certificates. +# +smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + +# Use TLS if this is supported by the remote SMTP server, otherwise use +# plaintext (opportunistic TLS outbound). +# +smtp_tls_security_level = may +meta_directory = /etc/postfix +shlib_directory = /usr/lib64/postfix +{% else %} readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES {% if postfix_mydestination is defined %} @@ -810,3 +878,4 @@ smtpd_recipient_restrictions = # reject_rbl_client bl.spamcop.net, permit {% endif %} +{% endif %} diff --git a/templates/etc/postfix/master.cf.j2 b/templates/etc/postfix/master.cf.j2 index 4d4c652..6a6cedb 100644 --- a/templates/etc/postfix/master.cf.j2 +++ b/templates/etc/postfix/master.cf.j2 @@ -1,12 +1,13 @@ # # Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) +# (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - n - - smtpd {% if postfix_mydestination is defined %} @@ -26,6 +27,7 @@ submission inet n - n - - smtpd -o tls_preempt_cipherlist=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_milters=inet:127.0.0.1:8891 # -o smtpd_sasl_type=dovecot # -o smtpd_sasl_path=private/auth # /var/spool/postfix/private/dovecot-auth @@ -37,11 +39,13 @@ submission inet n - n - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING {% endif %} #smtps inet n - n - - smtpd @@ -52,7 +56,8 @@ submission inet n - n - - smtpd # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup @@ -74,8 +79,9 @@ smtp unix - - n - - smtp {% endif %} relay unix - - n - - smtp {% if postfix_mydestination is defined %} - -o smtp_fallback_relay= + -o smtp_fallback_relay= {% endif %} + -o syslog_name=postfix/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error