Diffstat (limited to 'roles/postfix/templates')
-rw-r--r--roles/postfix/templates/aliases3
-rw-r--r--roles/postfix/templates/local_maps1
-rw-r--r--roles/postfix/templates/login_maps1
-rw-r--r--roles/postfix/templates/main.cf.j269
-rw-r--r--roles/postfix/templates/master.cf.j284
5 files changed, 158 insertions, 0 deletions
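--- /dev/null
+++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
+postmaster: mailadmin
+root: mailadmin
+dmarc: mailadmin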
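Review bot: The aliases map on lines 1–3 routes postmaster, root and dmarc to `mailadmin` but has no `abuse` entry, which RFC 2142 expects alongside `postmaster` for a domain that receives mail and which DNSBL operators and other receivers use for complaints. Because main.cf.j2 sets `local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps`, any address missing from this file or local_maps is rejected as an unknown user, so complaints sent to abuse@ would bounce. Adding `abuse: mailadmin` (and `hostmaster: mailadmin` if DNS for the domain is operated here) keeps those addresses deliverable.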
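--- /dev/null
+++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
+mailadmin mailadmin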
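--- /dev/null
+++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
+mailadmin@{{ domain }} mailadmin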
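--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
+smtpd_tls_security_level = encrypt
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+myhostname = {{ mail_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mydestination = $myhostname, $mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+tls_preempt_cipherlist = yes
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
+smtpd_data_restrictions = reject_unauth_pipelining
+disable_vrfy_command = yes
+local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
+home_mailbox = Mail/Inbox/
+mailbox_command = /usr/lib/dovecot/deliver
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+postscreen_dnsbl_sites = zen.spamhaus.org
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+policyd-spf_time_limit = 3600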
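Review bot: `smtpd_tls_security_level = encrypt` on line 19 makes STARTTLS mandatory on the port-25 smtpd that postscreen hands inbound mail to, so any sending MTA that does not offer TLS is refused at MAIL FROM; Postfix's TLS_README advises against `encrypt` on a public MX, and `smtpd_tls_security_level = may` is the usual setting there (the `submissions` service in master.cf.j2 already overrides this to `encrypt`, so client submission keeps mandatory TLS). Outbound, `smtp_tls_security_level = encrypt` on line 22 enforces encryption but does not verify the peer certificate, so the `smtp_tls_CApath`/`smtp_tls_CAfile` entries on lines 20–21 play no part in authenticating the remote host at that level; `smtp_tls_security_level = dane` with `smtp_dns_support_level = dnssec` authenticates peers that publish TLSA records and falls back to opportunistic TLS for the rest, without refusing delivery to non-TLS hosts. Separately, `reject_rbl_client zen.spamhaus.org` on line 58 repeats the `postscreen_dnsbl_sites` lookup from line 66 for clients that postscreen already cleared, which doubles DNSBL query volume for no added coverage.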
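--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,84 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - 1 postscreen
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+maildrop unix - n n - - pipe
+ flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+
+mailman unix - n n - - pipe
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+
+smtpd pass - - y - - smtpd
+ -o content_filter=spamassassin
+ -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
+tlsproxy unix - - y - 0 tlsproxy
+
+dnsblog unix - - y - 0 dnsblog
+
+submissions inet n - y - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_auth_only=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
+ -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
+ -o syslog_name=postfix/submissions
+ -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+ -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+ -o smtpd_milters=unix:opendkim/opendkim.sock
+
+spamassassin unix - n n - - pipe user=debian-spamd
+ argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
+ -f ${sender} ${recipient}
+
+policyd-spf unix - n n - 0 spawn user=policyd-spf
+ argv=/usr/bin/policyd-spf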
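Review bot: The postscreen-fed `smtpd pass` service on line 58 inherits `smtpd_sasl_auth_enable = yes` from main.cf.j2, so AUTH is still advertised on port 25 (after STARTTLS) even though client submission has its own `submissions` service on line 65; adding ` -o smtpd_sasl_auth_enable=no` under line 58 confines credential use to the submission port and keeps password-guessing against the MX from reaching the Dovecot auth socket. On the `submissions` override at line 72, `permit_mynetworks` is evaluated before `reject_sender_login_mismatch`, so a loopback client (main.cf.j2 limits `mynetworks` to 127.0.0.0/8 and [::1]/128) may use any envelope sender without a login match — presumably intended for local tooling; a comment stating that would save the next reader from reading it as an oversight. The `submissions` service name and the `postlog unix-dgram` entry on line 30 depend on a recent Postfix and an /etc/services that knows `submissions`; a comment naming the minimum Postfix release this role targets would make that requirement explicit.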