5 files changed, 158 insertions, 0 deletions
diff --git a/roles/postfix/templates/aliases b/roles/postfix/templates/aliases
new file mode 100644
index 0000000..6cb2ca6
--- /dev/null
+++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
+postmaster:     mailadmin
+root:           mailadmin
+dmarc:          mailadmin
diff --git a/roles/postfix/templates/local_maps b/roles/postfix/templates/local_maps
new file mode 100644
index 0000000..57592f9
--- /dev/null
+++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
+mailadmin       mailadmin
diff --git a/roles/postfix/templates/login_maps b/roles/postfix/templates/login_maps
new file mode 100644
index 0000000..d3ace34
--- /dev/null
+++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
+mailadmin@{{ domain }}  mailadmin
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..8a2d767
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+# TLS parameters
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
+smtpd_tls_security_level = encrypt
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+myhostname = {{ mail_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mydestination = $myhostname, $mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+tls_preempt_cipherlist = yes
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
+smtpd_data_restrictions = reject_unauth_pipelining
+disable_vrfy_command = yes
+local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
+home_mailbox = Mail/Inbox/
+mailbox_command = /usr/lib/dovecot/deliver
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+postscreen_dnsbl_sites = zen.spamhaus.org
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+policyd-spf_time_limit = 3600
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
new file mode 100644
index 0000000..ea64537
--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,84 @@
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       1       postscreen
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp       unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix -       n       n       -       2       pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+smtpd      pass  -       -       y       -       -       smtpd
+    -o content_filter=spamassassin
+    -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
+tlsproxy   unix  -       -       y       -       0       tlsproxy
+dnsblog    unix  -       -       y       -       0       dnsblog
+submissions inet n       -       y       -       -       smtpd
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_tls_auth_only=yes
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
+    -o smtpd_helo_restrictions=
+    -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
+    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
+    -o syslog_name=postfix/submissions
+    -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+    -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+    -o smtpd_milters=unix:opendkim/opendkim.sock
+spamassassin unix -      n       n       -       -       pipe user=debian-spamd
+    argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
+    -f ${sender} ${recipient}
+policyd-spf unix -       n       n       -       0       spawn user=policyd-spf
+    argv=/usr/bin/policyd-spf

diff --git a/roles/postfix/templates/aliases b/roles/postfix/templates/aliases new file mode 100644 index 0000000..6cb2ca6 --- /dev/null +++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
	1	postmaster: mailadmin
	2	root: mailadmin
	3	dmarc: mailadmin


diff --git a/roles/postfix/templates/local_maps b/roles/postfix/templates/local_maps new file mode 100644 index 0000000..57592f9 --- /dev/null +++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
		mailadmin mailadmin


diff --git a/roles/postfix/templates/login_maps b/roles/postfix/templates/login_maps new file mode 100644 index 0000000..d3ace34 --- /dev/null +++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
		mailadmin@{{ domain }} mailadmin


diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 new file mode 100644 index 0000000..8a2d767 --- /dev/null +++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
	1	smtpd_banner = $myhostname ESMTP $mail_name
	2	biff = no
	3
	4	# appending .domain is the MUA's job.
	5	append_dot_mydomain = no
	6
	7	# Uncomment the next line to generate "delayed mail" warnings
	8	#delay_warning_time = 4h
	9
	10	readme_directory = no
	11
	12	# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
	13	# fresh installs.
	14	compatibility_level = 2
	15
	16	# TLS parameters
	17	smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
	18	smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
	19	smtpd_tls_security_level = encrypt
	20	smtp_tls_CApath=/etc/ssl/certs
	21	smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
	22	smtp_tls_security_level = encrypt
	23	smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
	24
	25	smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
	26	myhostname = {{ mail_domain }}
	27	alias_maps = hash:/etc/aliases
	28	alias_database = hash:/etc/aliases
	29	myorigin = $mydomain
	30	mydestination = $myhostname, $mydomain, localhost
	31	relayhost =
	32	mynetworks = 127.0.0.0/8 [::1]/128
	33	mailbox_size_limit = 0
	34	recipient_delimiter = +
	35	inet_interfaces = all
	36	inet_protocols = ipv4
	37	smtpd_tls_auth_only = yes
	38	smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
	39	smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
	40	smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
	41	smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
	42	tls_preempt_cipherlist = yes
	43	smtpd_tls_ciphers = high
	44	smtpd_tls_mandatory_ciphers = high
	45	smtp_tls_ciphers = high
	46	smtp_tls_mandatory_ciphers = high
	47	smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
	48	smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
	49	smtpd_sasl_type = dovecot
	50	smtpd_sasl_path = private/auth
	51	smtpd_sasl_auth_enable = yes
	52	smtpd_sasl_security_options = noanonymous, noplaintext
	53	smtpd_sasl_tls_security_options = noanonymous
	54	smtpd_helo_required = yes
	55	smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
	56	smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
	57	smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
	58	smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
	59	smtpd_data_restrictions = reject_unauth_pipelining
	60	disable_vrfy_command = yes
	61	local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
	62	home_mailbox = Mail/Inbox/
	63	mailbox_command = /usr/lib/dovecot/deliver
	64	header_checks = regexp:/etc/postfix/header_checks
	65	body_checks = regexp:/etc/postfix/body_checks
	66	postscreen_dnsbl_sites = zen.spamhaus.org
	67	postscreen_dnsbl_action = enforce
	68	postscreen_greet_action = enforce
	69	policyd-spf_time_limit = 3600


diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2 new file mode 100644 index 0000000..ea64537 --- /dev/null +++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,84 @@
	1	# ==========================================================================
	2	# service type private unpriv chroot wakeup maxproc command + args
	3	# (yes) (yes) (no) (never) (100)
	4	# ==========================================================================
	5	smtp inet n - y - 1 postscreen
	6	pickup unix n - y 60 1 pickup
	7	cleanup unix n - y - 0 cleanup
	8	qmgr unix n - n 300 1 qmgr
	9	tlsmgr unix - - y 1000? 1 tlsmgr
	10	rewrite unix - - y - - trivial-rewrite
	11	bounce unix - - y - 0 bounce
	12	defer unix - - y - 0 bounce
	13	trace unix - - y - 0 bounce
	14	verify unix - - y - 1 verify
	15	flush unix n - y 1000? 0 flush
	16	proxymap unix - - n - - proxymap
	17	proxywrite unix - - n - 1 proxymap
	18	smtp unix - - y - - smtp
	19	relay unix - - y - - smtp
	20	-o syslog_name=postfix/$service_name
	21	showq unix n - y - - showq
	22	error unix - - y - - error
	23	retry unix - - y - - error
	24	discard unix - - y - - discard
	25	local unix - n n - - local
	26	virtual unix - n n - - virtual
	27	lmtp unix - - y - - lmtp
	28	anvil unix - - y - 1 anvil
	29	scache unix - - y - 1 scache
	30	postlog unix-dgram n - n - 1 postlogd
	31
	32	# ====================================================================
	33	# Interfaces to non-Postfix software. Be sure to examine the manual
	34	# pages of the non-Postfix software to find out what options it wants.
	35	#
	36	# Many of the following services use the Postfix pipe(8) delivery
	37	# agent. See the pipe(8) man page for information about ${recipient}
	38	# and other message envelope options.
	39	# ====================================================================
	40	maildrop unix - n n - - pipe
	41	flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
	42
	43	uucp unix - n n - - pipe
	44	flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
	45
	46	ifmail unix - n n - - pipe
	47	flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
	48
	49	bsmtp unix - n n - - pipe
	50	flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
	51
	52	scalemail-backend unix - n n - 2 pipe
	53	flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
	54
	55	mailman unix - n n - - pipe
	56	flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
	57
	58	smtpd pass - - y - - smtpd
	59	-o content_filter=spamassassin
	60	-o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
	61	tlsproxy unix - - y - 0 tlsproxy
	62
	63	dnsblog unix - - y - 0 dnsblog
	64
	65	submissions inet n - y - - smtpd
	66	-o smtpd_tls_wrappermode=yes
	67	-o smtpd_tls_security_level=encrypt
	68	-o smtpd_tls_auth_only=yes
	69	-o smtpd_sasl_auth_enable=yes
	70	-o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
	71	-o smtpd_helo_restrictions=
	72	-o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
	73	-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
	74	-o syslog_name=postfix/submissions
	75	-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
	76	-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
	77	-o smtpd_milters=unix:opendkim/opendkim.sock
	78
	79	spamassassin unix - n n - - pipe user=debian-spamd
	80	argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
	81	-f ${sender} ${recipient}
	82
	83	policyd-spf unix - n n - 0 spawn user=policyd-spf
	84	argv=/usr/bin/policyd-spf