From 724d877995dfcc10c462a18dcb4ea6c8b60c2d03 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 2 Jul 2023 19:04:30 -0400
Subject: initial commit
---
 roles/postfix/templates/aliases | 3 ++
 roles/postfix/templates/local_maps | 1 +
 roles/postfix/templates/login_maps | 1 +
 roles/postfix/templates/main.cf.j2 | 69 +++++++++++++++++++++++++++++
 roles/postfix/templates/master.cf.j2 | 84 ++++++++++++++++++++++++++++++++++++
 5 files changed, 158 insertions(+)
 create mode 100644 roles/postfix/templates/aliases
 create mode 100644 roles/postfix/templates/local_maps
 create mode 100644 roles/postfix/templates/login_maps
 create mode 100644 roles/postfix/templates/main.cf.j2
 create mode 100644 roles/postfix/templates/master.cf.j2
(limited to 'roles/postfix/templates')
diff --git a/roles/postfix/templates/aliases b/roles/postfix/templates/aliases
new file mode 100644
index 0000000..6cb2ca6
--- /dev/null
+++ b/roles/postfix/templates/aliases
@@ -0,0 +1,3 @@
+postmaster: mailadmin
+root: mailadmin
+dmarc: mailadmin
diff --git a/roles/postfix/templates/local_maps b/roles/postfix/templates/local_maps
new file mode 100644
index 0000000..57592f9
--- /dev/null
+++ b/roles/postfix/templates/local_maps
@@ -0,0 +1 @@
+mailadmin mailadmin
diff --git a/roles/postfix/templates/login_maps b/roles/postfix/templates/login_maps
new file mode 100644
index 0000000..d3ace34
--- /dev/null
+++ b/roles/postfix/templates/login_maps
@@ -0,0 +1 @@
+mailadmin@{{ domain }} mailadmin
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..8a2d767
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,69 @@
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/mail.{{ domain }}/privkey.pem
+smtpd_tls_security_level = encrypt
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+myhostname = {{ mail_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mydestination = $myhostname, $mydomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+tls_preempt_cipherlist = yes
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps
+smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org
+smtpd_data_restrictions = reject_unauth_pipelining
+disable_vrfy_command = yes
+local_recipient_maps = proxy:hash:/etc/postfix/local_maps $alias_maps
+home_mailbox = Mail/Inbox/
+mailbox_command = /usr/lib/dovecot/deliver
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+postscreen_dnsbl_sites = zen.spamhaus.org
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+policyd-spf_time_limit = 3600
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
new file mode 100644
index 0000000..ea64537
--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
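Review bot: `smtpd_tls_security_level = encrypt` in main.cf also governs the port-25 `smtpd` that sits behind postscreen, and postconf(5) notes that mandatory TLS must not be applied to a publicly referenced MX because sending MTAs that do not offer STARTTLS will fail to deliver; the usual layout is `smtpd_tls_security_level = may` here, with `encrypt` kept only as a per-service override on the submission service (which this commit's master.cf already sets). `smtp_tls_security_level = encrypt` has the mirror effect on outbound mail — destinations without TLS become undeliverable — and that level still does not verify the peer certificate despite `smtp_tls_CAfile` being set, so `may` (or `dane` where a validating resolver is available) is the more common choice. `smtpd_sasl_auth_enable = yes` is likewise global, so AUTH is offered on port 25 after STARTTLS rather than only on submission; set `smtpd_sasl_auth_enable = no` in main.cf and rely on the `-o smtpd_sasl_auth_enable=yes` override on the submission service to keep credential guessing off the MX port. `reject_rbl_client zen.spamhaus.org` repeats the `postscreen_dnsbl_sites` lookup that already runs in front of this smtpd, which is harmless but deserves a one-line comment saying it is intentional.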
@@ -0,0 +1,84 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - 1 postscreen
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+maildrop unix - n n - - pipe
+ flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+
+mailman unix - n n - - pipe
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+
+smtpd pass - - y - - smtpd
+ -o content_filter=spamassassin
+ -o smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock
+tlsproxy unix - - y - 0 tlsproxy
+
+dnsblog unix - - y - 0 dnsblog
+
+submissions inet n - y - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_auth_only=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
+ -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetworks,reject
+ -o syslog_name=postfix/submissions
+ -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+ -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
+ -o smtpd_milters=unix:opendkim/opendkim.sock
+
+spamassassin unix - n n - - pipe user=debian-spamd
+ argv=/usr/bin/spamc --socket=/var/spool/postfix/spamd/spamd.sock -e /usr/sbin/sendmail -oi
+ -f ${sender} ${recipient}
+
+policyd-spf unix - n n - 0 spawn user=policyd-spf
+ argv=/usr/bin/policyd-spf
-- cgit v1.2.3
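Review bot: In the `submissions` service, `-o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch` evaluates `permit_mynetworks` first, so a client coming from `mynetworks` (127.0.0.0/8 and [::1]/128 per this commit's main.cf) may submit with any envelope sender even though it had to SASL-authenticate to pass `smtpd_client_restrictions`; if every submission should be bound to its login, reorder it to `-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_mynetworks` or drop `permit_mynetworks` from that list. The same service excludes TLSv1.2 in both `smtpd_tls_protocols` and `smtpd_tls_mandatory_protocols`, leaving TLS 1.3 as the only option for mail clients, which is stricter than the main.cf defaults; if that is deliberate, a comment such as `# submissions: TLS 1.3 only, older MUAs will not connect` above the service line would spare the next reader a check. The `spamassassin` entry places `user=debian-spamd` on the service line rather than on an indented attribute line as the other `pipe` services do, which Postfix accepts but is inconsistent within this file.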