1 compatibility_level = 2
3 {% if postfix.hostname is defined %}
4 myhostname = {{ postfix.hostname }}
6 {% if postfix.mynetworks is defined %}
7 mynetworks = {{ postfix.mynetworks }}
10 # local delivery: aliases only
11 alias_maps = hash:/etc/aliases
12 local_recipient_maps = $alias_maps
14 {% if 'letsencrypt' in group_names %}
15 # TLS server parameters
16 smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt
17 smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
18 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
19 smtpd_tls_security_level = may
20 smtpd_tls_loglevel = 1
21 smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
22 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
23 smtpd_tls_ciphers = low
24 smtpd_tls_mandatory_ciphers = high
26 # TLS client parameters
27 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
28 smtp_tls_ciphers = low
29 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
31 {% if 'unbound' in group_names %}
32 # If there are TLSA records, enforce using encryption
33 smtp_dns_support_level = dnssec
34 smtp_tls_security_level = dane
37 {% if postfix.postscreen | default(False) %}
39 postscreen_dnsbl_threshold = 3
40 postscreen_dnsbl_whitelist_threshold = -2
41 postscreen_dnsbl_sites =
42 ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
43 bl.spamcop.net bl.mailspike.net
44 swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
45 postscreen_greet_action = enforce
46 postscreen_dnsbl_action = enforce
47 postscreen_pipelining_enable = yes
48 postscreen_non_smtp_command_enable = yes
49 postscreen_bare_newline_enable = yes
50 postscreen_access_list = permit_mynetworks,
51 cidr:$config_directory/postscreen_access.cidr
52 postscreen_blacklist_action = enforce
55 # control relay access
56 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
58 defer_unauth_destination
59 # spam-protection restrictions
60 smtpd_helo_required = yes
61 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
62 # check everybody else
63 reject_unauth_pipelining,
64 reject_invalid_helo_hostname,
65 reject_non_fqdn_recipient,
66 reject_non_fqdn_sender,
68 {% if postfix.relay_host is defined %}
70 default_transport = smtp:{{ postfix.relay_host }}
71 {% if postfix.relay_client_cert is defined %}
72 # Enforce relay encryption
73 smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt
74 smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key
75 smtp_tls_security_level = encrypt
79 {% if postfix.submission | default(False) %}
81 smtpd_sasl_type = dovecot
82 smtpd_sasl_path = private/auth
85 {% if postfix.relay_client_cert_whitelist is defined %}
86 # allow relay for some TLS-authenticated clients
87 smtpd_tls_ask_ccert = yes
88 smtpd_tls_fingerprint_digest = sha1
89 relay_clientcerts = hash:$config_directory/relay_clientcerts
92 # setup virtual delivery domains, aliases and destinations
93 virtual_mailbox_domains = {{ postfix.alias_domains | default("") }}
94 {% if postfix.mailman is defined %} {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %}
95 {% if postfix.dovecot is defined %} {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %}
97 virtual_alias_maps = hash:$config_directory/virtual_alias_map
98 {% if postfix.dovecot is defined %}
99 proxy:mysql:$config_directory/mysql_vmail_aliases.cf
102 virtual_mailbox_maps =
103 {% if postfix.dovecot is defined %}
104 proxy:mysql:$config_directory/mysql_vmail_users.cf
106 {% if postfix.mailman | default(False) %}
107 hash:/var/lib/mailman/data/virtual-mailman
110 smtpd_sender_login_maps =
111 {% if postfix.dovecot is defined %}
112 proxy:mysql:$config_directory/mysql_vmail_users.cf
113 proxy:mysql:$config_directory/mysql_vmail_senders.cf
114 proxy:mysql:$config_directory/mysql_vmail_aliases.cf
117 proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $smtpd_sender_login_maps
119 # setup mail routes for virtual mail: all mail ends up being forwarded somewhere
120 virtual_transport = error
121 transport_maps = hash:$config_directory/transport_map
122 {% if postfix.mailman | default(False) %}
123 mailman_destination_recipient_limit = 1
126 {% if postfix.smtp_outgoing is defined %}
127 # send mail via specific IP
128 default_transport = {{ postfix.default_smtp_outgoing }}
129 sender_dependent_default_transport_maps = hash:$config_directory/sender_transport_map
132 {% if postfix.opendkim is defined %}
134 milter_default_action = accept
135 # Path must match opendkim.env
136 smtpd_milters = unix:opendkim/sock
137 non_smtpd_milters = $smtpd_milters
141 smtpd_delay_reject = yes
142 disable_vrfy_command = yes
143 recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }}
144 delay_warning_time = 4h
145 message_size_limit = 21384000