roles/email/templates/main.cf

   1 compatibility_level = 2
   2
   3 {% if postfix.hostname is defined %}
   4 myhostname = {{ postfix.hostname }}
   5 {% endif %}
   6 {% if postfix.mynetworks is defined %}
   7 mynetworks = {{ postfix.mynetworks }}
   8 {% endif %}
   9
  10 # local delivery: aliases only
  11 alias_maps = hash:/etc/aliases
  12 local_recipient_maps = $alias_maps
  13
  14 {% if 'letsencrypt' in group_names %}
  15 # TLS server parameters
  16 smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt
  17 smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
  18 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  19 smtpd_tls_security_level = may
  20 smtpd_tls_loglevel = 1
  21 smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
  22 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
  23 smtpd_tls_ciphers = low
  24 smtpd_tls_mandatory_ciphers = high
  25 {% endif %}
  26 # TLS client parameters
  27 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
  28 smtp_tls_ciphers = low
  29 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  30 smtp_tls_loglevel = 1
  31 {% if 'unbound' in group_names %}
  32 # If there are TLSA records, enforce using encryption
  33 smtp_dns_support_level = dnssec
  34 smtp_tls_security_level = dane
  35 {% endif %}
  36
  37 {% if postfix.postscreen | default(False) %}
  38 # postscreen config
  39 postscreen_dnsbl_threshold = 3
  40 postscreen_dnsbl_whitelist_threshold = -2
  41 postscreen_dnsbl_sites =
  42         ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*3 truncate.gbudb.net*2
  43         bl.spamcop.net bl.mailspike.net
  44         swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
  45 postscreen_greet_action = enforce
  46 postscreen_dnsbl_action = enforce
  47 postscreen_pipelining_enable = yes
  48 postscreen_non_smtp_command_enable = yes
  49 postscreen_bare_newline_enable = yes
  50 postscreen_access_list = permit_mynetworks,
  51         cidr:$config_directory/postscreen_access.cidr
  52 postscreen_blacklist_action = enforce
  53 {% endif %}
  54
  55 # control relay access
  56 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
  57     # allow nobody else
  58     defer_unauth_destination
  59 # spam-protection restrictions
  60 smtpd_helo_required = yes
  61 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
  62     # check everybody else
  63     reject_unauth_pipelining,
  64     reject_invalid_helo_hostname,
  65     reject_non_fqdn_recipient,
  66     reject_non_fqdn_sender,
  67
  68 # SMTP smuggling protection
  69 # <https://www.postfix.org/smtp-smuggling.html>
  70 smtpd_data_restrictions = reject_unauth_pipelining
  71 smtpd_discard_ehlo_keywords = chunking
  72
  73 {% if postfix.relay_host is defined %}
  74 # Relay everything
  75 default_transport = smtp:{{ postfix.relay_host }}
  76 {% if postfix.relay_client_cert is defined %}
  77 # Enforce relay encryption
  78 smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt
  79 smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key
  80 smtp_tls_security_level = encrypt
  81 {% endif %}
  82 {% endif %}
  83
  84 {% if postfix.submission | default(False) %}
  85 # configure SASL
  86 smtpd_sasl_type = dovecot
  87 smtpd_sasl_path = private/auth
  88 {% endif %}
  89
  90 {% if postfix.relay_client_cert_whitelist is defined %}
  91 # allow relay for some TLS-authenticated clients
  92 smtpd_tls_ask_ccert = yes
  93 smtpd_tls_fingerprint_digest = sha1
  94 relay_clientcerts = hash:$config_directory/relay_clientcerts
  95 {% endif %}
  96
  97 # setup virtual delivery domains, aliases and destinations
  98 virtual_mailbox_domains = {{ postfix.alias_domains | default("") }}
  99 {% if postfix.mailman is defined %}  {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %}
 100 {% if postfix.dovecot is defined %}  {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %}
 101
 102 virtual_alias_maps = hash:$config_directory/virtual_alias_map
 103   {% if postfix.dovecot is defined %}
 104   proxy:mysql:$config_directory/mysql_vmail_aliases.cf
 105   {% endif %}
 106
 107 virtual_mailbox_maps =
 108   {% if postfix.dovecot is defined %}
 109   proxy:mysql:$config_directory/mysql_vmail_users.cf
 110   {% endif %}
 111   {% if postfix.mailman | default(False) %}
 112   hash:/var/lib/mailman/data/virtual-mailman
 113   {% endif %}
 114
 115 smtpd_sender_login_maps =
 116   {% if postfix.dovecot is defined %}
 117   proxy:mysql:$config_directory/mysql_vmail_users.cf
 118   proxy:mysql:$config_directory/mysql_vmail_senders.cf
 119   proxy:mysql:$config_directory/mysql_vmail_aliases.cf
 120   {% endif %}
 121
 122 proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $smtpd_sender_login_maps
 123
 124 # setup mail routes for virtual mail: all mail ends up being forwarded somewhere
 125 virtual_transport = error
 126 transport_maps = hash:$config_directory/transport_map
 127 {% if postfix.mailman | default(False) %}
 128 mailman_destination_recipient_limit = 1
 129 {% endif %}
 130
 131 {% if postfix.smtp_outgoing is defined %}
 132 # send mail via specific IP
 133 default_transport = {{ postfix.default_smtp_outgoing }}
 134 sender_dependent_default_transport_maps = hash:$config_directory/sender_transport_map
 135 {% endif %}
 136
 137 {% if postfix.opendkim is defined %}
 138 # DKIM & Milter
 139 milter_default_action = accept
 140 # Path must match opendkim.env
 141 smtpd_milters = unix:opendkim/sock
 142 non_smtpd_milters = $smtpd_milters
 143 {% endif %}
 144
 145 # misc
 146 smtpd_delay_reject = yes
 147 disable_vrfy_command = yes
 148 recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }}
 149 delay_warning_time = 4h
 150 message_size_limit = 30100100