mailman: set SUBSCRIBE_FORM_SECRET to protect better against spammers
[ansible.git] / roles / email / templates / main.cf
1 compatibility_level = 2
2
3 # local delivery: aliases only
4 alias_maps = hash:/etc/aliases
5 local_recipient_maps = $alias_maps
6 {% if postfix.mynetworks is defined %}
7 mynetworks = {{ postfix.mynetworks }}
8 {% endif %}
9
10 # TLS server parameters
11 smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
12 smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
13 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
14 smtpd_tls_security_level = may
15 smtpd_tls_loglevel = 1
16 smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
17 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
18 smtpd_tls_ciphers = low
19 smtpd_tls_mandatory_ciphers = high
20 # TLS client parameters
21 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
22 smtp_tls_ciphers = low
23 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
24 smtp_tls_loglevel = 1
25 {% if not(postfix.relay_host is defined) %}
26 smtp_tls_security_level = dane
27 smtp_dns_support_level = dnssec
28 {% endif %}
29
30 {% if postfix.postscreen | default(False) %}
31 # postscreen config
32 postscreen_dnsbl_threshold = 3
33 postscreen_dnsbl_whitelist_threshold = -2
34 postscreen_dnsbl_sites =
35         ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
36         bl.spamcop.net dnsbl.sorbs.net bl.mailspike.net
37         swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
38 postscreen_greet_action = enforce
39 postscreen_dnsbl_action = enforce
40 postscreen_pipelining_enable = yes
41 postscreen_non_smtp_command_enable = yes
42 postscreen_bare_newline_enable = yes
43 {% endif %}
44
45 # control relay access
46 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
47     # allow nobody else
48     defer_unauth_destination
49 # spam-protection restrictions
50 smtpd_helo_required = yes
51 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
52     # check everybody else
53     reject_unauth_pipelining,
54     reject_invalid_helo_hostname,
55     reject_non_fqdn_recipient,
56     reject_non_fqdn_sender,
57
58 {% if postfix.relay_host is defined %}
59 # Relay everything
60 default_transport = smtp:{{ postfix.relay_host }}
61 {% if postfix.relay_client_cert is defined %}
62 # Enforce relay encryption
63 smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt
64 smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key
65 smtp_tls_security_level = encrypt
66 {% endif %}
67 {% endif %}
68
69 {% if postfix.submission | default(False) %}
70 # configure SASL
71 smtpd_sasl_type = dovecot
72 smtpd_sasl_path = private/auth
73 {% endif %}
74
75 {% if postfix.relay_client_cert_whitelist is defined %}
76 # allow relay for some TLS-authenticated clients
77 smtpd_tls_ask_ccert = yes
78 smtpd_tls_fingerprint_digest = sha1
79 relay_clientcerts = hash:$config_directory/relay_clientcerts
80 {% endif %}
81
82 # setup virtual delivery domains, aliases and destinations
83 virtual_mailbox_domains =
84 {% if postfix.mailman is defined %}  {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %}
85 {% if postfix.dovecot is defined %}  {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %}
86
87 virtual_alias_maps = hash:$config_directory/virtual_alias_map
88   {% if postfix.dovecot is defined %}
89   proxy:mysql:$config_directory/mysql_vmail_aliases.cf
90   {% endif %}
91
92 virtual_mailbox_maps =
93   {% if postfix.dovecot is defined %}
94   proxy:mysql:$config_directory/mysql_vmail_users.cf
95   {% endif %}
96   {% if postfix.mailman | default(False) %}
97   hash:/var/lib/mailman/data/virtual-mailman
98   {% endif %}
99
100 smtpd_sender_login_maps =
101   {% if postfix.dovecot is defined %}
102   proxy:mysql:$config_directory/mysql_vmail_users.cf
103   proxy:mysql:$config_directory/mysql_vmail_senders.cf
104   proxy:mysql:$config_directory/mysql_vmail_aliases.cf
105   {% endif %}
106
107 proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $smtpd_sender_login_maps
108
109 # setup mail routes for virtual mail: all mail ends up being forwarded somewhere
110 virtual_transport = error
111 transport_maps = hash:$config_directory/transport_map
112 {% if postfix.mailman | default(False) %}
113 mailman_destination_recipient_limit = 1
114 {% endif %}
115
116 {% if postfix.smtp_outgoing is defined %}
117 # send mail via specific IP
118 default_transport = {{ postfix.default_smtp_outgoing }}
119 sender_dependent_default_transport_maps = hash:$config_directory/sender_transport_map
120 {% endif %}
121
122 {% if postfix.opendkim is defined %}
123 # DKIM & Milter
124 milter_default_action = accept
125 # Path must match opendkim.env
126 smtpd_milters = unix:opendkim/sock
127 non_smtpd_milters = $smtpd_milters
128 {% endif %}
129
130 # misc
131 smtpd_delay_reject = yes
132 disable_vrfy_command = yes
133 recipient_delimiter = +
134 delay_warning_time = 4h
135 message_size_limit = 21384000