compatibility_level = 2 {% if postfix.hostname is defined %} myhostname = {{ postfix.hostname }} {% endif %} {% if postfix.mynetworks is defined %} mynetworks = {{ postfix.mynetworks }} {% endif %} # local delivery: aliases only alias_maps = hash:/etc/aliases local_recipient_maps = $alias_maps {% if 'letsencrypt' in group_names %} # TLS server parameters smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_security_level = may smtpd_tls_loglevel = 1 smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_ciphers = low smtpd_tls_mandatory_ciphers = high {% endif %} # TLS client parameters smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_ciphers = low smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_loglevel = 1 {% if 'unbound' in group_names %} # If there are TLSA records, enforce using encryption smtp_dns_support_level = dnssec smtp_tls_security_level = dane {% endif %} {% if postfix.postscreen | default(False) %} # postscreen config postscreen_dnsbl_threshold = 3 postscreen_dnsbl_whitelist_threshold = -2 postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*3 truncate.gbudb.net*2 bl.spamcop.net bl.mailspike.net swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2 postscreen_greet_action = enforce postscreen_dnsbl_action = enforce postscreen_pipelining_enable = yes postscreen_non_smtp_command_enable = yes postscreen_bare_newline_enable = yes postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr postscreen_blacklist_action = enforce {% endif %} # control relay access smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts, # allow nobody else defer_unauth_destination # spam-protection restrictions smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts, # check everybody else reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, # SMTP smuggling protection # smtpd_data_restrictions = reject_unauth_pipelining smtpd_discard_ehlo_keywords = chunking {% if postfix.relay_host is defined %} # Relay everything default_transport = smtp:{{ postfix.relay_host }} {% if postfix.relay_client_cert is defined %} # Enforce relay encryption smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key smtp_tls_security_level = encrypt {% endif %} {% endif %} {% if postfix.submission | default(False) %} # configure SASL smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth {% endif %} {% if postfix.relay_client_cert_whitelist is defined %} # allow relay for some TLS-authenticated clients smtpd_tls_ask_ccert = yes smtpd_tls_fingerprint_digest = sha1 relay_clientcerts = hash:$config_directory/relay_clientcerts {% endif %} # setup virtual delivery domains, aliases and destinations virtual_mailbox_domains = {{ postfix.alias_domains | default("") }} {% if postfix.mailman is defined %} {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %} {% if postfix.dovecot is defined %} {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %} virtual_alias_maps = hash:$config_directory/virtual_alias_map {% if postfix.dovecot is defined %} proxy:mysql:$config_directory/mysql_vmail_aliases.cf {% endif %} virtual_mailbox_maps = {% if postfix.dovecot is defined %} proxy:mysql:$config_directory/mysql_vmail_users.cf {% endif %} {% if postfix.mailman | default(False) %} hash:/var/lib/mailman/data/virtual-mailman {% endif %} smtpd_sender_login_maps = {% if postfix.dovecot is defined %} proxy:mysql:$config_directory/mysql_vmail_users.cf proxy:mysql:$config_directory/mysql_vmail_senders.cf proxy:mysql:$config_directory/mysql_vmail_aliases.cf {% endif %} proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $smtpd_sender_login_maps # setup mail routes for virtual mail: all mail ends up being forwarded somewhere virtual_transport = error transport_maps = hash:$config_directory/transport_map {% if postfix.mailman | default(False) %} mailman_destination_recipient_limit = 1 {% endif %} {% if postfix.smtp_outgoing is defined %} # send mail via specific IP default_transport = {{ postfix.default_smtp_outgoing }} sender_dependent_default_transport_maps = hash:$config_directory/sender_transport_map {% endif %} {% if postfix.opendkim is defined %} # DKIM & Milter milter_default_action = accept # Path must match opendkim.env smtpd_milters = unix:opendkim/sock non_smtpd_milters = $smtpd_milters {% endif %} # misc smtpd_delay_reject = yes disable_vrfy_command = yes recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }} delay_warning_time = 4h message_size_limit = 30100100