projects / ansible.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
journalwatch: allow more TLS errors
[ansible.git] / roles / email / templates / main.cf
diff --git a/roles/email/templates/main.cf b/roles/email/templates/main.cf
index e6936410d740a4bbbe3447eef9709104cf845ae1..2d254f0c5219502fcb9ee091e9b2c4a364b21229 100644 (file)
--- a/roles/email/templates/main.cf
+++ b/roles/email/templates/main.cf
@@ -39,7 +39,7 @@ smtp_tls_security_level = dane
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -2
 postscreen_dnsbl_sites =
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -2
 postscreen_dnsbl_sites =
-       ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
+       ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*3 truncate.gbudb.net*2
        bl.spamcop.net bl.mailspike.net
        swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
 postscreen_greet_action = enforce
        bl.spamcop.net bl.mailspike.net
        swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
 postscreen_greet_action = enforce
@@ -65,6 +65,11 @@ smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
     reject_non_fqdn_recipient,
     reject_non_fqdn_sender,
 
     reject_non_fqdn_recipient,
     reject_non_fqdn_sender,
 
+# SMTP smuggling protection
+# <https://www.postfix.org/smtp-smuggling.html>
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_discard_ehlo_keywords = chunking
+
 {% if postfix.relay_host is defined %}
 # Relay everything
 default_transport = smtp:{{ postfix.relay_host }}
 {% if postfix.relay_host is defined %}
 # Relay everything
 default_transport = smtp:{{ postfix.relay_host }}
Ansible playbooks for my servers