projects
/
ansible.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
fix SSH patterns
[ansible.git]
/
roles
/
email
/
templates
/
main.cf
diff --git
a/roles/email/templates/main.cf
b/roles/email/templates/main.cf
index 1190de5fc874aa3ef1be6d17a4888664752e65f5..2d254f0c5219502fcb9ee091e9b2c4a364b21229 100644
(file)
--- a/
roles/email/templates/main.cf
+++ b/
roles/email/templates/main.cf
@@
-39,7
+39,7
@@
smtp_tls_security_level = dane
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
- ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
+ ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*
3 truncate.gbudb.net*
2
bl.spamcop.net bl.mailspike.net
swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
postscreen_greet_action = enforce
bl.spamcop.net bl.mailspike.net
swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
postscreen_greet_action = enforce
@@
-65,6
+65,11
@@
smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
+# SMTP smuggling protection
+# <https://www.postfix.org/smtp-smuggling.html>
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_discard_ehlo_keywords = chunking
+
{% if postfix.relay_host is defined %}
# Relay everything
default_transport = smtp:{{ postfix.relay_host }}
{% if postfix.relay_host is defined %}
# Relay everything
default_transport = smtp:{{ postfix.relay_host }}
@@
-142,4
+147,4
@@
smtpd_delay_reject = yes
disable_vrfy_command = yes
recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }}
delay_warning_time = 4h
disable_vrfy_command = yes
recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }}
delay_warning_time = 4h
-message_size_limit =
213840
00
+message_size_limit =
301001
00