compatibility_level = 2
-# local delivery: aliases only
-alias_maps = hash:/etc/aliases
-local_recipient_maps = $alias_maps
+{% if postfix.hostname is defined %}
+myhostname = {{ postfix.hostname }}
+{% endif %}
{% if postfix.mynetworks is defined %}
mynetworks = {{ postfix.mynetworks }}
{% endif %}
+# local delivery: aliases only
+alias_maps = hash:/etc/aliases
+local_recipient_maps = $alias_maps
+
+{% if 'letsencrypt' in group_names %}
# TLS server parameters
-smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
+smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt
smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_ciphers = low
smtpd_tls_mandatory_ciphers = high
+{% endif %}
# TLS client parameters
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_ciphers = low
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
-{% if not(postfix.relay_host is defined) %}
-smtp_tls_security_level = dane
+{% if 'unbound' in group_names %}
+# If there are TLSA records, enforce using encryption
smtp_dns_support_level = dnssec
+smtp_tls_security_level = dane
{% endif %}
{% if postfix.postscreen | default(False) %}
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
- ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*2
- bl.spamcop.net dnsbl.sorbs.net bl.mailspike.net
+ ix.dnsbl.manitu.net*2 sbl-xbl.spamhaus.org*3 truncate.gbudb.net*2
+ bl.spamcop.net bl.mailspike.net
swl.spamhaus.org*-2 list.dnswl.org=127.0.[0..255].[0..254]*-2
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_enable = yes
+postscreen_access_list = permit_mynetworks,
+ cidr:$config_directory/postscreen_access.cidr
+postscreen_blacklist_action = enforce
{% endif %}
# control relay access
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
+# SMTP smuggling protection
+# <https://www.postfix.org/smtp-smuggling.html>
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_discard_ehlo_keywords = chunking
+
{% if postfix.relay_host is defined %}
# Relay everything
default_transport = smtp:{{ postfix.relay_host }}
relay_clientcerts = hash:$config_directory/relay_clientcerts
{% endif %}
-{% if postfix.virtual_mailbox_domains is defined %}
# setup virtual delivery domains, aliases and destinations
-virtual_mailbox_domains ={% for item in postfix.virtual_mailbox_domains %} {{item.domain}}{% endfor %}
+virtual_mailbox_domains = {{ postfix.alias_domains | default("") }}
+{% if postfix.mailman is defined %} {% for item in postfix.mailman.domains %} {{item}}{% endfor %}{% endif %}
+{% if postfix.dovecot is defined %} {% for item in postfix.dovecot.domains %} {{item}}{% endfor %}{% endif %}
virtual_alias_maps = hash:$config_directory/virtual_alias_map
{% if postfix.dovecot is defined %}
# setup mail routes for virtual mail: all mail ends up being forwarded somewhere
virtual_transport = error
transport_maps = hash:$config_directory/transport_map
+{% if postfix.mailman | default(False) %}
mailman_destination_recipient_limit = 1
{% endif %}
# misc
smtpd_delay_reject = yes
disable_vrfy_command = yes
-recipient_delimiter = +
+recipient_delimiter = {{ postfix.recipient_delimiter | default("+") }}
delay_warning_time = 4h
-message_size_limit = 21384000
+message_size_limit = 30100100