journalwatch: ignore failed SSH attempts... there are just too many...
[ansible.git] / roles / postfix / templates / main.cf
index ac40750f06b6b59622a5586357f09b244f3492e8..fa2082c630f3a2260e12857255a1f252d162f285 100644 (file)
@@ -1,10 +1,8 @@
+compatibility_level = 2
+
 # local delivery: aliases only
 alias_maps = hash:/etc/aliases
 local_recipient_maps = $alias_maps
 # local delivery: aliases only
 alias_maps = hash:/etc/aliases
 local_recipient_maps = $alias_maps
-# explicitly UNSET relay domains to prevent implicit domains
-relay_domains =
-# only consider ourselves local
-mynetworks_style = host
 {% if postfix.mynetworks is defined %}
 mynetworks = {{ postfix.mynetworks }}
 {% endif %}
 {% if postfix.mynetworks is defined %}
 mynetworks = {{ postfix.mynetworks }}
 {% endif %}
@@ -15,7 +13,7 @@ smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
 smtpd_tls_loglevel = 1
-smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
+smtpd_tls_dh1024_param_file = {{ postfix.paths.dh2048 }}
 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtpd_tls_ciphers = low
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtpd_tls_ciphers = low
 smtpd_tls_mandatory_ciphers = high
@@ -23,10 +21,13 @@ smtpd_tls_mandatory_ciphers = high
 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtp_tls_ciphers = low
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtp_tls_ciphers = low
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_loglevel = 1
+{% if not(postfix.relay_host is defined) %}
 smtp_tls_security_level = dane
 smtp_dns_support_level = dnssec
 smtp_tls_security_level = dane
 smtp_dns_support_level = dnssec
-smtp_tls_loglevel = 1
+{% endif %}
 
 
+{% if postfix.postscreen | default(False) %}
 # postscreen config
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -2
 # postscreen config
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -2
@@ -39,18 +40,83 @@ postscreen_dnsbl_action = enforce
 postscreen_pipelining_enable = yes
 postscreen_non_smtp_command_enable = yes
 postscreen_bare_newline_enable = yes
 postscreen_pipelining_enable = yes
 postscreen_non_smtp_command_enable = yes
 postscreen_bare_newline_enable = yes
+{% endif %}
+
 # control relay access
 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
 # control relay access
 smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
-       # allow nobody else
-       defer_unauth_destination
+    # allow nobody else
+    defer_unauth_destination
 # spam-protection restrictions
 smtpd_helo_required = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
 # spam-protection restrictions
 smtpd_helo_required = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts,
-       # check everybody else
-       reject_unauth_pipelining,
-        reject_invalid_helo_hostname,
-       reject_non_fqdn_recipient,
-       reject_non_fqdn_sender,
+    # check everybody else
+    reject_unauth_pipelining,
+    reject_invalid_helo_hostname,
+    reject_non_fqdn_recipient,
+    reject_non_fqdn_sender,
+
+{% if postfix.relay_host is defined %}
+# Relay everything
+default_transport = smtp:{{ postfix.relay_host }}
+{% if postfix.relay_client_cert is defined %}
+# Enforce relay encryption
+smtp_tls_cert_file=$config_directory/{{ postfix.relay_client_cert }}.crt
+smtp_tls_key_file=$config_directory/{{ postfix.relay_client_cert }}.key
+smtp_tls_security_level = encrypt
+{% endif %}
+{% endif %}
+
+{% if postfix.submission | default(False) %}
+# configure SASL
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+{% endif %}
+
+{% if postfix.relay_client_cert_whitelist is defined %}
+# allow relay for some TLS-authenticated clients
+smtpd_tls_ask_ccert = yes
+smtpd_tls_fingerprint_digest = sha1
+relay_clientcerts = hash:$config_directory/{{ postfix.relay_client_cert_whitelist }}
+{% endif %}
+
+{% if postfix.virtual_mailbox_domains is defined %}
+# setup virtual delivery domains, aliases and destinations
+virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains }}
+virtual_alias_maps = hash:$config_directory/virtual_alias_map
+  {% if postfix.vmail_mysql_password is defined %}
+  proxy:mysql:$config_directory/mysql_vmail_aliases.cf
+  {% endif %}
+#
+virtual_mailbox_maps =
+  {% if postfix.vmail_mysql_password is defined %}
+  proxy:mysql:$config_directory/mysql_vmail_users.cf
+  {% endif %}
+  {% if postfix.mailman | default(False) %}
+  hash:/var/lib/mailman/data/virtual-mailman
+  {% endif %}
+#
+smtpd_sender_login_maps =
+  {% if postfix.vmail_mysql_password is defined %}
+  proxy:mysql:$config_directory/mysql_vmail_users.cf
+  proxy:mysql:$config_directory/mysql_vmail_senders.cf
+  proxy:mysql:$config_directory/mysql_vmail_aliases.cf
+  {% endif %}
+#
+proxy_read_maps = $virtual_alias_maps $virtual_mailbox_maps $smtpd_sender_login_maps
+
+# setup mail routes for virtual mail: all mail ends up being forwarded somewhere
+virtual_transport = error
+transport_maps = hash:/etc/postfix/transport_map
+mailman_destination_recipient_limit = 1
+{% endif %}
+
+{% if postfix.opendkim is defined %}
+# DKIM & Milter
+milter_default_action = accept
+# Path must match opendkim.env
+smtpd_milters = unix:opendkim/sock
+non_smtpd_milters = $smtpd_milters
+{% endif %}
 
 # misc
 smtpd_delay_reject = yes
 
 # misc
 smtpd_delay_reject = yes
@@ -58,4 +124,3 @@ disable_vrfy_command = yes
 recipient_delimiter = +
 delay_warning_time = 4h
 message_size_limit = 21384000
 recipient_delimiter = +
 delay_warning_time = 4h
 message_size_limit = 21384000
-append_dot_mydomain = no