diff options
Diffstat (limited to 'roles/mailserver/templates/etc_postfix_main.cf.j2')
| -rw-r--r-- | roles/mailserver/templates/etc_postfix_main.cf.j2 | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/roles/mailserver/templates/etc_postfix_main.cf.j2 b/roles/mailserver/templates/etc_postfix_main.cf.j2 new file mode 100644 index 0000000..2416789 --- /dev/null +++ b/roles/mailserver/templates/etc_postfix_main.cf.j2 @@ -0,0 +1,126 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version +# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ + +smtpd_banner = $myhostname ESMTP $mail_name +biff = no + +# Accept messages up to 50MB +message_size_limit = 51200000 + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# antispam +smtpd_helo_required = yes +smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname +smtpd_sender_restrictions = reject_unknown_address +disable_vrfy_command = yes +strict_rfc821_envelopes = yes +invalid_hostname_reject_code = 554 +multi_recipient_bounce_reject_code = 554 +non_fqdn_reject_code = 554 +relay_domains_reject_code = 554 +unknown_address_reject_code = 554 +unknown_client_reject_code = 554 +unknown_hostname_reject_code = 554 +unknown_local_recipient_reject_code = 554 +unknown_relay_recipient_reject_code = 554 +unknown_virtual_alias_reject_code = 554 +unknown_virtual_mailbox_reject_code = 554 +unverified_recipient_reject_code = 554 +unverified_sender_reject_code = 554 + +# TLS parameters +smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem +smtpd_use_tls=yes +smtpd_tls_auth_only = yes +smtp_tls_security_level = may +smtp_tls_loglevel = 2 +smtpd_tls_received_header = yes +smtp_tls_note_starttls_offer = yes +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt +# http://www.postfix.org/FORWARD_SECRECY_README.html +smtp_tls_ciphers = medium +smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem + +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth +smtpd_sasl_auth_enable = yes +broken_sasl_auth_clients = yes +smtpd_sasl_security_options = noanonymous + +# set to empty value for backwards compatibility +# as per http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions +smtpd_relay_restrictions = + +smtpd_recipient_restrictions = + permit_sasl_authenticated, + permit_mynetworks, + reject_unauth_pipelining, + reject_unauth_destination, + reject_invalid_hostname, + reject_non_fqdn_hostname, + reject_non_fqdn_recipient, + reject_unknown_recipient_domain, + permit + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +myhostname = {{ mail_server_hostname }} +myorigin = $mydomain +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ' '.join(friendly_networks) }} +#mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all + +# dovecot db +virtual_transport = lmtp:unix:private/dovecot-lmtp +mailbox_transport = lmtp:unix:private/dovecot-lmtp + +dovecot_destination_recipient_limit = 1 +virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf +virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf +virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf +local_recipient_maps = $virtual_mailbox_maps + +# Milters: Rspamd +smtpd_milters = inet:127.0.0.1:11332 +non_smtpd_milters = $smtpd_milters +milter_protocol = 6 +milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type} +milter_default_action = accept + +smtpd_client_restrictions = permit_sasl_authenticated + +# Postscreen +postscreen_access_list = permit_mynetworks +postscreen_dnsbl_sites = + sbl-xbl.spamhaus.org*2 + cbl.abuseat.org*2 + bl.spamcop.net*2 + dnsbl.sorbs.net*1 + spam.spamrats.com*2 +postscreen_dnsbl_threshold = 3 +postscreen_dnsbl_action = enforce +postscreen_greet_action = enforce + +{% if mail_header_privacy == 1 %} +# Remove local client IP from headers +smtp_header_checks = pcre:/etc/postfix/maps/smtp_header_checks.pcre +{% endif %} |