From 427427ec3bcb58eadaa9c62477f70a5f3c6f39e0 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 16 Jan 2019 13:24:08 -0800
Subject: mailserver role
---
 roles/mailserver/templates/etc_postfix_main.cf.j2 | 126 ++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 roles/mailserver/templates/etc_postfix_main.cf.j2
(limited to 'roles/mailserver/templates/etc_postfix_main.cf.j2')
diff --git a/roles/mailserver/templates/etc_postfix_main.cf.j2 b/roles/mailserver/templates/etc_postfix_main.cf.j2
new file mode 100644
index 0000000..2416789
--- /dev/null
+++ b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -0,0 +1,126 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# Accept messages up to 50MB
+message_size_limit = 51200000
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# antispam
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
+smtpd_sender_restrictions = reject_unknown_address
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+invalid_hostname_reject_code = 554
+multi_recipient_bounce_reject_code = 554
+non_fqdn_reject_code = 554
+relay_domains_reject_code = 554
+unknown_address_reject_code = 554
+unknown_client_reject_code = 554
+unknown_hostname_reject_code = 554
+unknown_local_recipient_reject_code = 554
+unknown_relay_recipient_reject_code = 554
+unknown_virtual_alias_reject_code = 554
+unknown_virtual_mailbox_reject_code = 554
+unverified_recipient_reject_code = 554
+unverified_sender_reject_code = 554
+
+# TLS parameters
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+smtpd_use_tls=yes
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = may
+smtp_tls_loglevel = 2
+smtpd_tls_received_header = yes
+smtp_tls_note_starttls_offer = yes
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+# http://www.postfix.org/FORWARD_SECRECY_README.html
+smtp_tls_ciphers = medium
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparam2048.pem
+
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+
+# set to empty value for backwards compatibility
+# as per http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
+smtpd_relay_restrictions =
+
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unauth_pipelining,
+ reject_unauth_destination,
+ reject_invalid_hostname,
+ reject_non_fqdn_hostname,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ mail_server_hostname }}
+myorigin = $mydomain
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ' '.join(friendly_networks) }}
+#mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+# dovecot db
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+
+dovecot_destination_recipient_limit = 1
+virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
+virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
+local_recipient_maps = $virtual_mailbox_maps
+
+# Milters: Rspamd
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = $smtpd_milters
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
+milter_default_action = accept
+
+smtpd_client_restrictions = permit_sasl_authenticated
+
+# Postscreen
+postscreen_access_list = permit_mynetworks
+postscreen_dnsbl_sites =
+ sbl-xbl.spamhaus.org*2
+ cbl.abuseat.org*2
+ bl.spamcop.net*2
+ dnsbl.sorbs.net*1
+ spam.spamrats.com*2
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_greet_action = enforce
+
+{% if mail_header_privacy == 1 %}
+# Remove local client IP from headers
+smtp_header_checks = pcre:/etc/postfix/maps/smtp_header_checks.pcre
+{% endif %}
-- cgit v1.2.3
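Review bot: `milter_default_action = accept` in the Rspamd milter block makes filtering fail-open: if nothing answers at `inet:127.0.0.1:11332`, mail is accepted unscanned, and nothing in the file records whether that is intended; either add `# fail-open on purpose: an rspamd outage must not stop mail, so unscanned delivery is accepted` above it or use `milter_default_action = tempfail` if scanning is meant to be mandatory. The empty `smtpd_relay_restrictions =` leaves relay control entirely to `smtpd_recipient_restrictions`, where only the position of `reject_unauth_destination` after `permit_sasl_authenticated, permit_mynetworks` keeps the host from relaying for arbitrary clients, so a comment stating that the ordering is load-bearing, and that every prefix passed in through `friendly_networks` gains relay rights via `mynetworks`, would protect the next edit. The `!SSLv2,!SSLv3` exclusion lists under `# TLS parameters` still admit TLSv1 and TLSv1.1, and `smtpd_use_tls=yes` is the legacy spelling of `smtpd_tls_security_level = may`; writing the server-side level explicitly would keep it visible next to the client-side `smtp_tls_security_level = may`. The certificate is read from `/etc/letsencrypt/live/{{ domain }}/` while `myhostname` is `{{ mail_server_hostname }}`, so presumably that certificate has to cover the mail hostname as a SAN; worth confirming against the role's variables.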