Initial commit

templates/logrotate.conf

@@ -0,0 +1,17 @@
+/var/log/mail.log
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+{
+    rotate 1
+    daily
+    missingok
+    notifempty
+    compress
+    delaycompress
+    sharedscripts
+    postrotate
+        /usr/lib/rsyslog/rsyslog-rotate
+        python3 /opt/mail-tls-helper/mail-tls-helper.py -s /opt/mail-tls-helper/domains.sqlite -p /var/lib/postfix/tls-helper/tls_domains -t cdb --allowlist /opt/mail-tls-helper/allowlist.txt -d {{ postfix_tls_helper_domain }} -r {{ postfix_tls_helper_recipient }} -f {{ postfix_tls_helper_sender }}
+    endscript
+}

templates/mail-sasl.j2

@@ -0,0 +1,10 @@
+### {{ ansible_managed }}
+
+/var/log/{{ mail_sasl_log }} {
+    rotate 2
+    daily
+    missingok
+    notifempty
+    delaycompress
+    compress
+}

templates/postfix/allowlist.txt

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for domain in postfix_tls_helper_allowlist %}
+{{ domain }}
+{% endfor %}

templates/postfix/conf.d/bad_smtp_auth_users.j2

@@ -0,0 +1,11 @@
+### {{ ansible_managed }}
+
+# Use this file to block SMTP-Auth access for users.
+# Example:
+# username   REJECT
+
+{% if postfix_bad_smtp_auth_users is defined %}
+{% for user in postfix_bad_smtp_auth_users %}
+{{ "%-30s %s" | format(user, "REJECT") }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/client_checks.j2

@@ -0,0 +1,10 @@
+### {{ ansible_managed }}
+
+### With this file you can allow or disallow clients to connect to the SMTP server.
+
+{% if postfix_client_checks is defined %}
+{% for client in postfix_client_checks %}
+{{ client.comment }}
+{{ "%-30s %s" | format(client.name, client.state) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/destination_limit.j2

@@ -0,0 +1,7 @@
+### {{ ansible_managed }}
+
+{% if postfix_dlimit_domains is defined %}
+{% for domain in postfix_dlimit_domains %}
+{{ "%-50s %s" | format(domain, "dlimit:") }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/header_add.j2

@@ -0,0 +1,7 @@
+### {{ ansible_managed }}
+
+{% if postfix_header_add is defined %}
+{% for header in postfix_header_add %}
+{{ "%-50s %s" | format(header.destination, header.header) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/header_treatment.j2

@@ -0,0 +1,21 @@
+### {{ ansible_managed }}
+
+# Remove sensible headers
+/^Mail-System-Version:/ IGNORE
+/^Mailer:/ IGNORE
+/^Originating-Client:/ IGNORE
+/^User-Agent:/ IGNORE
+/^X-Enigmail-Version:/ IGNORE
+/^X-Mailer:/ IGNORE
+/^X-MimeOLE:/ IGNORE
+/^X-Newsreader:/ IGNORE
+/^X-Originating-IP:/ IGNORE
+/^X-Sender:/ IGNORE
+
+/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])
+
+{% if postfix_header_treatment is defined %}
+{% for header in postfix_header_treatment %}
+{{ header }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/helo_checks.j2

@@ -0,0 +1,13 @@
+### {{ ansible_managed }}
+
+{% if postfix_default_helo_checks is defined %}
+{% for check in postfix_default_helo_checks %}
+{{ "%-30s %s" | format(check.client, check.state) }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_helo_checks is defined %}
+{% for check in postfix_default_helo_checks %}
+{{ "%-30s %s" | format(check.client, check.state) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/permit_sasl_login_mismatch.j2

@@ -0,0 +1,8 @@
+### {{ ansible_managed }}
+### Enable sender spoofing for selected accounts
+
+{% if postfix_permit_login_mismatch is defined %}
+{% for user in postfix_permit_login_mismatch %}
+{{ "%-50s %s" | format(user, "permit_login_mismatch") }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/postscreen_access.j2

@@ -0,0 +1,19 @@
+### {{ ansible_managed }}
+
+{% if postfix_default_postscreen_access is defined %}
+{% for source in postfix_default_postscreen_access %}
+{% if source.comment is defined %}
+# {{ source.comment }}
+{% endif %}
+{{ "%-40s %s" | format(source.source, source.state) }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_postscreen_access is defined %}
+{% for source in postfix_postscreen_access %}
+{% if source.comment is defined %}
+# {{ source.comment }}
+{% endif %}
+{{ "%-40s %s" | format(source.source, source.state) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/relay_by_sender.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps
+
+{% if postfix_relay_by_sender is defined %}
+{% for map in postfix_relay_by_sender %}
+{{ map }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/relay_checks.j2

@@ -0,0 +1 @@
+### {{ ansible_managed }}

templates/postfix/conf.d/sender_checks.j2

@@ -0,0 +1,20 @@
+### {{ ansible_managed }}
+
+{% if postfix_sender_checks is defined %}
+{% for sender in postfix_sender_checks %}
+{% if sender.comment is defined %}
+# {{ sender.comment }}
+{% endif %}
+{{ "%-50s %s" | format(sender.client, sender.state) }}
+{% endfor %}
+{% endif %}
+
+# Blocked Domains
+{% for domain in postfix_blocked_domains %}
+{{ "%-50s %s" | format(domain, "REJECT No spammers") }}
+{% endfor %}
+
+# Blocked Sender
+{% for sender in postfix_blocked_senders %}
+{{ "%-50s %s" | format(sender, "REJECT No spammers") }}
+{% endfor %}

templates/postfix/conf.d/transport_global_exceptions.j2

@@ -0,0 +1,12 @@
+### {{ ansible_managed }}
+
+# Use this file for mail addresses that should be treated specially.
+
+{% if postfix_transport_global_exceptions is defined %}
+{% for address in postfix_transport_global_exceptions %}
+{% if address.comment is defined %}
+# {{ address.comment }}
+{% endif %}
+{{ "%-50s %s" | format(address.adress, address.state) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/transport_relay.j2

@@ -0,0 +1,10 @@
+### {{ ansible_managed }}
+
+{% if postfix_transport_relay is defined %}
+{% for transport in postfix_transport_relay %}
+{% if transport.comment is defined %}
+# {{ transport.comment }}
+{% endif %}
+{{ "%-50s %s" | format(transport.destination, transport.relay) }}
+{% endfor %}
+{% endif %}

templates/postfix/conf.d/transport_tor.j2

@@ -0,0 +1,13 @@
+### {{ ansible_managed }}
+
+{% if postfix_default_transport_tor_domains is defined %}
+{% for domain in postfix_default_transport_tor_domains %}
+{{ "%-50s %s" | format(domain.name, domain.relay) }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_transport_tor_domains is defined %}
+{% for domain in postfix_transport_tor_domains %}
+{{ "%-50s %s" | format(domain.name, domain.relay) }}
+{% endfor %}
+{% endif %}

templates/postfix/main.cf.j2

@@ -0,0 +1,307 @@
+### {{ ansible_managed }}
+
+smtpd_banner = {{ postfix_smtpd_banner }}
+
+### Debug Logging
+#debug_peer_list =
+
+### Protocols and destinations
+inet_interfaces = all
+inet_protocols = ipv4
+
+myhostname = $myorigin
+myorigin = {{ postfix_myorigin }}
+mydestination = {{ postfix_mydestination | join(', ') }}
+mynetworks = {{ postfix_mynetworks | join(', ') }}
+
+### TLS settings
+tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
+tls_preempt_cipherlist = no
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
+tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+
+### TLS settings for SMTP server
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = {{ postfix_smtpd_tls_cert_file }}
+smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }}
+smtpd_tls_ciphers = medium
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA, DHE-RSA-AES256-SHA
+#Einige berechtigte Mailserver nutzen nur TLSv1
+#smtpd_tls_mandatory_protocols = !TLSv1
+#smtpd_tls_protocols = !TLSv1
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_session_cache_timeout = 7200s
+smtpd_tls_loglevel = 1
+smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtpd_tls_dh1024_param_file = {{ postfix_dhparam_file }}
+smtpd_tls_eecdh_grade = strong
+
+### TLS settings for SMTP client
+smtp_tls_security_level = dane
+smtp_dns_support_level = dnssec
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_session_cache_timeout = 7200s
+#Some mailserver use only TLSv1. Hence we can't disable it.
+#smtp_tls_protocols = !TLSv1
+{% if postfix_smtp_tls_policy_maps is defined %}
+smtp_tls_policy_maps =
+{% for map in postfix_smtp_tls_policy_maps %}
+    {{ map.type }}:{{ map.path }}
+{% endfor %}
+{% endif %}
+smtp_tls_ciphers = medium
+smtp_tls_fingerprint_digest = sha1
+smtp_tls_loglevel = 1
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_pix_workarounds = disable_esmtp
+
+### Domains and recipients
+{% if postfix_virtual_mailbox_domains is defined %}
+virtual_mailbox_domains =
+{% for map in postfix_virtual_mailbox_domains %}
+    {{ map.type }}:{{ map.path }}
+{% endfor %}
+{% endif %}
+{% if postfix_virtual_mailbox_maps is defined %}
+# Check for existing recipients
+virtual_mailbox_maps =
+{% for map in postfix_virtual_mailbox_maps %}
+    {{ map.type }}:{{ map.path }}
+{% endfor %}
+{% endif %}
+{% if postfix_virtual_alias_maps is defined %}
+virtual_alias_maps =
+{% for map in postfix_virtual_alias_maps %}
+    {{ map.type }}:{{ map.path}}
+{% endfor %}
+{% endif %}
+{% if postfix_virtual_transport is defined %}
+virtual_transport =
+{% for map in postfix_virtual_transport %}
+    {{ map.type }}:{{ map.address }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_relay_domains is defined %}
+# Relay mails without recipient check
+relay_domains =
+{% for map in postfix_relay_domains %}
+    {{ map.type}}:{{ map.path }}
+{% endfor %}
+{% endif %}
+{% if postfix_sender_dependent_relayhost_maps is defined %}
+sender_dependent_relayhost_maps =
+{% for map in postfix_sender_dependent_relayhost_maps %}
+    {{ map.type }}:{{ map.path }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_transport_maps is defined %}
+transport_maps =
+{% for map in postfix_transport_maps %}
+    {{ map.type }}:{{ map.path }}
+{% endfor %}
+{% endif %}
+
+{% if postfix_smtpd_sasl_type is defined %}
+### SMTP Auth, server side
+broken_sasl_auth_clients = yes
+smtpd_sasl_type = {{ postfix_smtpd_sasl_type }}
+smtpd_sasl_path = {{ postfix_smtpd_sasl_path }}
+smtpd_sasl_auth_enable = no
+{% if postfix_smtpd_sasl_exceptions_networks is defined %}
+# Some clients demand SASL Auth if the server offers it
+smtpd_sasl_exceptions_networks = {{ postfix_smtpd_sasl_exceptions_networks | join(', ') }}
+{% endif %}
+{% endif %}
+
+{% if postfix_smtp_sasl_auth is defined and postfix_smtp_sasl_auth %}
+### SMTP Auth client side
+smtp_sasl_auth_enable = yes
+smtp_sasl_auth_soft_bounce = no
+smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
+smtp_sasl_security_options = noanonymous
+{% endif %}
+
+#### Postscreen
+postscreen_access_list =
+    permit_mynetworks
+    cidr:/etc/postfix/conf.d/postscreen_access.cidr
+postscreen_blacklist_action = drop
+
+# Pregreeting
+postscreen_greet_action = drop
+
+# DNS block lists
+postscreen_dnsbl_threshold = 2
+postscreen_dnsbl_sites =
+    bl.spamcop.net*1
+    ix.dnsbl.manitu.net*2
+    zen.spamhaus.org*2
+postscreen_dnsbl_action = drop
+
+# Postfix runs restrictions with the following order
+# - smtpd_client_restriction
+# - smtpd_helo_restriction
+# - smtpd_sender_restrition
+# - smtpd_relay_restrictions
+# - smtpd_recipient_restrictions
+# - smtpd_data_restriction
+# - smtpd_end_of_data_restriction
+# - smtpd_etrn_restriction
+
+smtpd_restriction_classes = permit_login_mismatch
+
+smtpd_client_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    check_client_access cdb:/etc/postfix/conf.d/client_checks,
+    reject_unknown_client_hostname,
+    permit
+
+# Reject only after RCPT-TO
+smtpd_delay_reject = yes
+# Enforce helo to apply restrictions
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    check_helo_access pcre:/etc/postfix/conf.d/helo_checks,
+    reject_non_fqdn_helo_hostname,
+    reject_invalid_helo_hostname,
+    permit
+
+smtpd_sender_restrictions =
+    permit_mynetworks,
+    check_sender_access cdb:/etc/postfix/conf.d/sender_checks,
+    reject_non_fqdn_sender,
+    reject_unknown_sender_domain,
+    check_sender_mx_access cidr:/etc/postfix/conf.d/bogus_mx,
+    #Uncomment the next two lines to block mails from other servers with our domain as MAIL FROM
+    #permit_sasl_authenticated,
+    #check_sender_access hash:/etc/postfix/conf.d/sender_checks_domain,
+    permit
+
+# Restrictions for submission port
+mua_sender_restrictions =
+    check_sasl_access cdb:/etc/postfix/conf.d/permit_sasl_login_mismatch,
+    permit_mynetworks,
+    check_sender_access cdb:/etc/postfix/conf.d/sender_checks,
+    reject_non_fqdn_sender,
+    reject_unknown_sender_domain,
+    reject_sender_login_mismatch,
+    permit_sasl_authenticated
+
+permit_login_mismatch =
+    permit_mynetworks,
+    reject_non_fqdn_sender,
+    reject_unknown_sender_domain,
+    permit_sasl_authenticated
+
+submission_bad_smtp_user_check =
+    check_sasl_access cdb:/etc/postfix/conf.d/bad_smtp_auth_users
+
+smtpd_relay_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    check_client_access cdb:/etc/postfix/conf.d/relay_checks,
+    reject_unauth_destination
+
+smtpd_recipient_restrictions =
+    reject_unauth_pipelining,
+    reject_non_fqdn_recipient,
+    reject_unknown_recipient_domain,
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unverified_recipient
+
+# Configuration for reject_unverified_recipient
+unverified_recipient_reject_reason = User unknown / Nutzer unbekannt
+unverified_recipient_reject_code = 550
+
+smtpd_data_restrictions =
+    reject_multi_recipient_bounce,
+    check_recipient_access pcre:/etc/postfix/conf.d/header_add,
+
+### Connection limits
+smtpd_client_connection_rate_limit = 100
+smtpd_client_event_limit_exceptions = {{ postfix_smtpd_client_event_limit_exceptions | join(', ') }}
+smtpd_client_message_rate_limit = 25
+smtpd_client_new_tls_session_rate_limit = 100
+smtpd_client_auth_rate_limit = 100
+
+default_destination_rate_delay = 60s
+default_destination_recipient_limit = 1
+default_destination_concurrency_failed_cohort_limit = 10
+
+header_checks = pcre:/etc/postfix/conf.d/header_checks
+
+### Spam and DKIM
+{% if postfix_smtpd_milters is defined %}
+smtpd_milters =
+{% for map in postfix_smtpd_milters %}
+    {{ map.type }}:{{ map.address }}
+{% endfor %}
+{% endif %}
+{% if postfix_non_smtpd_milters is defined %}
+non_smtpd_milters =
+{% for map in postfix_non_smtpd_milters %}
+    {{ map.type }}:{{ map.address }}
+{% endfor %}
+{% endif %}
+milter_default_action = accept
+milter_connect_macros = i j {daemon_name} v {if_name} _
+milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} {client_addr} {client_name}
+milter_rcpt_macros = i j _ {auth_type} {rcpt_addr} {rcpt_host} {rcpt_mailer}
+milter_connect_timeout = 20s
+
+# Prevent DKIM signatures (don't allow spam header to change the signature)
+disable_mime_output_conversion = yes
+
+### Misc
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+disable_vrfy_command = yes
+recipient_delimiter = +
+
+# Postfix-default: alias_maps = hash:/etc/mail/aliases nis:mail.aliases
+# Prevents delays caused by NIS queries
+alias_maps =
+
+# Error notifications
+# http://www.postfix.org/postconf.5.html#notify_classes
+notify_classes = data, delay, resource, software
+minimal_backoff_time = 1000s
+maximal_backoff_time = 4h
+
+compatibility_level = 2
+biff = no
+append_dot_mydomain = no
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+# Add missing headers
+always_add_missing_headers = yes
+local_header_rewrite_clients = permit_mynetworks
+
+mailbox_size_limit = 0
+message_size_limit = {{ postfix_message_size_limit }}
+
+### Destination limits
+# Some mail server limit concurrent connections
+# Solves: Maximum parallel connections for your IP-Address
+dlimit_destination_concurrency_limit = 4
+dlimit_destination_recipient_limit = 3
+dlimit_destination_rate_delay = 5s
+
+{% if postfix_proxy_read_maps is defined %}
+### Proxy maps
+proxy_read_maps =
+{% for map in postfix_proxy_read_maps %}
+    {{ map }}
+{% endfor %}
+{% endif %}

templates/postfix/master.cf

@@ -0,0 +1,90 @@
+### {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       1       postscreen
+smtpd     pass  -       -       y       -       100     smtpd
+    -o cleanup_service_name=smtpd-in
+dnsblog   unix  -       -       y       -       0       dnsblog
+tlsproxy  unix  -       -       y       -       0       tlsproxy
+{% if postfix_submission is defined and postfix_submission %}
+smtps      inet  n       -       y       -      100     smtpd
+    -o syslog_name=postfix/smtps
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
+    -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
+    -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
+    -o smtpd_tls_mandatory_protocols=!TLSv1,!TLSv1.1
+    -o smtpd_tls_protocols=!TLSv1,!TLSv1.1
+    -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+{% if postfix_smtpd_sender_login_maps is defined %}
+    -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(', ') }}
+{% endif %}
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o cleanup_service_name=subclean
+submission inet  n       -       y       -       -      smtpd
+    -o syslog_name=postfix/submission
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
+    -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
+    -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
+    -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
+    -o smtpd_sasl_auth_enable=yes
+{% if postfix_smtpd_sender_login_maps is defined %}
+    -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(', ') }}
+{% endif %}
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o cleanup_service_name=subclean
+{% if postfix_submission_alternative_port is defined %}
+{{ postfix_submission_alternative_port }}        inet  n       -       y       -       -       smtpd
+    -o syslog_name=postfix/submission-local
+    -o smtpd_tls_security_level=none
+    -o smtpd_client_restrictions=permit_mynetworks,reject
+    -o smtpd_sasl_auth_enable=no
+    -o cleanup_service_name=subclean
+{% endif %}
+{% endif %}
+dlimit     unix  -       -       n       -       -       smtp
+    -o syslog_name=postfix-dlimit
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+smtptor    unix  -       -       n       -       -      smtp_tor
+  -o smtp_dns_support_level=disabled
+  -o smtp_tls_security_level=none
+  -o smtp_tls_policy_maps=
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+
+# Outbound: Remove sensible headers
+subclean   unix  n       -       y       -       0       cleanup
+    -o header_checks=regexp:/etc/postfix/conf.d/header_treatment
+
+# Inbound: Remove some headers
+smtpd-in  unix  n       -       y       -       0       cleanup
+  -o syslog_name=postfix/smtpd-in
+  -o header_checks=pcre:/etc/postfix/conf.d/header_checks_inbound