Introduce postfix_type to distinguish between configuration types
parent
2c432028d0
commit
237cfae5a5
4 changed files with 34 additions and 2 deletions
11
README.md
11
README.md
|
@ -8,9 +8,20 @@ Use this role to setup a Postfix mail server. It comes with the following additi
|
|||
- optional: [OnionMX](https://github.com/ehloonion/onionmx)
|
||||
- optional: Unbound
|
||||
|
||||
## General type of mail server configuration
|
||||
|
||||
You can select via the variable `postfix_type` a pre-defined set of configuraion options that best meets your needs.
|
||||
- `internet`: Mail is send received directly using SMTP. TLS is enabled.
|
||||
- `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.
|
||||
|
||||
## Variables
|
||||
|
||||
### Required
|
||||
|
||||
| Variable | Value | Default | Note |
|
||||
|--|--|--|--|
|
||||
| `postfix_type` | str | `internet` | Determines how to setup Postfix. Choose `internet` or `internal` |
|
||||
|
||||
### Scope: misc
|
||||
|
||||
| Variable | Value | Default | Note |
|
||||
|
|
|
@ -11,6 +11,8 @@ postfix_daemon_dir: /usr/lib/postfix/sbin
|
|||
postfix_default_db_type: cdb
|
||||
postfix_dhparam_file: /etc/ssl/private/dhparam.pem
|
||||
postfix_pflogsum_mail_subject: "Mailserver Statistics"
|
||||
postfix_myhostname: "$myorigin"
|
||||
postfix_type: internet
|
||||
|
||||
tls_helper_domains_file: tls_domains
|
||||
tls_helper_postfix_dir: /var/lib/postfix/tls-helper
|
||||
|
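Review bot: `postfix_type: internet` is only ever compared for string equality in the templates of this commit (main.cf.j2 and master.cf.j2), so any value other than the two documented ones — a typo like the one in the commit title — silently falls through to the non-internet branches and deploys without the TLS, postscreen and smtpd restriction blocks. Nothing in this diff validates the value; a guard in the role's tasks (not part of this commit, so not visible here) such as `ansible.builtin.assert: { that: "postfix_type in ['internet', 'internal']" }` would fail the run early instead. The README hunk in this commit also lists the variable under "Required" while this file gives it a default, so one of the two is misleading; if the default stays, a comment here such as `# Selects the internet-facing profile (TLS, postscreen, smtpd restrictions); use internal for a LAN-only relay` would make the choice explicit.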
|
|
@ -1,6 +1,8 @@
|
|||
### {{ ansible_managed }}
|
||||
|
||||
{% if postfix_smtp_banner is defined %}
|
||||
smtpd_banner = {{ postfix_smtpd_banner }}
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_debug_peer_list is defined %}
|
||||
### Debug Logging
|
||||
|
@ -11,11 +13,18 @@ debug_peer_list = {{ postfix_debug_peer_list | join(', ') }}
|
|||
inet_interfaces = all
|
||||
inet_protocols = ipv4
|
||||
|
||||
myhostname = $myorigin
|
||||
myhostname = {{ postfix_myhostname }}
|
||||
{% if postfix_myorigin is defined %}
|
||||
myorigin = {{ postfix_myorigin }}
|
||||
{% endif %}
|
||||
{% if postfix_mydestination is defined %}
|
||||
mydestination = {{ postfix_mydestination | join(', ') }}
|
||||
{% endif %}
|
||||
{% if postfix_mynetworks is defined %}
|
||||
mynetworks = {{ postfix_mynetworks | join(', ') }}
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_type == "internet" %}
|
||||
### TLS settings
|
||||
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
|
||||
tls_preempt_cipherlist = no
|
||||
|
@ -58,6 +67,7 @@ smtp_tls_fingerprint_digest = sha1
|
|||
smtp_tls_loglevel = 1
|
||||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
||||
smtp_pix_workarounds = disable_esmtp
|
||||
{% endif %}
|
||||
|
||||
### Domains and recipients
|
||||
{% if postfix_virtual_mailbox_domains is defined %}
|
||||
|
@ -67,7 +77,6 @@ virtual_mailbox_domains =
|
|||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if postfix_virtual_mailbox_maps is defined %}
|
||||
# Check for existing recipients
|
||||
virtual_mailbox_maps =
|
||||
{% for map in postfix_virtual_mailbox_maps %}
|
||||
{{ map.type }}:{{ map.path }}
|
||||
|
@ -132,6 +141,7 @@ smtp_sasl_password_maps =
|
|||
smtp_sasl_security_options = noanonymous
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_type == "internet" %}
|
||||
#### Postscreen
|
||||
postscreen_access_list =
|
||||
permit_mynetworks
|
||||
|
@ -150,7 +160,9 @@ postscreen_dnsbl_sites =
|
|||
{% endfor %}
|
||||
{% endif %}
|
||||
postscreen_dnsbl_action = drop
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_type == "internet" %}
|
||||
# Postfix runs restrictions with the following order
|
||||
# - smtpd_client_restriction
|
||||
# - smtpd_helo_restriction
|
||||
|
@ -229,6 +241,7 @@ smtpd_recipient_restrictions =
|
|||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
reject_unverified_recipient
|
||||
{% endif %}
|
||||
|
||||
# Configuration for reject_unverified_recipient
|
||||
unverified_recipient_reject_reason = User unknown / Nutzer unbekannt
|
||||
|
@ -253,6 +266,7 @@ default_destination_concurrency_failed_cohort_limit = 10
|
|||
|
||||
header_checks = pcre:{{ postfix_conf_dir }}/header_checks
|
||||
|
||||
{% if postfix_type == "internet" %}
|
||||
### Spam and DKIM
|
||||
{% if postfix_smtpd_milters is defined %}
|
||||
smtpd_milters =
|
||||
|
@ -274,6 +288,7 @@ milter_connect_timeout = 20s
|
|||
|
||||
# Prevent DKIM signatures (don't allow spam header to change the signature)
|
||||
disable_mime_output_conversion = yes
|
||||
{% endif %}
|
||||
|
||||
### Misc
|
||||
|
||||
|
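Review bot: With `postfix_type` set to anything but `internet`, the new `{% endif %}` after `reject_unverified_recipient` (hunk at -229) removes the entire smtpd restrictions block opened by the `{% if postfix_type == "internet" %}` added in the hunk at -150, while `inet_interfaces = all` (hunk at -11) is still rendered unconditionally, so an `internal` server binds every interface with no smtpd_*_restrictions of its own from this file. Whether that is acceptable then rests on Postfix's built-in relay defaults and on `postfix_mynetworks` being set, which the template does not say anywhere. A comment at that `{% if %}`, e.g. `{# internal profile: no smtpd_*_restrictions are rendered; relay control relies on Postfix defaults and postfix_mynetworks #}`, would record the assumption, and the same applies to the `### TLS settings` block opened in the hunk at -11, where `internal` ends up with Postfix's default TLS settings (what the README calls "TLS is disabled"). The enclosing template continues outside these hunks, so I cannot confirm no other restriction directive is emitted elsewhere for the non-internet case.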
|
|
@ -4,9 +4,13 @@
|
|||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (no) (never) (100)
|
||||
# ==========================================================================
|
||||
{% if postfix_type == "internet" %}
|
||||
smtp inet n - y - 1 postscreen
|
||||
smtpd pass - - y - 100 smtpd
|
||||
-o cleanup_service_name=smtpd-in
|
||||
{% else %}
|
||||
smtp inet n - y - - smtpd
|
||||
{% endif %}
|
||||
dnsblog unix - - y - 0 dnsblog
|
||||
tlsproxy unix - - y - 0 tlsproxy
|
||||
{% if postfix_submission is defined and postfix_submission %}
|
||||
|
|
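Review bot: `dnsblog` and `tlsproxy` are still declared unconditionally right after the new `{% endif %}`, although both exist only to serve postscreen, which the `{% else %}` branch no longer runs; moving those two lines inside the `internet` branch keeps the non-internet service table to what it actually uses. The `{% else %}` branch also drops the `-o cleanup_service_name=smtpd-in` override, so inbound mail on an `internal` host goes through the default cleanup service; if that override routes through a separate cleanup definition elsewhere in the role (not visible in this diff), the difference should be deliberate and noted, e.g. `{# internal: plain smtpd on :25, default cleanup, no postscreen #}` above the `{% else %}`.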