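{{ ansible_managed | comment }}
#
# Postfix master.cf rendered from a Jinja2 template.
# One logical line per service; a line starting with whitespace continues
# the previous entry, so every template tag below is kept at column 0.
# Values given with -o must not contain whitespace (see master(5)).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
{% if postfix_type == "internet" %}
# Internet-facing: postscreen owns port 25 and hands accepted clients to the
# smtpd pass service, which routes mail through the smtpd-in cleanup entry.
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       {{ postfix_smtpd_maxproc }} smtpd
  -o cleanup_service_name=smtpd-in
{% else %}
# Any other postfix_type: plain smtpd on port 25 with the default cleanup
# service, so the header_checks of smtpd-in are not applied on this path.
smtp      inet  n       -       y       -       -       smtpd
{% endif %}
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
{% if postfix_submission is defined and postfix_submission %}
# Implicit-TLS submission (smtps): SASL-authenticated clients only.
# NOTE(review): the certificate and the key are selected by two independent
# conditions; defining only one of the EC variables yields a mixed pair.
smtps     inet  n       -       y       -       100     smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
{% if postfix_submission_smtpd_tls_eccert_file is defined %}
  -o smtpd_tls_eccert_file={{ postfix_submission_smtpd_tls_eccert_file }}
{% else %}
  -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
{% endif %}
{% if postfix_submission_smtpd_tls_eckey_file is defined %}
  -o smtpd_tls_eckey_file={{ postfix_submission_smtpd_tls_eckey_file }}
{% else %}
  -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
{% endif %}
# The parameter name is historical; the file should hold a DH group of at
# least 2048 bits. TODO confirm how dhparam_file is generated.
  -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
# An explicit exclusion list replaces the built-in default, so SSLv2 and
# SSLv3 are listed as well; otherwise only TLSv1 and TLSv1.1 would be
# excluded and SSLv3 stays allowed wherever the TLS library still offers it.
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# $submission_bad_smtp_user_check and $mua_sender_restrictions are expected
# to be defined in main.cf (not visible from this template).
  -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
{% if postfix_smtpd_sender_login_maps is defined %}
# Joined with a bare comma: a space inside an -o value ends the value, which
# would drop every map after the first from the sender/login ownership check.
  -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(',') }}
{% endif %}
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o cleanup_service_name=subclean
# STARTTLS submission: encryption is mandatory before authentication.
# NOTE(review): unlike smtps above, this entry sets no per-service TLS
# protocol exclusions, so it follows the main.cf value; confirm that is
# intended.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
{% if postfix_submission_smtpd_tls_eccert_file is defined %}
  -o smtpd_tls_eccert_file={{ postfix_submission_smtpd_tls_eccert_file }}
{% else %}
  -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
{% endif %}
{% if postfix_submission_smtpd_tls_eckey_file is defined %}
  -o smtpd_tls_eckey_file={{ postfix_submission_smtpd_tls_eckey_file }}
{% else %}
  -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
{% endif %}
  -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
  -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
{% if postfix_smtpd_sender_login_maps is defined %}
# Bare comma for the same reason as in the smtps entry.
  -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(',') }}
{% endif %}
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o cleanup_service_name=subclean
{% if postfix_submission_non_tls_port is defined %}
# Plaintext, unauthenticated submission: the only gate is permit_mynetworks.
# NOTE(review): anything inside mynetworks can relay here without TLS or
# SASL; keep mynetworks narrow and confirm this listener is bound to a
# loopback or otherwise trusted address.
{{ postfix_submission_non_tls_port }} inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission-local
  -o smtpd_tls_security_level=none
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_sasl_auth_enable=no
  -o cleanup_service_name=subclean
{% endif %}
{% endif %}
dlimit    unix  -       -       n       -       -       smtp
  -o syslog_name=postfix-dlimit
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
# Delivery transport that disables DNS lookups, TLS and TLS policy lookups.
# NOTE(review): smtp_tor is not a stock Postfix daemon; presumably a wrapper
# installed alongside the Postfix daemons. Mail on this transport has no
# TLS at the SMTP layer; confirm the route it takes provides its own
# protection. The service is not chrooted.
smtptor   unix  -       -       n       -       -       smtp_tor
  -o smtp_dns_support_level=disabled
  -o smtp_tls_security_level=none
  -o smtp_tls_policy_maps=
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
# Outbound: remove sensitive headers from mail accepted on the submission
# services (they select this entry with cleanup_service_name=subclean).
subclean  unix  n       -       y       -       0       cleanup
  -o header_checks=regexp:{{ postfix_conf_dir }}/header_treatment
# Inbound: remove some headers from mail accepted by the smtpd pass service.
smtpd-in  unix  n       -       y       -       0       cleanup
  -o syslog_name=postfix/smtpd-in
  -o header_checks=pcre:{{ postfix_conf_dir }}/header_checks_inbound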