Postfix ======= Use this role to setup a Postfix mail server. It comes with the following additions: - [Mail-TLS-Helper](https://github.com/systemli/mail-tls-helper) - Fail2ban - optional: [MTA-STS-Resolver](https://github.com/Snawoot/postfix-mta-sts-resolver) - optional: [OnionMX](https://github.com/ehloonion/onionmx) - optional: Unbound ## General type of mail server configuration You can select via the variable `postfix_type` a pre-defined set of configuraion options that best meets your needs. - `internet`: Mail is send received directly using SMTP. TLS is enabled. - `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25. ## Dual use of RSA and ECDSA certificates Newer versions of Let's Encrypt clients (as of [Certbot 2.0.0](https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys) or Dehydrated ) defaults to ECDSA certificates. This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates at the same time. If you use [Dehydrated](https://github.com/dehydrated-io/dehydrated) follow these steps: - Add your domain to `/etc/dehydrated/domains.txt`: ```Shell mx.example.org ``` - Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name: ``` mx.example.org mx.example.org > mx.example.org_rsa ``` - Create the certificate's directory: ```Shell mkdir /var/lib/dehydrated/certs/mx.example.org_rsa chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa ``` - Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting: ``` KEY_ALGO="rsa" ``` - Obtain the certificate: ```Shell dehydrated --cron ``` - Add all certificates to Postfix' `main.cf`: ``` smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem ``` ## Variables ### Required | Variable | Value | Default | Note | |--|--|--|--| | `postfix_type` | str | `internet` | Determines how to setup Postfix. Choose `internet` or `internal` | ### Scope: misc | Variable | Value | Default | Note | |--|--|--|--| | `unbound_install` | bool | | `True` if you whish to install unbound | | `postfix_onionmx` | bool | | `True` to setup OnionMX delivery | | `postfix_tls_herlp` | bool | `True` to setup Mail-TLS-Helper | | `postfix_mydestination` | List | | List with hostnames | | `postfix_mynetworks` | List | | List with network addresses | ### Scope: submission | Variable | Value | Default | Note | |--|--|--|--| | `postfix_submission` | bool | | Set `True` to configure submission port settings | | `postfix_submission_smtpd_tls_cert_file` | string | |Path to TLS cert file | | `postfix_submission_smtpd_tls_key_file` | string | | Path to TLS key file | | `postfix_submission_non_tls_port` | int | | Port number for an additional (internal) submission port without TLS | ### Scope: SASL Auth | Variable | Value | Default | Note | |--|--|--|--| | `postfix_smtpd_sasl_type` | string | | | | `postfix_smtpd_sasl_path` | string | | | | `postfix_smtp_sasl_auth_enabled` | bool | `no` | | | `postfix_smtp_sasl_auth_relay` | string | | Relay server which provides SASL-Auth | | `postfix_smtp_sasl_auth_user` | string | | Username for SASL authentication | | `postfix_smtp_sasl_auth_password` | string | | Password for SASL authenticatio |