### {{ ansible_managed }} ### {{ template_path }} {% if postfix_smtp_banner is defined %} smtpd_banner = {{ postfix_smtpd_banner }} {% endif %} {% if postfix_debug_peer_list is defined %} ### Debug Logging debug_peer_list = {{ postfix_debug_peer_list | join(', ') }} {% endif %} ### Protocols and destinations inet_interfaces = all inet_protocols = ipv4 myhostname = {{ postfix_myhostname }} {% if postfix_myorigin is defined %} myorigin = {{ postfix_myorigin }} {% endif %} {% if postfix_mydestination is defined %} mydestination = {{ postfix_mydestination | join(', ') }} {% endif %} {% if postfix_mynetworks is defined %} mynetworks = {{ postfix_mynetworks | join(', ') }} {% endif %} {% if postfix_type == "internet" %} ### TLS settings tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION tls_preempt_cipherlist = no tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA ### TLS settings for SMTP server smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_cert_file = {{ postfix_smtpd_tls_cert_file }} smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }} smtpd_tls_ciphers = medium smtpd_tls_mandatory_ciphers = medium smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA, DHE-RSA-AES256-SHA #Einige berechtigte Mailserver nutzen nur TLSv1 #smtpd_tls_mandatory_protocols = !TLSv1 #smtpd_tls_protocols = !TLSv1 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 7200s smtpd_tls_loglevel = 1 smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_dh1024_param_file = {{ postfix_dhparam_file }} smtpd_tls_eecdh_grade = strong {% endif %} {% if postfix_type == "internet" or postfix_smtp_sasl_auth_enabled is defined and postfix_smtp_sasl_auth_enabled %} ### TLS settings for SMTP client smtp_tls_security_level = dane smtp_dns_support_level = dnssec smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_timeout = 7200s #Some mailserver use only TLSv1. Hence we can't disable it. #smtp_tls_protocols = !TLSv1 {% if postfix_smtp_tls_policy_maps is defined %} smtp_tls_policy_maps = {% for map in postfix_smtp_tls_policy_maps %} {{ map.type }}:{{ map.path }} {% endfor %} {% endif %} smtp_tls_ciphers = medium smtp_tls_fingerprint_digest = sha1 smtp_tls_loglevel = 1 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_pix_workarounds = disable_esmtp {% endif %} ### Domains and recipients {% if postfix_virtual_mailbox_domains is defined %} virtual_mailbox_domains = {% for map in postfix_virtual_mailbox_domains %} {{ map.type }}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_virtual_mailbox_maps is defined %} virtual_mailbox_maps = {% for map in postfix_virtual_mailbox_maps %} {{ map.type }}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_virtual_alias_maps is defined %} virtual_alias_maps = {% for map in postfix_virtual_alias_maps %} {{ map.type }}:{{ map.path}} {% endfor %} {% endif %} {% if postfix_virtual_transport is defined %} virtual_transport = {% for map in postfix_virtual_transport %} {{ map.type }}:{{ map.address }} {% endfor %} {% endif %} {% if postfix_relay_domains is defined %} # Relay mails without recipient check relay_domains = {% for map in postfix_relay_domains %} {{ map.type}}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_sender_dependent_relayhost_maps is defined %} sender_dependent_relayhost_maps = {% for map in postfix_sender_dependent_relayhost_maps %} {{ map.type }}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_transport_maps is defined %} transport_maps = {% for map in postfix_transport_maps %} {{ map.type }}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_relayhost is defined %} relayhost = {{ postfix_relayhost}} {% endif %} {% if postfix_canonical_maps is defined %} canonical_maps = {% for map in postfix_canonical_maps %} {{ map.type}}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_sender_canonical_maps is defined %} sender_canonical_maps = {% for map in postfix_sender_canonical_maps %} {{ map.type}}:{{ map.path }} {% endfor %} {% endif %} {% if postfix_type == "internet" %} # Postfix-default: alias_maps = hash:/etc/mail/aliases nis:mail.aliases # Prevents delays caused by NIS queries {% endif %} alias_maps = {% for map in postfix_alias_maps %} {{ map.type }}:{{ map.path }} {% endfor %} {% if postfix_smtpd_sasl_type is defined %} ### SMTP Auth, server side broken_sasl_auth_clients = yes smtpd_sasl_type = {{ postfix_smtpd_sasl_type }} smtpd_sasl_path = {{ postfix_smtpd_sasl_path }} smtpd_sasl_auth_enable = no {% if postfix_smtpd_sasl_exceptions_networks is defined %} # Some clients demand SASL Auth if the server offers it smtpd_sasl_exceptions_networks = {{ postfix_smtpd_sasl_exceptions_networks | join(', ') }} {% endif %} {% endif %} {% if postfix_smtp_sasl_auth_enabled is defined and postfix_smtp_sasl_auth_enabled %} ### SMTP Auth client side smtp_sasl_auth_enable = yes smtp_sasl_auth_soft_bounce = no smtp_sasl_password_maps = cdb:{{ postfix_conf_dir }}/smtp_sasl_auth_password smtp_sasl_security_options = noanonymous {% endif %} {% if postfix_type == "internet" %} #### Postscreen postscreen_access_list = permit_mynetworks cidr:{{ postfix_conf_dir }}/postscreen_access postscreen_blacklist_action = drop # Pregreeting postscreen_greet_action = drop # DNS block lists postscreen_dnsbl_threshold = 2 {% if postfix_postscreen_dnsbl_sites is defined %} postscreen_dnsbl_sites = {% for site in postfix_postscreen_dnsbl_sites %} {{ site.name }}*{{ site.multiplier }} {% endfor %} {% endif %} postscreen_dnsbl_action = drop {% endif %} {% if postfix_type == "internet" %} # Postfix runs restrictions with the following order # - smtpd_client_restriction # - smtpd_helo_restriction # - smtpd_sender_restrition # - smtpd_relay_restrictions # - smtpd_recipient_restrictions # - smtpd_data_restriction # - smtpd_end_of_data_restriction # - smtpd_etrn_restriction smtpd_restriction_classes = permit_login_mismatch smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access cdb:{{ postfix_conf_dir }}/client_checks, reject_unknown_client_hostname, permit # Reject only after RCPT-TO smtpd_delay_reject = yes # Enforce helo to apply restrictions smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access pcre:{{ postfix_conf_dir }}/helo_checks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, check_sender_access cdb:{{ postfix_conf_dir }}/sender_checks, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_mx_access cidr:{{ postfix_conf_dir }}/bogus_mx, #Uncomment the next two lines to block mails from other servers with our domain as MAIL FROM #permit_sasl_authenticated, #check_sender_access hash:{{ postfix_conf_dir }}/sender_checks_domain, permit {% if postfix_submission is defined and postfix_submission %} # Restrictions for submission port mua_sender_restrictions = check_sasl_access cdb:{{ postfix_conf_dir }}/permit_sasl_login_mismatch, permit_mynetworks, check_sender_access cdb:{{ postfix_conf_dir }}/sender_checks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch, permit_sasl_authenticated {% endif %} permit_login_mismatch = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit_sasl_authenticated {% if postfix_submission is defined and postfix_submission %} submission_bad_smtp_user_check = check_sasl_access cdb:{{ postfix_conf_dir }}/bad_smtp_auth_users {% endif %} smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access cdb:{{ postfix_conf_dir }}/relay_checks, reject_unauth_destination smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unverified_recipient {% endif %} # Configuration for reject_unverified_recipient unverified_recipient_reject_reason = User unknown / Nutzer unbekannt unverified_recipient_reject_code = 550 smtpd_data_restrictions = reject_multi_recipient_bounce, check_recipient_access pcre:{{ postfix_conf_dir }}/header_add, ### Connection limits smtpd_client_connection_rate_limit = 100 {% if postfix_smtpd_client_event_limit_exceptions is defined %} smtpd_client_event_limit_exceptions = {{ postfix_smtpd_client_event_limit_exceptions | join(', ') }} {% endif %} smtpd_client_message_rate_limit = 25 smtpd_client_new_tls_session_rate_limit = 100 smtpd_client_auth_rate_limit = 100 default_destination_rate_delay = 60s default_destination_recipient_limit = 1 default_destination_concurrency_failed_cohort_limit = 10 {% if postfix_type == "internet" %} ### Spam and DKIM {% if postfix_smtpd_milters is defined %} smtpd_milters = {% for map in postfix_smtpd_milters %} {{ map.type }}:{{ map.address }} {% endfor %} {% endif %} {% if postfix_non_smtpd_milters is defined %} non_smtpd_milters = {% for map in postfix_non_smtpd_milters %} {{ map.type }}:{{ map.address }} {% endfor %} {% endif %} milter_default_action = accept milter_connect_macros = i j {daemon_name} v {if_name} _ milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} {client_addr} {client_name} milter_rcpt_macros = i j _ {auth_type} {rcpt_addr} {rcpt_host} {rcpt_mailer} milter_connect_timeout = 20s # Prevent DKIM signatures (don't allow spam header to change the signature) disable_mime_output_conversion = yes {% endif %} ### Misc disable_vrfy_command = yes recipient_delimiter = + # Error notifications # http://www.postfix.org/postconf.5.html#notify_classes notify_classes = data, delay, resource, software minimal_backoff_time = 1000s maximal_backoff_time = 4h compatibility_level = 2 biff = no append_dot_mydomain = no # Header treatment always_add_missing_headers = yes local_header_rewrite_clients = permit_mynetworks header_checks = pcre:{{ postfix_conf_dir }}/header_checks mailbox_size_limit = 0 message_size_limit = {{ postfix_message_size_limit }} {% if postfix_type == "internet" %} ### Destination limits # Some mail server limit concurrent connections # Solves: Maximum parallel connections for your IP-Address dlimit_destination_concurrency_limit = 4 dlimit_destination_recipient_limit = 3 dlimit_destination_rate_delay = 5s {% endif %} {% if postfix_proxy_read_maps is defined %} ### Proxy maps proxy_read_maps = {% for map in postfix_proxy_read_maps %} {{ map }} {% endfor %} {% endif %} {% if postfix_authorized_submit_users is defined %} # Allow/ prevent sendmail delivery for specific users authorized_submit_users = {{ postfix_authorized_submit_users | join(', ') }} {% endif %}