# Postfix

Use this role to set up a Postfix mail server. It comes with the following additions:
- Mail-TLS-Helper
- Fail2ban
- optional: MTA-STS-Resolver
- optional: OnionMX
- optional: Unbound
## General type of mail server configuration

Via the variable `postfix_type` you can select a pre-defined set of configuration options that best meets your needs:

- `internet`: Mail is sent and received directly using SMTP. TLS is enabled.
- `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.
## Dual use of RSA and ECDSA certificates

Newer versions of Let's Encrypt clients (as of Certbot 2.0.0 or Dehydrated) default to ECDSA certificates. This can be a problem with older mail servers which only support RSA ciphers. Postfix can use both an RSA and an ECDSA certificate at the same time.
If you use Dehydrated, follow these steps:

- Add your domain to `/etc/dehydrated/domains.txt`:

  ```
  mx.example.org
  ```

- Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name:

  ```
  mx.example.org mx.example.org > mx.example.org_rsa
  ```

- Create the certificate's directory:

  ```
  mkdir /var/lib/dehydrated/certs/mx.example.org_rsa
  chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa
  ```

- Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting:

  ```
  KEY_ALGO="rsa"
  ```

- Obtain the certificate:

  ```
  dehydrated --cron
  ```

- Add all certificates to Postfix' `main.cf`:

  ```
  smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem
  smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem
  smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem
  smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem
  ```
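A common mistake with the dual-certificate setup above is pointing the RSA slot (`smtpd_tls_key_file`) at the ECDSA key or vice versa, which Postfix only reports at startup. The following added example (not part of this role) parses a `main.cf`, reads the two configured private keys and checks that each slot holds a key of the expected algorithm; the `read` parameter is a hypothetical hook so the check can run against in-memory PEM strings as well as real files.

```python
import base64
import re
from pathlib import Path

# DER-encoded AlgorithmIdentifier OIDs found inside PKCS#8 ("BEGIN PRIVATE KEY") blobs.
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
EC_OID = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey


def parse_main_cf(text):
    """Parse main.cf: 'name = value' lines, '#' comments, indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current:  # continuation of the previous parameter
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def key_algorithm(pem):
    """Return 'rsa', 'ec' or None for a PEM private key (traditional or PKCS#8 form)."""
    m = re.search(r"-----BEGIN (.*?)-----(.*?)-----END", pem, re.S)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
        return label.split()[0].lower()
    if label == "PRIVATE KEY":  # PKCS#8 hides the type in the label; look for the OID
        der = base64.b64decode("".join(body.split()))
        return "rsa" if RSA_OID in der else "ec" if EC_OID in der else None
    return None


def check_dual_certs(params, read=lambda path: Path(path).read_text()):
    """List problems with the RSA and ECDSA key slots of a parsed main.cf (hypothetical helper)."""
    problems = []
    for param, expected in (("smtpd_tls_key_file", "rsa"), ("smtpd_tls_eckey_file", "ec")):
        path = params.get(param)
        if not path:
            problems.append(f"{param} is not set")
            continue
        found = key_algorithm(read(path))
        if found != expected:
            problems.append(f"{param}: expected {expected} key, found {found}")
    return problems
```

Run it as `check_dual_certs(parse_main_cf(Path("/etc/postfix/main.cf").read_text()))` on the mail server; an empty list means both slots hold a key of the right type.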
## Variables

### Required

| Variable | Value | Default | Note |
|---|---|---|---|
| `postfix_type` | str | internet | Determines how to set up Postfix. Choose `internet` or `internal` |
### Scope: misc

| Variable | Value | Default | Note |
|---|---|---|---|
| `unbound_install` | bool | | True if you wish to install Unbound |
| `postfix_onionmx` | bool | | True to set up OnionMX delivery |
| `postfix_tls_herlp` | bool | | True to set up Mail-TLS-Helper |
| `postfix_mydestination` | list | | List with hostnames |
| `postfix_mynetworks` | list | | List with network addresses |
### Scope: submission

| Variable | Value | Default | Note |
|---|---|---|---|
| `postfix_submission` | bool | | Set True to configure submission port settings |
| `postfix_submission_smtpd_tls_cert_file` | string | | Path to TLS cert file |
| `postfix_submission_smtpd_tls_key_file` | string | | Path to TLS key file |
| `postfix_submission_non_tls_port` | int | | Port number for an additional (internal) submission port without TLS |
### Scope: SASL Auth

| Variable | Value | Default | Note |
|---|---|---|---|
| `postfix_smtpd_sasl_type` | string | | |
| `postfix_smtpd_sasl_path` | string | | |
| `postfix_smtp_sasl_auth_enabled` | bool | no | |
| `postfix_smtp_sasl_auth_relay` | string | | Relay server which provides SASL auth |
| `postfix_smtp_sasl_auth_user` | string | | Username for SASL authentication |
| `postfix_smtp_sasl_auth_password` | string | | Password for SASL authentication |