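### {{ ansible_managed }}
### Postfix main.cf rendered by Ansible.
### Syntax reminder: a line that starts with whitespace continues the
### previous parameter; a later assignment of the same parameter replaces
### an earlier one, so every multi-value parameter below is assigned once.

smtpd_banner = {{ postfix_smtpd_banner }}

{% if postfix_debug_peer_list is defined %}
### Debug Logging
# Verbose logging only for sessions with these hosts/networks
debug_peer_list = {{ postfix_debug_peer_list | join(', ') }}
{% endif %}

### Protocols and destinations
inet_interfaces = all
inet_protocols = ipv4

myhostname = $myorigin
myorigin = {{ postfix_myorigin }}
mydestination = {{ postfix_mydestination | join(', ') }}
# Trusted networks; this is what permit_mynetworks matches in the
# restriction lists further down
mynetworks = {{ postfix_mynetworks | join(', ') }}

### TLS settings
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
# Client cipher preference is honoured (server order not enforced)
tls_preempt_cipherlist = no
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
# OpenSSL cipher string; "+SSLv3" only moves the SSLv3-era suites to the
# end of the list, it does not enable the SSLv3 protocol
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

### TLS settings for SMTP server
# Opportunistic TLS for inbound mail; AUTH is only announced on
# encrypted sessions
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_smtpd_tls_cert_file }}
smtpd_tls_key_file = {{ postfix_smtpd_tls_key_file }}
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA, DHE-RSA-AES256-SHA
# Some legitimate mail servers still only speak TLSv1, so it stays enabled
#smtpd_tls_mandatory_protocols = !TLSv1
#smtpd_tls_protocols = !TLSv1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_dh1024_param_file = {{ postfix_dhparam_file }}
smtpd_tls_eecdh_grade = strong

### TLS settings for SMTP client
# DANE relies on DNSSEC-validated TLSA lookups (hence the dnssec support
# level); where no validated records are available Postfix downgrades to
# opportunistic TLS. The resolver in /etc/resolv.conf must validate.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 7200s
# Some mail servers use only TLSv1. Hence we can't disable it.
#smtp_tls_protocols = !TLSv1
{% if postfix_smtp_tls_policy_maps is defined %}
smtp_tls_policy_maps =
{% for map in postfix_smtp_tls_policy_maps %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}
smtp_tls_ciphers = medium
# Digest used for "fingerprint" entries in smtp_tls_policy_maps; the
# fingerprints recorded there must use the same digest. sha1 is kept only
# for compatibility with existing entries — switch this to sha256 together
# with the policy map.
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_pix_workarounds = disable_esmtp

### Domains and recipients
{% if postfix_virtual_mailbox_domains is defined %}
virtual_mailbox_domains =
{% for map in postfix_virtual_mailbox_domains %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}
{% if postfix_virtual_mailbox_maps is defined %}
# Check for existing recipients
virtual_mailbox_maps =
{% for map in postfix_virtual_mailbox_maps %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}
{% if postfix_virtual_alias_maps is defined %}
virtual_alias_maps =
{% for map in postfix_virtual_alias_maps %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}
{% if postfix_virtual_transport is defined %}
virtual_transport =
{% for map in postfix_virtual_transport %}
    {{ map.type }}:{{ map.address }}
{% endfor %}
{% endif %}

{% if postfix_relay_domains is defined %}
# Relay mails without recipient check
relay_domains =
{% for map in postfix_relay_domains %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}
{% if postfix_sender_dependent_relayhost_maps is defined %}
sender_dependent_relayhost_maps =
{% for map in postfix_sender_dependent_relayhost_maps %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}

{% if postfix_transport_maps is defined %}
transport_maps =
{% for map in postfix_transport_maps %}
    {{ map.type }}:{{ map.path }}
{% endfor %}
{% endif %}

{% if postfix_smtpd_sasl_type is defined %}
### SMTP Auth, server side
broken_sasl_auth_clients = yes
smtpd_sasl_type = {{ postfix_smtpd_sasl_type }}
smtpd_sasl_path = {{ postfix_smtpd_sasl_path }}
# AUTH is off for the default smtpd service; presumably enabled per
# service (submission) in master.cf — verify there
smtpd_sasl_auth_enable = no
{% if postfix_smtpd_sasl_exceptions_networks is defined %}
# Some clients demand SASL Auth if the server offers it
smtpd_sasl_exceptions_networks = {{ postfix_smtpd_sasl_exceptions_networks | join(', ') }}
{% endif %}
{% endif %}

{% if postfix_smtp_sasl_auth is defined and postfix_smtp_sasl_auth %}
### SMTP Auth client side
smtp_sasl_auth_enable = yes
smtp_sasl_auth_soft_bounce = no
# Plaintext relay credentials; the source file and its .db must be
# readable by root only
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
{% endif %}

#### Postscreen
postscreen_access_list =
    permit_mynetworks
    cidr:{{ postfix_conf_dir }}/postscreen_access.cidr
# Newer Postfix releases call this postscreen_denylist_action and still
# accept the old name
postscreen_blacklist_action = drop

# Pregreeting
postscreen_greet_action = drop

# DNS block lists
postscreen_dnsbl_threshold = 2
{% if postfix_postscreen_dnsbl_sites is defined %}
# All sites go under ONE assignment: repeating "postscreen_dnsbl_sites ="
# inside the loop would leave only the last site in effect
postscreen_dnsbl_sites =
{% for site in postfix_postscreen_dnsbl_sites %}
    {{ site.name }}*{{ site.multiplier }}
{% endfor %}
{% endif %}
postscreen_dnsbl_action = drop

# Postfix evaluates restrictions in the following order
# - smtpd_client_restrictions
# - smtpd_helo_restrictions
# - smtpd_sender_restrictions
# - smtpd_relay_restrictions
# - smtpd_recipient_restrictions
# - smtpd_data_restrictions
# - smtpd_end_of_data_restrictions
# - smtpd_etrn_restrictions

# Restriction classes may be used as lookup results in access maps
smtpd_restriction_classes = permit_login_mismatch

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cdb:{{ postfix_conf_dir }}/client_checks,
    reject_unknown_client_hostname,
    permit

# Reject only after RCPT TO
smtpd_delay_reject = yes
# Enforce HELO so the HELO restrictions apply
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access pcre:{{ postfix_conf_dir }}/helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access cdb:{{ postfix_conf_dir }}/sender_checks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_mx_access cidr:{{ postfix_conf_dir }}/bogus_mx,
# Uncomment the next two lines to block mails from other servers with our domain as MAIL FROM
#    permit_sasl_authenticated,
#    check_sender_access hash:{{ postfix_conf_dir }}/sender_checks_domain,
    permit

{% if postfix_submission is defined and postfix_submission %}
# Restrictions for the submission port; presumably referenced from
# master.cf as $mua_sender_restrictions — verify there
mua_sender_restrictions =
    check_sasl_access cdb:{{ postfix_conf_dir }}/permit_sasl_login_mismatch,
    permit_mynetworks,
    check_sender_access cdb:{{ postfix_conf_dir }}/sender_checks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch,
    permit_sasl_authenticated
{% endif %}

# Restriction class: skip the login-mismatch check for selected logins
permit_login_mismatch =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_sasl_authenticated

{% if postfix_submission is defined and postfix_submission %}
submission_bad_smtp_user_check =
    check_sasl_access cdb:{{ postfix_conf_dir }}/bad_smtp_auth_users
{% endif %}

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cdb:{{ postfix_conf_dir }}/relay_checks,
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unverified_recipient

# Configuration for reject_unverified_recipient
unverified_recipient_reject_reason = User unknown / Nutzer unbekannt
unverified_recipient_reject_code = 550

smtpd_data_restrictions =
    reject_multi_recipient_bounce,
    check_recipient_access pcre:{{ postfix_conf_dir }}/header_add

### Connection limits
# Per-client limits, counted per anvil rate-limit time unit
smtpd_client_connection_rate_limit = 100
smtpd_client_event_limit_exceptions = {{ postfix_smtpd_client_event_limit_exceptions | join(', ') }}
smtpd_client_message_rate_limit = 25
smtpd_client_new_tls_session_rate_limit = 100
smtpd_client_auth_rate_limit = 100

default_destination_rate_delay = 60s
default_destination_recipient_limit = 1
default_destination_concurrency_failed_cohort_limit = 10

header_checks = pcre:{{ postfix_conf_dir }}/header_checks

### Spam and DKIM
{% if postfix_smtpd_milters is defined %}
smtpd_milters =
{% for map in postfix_smtpd_milters %}
    {{ map.type }}:{{ map.address }}
{% endfor %}
{% endif %}
{% if postfix_non_smtpd_milters is defined %}
non_smtpd_milters =
{% for map in postfix_non_smtpd_milters %}
    {{ map.type }}:{{ map.address }}
{% endfor %}
{% endif %}
# Mail is accepted when a milter is unreachable
milter_default_action = accept
milter_connect_macros = i j {daemon_name} v {if_name} _
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} {client_addr} {client_name}
milter_rcpt_macros = i j _ {auth_type} {rcpt_addr} {rcpt_host} {rcpt_mailer}
milter_connect_timeout = 20s

# Preserve DKIM signatures (don't allow spam header to change the signature)
disable_mime_output_conversion = yes

### Misc

readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html

# VRFY would allow address enumeration
disable_vrfy_command = yes
recipient_delimiter = +

# Postfix-default: alias_maps = hash:/etc/mail/aliases nis:mail.aliases
# Prevents delays caused by NIS queries
alias_maps =

# Error notifications
# http://www.postfix.org/postconf.5.html#notify_classes
notify_classes = data, delay, resource, software
minimal_backoff_time = 1000s
maximal_backoff_time = 4h

compatibility_level = 2
biff = no
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# Add missing headers
always_add_missing_headers = yes
local_header_rewrite_clients = permit_mynetworks

# 0 = unlimited mailbox size; message_size_limit is in bytes
mailbox_size_limit = 0
message_size_limit = {{ postfix_message_size_limit }}

### Destination limits
# Some mail servers limit concurrent connections
# Solves: Maximum parallel connections for your IP-Address
# (applies to the "dlimit" transport, which must exist in master.cf)
dlimit_destination_concurrency_limit = 4
dlimit_destination_recipient_limit = 3
dlimit_destination_rate_delay = 5s

{% if postfix_proxy_read_maps is defined %}
### Proxy maps
proxy_read_maps =
{% for map in postfix_proxy_read_maps %}
    {{ map }}
{% endfor %}
{% endif %}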