### {{ ansible_managed }}

# Postfix master.cf rendered from a Jinja2 template. Each logical line below
# declares one service; lines starting with whitespace continue the entry
# above them and carry per-service "-o name=value" overrides.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
{% if postfix_type == "internet" %}
# Internet-facing host: postscreen owns the public smtp port (one process)
# and hands connections to the "smtpd" pass service, which sends mail through
# the "smtpd-in" cleanup instance declared at the end of this file.
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       100     smtpd
  -o cleanup_service_name=smtpd-in
{% else %}
# Any other postfix_type: smtpd listens on the smtp port directly and keeps
# the default cleanup service, so the smtpd-in header checks do not apply.
smtp      inet  n       -       y       -       -       smtpd
{% endif %}
# Helper services declared unconditionally, whichever branch was rendered.
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
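{% if postfix_submission is defined and postfix_submission %}
# Client submission listeners, rendered only when postfix_submission is set
# and truthy. smtps and submission both enable SASL, end their client
# restrictions in "reject" (no unauthenticated submission), and pass mail
# through the "subclean" cleanup instance declared at the end of this file.
# $submission_bad_smtp_user_check and $mua_sender_restrictions are expanded
# from main.cf, which is not part of this template.
#
# smtps: implicit TLS (smtpd_tls_wrappermode=yes).
# The two protocol settings are exclusion lists that replace the main.cf
# value for this service, so SSLv2 and SSLv3 are excluded explicitly next to
# TLSv1 and TLSv1.1; "!TLSv1,!TLSv1.1" alone would not rule them out.
# NOTE(review): smtpd_tls_dh1024_param_file is only the historical parameter
# name - confirm the file behind dhparam_file holds a group of 2048 bits or more.
# NOTE(review): smtpd_sender_login_maps is only enforced if
# $mua_sender_restrictions contains one of the reject_*sender_login_mismatch
# restrictions - confirm in main.cf.
# The map list is joined with a bare comma: master.cf splits arguments on
# whitespace, so a space inside the -o value would cut the list short.
smtps     inet  n       -       y       -       100     smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
  -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
  -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
{% if postfix_smtpd_sender_login_maps is defined %}
  -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(',') }}
{% endif %}
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o cleanup_service_name=subclean
# submission: STARTTLS is mandatory (smtpd_tls_security_level=encrypt).
# NOTE(review): unlike smtps above, this entry sets no
# smtpd_tls_mandatory_protocols override, so the protocol floor on this port
# comes from main.cf - confirm it also excludes TLSv1 and TLSv1.1.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file={{ postfix_submission_smtpd_tls_cert_file }}
  -o smtpd_tls_key_file={{ postfix_submission_smtpd_tls_key_file }}
  -o smtpd_tls_dh1024_param_file={{ dhparam_file }}
  -o smtpd_client_restrictions=$submission_bad_smtp_user_check,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
{% if postfix_smtpd_sender_login_maps is defined %}
  -o smtpd_sender_login_maps={{ postfix_smtpd_sender_login_maps | join(',') }}
{% endif %}
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o cleanup_service_name=subclean
{% if postfix_submission_non_tls_port is defined %}
# Optional plaintext listener: TLS and SASL are both off, and the only access
# control is permit_mynetworks followed by reject.
# NOTE(review): everything submitted here is unauthenticated and unencrypted,
# so the exposure is exactly $mynetworks - confirm that list is narrow and
# that postfix_submission_non_tls_port is bound or firewalled to trusted hosts.
{{ postfix_submission_non_tls_port }} inet n - y - - smtpd
  -o syslog_name=postfix/submission-local
  -o smtpd_tls_security_level=none
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_sasl_auth_enable=no
  -o cleanup_service_name=subclean
{% endif %}
{% endif %}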
# Internal daemons and delivery transports. None of these entries depends on
# a template variable.
#
# dlimit: second instance of the smtp client, logging as "postfix-dlimit".
# NOTE(review): presumably selected through a transport map defined
# elsewhere - confirm against main.cf.
dlimit    unix  -       -       n       -       -       smtp
  -o syslog_name=postfix-dlimit
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
# smtptor: delivery transport with DNS lookups disabled, TLS turned off and
# the TLS policy maps emptied, run outside the chroot.
# NOTE(review): "smtp_tor" is not a stock Postfix daemon name; presumably a
# wrapper installed elsewhere - confirm it exists in the daemon directory.
# NOTE(review): with smtp_tls_security_level=none this transport adds no
# transport encryption of its own - confirm only the intended destinations
# are routed to it.
smtptor   unix  -       -       n       -       -       smtp_tor
  -o smtp_dns_support_level=disabled
  -o smtp_tls_security_level=none
  -o smtp_tls_policy_maps=
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
# local and virtual are the two entries with unpriv=n; both also run
# without chroot.
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

# Outbound: remove sensitive headers.
# Cleanup instance named by cleanup_service_name=subclean on the submission
# listeners. Its -o header_checks takes precedence over any header_checks
# from main.cf for mail passing through this instance.
subclean  unix  n       -       y       -       0       cleanup
  -o header_checks=regexp:{{ postfix_conf_dir }}/header_treatment

# Inbound: remove some headers.
# Cleanup instance named by cleanup_service_name=smtpd-in on the "smtpd" pass
# service, which is rendered only when postfix_type is "internet".
smtpd-in  unix  n       -       y       -       0       cleanup
  -o syslog_name=postfix/smtpd-in
  -o header_checks=pcre:{{ postfix_conf_dir }}/header_checks_inbound