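# Postfix main.cf, Jinja2 template rendered by Ansible.
# Postfix has no inline comments: a comment must sit on a line of its own.
# Comment lines inside a multi-line value are skipped by the parser, and a
# line that starts with whitespace continues the previous parameter.

compatibility_level = 3.7

# Sane defaults
biff = no
append_dot_mydomain = no
local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
readme_directory = no
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# VRFY would let a remote client probe which addresses exist.
disable_vrfy_command = yes
# 0 = no limit
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
# bytes
message_size_limit = 102400000

# Disable all error reports to postmaster@, because they sometimes contain
# passwords or other confidential information
notify_classes =

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    # Quota check via Dovecot
    # Kept after reject_unauth_destination so the policy service is only
    # asked about recipients this host is willing to accept.
    check_policy_service unix:private/policy-quota,
    permit

# The mua_* names are not built-in Postfix parameters.
# NOTE(review): presumably master.cf passes them to the submission services
# with "-o smtpd_..._restrictions=$mua_..."; confirm, otherwise they have no
# effect.
mua_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

mua_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # Sender verification is disabled!
    # warn_if_reject downgrades only the restriction right after it to a
    # logged "reject_warning": a login/sender mismatch is recorded but the
    # mail is still accepted, so an authenticated account is not held to the
    # addresses listed for it in smtpd_sender_login_maps.
    # NOTE(review): drop warn_if_reject to enforce once the logs show the
    # login map is complete.
    warn_if_reject,
    reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated

# Authenticated clients only; everything else is rejected.
mua_client_restrictions =
    permit_sasl_authenticated,
    reject

# Host settings
myhostname = {{ inventory_hostname }}
mydomain = {{ ansible_domain }}
myorigin = $mydomain
# Loopback only: no other host is trusted through permit_mynetworks.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost

# TLS parameters
smtpd_tls_cert_file = {{ mailserver.smtp_tls_cert }}
smtpd_tls_key_file = {{ mailserver.smtp_tls_key }}
mua_tls_cert_file = {{ mailserver.submission_tls_cert }}
mua_tls_key_file = {{ mailserver.submission_tls_key }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# "may" = opportunistic TLS: STARTTLS is offered but not required.
# smtpd_tls_security_level replaces the obsolete smtpd_use_tls, which is
# therefore no longer set here.
# NOTE(review): confirm that the submission services in master.cf raise this
# to "encrypt"; nothing in this file does.
smtpd_tls_security_level = may
# AUTH is only offered after STARTTLS, so credentials are never sent in clear.
smtpd_tls_auth_only = yes
# Outbound deliveries are opportunistic too: no certificate verification, and
# delivery falls back to plaintext when the peer offers no STARTTLS.
smtp_tls_security_level = may

# Postfixadmin and dovecot integration
relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps =
    pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
    pgsql:/etc/postfix/pgsql/virtual_alias_domain_maps.cf
    pgsql:/etc/postfix/pgsql/virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
local_transport = dovecot
local_recipient_maps = $virtual_mailbox_maps
# Login -> permitted sender addresses; consulted by the
# reject_*_sender_login_mismatch restrictions.
smtpd_sender_login_maps = pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Special address that discards all mails
transport_maps = inline:{discard@{{ inventory_hostname }}=discard:}

# PostSRS integration
# Both lookups address the daemon by IP literal, so they do not depend on how
# "localhost" resolves on the host.
sender_canonical_maps = tcp:127.0.0.1:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002

# Milters
milter_protocol = 6
# Fail-open: when a milter is unreachable or misbehaves, mail is accepted as
# if the milter were not there.
# NOTE(review): if any listed milter enforces policy (content filtering,
# signing), consider "tempfail" so an outage defers mail instead of letting
# it bypass the check.
milter_default_action = accept
smtpd_milters = {{ mailserver.postfix.milters | join(' ') }}
non_smtpd_milters = {{ mailserver.postfix.milters | join(' ') }}

# Header checks
# The same regexp table is applied to message headers and MIME part headers.
mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks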