ansible-role-mailserver/templates/postfix/main.cf.j2

compatibility_level = 3.7

# Sane defaults
biff = no
append_dot_mydomain = no
local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
readme_directory = no
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
message_size_limit = 102400000
# Disable all error reports to postmaster@, because they sometimes contain
# passwords or other confidential information
notify_classes =

smtpd_helo_restrictions = permit_mynetworks,
                          permit_sasl_authenticated,
                          reject_invalid_helo_hostname,
                          reject_non_fqdn_helo_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender,
                            reject_unknown_sender_domain,
                            permit_mynetworks,
                            permit_sasl_authenticated

smtpd_recipient_restrictions =  permit_mynetworks,
                                permit_sasl_authenticated,
                                reject_unlisted_recipient,
                                reject_unknown_recipient_domain,
                                reject_unauth_destination,
                                reject_non_fqdn_recipient,
                                # Quota check via Dovecot
                                check_policy_service unix:private/policy-quota,
                                permit

mua_helo_restrictions = permit_mynetworks,
                        permit_sasl_authenticated,
                        reject_invalid_helo_hostname,
                        reject_non_fqdn_helo_hostname

mua_sender_restrictions = reject_non_fqdn_sender,
                          reject_unknown_sender_domain,
                          # Sender verification is disabled!
                          warn_if_reject,
                          reject_authenticated_sender_login_mismatch,
                          permit_mynetworks,
                          permit_sasl_authenticated

mua_client_restrictions = permit_sasl_authenticated,
                          reject

# Host settings
myhostname = {{ inventory_hostname }}
mydomain = {{ ansible_domain }}
myorigin = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost

# TLS parameters
smtpd_tls_cert_file = {{ mailserver.smtp_tls_cert }}
smtpd_tls_key_file = {{ mailserver.smtp_tls_key }}
mua_tls_cert_file = {{ mailserver.submission_tls_cert }}
mua_tls_key_file = {{ mailserver.submission_tls_key }}
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_security_level = may

# Postfixadmin and dovecot integration
relay_domains = $mydestination pgsql:/etc/postfix/pgsql/relay_domains.cf {{ mailserver.postfix.relay_domains }}
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf pgsql:/etc/postfix/pgsql/virtual_alias_domain_maps.cf pgsql:/etc/postfix/pgsql/virtual_alias_domain_catchall_maps.cf {{ mailserver.postfix.virtual_alias_maps }}
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
local_transport = dovecot
local_recipient_maps = $virtual_mailbox_maps
smtpd_sender_login_maps = pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Special address that discards all mails
transport_maps = inline:{discard@{{ inventory_hostname }}=discard:} {{ mailserver.postfix.transport_maps }}

# PostSRS integration
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:10002

# Milters
milter_protocol = 6
milter_default_action = accept
smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }}
non_smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }}

# Header checks
mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks