From 114b0450f142716887236b6f2a9dd3799b0eb3c0 Mon Sep 17 00:00:00 2001
From: Morre
Date: Fri, 10 Jul 2020 15:29:36 +0200
Subject: [PATCH] Migrate postfix conf
---
 README.md | 2 +-
 templates/main.cf.j2 | 91 +++++++++++++++----------------------------
 2 files changed, 32 insertions(+), 61 deletions(-)
diff --git a/README.md b/README.md
index 94800ed..8ee1e75 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ virtual_mailbox_domains: []
 # networks to relay mail from without user authentication
 mynetworks: []
-# currently ignored
+# Postfix is the destination for the domains listed here
 mydestination: []
 ```
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index 60adace..bff0fae 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -34,6 +34,11 @@ smtp_tls_security_level = {{ postfix.ssl.outgoing_security_level }}
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# SMTPD default settings
+smtpd_helo_required = yes
+strict_rfc821_envelopes = yes
+disable_vrfy_command = yes
+
 myhostname = {{ inventory_hostname }}
 mydomain = {{ postfix.mydomain|d(ansible_domain) }}
 myorigin = $mydomain
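Review bot: The `# SMTPD default settings` comment above the three added parameters in the main.cf.j2 hunk does not say why they are set, and the reason is security-relevant: Postfix only evaluates smtpd_helo_restrictions for clients that actually send HELO/EHLO, so `smtpd_helo_required = yes` is what makes the helo restrictions added further down in this file apply to every client, and `disable_vrfy_command = yes` stops VRFY-based address enumeration. Suggest replacing the comment with `# Require HELO/EHLO (otherwise smtpd_helo_restrictions can be bypassed), enforce strict RFC 821 envelopes, disable VRFY to prevent address harvesting`. The README hunk is a documentation-only change and needs nothing further.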
@@ -55,13 +60,36 @@ inet_protocols = all
 message_size_limit = {{ postfix.message_size_limit }}
+# Restrictions
+smtpd_helo_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname
+
+smtpd_sender_restrictions = reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_sender_login_mismatch,
+ permit_mynetworks,
+ permit_sasl_authenticated
+
+smtpd_recipient_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unlisted_recipient,
+ reject_unknown_recipient_domain,
+ reject_unauth_destination,
+ reject_non_fqdn_recipient,
+ permit
+
+{% if ("virtual_transport" in postfix and postfix.virtual_transport == "dovecot")
+ or postfix.ldap.enable
+%}
+smtpd_sasl_auth_enable = yes
+{% endif %}
+
 {% if "virtual_transport" in postfix and postfix.virtual_transport == "dovecot" %}
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
-smtpd_sender_restrictions = reject_unknown_sender_domain
-#smtpd_client_restrictions = permit_mynetworks,reject
 dovecot_destination_recipient_limit = 1
 virtual_transport = dovecot
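Review bot: `smtpd_recipient_restrictions` is assigned twice on the new side: the new seven-entry list near the top of the hunk, and the surviving `smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination` inside the `virtual_transport == "dovecot"` block. Postfix takes the last assignment of a parameter in main.cf (and warns about the overridden entry), so whenever the dovecot transport is selected the stricter list is silently replaced by the old three-item one and `reject_unlisted_recipient`, `reject_unknown_recipient_domain` and `reject_non_fqdn_recipient` never take effect. That line inside the dovecot block should be deleted, as the commit already does for the block's `smtpd_sasl_auth_enable` and `smtpd_sender_restrictions` lines. Separately, `reject_sender_login_mismatch` in the new sender restrictions only has an effect when `smtpd_sender_login_maps` is configured, and no such map is visible in this hunk, so it is worth confirming it is set elsewhere in the template rather than being a no-op. The dovecot `{% if %}` block continues past the end of the hunk.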
@@ -71,63 +99,6 @@ virtual_transport = dovecot
 virtual_alias_maps = {{ postfix.virtual_alias_maps }}
 virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
-{% if postfix.ldap.enable %}
-# LDAP config
-## Virtual maps
-# virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailboxes.cf
-# virtual_mailbox_base = /home/vmail
-# virtual_uid_maps = ldap:/etc/postfix/ldap/virtual_uid.cf # TODO: Do we need this?
-# virtual_gid_maps = ldap:/etc/postfix/ldap/virtual_gid.cf # TODO: Do we need this?
-
-# virtual_uid_maps = static:{{ vmail_user.uid }}
-# virtual_gid_maps = static:{{ vmail_user.group }}
-
-## Transport maps
-### None so far
-
-# TLS
-# TODO: This is already enabled when using dovecot as transport
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous
-
-# Restrictions
-smtpd_helo_required = yes
-strict_rfc821_envelopes = yes
-disable_vrfy_command = yes
-
-smtpd_helo_restrictions = permit_mynetworks,
- permit_sasl_authenticated,
- reject_invalid_hostname,
- reject_invalid_helo_hostname,
- reject_non_fqdn_helo_hostname
-
-# TODO: This is already enabled when using dovecot as transport
-smtpd_sender_restrictions = reject_non_fqdn_sender,
- reject_unknown_sender_domain,
- reject_sender_login_mismatch,
- permit_mynetworks,
- permit_sasl_authenticated
-
-# TODO: This is already enabled when using dovecot as transport
-smtpd_recipient_restrictions = permit_mynetworks,
- permit_sasl_authenticated,
- reject_unlisted_sender,
- reject_unlisted_recipient,
- reject_unknown_sender_domain,
- reject_unknown_recipient_domain,
- reject_invalid_hostname,
- reject_unauth_destination,
- reject_non_fqdn_hostname,
- reject_non_fqdn_sender,
- reject_non_fqdn_recipient,
- permit
-
-smtpd_client_restrictions = permit_mynetworks,
- permit_sasl_authenticated,
- permit
-
-{% endif %}
-
 # opendkim
 {% if postfix.enable_opendkim %}