infra/ansible-role-postfix
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible-role-postfix/templates/main.cf.j2
Julian Rother 83df531b00
Disable all error reports to postmaster@ 
These error report mails sometimes contain passwords or other confidential
information. This is by design (see postconf(5)) and enabled per default.
This is a very bad idea.
2022-01-28 23:04:02 +01:00

142 lines
5.1 KiB
Django/Jinja
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = {{ postfix.ssl.cert }}
smtpd_tls_key_file = {{ postfix.ssl.key }}
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = {{ postfix.ssl.incoming_security_level }}
smtpd_tls_auth_only = yes
smtp_tls_security_level = {{ postfix.ssl.outgoing_security_level }}
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# SMTPD default settings
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
myhostname = {{ inventory_hostname }}
mydomain = {{ postfix.mydomain|d(ansible_domain) }}
myorigin = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix.mynetworks|join(' ') }}
mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost {{ postfix.mydestination|join(' ') }}
alias_maps = {{ postfix.alias_maps }}
relayhost = {{ postfix.relayhost }}
relay_domains = {{ postfix.relay_domains|join(', ') }}
relay_transport = {{ postfix.relay_transport }}
transport_maps = {{ postfix.transport_maps|join(', ') }}
sender_dependent_relayhost_maps = {{ postfix.sender_dependent_relayhost_maps }}
local_recipient_maps = {{ postfix.local_recipient_maps|join(', ') }}
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
message_size_limit = {{ postfix.message_size_limit }}
# Restrictions
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
# reject_sender_login_mismatch, # Disabled because we dont map correctly
permit_mynetworks,
permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unlisted_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_non_fqdn_recipient,
{% if postfix.check_dovecot_quota -%}
check_policy_service inet:127.0.0.1:12340,
{% endif -%}
permit
mua_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
mua_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit_mynetworks,
permit_sasl_authenticated
mua_client_restrictions = permit_sasl_authenticated,
reject
{% if ("mailbox_transport" in postfix and postfix.mailbox_transport == "dovecot")
or postfix.ldap.enable
%}
{# This applies when LDAP or dovecot are configured #}
smtpd_sasl_auth_enable = yes
{% endif %}
{% if ("mailbox_transport" in postfix and postfix.mailbox_transport == "dovecot")
and postfix.ldap.enable
%}
{# This applies when dovecot and LDAP are configured #}
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
{% endif %}
{% if ("mailbox_transport" in postfix and postfix.mailbox_transport == "dovecot")
and not postfix.ldap.enable
%}
{# This applies when dovecot is configured, but not LDAP #}
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
{% endif %}
# Virtual maps
virtual_alias_domains = {{ postfix.virtual_alias_domains|join(' ') }}
virtual_alias_maps = {{ postfix.virtual_alias_maps }}
# header checks
mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks
# milter
milter_protocol = 6
milter_default_action = accept
smtpd_milters = {{ ' '.join(postfix.smtpd_milters) }}
non_smtpd_milters = {{ ' '.join(postfix.non_smtpd_milters) }}
# Disable all error reports to postmaster@, because they sometimes contain
# passwords or other confidential information
notify_classes =
Reference in a new issue View git blame Copy permalink