1 | # Does the server accept emails from a public IP address? Has Mailman? Has IMAP? |
2 | {% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %} | |
3 | {% set has_imap = not not pillar['postfix'].get('has_imap') %} | |
4 | {% set has_mailman = not not pillar['postfix'].get('has_mailman') %} | |
5 | {% set has_smtps = not not pillar['postfix'].get('has_smtps') %} | |
6 | ||
7 | ### | |
8 | ### Server configuration | |
9 | ### | |
10 | ||
11 | queue_directory = /var/spool/postfix | |
12 | command_directory = /usr/sbin | |
13 | daemon_directory = /usr/lib/postfix | |
14 | mail_owner = postfix | |
15 | default_privs = mail | |
16 | ||
17 | defer_transports = deferred | |
18 | ||
19 | hash_queue_depth = 1 | |
20 | hash_queue_names = active,deferred,bounce,defer,flush | |
21 | ||
22 | ### | |
23 | ### receiving and distributing emails | |
24 | ### | |
25 | ||
26 | {% if not is_mx %} | |
27 | inet_protocols = all | |
28 | inet_interfaces = 127.0.0.1 | |
29 | {% elif pillar['postfix']['ipaddr'].get('mx6') %} | |
30 | inet_protocols = all | |
31 | inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }} | |
32 | smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }} | |
33 | #smtp_address_preference = ipv4 | |
34 | {% else %} | |
35 | inet_protocols = ipv4 | |
36 | inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }} | |
37 | {% endif %} | |
38 | ||
39 | myhostname = {{ grains["host"] }}.polytechnique.org | |
40 | ||
41 | {% if not is_mx %} | |
42 | mydomain = $myhostname | |
43 | {% else %} | |
44 | mydomain = polytechnique.org | |
45 | {% endif %} | |
46 | myorigin = $myhostname | |
47 | ||
48 | ||
49 | mydestination = | |
50 | hruid.polytechnique.org | |
51 | {{ grains["host"] }}.polytechnique.org | |
52 | {{ grains["host"] }}.m4x.org | |
53 | {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %} | |
54 | ||
55 | virtual_alias_domains = | |
56 | hash:/etc/postfix/virtual | |
57 | {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %} | |
58 | ||
59 | mynetworks = 127.0.0.1/32 | |
60 | ||
61 | relay_domains = bounces.m4x.org | |
62 | ||
63 | transport_maps = | |
64 | {% if is_mx %}hash:/etc/postfix/transport{% endif %} | |
65 | hash:/etc/postfix/transport-{{ grains["host"] }} | |
66 | {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %} | |
67 | ||
68 | recipient_delimiter = + | |
69 | ||
70 | append_dot_mydomain = no | |
71 | ||
72 | # local distribution | |
73 | #local_recipient_maps = $alias_maps unix:passwd.byname | |
74 | mailbox_command = /usr/bin/procmail -a "$EXTENSION" | |
75 | mailbox_size_limit = 0 | |
76 | ||
77 | ### | |
78 | ### forwarding | |
79 | ### | |
80 | ||
81 | relocated_maps = hash:/etc/postfix/renamed_lists | |
82 | ||
83 | alias_maps = | |
84 | hash:/etc/postfix/aliases | |
85 | {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %} | |
86 | {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %} | |
87 | ||
88 | alias_database = | |
89 | hash:/etc/postfix/aliases | |
90 | ||
91 | # used for all domains other than hruid.polytechnique.org, which is local | |
92 | virtual_alias_maps = | |
93 | {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %} | |
94 | {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %} | |
95 | {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %} | |
96 | {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %} | |
97 | {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %} | |
98 | {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %} | |
99 | hash:/etc/postfix/virtual | |
100 | ||
101 | {% if has_imap %} | |
102 | virtual_mailbox_domains = imap.polytechnique.org | |
103 | virtual_transport = deliver_imap: | |
104 | {% endif %} | |
105 | ||
106 | ### | |
107 | ### rewriting | |
108 | ### | |
109 | ||
110 | {% if is_mx %} | |
111 | local_header_rewrite_clients=static:all | |
112 | {% endif %} | |
113 | ||
114 | # NOTE: We use different cleanups depending on when they are called. In order | |
115 | # to know which canonical maps are applied at which stage, please refer to master.cf | |
116 | ||
117 | # Possible rewriting of the From into an address in m4x.org or polytechnique.org | |
118 | {% if is_mx %} | |
119 | sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf | |
120 | sender_canonical_classes = envelope_sender, header_sender | |
121 | {% endif %} | |
122 | ||
123 | # transform _ into + (except for jaune_rouge@), and SRS decoding | |
124 | recipient_canonical_maps = | |
125 | {% if is_mx %}tcp:127.0.0.1:10002{% endif %} | |
126 | regexp:/etc/postfix/conversion_underscore.regex | |
127 | ||
128 | recipient_canonical_classes = envelope_recipient | |
129 | ||
130 | {% if has_mailman %} | |
131 | canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex | |
132 | pipemm_destination_recipient_limit = 1 | |
133 | {% endif %} | |
134 | ||
135 | # when rewriting, we have to keep the '+toto@' address extension | |
136 | propagate_unmatched_extensions = canonical | |
137 | ||
138 | # Undeliverable bounces are kept in the queue for only 36h | |
139 | bounce_queue_lifetime = 36h | |
140 | ||
141 | # Maximum message size 26MiB (cf infra 18/12/2009) | |
142 | message_size_limit = 27262976 | |
143 | ||
144 | ### | |
145 | ### anti-spam measures | |
146 | ### | |
147 | ||
148 | # limits at the level of SMTP commands received in a session: | |
149 | # - maximum 100 recipients per email, mandatory HELO, forbidden VRFY | |
150 | # - slow down after 2 erroneous commands (VRFY...) or 2 unknown commands | |
151 | # - slow down to 1 command every 10s, then stop after 20 errors | |
152 | smtpd_banner = $myhostname ESMTP | |
153 | smtpd_helo_required = yes | |
154 | disable_vrfy_command = yes | |
155 | smtpd_recipient_limit = 100 | |
156 | smtpd_junk_command_limit = 2 | |
157 | smtpd_soft_error_limit = 2 | |
158 | smtpd_error_sleep_time = 10s | |
159 | smtpd_hard_error_limit = 20 | |
160 | message_reject_characters = \0 | |
161 | smtpd_discard_ehlo_keywords = silent-discard, dsn | |
162 | ||
163 | smtpd_recipient_restrictions = | |
164 | {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %} | |
165 | permit_mynetworks | |
166 | check_recipient_access hash:/etc/postfix/recipient_access | |
167 | reject_invalid_hostname | |
168 | check_helo_access hash:/etc/postfix/helo_access | |
169 | reject_non_fqdn_sender | |
170 | reject_unknown_sender_domain | |
171 | reject_unauth_pipelining | |
172 | reject_unauth_destination | |
173 | {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %} | |
174 | reject_unlisted_sender | |
175 | {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %} | |
176 | ||
177 | # Postlicyd (instead of whitelister + postgrey) | |
178 | {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %} | |
179 | ||
180 | check_helo_access regexp:/etc/postfix/helo_access.regexp | |
181 | permit | |
182 | ||
183 | {% if is_mx %} | |
184 | smtpd_recipient_restrictions_sasl = | |
185 | reject_non_fqdn_sender | |
186 | reject_unknown_sender_domain | |
187 | reject_unlisted_sender | |
188 | check_policy_service inet:127.0.0.1:60001 | |
189 | permit_sasl_authenticated | |
190 | reject | |
191 | {% endif %} | |
192 | ||
193 | # Two smtpd_data_restrictions were added (11/8/2005); they do not seem very useful, | |
194 | # but they cost nothing and cannot produce false positives. | |
195 | # Postlicyd then performs the honeypot check at "DATA" time. | |
196 | smtpd_data_restrictions = | |
197 | reject_unauth_pipelining | |
198 | reject_multi_recipient_bounce | |
199 | {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %} | |
200 | permit | |
201 | ||
202 | # rejection of mails according to their content | |
203 | strict_rfc821_envelopes = yes | |
204 | nested_header_checks = | |
205 | mime_header_checks = regexp:/etc/postfix/header_checks/mime | |
206 | header_checks = | |
207 | regexp:/etc/postfix/header_checks/xorg | |
208 | regexp:/etc/postfix/header_checks/antispam | |
209 | regexp:/etc/postfix/header_checks/clean_self | |
210 | ||
211 | smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing | |
212 | ||
213 | ### | |
214 | ### not categorized | |
215 | ### | |
216 | ||
217 | # Make the requests stop at owner-alias for each alias | |
218 | owner_request_special = no | |
219 | ||
220 | parent_domain_matches_subdomains = | |
221 | ||
222 | # TLS server | |
223 | # paths of files: | |
224 | {% if is_mx %} | |
225 | smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt | |
226 | smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key | |
227 | {% endif %} | |
228 | {% if has_smtps %} | |
229 | smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache | |
230 | smtpd_tls_session_cache_timeout=3600 | |
231 | {% endif %} | |
232 | smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt | |
233 | # the server offers STARTTLS but does not require it: | |
234 | smtpd_tls_security_level = may | |
235 | smtpd_tls_loglevel = 1 | |
236 | # we record TLS use in the Received header | |
237 | smtpd_tls_received_header = yes | |
238 | # we ask the client for a certificate, but do not require one | |
239 | smtpd_tls_ask_ccert = yes | |
240 | ||
241 | # TLS client | |
242 | {% if is_mx %} | |
243 | smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt | |
244 | smtp_tls_key_file = /etc/postfix/ssl/smtp.key | |
245 | {% endif %} | |
246 | smtp_tls_CAfile = /etc/postfix/ssl/ca.crt | |
247 | smtp_tls_policy_maps = hash:/etc/postfix/tls_policy | |
248 | smtp_tls_security_level = may | |
249 | smtp_tls_loglevel = 1 | |
250 | ||
251 | # Choose which information is sent to postmaster... | |
252 | notify_classes = resource,software | |
253 | error_notice_recipient = root | |
254 | ||
255 | setgid_group = postdrop | |
256 | biff = no | |
257 | ||
258 | # Default value plus $smtpd_recipient_restrictions, which is needed so that proxy: maps can be used in that section | |
259 | {% if is_mx %} | |
260 | proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions | |
261 | {% endif %} | |
262 | ||
263 | # The following line allows blocking every outgoing email, e.g. during tests or server migrations | |
264 | # source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g | |
265 | #default_transport = retry:waiting for more stability | |
266 | ||
267 | # vim:set syntax=pfmain: |