[vagrant-mail.git] / test-vagrant-salt / salt / testvm / postfix / main.cf

# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
{% set has_imap = not not pillar['postfix'].get('has_imap') %}
{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}

###
### Server configuration
###

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
default_privs = mail

defer_transports = deferred

hash_queue_depth = 1
hash_queue_names = active,deferred,bounce,defer,flush

###
### receiving and distributing emails
###

{% if not is_mx %}
inet_protocols = all
inet_interfaces = 127.0.0.1
{% elif pillar['postfix']['ipaddr'].get('mx6') %}
inet_protocols = all
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
#smtp_address_preference = ipv4
{% else %}
inet_protocols = ipv4
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
{% endif %}

myhostname = {{ grains["host"] }}.polytechnique.org

{% if not is_mx %}
mydomain = $myhostname
{% else %}
mydomain = polytechnique.org
{% endif %}
myorigin = $myhostname


mydestination =
    hruid.polytechnique.org
    {{ grains["host"] }}.polytechnique.org
    {{ grains["host"] }}.m4x.org
    {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}

virtual_alias_domains =
    hash:/etc/postfix/virtual
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}

mynetworks = 127.0.0.1/32

relay_domains = bounces.m4x.org

transport_maps =
    {% if is_mx %}hash:/etc/postfix/transport{% endif %}
    hash:/etc/postfix/transport-{{ grains["host"] }}
    {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}

recipient_delimiter = +

append_dot_mydomain = no

# local distribution
#local_recipient_maps = $alias_maps unix:passwd.byname
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0

###
### forwarding
###

relocated_maps = hash:/etc/postfix/renamed_lists

alias_maps =
    hash:/etc/postfix/aliases
    {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
    {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}

alias_database =
    hash:/etc/postfix/aliases

# used for all domains other than hruid.polytechnique.org, which is local
virtual_alias_maps =
    {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
    {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
    {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
    hash:/etc/postfix/virtual

{% if has_imap %}
virtual_mailbox_domains = imap.polytechnique.org
virtual_transport = deliver_imap:
{% endif %}

###
### rewriting
###

{% if is_mx %}
local_header_rewrite_clients=static:all
{% endif %}

# NOTE: We use some different cleanups in function of when is it called. In order
#       to know which canonicals are applied when please refer to the master.cf

# Possible transformation of the From in an adress in m4x.org or polytechnique.org
{% if is_mx %}
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
sender_canonical_classes = envelope_sender, header_sender
{% endif %}

# transform the _ into + but for jaune_rouge@ and SRS decoding
recipient_canonical_maps =
    {% if is_mx %}tcp:127.0.0.1:10002{% endif %}
    regexp:/etc/postfix/conversion_underscore.regex

recipient_canonical_classes = envelope_recipient

{% if has_mailman %}
canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
pipemm_destination_recipient_limit = 1
{% endif %}

# when rewriting, we have to keep the '+toto@'
propagate_unmatched_extensions = canonical

# We keep bounces that are not deliverable in queue only 36h
bounce_queue_lifetime = 36h

# Maximum message size 26MiB (cf infra 18/12/2009)
message_size_limit = 27262976

###
### anti-spam mesures
###

# limits at the level of SMTP commands received in a session:
# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
# - slow down after 2 false commands (VRFY...) or 2 unknown commands
# - slow down to 1 command every 10s, then stop after 20 errors
smtpd_banner			    = $myhostname ESMTP
smtpd_helo_required		    = yes
disable_vrfy_command		= yes
smtpd_recipient_limit		= 100
smtpd_junk_command_limit	= 2
smtpd_soft_error_limit		= 2
smtpd_error_sleep_time		= 10s
smtpd_hard_error_limit		= 20
message_reject_characters	= \0
smtpd_discard_ehlo_keywords = silent-discard, dsn

smtpd_recipient_restrictions =
    {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
    permit_mynetworks
    check_recipient_access hash:/etc/postfix/recipient_access
        reject_invalid_hostname
    check_helo_access hash:/etc/postfix/helo_access
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unauth_pipelining
        reject_unauth_destination
    {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
        reject_unlisted_sender
    {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}

    # Postlicyd (instead of whitelister + postgrey)
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}

        check_helo_access regexp:/etc/postfix/helo_access.regexp
    permit

{% if is_mx %}
smtpd_recipient_restrictions_sasl =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_sender
    check_policy_service inet:127.0.0.1:60001
    permit_sasl_authenticated
    reject
{% endif %}

# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
# but it does not cost anything and there is no possible false positives.
# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
    permit

# reject of mails according of their content
strict_rfc821_envelopes = yes
nested_header_checks    =
mime_header_checks      = regexp:/etc/postfix/header_checks/mime
header_checks           =
    regexp:/etc/postfix/header_checks/xorg
    regexp:/etc/postfix/header_checks/antispam
    regexp:/etc/postfix/header_checks/clean_self

smtp_header_checks      = regexp:/etc/postfix/header_checks/outgoing

###
### not categorized
###

# Make the requests stop at owner-alias for each alias
owner_request_special = no

parent_domain_matches_subdomains =

# TLS server
# paths of files:
{% if is_mx %}
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file  = /etc/postfix/ssl/smtpd.key
{% endif %}
{% if has_smtps %}
smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
smtpd_tls_session_cache_timeout=3600
{% endif %}
smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
# the serveur proposes (STARTTLS):
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# we add headers if TLS has been used
smtpd_tls_received_header = yes
# we ask the client if she can provide a certificated, but we do not require it
smtpd_tls_ask_ccert = yes

# TLS client
{% if is_mx %}
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file  = /etc/postfix/ssl/smtp.key
{% endif %}
smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Choose which information is sent to postmaster...
notify_classes = resource,software
error_notice_recipient = root

setgid_group = postdrop
biff = no

# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
{% if is_mx %}
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
{% endif %}

# The following line allow blocking every outgoing email, when doing tests or server migrations
# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
#default_transport = retry:waiting for more stability

# vim:set syntax=pfmain:
Commit	Line	Data
cbf0e0a2 NI	1	# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
	2	{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
	3	{% set has_imap = not not pillar['postfix'].get('has_imap') %}
	4	{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
	5	{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
	6
	7	###
	8	### Server configuration
	9	###
	10
	11	queue_directory = /var/spool/postfix
	12	command_directory = /usr/sbin
	13	daemon_directory = /usr/lib/postfix
	14	mail_owner = postfix
	15	default_privs = mail
	16
	17	defer_transports = deferred
	18
	19	hash_queue_depth = 1
	20	hash_queue_names = active,deferred,bounce,defer,flush
	21
	22	###
	23	### receiving and distributing emails
	24	###
	25
	26	{% if not is_mx %}
	27	inet_protocols = all
	28	inet_interfaces = 127.0.0.1
	29	{% elif pillar['postfix']['ipaddr'].get('mx6') %}
	30	inet_protocols = all
	31	inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
	32	smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
	33	#smtp_address_preference = ipv4
	34	{% else %}
	35	inet_protocols = ipv4
	36	inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
	37	{% endif %}
	38
	39	myhostname = {{ grains["host"] }}.polytechnique.org
	40
	41	{% if not is_mx %}
	42	mydomain = $myhostname
	43	{% else %}
	44	mydomain = polytechnique.org
	45	{% endif %}
	46	myorigin = $myhostname
	47
	48
	49	mydestination =
	50	hruid.polytechnique.org
	51	{{ grains["host"] }}.polytechnique.org
	52	{{ grains["host"] }}.m4x.org
	53	{% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}
	54
	55	virtual_alias_domains =
	56	hash:/etc/postfix/virtual
	57	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}
	58
	59	mynetworks = 127.0.0.1/32
	60
	61	relay_domains = bounces.m4x.org
	62
	63	transport_maps =
	64	{% if is_mx %}hash:/etc/postfix/transport{% endif %}
65	hash:/etc/postfix/transport-{{ grains["host"] }}
66	{% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}
67
68	recipient_delimiter = +
69
70	append_dot_mydomain = no
71
72	# local distribution
73	#local_recipient_maps = $alias_maps unix:passwd.byname
74	mailbox_command = /usr/bin/procmail -a "$EXTENSION"
75	mailbox_size_limit = 0
76
77	###
78	### forwarding
79	###
80
81	relocated_maps = hash:/etc/postfix/renamed_lists
82
83	alias_maps =
84	hash:/etc/postfix/aliases
85	{% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
86	{% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}
87
88	alias_database =
89	hash:/etc/postfix/aliases
90
91	# used for all domains other than hruid.polytechnique.org, which is local
92	virtual_alias_maps =
93	{% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
94	{% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
95	{% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
96	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
97	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
98	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
99	hash:/etc/postfix/virtual
100
101	{% if has_imap %}
102	virtual_mailbox_domains = imap.polytechnique.org
103	virtual_transport = deliver_imap:
104	{% endif %}
105
106	###
107	### rewriting
108	###
109
110	{% if is_mx %}
111	local_header_rewrite_clients=static:all
112	{% endif %}
113
114	# NOTE: We use some different cleanups in function of when is it called. In order
115	# to know which canonicals are applied when please refer to the master.cf
116
117	# Possible transformation of the From in an adress in m4x.org or polytechnique.org
118	{% if is_mx %}
119	sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
120	sender_canonical_classes = envelope_sender, header_sender
121	{% endif %}
122
123	# transform the _ into + but for jaune_rouge@ and SRS decoding
124	recipient_canonical_maps =
125	{% if is_mx %}tcp:127.0.0.1:10002{% endif %}
126	regexp:/etc/postfix/conversion_underscore.regex
127
128	recipient_canonical_classes = envelope_recipient
129
130	{% if has_mailman %}
131	canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
132	pipemm_destination_recipient_limit = 1
133	{% endif %}
134
135	# when rewriting, we have to keep the '+toto@'
136	propagate_unmatched_extensions = canonical
137
138	# We keep bounces that are not deliverable in queue only 36h
139	bounce_queue_lifetime = 36h
140
141	# Maximum message size 26MiB (cf infra 18/12/2009)
142	message_size_limit = 27262976
143
144	###
145	### anti-spam mesures
146	###
147
148	# limits at the level of SMTP commands received in a session:
149	# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
150	# - slow down after 2 false commands (VRFY...) or 2 unknown commands
151	# - slow down to 1 command every 10s, then stop after 20 errors
152	smtpd_banner = $myhostname ESMTP
153	smtpd_helo_required = yes
154	disable_vrfy_command = yes
155	smtpd_recipient_limit = 100
156	smtpd_junk_command_limit = 2
157	smtpd_soft_error_limit = 2
158	smtpd_error_sleep_time = 10s
159	smtpd_hard_error_limit = 20
160	message_reject_characters = \0
161	smtpd_discard_ehlo_keywords = silent-discard, dsn
162
163	smtpd_recipient_restrictions =
164	{% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
165	permit_mynetworks
166	check_recipient_access hash:/etc/postfix/recipient_access
167	reject_invalid_hostname
168	check_helo_access hash:/etc/postfix/helo_access
169	reject_non_fqdn_sender
170	reject_unknown_sender_domain
171	reject_unauth_pipelining
172	reject_unauth_destination
173	{% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
174	reject_unlisted_sender
175	{% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}
176
177	# Postlicyd (instead of whitelister + postgrey)
178	{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
179
180	check_helo_access regexp:/etc/postfix/helo_access.regexp
181	permit
182
183	{% if is_mx %}
184	smtpd_recipient_restrictions_sasl =
185	reject_non_fqdn_sender
186	reject_unknown_sender_domain
187	reject_unlisted_sender
188	check_policy_service inet:127.0.0.1:60001
189	permit_sasl_authenticated
190	reject
191	{% endif %}
192
193	# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
194	# but it does not cost anything and there is no possible false positives.
195	# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
196	smtpd_data_restrictions =
197	reject_unauth_pipelining
198	reject_multi_recipient_bounce
199	{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
200	permit
201
202	# reject of mails according of their content
203	strict_rfc821_envelopes = yes
204	nested_header_checks =
205	mime_header_checks = regexp:/etc/postfix/header_checks/mime
206	header_checks =
207	regexp:/etc/postfix/header_checks/xorg
208	regexp:/etc/postfix/header_checks/antispam
209	regexp:/etc/postfix/header_checks/clean_self
210
211	smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing
212
213	###
214	### not categorized
215	###
216
217	# Make the requests stop at owner-alias for each alias
218	owner_request_special = no
219
220	parent_domain_matches_subdomains =
221
222	# TLS server
223	# paths of files:
224	{% if is_mx %}
225	smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
226	smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
227	{% endif %}
228	{% if has_smtps %}
229	smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
230	smtpd_tls_session_cache_timeout=3600
231	{% endif %}
232	smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
233	# the serveur proposes (STARTTLS):
234	smtpd_tls_security_level = may
235	smtpd_tls_loglevel = 1
236	# we add headers if TLS has been used
237	smtpd_tls_received_header = yes
238	# we ask the client if she can provide a certificated, but we do not require it
239	smtpd_tls_ask_ccert = yes
240
241	# TLS client
242	{% if is_mx %}
243	smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
244	smtp_tls_key_file = /etc/postfix/ssl/smtp.key
245	{% endif %}
246	smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
247	smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
248	smtp_tls_security_level = may
249	smtp_tls_loglevel = 1
250
251	# Choose which information is sent to postmaster...
252	notify_classes = resource,software
253	error_notice_recipient = root
254
255	setgid_group = postdrop
256	biff = no
257
258	# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
259	{% if is_mx %}
260	proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
261	{% endif %}
262
263	# The following line allow blocking every outgoing email, when doing tests or server migrations
264	# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
265	#default_transport = retry:waiting for more stability
266
267	# vim:set syntax=pfmain: