# Postfix main.cf rendered by Salt (Jinja). Inputs come from pillar['postfix']
# (ipaddr.mx4 / ipaddr.mx6, has_imap, has_mailman, has_smtps, dest_domains) and
# from grains["host"]; the maps referenced below live under /etc/postfix.
# Comment lines start with '#' in column 0; Postfix only treats a line as a
# continuation of the previous value when it starts with whitespace.
# NOTE(review): the multi-line values in this listing (mydestination,
# transport_maps, alias_maps, virtual_alias_maps, smtpd_recipient_restrictions,
# ...) show no leading whitespace -- confirm the deployed template keeps the
# indentation on continuation lines.
#
# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
# "not not" coerces each pillar value to a boolean; a missing key yields False.
# is_mx is true only when a public IPv4 MX address is configured.
{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
{% set has_imap = not not pillar['postfix'].get('has_imap') %}
{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
# has_smtps only toggles the TLS session cache settings further down.
{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}

###
### Server configuration
###

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
# Unix account used by local(8) when delivering to an external file or command
# that has no owner of its own (keeps such deliveries away from root).
default_privs = mail

# NOTE(review): defer_transports expects transport names from master.cf;
# confirm a "deferred" transport exists there, otherwise this is a no-op.
defer_transports = deferred

# One level of hashed subdirectories for the listed queue directories.
hash_queue_depth = 1
hash_queue_names = active,deferred,bounce,defer,flush

###
### receiving and distributing emails
###

# Listening addresses:
# - non-MX hosts only listen on IPv4 loopback
# - MX hosts with an IPv6 address listen on both MX addresses (loopback is not
#   listed in that case) and use the IPv6 MX address for outbound IPv6
# - MX hosts without an IPv6 address are IPv4-only
{% if not is_mx %}
inet_protocols = all
inet_interfaces = 127.0.0.1
{% elif pillar['postfix']['ipaddr'].get('mx6') %}
inet_protocols = all
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
#smtp_address_preference = ipv4
{% else %}
inet_protocols = ipv4
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
{% endif %}

myhostname = {{ grains["host"] }}.polytechnique.org

# MX hosts speak for the whole domain; other hosts only for themselves.
{% if not is_mx %}
mydomain = $myhostname
{% else %}
mydomain = polytechnique.org
{% endif %}
myorigin = $myhostname


# Domains delivered locally (local(8) + alias_maps).
# NOTE(review): the for-loop below emits the dest_domains entries back to back
# with no separator between them; confirm dest_domains holds at most one entry
# or that each value carries its own delimiter, otherwise they are concatenated.
mydestination =
hruid.polytechnique.org
{{ grains["host"] }}.polytechnique.org
{{ grains["host"] }}.m4x.org
{% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}

# Domains whose addresses are only rewritten via virtual_alias_maps; MX hosts
# add the MySQL-backed domain list through proxymap(8).
virtual_alias_domains =
hash:/etc/postfix/virtual
{% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}

# Every address here passes permit_mynetworks in smtpd_recipient_restrictions
# and may therefore relay; keep it to IPv4 loopback.
mynetworks = 127.0.0.1/32

# Mail for this domain is accepted and forwarded rather than delivered locally.
relay_domains = bounces.m4x.org

# Per-domain/per-address delivery transport; the host-specific map is always
# present, the shared map only on MX hosts, the Mailman regexp only with Mailman.
transport_maps =
{% if is_mx %}hash:/etc/postfix/transport{% endif %}
hash:/etc/postfix/transport-{{ grains["host"] }}
{% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}

# user+extension@ addressing; the extension is passed to procmail below.
recipient_delimiter = +

append_dot_mydomain = no

# local distribution
#local_recipient_maps = $alias_maps unix:passwd.byname
# "$EXTENSION" is quoted so the recipient-supplied address extension reaches
# procmail as a single argument.
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
# 0 = no limit on the size of a local mailbox file.
mailbox_size_limit = 0

###
### forwarding
###

# Bounce with a "user has moved" notice for renamed lists.
relocated_maps = hash:/etc/postfix/renamed_lists

# Consulted by local(8) for mydestination domains; the MySQL maps are looked
# up directly (no proxy:) here, presumably because local(8) rather than
# smtpd(8) reads them -- confirm.
alias_maps =
hash:/etc/postfix/aliases
{% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
{% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}

# Only the hash map is rebuilt by newaliases.
alias_database =
hash:/etc/postfix/aliases

# used for all domains other than hruid.polytechnique.org, which is local
# Maps are searched in order; the first match wins.
virtual_alias_maps =
{% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
{% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
{% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
{% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
hash:/etc/postfix/virtual

# IMAP hosts deliver the imap.polytechnique.org domain through a dedicated
# transport; "deliver_imap" is presumably defined in master.cf -- confirm.
{% if has_imap %}
virtual_mailbox_domains = imap.polytechnique.org
virtual_transport = deliver_imap:
{% endif %}

###
### rewriting
###

# On MX hosts, header address rewriting (e.g. appending myorigin) is applied
# to mail from every client, not only from local ones.
{% if is_mx %}
local_header_rewrite_clients=static:all
{% endif %}

# NOTE: Different cleanup(8) instances apply different canonical maps depending
# on where they are invoked. To know which canonical maps are applied at which
# stage, refer to master.cf.

# Possible transformation of the From into an address in m4x.org or polytechnique.org
{% if is_mx %}
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
sender_canonical_classes = envelope_sender, header_sender
{% endif %}

# Transform _ into + (except for jaune_rouge@) and SRS decoding.
# On MX hosts the first lookup goes to a local tcp: table service on port 10002.
recipient_canonical_maps =
{% if is_mx %}tcp:127.0.0.1:10002{% endif %}
regexp:/etc/postfix/conversion_underscore.regex

# Only the envelope recipient is rewritten, header recipients are left alone.
recipient_canonical_classes = envelope_recipient

{% if has_mailman %}
canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
# One recipient per delivery for the (master.cf-defined) pipemm transport.
pipemm_destination_recipient_limit = 1
{% endif %}

# when rewriting, we have to keep the '+toto@'
propagate_unmatched_extensions = canonical

# We keep bounces that are not deliverable in the queue only 36h
bounce_queue_lifetime = 36h

# Maximum message size 26MiB (cf infra 18/12/2009)
message_size_limit = 27262976

###
### anti-spam measures
###

# limits at the level of SMTP commands received in a session:
# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
# - slow down after 2 false commands (VRFY...) or 2 unknown commands
# - slow down to 1 command every 10s, then stop after 20 errors
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_limit = 100
smtpd_junk_command_limit = 2
smtpd_soft_error_limit = 2
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = 20
# Reject messages containing NUL bytes.
message_reject_characters = \0
# Do not advertise DSN in the EHLO response, and do not log the omission.
smtpd_discard_ehlo_keywords = silent-discard, dsn

# Restrictions are evaluated top to bottom and the first OK/permit or reject
# decides. Anything that returns OK before reject_unauth_destination
# (permit_mynetworks, OK entries in client_access or recipient_access) allows
# relaying for that client/recipient, so keep OK entries in those maps to
# sources and recipients that are meant to relay. MX hosts additionally apply
# the client, blacklist, disabled-accounts and Postlicyd policy checks.
# NOTE(review): mysql-disabled-accounts.cf is looked up with mysql: while the
# other MySQL maps used by smtpd(8) go through proxy:mysql:; confirm this is
# intended (proxy: shares one connection via proxymap(8) and keeps the
# credentials out of the smtpd(8) processes).
smtpd_recipient_restrictions =
{% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
permit_mynetworks
check_recipient_access hash:/etc/postfix/recipient_access
reject_invalid_hostname
check_helo_access hash:/etc/postfix/helo_access
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unauth_pipelining
reject_unauth_destination
{% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
reject_unlisted_sender
{% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}

# Postlicyd (instead of whitelister + postgrey)
{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}

check_helo_access regexp:/etc/postfix/helo_access.regexp
permit

# User-defined parameter, presumably applied to the authenticated submission
# service in master.cf via "-o smtpd_recipient_restrictions=..." -- confirm.
# It relays only for SASL-authenticated clients and rejects everything else.
{% if is_mx %}
smtpd_recipient_restrictions_sasl =
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unlisted_sender
check_policy_service inet:127.0.0.1:60001
permit_sasl_authenticated
reject
{% endif %}

# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
# but it does not cost anything and there are no possible false positives.
# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
permit

# rejection of mail based on its content
strict_rfc821_envelopes = yes
# Empty: headers of attached messages are not checked (the default would
# reuse $header_checks).
nested_header_checks =
mime_header_checks = regexp:/etc/postfix/header_checks/mime
header_checks =
regexp:/etc/postfix/header_checks/testvm

# Header checks applied by the SMTP client to outgoing mail.
smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing

###
### not categorized
###

# Disable the special treatment of owner-listname / listname-request aliases.
owner_request_special = no

# Empty: domain lists (mynetworks, relay_domains, ...) match exactly; a
# subdomain must be listed explicitly as ".domain".
parent_domain_matches_subdomains =

# TLS server
# paths of files:
# Only MX hosts carry the server certificate; the client CA file and the
# STARTTLS settings below apply everywhere.
{% if is_mx %}
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
{% endif %}
# NOTE(review): the session cache lives under the queue directory with an
# sdbm: table; current Postfix documentation recommends a btree: table under
# $data_directory -- confirm against the Postfix version deployed.
{% if has_smtps %}
smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
smtpd_tls_session_cache_timeout=3600
{% endif %}
# CA used to verify client certificates offered after smtpd_tls_ask_ccert.
smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
# the server offers (STARTTLS); "may" is opportunistic, clear-text is still
# accepted. No protocol or cipher parameters are set here, so the Postfix
# defaults of the installed version apply.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# we add headers if TLS has been used
smtpd_tls_received_header = yes
# we ask the client whether it can provide a certificate, but we do not require it
smtpd_tls_ask_ccert = yes

# TLS client
{% if is_mx %}
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file = /etc/postfix/ssl/smtp.key
{% endif %}
smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
# Per-destination policy can raise the level above "may" (e.g. encrypt, verify)
# for specific next-hop domains.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Choose which information is sent to postmaster...
notify_classes = resource,software
error_notice_recipient = root

setgid_group = postdrop
biff = no

# Default value, to which we add $smtpd_recipient_restrictions: every map
# referenced with proxy: must be listed here so that proxymap(8) agrees to
# open it on behalf of smtpd(8).
{% if is_mx %}
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
{% endif %}

# The following line allows blocking every outgoing email, when doing tests or server migrations
# (the retry: transport keeps the mail queued with the given reason text).
# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
#default_transport = retry:waiting for more stability

# vim:set syntax=pfmain: