[vagrant-mail.git] / test-vagrant-salt / salt / testvm / postfix / main.cf

# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
{% set has_imap = not not pillar['postfix'].get('has_imap') %}
{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}

###
### Server configuration
###

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
default_privs = mail

defer_transports = deferred

hash_queue_depth = 1
hash_queue_names = active,deferred,bounce,defer,flush

###
### receiving and distributing emails
###

{% if not is_mx %}
inet_protocols = all
inet_interfaces = 127.0.0.1
{% elif pillar['postfix']['ipaddr'].get('mx6') %}
inet_protocols = all
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
#smtp_address_preference = ipv4
{% else %}
inet_protocols = ipv4
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
{% endif %}

myhostname = {{ grains["host"] }}.polytechnique.org

{% if not is_mx %}
mydomain = $myhostname
{% else %}
mydomain = polytechnique.org
{% endif %}
myorigin = $myhostname


mydestination =
    hruid.polytechnique.org
    {{ grains["host"] }}.polytechnique.org
    {{ grains["host"] }}.m4x.org
    {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}

virtual_alias_domains =
    hash:/etc/postfix/virtual
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}

mynetworks = 127.0.0.1/32

relay_domains = bounces.m4x.org

transport_maps =
    {% if is_mx %}hash:/etc/postfix/transport{% endif %}
    hash:/etc/postfix/transport-{{ grains["host"] }}
    {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}

recipient_delimiter = +

append_dot_mydomain = no

# local distribution
#local_recipient_maps = $alias_maps unix:passwd.byname
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0

###
### forwarding
###

relocated_maps = hash:/etc/postfix/renamed_lists

alias_maps =
    hash:/etc/postfix/aliases
    {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
    {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}

alias_database =
    hash:/etc/postfix/aliases

# used for all domains other than hruid.polytechnique.org, which is local
virtual_alias_maps =
    {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
    {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
    {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
    hash:/etc/postfix/virtual

{% if has_imap %}
virtual_mailbox_domains = imap.polytechnique.org
virtual_transport = deliver_imap:
{% endif %}

###
### rewriting
###

{% if is_mx %}
local_header_rewrite_clients=static:all
{% endif %}

# NOTE: We use some different cleanups in function of when is it called. In order
#       to know which canonicals are applied when please refer to the master.cf

# Possible transformation of the From in an adress in m4x.org or polytechnique.org
{% if is_mx %}
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
sender_canonical_classes = envelope_sender, header_sender
{% endif %}

# transform the _ into + but for jaune_rouge@ and SRS decoding
recipient_canonical_maps =
    {% if is_mx %}tcp:127.0.0.1:10002{% endif %}
    regexp:/etc/postfix/conversion_underscore.regex

recipient_canonical_classes = envelope_recipient

{% if has_mailman %}
canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
pipemm_destination_recipient_limit = 1
{% endif %}

# when rewriting, we have to keep the '+toto@'
propagate_unmatched_extensions = canonical

# We keep bounces that are not deliverable in queue only 36h
bounce_queue_lifetime = 36h

# Maximum message size 26MiB (cf infra 18/12/2009)
message_size_limit = 27262976

###
### anti-spam mesures
###

# limits at the level of SMTP commands received in a session:
# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
# - slow down after 2 false commands (VRFY...) or 2 unknown commands
# - slow down to 1 command every 10s, then stop after 20 errors
smtpd_banner			    = $myhostname ESMTP
smtpd_helo_required		    = yes
disable_vrfy_command		= yes
smtpd_recipient_limit		= 100
smtpd_junk_command_limit	= 2
smtpd_soft_error_limit		= 2
smtpd_error_sleep_time		= 10s
smtpd_hard_error_limit		= 20
message_reject_characters	= \0
smtpd_discard_ehlo_keywords = silent-discard, dsn

smtpd_recipient_restrictions =
    {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
    permit_mynetworks
    check_recipient_access hash:/etc/postfix/recipient_access
        reject_invalid_hostname
    check_helo_access hash:/etc/postfix/helo_access
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unauth_pipelining
        reject_unauth_destination
    {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
        reject_unlisted_sender
    {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}

    # Postlicyd (instead of whitelister + postgrey)
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}

        check_helo_access regexp:/etc/postfix/helo_access.regexp
    permit

{% if is_mx %}
smtpd_recipient_restrictions_sasl =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_sender
    check_policy_service inet:127.0.0.1:60001
    permit_sasl_authenticated
    reject
{% endif %}

# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
# but it does not cost anything and there is no possible false positives.
# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
    permit

# reject of mails according of their content
strict_rfc821_envelopes = yes
nested_header_checks    =
mime_header_checks      = regexp:/etc/postfix/header_checks/mime
header_checks           =
    regexp:/etc/postfix/header_checks/testvm

smtp_header_checks      = regexp:/etc/postfix/header_checks/outgoing

###
### not categorized
###

# Make the requests stop at owner-alias for each alias
owner_request_special = no

parent_domain_matches_subdomains =

# TLS server
# paths of files:
{% if is_mx %}
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file  = /etc/postfix/ssl/smtpd.key
{% endif %}
{% if has_smtps %}
smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
smtpd_tls_session_cache_timeout=3600
{% endif %}
smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
# the serveur proposes (STARTTLS):
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# we add headers if TLS has been used
smtpd_tls_received_header = yes
# we ask the client if she can provide a certificated, but we do not require it
smtpd_tls_ask_ccert = yes

# TLS client
{% if is_mx %}
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file  = /etc/postfix/ssl/smtp.key
{% endif %}
smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Choose which information is sent to postmaster...
notify_classes = resource,software
error_notice_recipient = root

setgid_group = postdrop
biff = no

# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
{% if is_mx %}
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
{% endif %}

# The following line allow blocking every outgoing email, when doing tests or server migrations
# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
#default_transport = retry:waiting for more stability

# vim:set syntax=pfmain:
Commit	Line	Data
	1	# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
	2	{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
	3	{% set has_imap = not not pillar['postfix'].get('has_imap') %}
	4	{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
	5	{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
	6
	7	###
	8	### Server configuration
	9	###
	10
	11	queue_directory = /var/spool/postfix
	12	command_directory = /usr/sbin
	13	daemon_directory = /usr/lib/postfix
	14	mail_owner = postfix
	15	default_privs = mail
	16
	17	defer_transports = deferred
	18
	19	hash_queue_depth = 1
	20	hash_queue_names = active,deferred,bounce,defer,flush
	21
	22	###
	23	### receiving and distributing emails
	24	###
	25
	26	{% if not is_mx %}
	27	inet_protocols = all
	28	inet_interfaces = 127.0.0.1
	29	{% elif pillar['postfix']['ipaddr'].get('mx6') %}
	30	inet_protocols = all
	31	inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
	32	smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
	33	#smtp_address_preference = ipv4
	34	{% else %}
	35	inet_protocols = ipv4
	36	inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
	37	{% endif %}
	38
	39	myhostname = {{ grains["host"] }}.polytechnique.org
	40
	41	{% if not is_mx %}
	42	mydomain = $myhostname
	43	{% else %}
	44	mydomain = polytechnique.org
	45	{% endif %}
	46	myorigin = $myhostname
	47
	48
	49	mydestination =
	50	hruid.polytechnique.org
	51	{{ grains["host"] }}.polytechnique.org
	52	{{ grains["host"] }}.m4x.org
	53	{% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}
	54
	55	virtual_alias_domains =
	56	hash:/etc/postfix/virtual
	57	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}
	58
	59	mynetworks = 127.0.0.1/32
	60
	61	relay_domains = bounces.m4x.org
	62
	63	transport_maps =
	64	{% if is_mx %}hash:/etc/postfix/transport{% endif %}
	65	hash:/etc/postfix/transport-{{ grains["host"] }}
	66	{% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}
	67
	68	recipient_delimiter = +
	69
	70	append_dot_mydomain = no
	71
	72	# local distribution
	73	#local_recipient_maps = $alias_maps unix:passwd.byname
	74	mailbox_command = /usr/bin/procmail -a "$EXTENSION"
	75	mailbox_size_limit = 0
	76
	77	###
	78	### forwarding
	79	###
	80
	81	relocated_maps = hash:/etc/postfix/renamed_lists
	82
	83	alias_maps =
	84	hash:/etc/postfix/aliases
	85	{% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
	86	{% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}
	87
	88	alias_database =
	89	hash:/etc/postfix/aliases
	90
	91	# used for all domains other than hruid.polytechnique.org, which is local
	92	virtual_alias_maps =
	93	{% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
	94	{% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
	95	{% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
	96	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
	97	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
	98	{% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
	99	hash:/etc/postfix/virtual
	100
	101	{% if has_imap %}
	102	virtual_mailbox_domains = imap.polytechnique.org
	103	virtual_transport = deliver_imap:
	104	{% endif %}
	105
	106	###
	107	### rewriting
	108	###
	109
	110	{% if is_mx %}
	111	local_header_rewrite_clients=static:all
	112	{% endif %}
	113
	114	# NOTE: We use some different cleanups in function of when is it called. In order
	115	# to know which canonicals are applied when please refer to the master.cf
	116
	117	# Possible transformation of the From in an adress in m4x.org or polytechnique.org
	118	{% if is_mx %}
	119	sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
	120	sender_canonical_classes = envelope_sender, header_sender
	121	{% endif %}
	122
	123	# transform the _ into + but for jaune_rouge@ and SRS decoding
	124	recipient_canonical_maps =
	125	{% if is_mx %}tcp:127.0.0.1:10002{% endif %}
	126	regexp:/etc/postfix/conversion_underscore.regex
	127
	128	recipient_canonical_classes = envelope_recipient
	129
	130	{% if has_mailman %}
	131	canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
	132	pipemm_destination_recipient_limit = 1
	133	{% endif %}
	134
	135	# when rewriting, we have to keep the '+toto@'
	136	propagate_unmatched_extensions = canonical
	137
	138	# We keep bounces that are not deliverable in queue only 36h
	139	bounce_queue_lifetime = 36h
	140
	141	# Maximum message size 26MiB (cf infra 18/12/2009)
	142	message_size_limit = 27262976
	143
	144	###
	145	### anti-spam mesures
	146	###
	147
	148	# limits at the level of SMTP commands received in a session:
	149	# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
	150	# - slow down after 2 false commands (VRFY...) or 2 unknown commands
	151	# - slow down to 1 command every 10s, then stop after 20 errors
	152	smtpd_banner = $myhostname ESMTP
	153	smtpd_helo_required = yes
	154	disable_vrfy_command = yes
	155	smtpd_recipient_limit = 100
	156	smtpd_junk_command_limit = 2
	157	smtpd_soft_error_limit = 2
	158	smtpd_error_sleep_time = 10s
	159	smtpd_hard_error_limit = 20
	160	message_reject_characters = \0
	161	smtpd_discard_ehlo_keywords = silent-discard, dsn
	162
	163	smtpd_recipient_restrictions =
	164	{% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
	165	permit_mynetworks
	166	check_recipient_access hash:/etc/postfix/recipient_access
	167	reject_invalid_hostname
	168	check_helo_access hash:/etc/postfix/helo_access
	169	reject_non_fqdn_sender
	170	reject_unknown_sender_domain
	171	reject_unauth_pipelining
	172	reject_unauth_destination
	173	{% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
	174	reject_unlisted_sender
	175	{% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}
	176
	177	# Postlicyd (instead of whitelister + postgrey)
	178	{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
	179
	180	check_helo_access regexp:/etc/postfix/helo_access.regexp
	181	permit
	182
	183	{% if is_mx %}
	184	smtpd_recipient_restrictions_sasl =
	185	reject_non_fqdn_sender
	186	reject_unknown_sender_domain
	187	reject_unlisted_sender
	188	check_policy_service inet:127.0.0.1:60001
	189	permit_sasl_authenticated
	190	reject
	191	{% endif %}
	192
	193	# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
	194	# but it does not cost anything and there is no possible false positives.
	195	# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
	196	smtpd_data_restrictions =
	197	reject_unauth_pipelining
	198	reject_multi_recipient_bounce
	199	{% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
	200	permit
	201
	202	# reject of mails according of their content
	203	strict_rfc821_envelopes = yes
	204	nested_header_checks =
	205	mime_header_checks = regexp:/etc/postfix/header_checks/mime
	206	header_checks =
	207	regexp:/etc/postfix/header_checks/testvm
	208
	209	smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing
	210
	211	###
	212	### not categorized
	213	###
	214
	215	# Make the requests stop at owner-alias for each alias
	216	owner_request_special = no
	217
	218	parent_domain_matches_subdomains =
	219
	220	# TLS server
	221	# paths of files:
	222	{% if is_mx %}
	223	smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
	224	smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
	225	{% endif %}
	226	{% if has_smtps %}
	227	smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
	228	smtpd_tls_session_cache_timeout=3600
	229	{% endif %}
	230	smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
	231	# the serveur proposes (STARTTLS):
	232	smtpd_tls_security_level = may
	233	smtpd_tls_loglevel = 1
	234	# we add headers if TLS has been used
	235	smtpd_tls_received_header = yes
	236	# we ask the client if she can provide a certificated, but we do not require it
	237	smtpd_tls_ask_ccert = yes
	238
	239	# TLS client
	240	{% if is_mx %}
	241	smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
	242	smtp_tls_key_file = /etc/postfix/ssl/smtp.key
	243	{% endif %}
	244	smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
	245	smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
	246	smtp_tls_security_level = may
	247	smtp_tls_loglevel = 1
	248
	249	# Choose which information is sent to postmaster...
	250	notify_classes = resource,software
	251	error_notice_recipient = root
	252
	253	setgid_group = postdrop
	254	biff = no
	255
	256	# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
	257	{% if is_mx %}
	258	proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
	259	{% endif %}
	260
	261	# The following line allow blocking every outgoing email, when doing tests or server migrations
	262	# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
	263	#default_transport = retry:waiting for more stability
	264
	265	# vim:set syntax=pfmain: