# Postfix main.cf template, rendered by Salt (Jinja): values come from pillar['postfix']
# and grains. Lines in {% ... %} are template logic, not Postfix syntax; only the
# selected branches reach the rendered file. Postfix recognises '#' as a comment only
# at the start of a line, so never append a comment after a value.
1 # Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
# 'not not x' coerces each pillar value to a strict boolean so the {% if %} tests
# below behave the same whether the pillar holds a string, a list or a bool.
2 {% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
3 {% set has_imap = not not pillar['postfix'].get('has_imap') %}
4 {% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
5 {% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
8 ### Server configuration
# Standard Debian/Ubuntu Postfix directory layout.
11 queue_directory = /var/spool/postfix
12 command_directory = /usr/sbin
13 daemon_directory = /usr/lib/postfix
17 defer_transports = deferred
20 hash_queue_names = active,deferred,bounce,defer,flush
23 ### receiving and distributing emails
# Listening addresses depend on which MX addresses the pillar provides:
# loopback only, v4 + v6, or v4 only. The {% if %} opening the first branch
# sits above this excerpt.
28 inet_interfaces = 127.0.0.1
29 {% elif pillar['postfix']['ipaddr'].get('mx6') %}
31 inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
32 smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
# Disabled: the Postfix default address preference applies.
33 #smtp_address_preference = ipv4
36 inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
39 myhostname = {{ grains["host"] }}.polytechnique.org
42 mydomain = $myhostname
44 mydomain = polytechnique.org
46 myorigin = $myhostname
# Continuation of the locally delivered domain list (its 'mydestination =' line
# precedes this excerpt). Every pillar dest_domain is appended.
50 hruid.polytechnique.org
51 {{ grains["host"] }}.polytechnique.org
52 {{ grains["host"] }}.m4x.org
53 {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}
# Domains whose addresses are aliased elsewhere; the MySQL table is only consulted on MX hosts.
55 virtual_alias_domains =
56 hash:/etc/postfix/virtual
57 {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}
# Trusted clients: loopback only. Keep this narrow; any network listed here is treated
# as a trusted relay source wherever mynetworks-based permits are used.
59 mynetworks = 127.0.0.1/32
61 relay_domains = bounces.m4x.org
# Continuation of transport_maps (its header line precedes this excerpt); the
# per-host table is always present, the others depend on the MX/Mailman flags.
64 {% if is_mx %}hash:/etc/postfix/transport{% endif %}
65 hash:/etc/postfix/transport-{{ grains["host"] }}
66 {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}
# user+extension@ addressing; the extension is handed to procmail below.
68 recipient_delimiter = +
70 append_dot_mydomain = no
# Disabled, so the Postfix default for local_recipient_maps applies.
73 #local_recipient_maps = $alias_maps unix:passwd.byname
# The quotes are literal in main.cf; Postfix expands $EXTENSION when running the command.
74 mailbox_command = /usr/bin/procmail -a "$EXTENSION"
# 0 = no per-mailbox size limit.
75 mailbox_size_limit = 0
81 relocated_maps = hash:/etc/postfix/renamed_lists
# Continuation of alias_maps (header line precedes this excerpt); MySQL redirects on MX hosts only.
84 hash:/etc/postfix/aliases
85 {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
86 {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}
89 hash:/etc/postfix/aliases
91 # used for all domains other than hruid.polytechnique.org, which is local
# Continuation of virtual_alias_maps (header line precedes this excerpt). Tables are
# consulted in this order; the first match wins, so the poisonous table is checked
# before the MySQL sources.
93 {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
94 {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
95 {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
96 {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
97 {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
98 {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
99 hash:/etc/postfix/virtual
# IMAP delivery (the has_imap guard is not visible in this excerpt; presumably wraps these two).
102 virtual_mailbox_domains = imap.polytechnique.org
103 virtual_transport = deliver_imap:
# Header address rewriting is applied to mail from every client, not just local ones.
111 local_header_rewrite_clients=static:all
114 # NOTE: Different cleanup instances are used depending on when cleanup is invoked. To
115 # know which canonical maps apply at which stage, refer to master.cf
117 # Possible rewriting of the From into an address in m4x.org or polytechnique.org
119 sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
120 sender_canonical_classes = envelope_sender, header_sender
123 # transform the _ into + but for jaune_rouge@ and SRS decoding
# On MX hosts a loopback tcp: table (port 10002) is queried first; that service can
# rewrite any recipient, so it must only be reachable locally.
124 recipient_canonical_maps =
125 {% if is_mx %}tcp:127.0.0.1:10002{% endif %}
126 regexp:/etc/postfix/conversion_underscore.regex
128 recipient_canonical_classes = envelope_recipient
131 canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
# pipemm is a master.cf transport; one recipient per delivery.
132 pipemm_destination_recipient_limit = 1
135 # when rewriting, we have to keep the '+toto@'
136 propagate_unmatched_extensions = canonical
138 # We keep bounces that are not deliverable in queue only 36h
139 bounce_queue_lifetime = 36h
141 # Maximum message size 26MiB (cf infra 18/12/2009)
142 message_size_limit = 27262976
145 ### anti-spam measures
148 # limits at the level of SMTP commands received in a session:
149 # - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
150 # - slow down after 2 false commands (VRFY...) or 2 unknown commands
151 # - slow down to 1 command every 10s, then stop after 20 errors
# Banner deliberately omits the Postfix version.
152 smtpd_banner = $myhostname ESMTP
153 smtpd_helo_required = yes
154 disable_vrfy_command = yes
155 smtpd_recipient_limit = 100
156 smtpd_junk_command_limit = 2
157 smtpd_soft_error_limit = 2
158 smtpd_error_sleep_time = 10s
159 smtpd_hard_error_limit = 20
# Reject messages containing a NUL byte.
160 message_reject_characters = \0
# Do not advertise DSN to clients.
161 smtpd_discard_ehlo_keywords = silent-discard, dsn
# Evaluated in order; the first restriction returning a verdict ends the list.
# NOTE(review): the access tables on the next lines are consulted BEFORE
# reject_unauth_destination. An OK/permit entry in client_access, recipient_access or
# helo_access therefore ends evaluation before the relay check and lets that client
# relay anywhere. Keep those tables to reject/DUNNO actions, or place
# reject_unauth_destination above them.
163 smtpd_recipient_restrictions =
164 {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
166 check_recipient_access hash:/etc/postfix/recipient_access
167 reject_invalid_hostname
168 check_helo_access hash:/etc/postfix/helo_access
169 reject_non_fqdn_sender
170 reject_unknown_sender_domain
171 reject_unauth_pipelining
172 reject_unauth_destination
173 {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
174 reject_unlisted_sender
175 {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}
177 # Postlicyd (instead of whitelister + postgrey)
178 {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
180 check_helo_access regexp:/etc/postfix/helo_access.regexp
# Custom variable, presumably referenced from master.cf for the authenticated
# (submission) service -- verify there.
# NOTE(review): this list ends with permit_sasl_authenticated and has no terminal
# reject (e.g. reject_unauth_destination). Postfix treats a restriction list that
# ends without a verdict as permit, so an unauthenticated client that passes the
# checks above would be allowed to relay unless the master.cf service enforces
# authentication itself. Confirm, or append reject_unauth_destination.
184 smtpd_recipient_restrictions_sasl =
185 reject_non_fqdn_sender
186 reject_unknown_sender_domain
187 reject_unlisted_sender
188 check_policy_service inet:127.0.0.1:60001
189 permit_sasl_authenticated
193 # Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
194 # but it does not cost anything and there is no possible false positives.
195 # Then, Postlicyd performs the check at "DATA"-time for the honeypots.
196 smtpd_data_restrictions =
197 reject_unauth_pipelining
198 reject_multi_recipient_bounce
199 {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
202 # reject mails according to their content
203 strict_rfc821_envelopes = yes
# Explicitly empty: no checks on nested (attached message) headers.
204 nested_header_checks =
205 mime_header_checks = regexp:/etc/postfix/header_checks/mime
# Continuation of header_checks (header line precedes this excerpt).
207 regexp:/etc/postfix/header_checks/testvm
# Header checks applied to outgoing mail in the smtp client.
209 smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing
215 # Make the requests stop at owner-alias for each alias
216 owner_request_special = no
# Explicitly empty: no parent-domain matching for any list.
218 parent_domain_matches_subdomains =
# Server-side TLS. The private key must be readable by root only; Postfix reads it
# before dropping privileges.
223 smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
224 smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# Session cache lives inside the spool; lifetime in seconds.
227 smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
228 smtpd_tls_session_cache_timeout=3600
230 smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
231 # the server offers STARTTLS (opportunistic, not required):
# 'may' never refuses a plaintext session; any authenticated service should require
# TLS in master.cf so credentials are not sent in the clear.
232 smtpd_tls_security_level = may
233 smtpd_tls_loglevel = 1
234 # we add headers if TLS has been used
235 smtpd_tls_received_header = yes
236 # we ask the client for a certificate, but do not require one
237 smtpd_tls_ask_ccert = yes
# Client-side TLS for outgoing mail. 'may' is opportunistic; per-destination
# enforcement (encrypt/verify/secure) is expressed in tls_policy.
241 smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
242 smtp_tls_key_file = /etc/postfix/ssl/smtp.key
244 smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
245 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
246 smtp_tls_security_level = may
247 smtp_tls_loglevel = 1
249 # Choose which information is sent to postmaster...
250 notify_classes = resource,software
251 error_notice_recipient = root
253 setgid_group = postdrop
256 # Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
# Every table opened through proxy: (virtual_alias_domains, sender_canonical_maps,
# the blacklist in smtpd_recipient_restrictions) must be covered by this list or
# proxymap refuses to open it.
258 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
261 # The following line allows blocking every outgoing email, when doing tests or server migrations
262 # source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
263 #default_transport = retry:waiting for more stability
265 # vim:set syntax=pfmain: