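# Postfix main.cf template (Salt/Jinja). The four switches below come from
# pillar data (master-side) and select what this host does:
#   is_mx       - a public MX address (ipaddr.mx4) is configured: the server
#                 listens on it and accepts mail from the Internet
#   has_imap    - mail for imap.polytechnique.org is handed to the
#                 deliver_imap transport (see "forwarding")
#   has_mailman - the Mailman transport and its rewriting tables are enabled
#   has_smtps   - the smtpd TLS session cache is enabled (see "TLS server")
# "not not" turns whatever the pillar holds (missing key, empty string, ...)
# into a real boolean so the conditionals below behave uniformly.
{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
{% set has_imap = not not pillar['postfix'].get('has_imap') %}
{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}

###
### Server configuration
###
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
# Privileges used for delivery to external commands/files when no user applies.
default_privs = mail
defer_transports = deferred
hash_queue_depth = 1
hash_queue_names = active,deferred,bounce,defer,flush

###
### receiving and distributing emails
###
# Listening addresses. A host without the MX role only listens on IPv4
# loopback (note: not ::1, local clients must use 127.0.0.1), so smtpd is not
# reachable from outside the machine at all. An MX binds exactly its public
# addresses and, when an IPv6 address is configured, also sends from it.
{% if not is_mx %}
inet_protocols = all
inet_interfaces = 127.0.0.1
{% elif pillar['postfix']['ipaddr'].get('mx6') %}
inet_protocols = all
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
#smtp_address_preference = ipv4
{% else %}
inet_protocols = ipv4
inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
{% endif %}

# NOTE(review): grains are reported by the minion itself, so the host name
# used below (and everything derived from it: mydestination entries, the
# per-host transport table name) is ultimately chosen by the machine being
# configured. Acceptable for its own main.cf; do not reuse this value for
# anything that grants access on other hosts.
myhostname = {{ grains["host"] }}.polytechnique.org
{% if not is_mx %}
mydomain = $myhostname
{% else %}
mydomain = polytechnique.org
{% endif %}
myorigin = $myhostname

# Domains delivered by local(8): the canonical local domain, the host's own
# names, and the pillar-provided list. Every extra domain is emitted with a
# leading space: without that separator the loop glued consecutive
# dest_domains entries together into a single bogus domain name.
mydestination = hruid.polytechnique.org {{ grains["host"] }}.polytechnique.org {{ grains["host"] }}.m4x.org{% for dest in pillar['postfix']['dest_domains'] %} {{ dest }}{% endfor %}
virtual_alias_domains = hash:/etc/postfix/virtual {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}
# Only loopback is trusted: permit_mynetworks in the restriction lists applies
# to connections from this host itself and to nothing else.
mynetworks = 127.0.0.1/32
# The one domain this server relays for without being its final destination.
relay_domains = bounces.m4x.org
transport_maps = {% if is_mx %}hash:/etc/postfix/transport{% endif %} hash:/etc/postfix/transport-{{ grains["host"] }} {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}
recipient_delimiter = +
append_dot_mydomain = no

# local distribution
# local_recipient_maps is left at the Postfix default; the commented value is
# kept for reference only.
#local_recipient_maps = $alias_maps unix:passwd.byname
# local(8) hands mailbox delivery to procmail, passing the address extension
# (the part after the "+" delimiter) as its -a argument.
mailbox_command = /usr/bin/procmail -a "$EXTENSION"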
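mailbox_size_limit = 0

###
### forwarding
###
relocated_maps = hash:/etc/postfix/renamed_lists
# Aliases: the local hash table, then (MX only) the account and "other"
# redirections stored in the database.
alias_maps = hash:/etc/postfix/aliases {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %} {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}
alias_database = hash:/etc/postfix/aliases
# Used for all domains other than hruid.polytechnique.org, which is local.
# Tables are searched in the listed order and the first match wins; the plain
# /etc/postfix/virtual table always comes last.
virtual_alias_maps =
    {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
    {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
    {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
    {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
    hash:/etc/postfix/virtual
{% if has_imap %}
virtual_mailbox_domains = imap.polytechnique.org
virtual_transport = deliver_imap:
{% endif %}

###
### rewriting
###
{% if is_mx %}
# Append @$myorigin to unqualified header addresses for every client, not
# only local ones (presumably so the sender rewriting below always sees fully
# qualified addresses).
local_header_rewrite_clients=static:all
{% endif %}
# NOTE: several cleanup(8) instances with different canonical settings are
# defined in master.cf; refer to it to see which rewriting applies at which
# stage.
# Optional rewriting of the sender (envelope and From: header) into an
# m4x.org or polytechnique.org address, driven by the database.
{% if is_mx %}
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
sender_canonical_classes = envelope_sender, header_sender
{% endif %}
# Envelope recipient rewriting: first the tcp table on localhost (MX only,
# presumably the SRS decoder), then the "_" -> "+" conversion; the
# jaune_rouge@ exception is presumably handled inside the regexp table.
recipient_canonical_maps = {% if is_mx %}tcp:127.0.0.1:10002{% endif %} regexp:/etc/postfix/conversion_underscore.regex
recipient_canonical_classes = envelope_recipient
{% if has_mailman %}
canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
# The pipemm transport (master.cf) receives one recipient per delivery.
pipemm_destination_recipient_limit = 1
{% endif %}
# When rewriting, keep the "+extension" part of the address.
propagate_unmatched_extensions = canonical
# Undeliverable bounces stay in the queue for 36h only.
bounce_queue_lifetime = 36h
# Maximum message size: 26 MiB (cf. infra 18/12/2009).
message_size_limit = 27262976

###
### anti-spam measures
###
# Limits at the level of the SMTP commands received in a session:
#  - at most 100 recipients per message, HELO/EHLO mandatory, VRFY disabled
#  - after 2 errors (soft limit) or 2 junk commands (VRFY, ...) every further
#    command is delayed by 10s; the session is dropped after 20 errors
# The banner carries no software or version information.
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_limit = 100
smtpd_junk_command_limit = 2
smtpd_soft_error_limit = 2
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = 20
# Messages containing a NUL byte are rejected.
message_reject_characters = \0
# DSN is not advertised in the EHLO response (silent-discard suppresses the
# log line when a client asks for it anyway).
smtpd_discard_ehlo_keywords = silent-discard, dsn

# Per-recipient access policy, evaluated in order; the first restriction that
# returns OK or REJECT decides, DUNNO moves on to the next one.
#  1. (MX) the client access table may whitelist or blacklist client
#     addresses. An OK entry there also grants relaying, so it must only list
#     hosts that are meant to relay through this server; use DUNNO for hosts
#     that should merely skip the anti-spam checks.
#  2. permit_mynetworks, then reject_unauth_destination right after it: the
#     relay decision is taken before any of the recipient, HELO or sender
#     tables can return OK. The Postfix access documentation warns that an OK
#     from check_recipient_access / check_helo_access placed ahead of
#     reject_unauth_destination turns the server into an open relay for
#     whoever can produce the matching recipient or HELO name (HELO is fully
#     attacker-controlled). For recipients in our own domains the relay check
#     is a no-op, so the later anti-spam checks still apply to them unchanged.
#     (Postfix >= 2.10 additionally enforces smtpd_relay_restrictions, whose
#     default already denies relaying; this ordering is what protects older
#     versions.)
#  3. syntax, sender and recipient checks, the database blacklist and the
#     disabled-account list (MX). The disabled-accounts table is opened as
#     mysql: rather than proxy:mysql: like the other database tables; it
#     works, but every smtpd process then holds its own database connection.
#  4. Postlicyd (replaces whitelister + postgrey), then the HELO regexp table.
smtpd_recipient_restrictions =
    {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/recipient_access
    reject_invalid_hostname
    check_helo_access hash:/etc/postfix/helo_access
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unauth_pipelining
    {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
    reject_unlisted_sender
    {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
    check_helo_access regexp:/etc/postfix/helo_access.regexp
    permit

{% if is_mx %}
# Restriction list for the authenticated submission service (presumably
# substituted for smtpd_recipient_restrictions in master.cf): only the sender
# sanity checks and Postlicyd apply, authenticated clients may relay anywhere,
# everyone else is rejected.
smtpd_recipient_restrictions_sasl =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_sender
    check_policy_service inet:127.0.0.1:60001
    permit_sasl_authenticated
    reject
{% endif %}

# The two smtpd_data_restrictions that follow (added 11/8/2005) are of limited
# use, but they cost nothing and cannot produce false positives. Postlicyd
# then performs its own check at DATA time for the honeypots.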
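smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce
    {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
    permit

# Rejecting mail based on its content.
strict_rfc821_envelopes = yes
# Empty: headers of nested (attached) messages are not inspected; only the
# top-level headers and the MIME headers go through the tables below.
nested_header_checks =
mime_header_checks = regexp:/etc/postfix/header_checks/mime
header_checks =
    regexp:/etc/postfix/header_checks/xorg
    regexp:/etc/postfix/header_checks/antispam
    regexp:/etc/postfix/header_checks/clean_self
# Applied by the smtp client, i.e. to outgoing mail only.
smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing

###
### not categorized
###
# Make the requests stop at owner-alias for each alias
owner_request_special = no
# Empty: a domain listed in an access or relay table never matches its
# subdomains implicitly; subdomains have to be listed as ".domain".
parent_domain_matches_subdomains =

# TLS server
# The certificate and key only exist on the MX. On the other hosts the "may"
# level below makes smtpd log that no server certificate is available and
# STARTTLS is simply not offered; harmless, since they only listen on
# loopback.
{% if is_mx %}
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
{% endif %}
{% if has_smtps %}
smtpd_tls_session_cache_database = sdbm:/var/spool/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600
{% endif %}
smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
# The server offers STARTTLS but does not require it (opportunistic TLS).
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# Record the TLS parameters of the session in the Received: header.
smtpd_tls_received_header = yes
# Ask clients for a certificate but never require one. Nothing in this file
# acts on the presented certificate (no permit_tls_clientcerts or
# check_ccert_access in any restriction list); it is only logged.
smtpd_tls_ask_ccert = yes
# Protocol floor for the server side: SSLv2 and SSLv3 are never negotiated.
# Stated explicitly so that the floor does not depend on the defaults of the
# installed Postfix version. Only outright broken protocols are excluded: at
# level "may" TLS is never mandatory, so a stricter floor would only lose the
# TLS session with old peers without forcing them to encrypt.
smtpd_tls_protocols = !SSLv2, !SSLv3

# TLS client
{% if is_mx %}
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file = /etc/postfix/ssl/smtp.key
{% endif %}
smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
# Per-destination overrides of the client TLS policy.
# NOTE(review): any "secure"/"verify" entry in that table is only as strong as
# the CA bundle above; check that it holds the right roots for those peers.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Same protocol floor as on the server side, for the same reasons.
smtp_tls_protocols = !SSLv2, !SSLv3

# Which events are reported to postmaster: resource problems and software
# errors only, delivered to root.
notify_classes = resource,software
error_notice_recipient = root
setgid_group = postdrop
biff = no

# Tables that may be opened through proxymap(8). This is the Postfix default
# list plus $smtpd_recipient_restrictions, which is what makes the proxy:
# tables inside that restriction list usable. Any proxy: table added to
# another restriction list (smtpd_data_restrictions, the SASL variant, ...)
# must be added here as well, or proxymap will refuse to open it.
{% if is_mx %}
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
{% endif %}

# Uncommenting the following line blocks every outgoing email, e.g. during
# tests or server migrations.
# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
#default_transport = retry:waiting for more stability

# vim:set syntax=pfmain: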