+{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
+{% set has_imap = not not pillar['postfix'].get('has_imap') %}
+{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
+{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
+
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+
+
+{% if has_smtps %}
+{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %}
+{% if addr %}
+# SMTP
+{{ addr }}:2525 inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+
+# smtps (TCP port 465) is the same config, with enforce_tls and tls_wrappermode
+{{ addr }}::smtps inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o smtpd_tls_wrappermode=yes
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+
+# submission (TCP port 587) is the same config, with only enforce_tls
+{{ addr }}:587 inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if is_mx %}
+# input smtpd
+{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %}
+{% if addr %}
+{{ addr }}:smtp inet n - n - 200 smtpd
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o smtpd_client_recipient_rate_limit=300
+ -o smtpd_client_message_rate_limit=120
+ -o cleanup_service_name=cleanup-in
+
+{% endif %}
+{% endfor %}
+
+# local smtpd (bounces)
+# 10027: decode the bounces directly produced by the system
+127.0.0.1:10027 inet n - n - 200 smtpd
+ -o myhostname=bounces.m4x.org
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o smtpd_client_connection_count_limit=4
+ -o smtpd_client_connection_rate_limit=30
+ -o smtpd_client_recipient_rate_limit=120
+ -o smtpd_client_message_rate_limit=60
+ -o cleanup_service_name=cleanup-bounce
+
+# 10025: receive mails given by clamsmtp
+127.0.0.1:10025 inet n - n - - smtpd.local
+ -o content_filter=bogofilter:$myhostname
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-mid
+
+# 10026: receive mails from other hosts WITHOUT filtering
+127.0.0.1:10026 inet n - n - - smtpd.local
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-out
+
+# 20000: receive mails to @g.polytechnique.org and SRS-decode
+127.0.0.1:20000 inet n - n - - smtpd
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o virtual_alias_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o mynetworks=127.0.0.1/32
+ -o smtpd_client_restrictions=permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o mydestination=g.polytechnique.org
+ -o virtual_alias_domains=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-nosrs
+
+# bogofilter
+bogofilter unix - n n - 10 pipe
+ flags=R user=filter argv=/etc/postfix/bin/filter-postfix-bogo.sh -f ${sender} -- ${recipient}
+
+{% endif %}
+
+# localsmtp
+# This transport is usued for local submission
+# The timeout on end_of_data is increased because ClamAV takes a little bit too much times, occasionally
+localsmtp unix - - n - 20 smtp
+ -o smtp_bind_address=127.0.0.1
+ -o myhostname=local.polytechnique.org
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+ -o smtp_tls_security_level=none
+
+{% if has_mailman %}
+pipemm unix - n n - - pipe
+ flags=R user=list argv=/var/lib/mailman/mail/mailman ${extension} ${user}
+{% endif %}
+
+{% if has_imap %}
+deliver_imap unix - n n - 10 pipe
+ user=vmail argv=/etc/postfix/bin/deliver_imap.sh ${user}
+{% endif %}
+
+{% if not is_mx %}
+# default daemons
+smtp inet n - - - - smtpd
+pickup fifo n - n 60 1 pickup
+bounce unix - - n - 0 bounce
+cleanup unix n - n - 0 cleanup
+ -o queue_service_name=qmgr
+{% endif %}
+
+# Base
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - - 300 1 nqmgr
+tlsmgr unix - - n 300 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+defer unix - - n - 0 bounce
+smtp unix - - n - 150 smtp
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+smtp-low unix - - n - 3 smtp
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+showq unix n - n - - showq
+error unix - - n - - error
+local unix - n n - - local
+#virtual unix - n n - - virtual
+#lmtp unix - - n - - lmtp
+flush unix n - - 1000? 0 flush
+relay unix - - - - - smtp
+proxymap unix - - n - - proxymap
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+discard unix - - - - - discard
+deferred unix - - n - - smtp
+retry unix - - - - - error
+relay unix - - n - - smtp -o smtp_fallback_relay=
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+
+
+{% if is_mx %}
+# Special cleanup
+pickup fifo n - n 60 1 pickup
+ -o cleanup_service_name=cleanup-out
+bounce unix - - n - 0 bounce
+ -o cleanup_service_name=cleanup-bounce
+
+cleanup unix n - n - 0 cleanup
+ -o sender_canonical_maps=
+ -o queue_service_name=qmgr
+
+cleanup-bounce unix n - n - 0 cleanup
+ -o syslog_name=postfix-bounce
+ -o sender_canonical_maps=
+ -o recipient_canonical_maps=tcp:127.0.0.1:10002
+ -o recipient_canonical_classes=header_recipient,envelope_recipient
+ -o queue_service_name=qmgr
+
+cleanup-nosrs unix n - n - 0 cleanup
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=tcp:127.0.0.1:10002
+ -o sender_canonical_classes=envelope_sender
+ -o recipient_canonical_maps=
+ -o queue_service_name=qmgr-nosrs
+qmgr-nosrs fifo n - n 300 1 qmgr
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o rewrite_service_name=rewrite-nosrs
+rewrite-nosrs unix - - n - - trivial-rewrite
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o transport_maps=
+ -o default_transport=smtp-nosrs
+smtp-nosrs unix - - n - 20 smtp
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+
+cleanup-out unix n - n - 0 cleanup
+ -o syslog_name=postfix-out
+ -o sender_canonical_maps=
+ -o recipient_canonical_maps=regexp:/etc/postfix/conversion_underscore.regex
+ -o recipient_canonical_classes=envelope_recipient
+ -o queue_service_name=qmgr
+
+cleanup-mid unix n - n - 0 cleanup
+ -o syslog_name=postfix-mid
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=tcp:127.0.0.1:10001
+ -o sender_canonical_classes=envelope_sender
+ -o recipient_canonical_maps=
+ -o canonical_maps=
+ -o header_checks=regexp:/etc/postfix/header_checks/bouncediscard
+ -o queue_service_name=qmgr
+
+cleanup-in unix n - n - 0 cleanup
+ -o syslog_name=postfix-in
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
+ -o sender_canonical_classes=envelope_sender,header_sender
+ -o recipient_canonical_maps=tcp:127.0.0.1:10002
+ -o recipient_canonical_classes=header_recipient,envelope_recipient
+ -o canonical_maps=
+ -o queue_service_name=qmgr
+{% endif %}
+
+# vim:set noet sw=8 sts=8 ts=8 syntax=pfmain:
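Review bot: The smtps listener is declared as `{{ addr }}::smtps` with a doubled colon, unlike the `:2525` and `:587` entries in the same loop; this looks like a typo that would likely keep the wrapper-mode TLS port from binding as intended, so it should read `{{ addr }}:smtps inet n - n - - smtpd`. The three authenticated listeners are gated only on `has_smtps`, yet they set `cleanup_service_name=cleanup-in`, which is defined only inside the final `{% if is_mx %}` block. Because `is_mx` is derived from `mx4` alone, a host with `has_smtps` set and an `mx6` address but no `mx4` would render listeners that reference a cleanup service missing from the file; guarding the block with `{% if has_smtps and is_mx %}` would make that dependency explicit. The Base section also defines `relay unix` twice, with different chroot columns and with `-o smtp_fallback_relay=` on only the second, so one of the two should be dropped to make clear which settings apply.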