--- /dev/null
+# Does the server accept emails from a public IP address? Has Mailman? Has IMAP?
+{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
+{% set has_imap = not not pillar['postfix'].get('has_imap') %}
+{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
+{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
+
+###
+### Server configuration
+###
+
+queue_directory = /var/spool/postfix
+command_directory = /usr/sbin
+daemon_directory = /usr/lib/postfix
+mail_owner = postfix
+default_privs = mail
+
+defer_transports = deferred
+
+hash_queue_depth = 1
+hash_queue_names = active,deferred,bounce,defer,flush
+
+###
+### receiving and distributing emails
+###
+
+{% if not is_mx %}
+inet_protocols = all
+inet_interfaces = 127.0.0.1
+{% elif pillar['postfix']['ipaddr'].get('mx6') %}
+inet_protocols = all
+inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }},{{ pillar['postfix']['ipaddr'].mx6 }}
+smtp_bind_address6 = {{ pillar['postfix']['ipaddr'].mx6 }}
+#smtp_address_preference = ipv4
+{% else %}
+inet_protocols = ipv4
+inet_interfaces = {{ pillar['postfix']['ipaddr'].mx4 }}
+{% endif %}
+
+myhostname = {{ grains["host"] }}.polytechnique.org
+
+{% if not is_mx %}
+mydomain = $myhostname
+{% else %}
+mydomain = polytechnique.org
+{% endif %}
+myorigin = $myhostname
+
+
+mydestination =
+ hruid.polytechnique.org
+ {{ grains["host"] }}.polytechnique.org
+ {{ grains["host"] }}.m4x.org
+ {% for dest in pillar['postfix']['dest_domains'] %}{{ dest }}{% endfor %}
+
+virtual_alias_domains =
+ hash:/etc/postfix/virtual
+ {% if is_mx %}proxy:mysql:/etc/postfix/mysql-virtual_domains.cf{% endif %}
+
+mynetworks = 127.0.0.1/32
+
+relay_domains = bounces.m4x.org
+
+transport_maps =
+ {% if is_mx %}hash:/etc/postfix/transport{% endif %}
+ hash:/etc/postfix/transport-{{ grains["host"] }}
+ {% if has_mailman %}regexp:/etc/postfix/mailman-transport.regex{% endif %}
+
+recipient_delimiter = +
+
+append_dot_mydomain = no
+
+# local distribution
+#local_recipient_maps = $alias_maps unix:passwd.byname
+mailbox_command = /usr/bin/procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+
+###
+### forwarding
+###
+
+relocated_maps = hash:/etc/postfix/renamed_lists
+
+alias_maps =
+ hash:/etc/postfix/aliases
+ {% if is_mx %}mysql:/etc/postfix/mysql-redirect_account.cf{% endif %}
+ {% if is_mx %}mysql:/etc/postfix/mysql-redirect_other.cf{% endif %}
+
+alias_database =
+ hash:/etc/postfix/aliases
+
+# used for all domains other than hruid.polytechnique.org, which is local
+virtual_alias_maps =
+ {% if is_mx %}hash:/etc/postfix/virtual-aliases{% endif %}
+ {% if is_mx %}hash:/etc/postfix/virtual-poisonous{% endif %}
+ {% if has_mailman %}regexp:/etc/postfix/mailman.regex{% endif %}
+ {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_account.cf{% endif %}
+ {% if is_mx %}proxy:mysql:/etc/postfix/mysql-source_other.cf{% endif %}
+ {% if is_mx %}proxy:mysql:/etc/postfix/mysql-redirect_direct.cf{% endif %}
+ hash:/etc/postfix/virtual
+
+{% if has_imap %}
+virtual_mailbox_domains = imap.polytechnique.org
+virtual_transport = deliver_imap:
+{% endif %}
+
+###
+### rewriting
+###
+
+{% if is_mx %}
+local_header_rewrite_clients=static:all
+{% endif %}
+
+# NOTE: We use some different cleanups in function of when is it called. In order
+# to know which canonicals are applied when please refer to the master.cf
+
+# Possible transformation of the From in an adress in m4x.org or polytechnique.org
+{% if is_mx %}
+sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
+sender_canonical_classes = envelope_sender, header_sender
+{% endif %}
+
+# transform the _ into + but for jaune_rouge@ and SRS decoding
+recipient_canonical_maps =
+ {% if is_mx %}tcp:127.0.0.1:10002{% endif %}
+ regexp:/etc/postfix/conversion_underscore.regex
+
+recipient_canonical_classes = envelope_recipient
+
+{% if has_mailman %}
+canonical_maps = regexp:/etc/postfix/mailman-reecriture.regex
+pipemm_destination_recipient_limit = 1
+{% endif %}
+
+# when rewriting, we have to keep the '+toto@'
+propagate_unmatched_extensions = canonical
+
+# We keep bounces that are not deliverable in queue only 36h
+bounce_queue_lifetime = 36h
+
+# Maximum message size 26MiB (cf infra 18/12/2009)
+message_size_limit = 27262976
+
+###
+### anti-spam mesures
+###
+
+# limits at the level of SMTP commands received in a session:
+# - maximum 100 recipients per email, mandatory HELO, forbidden VRFY
+# - slow down after 2 false commands (VRFY...) or 2 unknown commands
+# - slow down to 1 command every 10s, then stop after 20 errors
+smtpd_banner = $myhostname ESMTP
+smtpd_helo_required = yes
+disable_vrfy_command = yes
+smtpd_recipient_limit = 100
+smtpd_junk_command_limit = 2
+smtpd_soft_error_limit = 2
+smtpd_error_sleep_time = 10s
+smtpd_hard_error_limit = 20
+message_reject_characters = \0
+smtpd_discard_ehlo_keywords = silent-discard, dsn
+
+smtpd_recipient_restrictions =
+ {% if is_mx %}check_client_access hash:/etc/postfix/client_access{% endif %}
+ permit_mynetworks
+ check_recipient_access hash:/etc/postfix/recipient_access
+ reject_invalid_hostname
+ check_helo_access hash:/etc/postfix/helo_access
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+ reject_unauth_pipelining
+ reject_unauth_destination
+ {% if is_mx %}check_sender_access proxy:mysql:/etc/postfix/mysql-blacklist.cf{% endif %}
+ reject_unlisted_sender
+ {% if is_mx %}check_recipient_access mysql:/etc/postfix/mysql-disabled-accounts.cf{% endif %}
+
+ # Postlicyd (instead of whitelister + postgrey)
+ {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
+
+ check_helo_access regexp:/etc/postfix/helo_access.regexp
+ permit
+
+{% if is_mx %}
+smtpd_recipient_restrictions_sasl =
+ reject_non_fqdn_sender
+ reject_unknown_sender_domain
+ reject_unlisted_sender
+ check_policy_service inet:127.0.0.1:60001
+ permit_sasl_authenticated
+ reject
+{% endif %}
+
+# Add two smtpd_data_restrictions (11/8/2005), does not seem very useful
+# but it does not cost anything and there is no possible false positives.
+# Then, Postlicyd performs the check at "DATA"-time for the honeypots.
+smtpd_data_restrictions =
+ reject_unauth_pipelining
+ reject_multi_recipient_bounce
+ {% if is_mx %}check_policy_service inet:127.0.0.1:60001{% endif %}
+ permit
+
+# reject of mails according of their content
+strict_rfc821_envelopes = yes
+nested_header_checks =
+mime_header_checks = regexp:/etc/postfix/header_checks/mime
+header_checks =
+ regexp:/etc/postfix/header_checks/xorg
+ regexp:/etc/postfix/header_checks/antispam
+ regexp:/etc/postfix/header_checks/clean_self
+
+smtp_header_checks = regexp:/etc/postfix/header_checks/outgoing
+
+###
+### not categorized
+###
+
+# Make the requests stop at owner-alias for each alias
+owner_request_special = no
+
+parent_domain_matches_subdomains =
+
+# TLS server
+# paths of files:
+{% if is_mx %}
+smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
+smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
+{% endif %}
+{% if has_smtps %}
+smtpd_tls_session_cache_database=sdbm:/var/spool/postfix/smtpd_scache
+smtpd_tls_session_cache_timeout=3600
+{% endif %}
+smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
+# the serveur proposes (STARTTLS):
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+# we add headers if TLS has been used
+smtpd_tls_received_header = yes
+# we ask the client if she can provide a certificated, but we do not require it
+smtpd_tls_ask_ccert = yes
+
+# TLS client
+{% if is_mx %}
+smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
+smtp_tls_key_file = /etc/postfix/ssl/smtp.key
+{% endif %}
+smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+
+# Choose which information is sent to postmaster...
+notify_classes = resource,software
+error_notice_recipient = root
+
+setgid_group = postdrop
+biff = no
+
+# Default value, to which we add $smtpd_recipient_restrictions, necessary so that we can use proxy: in this section
+{% if is_mx %}
+proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_recipient_restrictions
+{% endif %}
+
+# The following line allow blocking every outgoing email, when doing tests or server migrations
+# source: https://groups.google.com/forum/#!topic/mailing.postfix.users/kPyh5euz33g
+#default_transport = retry:waiting for more stability
+
+# vim:set syntax=pfmain:
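Review bot: In `smtpd_recipient_restrictions`, `check_client_access`, `check_recipient_access` and `check_helo_access` are all evaluated before `reject_unauth_destination`, so any entry in client_access, recipient_access or helo_access that returns OK also authorises relaying through the MX for that client, recipient or HELO name; whether that actually happens depends on map contents not visible here. On Postfix ≥ 2.10 the default `smtpd_relay_restrictions` is a backstop, but the template never sets it and this list reads as if it were the only relay control. I would pin it explicitly next to the recipient list, `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination`, and add a comment above the list that the hash access maps must only return REJECT/DUNNO (or move `reject_unauth_destination` above the three `check_*_access` lines, which leaves local-destination whitelisting unaffected). Less important: `mynetworks = 127.0.0.1/32` together with `inet_protocols = all` leaves `[::1]/128` out, so anything submitting over the IPv6 loopback is not treated as local.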
--- /dev/null
+{% set is_mx = not not pillar['postfix']['ipaddr'].get('mx4') %}
+{% set has_imap = not not pillar['postfix'].get('has_imap') %}
+{% set has_mailman = not not pillar['postfix'].get('has_mailman') %}
+{% set has_smtps = not not pillar['postfix'].get('has_smtps') %}
+
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+
+
+{% if has_smtps %}
+{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %}
+{% if addr %}
+# SMTP
+{{ addr }}:2525 inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+
+# smtps (TCP port 465) is the same config, with enforce_tls and tls_wrappermode
+{{ addr }}::smtps inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o smtpd_tls_wrappermode=yes
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+
+# submission (TCP port 587) is the same config, with only enforce_tls
+{{ addr }}:587 inet n - n - - smtpd
+ -o myhostname=ssl.polytechnique.org
+ -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl
+ -o smtpd_recipient_limit=1000
+ -o smtpd_sasl_auth_enable=yes
+ -o broken_sasl_auth_clients=yes
+ -o smtpd_tls_key_file=/etc/postfix/ssl/smtpd.key
+ -o smtpd_tls_cert_file=/etc/postfix/ssl/smtpd.crt
+# -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.crt
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_loglevel=1
+ -o smtpd_tls_received_header=yes
+ -o smtpd_tls_ask_ccert=no
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o cleanup_service_name=cleanup-in
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if is_mx %}
+# input smtpd
+{% for addr in (pillar['postfix']['ipaddr'].get('mx4'), pillar['postfix']['ipaddr'].get('mx6')) %}
+{% if addr %}
+{{ addr }}:smtp inet n - n - 200 smtpd
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o smtpd_client_recipient_rate_limit=300
+ -o smtpd_client_message_rate_limit=120
+ -o cleanup_service_name=cleanup-in
+
+{% endif %}
+{% endfor %}
+
+# local smtpd (bounces)
+# 10027: decode the bounces directly produced by the system
+127.0.0.1:10027 inet n - n - 200 smtpd
+ -o myhostname=bounces.m4x.org
+ -o content_filter=localsmtp:[127.0.0.1]:10024
+ -o smtpd_client_connection_count_limit=4
+ -o smtpd_client_connection_rate_limit=30
+ -o smtpd_client_recipient_rate_limit=120
+ -o smtpd_client_message_rate_limit=60
+ -o cleanup_service_name=cleanup-bounce
+
+# 10025: receive mails given by clamsmtp
+127.0.0.1:10025 inet n - n - - smtpd.local
+ -o content_filter=bogofilter:$myhostname
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-mid
+
+# 10026: receive mails from other hosts WITHOUT filtering
+127.0.0.1:10026 inet n - n - - smtpd.local
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-out
+
+# 20000: receive mails to @g.polytechnique.org and SRS-decode
+127.0.0.1:20000 inet n - n - - smtpd
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o content_filter=
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o virtual_alias_maps=
+ -o smtpd_restriction_classes=
+ -o smtpd_recipient_limit=1000
+ -o mynetworks=127.0.0.1/32
+ -o smtpd_client_restrictions=permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o mydestination=g.polytechnique.org
+ -o virtual_alias_domains=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_data_restrictions=
+ -o receive_override_options=no_unknown_recipient_checks
+ -o strict_rfc821_envelopes=yes
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_tls_security_level=none
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o cleanup_service_name=cleanup-nosrs
+
+# bogofilter
+bogofilter unix - n n - 10 pipe
+ flags=R user=filter argv=/etc/postfix/bin/filter-postfix-bogo.sh -f ${sender} -- ${recipient}
+
+{% endif %}
+
+# localsmtp
+# This transport is usued for local submission
+# The timeout on end_of_data is increased because ClamAV takes a little bit too much times, occasionally
+localsmtp unix - - n - 20 smtp
+ -o smtp_bind_address=127.0.0.1
+ -o myhostname=local.polytechnique.org
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+ -o smtp_tls_security_level=none
+
+{% if has_mailman %}
+pipemm unix - n n - - pipe
+ flags=R user=list argv=/var/lib/mailman/mail/mailman ${extension} ${user}
+{% endif %}
+
+{% if has_imap %}
+deliver_imap unix - n n - 10 pipe
+ user=vmail argv=/etc/postfix/bin/deliver_imap.sh ${user}
+{% endif %}
+
+{% if not is_mx %}
+# default daemons
+smtp inet n - - - - smtpd
+pickup fifo n - n 60 1 pickup
+bounce unix - - n - 0 bounce
+cleanup unix n - n - 0 cleanup
+ -o queue_service_name=qmgr
+{% endif %}
+
+# Base
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - - 300 1 nqmgr
+tlsmgr unix - - n 300 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+defer unix - - n - 0 bounce
+smtp unix - - n - 150 smtp
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+smtp-low unix - - n - 3 smtp
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+showq unix n - n - - showq
+error unix - - n - - error
+local unix - n n - - local
+#virtual unix - n n - - virtual
+#lmtp unix - - n - - lmtp
+flush unix n - - 1000? 0 flush
+relay unix - - - - - smtp
+proxymap unix - - n - - proxymap
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+discard unix - - - - - discard
+deferred unix - - n - - smtp
+retry unix - - - - - error
+relay unix - - n - - smtp -o smtp_fallback_relay=
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+
+
+{% if is_mx %}
+# Special cleanup
+pickup fifo n - n 60 1 pickup
+ -o cleanup_service_name=cleanup-out
+bounce unix - - n - 0 bounce
+ -o cleanup_service_name=cleanup-bounce
+
+cleanup unix n - n - 0 cleanup
+ -o sender_canonical_maps=
+ -o queue_service_name=qmgr
+
+cleanup-bounce unix n - n - 0 cleanup
+ -o syslog_name=postfix-bounce
+ -o sender_canonical_maps=
+ -o recipient_canonical_maps=tcp:127.0.0.1:10002
+ -o recipient_canonical_classes=header_recipient,envelope_recipient
+ -o queue_service_name=qmgr
+
+cleanup-nosrs unix n - n - 0 cleanup
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=tcp:127.0.0.1:10002
+ -o sender_canonical_classes=envelope_sender
+ -o recipient_canonical_maps=
+ -o queue_service_name=qmgr-nosrs
+qmgr-nosrs fifo n - n 300 1 qmgr
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o rewrite_service_name=rewrite-nosrs
+rewrite-nosrs unix - - n - - trivial-rewrite
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o transport_maps=
+ -o default_transport=smtp-nosrs
+smtp-nosrs unix - - n - 20 smtp
+ -o syslog_name=postfix-nosrs
+ -o queue_directory=/var/spool/postfix-nosrs
+ -o myhostname={{ pillar['postfix']['mx_name'] }}
+
+cleanup-out unix n - n - 0 cleanup
+ -o syslog_name=postfix-out
+ -o sender_canonical_maps=
+ -o recipient_canonical_maps=regexp:/etc/postfix/conversion_underscore.regex
+ -o recipient_canonical_classes=envelope_recipient
+ -o queue_service_name=qmgr
+
+cleanup-mid unix n - n - 0 cleanup
+ -o syslog_name=postfix-mid
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=tcp:127.0.0.1:10001
+ -o sender_canonical_classes=envelope_sender
+ -o recipient_canonical_maps=
+ -o canonical_maps=
+ -o header_checks=regexp:/etc/postfix/header_checks/bouncediscard
+ -o queue_service_name=qmgr
+
+cleanup-in unix n - n - 0 cleanup
+ -o syslog_name=postfix-in
+ -o virtual_alias_maps=
+ -o sender_canonical_maps=proxy:mysql:/etc/postfix/mysql-canonical-rewrite.cf
+ -o sender_canonical_classes=envelope_sender,header_sender
+ -o recipient_canonical_maps=tcp:127.0.0.1:10002
+ -o recipient_canonical_classes=header_recipient,envelope_recipient
+ -o canonical_maps=
+ -o queue_service_name=qmgr
+{% endif %}
+
+# vim:set noet sw=8 sts=8 ts=8 syntax=pfmain:
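Review bot: The submission listeners on `:2525`, `::smtps` and `:587` set `smtpd_recipient_restrictions=$smtpd_recipient_restrictions_sasl`, but main.cf only emits that parameter when `is_mx` is true while this block is gated on `has_smtps` alone; on a host with `has_smtps` and no `mx4` the SASL listeners get an empty restriction list, losing the sender checks, the policy service and the final `reject` (a Postfix ≥ 2.10 default `smtpd_relay_restrictions` would still stop relaying, older versions would not). Gate the block with `{% if has_smtps and is_mx %}`, or emit `smtpd_recipient_restrictions_sasl` unconditionally in main.cf so the two templates cannot silently diverge. Also `{{ addr }}::smtps` carries a doubled colon where the 2525 and 587 services use one; with an IPv4 `mx4` this renders as `a.b.c.d::smtps`, which looks like a typo and, if master(8) takes `a.b.c.d:` as the host part, would keep the whole instance from starting. Finally, the pipe transports hand `${user}`, `${extension}` and `${sender}` straight to shell scripts (`deliver_imap.sh`, `filter-postfix-bogo.sh`); pipe(8) does not go through a shell, but the scripts must quote those arguments, which cannot be confirmed from here.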