Diffstat (limited to 'modules/postfix/templates/main.cf')
| -rw-r--r-- | modules/postfix/templates/main.cf | 81 |
1 files changed, 59 insertions, 22 deletions
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index fcedc936..6b42a4de 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -11,39 +11,49 @@ sendmail_path = /usr/sbin/sendmail.postfix
 setgid_group = postdrop
 command_directory = /usr/sbin
 manpage_directory = /usr/share/man
-daemon_directory = <%= lib_dir %>/postfix/
+daemon_directory = /usr/libexec/postfix
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64
+compatibility_level = 2
 data_directory = /var/lib/postfix
 newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
 queue_directory = /var/spool/postfix
 mail_owner = postfix
+<% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %>
+relayhost = sucuk.<%= domain %>
+<%- end -%>
 # User configurable parameters
 <% if all_tags.include?('postfix::simple_relay') %>
-inet_interfaces = localhost
+inet_interfaces = localhost, 127.0.0.1
 <% else %>
 inet_interfaces = all
 <% end %>
 inet_protocols = all
-mynetworks_style = host
+<% if @hostname == 'neru' then %>
+# We do not have a reverse on ipv6 :(
+smtp_address_preference = ipv4
+<%- end -%>
+
+# FIXME Do not hardcode this
+mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115]
 myhostname = <%= fqdn %>
 mydomain = <%= domain %>
-mydestination = <%= fqdn %>
-myorigin = $mydomain
-<%- if all_tags.include?('postfix::secondary_smtp') -%>
+<%- if all_tags.include?('postfix::server::secondary') -%>
 relay_domains = <%= domain %>, ml.<%= domain %>, group.<%= domain %>
 <%- end -%>
 mydestination = <%= fqdn %>
-<%- if classes.include?('sympa::server') -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
 ml.<%= domain %>
 <%- end -%>
-<%- if all_tags.include?('postfix::primary_smtp') -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
 virtual_mailbox_domains = <%= domain %>, group.<%= domain %>
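Review bot: The new `mynetworks` line is the relay trust boundary — every address in it gets unauthenticated relay through `permit_mynetworks` in `smtpd_recipient_restrictions` — so the hard-coded /28 and /64 deserve a comment saying so next to the existing FIXME, e.g. `# trusted for relaying via permit_mynetworks; keep this list minimal`, and `127.0.0.0/16` looks like a typo for the loopback block `127.0.0.0/8` (harmless, since only loopback addresses fall inside it). Dropping `myorigin = $mydomain` makes `myorigin` fall back to `$myhostname`, so locally submitted mail is now addressed from the FQDN rather than the domain; if that was not intended, keep the line. `inet_interfaces = localhost, 127.0.0.1` is redundant, since localhost already resolves to 127.0.0.1. The `postfix::server::primary` block opened on the last line of the hunk continues outside it.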
@@ -72,10 +82,27 @@ virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.conf
 <%- if classes.include?('sympa::server') -%>
 regexp:/etc/postfix/sympa_aliases
 <%- end -%>
+<% else %>
+<%- if classes.include?('sympa::server') -%>
+virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
+<%- end -%>
 <%- end -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
+# Adding DKIM Miler for primaryserver (sucuk)
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+milter_protocol = 2
+
+# Adding Sender Rewriting Scheme
+sender_canonical_maps = socketmap:inet:localhost:10003:forward
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = socketmap:inet:localhost:10003:reverse
+recipient_canonical_classes= envelope_recipient,header_recipient
+<%- end -%>
-<%- if all_tags.include?('postfix::smtp_server') -%>
+<%- if all_tags.include?('postfix::server') -%>
 transport_maps = regexp:/etc/postfix/transport_regexp
 content_filter = smtp-filter:[127.0.0.1]:10025
 <%- end -%>
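Review bot: `milter_default_action = accept` on the new DKIM milter means that when nothing answers on 127.0.0.1:8891 mail is accepted and sent unsigned rather than deferred, and because `non_smtpd_milters = $smtpd_milters` this covers locally submitted mail too; if a DKIM signature is required for deliverability, `milter_default_action = tempfail` keeps mail queued until the signer is back. The milter on 8891 and the socketmap on localhost:10003 are unauthenticated loopback services, which is fine only while they stay bound to loopback; a comment naming the daemon expected on each port would make that dependency visible, since the hunk does not show what listens there. The comment `# Adding DKIM Miler for primaryserver (sucuk)` should read `# Adding DKIM milter for the primary server (sucuk)`.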
@@ -86,18 +113,21 @@ sympabounce_destination_recipient_limit = 1
 <%- end -%>
 #delay_warning_time = 4h
-smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>)
 unknown_local_recipient_reject_code = 450
 smtp-filter_destination_concurrency_limit = 2
 lmtp-filter_destination_concurrency_limit = 2
-# disabled for the time being, as the certificate do not exist
-# FIXME create the cert in puppet
-smtpd_use_tls = no
-#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
-#smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
-#smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-
-<%- if all_tags.include?('postfix::smtp_server') -%>
+# enable opportunistic TLS when receiving
+smtpd_use_tls = yes
+smtpd_tls_received_header = yes
+smtpd_tls_cert_file = /etc/ssl/postfix/postfix.crt
+smtpd_tls_key_file = /etc/ssl/postfix/postfix.key
+smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+# enable opportunistic TLS when sending
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+<%- if all_tags.include?('postfix::server') -%>
 smtpd_etrn_restrictions = reject
 smtpd_helo_required = yes
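Review bot: `smtpd_use_tls = yes` is the legacy TLS switch; with `compatibility_level = 2` set earlier in this change the current knob is `smtpd_tls_security_level = may`, which should replace it and mirrors the `smtp_tls_security_level = may` added for the client side. Opportunistic `may` also governs delivery to the `relayhost` configured earlier in the template, so TLS to the relay can be silently downgraded on the path; for a fixed relay you operate, an `smtp_tls_policy_maps` entry requiring `secure` or `verify` for that host is cheap insurance. `smtpd_tls_CAfile` pointed at the whole system bundle only matters when client certificates are requested and enlarges the handshake, so drop it unless client-cert verification is planned. `smtp_tls_loglevel = 1` and `smtpd_tls_loglevel = 1` would give the log lines needed to confirm TLS is actually negotiated after this change.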
@@ -106,13 +136,18 @@ smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce -smtpd_recipient_restrictions = reject_non_fqdn_recipient - reject_non_fqdn_sender +smtpd_recipient_restrictions = permit_mynetworks # not done yet, not sure if we need to offer this kind of service # permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination reject_non_fqdn_helo_hostname + reject_non_fqdn_recipient + reject_non_fqdn_sender + check_sender_access hash:/etc/postfix/access + reject_rhsbl_helo sbl.spamhaus.org + reject_rhsbl_reverse_client sbl.spamhaus.org + reject_rhsbl_sender sbl.spamhaus.org + reject_rbl_client sbl.spamhaus.org + reject_unauth_destination reject_unknown_sender_domain reject_unknown_client <%- if classes.include?('postgrey') -%> @@ -120,3 +155,5 @@ smtpd_recipient_restrictions = reject_non_fqdn_recipient <%- end -%> <%- end -%> +# Needed for buggy clients +always_add_missing_headers = yes |
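Review bot: `check_sender_access hash:/etc/postfix/access` now runs before `reject_unauth_destination`, so any entry in that map whose action is OK lets mail carrying that (easily forged) envelope sender relay to arbitrary destinations; move `reject_unauth_destination` directly after `permit_mynetworks` so an access-map whitelist can only bypass the anti-spam checks, never relay control. `reject_rbl_client sbl.spamhaus.org` has no `=d.d.d.d` filter, so any A record the zone returns counts as a listing, including its error and quota responses, which can turn a resolver or subscription problem into rejecting all inbound mail; restrict it to the documented listing return codes. The three `reject_rhsbl_*` checks look up domain names in `sbl.spamhaus.org`, which is documented as an IP-based list, so they are unlikely to ever match and a domain-based zone is the right target for RHSBL lookups. The `smtpd_recipient_restrictions` block starts inside the hunk but its closing `<%- end -%>` lines are in the following hunk.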
