Diffstat (limited to 'modules/postfix')
-rw-r--r--modules/postfix/manifests/server/primary.pp9
-rw-r--r--modules/postfix/templates/main.cf36
2 files changed, 36 insertions, 9 deletions
diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp
index 45b8fda6..c14a8606 100644
--- a/modules/postfix/manifests/server/primary.pp
+++ b/modules/postfix/manifests/server/primary.pp
@@ -1,11 +1,16 @@
class postfix::server::primary inherits postfix::server {
- package { 'postfix-ldap': }
+ # Adding DKIM server
+ include opendkim
+ opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:}
+ opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:}
+
+ package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: }
# council is here until we fully decide who has aliases in com team,
# see https://bugs.mageia.org/show_bug.cgi?id=1345
- # alumini is a special group for tracking previous members of
+ # alumni is a special group for tracking previous members of
# the project, so they keep their aliases for a time
$aliases_group = ['mga-founders',
'mga-packagers',
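Review bot: The opendkim::trusted range `212.85.158.0/24` on the line after the domain list is wider than the `212.85.158.144/28` that main.cf's mynetworks trusts, so hosts in the rest of the /24 would presumably be treated as internal by OpenDKIM (signed rather than verified) while Postfix treats them as external — worth confirming the wider range is intended, or narrowing it to match. The ten-entry list on the opendkim::domain line would read better as a named array, `$dkim_domains = [...]` followed by `opendkim::domain { $dkim_domains: }`. The `rspamd` package is added to the package list but nothing in this commit wires it into Postfix, so a comment saying whether it is configured elsewhere or is a placeholder would help. The `$aliases_group` array continues past the end of the hunk.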
diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf
index 7fe0f073..6b42a4de 100644
--- a/modules/postfix/templates/main.cf
+++ b/modules/postfix/templates/main.cf
@@ -27,7 +27,7 @@ relayhost = sucuk.<%= domain %>
# User configurable parameters
<% if all_tags.include?('postfix::simple_relay') %>
-inet_interfaces = localhost
+inet_interfaces = localhost, 127.0.0.1
<% else %>
inet_interfaces = all
<% end %>
@@ -39,7 +39,7 @@ smtp_address_preference = ipv4
<%- end -%>
# FIXME Do not hardcode this
-mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.1 163.172.148.228 [2001:bc8:4400:2800::4115]
+mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115]
myhostname = <%= fqdn %>
mydomain = <%= domain %>
<%- if all_tags.include?('postfix::server::secondary') -%>
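Review bot: `127.0.0.0/16` on the new mynetworks line is an unusual loopback range: the loopback block is `127.0.0.0/8`, which is also what the opendkim::trusted list in this commit uses, and a /16 matches neither that nor the single address it replaces. Unless a specific 127.x range is being targeted, `127.0.0.0/8` would keep the two trust lists consistent. Since anything in mynetworks skips every later smtpd_recipient_restrictions check, the range should be exactly the local hosts meant to relay, and the existing `# FIXME Do not hardcode this` still applies.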
@@ -49,7 +49,9 @@ relay_domains = <%= domain %>,
<%- end -%>
mydestination = <%= fqdn %>
+<%- if all_tags.include?('postfix::server::primary') -%>
ml.<%= domain %>
+<%- end -%>
<%- if all_tags.include?('postfix::server::primary') -%>
@@ -86,6 +88,19 @@ virtual_alias_maps = regexp:/etc/postfix/sympa_aliases
<%- end -%>
<%- end -%>
+<%- if all_tags.include?('postfix::server::primary') -%>
+# Adding DKIM Miler for primaryserver (sucuk)
+smtpd_milters = inet:127.0.0.1:8891
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
+milter_protocol = 2
+
+# Adding Sender Rewriting Scheme
+sender_canonical_maps = socketmap:inet:localhost:10003:forward
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = socketmap:inet:localhost:10003:reverse
+recipient_canonical_classes= envelope_recipient,header_recipient
+<%- end -%>
<%- if all_tags.include?('postfix::server') -%>
transport_maps = regexp:/etc/postfix/transport_regexp
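Review bot: `milter_default_action = accept` means that when the OpenDKIM milter on 127.0.0.1:8891 is unavailable Postfix accepts mail unsigned and unverified; that is a reasonable availability choice, but it should be stated so nobody later relies on DKIM verification being enforced, e.g. `# If opendkim is down, mail is still accepted (unsigned/unverified)`. The comment above it has typos: `# Adding DKIM milter for primary server (sucuk)`. The socketmap service on `localhost:10003` used by sender_canonical_maps and recipient_canonical_maps is not provisioned anywhere in this commit; if it is absent the canonical lookups fail and mail is deferred, so a comment naming the daemon expected there would help. `milter_protocol = 2` is older than the Postfix default of 6; if opendkim supports 6 the setting can be dropped. The hunk's trailing context is cut off here.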
@@ -121,17 +136,24 @@ smtpd_data_restrictions = permit_mynetworks
reject_unauth_pipelining
reject_multi_recipient_bounce
-smtpd_recipient_restrictions = reject_non_fqdn_recipient
- reject_non_fqdn_sender
+smtpd_recipient_restrictions = permit_mynetworks
# not done yet, not sure if we need to offer this kind of service
# permit_sasl_authenticated
- permit_mynetworks
- reject_unauth_destination
reject_non_fqdn_helo_hostname
+ reject_non_fqdn_recipient
+ reject_non_fqdn_sender
+ check_sender_access hash:/etc/postfix/access
+ reject_rhsbl_helo sbl.spamhaus.org
+ reject_rhsbl_reverse_client sbl.spamhaus.org
+ reject_rhsbl_sender sbl.spamhaus.org
+ reject_rbl_client sbl.spamhaus.org
+ reject_unauth_destination
reject_unknown_sender_domain
reject_unknown_client
<%- if classes.include?('postgrey') -%>
check_policy_service unix:extern/postgrey/socket
<%- end -%>
- check_sender_access hash:/etc/postfix/access
<%- end -%>
+
+# Needed for buggy clients
+always_add_missing_headers = yes
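Review bot: Moving `check_sender_access hash:/etc/postfix/access` ahead of `reject_unauth_destination` in smtpd_recipient_restrictions is an open-relay risk: any entry in the access map that returns OK/permit now allows relaying to arbitrary destinations for a sender address the client chose, and envelope senders are trivially forged. Unless the access map is known to contain only REJECT-type results (not visible here) and smtpd_relay_restrictions (not in this hunk) independently enforces relay control, `reject_unauth_destination` should come directly after `permit_mynetworks`, i.e. `smtpd_recipient_restrictions = permit_mynetworks` / `reject_unauth_destination` as the first two entries, with the later copy removed. Putting it early also avoids four DNSBL lookups for relay attempts that would be rejected anyway. The three `reject_rhsbl_*` lines query domain names against `sbl.spamhaus.org`, which is an IP-based list; the domain-based list is `dbl.spamhaus.org`, so as written these checks presumably never match. Spamhaus answers error conditions (for example queries via public resolvers) with codes outside `127.0.0.[2..11]`, which Postfix counts as a listing unless the lookup is written as `reject_rbl_client sbl.spamhaus.org=127.0.0.[2..11]`; without the filter an upstream error turns into rejecting all mail.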