Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
119 lines (115 sloc) 5.82 KB
---
postfix_config_file: /etc/postfix/main.cf
postfix_config:
smtpd_tls_cert_file: /etc/ssl/certs/server.pem
virtual_mailbox_domains: proxy:pgsql:/etc/postfix/domains.cf
alias_maps: "proxy:hash:{{aliases_file}}"
virtual_transport: vmaildrop
local_transport: local:$myhostname
virtual_alias_maps: proxy:pgsql:/etc/postfix/aliases.cf
vmaildrop_destination_recipient_limit: 1
localmaildrop_destination_recipient_limit: $vmaildrop_destination_recipient_limit
virtual_uid_maps: proxy:pgsql:/etc/postfix/uids.cf
virtual_gid_maps: proxy:pgsql:/etc/postfix/gids.cf
virtual_mailbox_base: /home/virtual
disable_vrfy_command: "yes"
virtual_minimum_uid: 500
virtual_mailbox_maps: proxy:pgsql:/etc/postfix/mailboxes.cf
smtp_sasl_auth_enable: "{{ postfix_smarthost_enabled | ternary('yes', 'no') }}"
smtpd_sasl_auth_enable: "{{ mail_enabled | ternary('yes', 'no') }}"
smtpd_sasl_type: "{{ mail_enabled | ternary('dovecot', None) }}"
mail_spool_directory: /var/spool/mail
smtpd_sasl_path: "{{ mail_enabled | ternary('private/auth', None) }}"
# plussed address notation foo+bar@domain.com
recipient_delimiter: +
transport_maps: hash:/etc/postfix/transport
# ">" breaks idempotency
proxy_read_maps:
$local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtp_sasl_auth_cache_name
proxy_write_maps:
$smtpd_tls_session_cache_database $smtp_sasl_auth_cache_name
{% if -1 != postfix_address_verify_map.find('memcache:') %}
{{ postfix_local_address_verify_map }} {{ postfix_local_postscreen_cache_map }}
{% else %}
$postscreen_cache_map $address_verify_map
{% endif %}
smtpd_recipient_restrictions:
'{{ postfix_relay_mynetworks | bool | ternary("permit_mynetworks,", "") }}
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_recipient_domain,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
check_client_access pcre:/etc/postfix/client_access,
check_sender_access pcre:/etc/postfix/access,
reject_unknown_recipient_domain,
reject_unverified_recipient,
reject_non_fqdn_recipient,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname'
# Remove permit_mynetworks to prevent TCP access without SMTP authentication
smtpd_relay_restrictions: '{{ postfix_relay_mynetworks | bool | ternary("permit_mynetworks,", "") }}permit_sasl_authenticated,defer_unauth_destination'
smtpd_helo_required: "yes"
smtpd_error_sleep_time: 60
maximal_backoff_time: 8h
smtpd_timeout: ${stress?10}${stress:300}
vmaildrop_destination_rate_delay: "{{ postfix_local_delivery_delay }}"
localmaildrop_destination_rate_delay: $vmaildrop_destination_rate_delay
smtpd_sasl_security_options: noanonymous
mailbox_size_limit: $message_size_limit
mailbox_transport: localmaildrop
minimal_backoff_time: 4h
queue_run_delay: 8h
data_directory: "{{ postfix_data_dir }}"
smtpd_tls_session_cache_database: proxy:btree:$data_directory/smtpd_scache
smtp_sasl_auth_cache_name: proxy:btree:$data_directory/sasl_auth_cache
message_size_limit: "{{ postfix_message_size_limit | default(1000000000) }}"
virtual_mailbox_limit: $message_size_limit
smtpd_soft_error_limit: ${stress?2}${stress:5}
smtpd_hard_error_limit: 2
virtual_destination_rate_delay: 1s
smtpd_proxy_options: speed_adjust
smtpd_tls_loglevel: "0"
postscreen_access_list: permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold: 2
postscreen_dnsbl_sites: bl.spamcop.net*2 b.barracudacentral.org*2 zen.spamhaus.org*2 list.dnswl.org*-2
postscreen_dnsbl_action: enforce
postscreen_greet_action: enforce
postscreen_non_smtp_command_enable: "yes"
smtpd_tls_mandatory_protocols: "!SSLv2"
smtp_tls_mandatory_protocols: "!SSLv2"
smtpd_tls_exclude_ciphers: SSLv2
require_home_directory: "yes"
home_mailbox: "{{ maildir_home }}/"
postscreen_dnsbl_ttl: 24h
postscreen_pipelining_action: drop
address_verify_map: "{{ postfix_address_verify_map }}"
postscreen_cache_map: "{{ postfix_postscreen_cache_map }}"
postscreen_cache_cleanup_interval: "{{ postfix_postscreen_cache_cleanup_interval | default(43200) }}"
inet_protocols: ipv4
postscreen_greet_wait: ${stress?2}${stress:6}s
address_verify_cache_cleanup_interval: 0
postscreen_dnsbl_whitelist_threshold: -1
compatibility_level: 2
smtp_tls_security_level: "{{ postfix_smarthost_enabled | ternary('encrypt', 'may') }}"
sender_dependent_default_transport_maps: hash:/etc/postfix/sender_transport
inet_interfaces: "{{ postfix_inet_interfaces | default('all') }}"
mydomain: "{{ postfix_mydomain }}"
# Smarthost
smtpd_sasl_authenticated_header: "{{ postfix_add_sasl_auth_header | ternary('yes', 'no')}}"
smtp_sasl_tls_security_options: "{{ postfix_smarthost_enabled | ternary('noanonymous', None) }}"
smtp_sasl_password_maps: "{{ postfix_smarthost_enabled | ternary('hash:' + postfix_smarthost_auth_file, None) }}"
relayhost: "{{ postfix_smarthost_enabled | ternary(postfix_smarthost_credentials.host, None) }}"
# PostSRS
sender_canonical_maps: "{{ postsrsd_enabled | ternary('tcp:localhost:' + postsrs_sender_map_port|string, None) }}"
sender_canonical_classes: "{{ postsrsd_enabled | ternary('envelope_sender', None) }}"
recipient_canonical_maps: "{{ postsrsd_enabled | ternary('tcp:localhost:' + postsrs_recipient_map_port|string, None) }}"
recipient_canonical_classes: "{{ postsrsd_enabled | ternary('envelope_recipient,header_recipient', None) }}"
# UTF8 BOM
strict_rfc821_envelopes: "{{ postfix_strict_envelope | ternary('yes', 'no')}}"
strict_smtputf8: "{{ postfix_strict_envelope | ternary('yes', 'no')}}"