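---
# Role defaults for a Postfix MTA.
#
# Variables referenced here but defined elsewhere (inventory / group vars):
# mail_server.*, host_name, hostvars, int_net, org — confirm against callers.
#
# Booleans are written as true/false (YAML 1.2 canonical form); they parse
# to the same values as the yes/no spelling they replace. Deliberately empty
# Postfix parameters are written as "" so the rendered line stays empty even
# if the template engine prints None literally. How values are rendered into
# main.cf / master.cf is decided by the role's templates, not by this file.

postfix_user: postfix
postfix_group: postfix
postfix_conf_dir: /etc/postfix
postfix_sql_dir: "{{ postfix_conf_dir }}/sql"
postfix_tls_dir: "{{ postfix_conf_dir }}/tls"

# "int_*" key pairs serve the authenticated client ports (submission/smtps),
# "ext_*" pairs serve the public MX listener. Each side has an ECC (384-bit)
# and an RSA-2048 pair, as the file names indicate.
postfix_tls_int_ecc384_key: "{{ postfix_tls_dir }}/int_ecc384.key"
postfix_tls_int_ecc384_cert: "{{ postfix_tls_dir }}/int_ecc384.crt"
postfix_tls_int_rsa2048_key: "{{ postfix_tls_dir }}/int_rsa2048.key"
postfix_tls_int_rsa2048_cert: "{{ postfix_tls_dir }}/int_rsa2048.crt"
postfix_tls_ext_ecc384_key: "{{ postfix_tls_dir }}/ext_ecc384.key"
postfix_tls_ext_ecc384_cert: "{{ postfix_tls_dir }}/ext_ecc384.crt"
postfix_tls_ext_rsa2048_key: "{{ postfix_tls_dir }}/ext_rsa2048.key"
postfix_tls_ext_rsa2048_cert: "{{ postfix_tls_dir }}/ext_rsa2048.crt"
postfix_tls_dh2048: "{{ postfix_tls_dir }}/dh2048.pem"

# When true, smtp_tls_policy_maps additionally consults an MTA-STS resolver
# socketmap on 127.0.0.1:<mail_server.mta_sts_port>.
postfix_use_mta_sts_resolver: true

# main.cf parameters (presumably rendered by the role's main.cf template).
# Keys named mua_* are user-defined Postfix parameters: the submission and
# smtps services below reference them as $mua_*.
postfix_default_config:
  # Quoted so the value stays the string "3.6" rather than a float.
  compatibility_level: "3.6"
  mydomain: "{{ mail_server.tld }}"
  myhostname: "{{ (mail_server.mta_actual_hostname | d(host_name)) ~ '.' ~ mail_server.tld }}"
  myorigin: "$mydomain"
  masquerade_domains: "$mydomain"
  # Only the local host is trusted as mynetworks; every other client must
  # authenticate (submission/smtps) or pass the smtpd_* restrictions.
  mynetworks_style: host
  mydestination: localhost
  # Empty on purpose: no relay domains, so reject_unauth_destination only
  # permits mail for the virtual mailbox domains.
  relay_domains: ""
  inet_protocols: ipv4
  # LMTP delivery to the MUA host; the port is appended only when
  # mail_server.mua_lmtp_port is defined.
  virtual_transport: "lmtp:inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_lmtp_port) if mail_server.mua_lmtp_port is defined else '') }}"
  virtual_alias_maps: "pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }},pgsql:{{ (postfix_sql_dir ~ '/forwards.cf') | quote }}"
  virtual_mailbox_domains: "pgsql:{{ (postfix_sql_dir ~ '/domains.cf') | quote }}"
  virtual_mailbox_maps: "pgsql:{{ (postfix_sql_dir ~ '/users.cf') | quote }}"
  local_recipient_maps: "$virtual_mailbox_maps"
  # Backs reject_authenticated_sender_login_mismatch (mua_sender_restrictions):
  # an authenticated login may only use envelope senders that are its own,
  # shared with it, or aliased to it. Backslash-newline is a YAML escaped line
  # break, so the value renders as a single line without spaces.
  smtpd_sender_login_maps: "unionmap:{\
    pgsql:{{ (postfix_sql_dir ~ '/shared_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/self_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }}\
    }"

  # Size limits.
  message_size_limit: "{{ mail_server.max_mail_size_bytes }}"
  mailbox_size_limit: 0
  virtual_mailbox_limit: 0
  header_size_limit: 512000
  default_destination_recipient_limit: 25

  # Queue timing.
  queue_run_delay: 3m
  minimal_backoff_time: 3m
  maximal_backoff_time: 30m
  maximal_queue_lifetime: 3d
  bounce_queue_lifetime: 2d

  # TLS settings shared by client and server roles.
  tls_append_default_CA: true
  tls_disable_workarounds: ""
  # NO_RENEGOTIATION disables TLS renegotiation outright; LEGACY_SERVER_CONNECT
  # still allows connections to peers that lack RFC 5746 secure renegotiation.
  # NOTE(review): LEGACY_SERVER_CONNECT is an interoperability concession —
  # drop it once no such peers remain.
  tls_ssl_options: "NO_COMPRESSION, NO_RENEGOTIATION, ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, PRIORITIZE_CHACHA"
  tls_preempt_cipherlist: true

  # Outbound (smtp client) TLS: DANE with a TLS 1.2 floor. DANE needs
  # DNSSEC-validated TLSA data; where none is available Postfix falls back
  # to opportunistic ("may") TLS for that destination.
  smtp_dns_support_level: dnssec
  smtp_tls_CApath: /etc/ssl/certs
  smtp_tls_ciphers: medium
  smtp_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtp_tls_protocols: ">=TLSv1.2"
  smtp_tls_mandatory_ciphers: medium
  smtp_tls_mandatory_protocols: ">=TLSv1.2"
  smtp_tls_security_level: dane
  smtp_tls_servername: hostname
  smtp_starttls_timeout: 180s
  smtp_tls_note_starttls_offer: true
  # Per-destination policy table, optionally followed by the MTA-STS resolver
  # socketmap; select() drops the empty entry when the resolver is disabled.
  smtp_tls_policy_maps: "{{ [
    'pgsql:' ~ ((postfix_sql_dir ~ '/tls_policies.cf') | quote),
    ('socketmap:inet:127.0.0.1:' ~ mail_server.mta_sts_port ~ ':postfix')
    if (postfix_use_mta_sts_resolver | d(false) == true) else '',
    ] | select() | list | join(',') }}"

  # Inbound (smtpd) TLS on the public MX: opportunistic ("may") so plaintext
  # senders are still accepted, but AUTH is only ever offered inside TLS
  # (smtpd_tls_auth_only) and the global SASL switch stays off — the
  # submission/smtps services enable it per service.
  smtpd_tls_cert_file: "{{ postfix_tls_ext_rsa2048_cert | quote }}"
  smtpd_tls_key_file: "{{ postfix_tls_ext_rsa2048_key | quote }}"
  smtpd_tls_eccert_file: "{{ postfix_tls_ext_ecc384_cert | quote }}"
  smtpd_tls_eckey_file: "{{ postfix_tls_ext_ecc384_key | quote }}"
  smtpd_tls_security_level: may
  smtpd_tls_ciphers: medium
  smtpd_tls_mandatory_ciphers: medium
  smtpd_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtpd_tls_protocols: ">=TLSv1.2"
  smtpd_tls_mandatory_protocols: ">=TLSv1.2"
  # The parameter name is historical; the file referenced holds 2048-bit
  # DH parameters.
  smtpd_tls_dh1024_param_file: "{{ postfix_tls_dh2048 | quote }}"
  smtpd_tls_auth_only: true
  smtpd_tls_received_header: true

  # SASL is delegated to the Dovecot auth service on the MUA host.
  smtpd_sasl_type: dovecot
  smtpd_sasl_path: "inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_auth_port) if mail_server.mua_auth_port is defined else '') }}"
  smtpd_sasl_auth_enable: false
  smtpd_sasl_local_domain: "$mydomain"
  # NOTE(review): a Postfix network list consisting only of a negated pattern
  # may match nothing — confirm this produces the intended exception rather
  # than being a no-op.
  smtpd_sasl_exceptions_networks: "!{{ int_net }}"
  # No anonymous and no plaintext mechanisms on an unencrypted session; once
  # TLS is established only anonymous remains disabled.
  smtpd_sasl_security_options: "noanonymous, noplaintext"
  smtpd_sasl_tls_security_options: noanonymous
  smtpd_sasl_authenticated_header: false

  # Restriction lists. smtpd_* apply to the public MX listeners; mua_* are
  # referenced by the submission/smtps services. All lists start with
  # reject_unauth_pipelining and end with an explicit permit/reject.
  smtpd_client_restrictions:
    - permit
  mua_client_restrictions:
    - permit_sasl_authenticated
    - reject
  # The texthash lookups (smtpd_checks_relaxed.hash, presumably generated
  # from postfix_relaxed_smtpd_domains) let listed clients skip the
  # reverse-DNS checks that follow them.
  smtpd_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_mynetworks
    - reject_non_fqdn_helo_hostname
    - "check_helo_access pcre:{{ (postfix_conf_dir ~ '/filter_smtpd_helo.pcre') | quote }}"
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_client_hostname
    - reject_unknown_helo_hostname
    - permit
  mua_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_sasl_authenticated
    - reject
  smtpd_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    - permit_mynetworks
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_sender_domain
    - permit
  mua_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    # Ties the envelope sender to the SASL login via smtpd_sender_login_maps.
    - reject_authenticated_sender_login_mismatch
    - permit_sasl_authenticated
    - reject
  smtpd_relay_restrictions:
    - reject_unauth_pipelining
    - permit_mynetworks
    - reject_unauth_destination
    - permit
  mua_relay_restrictions:
    - reject_unauth_pipelining
    - permit_sasl_authenticated
    - reject
  # no_reply.cf returns REJECT for recipients flagged no_reply in mail_users
  # (see postfix_sql_queries.no_reply).
  smtpd_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # Disabled in the original; looks like a quota policy lookup on the MUA host.
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_mynetworks
    - reject_unknown_recipient_domain
    - reject_unlisted_recipient
    - permit
  mua_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # Disabled in the original; looks like a quota policy lookup on the MUA host.
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_sasl_authenticated
    - reject
  smtpd_data_restrictions:
    - reject_unauth_pipelining
    - permit
  smtpd_etrn_restrictions:
    - reject

  # smtp client behaviour and timeouts.
  smtp_always_send_ehlo: true
  smtp_connect_timeout: 20s
  smtp_helo_timeout: 120s
  smtp_rcpt_timeout: 120s
  smtp_mail_timeout: 180s
  smtp_quit_timeout: 180s
  smtp_xforward_timeout: 180s
  smtp_pix_workarounds: delay_dotcrlf
  smtp_use_tls: true
  smtp_transport_rate_delay: 1s

  # Empty on purpose: no client may use VERP, XCLIENT or XFORWARD
  # (XCLIENT/XFORWARD would let a client override its own identity).
  smtpd_authorized_verp_clients: ""
  smtpd_authorized_xclient_hosts: ""
  smtpd_authorized_xforward_hosts: ""
  smtpd_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) ready"

  # Per-client (anvil) limits and error handling on the public listeners.
  smtpd_client_connection_count_limit: 120
  smtpd_client_connection_rate_limit: 360
  smtpd_client_message_rate_limit: 120
  smtpd_client_recipient_rate_limit: 240
  smtpd_client_new_tls_session_rate_limit: 180
  smtpd_client_auth_rate_limit: 90
  smtpd_client_port_logging: true
  smtpd_delay_reject: true
  smtpd_error_sleep_time: 3s
  smtpd_soft_error_limit: 3
  smtpd_hard_error_limit: 6
  smtpd_junk_command_limit: 15
  smtpd_helo_required: true
  smtpd_policy_service_default_action: DUNNO
  smtpd_recipient_limit: 50
  smtpd_recipient_overshoot_limit: 50
  smtpd_timeout: 120s
  smtpd_use_tls: true
  smtpd_discard_ehlo_keywords: "silent-discard, etrn"

  # postscreen: the CIDR file is consulted first, then DNSBL scoring;
  # a client is blocked once its DNSBL score reaches the threshold.
  postscreen_access_list: "permit_mynetworks, cidr:{{ (postfix_conf_dir ~ '/filter_postscreen_connect.cidr') | quote }}"
  postscreen_blacklist_action: drop
  postscreen_dnsbl_action: enforce
  postscreen_greet_action: enforce
  postscreen_bare_newline_enable: false
  postscreen_non_smtp_command_enable: false
  postscreen_pipelining_enable: false
  postscreen_dnsbl_max_ttl: 3h
  postscreen_dnsbl_min_ttl: 10m
  postscreen_dnsbl_threshold: 2
  # The =127.0.0.[a..b] filters restrict which return codes count; codes
  # outside the range (e.g. a list's "query refused" codes) score nothing.
  # NOTE(review): confirm each zone is still operating and that its terms
  # allow this resolver — a defunct or refusing zone silently stops
  # contributing to the threshold.
  postscreen_dnsbl_sites:
    - "zen.spamhaus.org=127.0.0.[1..20]"
    - "dnsbl.sorbs.net=127.0.0.[1..255]"
    - "dnsbl.spfbl.net=127.0.0.[1..255]"
    - "bl.nordspam.com=127.0.0.2"
  postscreen_dnsbl_timeout: 2s
  postscreen_greet_wait: 2s
  postscreen_greet_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) loading..."

  # Milters: rspamd and clamav, each included only when both its host and
  # port are defined. milter_default_action=accept is fail-open — mail is
  # accepted unscanned while a milter is unreachable; use tempfail if
  # scanning must be mandatory.
  smtpd_milters: "{{ [
    (('inet:' ~ hostvars[mail_server.rspamd_hostname]['ansible_host'] ~ ':' ~ mail_server.rspamd_port)
    if (mail_server.rspamd_hostname is defined and mail_server.rspamd_port is defined) else ''),
    (('inet:' ~ hostvars[mail_server.clamav_hostname]['ansible_host'] ~ ':' ~ mail_server.clamav_port)
    if (mail_server.clamav_hostname is defined and mail_server.clamav_port is defined) else '')
    ] | select() | list | join(',') }}"
  milter_default_action: accept
  milter_protocol: 6
  non_smtpd_milters: "$smtpd_milters"

  # Misc.
  notify_classes: "bounce, data, delay, policy, resource, software"
  swap_bangpath: false
  show_user_unknown_table_name: false
  # A string, not a boolean: unqualified addresses from remote clients are
  # rewritten into a non-routable domain.
  remote_header_rewrite_domain: "no.tld"
  local_header_rewrite_clients:
    - permit_mynetworks
    - permit_inet_interfaces
    - permit_sasl_authenticated
  enable_long_queue_ids: true
  # VRFY is disabled so recipients cannot be enumerated.
  disable_vrfy_command: true
  delay_warning_time: 20m
  confirm_delay_cleared: true
  default_recipient_limit: 1000
  allow_min_user: true
  backwards_bounce_logfile_compatibility: false
  biff: false
  anvil_status_update_time: 1h
  recipient_delimiter: "+"
  append_dot_mydomain: true
  respectful_logging: false

# master.cf entries. The "conf" keys appear to map onto master.cf columns
# (type, private → priv, unpriv, wakeup, maxproc), with Postfix defaults for
# anything omitted, and "options" onto per-service "-o name=value"
# overrides — confirm against the role's master.cf template.
postfix_services:
  # Public MX path: postscreen on 2525 (quoted so it stays a string) hands
  # accepted connections to the "smtpd" pass service.
  - service: "2525"
    conf: {type: 'inet', priv: false, maxproc: 1}
    command: postscreen
  - service: smtpd
    conf: {type: 'pass'}
    command: smtpd
    options:
      syslog_name: postfix/smtp_ext
  - service: dnsblog
    conf: {maxproc: 0}
    command: dnsblog
  - service: tlsproxy
    conf: {maxproc: 0}
    command: tlsproxy
  # Port 25 listener without postscreen; logged separately from the
  # external path and run through the submission cleanup service.
  - service: smtp
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtp_int
      cleanup_service_name: cleanupsub
  # Authenticated client ports: TLS is mandatory (encrypt / wrappermode),
  # the internal certificates are presented, SASL is switched on and the
  # mua_* restriction lists replace the public-MX ones.
  - service: submission
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/submission
      smtpd_tls_security_level: encrypt
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: "$mua_client_restrictions"
      smtpd_helo_restrictions: "$mua_helo_restrictions"
      smtpd_sender_restrictions: "$mua_sender_restrictions"
      smtpd_relay_restrictions: "$mua_relay_restrictions"
      smtpd_recipient_restrictions: "$mua_recipient_restrictions"
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      # NOTE(review): ">=TLSv1" relaxes the global ">=TLSv1.2" floor for
      # legacy MUAs. TLS 1.0/1.1 are deprecated (RFC 8996); raise this once
      # those clients are gone. The same applies to the smtps service.
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"
  - service: smtps
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtps
      smtpd_tls_wrappermode: true
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: "$mua_client_restrictions"
      smtpd_helo_restrictions: "$mua_helo_restrictions"
      smtpd_sender_restrictions: "$mua_sender_restrictions"
      smtpd_relay_restrictions: "$mua_relay_restrictions"
      smtpd_recipient_restrictions: "$mua_recipient_restrictions"
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"
  # Standard Postfix daemons.
  - service: pickup
    conf: {priv: false, wakeup: 60, maxproc: 1}
    command: pickup
  - service: cleanup
    conf: {priv: false, maxproc: 0}
    command: cleanup
  # Second cleanup instance used by the authenticated/internal listeners;
  # applies the submission header filter.
  - service: cleanupsub
    conf: {priv: false, maxproc: 0}
    command: cleanup
    options:
      syslog_name: postfix/cleanupsub
      header_checks: "pcre:{{ (postfix_conf_dir ~ '/filter_submission_header.pcre') | quote }}"
  - service: qmgr
    conf: {priv: false, wakeup: 300, maxproc: 1}
    command: qmgr
  - service: tlsmgr
    conf: {wakeup: '1000?', maxproc: 1}
    command: tlsmgr
  - service: rewrite
    command: trivial-rewrite
  - service: bounce
    conf: {maxproc: 0}
    command: bounce
  - service: defer
    conf: {maxproc: 0}
    command: bounce
  - service: trace
    conf: {maxproc: 0}
    command: bounce
  - service: verify
    conf: {maxproc: 1}
    command: verify
  - service: flush
    conf: {priv: false, wakeup: '1000?', maxproc: 0}
    command: flush
  - service: proxymap
    command: proxymap
  - service: proxywrite
    conf: {maxproc: 1}
    command: proxymap
  - service: smtp
    command: smtp
  - service: relay
    command: smtp
    options:
      syslog_name: postfix/$service_name
  - service: showq
    conf: {priv: false}
    command: showq
  - service: error
    command: error
  - service: retry
    command: error
  - service: discard
    command: discard
  # local/virtual use "unpriv" (not "priv"): these delivery agents are
  # not run unprivileged, matching the stock master.cf.
  - service: local
    conf: {unpriv: false}
    command: local
  - service: virtual
    conf: {unpriv: false}
    command: virtual
  - service: lmtp
    command: lmtp
  - service: anvil
    conf: {maxproc: 1}
    command: anvil
  - service: scache
    conf: {maxproc: 1}
    command: scache
  - service: postlog
    conf: {type: 'unix-dgram', priv: false, maxproc: 1}
    command: postlogd

# pgsql map queries (one per *.cf file under postfix_sql_dir). Postfix
# expands %s (whole key), %u (local part) and %d (domain) with SQL quoting
# already applied, so the LOWER('%x') literals are safe as long as these
# queries are only ever used from Postfix pgsql: maps.
postfix_sql_queries:
  # virtual_alias_maps: alias -> target address.
  aliases: |
    SELECT concat(email_username, '@', (
      SELECT domain FROM mail_domains WHERE id = email_domain_id)
    ) AS email
    FROM mail_aliases
    WHERE LOWER(alias_username) = LOWER('%u')
      AND alias_domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      )
      AND enabled = true;
  # virtual_mailbox_domains: domain exists?
  domains: |
    SELECT domain FROM mail_domains WHERE LOWER(domain) = LOWER('%s');
  # virtual_alias_maps: forward keeps a copy for the source and adds the
  # destination.
  forwards: |
    SELECT concat(source, ',', destination)
    FROM mail_forwards
    WHERE LOWER(source) = LOWER('%s')
      AND enabled = true;
  # check_recipient_access: REJECT for no-reply mailboxes, DUNNO otherwise.
  no_reply: |
    SELECT CASE WHEN no_reply = true THEN 'REJECT' ELSE 'DUNNO' END AS access
    FROM mail_users
    WHERE LOWER(username) = LOWER('%u')
      AND domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      )
      AND enabled = true;
  # smtpd_sender_login_maps: the login that owns this address.
  self_users: |
    SELECT concat(username, '@', (
      SELECT domain FROM mail_domains WHERE id = domain_id
    )) AS email
    FROM mail_users
    WHERE LOWER(username) = LOWER('%u')
      AND domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      )
      AND enabled = true;
  # smtpd_sender_login_maps: logins this address has been shared with.
  shared_users: |
    SELECT to_user AS email
    FROM mail_user_shares
    WHERE LOWER(from_user) = LOWER('%s');
  # smtp_tls_policy_maps: per-destination TLS policy and parameters.
  tls_policies: |
    SELECT policy, params
    FROM mail_tls
    WHERE LOWER(foreign_domain) = LOWER('%s')
      AND enabled = true;
  # virtual_mailbox_maps: mailbox exists?
  users: |
    SELECT 1 AS user
    FROM mail_users
    WHERE LOWER(username) = LOWER('%u')
      AND domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      )
      AND enabled = true;

# Clients exempted from the stricter HELO/sender checks via the
# check_client_access texthash lookups above (presumably the source of
# smtpd_checks_relaxed.hash). In Postfix access lookups an address key is
# tried first, then its parent network blocks, so entries with fewer than
# four octets act as network prefixes.
postfix_relaxed_smtpd_domains:
  - dellin.ru
  - mx.smp.io
  - smmplanner.com
  - noty.smmplanner.com
  - 5.135.32.65
  - avito.ru
  - smtp-fallback.avito.ru
  - platformalp.ru
  - dba.platformalp.ru
  - 85.119.149.136
  - 146.158.53
  - 146.158.48
  - 146.158.55
  - 178.44.116.85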