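# Service account the Postfix daemons run as, and the group used for the
# ownership of deployed configuration files.
postfix_user: postfix
postfix_group: postfix

# Base configuration directory. Every other path in this file is derived from
# it, so relocating the install only requires changing this one value.
postfix_conf_dir: /etc/postfix

# Directory holding the pgsql: lookup-table definitions rendered from
# postfix_sql_queries (referenced as <name>.cf throughout the main.cf values).
postfix_sql_dir: "{{ postfix_conf_dir }}/sql"

# Directory holding TLS key material. Two certificate sets are kept:
#   int_* — used by the MUA-facing submission/smtps services
#   ext_* — used by the MTA-facing smtpd (postfix_default_config)
# Each set has an ECC (presumably P-384, from the file name) and an RSA-2048
# key pair; Postfix serves whichever the client's cipher suite selects.
postfix_tls_dir: "{{ postfix_conf_dir }}/tls"

postfix_tls_int_ecc384_key: "{{ postfix_tls_dir }}/int_ecc384.key"
postfix_tls_int_ecc384_cert: "{{ postfix_tls_dir }}/int_ecc384.crt"
postfix_tls_int_rsa2048_key: "{{ postfix_tls_dir }}/int_rsa2048.key"
postfix_tls_int_rsa2048_cert: "{{ postfix_tls_dir }}/int_rsa2048.crt"

postfix_tls_ext_ecc384_key: "{{ postfix_tls_dir }}/ext_ecc384.key"
postfix_tls_ext_ecc384_cert: "{{ postfix_tls_dir }}/ext_ecc384.crt"
postfix_tls_ext_rsa2048_key: "{{ postfix_tls_dir }}/ext_rsa2048.key"
postfix_tls_ext_rsa2048_cert: "{{ postfix_tls_dir }}/ext_rsa2048.crt"

# Finite-field Diffie-Hellman parameters for DHE key exchange
# (wired to smtpd_tls_dh1024_param_file, whose name Postfix kept for
# historical reasons; the file holds 2048-bit parameters).
postfix_tls_dh2048: "{{ postfix_tls_dir }}/dh2048.pem"

# When true, smtp_tls_policy_maps additionally consults an MTA-STS resolver
# exposed as a socketmap on 127.0.0.1:{{ mail_server.mta_sts_port }}.
# Written as a canonical YAML boolean: the former "yes" parses to the same
# value under YAML 1.1, but yamllint flags it and YAML 1.2 parsers would
# read it as the string "yes".
postfix_use_mta_sts_resolver: true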
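# main.cf parameters. The smtpd_* restriction lists apply to the MTA-facing
# listeners; the mua_* keys are user-defined parameters that the submission
# and smtps services in postfix_services substitute via $mua_*.
# Booleans are written as YAML true/false. The former yes/no spellings
# parsed to the same Python values under YAML 1.1, so rendering is
# unchanged (presumably the template maps them back to Postfix "yes"/"no"
# — TODO confirm against the template).
postfix_default_config:
  # Quoted so the version is kept as a string and not coerced to a float.
  compatibility_level: "3.6"

  mydomain: "{{ mail_server.tld }}"
  myhostname: "{{ (mail_server.mta_actual_hostname | d(host_name)) ~ '.' ~ mail_server.tld }}"
  myorigin: "$mydomain"
  masquerade_domains: "$mydomain"
  # Only the host itself is trusted by permit_mynetworks; every other client
  # must pass the restriction lists below or authenticate via submission.
  mynetworks_style: host
  mydestination: localhost
  # NOTE(review): an empty value parses as YAML null — confirm the template
  # renders it as an empty Postfix setting rather than the literal "None".
  relay_domains:
  inet_protocols: ipv4

  # Delivery and address lookups are delegated to the MUA host (Dovecot LMTP)
  # and to the PostgreSQL tables defined in postfix_sql_queries.
  virtual_transport: "lmtp:inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_lmtp_port) if mail_server.mua_lmtp_port is defined else '') }}"
  virtual_alias_maps: "pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }},pgsql:{{ (postfix_sql_dir ~ '/forwards.cf') | quote }}"
  virtual_mailbox_domains: "pgsql:{{ (postfix_sql_dir ~ '/domains.cf') | quote }}"
  virtual_mailbox_maps: "pgsql:{{ (postfix_sql_dir ~ '/users.cf') | quote }}"

  local_recipient_maps: "$virtual_mailbox_maps"
  # Which sender addresses an authenticated SASL login may use; enforced by
  # reject_authenticated_sender_login_mismatch in mua_sender_restrictions.
  # The trailing backslashes join the lines of the double-quoted scalar
  # without inserting whitespace.
  smtpd_sender_login_maps: "unionmap:{\
    pgsql:{{ (postfix_sql_dir ~ '/shared_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/self_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }}\
    }"

  message_size_limit: "{{ mail_server.max_mail_size_bytes }}"
  mailbox_size_limit: 0
  virtual_mailbox_limit: 0
  header_size_limit: 512000
  default_destination_recipient_limit: 25

  queue_run_delay: 3m
  minimal_backoff_time: 3m
  maximal_backoff_time: 30m
  maximal_queue_lifetime: 3d
  bounce_queue_lifetime: 2d

  tls_append_default_CA: true
  # NOTE(review): empty value parses as YAML null — see relay_domains.
  tls_disable_workarounds:
  # LEGACY_SERVER_CONNECT permits handshakes with peers that do not support
  # the secure-renegotiation extension; an interoperability trade-off that
  # is worth revisiting once such peers are gone.
  tls_ssl_options: NO_COMPRESSION, NO_RENEGOTIATION, ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, PRIORITIZE_CHACHA
  tls_preempt_cipherlist: true

  # Outbound TLS: opportunistic DANE. This only authenticates peers when the
  # host's resolver validates DNSSEC; otherwise it presumably degrades to the
  # unauthenticated "may" level — verify the resolver on the target host.
  smtp_dns_support_level: dnssec
  smtp_tls_CApath: /etc/ssl/certs
  smtp_tls_ciphers: medium
  smtp_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtp_tls_protocols: ">=TLSv1.2"
  smtp_tls_mandatory_ciphers: medium
  smtp_tls_mandatory_protocols: ">=TLSv1.2"
  smtp_tls_security_level: dane
  smtp_tls_servername: hostname
  smtp_starttls_timeout: 180s
  smtp_tls_note_starttls_offer: true

  # Per-destination TLS policy from the database, optionally followed by the
  # MTA-STS socketmap when postfix_use_mta_sts_resolver is true; select()
  # drops the empty string produced when the resolver is disabled.
  smtp_tls_policy_maps: "{{ [
    'pgsql:' ~ ((postfix_sql_dir ~ '/tls_policies.cf') | quote),
    ('socketmap:inet:127.0.0.1:' ~ mail_server.mta_sts_port ~ ':postfix') if (postfix_use_mta_sts_resolver | d(false) == true) else '',
    ] | select() | list | join(',') }}"

  # MTA-facing certificate set (ext_*); the MUA-facing services override
  # these with the int_* set in postfix_services.
  smtpd_tls_cert_file: "{{ postfix_tls_ext_rsa2048_cert | quote }}"
  smtpd_tls_key_file: "{{ postfix_tls_ext_rsa2048_key | quote }}"
  smtpd_tls_eccert_file: "{{ postfix_tls_ext_ecc384_cert | quote }}"
  smtpd_tls_eckey_file: "{{ postfix_tls_ext_ecc384_key | quote }}"

  # Inbound MTA traffic: opportunistic TLS (mandatory TLS on the MTA port
  # would lose mail from peers that cannot STARTTLS), but SASL AUTH is never
  # announced or accepted on an unencrypted connection (smtpd_tls_auth_only).
  smtpd_tls_security_level: may
  smtpd_tls_ciphers: medium
  smtpd_tls_mandatory_ciphers: medium
  smtpd_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtpd_tls_protocols: ">=TLSv1.2"
  smtpd_tls_mandatory_protocols: ">=TLSv1.2"
  smtpd_tls_dh1024_param_file: "{{ postfix_tls_dh2048 | quote }}"
  smtpd_tls_auth_only: true
  smtpd_tls_received_header: true

  # SASL is delegated to Dovecot over the network. It is disabled here and
  # enabled per service for submission/smtps in postfix_services.
  smtpd_sasl_type: dovecot
  smtpd_sasl_path: "inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_auth_port) if mail_server.mua_auth_port is defined else '') }}"
  smtpd_sasl_auth_enable: false
  smtpd_sasl_local_domain: "$mydomain"
  # int_net is defined outside this file. The leading "!" negates the match,
  # so AUTH is withheld from every client *outside* int_net — consistent with
  # the mua_* lists rejecting all unauthenticated clients, but confirm this is
  # the intended submission policy.
  smtpd_sasl_exceptions_networks: "!{{ int_net }}"
  # noplaintext refuses PLAIN/LOGIN on unencrypted sessions; once TLS is up
  # only the *_tls_* options apply and plaintext mechanisms are allowed.
  smtpd_sasl_security_options: "noanonymous, noplaintext"
  smtpd_sasl_tls_security_options: noanonymous
  smtpd_sasl_authenticated_header: false

  # Restriction stages. With smtpd_delay_reject enabled (below) every stage
  # is evaluated at RCPT TO, so a rejecting stage still produces a full
  # client/helo/sender record in the log.
  smtpd_client_restrictions:
    - permit
  mua_client_restrictions:
    - permit_sasl_authenticated
    - reject

  smtpd_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_mynetworks
    - reject_non_fqdn_helo_hostname
    - "check_helo_access pcre:{{ (postfix_conf_dir ~ '/filter_smtpd_helo.pcre') | quote }}"
    # Clients in the relaxed table can short-circuit the two DNS-based checks
    # that follow — presumably built from postfix_relaxed_smtpd_domains; verify
    # which action the generated table assigns.
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_client_hostname
    - reject_unknown_helo_hostname
    - permit
  mua_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_sasl_authenticated
    - reject

  smtpd_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    - permit_mynetworks
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_sender_domain
    - permit
  mua_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    # Authenticated users may only send as addresses smtpd_sender_login_maps
    # grants them (prevents spoofing between accounts on the same server).
    - reject_authenticated_sender_login_mismatch
    - permit_sasl_authenticated
    - reject

  # reject_unauth_destination is what keeps the MTA from being an open relay;
  # it must stay ahead of the final permit.
  smtpd_relay_restrictions:
    - reject_unauth_pipelining
    - permit_mynetworks
    - reject_unauth_destination
    - permit
  mua_relay_restrictions:
    - reject_unauth_pipelining
    - permit_sasl_authenticated
    - reject

  smtpd_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # Quota policy service on the MUA host; disabled for now.
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_mynetworks
    - reject_unknown_recipient_domain
    - reject_unlisted_recipient
    - permit
  mua_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_sasl_authenticated
    - reject

  smtpd_data_restrictions:
    - reject_unauth_pipelining
    - permit
  # ETRN is refused outright; nothing here relays for secondary MXes.
  smtpd_etrn_restrictions:
    - reject

  # Outbound SMTP client timeouts and behaviour.
  smtp_always_send_ehlo: true
  smtp_connect_timeout: 20s
  smtp_helo_timeout: 120s
  smtp_rcpt_timeout: 120s
  smtp_mail_timeout: 180s
  smtp_quit_timeout: 180s
  smtp_xforward_timeout: 180s
  smtp_pix_workarounds: delay_dotcrlf
  smtp_use_tls: true
  smtp_transport_rate_delay: 1s

  # No client is authorised for VERP, XCLIENT or XFORWARD; leaving these empty
  # is the safe default (XCLIENT/XFORWARD let a client override its identity).
  # NOTE(review): empty values parse as YAML null — see relay_domains.
  smtpd_authorized_verp_clients:
  smtpd_authorized_xclient_hosts:
  smtpd_authorized_xforward_hosts:
  # org is defined outside this file.
  smtpd_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) ready"
  # Per-client rate limits enforced by anvil (per anvil_rate_time_unit).
  smtpd_client_connection_count_limit: 120
  smtpd_client_connection_rate_limit: 360
  smtpd_client_message_rate_limit: 120
  smtpd_client_recipient_rate_limit: 240
  smtpd_client_new_tls_session_rate_limit: 180
  smtpd_client_auth_rate_limit: 90
  smtpd_client_port_logging: true
  smtpd_delay_reject: true
  smtpd_error_sleep_time: 3s
  smtpd_soft_error_limit: 3
  smtpd_hard_error_limit: 6
  smtpd_junk_command_limit: 15
  smtpd_helo_required: true
  # A failing policy service (the commented-out quota check above) neither
  # permits nor rejects; the remaining restrictions decide.
  smtpd_policy_service_default_action: DUNNO
  smtpd_recipient_limit: 50
  smtpd_recipient_overshoot_limit: 50
  smtpd_timeout: 120s
  smtpd_use_tls: true
  smtpd_discard_ehlo_keywords: silent-discard, etrn

  # postscreen: cheap pre-filtering of the MTA-facing port before a real
  # smtpd process is spent on the client.
  postscreen_access_list: "permit_mynetworks, cidr:{{ (postfix_conf_dir ~ '/filter_postscreen_connect.cidr') | quote }}"
  # Legacy parameter name; newer Postfix documents it as
  # postscreen_denylist_action. Confirm the old name is still accepted on
  # the target version.
  postscreen_blacklist_action: drop
  postscreen_dnsbl_action: enforce
  postscreen_greet_action: enforce
  postscreen_bare_newline_enable: false
  postscreen_non_smtp_command_enable: false
  postscreen_pipelining_enable: false
  postscreen_dnsbl_max_ttl: 3h
  postscreen_dnsbl_min_ttl: 10m
  # A client is rejected once the weighted DNSBL score reaches 2 (each site
  # below counts 1). Review this list periodically: a list that has been
  # retired, or that starts answering for every query, changes the outcome
  # for all clients.
  postscreen_dnsbl_threshold: 2
  postscreen_dnsbl_sites:
    - "zen.spamhaus.org=127.0.0.[1..20]"
    - "dnsbl.sorbs.net=127.0.0.[1..255]"
    - "dnsbl.spfbl.net=127.0.0.[1..255]"
    - "bl.nordspam.com=127.0.0.2"
  postscreen_dnsbl_timeout: 2s
  postscreen_greet_wait: 2s
  postscreen_greet_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) loading..."

  # Content filters (rspamd, clamav), each included only when both its host
  # and port are defined; select() drops the empty entries.
  smtpd_milters: "{{ [
    (('inet:' ~ hostvars[mail_server.rspamd_hostname]['ansible_host'] ~ ':' ~ mail_server.rspamd_port) if (mail_server.rspamd_hostname is defined and mail_server.rspamd_port is defined) else ''),
    (('inet:' ~ hostvars[mail_server.clamav_hostname]['ansible_host'] ~ ':' ~ mail_server.clamav_port) if (mail_server.clamav_hostname is defined and mail_server.clamav_port is defined) else '')
    ] | select() | list | join(',') }}"
  # Fail-open: when a milter is unreachable mail is accepted unscanned.
  # "tempfail" would defer instead — an availability-versus-filtering
  # trade-off to decide deliberately.
  milter_default_action: accept
  milter_protocol: 6
  non_smtpd_milters: "$smtpd_milters"

  notify_classes: "bounce, data, delay, policy, resource, software"
  swap_bangpath: false
  show_user_unknown_table_name: false
  remote_header_rewrite_domain: no.tld
  local_header_rewrite_clients:
    - permit_mynetworks
    - permit_inet_interfaces
    - permit_sasl_authenticated
  enable_long_queue_ids: true
  # VRFY would let anyone enumerate valid mailboxes.
  disable_vrfy_command: true
  delay_warning_time: 20m
  confirm_delay_cleared: true
  default_recipient_limit: 1000
  allow_min_user: true
  backwards_bounce_logfile_compatibility: false
  biff: false
  anvil_status_update_time: 1h
  recipient_delimiter: "+"
  append_dot_mydomain: true
  respectful_logging: false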
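# master.cf entries. Each item becomes one service line: "conf" carries the
# column overrides (type, priv, unpriv, wakeup, maxproc — columns not given
# presumably take the template's defaults), and "options" are rendered as
# per-service -o key=value overrides — TODO confirm against the template.
# Booleans are written as canonical YAML true/false (same parsed value as
# the former "yes").
postfix_services:
  # postscreen listener on port 2525, logged as smtp_ext; it hands accepted
  # connections to the "smtpd" pass service right below.
  - service: 2525
    conf: {type: 'inet', priv: false, maxproc: 1}
    command: postscreen
  - service: smtpd
    conf: {type: 'pass'}
    command: smtpd
    options:
      syslog_name: postfix/smtp_ext
  - service: dnsblog
    conf: {maxproc: 0}
    command: dnsblog
  - service: tlsproxy
    conf: {maxproc: 0}
    command: tlsproxy

  # Second MTA listener on the smtp (25) port, not behind postscreen and
  # logged as smtp_int; it uses the submission cleanup service, so the
  # submission header filter applies here too. The name does not clash with
  # the unix "smtp" client service further down: master.cf keys on
  # name *and* type.
  - service: smtp
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtp_int
      cleanup_service_name: cleanupsub

  # MUA submission (STARTTLS, TLS mandatory) with the int_* certificates and
  # the $mua_* restriction lists from postfix_default_config.
  - service: submission
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/submission
      smtpd_tls_security_level: encrypt
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: "$mua_client_restrictions"
      smtpd_helo_restrictions: "$mua_helo_restrictions"
      smtpd_sender_restrictions: "$mua_sender_restrictions"
      smtpd_relay_restrictions: "$mua_relay_restrictions"
      smtpd_recipient_restrictions: "$mua_recipient_restrictions"
      # Lets the milters distinguish originating (outbound) mail from inbound.
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      # NOTE(review): weaker than the MTA-facing default of >=TLSv1.2 — TLS 1.0
      # and 1.1 are accepted from MUAs here. Keep only while legacy clients
      # still need it, and raise it to ">=TLSv1.2" once they are gone.
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"

  # Implicit-TLS submission (wrapper mode); otherwise identical to submission.
  - service: smtps
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtps
      smtpd_tls_wrappermode: true
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: "$mua_client_restrictions"
      smtpd_helo_restrictions: "$mua_helo_restrictions"
      smtpd_sender_restrictions: "$mua_sender_restrictions"
      smtpd_relay_restrictions: "$mua_relay_restrictions"
      smtpd_recipient_restrictions: "$mua_recipient_restrictions"
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      # NOTE(review): same TLS 1.0/1.1 allowance as on submission — see above.
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"

  # Queue handling.
  - service: pickup
    conf: {priv: false, wakeup: 60, maxproc: 1}
    command: pickup
  - service: cleanup
    conf: {priv: false, maxproc: 0}
    command: cleanup
  # Separate cleanup instance for submitted mail, applying the submission
  # header filter (e.g. to strip client-identifying headers) only there.
  - service: cleanupsub
    conf: {priv: false, maxproc: 0}
    command: cleanup
    options:
      syslog_name: postfix/cleanupsub
      header_checks: "pcre:{{ (postfix_conf_dir ~ '/filter_submission_header.pcre') | quote }}"
  - service: qmgr
    conf: {priv: false, wakeup: 300, maxproc: 1}
    command: qmgr
  - service: tlsmgr
    conf: {wakeup: '1000?', maxproc: 1}
    command: tlsmgr
  - service: rewrite
    command: trivial-rewrite
  - service: bounce
    conf: {maxproc: 0}
    command: bounce
  - service: defer
    conf: {maxproc: 0}
    command: bounce
  - service: trace
    conf: {maxproc: 0}
    command: bounce
  - service: verify
    conf: {maxproc: 1}
    command: verify
  - service: flush
    conf: {priv: false, wakeup: '1000?', maxproc: 0}
    command: flush
  - service: proxymap
    command: proxymap
  - service: proxywrite
    conf: {maxproc: 1}
    command: proxymap

  # Delivery agents.
  - service: smtp
    command: smtp
  - service: relay
    command: smtp
    options:
      syslog_name: postfix/$service_name
  - service: showq
    conf: {priv: false}
    command: showq
  - service: error
    command: error
  - service: retry
    command: error
  - service: discard
    command: discard
  - service: local
    conf: {unpriv: false}
    command: local
  - service: virtual
    conf: {unpriv: false}
    command: virtual
  - service: lmtp
    command: lmtp
  - service: anvil
    conf: {maxproc: 1}
    command: anvil
  - service: scache
    conf: {maxproc: 1}
    command: scache
  - service: postlog
    conf: {type: 'unix-dgram', priv: false, maxproc: 1}
    command: postlogd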
# Queries rendered into the pgsql: table files under postfix_sql_dir
# (<name>.cf). Postfix expands the placeholders before sending the query:
#   %s — the whole lookup key
#   %u — the local part, %d — the domain part, of an address-form key;
#        for keys that are not of the form user@domain the query is
#        suppressed and returns nothing
# Postfix applies SQL quoting to every substituted value, so the literal
# single quotes around each placeholder are safe against injected quotes.
# NOTE: comments must stay outside the block scalars — a "#" inside one
# would become part of the SQL sent to the database.
postfix_sql_queries:
  # virtual_alias_maps and smtpd_sender_login_maps: resolves an alias to the
  # mailbox it belongs to. The same query therefore also decides which
  # login may send as the alias.
  aliases: |
    SELECT concat(email_username, '@', (
        SELECT domain FROM mail_domains WHERE id = email_domain_id)
    ) AS email
    FROM mail_aliases
    WHERE
        LOWER(alias_username) = LOWER('%u') AND
        alias_domain_id = (
            SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
        ) AND
        enabled = true;

  # virtual_mailbox_domains: any row means the domain is hosted here.
  # Unlike the other queries this one has no enabled filter — presumably
  # mail_domains has no such column; verify.
  domains: |
    SELECT domain FROM mail_domains WHERE LOWER(domain) = LOWER('%s');

  # virtual_alias_maps: the result lists the source itself alongside the
  # destination, so presumably a copy stays in the source mailbox — verify.
  forwards: |
    SELECT concat(source, ',', destination)
    FROM mail_forwards
    WHERE LOWER(source) = LOWER('%s') AND enabled = true;

  # check_recipient_access: rejects mail to no-reply mailboxes, otherwise
  # defers to the remaining restrictions (DUNNO).
  no_reply: |
    SELECT
        CASE
            WHEN no_reply = true THEN 'REJECT'
            ELSE 'DUNNO'
        END
        AS access
    FROM mail_users
    WHERE
        LOWER(username) = LOWER('%u') AND
        domain_id = (
            SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
        ) AND
        enabled = true;

  # smtpd_sender_login_maps: a user may send as their own address.
  self_users: |
    SELECT concat(username, '@', (
        SELECT domain FROM mail_domains WHERE id = domain_id
    )) AS email
    FROM mail_users
    WHERE
        LOWER(username) = LOWER('%u') AND
        domain_id = (
            SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
        ) AND
        enabled = true;

  # smtpd_sender_login_maps: users explicitly allowed to send as from_user.
  # No enabled filter here either — presumably mail_user_shares has none;
  # verify, since a share is a sender-spoofing grant.
  shared_users: |
    SELECT to_user AS email
    FROM mail_user_shares
    WHERE LOWER(from_user) = LOWER('%s');

  # smtp_tls_policy_maps: per-destination TLS policy and parameters.
  tls_policies: |
    SELECT policy, params FROM mail_tls WHERE LOWER(foreign_domain) = LOWER('%s') AND enabled = true;

  # virtual_mailbox_maps: any row means the mailbox exists; the value is
  # unused. "user" is accepted as an output column label after AS.
  users: |
    SELECT 1 AS user
    FROM mail_users
    WHERE
        LOWER(username) = LOWER('%u') AND
        domain_id = (
            SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
        ) AND
        enabled = true;
# Client hostnames and address prefixes granted the relaxed treatment
# (presumably the keys of smtpd_checks_relaxed.hash, consulted by
# check_client_access ahead of reject_unknown_client_hostname,
# reject_unknown_helo_hostname and reject_unknown_sender_domain — verify in
# the generating template). Postfix looks an address up by progressively
# shorter prefixes, so 146.158.53 covers 146.158.53.0/24. Every entry
# weakens DNS-based sender validation for that peer; keep the list short
# and re-check it when a peer changes provider.
postfix_relaxed_smtpd_domains:
  - 'dellin.ru'
  - 'mx.smp.io'
  - 'smmplanner.com'
  - 'noty.smmplanner.com'
  - '5.135.32.65'
  - 'avito.ru'
  - 'smtp-fallback.avito.ru'
  - 'platformalp.ru'
  - 'dba.platformalp.ru'
  - '85.119.149.136'
  - '146.158.53'
  - '146.158.48'
  - '146.158.55'
  - '178.44.116.85'