
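---
# Defaults for the postfix role.  Inventories override these via group_vars /
# host_vars.  Templated values reference variables defined outside this file
# (mail_server, host_name, org, int_net, hostvars).

# System account and configuration locations.
postfix_user: postfix
postfix_group: postfix
postfix_conf_dir: /etc/postfix
# Directory holding the pgsql lookup-table (.cf) files used by
# postfix_default_config; their queries are in postfix_sql_queries.
postfix_sql_dir: "{{ postfix_conf_dir }}/sql"
postfix_tls_dir: "{{ postfix_conf_dir }}/tls"

# Key/certificate pairs (ECDSA P-384 and RSA-2048).  The "int_*" pairs serve
# the authenticated MUA services (submission/smtps overrides in
# postfix_services); the "ext_*" pairs serve the default inbound smtpd.
postfix_tls_int_ecc384_key: "{{ postfix_tls_dir }}/int_ecc384.key"
postfix_tls_int_ecc384_cert: "{{ postfix_tls_dir }}/int_ecc384.crt"
postfix_tls_int_rsa2048_key: "{{ postfix_tls_dir }}/int_rsa2048.key"
postfix_tls_int_rsa2048_cert: "{{ postfix_tls_dir }}/int_rsa2048.crt"
postfix_tls_ext_ecc384_key: "{{ postfix_tls_dir }}/ext_ecc384.key"
postfix_tls_ext_ecc384_cert: "{{ postfix_tls_dir }}/ext_ecc384.crt"
postfix_tls_ext_rsa2048_key: "{{ postfix_tls_dir }}/ext_rsa2048.key"
postfix_tls_ext_rsa2048_cert: "{{ postfix_tls_dir }}/ext_rsa2048.crt"
# 2048-bit finite-field DH group, wired to smtpd_tls_dh1024_param_file.
postfix_tls_dh2048: "{{ postfix_tls_dir }}/dh2048.pem"

# When true, smtp_tls_policy_maps also consults a local MTA-STS resolver
# socketmap on 127.0.0.1 at mail_server.mta_sts_port.
# Written as a real boolean rather than the YAML 1.1 "yes" (same loaded
# value under Ansible's loader; ansible-lint yaml[truthy]).
postfix_use_mta_sts_resolver: true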
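# Postfix main.cf parameters, rendered by the role's main.cf template.
# Boolean parameters are written as YAML booleans (ansible-lint yaml[truthy];
# they load to the same value as the former "yes"/"no").  Postfix itself only
# accepts "yes"/"no", so the template must translate booleans — the template
# is not visible here, confirm it does.  The custom mua_* parameters are
# referenced as $mua_* from the submission/smtps -o overrides in
# postfix_services.
postfix_default_config:
  # Quoted: a plain 3.6 loads as a float; this is an opaque version tag.
  compatibility_level: "3.6"
  mydomain: "{{ mail_server.tld }}"
  myhostname: "{{ (mail_server.mta_actual_hostname | d(host_name)) ~ '.' ~ mail_server.tld }}"
  myorigin: "$mydomain"
  masquerade_domains: "$mydomain"
  # Only this host itself is in $mynetworks, so permit_mynetworks never
  # admits a remote client.
  mynetworks_style: host
  # Local delivery for localhost only; every served domain is virtual and
  # looked up in PostgreSQL (virtual_* below).
  mydestination: localhost
  # NOTE(review): bare values (here, tls_disable_workarounds and the
  # smtpd_authorized_* lists) load as YAML null.  The intent is an empty
  # Postfix setting (no relay domains); confirm the template renders null as
  # an empty value and not the string "None".
  relay_domains:
  inet_protocols: ipv4
  # LMTP delivery to the MUA host; the port suffix is added only when
  # mail_server.mua_lmtp_port is defined.
  virtual_transport: "lmtp:inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_lmtp_port) if mail_server.mua_lmtp_port is defined else '') }}"
  # pgsql lookup tables (queries in postfix_sql_queries).  "quote" is
  # Ansible's shell-quoting filter; it is a no-op for the default paths.
  virtual_alias_maps: "pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }},pgsql:{{ (postfix_sql_dir ~ '/forwards.cf') | quote }}"
  virtual_mailbox_domains: "pgsql:{{ (postfix_sql_dir ~ '/domains.cf') | quote }}"
  virtual_mailbox_maps: "pgsql:{{ (postfix_sql_dir ~ '/users.cf') | quote }}"
  local_recipient_maps: "$virtual_mailbox_maps"
  # Which envelope senders each SASL login may use; enforced by
  # reject_authenticated_sender_login_mismatch in mua_sender_restrictions.
  # The trailing backslashes join the lines into one unionmap:{...} value.
  smtpd_sender_login_maps: "unionmap:{\
    pgsql:{{ (postfix_sql_dir ~ '/shared_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/self_users.cf') | quote }},\
    pgsql:{{ (postfix_sql_dir ~ '/aliases.cf') | quote }}\
    }"
  message_size_limit: "{{ mail_server.max_mail_size_bytes }}"
  # 0 = no Postfix-side mailbox size limit.
  mailbox_size_limit: 0
  virtual_mailbox_limit: 0
  header_size_limit: 512000
  default_destination_recipient_limit: 25
  # Queue scheduling and retention.
  queue_run_delay: 3m
  minimal_backoff_time: 3m
  maximal_backoff_time: 30m
  maximal_queue_lifetime: 3d
  bounce_queue_lifetime: 2d
  # TLS settings shared by the client and server roles.
  tls_append_default_CA: true
  tls_disable_workarounds:
  # NOTE(review): LEGACY_SERVER_CONNECT permits handshakes with peers that
  # lack RFC 5746 secure renegotiation, for every TLS role on this host.
  # Keep it only while interoperability with such peers is required.
  tls_ssl_options: "NO_COMPRESSION, NO_RENEGOTIATION, ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, PRIORITIZE_CHACHA"
  tls_preempt_cipherlist: true
  # Outbound TLS: DANE needs a DNSSEC-validating resolver on this host
  # (smtp_dns_support_level); destinations without TLSA records fall back
  # to opportunistic TLS, never below TLS 1.2.
  smtp_dns_support_level: dnssec
  smtp_tls_CApath: /etc/ssl/certs
  smtp_tls_ciphers: medium
  smtp_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtp_tls_protocols: ">=TLSv1.2"
  smtp_tls_mandatory_ciphers: medium
  smtp_tls_mandatory_protocols: ">=TLSv1.2"
  smtp_tls_security_level: dane
  smtp_tls_servername: hostname
  smtp_starttls_timeout: 180s
  smtp_tls_note_starttls_offer: true
  # Per-destination TLS policy from PostgreSQL, plus the MTA-STS resolver
  # socketmap when postfix_use_mta_sts_resolver is true; select() drops the
  # empty entry.
  smtp_tls_policy_maps: "{{ [
    'pgsql:' ~ ((postfix_sql_dir ~ '/tls_policies.cf') | quote),
    ('socketmap:inet:127.0.0.1:' ~ mail_server.mta_sts_port ~ ':postfix') if (postfix_use_mta_sts_resolver | d(false) == true) else '',
    ] | select() | list | join(',') }}"
  # Inbound TLS: the "ext" key pairs; submission/smtps switch to the "int"
  # pairs in postfix_services.
  smtpd_tls_cert_file: "{{ postfix_tls_ext_rsa2048_cert | quote }}"
  smtpd_tls_key_file: "{{ postfix_tls_ext_rsa2048_key | quote }}"
  smtpd_tls_eccert_file: "{{ postfix_tls_ext_ecc384_cert | quote }}"
  smtpd_tls_eckey_file: "{{ postfix_tls_ext_ecc384_key | quote }}"
  # Opportunistic STARTTLS for MTA-to-MTA traffic; TLS is made mandatory on
  # the MUA services only.
  smtpd_tls_security_level: may
  smtpd_tls_ciphers: medium
  smtpd_tls_mandatory_ciphers: medium
  smtpd_tls_exclude_ciphers: "aNULL, eNULL, EXP, LOW, MD5, DES, 3DES, RC4, CAMELLIA, kEDH+CAMELLIA, kRSA+CAMELLIA"
  smtpd_tls_protocols: ">=TLSv1.2"
  smtpd_tls_mandatory_protocols: ">=TLSv1.2"
  # Historic parameter name; Postfix uses this file for non-export EDH and a
  # 2048-bit group is supplied.
  smtpd_tls_dh1024_param_file: "{{ postfix_tls_dh2048 | quote }}"
  # AUTH is announced only inside a TLS session, and plaintext mechanisms
  # are disabled by smtpd_sasl_security_options below.
  smtpd_tls_auth_only: true
  smtpd_tls_received_header: true
  # SASL is delegated to Dovecot over TCP.  Disabled here; the
  # submission/smtps services enable it.
  smtpd_sasl_type: dovecot
  smtpd_sasl_path: "inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_auth_port) if mail_server.mua_auth_port is defined else '') }}"
  smtpd_sasl_auth_enable: false
  smtpd_sasl_local_domain: "$mydomain"
  # NOTE(review): in Postfix address lists "!pattern" is an exclusion, not an
  # inversion of the list; a list holding only a negated pattern matches no
  # client, so this is very likely a no-op (AUTH offered to every client of
  # a SASL-enabled service).  Confirm the intended exception set.
  smtpd_sasl_exceptions_networks: "!{{ int_net }}"
  smtpd_sasl_security_options: "noanonymous, noplaintext"
  smtpd_sasl_tls_security_options: noanonymous
  smtpd_sasl_authenticated_header: false
  # Restriction lists.  smtpd_* apply to the default inbound smtpd, mua_* to
  # the authenticated services.  reject_unauth_pipelining opens every stage;
  # permit_mynetworks only ever matches this host (mynetworks_style: host).
  smtpd_client_restrictions:
    - permit
  mua_client_restrictions:
    - permit_sasl_authenticated
    - reject
  # Strict HELO policy: an FQDN is required and the client needs matching
  # forward/reverse DNS (reject_unknown_client_hostname).  The texthash
  # lookup just before it is the exemption list for known-broken senders
  # (presumably built from postfix_relaxed_smtpd_domains).
  smtpd_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_mynetworks
    - reject_non_fqdn_helo_hostname
    - "check_helo_access pcre:{{ (postfix_conf_dir ~ '/filter_smtpd_helo.pcre') | quote }}"
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_client_hostname
    - reject_unknown_helo_hostname
    - permit
  mua_helo_restrictions:
    - reject_unauth_pipelining
    - reject_invalid_helo_hostname
    - permit_sasl_authenticated
    - reject
  # Envelope-sender checks; the same exemption list precedes the
  # sender-domain DNS check.
  smtpd_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    - permit_mynetworks
    - "check_client_access texthash:{{ (postfix_conf_dir ~ '/smtpd_checks_relaxed.hash') | quote }}"
    - reject_unknown_sender_domain
    - permit
  # Authenticated users may only send as addresses mapped to their login in
  # smtpd_sender_login_maps.
  mua_sender_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_sender
    - reject_authenticated_sender_login_mismatch
    - permit_sasl_authenticated
    - reject
  # No open relay: unauthenticated clients may only deliver to domains this
  # host is responsible for.
  smtpd_relay_restrictions:
    - reject_unauth_pipelining
    - permit_mynetworks
    - reject_unauth_destination
    - permit
  mua_relay_restrictions:
    - reject_unauth_pipelining
    - permit_sasl_authenticated
    - reject
  # Recipient checks; the pgsql no_reply lookup REJECTs addresses flagged
  # no_reply.  The quota policy-service check is kept disabled.
  smtpd_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_mynetworks
    - reject_unknown_recipient_domain
    - reject_unlisted_recipient
    - permit
  mua_recipient_restrictions:
    - reject_unauth_pipelining
    - reject_non_fqdn_recipient
    - "check_recipient_access pgsql:{{ (postfix_sql_dir ~ '/no_reply.cf') | quote }}"
    # - "check_policy_service inet:{{ hostvars[mail_server.mua_hostname]['ansible_host'] ~ ((':' ~ mail_server.mua_quota_port) if mail_server.mua_quota_port is defined else '') }}"
    - permit_sasl_authenticated
    - reject
  smtpd_data_restrictions:
    - reject_unauth_pipelining
    - permit
  # ETRN is never honoured.
  smtpd_etrn_restrictions:
    - reject
  # Outbound SMTP client behaviour and timeouts.
  smtp_always_send_ehlo: true
  smtp_connect_timeout: 20s
  smtp_helo_timeout: 120s
  smtp_rcpt_timeout: 120s
  smtp_mail_timeout: 180s
  smtp_quit_timeout: 180s
  smtp_xforward_timeout: 180s
  smtp_pix_workarounds: delay_dotcrlf
  smtp_use_tls: true
  # Pause between deliveries to the same destination.
  smtp_transport_rate_delay: 1s
  # Empty: no client may use VERP, XCLIENT or XFORWARD (see the null note on
  # relay_domains above).
  smtpd_authorized_verp_clients:
  smtpd_authorized_xclient_hosts:
  smtpd_authorized_xforward_hosts:
  smtpd_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) ready"
  # Per-client limits, enforced by the anvil service.
  smtpd_client_connection_count_limit: 120
  smtpd_client_connection_rate_limit: 360
  smtpd_client_message_rate_limit: 120
  smtpd_client_recipient_rate_limit: 240
  smtpd_client_new_tls_session_rate_limit: 180
  smtpd_client_auth_rate_limit: 90
  smtpd_client_port_logging: true
  # Evaluate restrictions at RCPT TO so the full client/HELO/sender context
  # is available for checks and logging.
  smtpd_delay_reject: true
  # Slow down, then disconnect, clients that keep producing errors.
  smtpd_error_sleep_time: 3s
  smtpd_soft_error_limit: 3
  smtpd_hard_error_limit: 6
  smtpd_junk_command_limit: 15
  smtpd_helo_required: true
  # An unreachable policy service does not block mail; evaluation continues.
  smtpd_policy_service_default_action: DUNNO
  smtpd_recipient_limit: 50
  smtpd_recipient_overshoot_limit: 50
  smtpd_timeout: 120s
  smtpd_use_tls: true
  # Quoted for consistency with the other comma-separated values.
  smtpd_discard_ehlo_keywords: "silent-discard, etrn"
  # postscreen (the port-25 front end in postfix_services): allow-list, then
  # DNSBL scoring and an enforced greeting test.  The deep protocol tests
  # (bare newline, non-SMTP command, pipelining) are disabled.
  postscreen_access_list: "permit_mynetworks, cidr:{{ (postfix_conf_dir ~ '/filter_postscreen_connect.cidr') | quote }}"
  postscreen_blacklist_action: drop
  postscreen_dnsbl_action: enforce
  postscreen_greet_action: enforce
  postscreen_bare_newline_enable: false
  postscreen_non_smtp_command_enable: false
  postscreen_pipelining_enable: false
  postscreen_dnsbl_max_ttl: 3h
  postscreen_dnsbl_min_ttl: 10m
  # Each site below carries the default weight of 1, so two listings reject.
  postscreen_dnsbl_threshold: 2
  postscreen_dnsbl_sites:
    - "zen.spamhaus.org=127.0.0.[1..20]"
    - "dnsbl.sorbs.net=127.0.0.[1..255]"
    - "dnsbl.spfbl.net=127.0.0.[1..255]"
    - "bl.nordspam.com=127.0.0.2"
  postscreen_dnsbl_timeout: 2s
  postscreen_greet_wait: 2s
  postscreen_greet_banner: "$myhostname ESMTP {{ org }} ($mail_name $mail_version) loading..."
  # Milters (rspamd, ClamAV) are attached only when both hostname and port
  # are defined for them; select() removes the empty entries.
  smtpd_milters: "{{ [
    (('inet:' ~ hostvars[mail_server.rspamd_hostname]['ansible_host'] ~ ':' ~ mail_server.rspamd_port) if (mail_server.rspamd_hostname is defined and mail_server.rspamd_port is defined) else ''),
    (('inet:' ~ hostvars[mail_server.clamav_hostname]['ansible_host'] ~ ':' ~ mail_server.clamav_port) if (mail_server.clamav_hostname is defined and mail_server.clamav_port is defined) else '')
    ] | select() | list | join(',') }}"
  # NOTE(review): "accept" fails open — when a milter is down or times out
  # the message is accepted unscanned.  Use "tempfail" where spam/malware
  # scanning is mandatory.
  milter_default_action: accept
  milter_protocol: 6
  non_smtpd_milters: $smtpd_milters
  notify_classes: "bounce, data, delay, policy, resource, software"
  swap_bangpath: false
  show_user_unknown_table_name: false
  # Incomplete addresses in headers from remote clients are completed with
  # this sentinel domain instead of $myorigin.
  remote_header_rewrite_domain: no.tld
  local_header_rewrite_clients:
    - permit_mynetworks
    - permit_inet_interfaces
    - permit_sasl_authenticated
  enable_long_queue_ids: true
  # VRFY disabled: no address harvesting via the SMTP dialogue.
  disable_vrfy_command: true
  delay_warning_time: 20m
  confirm_delay_cleared: true
  default_recipient_limit: 1000
  allow_min_user: true
  backwards_bounce_logfile_compatibility: false
  biff: false
  anvil_status_update_time: 1h
  recipient_delimiter: "+"
  append_dot_mydomain: true
  respectful_logging: false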
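# master.cf entries.  "service" is the name or port, "conf" the type / priv /
# wakeup / maxproc columns (omitted columns take master.cf defaults) and
# "options" become -o key=value overrides.  Booleans are YAML booleans
# (same loaded value as the former "yes"; the template must render them as
# Postfix yes/no — confirm).  Two inbound paths exist: postscreen on 2525
# hands off to the "smtpd" pass service (logged as postfix/smtp_ext) and a
# plain smtpd listens on the smtp port (logged as postfix/smtp_int); how
# traffic is steered between them is not visible here.
postfix_services:
  - service: 2525
    conf: {type: 'inet', priv: false, maxproc: 1}
    command: postscreen
  - service: smtpd
    conf: {type: 'pass'}
    command: smtpd
    options:
      syslog_name: postfix/smtp_ext
  - service: dnsblog
    conf: {maxproc: 0}
    command: dnsblog
  - service: tlsproxy
    conf: {maxproc: 0}
    command: tlsproxy
  - service: smtp
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtp_int
      cleanup_service_name: cleanupsub
  # Authenticated MUA services: TLS is mandatory (STARTTLS on submission,
  # wrapper mode on smtps), SASL is enabled, the "int" key pairs are used,
  # the mua_* restriction lists from postfix_default_config apply and
  # cleanup runs through cleanupsub (submission header filter).
  # ORIGINATING tells the milters this is outbound mail.
  # NOTE(review): the protocol floor is lowered to TLS 1.0 here, below the
  # >=TLSv1.2 default; TLS 1.0/1.1 are deprecated (RFC 8996).  Drop the two
  # smtpd_tls_*protocols overrides unless legacy clients truly need them
  # (same on smtps below).
  - service: submission
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/submission
      smtpd_tls_security_level: encrypt
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: $mua_client_restrictions
      smtpd_helo_restrictions: $mua_helo_restrictions
      smtpd_sender_restrictions: $mua_sender_restrictions
      smtpd_relay_restrictions: $mua_relay_restrictions
      smtpd_recipient_restrictions: $mua_recipient_restrictions
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"
  - service: smtps
    conf: {type: 'inet', priv: false}
    command: smtpd
    options:
      syslog_name: postfix/smtps
      smtpd_tls_wrappermode: true
      smtpd_tls_cert_file: "{{ postfix_tls_int_rsa2048_cert | quote }}"
      smtpd_tls_key_file: "{{ postfix_tls_int_rsa2048_key | quote }}"
      smtpd_tls_eccert_file: "{{ postfix_tls_int_ecc384_cert | quote }}"
      smtpd_tls_eckey_file: "{{ postfix_tls_int_ecc384_key | quote }}"
      smtpd_sasl_auth_enable: true
      smtpd_client_restrictions: $mua_client_restrictions
      smtpd_helo_restrictions: $mua_helo_restrictions
      smtpd_sender_restrictions: $mua_sender_restrictions
      smtpd_relay_restrictions: $mua_relay_restrictions
      smtpd_recipient_restrictions: $mua_recipient_restrictions
      milter_macro_daemon_name: ORIGINATING
      cleanup_service_name: cleanupsub
      smtpd_tls_protocols: ">=TLSv1"
      smtpd_tls_mandatory_protocols: ">=TLSv1"
  # Queue and internal services (mostly master.cf defaults).
  - service: pickup
    conf: {priv: false, wakeup: 60, maxproc: 1}
    command: pickup
  - service: cleanup
    conf: {priv: false, maxproc: 0}
    command: cleanup
  # Separate cleanup for MUA-originated mail; applies the submission header
  # filter (content of the pcre file not visible here).
  - service: cleanupsub
    conf: {priv: false, maxproc: 0}
    command: cleanup
    options:
      syslog_name: postfix/cleanupsub
      header_checks: "pcre:{{ (postfix_conf_dir ~ '/filter_submission_header.pcre') | quote }}"
  - service: qmgr
    conf: {priv: false, wakeup: 300, maxproc: 1}
    command: qmgr
  # "1000?" is a master.cf wakeup with the "only if used" flag; quoted so it
  # stays a string.
  - service: tlsmgr
    conf: {wakeup: '1000?', maxproc: 1}
    command: tlsmgr
  - service: rewrite
    command: trivial-rewrite
  - service: bounce
    conf: {maxproc: 0}
    command: bounce
  - service: defer
    conf: {maxproc: 0}
    command: bounce
  - service: trace
    conf: {maxproc: 0}
    command: bounce
  - service: verify
    conf: {maxproc: 1}
    command: verify
  - service: flush
    conf: {priv: false, wakeup: '1000?', maxproc: 0}
    command: flush
  - service: proxymap
    command: proxymap
  - service: proxywrite
    conf: {maxproc: 1}
    command: proxymap
  # Outbound delivery agents ("smtp" here is the unix-type client, distinct
  # from the inet "smtp" listener above).
  - service: smtp
    command: smtp
  - service: relay
    command: smtp
    options:
      syslog_name: postfix/$service_name
  - service: showq
    conf: {priv: false}
    command: showq
  - service: error
    command: error
  - service: retry
    command: error
  - service: discard
    command: discard
  - service: local
    conf: {unpriv: false}
    command: local
  - service: virtual
    conf: {unpriv: false}
    command: virtual
  - service: lmtp
    command: lmtp
  - service: anvil
    conf: {maxproc: 1}
    command: anvil
  - service: scache
    conf: {maxproc: 1}
    command: scache
  - service: postlog
    conf: {type: 'unix-dgram', priv: false, maxproc: 1}
    command: postlogd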
# Queries for the pgsql lookup tables in postfix_sql_dir, one per *.cf file.
# %s is the full lookup key, %u / %d its local part and domain; Postfix
# SQL-escapes these expansions before substitution (pgsql_table(5)), which is
# why they may sit inside the quoted LOWER('...') literals.  Every value is a
# literal block scalar: a "#" line inside a query would become part of it,
# so comments go above the key only.  Only enabled rows match.
postfix_sql_queries:
  # virtual_alias_maps and smtpd_sender_login_maps: alias -> target address.
  aliases: |
    SELECT concat(email_username, '@', (
      SELECT domain FROM mail_domains WHERE id = email_domain_id)
    ) AS email
    FROM mail_aliases
    WHERE
      LOWER(alias_username) = LOWER('%u') AND
      alias_domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      ) AND
      enabled = true;
  # virtual_mailbox_domains: is this a hosted domain?
  domains: |
    SELECT domain FROM mail_domains WHERE LOWER(domain) = LOWER('%s');
  # virtual_alias_maps: forwarding entries (source kept so the original
  # recipient is retained alongside the destination).
  forwards: |
    SELECT concat(source, ',', destination)
    FROM mail_forwards
    WHERE LOWER(source) = LOWER('%s') AND enabled = true;
  # check_recipient_access: REJECT mail to users flagged no_reply, DUNNO
  # otherwise so later restrictions still run.
  no_reply: |
    SELECT
      CASE
        WHEN no_reply = true THEN 'REJECT'
        ELSE 'DUNNO'
      END
    AS access
    FROM mail_users
    WHERE
      LOWER(username) = LOWER('%u') AND
      domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      ) AND
      enabled = true;
  # smtpd_sender_login_maps: a user may send as their own address.
  self_users: |
    SELECT concat(username, '@', (
      SELECT domain FROM mail_domains WHERE id = domain_id
    )) AS email
    FROM mail_users
    WHERE
      LOWER(username) = LOWER('%u') AND
      domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      ) AND
      enabled = true;
  # smtpd_sender_login_maps: additional logins allowed to send as from_user.
  shared_users: |
    SELECT to_user AS email
    FROM mail_user_shares
    WHERE LOWER(from_user) = LOWER('%s');
  # smtp_tls_policy_maps: per-destination policy and parameters.
  tls_policies: |
    SELECT policy, params FROM mail_tls WHERE LOWER(foreign_domain) = LOWER('%s') AND enabled = true;
  # virtual_mailbox_maps / local_recipient_maps: existence check only.
  users: |
    SELECT 1 AS user
    FROM mail_users
    WHERE
      LOWER(username) = LOWER('%u') AND
      domain_id = (
        SELECT id FROM mail_domains WHERE LOWER(domain) = LOWER('%d')
      ) AND
      enabled = true;
# Senders exempted from the strict port-25 client/HELO DNS checks
# (presumably rendered into smtpd_checks_relaxed.hash, which
# postfix_default_config consults via check_client_access before
# reject_unknown_client_hostname and reject_unknown_sender_domain).
# Hostname entries match the client name (and, per access(5), its
# subdomains by default); a truncated dotted quad such as "146.158.53"
# matches that whole network prefix.  Quoted so every entry stays a string.
postfix_relaxed_smtpd_domains:
  - "dellin.ru"
  - "mx.smp.io"
  - "smmplanner.com"
  - "noty.smmplanner.com"
  - "5.135.32.65"
  - "avito.ru"
  - "smtp-fallback.avito.ru"
  - "platformalp.ru"
  - "dba.platformalp.ru"
  - "85.119.149.136"
  - "146.158.53"
  - "146.158.48"
  - "146.158.55"
  - "178.44.116.85"