
Location: majic-ansible-roles/roles/mail_server/templates/main.cf.j2 - annotation

# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version.


# General settings
# ================

# Internet hostname of this mail system, taken from the Ansible
# inventory name of the host. Also expanded as $myhostname in the
# SMTP banner below.
myhostname = {{ inventory_hostname }}

# Domain that locally posted mail appears to come from. Under Debian,
# when a file name is specified, the first line of the file is used
# as the value.
myorigin = /etc/mailname

# Text shown to connecting clients as part of SMTP greeting.
# NOTE(review): $mail_name and the "(Debian/GNU)" suffix tell every
# connecting client which MTA and distribution are in use; only the
# hostname is needed in the greeting. Confirm the extra detail is wanted.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

# Listen on all network interfaces and all protocols (IPv4 and IPv6).
inet_interfaces = all
inet_protocols = all

# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup
# fails. Useful for local overrides of mail servers.
smtp_host_lookup = dns, native

# Recipient delimiter for separating user name from its extension
# (user+extension@domain).
recipient_delimiter = +

# Notify the postmaster about resource and software problems, and
# deliver undeliverable bounces (2bounce) to the postmaster as well.
# Helps with spotting application misconfigurations.
notify_classes = resource, software, 2bounce

# Explicitly set maximum allowed mail size (in bytes) that should be
# accepted. The value is supplied by the role variable
# mail_message_size_limit.
message_size_limit = {{ mail_message_size_limit }}

# Disable output of Postfix README file paths when invoking postconf.
readme_directory = no

# Use whitelist/blacklist instead of allowlist/denylist in log
# entries.
respectful_logging = no

# Compatibility level for default values. Every parameter not set in
# this file takes the default that belongs to this level. For more
# details, see:
#     https://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.6


# Local mailbox delivery
# ======================

# List of domains for local transport deliveries. Only the host's own
# names and localhost are listed; hosted mail domains are handled as
# virtual mailbox domains further down, not here.
mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost

# Alias maps for local deliveries (to system accounts).
alias_maps = hash:/etc/aliases

# Alias database that gets updated when invoking "newaliases" command.
# Points at the same file as alias_maps, so newaliases rebuilds the
# map that is actually consulted.
alias_database = hash:/etc/aliases

# Disable size limits for local user mailboxes (0 means no limit).
mailbox_size_limit = 0

# Disable use of biff service for new mail notifications to local
# users (improves performance).
biff = no


# Virtual mailbox delivery
# ========================

# Deliver mails via Dovecot LDA for virtual domains.
# NOTE(review): a transport named "dovecot" has to be defined in
# master.cf, which is not part of this template - confirm.
virtual_transport = dovecot

# Maximum number of recipients per message delivery. With a value of
# 1 the dovecot transport is handed one recipient at a time.
dovecot_destination_recipient_limit = 1

# LDAP directory look-ups for domains, mailboxes and aliases.
# NOTE(review): if these lookup files carry LDAP bind credentials they
# should be readable by root and the postfix group only - confirm the
# file mode set by the role's tasks.
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf


# Remote mailbox delivery
# =======================

# List of trusted networks allowed to relay mail through this system.
# Loopback ranges are always included; every entry of the role
# variable smtp_allow_relay_from is appended as-is.
# Clients in these networks are matched by permit_mynetworks in both
# smtpd_relay_restrictions and smtpd_recipient_restrictions, so they
# may relay to any destination without authentication and are not
# checked against the RBLs. Keep the entries as narrow as possible
# (single hosts or small prefixes) and never list a range that
# untrusted clients can send from.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128{% for network in smtp_allow_relay_from  %} {{ network }}{% endfor %}

# Allow relaying only from trusted networks. Do not relay mails for
# domains for which the mail server is not responsible. The order
# matters: trusted networks are permitted first, everything else must
# be addressed to a domain this server is responsible for.
smtpd_relay_restrictions = permit_mynetworks
  reject_unauth_destination

# Do not use relay host for non-local mail delivery (act as proper
# public-facing mail system). An empty value means direct delivery.
relayhost =


# TLS configuration
# =================

# Allow connecting SMTP clients to use TLS when connecting to the
# host, but do not enforce it. Plaintext sessions are still accepted,
# which is what a public-facing server on TCP port 25 needs in order
# to receive mail from hosts without TLS support.
# NOTE(review): no protocol version or cipher parameters are set in
# this template, so the Postfix defaults for the configured
# compatibility level apply unless the administrator-provided section
# at the end of the file overrides them - confirm that is intended.
smtpd_tls_security_level = may

# Allow SMTP authentication to proceed only over TLS, so credentials
# are never offered over a plaintext session.
smtpd_tls_auth_only = yes

# TLS private key and certificate to use for SMTP server.
# NOTE(review): these paths are built from ansible_fqdn, while the DH
# parameter paths below and myhostname use inventory_hostname. If the
# two differ on a host the file names will not match - confirm against
# the tasks that deploy these files. The private key should be
# readable by root only.
smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem
smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key

# Use custom, generated DH parameters for increased security.
# Despite its name, the dh1024 parameter file is the one used for all
# non-export ephemeral DH ciphers and may hold parameters stronger than
# 1024 bits; the strength depends on how the file was generated.
# NOTE(review): the dh512 parameter applies to export-grade ciphers
# only. The Postfix documentation describes it as silently ignored from
# Postfix 3.6 on, so with compatibility_level 3.6 this line is
# presumably a no-op - confirm and consider dropping it.
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem

# Use TLS when available with Postfix SMTP client.
# This is opportunistic TLS: the remote certificate is not verified
# and delivery falls back to plaintext when STARTTLS is not offered,
# so it protects against passive eavesdropping but not against an
# active attacker who removes the STARTTLS offer. Enforcing TLS towards
# selected destinations would need a stricter level or a per-destination
# policy (smtp_tls_policy_maps), neither of which is configured here.
smtp_tls_security_level = may

# Enable TLS session cache database for SMTP client. Helps with
# performance and bandwidth usage.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


# Authentication and authorisation
# ================================

# Authenticate users via Dovecot. The path is relative to the Postfix
# queue directory and names the socket on which Dovecot's
# authentication service listens.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Disable authentication by default (for server-to-server
# communications on TCP port 25). Users should connect via submission
# port instead, where authentication is enabled.
# NOTE(review): the submission service and its overrides live in
# master.cf, which is not part of this template - confirm that
# authentication is switched on there.
smtpd_sasl_auth_enable = no

# Look-up list of SASL login names that are allowed to send mails
# using the passed-in sender address. Allow sending from both original
# mailbox name _and_ associated aliases.
# NOTE(review): this map is only consulted by the
# reject_sender_login_mismatch family of restrictions, and none of them
# appears in this file. Presumably one is set for the submission
# service in master.cf - verify, because without it an authenticated
# user can send with any sender address.
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf, ldap:/etc/postfix/ldap-virtual-alias-maps.cf

# Accept mail from trusted networks without further checks, and reject
# mail from any other client that is listed in one of the configured
# RBLs. One reject_rbl_client entry is rendered per item of the role
# variable smtp_rbl; with an empty list only permit_mynetworks remains
# and no RBL check takes place.
# Rejection of mail for domains the local server is not responsible
# for is not done here; that is handled by reject_unauth_destination
# in smtpd_relay_restrictions.
smtpd_recipient_restrictions = permit_mynetworks
{% for rbl in smtp_rbl %}
  reject_rbl_client {{ rbl }}
{% endfor %}

# Pass all mails through anti-virus: smtpd_milters covers mail received
# over SMTP, non_smtpd_milters covers mail submitted locally (for
# example via the sendmail command).
# NOTE(review): milter_default_action is not set in this template, so
# the Postfix default decides what happens when the ClamAV milter
# socket is unreachable (documented default: tempfail, i.e. mail is
# deferred rather than delivered unscanned) - confirm this is the
# wanted failure mode and monitor the milter service accordingly.
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl


# Administrator-provided custom settings
# ======================================

# The content of the role variable
# mail_server_smtp_additional_configuration is rendered verbatim below.
# Because it comes last, any parameter repeated here replaces the value
# set earlier in this file, including the relay, TLS and authentication
# settings. Treat the variable as trusted input only, and review the
# effective result with "postconf -n" after deployment.
{{ mail_server_smtp_additional_configuration }}