diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index 4c276bcbd13dcb55ea8da93d413d8d58d2960b98..4fd6e1eda3f02fb88b4079c58ada9d42d58b6874 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -65,8 +65,8 @@ def test_postfix_main_cf_file_content(host):
 assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
 assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
 assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
- assert " reject_rbl bl.spamcop.net" in config_lines
- assert " reject_rbl zen.spamhaus.org" in config_lines
+ assert " reject_rbl_client bl.spamcop.net" in config_lines
+ assert " reject_rbl_client zen.spamhaus.org" in config_lines
 assert "smtp_host_lookup = dns, native" in config_lines
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index 015c86190e3fcf9c3e840599683b2d8d5812086f..bf9d1f0326339af0a6c6e9b118b7bdaf1c839bc6 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
@@ -17,6 +17,17 @@ append_dot_mydomain = no
 readme_directory = no
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
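Review bot: The assertions only follow the `reject_rbl` → `reject_rbl_client` rename; the new `smtpd_relay_restrictions` line, which is what now stops the server from relaying for domains it is not responsible for, is not checked anywhere in this hunk. I would add `assert "smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination" in config_lines` next to the RBL assertions so a regression of the relay policy fails the test instead of quietly weakening the anti-relay configuration. `test_postfix_main_cf_file_content` starts before this hunk.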
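Review bot: The five commented-out `#smtpd_tls_*`/`#smtp_tls_*` lines under `# TLS parameters` are dead configuration that names the Debian snakeoil certificate, while the live `smtpd_tls_cert_file`/`smtpd_tls_key_file` settings in this template point at the per-host `_smtp.pem`/`_smtp.key` files (the test hunk above asserts exactly those). A second, commented copy invites a later "uncomment to fix" that would silently swap in the self-signed snakeoil key; I would drop the block or shrink it to `# TLS parameters are set further down (smtpd_tls_cert_file / smtpd_tls_key_file).`. For `compatibility_level = 2` the comment should say which default behaviour the role relies on rather than only linking the README, so a future bump is reviewed deliberately.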
@@ -32,13 +43,14 @@ mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all +inet_protocols = all # LDAP directory look-ups for domains, mailboxes and aliases. virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf -# Delivery of mails via Dovecot for virtual domains. +# Delivery of mails via Dovecot LDA for virtual domains. virtual_transport = dovecot dovecot_destination_recipient_limit = 1 @@ -60,13 +72,19 @@ smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -# Recipients restricting. -smtpd_recipient_restrictions = permit_mynetworks - permit_sasl_authenticated - {% for rbl in smtp_rbl -%} - reject_rbl {{ rbl }} - {% endfor -%} +# Allow relaying only from trusted networks. Do not relay mails for +# domains for which the mail server is not responsible. +smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination + +# Reject delivery of mails for domains for which the local server is +# not responsible, as well as any mails coming from addresses in one +# of the configured RBL's. +smtpd_recipient_restrictions = permit_mynetworks +{% for rbl in smtp_rbl %} + reject_rbl_client {{ rbl }} +{% endfor %} + smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl diff --git a/roles/mail_server/templates/master.cf.j2 b/roles/mail_server/templates/master.cf.j2 index 445a5b8eb1f46e3f102e16d182f4535f50b827bb..acd9f67dbf4675c2303b5234d82d9acc8082c25c 100644 --- a/roles/mail_server/templates/master.cf.j2 +++ b/roles/mail_server/templates/master.cf.j2 
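Review bot: `permit_sasl_authenticated` disappears from both the new `smtpd_relay_restrictions` and the new `smtpd_recipient_restrictions`, so an authenticated client on the port-25 smtpd can no longer relay and is additionally subject to the `reject_rbl_client` checks. That is consistent with the master.cf hunk, which enables SASL only on the submission service and overrides both lists there, but it is a behaviour change the comment should state, e.g. `# Authenticated relaying is offered only on the submission service (see master.cf).`. The `-%}` trim markers were removed from the loop; each `reject_rbl_client {{ rbl }}` line must keep its leading whitespace to remain a continuation of `smtpd_recipient_restrictions`, which holds with Ansible's default trim_blocks but yields stray blank lines inside the parameter if the template is rendered with trim_blocks off, so I'd verify the rendered file once rather than rely on it.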
@@ -7,14 +7,14 @@ # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) +# (yes) (yes) (no) (never) (100) # ========================================================================== -smtp inet n - - - - smtpd -#smtp inet n - - - 1 postscreen -#smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog -#tlsproxy unix - - - - 0 tlsproxy -#submission inet n - - - - smtpd +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes @@ -25,7 +25,7 @@ smtp inet n - - - - smtpd # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - - - - smtpd +#smtps inet n - y - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes 
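Review bot: Switching smtpd (and, in the hunk at -36, most other daemons) to chroot `y` moves them into the jail under the queue directory, while the main.cf hunk has recipient validation going through `ldap:/etc/postfix/ldap-virtual-*.cf` tables that are presumably consulted by smtpd. LDAP lookups from inside the jail depend on the resolver and any TLS trust files having been copied there (Debian's Postfix scripts do part of this), so this deserves a molecule check that an RCPT for a virtual mailbox still succeeds after the change; the non-chrooted `proxymap` service is kept at `n`, and referencing the tables as `proxy:ldap:...` is the documented remedy if lookups break. I'd add `# chroot=y: LDAP tables must be reachable from the jail, otherwise use proxy:ldap:` above the `smtp` line. The header row now reads chroot `(no)` while the rows say `y`; that matches Debian's stock master.cf but is easy to misread as an inconsistency.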
@@ -36,32 +36,32 @@ smtp inet n - - - - smtpd # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING -#628 inet n - - - - qmqpd -pickup unix n - - 60 1 pickup -cleanup unix n - - - 0 cleanup +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap -smtp unix - - - - - smtp -relay unix - - - - - smtp +smtp unix - - y - - smtp +relay unix - - y - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -retry unix - - - - - error -discard unix - - - - - discard +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
@@ -127,11 +127,13 @@ dovecot unix - n n - - pipe flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient} # Submission port with hardened TLS configuration. -submission inet n - - - - smtpd - -o smtpd_sasl_auth_enable=yes +submission inet n - y - - smtpd + -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o smtpd_sasl_auth_enable=yes + -o smtpd_tls_auth_only=yes + -o smtpd_recipient_restrictions= + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_tls_mandatory_protocols={{ mail_server_tls_protocols | join(',') }} -o smtpd_tls_mandatory_ciphers=high -o tls_high_cipherlist={{ mail_server_tls_ciphers }} - -o syslog_name=postfix/submission
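Review bot: `-o smtpd_recipient_restrictions=` empties the per-recipient checks on the submission service, so the only gate on this port is the SASL requirement in `smtpd_relay_restrictions=permit_sasl_authenticated,reject`; that is the standard pattern, but it also means the RBL checks from main.cf never apply to authenticated senders, which the `# Submission port with hardened TLS configuration.` comment does not say. I would extend it to `# Submission port: TLS required before AUTH, relaying only for authenticated clients, RBL checks skipped.`. The `smtpd_sasl_auth_enable=yes` override relies on `smtpd_sasl_type`/`smtpd_sasl_path` being configured in main.cf, which is not visible in this diff and is worth confirming since an unset backend makes every AUTH fail. The submission overrides are also not covered by the molecule test touched in this diff, which only inspects main.cf.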