From 359b1396b2c0ae7fcd9b24013e8c54d850b79c0f 2024-02-28 22:30:32
From: Branko Majic
Date: 2024-02-28 22:30:32
Subject: [PATCH] MAR-192: Reformat and add comments for the mail_forwarder Postfix configuration file.
---
diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2
index bb0295eeb99018bc53b36219a8fc33d4a4662b53..6201ea6b9c14cbc07965f7cf8a15aeff2e41d54c 100644
--- a/roles/mail_forwarder/templates/main.cf.j2
+++ b/roles/mail_forwarder/templates/main.cf.j2
@@ -1,52 +1,79 @@ # See /usr/share/postfix/main.cf.dist for a commented, more complete version +# Under Debian, when a file name is specified, the first line of the +# file be used as the SMTP server's name. +myorigin = /etc/mailname -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - +# Text shown to connecting clients as part of SMTP greeting. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) + +# Disable the use of local biff service for new mail notifications to +# local users. biff = no -# appending .domain is the MUA's job. +# Do not append server's domain to locally sent mail. This is up to +# sending MUAs to take care of. append_dot_mydomain = no -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - +# Disable output of Postfix README file paths when invoking postconf. readme_directory = no -# TLS parameters +# Enable opportunistic TLS. Announce to connecting clients it is +# enabled, but do not enforce it. +smtpd_use_tls=yes + +# Use locally-issued self-signed certificates for TLS. smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key + +# Use custom, generated DH parameters for increased security. smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem -smtpd_use_tls=yes + +# Enable TLS session cache database for SMTP client. Helps with +# performance and bandwidth usage. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + {% if smtp_relay_host %} +# Force full TLS certificate validation for SMTP client when it +# connect to relay host. 
smtp_tls_security_level=verify smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem {% endif %} -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. +# Static relay host to use for outgoing mails from this server. +relayhost = {{ smtp_relay_host }}{% if smtp_relay_host and smtp_relay_host_port %}:{{ smtp_relay_host_port }}{% endif %} +# Internet hostname of this mail system. myhostname = {{ inventory_hostname }} + +# Alias maps for local deliveries (to system accounts). alias_maps = hash:/etc/aliases + +# Alias database that gets updated when invoking "newaliases" command. alias_database = hash:/etc/aliases -myorigin = /etc/mailname + +# List of domains for local transport deliveries. mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost -relayhost = {{ smtp_relay_host }}{% if smtp_relay_host and smtp_relay_host_port %}:{{ smtp_relay_host_port }}{% endif %}{{ '' }} + +# List of trusted networks allowed to relay mail through this system.x mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 + +# External command for local mail deliveries. mailbox_command = procmail -a "$EXTENSION" + +# Disable size limits for local user mailboxes. mailbox_size_limit = 0 + +# Recipient delimeter for separating user name from its extension. recipient_delimiter = + + +# Listen on all network interfaces and all protocols. inet_interfaces = all inet_protocols = all -# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup fails. Useful -# for local overrides of mail servers. +# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup +# fails. Useful for local overrides of mail servers. smtp_host_lookup = dns, native # Explicitly set maximum allowed mail size that should be accepted.
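Review bot: Dropping the trailing `{{ '' }}` from the `relayhost` line in the middle of the hunk looks like a regression rather than a cleanup: Ansible renders templates with Jinja2's `trim_blocks` enabled by default, which removes the newline following a block tag such as `{% endif %}`, so the relayhost line loses its terminator and, unless a blank line follows it in the rendered template, the `# Internet hostname of this mail system.` comment is appended to the relayhost value (Postfix main.cf has no inline comments, so the relay host name would become garbage and outbound mail would fail). Keep the guard, e.g. `relayhost = {{ smtp_relay_host }}{% if smtp_relay_host and smtp_relay_host_port %}:{{ smtp_relay_host_port }}{% endif %}{{ '' }}`, or make sure a blank line separates it from the next setting and say so in a comment. The new comments also carry small wording errors worth fixing in the same pass: `# List of trusted networks allowed to relay mail through this system.x` (stray x), `# Recipient delimeter ...` (delimiter), "the first line of the file be used" (will be used) and "when it connect to relay host" (connects). The comment above the DH parameters could also note that `smtpd_tls_dh512_param_file` is only consulted for export-grade ciphers, so `smtpd_tls_dh1024_param_file` is the setting that actually carries the "increased security" claim.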