From c124f84e2d56bec9871db3d22840bd2bc763f90d 2024-02-29 18:11:30
From: Branko Majic
Date: 2024-02-29 18:11:30
Subject: [PATCH] MAR-192: Reformat the Postfix main configuration file for mail_server:
- Improve the comments and split up the config with section titles.
- Drop the deprecated/unnecessary option smtpd_use_tls (already covered with smtpd_tls_security_level).
---
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index 61180ecee06dc7661b4e8c6b20a45ffe6b8289e1..7f83177c2c3f4d9e96e149f7695c775469a05d9c 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
@@ -1,79 +1,140 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version +# See /usr/share/postfix/main.cf.dist for a commented, more complete +# version. -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname +# General settings +# ================ +# Internet hostname of this mail system. +myhostname = {{ inventory_hostname }} + +# Under Debian, when a file name is specified, the first line of the +# file be used as the SMTP server name. +myorigin = /etc/mailname + +# Text shown to connecting clients as part of SMTP greeting. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -# appending .domain is the MUA's job. +# Listen on all network interfaces and all protocols. +inet_interfaces = all +inet_protocols = all + +# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup +# fails. Useful for local overrides of mail servers. +smtp_host_lookup = dns, native + +# Do not append server's domain to locally sent mail. This is up to +# sending MUAs to take care of. append_dot_mydomain = no -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h +# Recipient delimeter for separating user name from its extension. +recipient_delimiter = + + +# Deliver undeliverable bounces to domain's postmaster. Helps with application +# misconfigurations. +notify_classes = resource, software, 2bounce +# Explicitly set maximum allowed mail size that should be accepted. +message_size_limit = {{ mail_message_size_limit }} + +# Disable output of Postfix README file paths when invoking postconf. readme_directory = no -# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on -# fresh installs. +# Compatibility level for default values. 
For more details, see: +# https://www.postfix.org/COMPATIBILITY_README.html compatibility_level = 2 -# TLS parameters -#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -#smtpd_use_tls=yes -#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -myhostname = {{ inventory_hostname }} +# Local mailbox delivery +# ====================== + +# List of domains for local transport deliveries. +mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost + +# Alias maps for local deliveries (to system accounts). alias_maps = hash:/etc/aliases + +# Alias database that gets updated when invoking "newaliases" command. alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost -relayhost = -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128{% for network in smtp_allow_relay_from %} {{ network }}{% endfor %} +# Disable size limits for local user mailboxes. mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = all -inet_protocols = all + +# Disable use of biff service for new mail notifications to local +# users (improves performance). +biff = no + + +# Virtual mailbox delivery +# ======================== + +# Deliver mails via Dovecot LDA for virtual domains. +virtual_transport = dovecot + +# Maximum number of recipients per message delivery. +dovecot_destination_recipient_limit = 1 # LDAP directory look-ups for domains, mailboxes and aliases. virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf -# Delivery of mails via Dovecot LDA for virtual domains. 
-virtual_transport = dovecot -dovecot_destination_recipient_limit = 1 -# SMTP authentication configured, but disabled by default (for server-to-server -# communication). Users should connect via submission port instead to be able to -# authenticate. -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -smtpd_sasl_auth_enable = no +# Remote mailbox delivery +# ======================= + +# List of trusted networks allowed to relay mail through this system. +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128{% for network in smtp_allow_relay_from %} {{ network }}{% endfor %} -# TLS configuration. +# Allow relaying only from trusted networks. Do not relay mails for +# domains for which the mail server is not responsible. +smtpd_relay_restrictions = permit_mynetworks + reject_unauth_destination + +# Do not use relay host for non-local mail delivery (act as proper +# public-facing mail system). +relayhost = + + +# TLS configuration +# ================= + +# Allow connecting SMTP clients to use TLS when connecting to the +# host, but do not enforce it. smtpd_tls_security_level = may + +# Allow SMTP authentication to proceed only over TLS. smtpd_tls_auth_only = yes + +# TLS private key and certificate to use for SMTP server. smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key + +# Use custom, generated DH parameters for increased security. smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem -smtpd_use_tls=yes -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# Use TLS when available with Postfix SMTP client. smtp_tls_security_level = may -# Allow relaying only from trusted networks. Do not relay mails for -# domains for which the mail server is not responsible. 
-smtpd_relay_restrictions = permit_mynetworks - reject_unauth_destination +# Enable TLS session cache database for SMTP client. Helps with +# performance and bandwidth usage. +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + + +# Authentication and authorisation +# ================================ + +# Authenticate users via Dovecot. +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth -# Look-up for list of SASL login names that are allowed to send mails +# Disable authentication by default (for server-to-server +# communications on TCP port 25). Users should connect via submission +# port instead, where authentication is enabled. +smtpd_sasl_auth_enable = no + +# Look-up list of SASL login names that are allowed to send mails # using the passed-in sender address. Allow sending from both original # mailbox name _and_ associated aliases. smtpd_sender_login_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf, ldap:/etc/postfix/ldap-virtual-alias-maps.cf @@ -86,18 +147,12 @@ smtpd_recipient_restrictions = permit_mynetworks reject_rbl_client {{ rbl }} {% endfor %} +# Pass all mails through anti-virus. smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl -# Deliver undeliverable bounces to domain's postmaster. Helps with application -# misconfigurations. -notify_classes = resource, software, 2bounce -# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup fails. Useful -# for local overrides of mail servers. -smtp_host_lookup = dns, native - -# Explicitly set maximum allowed mail size that should be accepted. -message_size_limit = {{ mail_message_size_limit }} +# Administrator-provided custom settings +# ====================================== {{ mail_server_smtp_additional_configuration }}
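Review bot: The new comment above `myorigin = /etc/mailname` in the "General settings" section misdescribes the parameter: myorigin is the domain Postfix appends to locally posted addresses that have no domain part, not "the SMTP server name" (that role belongs to myhostname / smtpd_banner), and the sentence is also missing a verb. I would replace it with `# Domain appended to locally posted mail that has no domain part. Under Debian,` / `# when a file name is given, the first line of that file will be used as the domain.`. The comment above `recipient_delimiter` has a typo: `# Recipient delimiter for separating user name from its extension.`. In the TLS section, `smtpd_tls_dh512_param_file` now points at the same generated file as the 1024-bit one; as far as I recall the Postfix documentation describes the 512-bit parameter as applying only to export-grade ciphers and ignored with current OpenSSL, so it is a candidate for the same clean-up this commit applies to smtpd_use_tls, or at least deserves a `# legacy: export-grade DH, ignored by modern Postfix/OpenSSL` note — please confirm against the Postfix version deployed.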
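Review bot: The new "Administrator-provided custom settings" header should state that `{{ mail_server_smtp_additional_configuration }}` is rendered after every other setting and, because Postfix keeps only the last assignment of a parameter in main.cf, anything repeated there silently overrides the hardened values above (smtpd_relay_restrictions, smtpd_recipient_restrictions, the smtpd_milters lines in this hunk). Suggested addition under the header: `# NOTE: rendered last - a parameter repeated here overrides the value set above (last assignment wins).`. The new `# Pass all mails through anti-virus.` comment would be more useful if it also recorded the failure mode, since milter_default_action is not set in this hunk (it may be set elsewhere in the template - please check): `# milter_default_action is left at its default (tempfail), so mail is deferred if the milter is unreachable.`.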