From d8ba2419467cb005eecd354b8cb79bfdc6f78731 2024-02-29 18:24:41 From: Branko Majic Date: 2024-02-29 18:24:41 Subject: [PATCH] MAR-192: Reformatted mail_forwader Postfix configuration file: - Improve commenting, and align it with the mail_server role configuration file in terms of layout. - Set the compatibility level. --- diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2 index 6201ea6b9c14cbc07965f7cf8a15aeff2e41d54c..21277d5335937dffea5a7c01ab14e45a27c9e893 100644 --- a/roles/mail_forwarder/templates/main.cf.j2 +++ b/roles/mail_forwarder/templates/main.cf.j2 @@ -1,51 +1,51 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version +# See /usr/share/postfix/main.cf.dist for a commented, more complete +# version. + + +# General settings +# ================ + +# Internet hostname of this mail system. +myhostname = {{ inventory_hostname }} # Under Debian, when a file name is specified, the first line of the -# file be used as the SMTP server's name. +# file be used as the SMTP server name. myorigin = /etc/mailname # Text shown to connecting clients as part of SMTP greeting. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -# Disable the use of local biff service for new mail notifications to -# local users. -biff = no +# Listen on all network interfaces and all protocols. +inet_interfaces = all +inet_protocols = all + +# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup +# fails. Useful for local overrides of mail servers. +smtp_host_lookup = dns, native # Do not append server's domain to locally sent mail. This is up to # sending MUAs to take care of. append_dot_mydomain = no -# Disable output of Postfix README file paths when invoking postconf. -readme_directory = no - -# Enable opportunistic TLS. Announce to connecting clients it is -# enabled, but do not enforce it. -smtpd_use_tls=yes +# Recipient delimeter for separating user name from its extension. +recipient_delimiter = + -# Use locally-issued self-signed certificates for TLS. -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +# Explicitly set maximum allowed mail size that should be accepted. +message_size_limit = {{ mail_message_size_limit }} -# Use custom, generated DH parameters for increased security. -smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem -smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem +# Disable output of Postfix README file paths when invoking postconf. +readme_directory = no -# Enable TLS session cache database for SMTP client. Helps with -# performance and bandwidth usage. -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +# Compatibility level for default values. For more details, see: +# https://www.postfix.org/COMPATIBILITY_README.html +compatibility_level = 2 -{% if smtp_relay_host %} -# Force full TLS certificate validation for SMTP client when it -# connect to relay host. -smtp_tls_security_level=verify -smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem -{% endif %} -# Static relay host to use for outgoing mails from this server. -relayhost = {{ smtp_relay_host }}{% if smtp_relay_host and smtp_relay_host_port %}:{{ smtp_relay_host_port }}{% endif %} +# Local mailbox delivery +# ====================== -# Internet hostname of this mail system. -myhostname = {{ inventory_hostname }} +# List of domains for local transport deliveries. +mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost # Alias maps for local deliveries (to system accounts). alias_maps = hash:/etc/aliases @@ -53,32 +53,54 @@ alias_maps = hash:/etc/aliases # Alias database that gets updated when invoking "newaliases" command. alias_database = hash:/etc/aliases -# List of domains for local transport deliveries. -mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost +# Disable size limits for local user mailboxes. +mailbox_size_limit = 0 -# List of trusted networks allowed to relay mail through this system.x -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +# Disable use of biff service for new mail notifications to local +# users (improves performance). +biff = no # External command for local mail deliveries. mailbox_command = procmail -a "$EXTENSION" -# Disable size limits for local user mailboxes. -mailbox_size_limit = 0 -# Recipient delimeter for separating user name from its extension. -recipient_delimiter = + +# Remote mailbox delivery +# ======================= -# Listen on all network interfaces and all protocols. -inet_interfaces = all -inet_protocols = all - -# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup -# fails. Useful for local overrides of mail servers. -smtp_host_lookup = dns, native - -# Explicitly set maximum allowed mail size that should be accepted. -message_size_limit = {{ mail_message_size_limit }} +# List of trusted networks allowed to relay mail through this system. +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 # Allow relaying only from trusted networks. Do not relay mails for # domains for which the mail server is not responsible. -smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination +smtpd_relay_restrictions = permit_mynetworks + reject_unauth_destination + +# Static relay host to use for outgoing mails from this server. +relayhost = {{ smtp_relay_host }}{% if smtp_relay_host and smtp_relay_host_port %}:{{ smtp_relay_host_port }}{% endif %} + + +# TLS configuration +# ================= + +# Allow connecting SMTP clients to use TLS when connecting to the +# host, but do not enforce it. +smtpd_tls_security_level = may + +# Use locally-issued self-signed certificates for TLS. +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key + +# Use custom, generated DH parameters for increased security. +smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem +smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem + +{% if smtp_relay_host %} +# Force TLS certificate validation when connecting to relay host using +# the dedicated CA certificate truststore. +smtp_tls_security_level=verify +smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem +{% endif %} + +# Enable TLS session cache database for SMTP client. Helps with +# performance and bandwidth usage. +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache