MAR-218: Upgrade test site for Ansible 10.x and fix linting errors:
- Disable name checks when importing playbooks into top-level playbook
to avoid naming duplication.
- Disable name checks when importing playbooks into top-level playbook
to avoid naming duplication.
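# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version.
#
# Postfix main.cf template rendered by Ansible (mail_server role).
# Syntax reminder: "key = value"; a line that starts with whitespace
# continues the previous value; later assignments override earlier
# ones, which is why the administrator-provided block is kept last.

# General settings
# ================

# Internet hostname of this mail system.
myhostname = {{ inventory_hostname }}

# Under Debian, when a file name is specified, the first line of the
# file will be used as the SMTP server name.
myorigin = /etc/mailname

# Text shown to connecting clients as part of SMTP greeting.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

# Listen on all network interfaces and all protocols.
inet_interfaces = all
inet_protocols = all

# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup
# fails. Useful for local overrides of mail servers.
smtp_host_lookup = dns, native

# Recipient delimiter for separating user name from its extension.
recipient_delimiter = +

# Deliver undeliverable bounces to domain's postmaster. Helps with
# application misconfigurations.
notify_classes = resource, software, 2bounce

# Explicitly set maximum allowed mail size (in bytes) that should be
# accepted.
message_size_limit = {{ mail_message_size_limit }}

# Disable output of Postfix README file paths when invoking postconf.
readme_directory = no

# Use whitelist/blacklist instead of allowlist/denylist in log
# entries.
respectful_logging = no

# Compatibility level for default values. For more details, see:
# https://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.6

# Local mailbox delivery
# ======================

# List of domains for local transport deliveries.
mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost

# Alias maps for local deliveries (to system accounts).
alias_maps = hash:/etc/aliases

# Alias database that gets updated when invoking "newaliases" command.
alias_database = hash:/etc/aliases

# Disable size limits for local user mailboxes.
mailbox_size_limit = 0

# Disable use of biff service for new mail notifications to local
# users (improves performance).
biff = no

# Virtual mailbox delivery
# ========================

# Deliver mails via Dovecot LDA for virtual domains. The transport
# name refers to a service of the same name that is expected to be
# defined in master.cf.
virtual_transport = dovecot

# Maximum number of recipients per message delivery.
dovecot_destination_recipient_limit = 1

# LDAP directory look-ups for domains, mailboxes and aliases.
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf

# Remote mailbox delivery
# =======================

# List of trusted networks allowed to relay mail through this system.
# Every network listed in smtp_allow_relay_from may relay without
# authenticating, so keep that list minimal.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128{% for network in smtp_allow_relay_from %} {{ network }}{% endfor %}

# Allow relaying only from trusted networks. Do not relay mails for
# domains for which the mail server is not responsible.
smtpd_relay_restrictions = permit_mynetworks
    reject_unauth_destination

# Do not use relay host for non-local mail delivery (act as proper
# public-facing mail system).
relayhost =

# TLS configuration
# =================

# Allow connecting SMTP clients to use TLS when connecting to the
# host, but do not enforce it (a public MX has to accept plaintext
# from senders that do not offer TLS).
smtpd_tls_security_level = may

# Allow SMTP authentication to proceed only over TLS.
smtpd_tls_auth_only = yes

# TLS private key and certificate to use for SMTP server.
# NOTE(review): these paths are derived from ansible_fqdn while the DH
# parameter paths below use inventory_hostname; confirm both resolve to
# the same name on every host, or the files will not line up.
smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem
smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key

# Use custom, generated DH parameters for increased security. The
# "1024" in the parameter name is historical; the file may hold larger
# parameters. NOTE(review): the 512-bit (export-grade) setting is
# believed to be ignored by current Postfix/OpenSSL builds and is kept
# only for older ones - confirm before dropping it.
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem

# Use TLS when available with Postfix SMTP client.
smtp_tls_security_level = may

# Enable TLS session cache database for SMTP client. Helps with
# performance and bandwidth usage.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication and authorisation
# ================================

# Authenticate users via Dovecot. The socket path is relative to the
# Postfix queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Disable authentication by default (for server-to-server
# communications on TCP port 25). Users should connect via submission
# port instead, where authentication is enabled.
smtpd_sasl_auth_enable = no

# Look-up list of SASL login names that are allowed to send mails
# using the passed-in sender address. Allow sending from both original
# mailbox name _and_ associated aliases. This map is only enforced
# where a reject_sender_login_mismatch-style restriction is used; it
# is not referenced in this file, so that is presumably done on the
# submission service in master.cf - verify.
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf, ldap:/etc/postfix/ldap-virtual-alias-maps.cf

# Let trusted networks through, then reject clients listed in any of
# the configured RBLs. Refusing relay for domains this server is not
# responsible for is handled by smtpd_relay_restrictions above, which
# Postfix evaluates before this list.
smtpd_recipient_restrictions = permit_mynetworks
{% for rbl in smtp_rbl %}
    reject_rbl_client {{ rbl }}
{% endfor %}

# Pass all mails through anti-virus. With the default
# milter_default_action (tempfail), mail is deferred rather than
# skipped if the milter is unreachable.
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl

# Administrator-provided custom settings
# ======================================
# Rendered last so that any setting here overrides the ones above.
{{ mail_server_smtp_additional_configuration }}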