MAR-192: Reformat the Postfix main configuration file for mail_server:
- Improve the comments and split up the config with section titles.
- Drop the deprecated/unnecessary option smtpd_use_tls (already
covered with smtpd_tls_security_level).
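# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version.
#
# Rendered from the mail_server Ansible role template (main.cf.j2).
# Postfix main.cf format: one "parameter = value" per line, "#"
# comments on their own line only (no trailing comments), and a line
# that starts with whitespace continues the previous logical line.
# When a parameter is assigned more than once, the last assignment wins.

# General settings
# ================

# Internet hostname of this mail system.
myhostname = {{ inventory_hostname }}

# Under Debian, when a file name is specified, the first line of the
# file will be used as the SMTP server name.
myorigin = /etc/mailname

# Text shown to connecting clients as part of the SMTP greeting.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

# Listen on all network interfaces and all protocols.
inet_interfaces = all
inet_protocols = all

# Fall back to native lookups (/etc/hosts etc.) if the DNS lookup
# fails. Useful for local overrides of mail servers.
smtp_host_lookup = dns, native

# Do not append the server's domain to locally sent mail. This is up to
# the sending MUAs to take care of.
append_dot_mydomain = no

# Recipient delimiter separating a user name from its extension.
recipient_delimiter = +

# Notify the postmaster about resource and software problems and about
# undeliverable bounces (double bounces). Helps with spotting
# application misconfigurations.
notify_classes = resource, software, 2bounce

# Explicitly set the maximum mail size (in bytes) that is accepted.
message_size_limit = {{ mail_message_size_limit }}

# Disable output of Postfix README file paths when invoking postconf.
readme_directory = no

# Compatibility level for default values. For more details, see:
# https://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 2

# Local mailbox delivery
# ======================

# List of domains for local transport deliveries.
mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost

# Alias maps for local deliveries (to system accounts).
alias_maps = hash:/etc/aliases

# Alias database that gets updated when invoking the "newaliases" command.
alias_database = hash:/etc/aliases

# Disable size limits for local user mailboxes.
mailbox_size_limit = 0

# Disable use of the biff service for new mail notifications to local
# users (improves performance).
biff = no

# Virtual mailbox delivery
# ========================

# Deliver mails via Dovecot LDA for virtual domains.
virtual_transport = dovecot

# Maximum number of recipients per message delivery.
dovecot_destination_recipient_limit = 1

# LDAP directory look-ups for domains, mailboxes and aliases.
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps.cf

# Remote mailbox delivery
# =======================

# List of trusted networks allowed to relay mail through this system.
# Every network listed here (loopback plus smtp_allow_relay_from) may
# relay to any destination without authentication and is exempt from
# the RBL checks below, so keep the list as tight as possible.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128{% for network in smtp_allow_relay_from %} {{ network }}{% endfor %}

# Allow relaying only from trusted networks. Do not relay mails for
# domains for which the mail server is not responsible.
smtpd_relay_restrictions = permit_mynetworks
    reject_unauth_destination

# Do not use a relay host for non-local mail delivery (act as a proper
# public-facing mail system).
relayhost =

# TLS configuration
# =================

# Allow connecting SMTP clients to use TLS (opportunistic STARTTLS)
# when connecting to the host, but do not enforce it.
smtpd_tls_security_level = may

# Allow SMTP authentication to proceed only over TLS, so credentials
# are never sent over a plaintext session.
smtpd_tls_auth_only = yes

# TLS private key and certificate to use for the SMTP server.
smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem
smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key

# Use custom, generated DH parameters for increased security.
# NOTE(review): the dh512 parameter only applies to export-grade
# ciphers; Postfix 3.1 and later no longer support those and ignore
# this parameter -- confirm against the installed release's postconf(5).
smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem

# Use TLS when available with the Postfix SMTP client. This is
# opportunistic: the session is encrypted when the remote server offers
# STARTTLS, but the peer certificate is not verified.
smtp_tls_security_level = may

# Enable the TLS session cache database for the SMTP client. Helps with
# performance and bandwidth usage.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication and authorisation
# ================================

# Authenticate users via Dovecot.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Disable authentication by default (for server-to-server
# communications on TCP port 25). Users should connect via the
# submission port instead, where authentication is enabled.
smtpd_sasl_auth_enable = no

# Look-up list of SASL login names that are allowed to send mails
# using the passed-in sender address. Allow sending from both the
# original mailbox name _and_ associated aliases.
# NOTE(review): this map is only enforced by a restriction such as
# reject_sender_login_mismatch, which is not set in this file;
# presumably it is applied by the submission service -- verify.
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf, ldap:/etc/postfix/ldap-virtual-alias-maps.cf

# Reject mails from clients listed in any of the configured RBLs.
# Restrictions are evaluated in order, so clients from trusted networks
# are permitted before the RBL look-ups take place. Relaying for domains
# the server is not responsible for is already rejected by
# smtpd_relay_restrictions above.
smtpd_recipient_restrictions = permit_mynetworks
{% for rbl in smtp_rbl %}
    reject_rbl_client {{ rbl }}
{% endfor %}

# Pass all mails (SMTP and locally submitted) through the anti-virus milter.
smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl

# Administrator-provided custom settings
# ======================================

# Rendered verbatim at the end of the file; any parameter repeated here
# overrides the value set above, since the last assignment wins.
{{ mail_server_smtp_additional_configuration }}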