# {{ ansible_managed }}

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no

# Warn on delivery delays greater than 4 hours
delay_warning_time = 4h

readme_directory = no

compatibility_level = 3.6

smtpd_tls_cert_file={{ postfix_tls_cert }}
smtpd_tls_key_file={{ postfix_tls_key }}

# Configure TLS in high security mode, via https://mecsa.jrc.ec.europa.eu/en/postfix:
# - mails must be sent via TLS, optionally with DANE, and STARTTLS offer logged
# - mails must be received via TLS
# - authentication must be performed via TLS
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only=yes

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access

smtpd_relay_restrictions =
                         permit_mynetworks,
                         permit_sasl_authenticated,
                         reject_unauth_destination,
                         reject_unauth_pipelining,
                         check_policy_service unix:private/policyd-spf,

smtpd_milters = inet:localhost:8891,inet:localhost:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = reject
milter_protocol = 6

myorigin = /etc/mailname
myhostname = {{ postfix_mailserver_name }}

policyd-spf_time_limit = 3600

# Set the default transport to our private separate smtpd instance
# which will conditionally apply SRS (Sender Rewrite Scheme).
#
# If the mail is destined for a local inbox, no SRS is needed as we
# are the final hop. If the mail is destined for a forwarding address
# we apply SRS so that SPF and other validations will pass.
default_transport = smtp:127.0.0.1:10027
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

virtual_alias_maps =
    ldap:/etc/postfix/ldap-registeredaddress.cf,
    ldap:/etc/postfix/ldap-uid.cf,
    ldap:/etc/postfix/ldap-group-aliases.cf,
    ldap:/etc/postfix/ldap-service-mail.cf,
    hash:/etc/postfix/virtual

relay_recipient_maps =
    ldap:/etc/postfix/ldap-relay-recipients.cf,
    ldap:/etc/postfix/ldap-group-aliases.cf,
    ldap:/etc/postfix/ldap-service-mail.cf,
    hash:/etc/postfix/virtual

local_recipient_maps =
    $relay_recipient_maps,
    hash:/etc/postfix/transport

transport_maps = hash:/etc/postfix/transport

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

mydestination = {{ postfix_mailserver_name }}, localhost, {{ postfix_destination_domains | join(', ') }}
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Basic anti-abuse ratelimits.
# The time window is specified with anvil_rate_time_unit,
# which defaults to 60 seconds.
smtpd_client_auth_rate_limit = 1000
smtpd_client_connection_rate_limit = 1000
smtpd_client_message_rate_limit = 1000
smtpd_client_new_tls_session_rate_limit = 1000
smtpd_client_recipient_rate_limit = 100
# Sleep for $smtpd_error_sleep_time (default 1s) after getting 1 junk command.
smtpd_junk_command_limit = 1
# One error counts $smtpd_junk_command_limit junk commands received.
# Once the client has performed enough bullshit, disconnect.
smtpd_hard_error_limit = 10
anvil_rate_time_unit = 24h
anvil_status_update_time = 12h