# {{ ansible_managed }}
#
# Postfix main.cf, rendered by Ansible from this template.
# Only full-line "#" comments are used here: Postfix treats a "#" that
# appears inside a value as part of the value, not as a comment.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
# Warn on delivery delays greater than 4 hours
delay_warning_time = 4h
readme_directory = no
# Pin the default-behaviour baseline so a Postfix upgrade cannot silently
# change the meaning of settings that are not set explicitly below.
compatibility_level = 3.6
# Server certificate and private key; both paths come from the playbook.
# NOTE(review): the key file should be readable by root only -- confirm
# the file mode set by the task that deploys {{ postfix_tls_key }}.
smtpd_tls_cert_file={{ postfix_tls_cert }}
smtpd_tls_key_file={{ postfix_tls_key }}
# Configure TLS in high security mode, via https://mecsa.jrc.ec.europa.eu/en/postfix:
# - mails must be sent via TLS, optionally with DANE, and STARTTLS offer logged
# - mails must be received via TLS
# - authentication must be performed via TLS
#
# Outbound: "dane" verifies the peer against DNSSEC-validated TLSA records
# when they exist and otherwise falls back to opportunistic TLS ("may").
# NOTE(review): peer authentication only happens if this host's resolver
# validates DNSSEC -- confirm /etc/resolv.conf points at one, otherwise
# DANE is never applied and outbound TLS is unauthenticated.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes
# Inbound: "encrypt" refuses any session that does not negotiate TLS.
smtpd_tls_security_level = encrypt
# AUTH is announced only after STARTTLS. Redundant with "encrypt" above
# (no plaintext session gets far enough to authenticate) but harmless.
smtpd_tls_auth_only = yes
# Legacy knob from before smtpd_tls_security_level existed; the level set
# above takes precedence. Kept for compatibility only and could be dropped.
smtpd_use_tls = yes
# Record the TLS protocol/cipher in the Received: header (useful evidence
# when investigating where a message was or was not encrypted in transit).
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# Duplicate of the smtpd_tls_auth_only setting above; Postfix uses the last
# occurrence and is expected to log an "overriding earlier entry" warning.
# TODO: remove this line.
smtpd_tls_auth_only=yes
# Per-sender allow/deny list. Relay control is NOT done here but in
# smtpd_relay_restrictions below.
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access
# Evaluated left to right; the first permit/reject that matches wins:
#  - loopback clients (mynetworks) and authenticated users may relay;
#  - anything else destined off-site is rejected;
#  - clients that send commands before Postfix answers are rejected;
#  - the SPF policy daemon is consulted last, i.e. only for mail that would
#    otherwise be accepted (keep it after reject_unauth_destination).
# The trailing comma after the last entry appears to be tolerated by
# Postfix's list parsing but is easy to misread; consider dropping it.
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
check_policy_service unix:private/policyd-spf,
# Two milters on loopback (presumably DKIM/ARC signing and verification --
# confirm against whatever listens on 8891 and 8893). The same milters also
# process locally submitted mail via non_smtpd_milters.
# Fail-closed: if a milter is unreachable, mail is refused with a permanent
# error rather than accepted unsigned/unchecked. Safe for signing, but it
# turns a milter outage into refused legitimate mail; "tempfail" would
# queue/defer instead. This trade-off should be a deliberate choice.
smtpd_milters = inet:localhost:8891,inet:localhost:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = reject
milter_protocol = 6
myorigin = /etc/mailname
myhostname = {{ postfix_mailserver_name }}
# Per-service time limit for the policy daemon spawned from master.cf.
# Assumes the master.cf service is named "policyd-spf" -- the prefix of
# this parameter must match that name exactly; TODO confirm.
policyd-spf_time_limit = 3600
# Set the default transport to our private separate smtpd instance
# which will conditionally apply SRS (Sender Rewrite Scheme).
#
# If the mail is destined for a local inbox, no SRS is needed as we
# are the final hop. If the mail is destined for a forwarding address
# we apply SRS so that SPF and other validations will pass.
#
# NOTE(review): this instance sits inside the trust boundary (mail reaches
# it after all restrictions above). Confirm in master.cf that port 10027
# is bound to 127.0.0.1 only and not reachable from other hosts.
default_transport = smtp:127.0.0.1:10027
# Rewrite envelope and header recipients through a TCP table server on
# loopback (presumably the SRS/forwarding daemon referred to above --
# confirm). Same loopback-only caveat as for port 10027.
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient
# Alias resolution: LDAP sources in lookup order, with the hash: file as
# the local override for entries that do not live in the directory.
virtual_alias_maps =
ldap:/etc/postfix/ldap-registeredaddress.cf,
ldap:/etc/postfix/ldap-uid.cf,
ldap:/etc/postfix/ldap-group-aliases.cf,
ldap:/etc/postfix/ldap-service-mail.cf,
hash:/etc/postfix/virtual
# Recipient validation for relayed domains: unknown recipients are refused
# at RCPT time instead of being accepted and bounced later (no backscatter).
relay_recipient_maps =
ldap:/etc/postfix/ldap-relay-recipients.cf,
ldap:/etc/postfix/ldap-group-aliases.cf,
ldap:/etc/postfix/ldap-service-mail.cf,
hash:/etc/postfix/virtual
# Local delivery validation: everything accepted for relay, plus any
# address with an explicit transport entry. NOTE(review): feeding the
# transport map into recipient validation is unusual -- confirm it is
# intended and that the transport file cannot be edited by non-admins.
local_recipient_maps =
$relay_recipient_maps,
hash:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
# Final delivery to Dovecot over its LMTP socket.
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no
# Domains delivered locally: this host, localhost and the playbook's list.
mydestination = {{ postfix_mailserver_name }}, localhost, {{ postfix_destination_domains | join(', ') }}
# No smarthost: deliver directly to the remote MX hosts.
relayhost =
# Only loopback is trusted for unauthenticated relaying; nothing on the LAN
# gets permit_mynetworks. Note that clients in $mynetworks are, by default,
# also exempt from the anvil rate limits further down.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# 0 = no mailbox size cap on the Postfix side; any quota must be enforced
# elsewhere (not configured in this file).
mailbox_size_limit = 0
# Enables user+tag@domain sub-addressing.
recipient_delimiter = +
# Listen on every interface, IPv4 and IPv6.
inet_interfaces = all
inet_protocols = all
# Basic anti-abuse ratelimits, counted per client address.
# The time window is specified with anvil_rate_time_unit, which defaults
# to 60 seconds but is set to 24h at the end of this file -- so each value
# below is "per client, per day". Clients in $mynetworks are exempt by
# default (smtpd_client_event_limit_exceptions).
smtpd_client_auth_rate_limit = 1000
smtpd_client_connection_rate_limit = 1000
smtpd_client_message_rate_limit = 1000
smtpd_client_new_tls_session_rate_limit = 1000
# Tightest of the limits: 100 recipients per client per window. Legitimate
# bulk senders hit this first; watch for "Recipient address rate limit
# exceeded" in the logs before tightening further.
smtpd_client_recipient_rate_limit = 100
# Sleep for $smtpd_error_sleep_time (default 1s) after getting 1 junk command.
smtpd_junk_command_limit = 1
# One error counts $smtpd_junk_command_limit junk commands received.
# Once the client has performed enough bullshit, disconnect.
smtpd_hard_error_limit = 10
# Window for the rate limits above; anvil logs peak counters every 12h,
# which is the place to look when tuning the limits.
anvil_rate_time_unit = 24h
anvil_status_update_time = 12h