|
|
|
###############
|
|
|
|
# General
|
|
|
|
###############
|
|
|
|
|
|
|
|
# Logging configuration
|
|
|
|
maillog_file = /dev/stdout
|
|
|
|
|
|
|
|
# Main domain and hostname
|
|
|
|
mydomain = {{ DOMAIN }}
|
|
|
|
myhostname = {{ HOSTNAMES.split(",")[0] }}
|
|
|
|
myorigin = $mydomain
|
|
|
|
|
|
|
|
# Queue location
|
|
|
|
queue_directory = /queue
|
|
|
|
|
|
|
|
# Message size limit
|
|
|
|
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
|
|
|
|
|
|
|
|
# Relayed networks
|
|
|
|
mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
|
|
|
|
|
|
|
|
# Empty alias list to override the configuration variable and disable NIS
|
|
|
|
alias_maps =
|
|
|
|
|
|
|
|
# Podop configuration
|
|
|
|
podop = socketmap:unix:/tmp/podop.socket:
|
|
|
|
|
|
|
|
# Only accept virtual emails
|
|
|
|
mydestination =
|
|
|
|
|
|
|
|
# Relayhost if any is configured
|
|
|
|
relayhost = {{ RELAYHOST }}
|
|
|
|
{% if RELAYUSER %}
|
|
|
|
smtp_sasl_auth_enable = yes
|
|
|
|
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
|
|
|
|
smtp_sasl_security_options = noanonymous, noplaintext
|
|
|
|
smtp_sasl_tls_security_options = noanonymous
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
# Recipient delimiter for extended addresses
|
|
|
|
recipient_delimiter = {{ RECIPIENT_DELIMITER }}
|
|
|
|
|
|
|
|
# Only the front server is allowed to perform xclient
|
|
|
|
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
|
|
|
|
smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
|
|
|
|
|
|
|
|
###############
|
|
|
|
# TLS
|
|
|
|
###############
|
|
|
|
|
|
|
|
# General TLS configuration
|
|
|
|
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
|
|
|
|
tls_preempt_cipherlist = yes
|
|
|
|
tls_ssl_options = NO_COMPRESSION, NO_TICKET
|
|
|
|
|
|
|
|
# By default, outgoing TLS is more flexible because
|
|
|
|
# 1. not all receiving servers will support TLS,
|
|
|
|
# 2. not all will have and up-to-date TLS stack.
|
|
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
|
|
smtp_tls_protocols =!SSLv2,!SSLv3
|
|
|
|
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
|
|
|
|
smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
|
|
|
|
smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
|
|
|
|
smtp_tls_CApath = /etc/ssl/certs
|
|
|
|
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
|
|
|
|
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
|
|
|
|
smtp_host_lookup = dns
|
|
|
|
smtp_dns_support_level = dnssec
|
|
|
|
delay_warning_time = 5m
|
|
|
|
smtp_tls_loglevel = 1
|
|
|
|
notify_classes = resource, software, delay
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Virtual
|
|
|
|
###############
|
|
|
|
|
|
|
|
# The alias map actually returns both aliases and local mailboxes, which is
|
|
|
|
# required for reject_unlisted_sender to work properly
|
|
|
|
virtual_alias_domains =
|
|
|
|
virtual_alias_maps = ${podop}alias
|
|
|
|
virtual_mailbox_domains = ${podop}domain
|
|
|
|
virtual_mailbox_maps = ${podop}mailbox
|
|
|
|
|
|
|
|
# Mails are transported if required, then forwarded to Dovecot for delivery
|
|
|
|
relay_domains = ${podop}transport
|
|
|
|
transport_maps = ${podop}transport
|
|
|
|
virtual_transport = lmtp:inet:{{ LMTP_ADDRESS }}
|
|
|
|
|
|
|
|
# Sender and recipient canonical maps, mostly for SRS
|
|
|
|
sender_canonical_maps = ${podop}sendermap
|
|
|
|
sender_canonical_classes = envelope_sender
|
|
|
|
recipient_canonical_maps = ${podop}recipientmap
|
|
|
|
recipient_canonical_classes= envelope_recipient,header_recipient
|
|
|
|
|
|
|
|
# In order to prevent Postfix from running DNS query, enforce the use of the
|
|
|
|
# native DNS stack, that will check /etc/hosts properly.
|
|
|
|
lmtp_host_lookup = native
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Restrictions
|
|
|
|
###############
|
|
|
|
|
|
|
|
# Delay all rejects until all information can be logged
|
|
|
|
smtpd_delay_reject = yes
|
|
|
|
|
|
|
|
# Allowed senders are: the user or one of the alias destinations
|
|
|
|
smtpd_sender_login_maps = ${podop}senderlogin
|
|
|
|
|
|
|
|
# Restrictions for incoming SMTP, other restrictions are applied in master.cf
|
|
|
|
smtpd_helo_required = yes
|
|
|
|
|
|
|
|
check_ratelimit = check_sasl_access ${podop}senderrate
|
|
|
|
|
|
|
|
smtpd_client_restrictions =
|
|
|
|
permit_mynetworks,
|
|
|
|
check_sender_access ${podop}senderaccess,
|
|
|
|
reject_non_fqdn_sender,
|
|
|
|
reject_unknown_sender_domain,
|
|
|
|
reject_unknown_recipient_domain,
|
|
|
|
permit
|
|
|
|
|
|
|
|
smtpd_relay_restrictions =
|
|
|
|
permit_mynetworks,
|
|
|
|
permit_sasl_authenticated,
|
|
|
|
reject_unauth_destination
|
|
|
|
|
|
|
|
unverified_recipient_reject_reason = Address lookup failure
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Milter
|
|
|
|
###############
|
|
|
|
|
|
|
|
smtpd_milters = inet:{{ ANTISPAM_MILTER_ADDRESS }}
|
|
|
|
milter_protocol = 6
|
|
|
|
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
|
|
|
milter_default_action = tempfail
|
|
|
|
|
|
|
|
###############
|
|
|
|
# Extra Settings
|
|
|
|
###############
|
|
|
|
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
|
|
|
|
{{- "\n" }}
|