---
postfix_enabled: True
postfix_install_packages: '{{ postfix_enabled }}'

postfix_relay_rh_pkgs:
  - postfix
  - cyrus-sasl-lib
  - cyrus-sasl-plain
  - cyrus-sasl-md5

postfix_relay_deb_pkgs:
  - postfix
  - libsasl2-2

#############################################################################
# Set them to true when you want configure your machine to send email to a relay
#############################################################################
postfix_relay_client: False
postfix_use_relay_host: '{{ postfix_relay_client }}'
postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_smtp_helo_required: "yes"
postfix_smtp_delay_reject: "yes"
postfix_smtp_disable_vrfy: "yes"

postfix_use_letsencrypt: False
postfix_tls_encryption_level: 'intermediate'
postfix_tls_dhparam_size: 2048
postfix_tls_dhparam_file: /etc/postfix/dhparam.pem
# Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: may
postfix_use_sasl_auth: True
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: True
# Options: noanonymous, noplaintext
postfix_smtp_sasl_security_options: noanonymous
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
postfix_smtp_sasl_mechanism_filter: plain, login

# Set it in your vars files
#postfix_relay_host: smtp-relay.example.com
postfix_relay_port: 587
#postfix_smtp_relay_user: smtp-user
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file
#postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
postfix_smtpd_reject_unknown_helo_hostname: False
postfix_reject_unknown_sender_domain: True
#############################################################################
# Relay server: accepts authenticated clients
#############################################################################
postfix_relay_server: False
#
postfix_use_milter: False
postfix_milter_connect_timeout: '30s'
postfix_milter_command_timeout: '30s'
postfix_milter_content_timeout: '300s'
postfix_spamassassin_milter: False
postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
postfix_clamav_milter: False
# inet:[127.0.0.1]:7357
postfix_clamav_milter_socket: 'unix:/run/clamav-milter/clamav-milter.socket'
# Specify accept, reject, tempfail, quarantine
postfix_milter_action: tempfail
#############################################################################
# SMTP server that not accept authenticated clients. 
#############################################################################
postfix_smtpd_server: False
postfix_smtpd_server_restrictions:
  - permit_mynetworks
  - reject_unknown_recipient_domain
  - reject_non_fqdn_recipient
  - reject_unauth_destination
  - reject_unauth_pipelining
  - reject_unlisted_recipient

# SMTP server that routes emails coming from outside
#############################################################################
postfix_mx_server: False
postfix_smtpd_mx_client_restrictions:
  - reject_unknown_sender_domain
  - reject_non_fqdn_sender
  - reject_non_fqdn_recipient
  - reject_invalid_hostname
  - reject_unauth_destination
  - reject_unknown_recipient_domain
  - reject_unlisted_recipient

#############################################################################
# SMTP sender restrictions
#############################################################################
postfix_smtpd_sender_restrictions: True
postfix_reject_sender_login_mismatch: False
postfix_smtpd_sender_login_maps: []
postfix_smtpd_additional_sender_restrictions: []
#############################################################################
# SMTP submission server: accepts authenticated clients
#############################################################################
postfix_submission_server: False
# Set it to True if needed, on submission servers only
postfix_add_missing_headers: False
###########################################################################################
# The following options are used when acting as a relay or as a general purpose SMTP server
###########################################################################################
postfix_use_inet_interfaces: False
postfix_inet_interfaces:
  - all
postfix_inet_protocols:
  - all
postfix_proxy_interfaces_enabled: False
postfix_proxy_interfaces:
  - 127.0.0.1
postfix_message_size_limit: 10240000

postfix_sasl_deb_packages:
  - sasl2-bin

postfix_sasl_rh_packages:
  - cyrus-sasl

postfix_saslauthd_mech: 'pam'
postfix_saslauthd_flags: ''
postfix_saslauthd_conf_file: '/etc/saslauthd.conf'
#
postfix_sasl_ldap_servers: ldap://localhost
postfix_sasl_ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com
# postfix_sasl_ldap_bind_pw: set inside a vault file
postfix_sasl_ldap_timeout: 10
postfix_sasl_ldap_time_limit: 10
postfix_sasl_ldap_scope: sub
postfix_sasl_ldap_search_base: ou=people,dc=example,dc=com
postfix_sasl_ldap_auth_method: bind
postfix_sasl_ldap_filter: (&(uid=%u)(mail=*))
postfix_sasl_ldap_debug: 0
postfix_sasl_ldap_verbose: off
postfix_sasl_ldap_ssl: no
postfix_sasl_ldap_starttls: yes
postfix_sasl_ldap_referrals: no
#

postfix_use_domain_name: False
postfix_virtual_transport_enabled: False
postfix_virtual_transport_protocol: 'lmtp'
postfix_lmtp_protocol: 'inet'
postfix_lmtp_host: '127.0.0.1'
postfix_lmtp_port: 24
postfix_delivery_soft_bounce: False
postfix_recipient_delimiter: '+'
postfix_local_recipients: False
postfix_transport_map_enabled: False
postfix_transport_maps:
  - 'hash:/etc/postfix/transport'

postfix_transport_data: []
#
# Example:
# postfix_transport_data:
#   - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' }
postfix_rbl_enabled: True
postfix_rbl_list: 'zen.spamhaus.org'

postfix_mynetworks: hash:/etc/postfix/network_table
postfix_mynetworks_data:
  - '127.0.0.0/8'
  - '127.0.0.1'

postfix_alias_maps:
  - 'hash:/etc/aliases'

postfix_alias_databases: '{{ postfix_alias_maps }}'

postfix_virtual_addresses: False
postfix_hostname_as_virtual_domain: True
postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_mailbox_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_mailbox_domains_data:
#   - { domain: 'example.com', action: 'OK' }

postfix_virtual_mailbox_maps:
  - 'hash:/etc/postfix/vmailbox_maps'

postfix_virtual_domains: False
postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_alias_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_alias_domains_data:
#   - { domain: 'example.com', action: 'OK' }

postfix_virtual_alias_maps:
  - 'hash:/etc/postfix/virtual'

postfix_local_dest_concurrency_limit: 2
postfix_default_destination_concurrency_limit: 5

postfix_behind_haproxy: False
postfix_postscreen_port: 1024

#
# Nagios monitoring
#
postfix_nagios_check: False
postfix_nagios_checks:
  - check_postfix_mailqueue
  - check_postfix_processed

nagios_postfix_mailq_w: 20
nagios_postfix_mailq_c: 50
nagios_postfix_processed_w: 50
nagios_postfix_processed_c: 150

postfix_firewalld_services:
  - { service: 'smtp', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
  - { service: 'smtps', state: 'enabled', zone: '{{ firewalld_default_zone }}'  }
  - { service: 'smtp-submission', state: 'enabled', zone: '{{ firewalld_default_zone }}'  }