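---
# Default variables for the postfix role (relay client, relay/MX/submission
# server, milters, SPF/DKIM/ARC/SRS). Booleans are written as plain YAML
# true/false; Postfix-style "yes"/"no" values stay quoted strings because they
# are copied verbatim into main.cf. Secrets (relay password, SRS secret, LDAP
# bind password) are deliberately absent: supply them from a vault-encrypted
# vars file.
postfix_enabled: true
postfix_install_packages: '{{ postfix_enabled }}'

postfix_relay_rh_pkgs:
  - postfix
  - cyrus-sasl-lib
  - cyrus-sasl-plain
  - cyrus-sasl-md5

postfix_relay_deb_pkgs:
  - postfix
  - libsasl2-2

#############################################################################
# Set them to true when you want to configure your machine to send email to a relay
#############################################################################
postfix_relay_client: false
postfix_use_relay_host: '{{ postfix_relay_client }}'

postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_smtp_helo_required: "yes"
postfix_helo_restrictions: true
postfix_smtp_delay_reject: "yes"
postfix_smtp_disable_vrfy: "yes"

postfix_use_letsencrypt: false
postfix_tls_encryption_level: 'intermediate'
postfix_tls_dhparam_size: 2048
postfix_tls_dhparam_file: /etc/postfix/dhparam.pem

# Accepted values: none, may, encrypt
# 'encrypt' refuses every client that does not STARTTLS. That is the right
# default for relay/submission listeners; if this value also reaches a public
# port-25 MX listener (postfix_mx_server below), prefer 'may' there, since
# RFC 3207 says a publicly referenced MX must not require STARTTLS.
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure.
# And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: may

postfix_use_sasl_auth: true
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: true
# Options: noanonymous, noplaintext
# With postfix_smtp_tls_security_level 'may', a relay that offers no STARTTLS
# is still used over cleartext, and 'noanonymous' alone lets PLAIN/LOGIN send
# the relay password on that session. Setting 'noanonymous, noplaintext' here
# (and keeping only 'noanonymous' in the *_tls_* variant below) confines
# password mechanisms to TLS-protected sessions.
postfix_smtp_sasl_security_options: noanonymous
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
postfix_smtp_sasl_mechanism_filter: 'plain, login'

# Set it in your vars files
# postfix_relay_host: smtp-relay.example.com
postfix_relay_port: 587
# postfix_smtp_relay_user: smtp-user
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file
# postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'

postfix_smtpd_reject_unknown_helo_hostname: false
postfix_reject_unknown_sender_domain: true

#############################################################################
# Relay server: accepts authenticated clients
#############################################################################
postfix_relay_server: false

#
## Milter (antispam, antivirus)
postfix_use_milter: false
postfix_milter_connect_timeout: '30s'
postfix_milter_command_timeout: '30s'
postfix_milter_content_timeout: '300s'
postfix_spamassassin_milter: false
postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
postfix_clamav_milter: false
# inet:[127.0.0.1]:7357
postfix_clamav_milter_socket: 'unix:/run/clamav-milter/clamav-milter.socket'
# Specify accept, reject, tempfail, quarantine
# What Postfix does when a milter is unreachable or fails; 'tempfail' keeps
# mail from bypassing the scanners when they are down.
postfix_milter_action: tempfail

## SPF policyd
postfix_spf_policy_install: false
# The 'spy' in the next two names is apparently a typo for 'spf'; they are
# kept unchanged because callers may already override them by this name.
postfix_spy_deb_pkg:
  - 'postfix-policyd-spf-python'
postfix_spy_el_pkg:
  - 'pypolicyd-spf'
# Sources never subjected to SPF checks (loopback only by default)
postfix_spf_policy_skip_addresses: '127.0.0.0/8,::ffff:127.0.0.0/104,::1'
# From 0 to 4
postfix_spf_policy_debug_level: 1
# Set to 0 for test only mode
postfix_spf_policy_default_seed: 1
postfix_spf_perm_error_reject: false
postfix_spf_temp_error_defer: false
# HELO check rejection policy. Options are:
# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
# HELO_reject = Softfail - Reject if result Softfail and Fail
# HELO_reject = Fail - Reject on HELO Fail
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
# HELO_reject = False - Never reject/defer on HELO, append header only.
# HELO_reject = No_Check - Never check HELO.
postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
# Mail From rejection policy. Options are:
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
# Mail_From_reject = Softfail - Reject if result Softfail and Fail
# Mail_From_reject = Fail - Reject on Mail From Fail (default)
# Mail_From_reject = False - Never reject/defer on Mail From, append header only
# Mail_From_reject = No_Check - Never check Mail From/Return Path.
# * It is recommended to keep the default value, and manage specific cases setting
#   postfix_spf_policy_reject_not_pass_domains
postfix_spf_policy_mail_from_reject: 'Fail'
# CIDR notation, 192.168.0.0/31,192.168.1.12
postfix_spf_policy_whitelist: ''
postfix_spf_policy_domain_whitelist: ''
postfix_spf_policy_domain_whitelist_ptr: ''
# Using this option, a list of domains can be defined for special processing
# when messages do not Pass SPF. This can be useful for commonly spoofed
# domains that are not yet publishing SPF records with -all. Specifically, if
# mail from a domain in this list has a Neutral/Softfail result, it will be
# rejected (as if it had a Fail result). If needed, it is better to do it on a
# per-domain basis rather than globally.
# e.g. 'gmail.com,aol.com,hotmail.com'
postfix_spf_policy_reject_not_pass_domains: ''
postfix_spf_policy_lookup_time: 20
postfix_spf_policy_void_limit: 2

#
# DKIM
#
postfix_dkim_enabled: false
postfix_dkim_domains: []
# - domain: 'example.com'
#   dkim_selector: 'default'
# s: sign
# v: verify
# sv: sign and verify
postfix_dkim_mode: 'v'
postfix_dkim_trusted_hosts_enabled: false
postfix_dkim_trusted_hosts: []
# - 'example.com'
# - 'CIDR'
postfix_dkim_sign_subdomains: "no"
postfix_dkim_syslog: "yes"
postfix_dkim_syslog_success: "yes"
postfix_dkim_logwhy: "yes"
postfix_dkim_socket: 'inet:8891@localhost'
postfix_dkim_milter_socket: 'inet:[127.0.0.1]:8891'
postfix_dkim_v_sendreports: 'no'
postfix_dkim_reportaddress: ''
postfix_dkim_canonicalization: 'relaxed/relaxed'
# Smallest RSA key accepted when verifying. 1024 is the floor verifiers must
# support per RFC 8301; for keys you sign with, 2048 bits is the recommended size.
postfix_dkim_minkeybits: 1024

# ARC
# - domain: 'example.com'
#   arc_selector: 'default'
# s: sign
# v: verify
# sv: sign and verify
postfix_arc_enabled: false
postfix_arc_domain: ""
postfix_arc_domain_selector: "arc-{{ ansible_hostname }}"
postfix_arc_trusted_hosts:
  - "127.0.0.1"
postfix_arc_mode: 'v'
postfix_arc_socket: 'inet:8894@localhost'
postfix_arc_milter_socket: 'inet:[127.0.0.1]:8894'
postfix_arc_canonicalization: 'relaxed/relaxed'

# SRS
# Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
# postfix_srs_secret: 'use a vault'
# postfix_srs_secret is intentionally undefined here, so enabling SRS without
# providing it from a vault fails at template time instead of deploying a
# guessable default.
postfix_srs_secrets:
  - '{{ postfix_srs_secret }}'
postfix_srs_list_exclude_domains: false
postfix_srs_exclude_domains: []
postfix_srs_user: 'nobody'
postfix_srs_sender_enabled: false
postfix_srs_receiver_enabled: false
postfix_srs_listen: '127.0.0.1'
postfix_srs_sender_port: 10001
postfix_srs_receiver_port: 10002
postfix_sender_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_sender_port }}'
postfix_recipient_canonical_maps: 'tcp:{{ postfix_srs_listen }}:{{ postfix_srs_receiver_port }}'

#############################################################################
# SMTP server that does not accept authenticated clients.
#############################################################################
postfix_smtpd_server: false
# reject_unauth_destination is what keeps this from being an open relay;
# permit_mynetworks grants relaying to everything listed in postfix_mynetworks_data.
postfix_smtpd_server_restrictions:
  - permit_mynetworks
  - reject_unknown_recipient_domain
  - reject_non_fqdn_recipient
  - reject_unauth_destination
  - reject_unauth_pipelining
  - reject_unlisted_recipient

# SMTP server that routes emails coming from outside
#############################################################################
postfix_mx_server: false
# reject_invalid_hostname is the pre-2.3 spelling of
# reject_invalid_helo_hostname; Postfix still accepts it.
postfix_smtpd_mx_client_restrictions:
  - reject_unknown_sender_domain
  - reject_non_fqdn_sender
  - reject_non_fqdn_recipient
  - reject_invalid_hostname
  - reject_unauth_destination
  - reject_unauth_pipelining
  - reject_unknown_recipient_domain
  - reject_unlisted_recipient

#############################################################################
# SMTP sender restrictions
#############################################################################
postfix_smtpd_sender_restrictions: true
# When true, an authenticated user may only use envelope senders mapped to
# its login in postfix_smtpd_sender_login_maps (stops cross-account spoofing).
postfix_reject_sender_login_mismatch: false
postfix_smtpd_sender_login_maps: []
postfix_smtpd_additional_sender_restrictions: []

#############################################################################
# SMTP submission server: accepts authenticated clients
#############################################################################
postfix_submission_server: false
# Set it to true if needed, on submission servers only
postfix_add_missing_headers: false

###########################################################################################
# The following options are used when acting as a relay or as a general purpose SMTP server
###########################################################################################
postfix_use_inet_interfaces: false
postfix_inet_interfaces:
  - all
postfix_inet_protocols:
  - all
postfix_proxy_interfaces_enabled: false
postfix_proxy_interfaces:
  - '127.0.0.1'
postfix_message_size_limit: 10240000
postfix_sasl_deb_packages:
  - sasl2-bin
postfix_sasl_rh_packages:
  - cyrus-sasl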
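postfix_saslauthd_mech: 'pam'
postfix_saslauthd_flags: ''
postfix_saslauthd_conf_file: '/etc/saslauthd.conf'
# LDAP backend for saslauthd. The DN and search base below are example.com
# placeholders and must be overridden together with the two commented vars.
# postfix_sasl_ldap_servers: ldap://localhost
postfix_sasl_ldap_bind_dn: 'cn=saslauthd,ou=dsa,dc=example,dc=com'
# postfix_sasl_ldap_bind_pw: set inside a vault file
postfix_sasl_ldap_timeout: 10
postfix_sasl_ldap_time_limit: 10
postfix_sasl_ldap_scope: sub
postfix_sasl_ldap_search_base: 'ou=people,dc=example,dc=com'
postfix_sasl_ldap_auth_method: bind
# %u is replaced by saslauthd with the login name being authenticated
postfix_sasl_ldap_filter: '(&(uid=%u)(mail=*))'
postfix_sasl_ldap_debug: 0
# NOTE(review): the next four values are unquoted YAML 1.1 booleans, so
# Ansible sees them as true/false rather than the 'yes'/'no' strings used
# elsewhere in this file — confirm the saslauthd.conf template expects that
# before changing them. With ssl off and starttls on, the bind password is
# protected only if the directory server actually offers STARTTLS.
postfix_sasl_ldap_verbose: off
postfix_sasl_ldap_ssl: no
postfix_sasl_ldap_starttls: yes
postfix_sasl_ldap_referrals: no
#
postfix_use_domain_name: false
postfix_virtual_transport_enabled: false
postfix_virtual_transport_protocol: 'lmtp'
postfix_lmtp_protocol: 'inet'
postfix_lmtp_host: '127.0.0.1'
postfix_lmtp_port: 24
postfix_delivery_soft_bounce: false
postfix_recipient_delimiter: '+'
postfix_local_recipients: false
postfix_transport_map_enabled: false
postfix_transport_maps:
  - 'hash:/etc/postfix/transport'
postfix_transport_data: []
# - domain: 'example.com'
#   action: 'smtp:[dest.smtp.example.com]:25'
# DNS blocklists. Spamhaus answers queries relayed through large public
# resolvers with error codes instead of listings, so use a local resolver.
postfix_rbl_enabled: true
postfix_rbl_list: 'zen.spamhaus.org'
postfix_spamhaus_dbl_enabled: true
postfix_mynetworks: 'hash:/etc/postfix/network_table'
# Every network here may relay through this host via permit_mynetworks, so
# list only ranges you administer. '127.0.0.1' is already inside
# '127.0.0.0/8' and is kept for compatibility with existing overrides.
postfix_mynetworks_data:
  - '127.0.0.0/8'
  - '127.0.0.1'
postfix_alias_maps:
  - 'hash:/etc/aliases'
postfix_alias_databases: '{{ postfix_alias_maps }}'
postfix_virtual_addresses: false
postfix_hostname_as_virtual_domain: true
postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_mailbox_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_mailbox_domains_data:
#   - { domain: 'example.com', action: 'OK' }
postfix_virtual_mailbox_maps:
  - 'hash:/etc/postfix/vmailbox_maps'
postfix_virtual_domains: false
postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_alias_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_alias_domains_data:
#   - { domain: 'example.com', action: 'OK' }
postfix_virtual_alias_maps:
  - 'hash:/etc/postfix/virtual'
postfix_local_dest_concurrency_limit: 2
postfix_default_destination_concurrency_limit: 5
postfix_smtp_destination_concurrency_limit: "{{ postfix_default_destination_concurrency_limit }}"
# Other rate limiting parameters
postfix_enforce_users_rate_limiting: false
postfix_smtpd_client_message_rate_limit: 4
postfix_anvil_rate_time_unit: "60s"
postfix_default_destination_rate_delay: "2s"
postfix_default_destination_recipient_limit: 50
postfix_behind_haproxy: false
postfix_postscreen_port: 1024
postfix_pflogsumm_reports: false
postfix_pflogsumm_mail_report: false
postfix_pflogsumm_mail_report_address: 'postmaster'
postfix_pflogsumm_dir: /var/log/smtp_reports
postfix_pflogsumm_logfile: '{{ postfix_pflogsumm_dir }}/pflogsumm.log'
postfix_pflogsumm_options: '-d yesterday --problems_first --rej_add_from --verbose_msg_detail -q'
postfix_pflogsumm_reports_days: 10
#
# Nagios monitoring
#
postfix_nagios_check: false
postfix_nagios_checks:
  - check_postfix_mailqueue
  - check_postfix_processed
# Warning / critical thresholds for the two checks above
nagios_postfix_mailq_w: 20
nagios_postfix_mailq_c: 50
nagios_postfix_processed_w: 50
nagios_postfix_processed_c: 150
# firewalld_default_zone is not defined in this file; the caller must provide it.
postfix_firewalld_services:
  - { service: 'smtp', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
  - { service: 'smtps', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
  - { service: 'smtp-submission', state: 'enabled', zone: '{{ firewalld_default_zone }}' }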