291 lines
10 KiB
YAML
291 lines
10 KiB
YAML
---
|
|
postfix_enabled: True
|
|
postfix_install_packages: '{{ postfix_enabled }}'
|
|
|
|
postfix_relay_rh_pkgs:
|
|
- postfix
|
|
- cyrus-sasl-lib
|
|
- cyrus-sasl-plain
|
|
- cyrus-sasl-md5
|
|
|
|
postfix_relay_deb_pkgs:
|
|
- postfix
|
|
- libsasl2-2
|
|
|
|
#############################################################################
|
|
# Set them to true when you want configure your machine to send email to a relay
|
|
#############################################################################
|
|
postfix_relay_client: False
|
|
postfix_use_relay_host: '{{ postfix_relay_client }}'
|
|
postfix_biff: "no"
|
|
postfix_append_dot_mydomain: "no"
|
|
postfix_smtp_helo_required: "yes"
|
|
postfix_helo_restrictions: True
|
|
postfix_smtp_delay_reject: "yes"
|
|
postfix_smtp_disable_vrfy: "yes"
|
|
|
|
postfix_use_letsencrypt: False
|
|
postfix_tls_encryption_level: 'intermediate'
|
|
postfix_tls_dhparam_size: 2048
|
|
postfix_tls_dhparam_file: /etc/postfix/dhparam.pem
|
|
# Accepted values: none, may, encrypt
|
|
postfix_smtpd_tls_security_level: encrypt
|
|
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
|
|
postfix_smtp_tls_security_level: may
|
|
postfix_use_sasl_auth: True
|
|
postfix_smtp_sasl_auth_enable: "yes"
|
|
postfix_smtp_create_relay_user: True
|
|
# Options: noanonymous, noplaintext
|
|
postfix_smtp_sasl_security_options: noanonymous
|
|
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
|
|
postfix_smtp_sasl_mechanism_filter: plain, login
|
|
|
|
# Set it in your vars files
|
|
# postfix_relay_host: smtp-relay.example.com
|
|
postfix_relay_port: 587
|
|
# postfix_smtp_relay_user: smtp-user
|
|
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
|
|
# This one has to be set inside a vault file
|
|
# postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
|
|
postfix_smtpd_reject_unknown_helo_hostname: False
|
|
postfix_reject_unknown_sender_domain: True
|
|
#############################################################################
|
|
# Relay server: accepts authenticated clients
|
|
#############################################################################
|
|
postfix_relay_server: False
|
|
#
|
|
## Milter (antispam, antivirus)
|
|
postfix_use_milter: False
|
|
postfix_milter_connect_timeout: '30s'
|
|
postfix_milter_command_timeout: '30s'
|
|
postfix_milter_content_timeout: '300s'
|
|
postfix_spamassassin_milter: False
|
|
postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
|
|
postfix_clamav_milter: False
|
|
# inet:[127.0.0.1]:7357
|
|
postfix_clamav_milter_socket: 'unix:/run/clamav-milter/clamav-milter.socket'
|
|
# Specify accept, reject, tempfail, quarantine
|
|
postfix_milter_action: tempfail
|
|
## SPF policyd
|
|
postfix_spf_policy_install: False
|
|
postfix_spy_deb_pkg:
|
|
- 'postfix-policyd-spf-python'
|
|
postfix_spy_el_pkg:
|
|
- 'pypolicyd-spf'
|
|
postfix_spf_policy_skip_addresses: '127.0.0.0/8,::ffff:127.0.0.0/104,::1'
|
|
# From 0 to 4
|
|
postfix_spf_policy_debug_level: 1
|
|
# Set to 0 for test only mode
|
|
postfix_spf_policy_default_seed: 1
|
|
postfix_spf_perm_error_reject: False
|
|
postfix_spf_temp_error_defer: False
|
|
# HELO check rejection policy. Options are:
|
|
# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
|
|
# HELO_reject = Softfail - Reject if result Softfail and Fail
|
|
# HELO_reject = Fail - Reject on HELO Fail
|
|
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
|
|
# HELO_reject = False - Never reject/defer on HELO, append header only.
|
|
# HELO_reject = No_Check - Never check HELO.
|
|
postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
|
|
# Mail From rejection policy. Options are:
|
|
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
|
|
# Mail_From_reject = Softfail - Reject if result Softfail and Fail
|
|
# Mail_From_reject = Fail - Reject on Mail From Fail (default)
|
|
# Mail_From_reject = False - Never reject/defer on Mail From, append header only
|
|
# Mail_From_reject = No_Check - Never check Mail From/Return Path.
|
|
# * It is recommended to keep the default value, and manage specific cases setting
|
|
# postfix_spf_policy_reject_not_pass_domains
|
|
postfix_spf_policy_mail_from_reject: 'Fail'
|
|
# CIDR notation, 192.168.0.0/31,192.168.1.12
|
|
postfix_spf_policy_whitelist: ''
|
|
postfix_spf_policy_domain_whitelist: ''
|
|
# Using this option, a list of domains can be defined for special processing when messages do not Pass SPF. This can be useful for commonly spoofed domains that are not yet publishing SPF records with -all. Specifically, if mail from a domain in this list has a Neutral/Softfail result, it will be rejected (as if it had a Fail result). If needed, it is better to do it on a per-domain basis rather than globally. es: 'gmail.com,aol.com,hotmail.com'
|
|
postfix_spf_policy_reject_not_pass_domains: ''
|
|
postfix_spf_policy_lookup_time: 20
|
|
postfix_spf_policy_void_limit: 2
|
|
#
|
|
# DKIM
|
|
#
|
|
postfix_dkim_enabled: false
|
|
postfix_dkim_domains: []
|
|
# - domain: 'example.com'
|
|
# dkim_selector: 'default'
|
|
# s: sign
|
|
# v: verify
|
|
# sv: sign and verify
|
|
postfix_dkim_mode: 'v'
|
|
postfix_dkim_trusted_hosts_enabled: false
|
|
postfix_dkim_trusted_hosts: []
|
|
# - 'example.com'
|
|
# - 'CIDR'
|
|
postfix_dkim_sign_subdomains: "no"
|
|
postfix_dkim_syslog: "yes"
|
|
postfix_dkim_syslog_success: "yes"
|
|
postfix_dkim_logwhy: "yes"
|
|
postfix_dkim_socket: 'inet:8891@localhost'
|
|
postfix_dkim_milter_socket: 'inet:[127.0.0.1]:8891'
|
|
postfix_dkim_v_sendreports: 'no'
|
|
postfix_dkim_reportaddress: ''
|
|
postfix_dkim_canonicalization: 'relaxed/relaxed'
|
|
postfix_dkim_minkeybits: 1024
|
|
|
|
#############################################################################
|
|
# SMTP server that not accept authenticated clients.
|
|
#############################################################################
|
|
postfix_smtpd_server: False
|
|
postfix_smtpd_server_restrictions:
|
|
- permit_mynetworks
|
|
- reject_unknown_recipient_domain
|
|
- reject_non_fqdn_recipient
|
|
- reject_unauth_destination
|
|
- reject_unauth_pipelining
|
|
- reject_unlisted_recipient
|
|
|
|
# SMTP server that routes emails coming from outside
|
|
#############################################################################
|
|
postfix_mx_server: False
|
|
postfix_smtpd_mx_client_restrictions:
|
|
- reject_unknown_sender_domain
|
|
- reject_non_fqdn_sender
|
|
- reject_non_fqdn_recipient
|
|
- reject_invalid_hostname
|
|
- reject_unauth_destination
|
|
- reject_unknown_recipient_domain
|
|
- reject_unlisted_recipient
|
|
|
|
#############################################################################
|
|
# SMTP sender restrictions
|
|
#############################################################################
|
|
postfix_smtpd_sender_restrictions: True
|
|
postfix_reject_sender_login_mismatch: False
|
|
postfix_smtpd_sender_login_maps: []
|
|
postfix_smtpd_additional_sender_restrictions: []
|
|
#############################################################################
|
|
# SMTP submission server: accepts authenticated clients
|
|
#############################################################################
|
|
postfix_submission_server: False
|
|
# Set it to True if needed, on submission servers only
|
|
postfix_add_missing_headers: False
|
|
###########################################################################################
|
|
# The following options are used when acting as a relay or as a general purpose SMTP server
|
|
###########################################################################################
|
|
postfix_use_inet_interfaces: False
|
|
postfix_inet_interfaces:
|
|
- all
|
|
postfix_inet_protocols:
|
|
- all
|
|
postfix_proxy_interfaces_enabled: False
|
|
postfix_proxy_interfaces:
|
|
- 127.0.0.1
|
|
postfix_message_size_limit: 10240000
|
|
|
|
postfix_sasl_deb_packages:
|
|
- sasl2-bin
|
|
|
|
postfix_sasl_rh_packages:
|
|
- cyrus-sasl
|
|
|
|
postfix_saslauthd_mech: 'pam'
|
|
postfix_saslauthd_flags: ''
|
|
postfix_saslauthd_conf_file: '/etc/saslauthd.conf'
|
|
#
|
|
postfix_sasl_ldap_servers: ldap://localhost
|
|
postfix_sasl_ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com
|
|
# postfix_sasl_ldap_bind_pw: set inside a vault file
|
|
postfix_sasl_ldap_timeout: 10
|
|
postfix_sasl_ldap_time_limit: 10
|
|
postfix_sasl_ldap_scope: sub
|
|
postfix_sasl_ldap_search_base: ou=people,dc=example,dc=com
|
|
postfix_sasl_ldap_auth_method: bind
|
|
postfix_sasl_ldap_filter: (&(uid=%u)(mail=*))
|
|
postfix_sasl_ldap_debug: 0
|
|
postfix_sasl_ldap_verbose: off
|
|
postfix_sasl_ldap_ssl: no
|
|
postfix_sasl_ldap_starttls: yes
|
|
postfix_sasl_ldap_referrals: no
|
|
#
|
|
|
|
postfix_use_domain_name: False
|
|
postfix_virtual_transport_enabled: False
|
|
postfix_virtual_transport_protocol: 'lmtp'
|
|
postfix_lmtp_protocol: 'inet'
|
|
postfix_lmtp_host: '127.0.0.1'
|
|
postfix_lmtp_port: 24
|
|
postfix_delivery_soft_bounce: False
|
|
postfix_recipient_delimiter: '+'
|
|
postfix_local_recipients: False
|
|
postfix_transport_map_enabled: False
|
|
postfix_transport_maps:
|
|
- 'hash:/etc/postfix/transport'
|
|
|
|
postfix_transport_data: []
|
|
# - domain: 'example.com'
|
|
# action: 'smtp:[dest.smtp.example.com]:25'
|
|
postfix_rbl_enabled: True
|
|
postfix_rbl_list: 'zen.spamhaus.org'
|
|
postfix_spamhaus_dbl_enabled: True
|
|
|
|
postfix_mynetworks: hash:/etc/postfix/network_table
|
|
postfix_mynetworks_data:
|
|
- '127.0.0.0/8'
|
|
- '127.0.0.1'
|
|
|
|
postfix_alias_maps:
|
|
- 'hash:/etc/aliases'
|
|
|
|
postfix_alias_databases: '{{ postfix_alias_maps }}'
|
|
|
|
postfix_virtual_addresses: False
|
|
postfix_hostname_as_virtual_domain: True
|
|
postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
|
|
postfix_virtual_mailbox_domains_data: []
|
|
#
|
|
# Example. The 'action' part is optional:
|
|
# postfix_virtual_mailbox_domains_data:
|
|
# - { domain: 'example.com', action: 'OK' }
|
|
|
|
postfix_virtual_mailbox_maps:
|
|
- 'hash:/etc/postfix/vmailbox_maps'
|
|
|
|
postfix_virtual_domains: False
|
|
postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
|
|
postfix_virtual_alias_domains_data: []
|
|
#
|
|
# Example. The 'action' part is optional:
|
|
# postfix_virtual_alias_domains_data:
|
|
# - { domain: 'example.com', action: 'OK' }
|
|
|
|
postfix_virtual_alias_maps:
|
|
- 'hash:/etc/postfix/virtual'
|
|
|
|
postfix_local_dest_concurrency_limit: 2
|
|
postfix_default_destination_concurrency_limit: 5
|
|
|
|
postfix_behind_haproxy: False
|
|
postfix_postscreen_port: 1024
|
|
|
|
postfix_pflogsumm_reports: False
|
|
postfix_pflogsumm_mail_report: False
|
|
postfix_pflogsumm_mail_report_address: 'postmaster'
|
|
postfix_pflogsumm_dir: /var/log/smtp_reports
|
|
postfix_pflogsumm_logfile: '{{ postfix_pflogsumm_dir }}/pflogsumm.log'
|
|
postfix_pflogsumm_options: '-d yesterday --problems_first --rej_add_from --verbose_msg_detail -q'
|
|
postfix_pflogsumm_reports_days: 10
|
|
#
|
|
# Nagios monitoring
|
|
#
|
|
postfix_nagios_check: False
|
|
postfix_nagios_checks:
|
|
- check_postfix_mailqueue
|
|
- check_postfix_processed
|
|
|
|
nagios_postfix_mailq_w: 20
|
|
nagios_postfix_mailq_c: 50
|
|
nagios_postfix_processed_w: 50
|
|
nagios_postfix_processed_c: 150
|
|
|
|
postfix_firewalld_services:
|
|
- { service: 'smtp', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
|
|
- { service: 'smtps', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
|
|
- { service: 'smtp-submission', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
|