ansible-roles/postfix-relay/templates/main.cf.j2

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = {{ postfix_biff }}

# appending .domain is the MUA's job.
append_dot_mydomain = {{ postfix_append_dot_mydomain }}

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
# Server
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
{% if postfix_relay_server %}
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
{% endif %}
smtpd_use_tls=yes
# Client
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = {{ ansible_fqdn }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = {{ ansible_fqdn }}, localhost
{% if postfix_use_relay_host %}
relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
{% endif %}
{% if not postfix_relay_server %}
mynetworks = 127.0.0.1
inet_interfaces = localhost, ip6-localhost
inet_protocols = ipv4
{% endif %}
mailbox_size_limit = 0
recipient_delimiter = +
{% if postfix_use_sasl_auth %}
smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }}
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login
{% endif %}
{% if postfix_relay_server %}
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_helo_required = yes
mynetworks = {{ postfix_mynetworks }}
inet_interfaces = {{ postfix_interfaces }}
message_size_limit = {{ postfix_message_size_limit }}

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_restrictions = reject_unknown_helo_hostname
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

# Our internal servers talk to the submission port so they are treated as clients
smtpd_client_restrictions = permit_sasl_authenticated, reject

# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain

# Relay control: local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_sasl_authenticated, reject
{% endif %}
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`# See /usr/share/postfix/main.cf.dist for a commented, more complete version`


			`# Debian specific: Specifying a file name will cause the first`
			`# line of that file to be used as the name. The Debian default`
			`# is /etc/mailname.`
			`#myorigin = /etc/mailname`

			`smtpd_banner = $myhostname ESMTP $mail_name`
			`biff = {{ postfix_biff }}`

			`# appending .domain is the MUA's job.`
			`append_dot_mydomain = {{ postfix_append_dot_mydomain }}`

			`# Uncomment the next line to generate "delayed mail" warnings`
			`#delay_warning_time = 4h`

			`readme_directory = no`

			`# TLS parameters`
			`# Server`
			`smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`
			`smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key`
			`smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache`
			`{% if postfix_relay_server %}`
			`smtpd_tls_security_level = encrypt`
			`smtpd_tls_auth_only = yes`
			`{% endif %}`
			`smtpd_use_tls=yes`
			`# Client`
			`smtp_tls_security_level = encrypt`
			`smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache`

			`# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for`
			`# information on enabling SSL in the smtp client.`

			`myhostname = {{ ansible_fqdn }}`
			`alias_maps = hash:/etc/aliases`
			`alias_database = hash:/etc/aliases`
			`myorigin = /etc/mailname`
			`mydestination = {{ ansible_fqdn }}, localhost`
			`{% if postfix_use_relay_host %}`
			`relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}`
			`{% endif %}`
			`{% if not postfix_relay_server %}`
			`mynetworks = 127.0.0.1`
			`inet_interfaces = localhost, ip6-localhost`
			`inet_protocols = ipv4`
			`{% endif %}`
			`mailbox_size_limit = 0`
			`recipient_delimiter = +`
			`{% if postfix_use_sasl_auth %}`
			`smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }}`
			`smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd`
			`smtp_sasl_security_options = noanonymous`
			`smtp_sasl_tls_security_options = noanonymous`
			`smtp_sasl_mechanism_filter = plain, login`
			`{% endif %}`
			`{% if postfix_relay_server %}`
			`smtpd_sasl_path = smtpd`
			`smtpd_sasl_auth_enable = yes`
			`smtpd_sasl_security_options = noanonymous`
			`smtpd_sasl_tls_security_options = noanonymous`
			`smtpd_helo_required = yes`
			`mynetworks = {{ postfix_mynetworks }}`
			`inet_interfaces = {{ postfix_interfaces }}`
			`message_size_limit = {{ postfix_message_size_limit }}`

			`# Don't talk to mail systems that don't know their own hostname.`
			`smtpd_helo_restrictions = reject_unknown_helo_hostname`
			`# Block clients that speak too early.`
			`smtpd_data_restrictions = reject_unauth_pipelining`

			`# Our internal servers talk to the submission port so they are treated as clients`
			`smtpd_client_restrictions = permit_sasl_authenticated, reject`

			`# Don't accept mail from domains that don't exist.`
			`smtpd_sender_restrictions = reject_unknown_sender_domain`

			`# Relay control: local clients and`
			`# authenticated clients may specify any destination domain.`
			`smtpd_relay_restrictions = permit_sasl_authenticated, reject`
			`{% endif %}`