93 lines
3.2 KiB
Django/Jinja
93 lines
3.2 KiB
Django/Jinja
# Debian specific: Specifying a file name will cause the first
|
|
# line of that file to be used as the name. The Debian default
|
|
# is /etc/mailname.
|
|
#myorigin = /etc/mailname
|
|
|
|
smtpd_banner = $myhostname ESMTP $mail_name
|
|
biff = {{ postfix_biff }}
|
|
|
|
# appending .domain is the MUA's job.
|
|
append_dot_mydomain = {{ postfix_append_dot_mydomain }}
|
|
|
|
# Uncomment the next line to generate "delayed mail" warnings
|
|
#delay_warning_time = 4h
|
|
|
|
readme_directory = no
|
|
|
|
# TLS parameters
|
|
# Server
|
|
{% if letsencrypt_acme_install is defined %}
|
|
{% if postfix_use_letsencrypt %}
|
|
smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
|
|
smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey
|
|
{% else %}
|
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if letsencrypt_acme_install is not defined %}
|
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
|
{% endif %}
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
{% if postfix_relay_server %}
|
|
smtpd_tls_security_level = encrypt
|
|
smtpd_tls_auth_only = yes
|
|
{% endif %}
|
|
smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
|
|
# Client
|
|
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
|
|
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
|
# information on enabling SSL in the smtp client.
|
|
|
|
myhostname = {{ ansible_fqdn }}
|
|
alias_maps = hash:/etc/aliases
|
|
alias_database = hash:/etc/aliases
|
|
myorigin = /etc/mailname
|
|
mydestination = {{ ansible_fqdn }}, localhost
|
|
{% if postfix_use_relay_host %}
|
|
relayhost = {{ postfix_relay_host }}:{{ postfix_relay_port }}
|
|
{% endif %}
|
|
{% if not postfix_relay_server %}
|
|
mynetworks = 127.0.0.1
|
|
inet_interfaces = localhost, ip6-localhost
|
|
inet_protocols = ipv4
|
|
{% endif %}
|
|
mailbox_size_limit = 0
|
|
recipient_delimiter = +
|
|
default_destination_concurrency_limit = {{ postfix_default_destination_concurrency_limit }}
|
|
{% if postfix_use_sasl_auth %}
|
|
smtp_sasl_auth_enable= {{ postfix_smtp_sasl_auth_enable }}
|
|
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
|
|
smtp_sasl_security_options = noanonymous
|
|
smtp_sasl_tls_security_options = noanonymous
|
|
smtp_sasl_mechanism_filter = plain, login
|
|
{% endif %}
|
|
{% if postfix_relay_server %}
|
|
smtpd_sasl_path = smtpd
|
|
smtpd_sasl_auth_enable = yes
|
|
smtpd_sasl_security_options = noanonymous
|
|
smtpd_sasl_tls_security_options = noanonymous
|
|
smtpd_helo_required = yes
|
|
mynetworks = {{ postfix_mynetworks }}
|
|
inet_interfaces = {{ postfix_interfaces }}
|
|
message_size_limit = {{ postfix_message_size_limit }}
|
|
|
|
# Don't talk to mail systems that don't know their own hostname.
|
|
smtpd_helo_restrictions = reject_unknown_helo_hostname
|
|
# Block clients that speak too early.
|
|
smtpd_data_restrictions = reject_unauth_pipelining
|
|
|
|
# Our internal servers talk to the submission port so they are treated as clients
|
|
smtpd_client_restrictions = permit_sasl_authenticated, reject
|
|
|
|
# Don't accept mail from domains that don't exist.
|
|
smtpd_sender_restrictions = reject_unknown_sender_domain
|
|
|
|
# Relay control: local clients and
|
|
# authenticated clients may specify any destination domain.
|
|
smtpd_relay_restrictions = permit_sasl_authenticated, reject
|
|
{% endif %}
|