duckcorp-infra / ansible / roles / dc-postfix / templates / mx1 / main.cf @ 9ab70ad9

History | View | Annotate | Download (5.42 KB)

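# {{ ansible_managed }}
# Postfix main.cf for the mx1 hosts (Jinja2 template rendered by the
# dc-postfix Ansible role). TLS settings live in includes/tls.conf.

compatibility_level = 2

## Network options
inet_protocols = all
inet_interfaces = all
myhostname = {{ mail.mx.dns_name }}
mydomain = duckcorp.org
smtpd_banner = $myhostname ESMTP (No UCE, No Viruses)
myorigin = /etc/mailname
# Every address below is trusted by permit_mynetworks in the restriction
# lists further down, ahead of reject_unauth_destination, so this list is
# effectively the set of hosts allowed to relay without SASL. Keep it minimal
# and re-check it whenever one of these addresses changes hands.
mynetworks =
	127.0.0.0/8
	[::1]/128
	193.17.192.249
	193.200.43.160/27
	[2001:67c:1740:a000::]/64
	[2001:2c0:cc1e:e700::]/64
	[2001:2c0:cc1e:e701::]/64
	# (already covered by 193.200.42.176/28 below)
	193.200.42.177
	213.215.11.164
	[2001:7a8:1:267::3]
	193.200.42.176/28
	[2001:67c:1740:9001::]/64
	193.200.43.105
	[2001:67c:1740:9016::c111:c0d3]
	124.41.91.213
	# (already covered by [2001:2c0:cc1e:e700::]/64 above)
	[2001:2c0:cc1e:e700::1]
mydestination = $myhostname, {{ ansible_fqdn }}, localhost.$mydomain, localhost, localhost.localdomain
local_transport = local_redirect
fast_flush_domains = $mydomain
relay_domains = ldap:$config_directory/ldap_relay_domains.cf

# Duck: disabled, affects sending to ML and also using a ML address in From (like dc-admins@lists.dc.o)
## Masquerading
#masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
#masquerade_domains = $mydomain
#masquerade_exceptions =

## Local Alias
# (alias_maps needed to stop postfix from loading NIS support)
alias_maps = hash:/etc/aliases

## Address rewriting
canonical_maps = hash:$config_directory/canonical
# header rewriting (append_at_myorigin / append_dot_mydomain) only for our
# own clients; mail from the outside is left untouched
local_header_rewrite_clients = permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated

# Gmail IPv6 retry:
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter

## Transports
transport_maps =
	hash:$config_directory/transport
	ldap:$config_directory/ldap_transport_mailinglists.cf

{% if 'ml_servers' in group_names %}
## Mailing-lists
mailman_destination_recipient_limit = 1
{% endif %}

## Virtual users
# virtual_uid_maps and virtual_gid_maps not needed, no direct Postfix delivery
# virtual_mailbox_{base|maps} no more needed, dovecot 'deliver' handle this part
virtual_mailbox_domains = duckcorp.dl
virtual_alias_domains = ldap:$config_directory/ldap_virtual_domains.cf
virtual_alias_maps =
	ldap:$config_directory/ldap_redirs.cf
	ldap:$config_directory/ldap_virtual_mailboxes.cf
	ldap:$config_directory/ldap_catchall.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

## SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
# noanonymous alone still allows plaintext mechanisms on unencrypted sessions.
# NOTE(review): confirm includes/tls.conf sets smtpd_tls_auth_only = yes
# (or smtpd_sasl_tls_security_options) so credentials never travel in clear.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtpd_sasl_authenticated_header = yes
# interoperability with clients using the obsolete "AUTH=" command form
# (old Outlook Express / Exchange 5.0); can be dropped once no such clients remain
broken_sasl_auth_clients = yes

{% include "includes/tls.conf" %}

## Security options
# files listing the user names allowed to run "postfix flush" / "mailq"
authorized_flush_users = /etc/postfix/admin_users
authorized_mailq_users = /etc/postfix/admin_users
# (you can test any directive by prepending warn_if_reject)
# (you can also set "soft_bounce = yes" to transform permanent rejects into temporary rejects)
smtpd_helo_required = yes
smtpd_helo_restrictions =
	permit_mynetworks
	permit_sasl_authenticated
	check_helo_access hash:$config_directory/helo_overrides
	reject_invalid_helo_hostname
	reject_non_fqdn_helo_hostname
	reject_unknown_helo_hostname
	permit
# reject_unknown_client_hostname is the strict variant: it rejects clients
# with no PTR record, or whose PTR does not resolve back to the client IP.
# Legitimate senders with broken reverse DNS go in client_access.
smtpd_client_restrictions =
	check_client_access hash:$config_directory/client_access
	reject_unauth_pipelining
	permit_mynetworks
	permit_sasl_authenticated
	reject_unknown_client_hostname
	permit
smtpd_sender_restrictions =
	check_sender_access hash:$config_directory/sender_access
	permit_sasl_authenticated
	reject_unknown_sender_domain
	permit_mynetworks
	reject_non_fqdn_sender
	permit
smtpd_recipient_restrictions =
	# yeah, sender filter too
	check_sender_access hash:$config_directory/sender_access
	permit_sasl_authenticated
	reject_unknown_recipient_domain
	permit_mynetworks
	reject_non_fqdn_recipient
	reject_unauth_destination
	reject_unlisted_recipient
	permit
# relay policy: only SASL-authenticated users and $mynetworks may relay to
# non-local destinations; reject_unauth_destination must stay ahead of permit
smtpd_relay_restrictions =
	permit_sasl_authenticated
	reject_unknown_recipient_domain
	permit_mynetworks
	reject_unauth_destination
	permit
smtpd_etrn_restrictions =
	permit_mynetworks
	reject
smtpd_data_restrictions =
	reject_unauth_pipelining
	reject_multi_recipient_bounce
smtpd_authorized_verp_clients = $mynetworks
smtpd_delay_open_until_valid_rcpt = yes
disable_vrfy_command = yes
# we should try this
#strict_8bitmime = yes
strict_rfc821_envelopes = yes
# Keep default value for strict_mime_encoding_domain, see issue #493
strict_mime_encoding_domain = no
biff = no
header_checks = pcre:$config_directory/header_checks
body_checks = pcre:$config_directory/body_checks
message_reject_characters = \0
smtpd_delay_reject = yes
# for TLSA
# NOTE(review): DANE verification also needs smtp_tls_security_level = dane,
# presumably set in includes/tls.conf — confirm.
smtp_dns_support_level = dnssec
# milters
# unix: paths are resolved relative to $queue_directory when the smtpd(8) or
# cleanup(8) service runs chrooted, so this is not /rspamd on the host filesystem
smtpd_milters = unix:/rspamd/rspamd_proxy
non_smtpd_milters = unix:/rspamd/rspamd_proxy

## Limits
default_process_limit = 50
maximal_queue_lifetime = 2w
bounce_queue_lifetime = 1d
# bytes: 30 MiB (only applies to local(8) delivery, virtual mail goes via LMTP)
mailbox_size_limit = 31457280
# bytes: 100 KiB
header_size_limit = 102400
# bytes: 20 MiB
message_size_limit = 20971520
# NOTE(review): 8096 is not a power of two — confirm 8192 was not intended
line_length_limit = 8096
smtp_line_length_limit = 990
initial_destination_concurrency = 10
default_destination_concurrency_limit = 10
local_destination_concurrency_limit = 4
local_destination_recipient_limit = 1
qmqpd_error_delay = 5s
qmgr_message_active_limit = 10000
qmgr_message_recipient_limit = 10000
# per-client rate limits below are counted over this window; clients listed
# in smtpd_client_event_limit_exceptions (default: $mynetworks) are exempt
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 100
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_error_sleep_time = 7s
smtpd_junk_command_limit = 10
smtpd_recipient_limit = 50
delay_warning_time = 1h
trigger_timeout = 5s
max_idle = 30s

## Misc
recipient_delimiter = +
append_at_myorigin = yes
append_dot_mydomain = yes
enable_long_queue_ids = yes
hash_queue_depth = 2
hash_queue_names = incoming,active,deferred,bounce,defer,flush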