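---
# vim: set et sw=2 ts=2 sts=2:
#
# Postfix configuration tasks: ship static config files, set main.cf
# parameters one "key = value" line at a time, then (re)build the lookup
# tables. Values that Postfix expects as the literal words "yes"/"no" are
# kept quoted on purpose so YAML does not turn them into booleans.

- name: postfix-configs
  # Everything matching files/postfix/* lands flat in /etc/postfix as a
  # world-readable file. Keep private material (the TLS key lives under
  # /etc/postfix/tls/, see smtpd_tls_key_file) out of this glob.
  copy:
    src: "{{ item }}"
    dest: /etc/postfix
    owner: root
    group: root
    mode: '0444'
  with_fileglob:
    - "postfix/*"

- name: 'postfix: main.cf'
  # An already active "key = ..." line is replaced in place; otherwise the
  # new line goes right after the commented-out default ("#key = ..."), and
  # at end of file if no such comment exists either.
  lineinfile:
    path: /etc/postfix/main.cf
    insertafter: "^#{{ item.key }} *= *"
    regexp: "^{{ item.key }} *= *"
    line: "{{ item.key }} = {{ item.value }}"
  with_dict:
    compatibility_level: "2"
    html_directory: /usr/share/doc/postfix/html
    default_database_type: lmdb

    # --- Transport security / encryption ---------------------------------
    smtpd_tls_cert_file: "/etc/postfix/tls/{{ mail_server_fqdn }}.crt"
    smtpd_tls_key_file: "/etc/postfix/tls/{{ mail_server_fqdn }}.key"
    smtpd_use_tls: 'yes'
    smtpd_tls_session_cache_database: 'lmdb:${data_directory}/smtpd_scache'
    smtp_tls_session_cache_database: 'lmdb:${data_directory}/smtp_scache'
    smtpd_tls_loglevel: "1"
    smtp_tls_loglevel: "1"
    # Opportunistic TLS on both sides: a peer that cannot negotiate TLS
    # falls back to plaintext rather than the mail being refused. Per-domain
    # enforcement is done through smtp_tls_policy_maps below.
    smtpd_tls_security_level: may
    smtp_tls_security_level: may
    # AUTH is never offered on a plaintext connection.
    smtpd_tls_auth_only: 'yes'
    tls_ssl_options: NO_COMPRESSION
    # Some remote servers are broken: when they cannot negotiate one of the
    # protocols offered here they retry in plaintext, which security_level
    # "may" permits. Accepted trade-off over losing that mail entirely.
    # NOTE(review): this is the inclusive list form; Postfix >= 3.6 also
    # accepts ">=TLSv1.2", which keeps future protocol versions enabled.
    smtpd_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
    smtpd_tls_protocols: 'TLSv1.2, TLSv1.3'
    # Same for outbound mail.
    smtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
    smtp_tls_protocols: 'TLSv1.2, TLSv1.3'
    # Internal services / submission clients must support current crypto.
    lmtp_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
    lmtp_tls_protocols: 'TLSv1.2, TLSv1.3'
    # NOTE(review): submission_tls_* are not built-in Postfix parameters;
    # they only take effect if master.cf's submission service references
    # them (e.g. -o smtpd_tls_protocols=$submission_tls_protocols). Verify,
    # otherwise Postfix just logs them as unused.
    submission_tls_mandatory_protocols: 'TLSv1.2, TLSv1.3'
    submission_tls_protocols: 'TLSv1.2, TLSv1.3'
    # "high" only applies where TLS is mandatory (security_level encrypt,
    # i.e. typically the submission service); opportunistic sessions on
    # port 25 use the smtpd_tls_ciphers default. The exclusion list below
    # applies to both.
    smtpd_tls_mandatory_ciphers: high
    #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
    # ECDSA is excluded because the certificate above is RSA-only
    # (presumably; revisit if an ECDSA certificate is ever deployed).
    smtpd_tls_exclude_ciphers: 'MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL'
    # NOTE(review): ignored by Postfix >= 3.2 (tls_eecdh_auto_curves); harmless.
    smtpd_tls_eecdh_grade: strong

    # --- Identity / networking ------------------------------------------
    myhostname: '{{ postfix_myhostname }}'
    myorigin: '{{ postfix_myorigin }}'
    # No local domains at all: every domain is virtual (see below).
    mydestination: ''
    relayhost: ''
    mynetworks: '{{ postfix_mynetworks }}'
    recipient_delimiter: '+'
    inet_interfaces: 'all'
    #inet_protocols: 'ipv4'
    alias_maps: 'cdb:/etc/aliases'
    alias_database: 'cdb:/etc/aliases'
    smtp_generic_maps: cdb:/etc/postfix/generic_map

    # --- SASL -----------------------------------------------------------
    smtpd_sasl_type: dovecot
    smtpd_sasl_path: private/auth
    smtpd_sasl_local_domain: '{{ domain }}'
    smtpd_sasl_security_options: noanonymous
    # AUTH is off for port 25 here; it is expected to be enabled only for
    # the submission service in master.cf (-o smtpd_sasl_auth_enable=yes).
    # Verify that override exists, otherwise nobody can authenticate.
    smtpd_sasl_auth_enable: 'no'
    strict_rfc821_envelopes: 'yes'
    smtpd_reject_unlisted_sender: 'yes'
    # Per-destination TLS policy, filled by the "force TLS for these" task.
    smtp_tls_policy_maps: 'cdb:/etc/postfix/tls_policy'

    # --- Delivery, and checking that this server is responsible for the
    #     domain and that the address exists --------------------------------
    # Domains are virtual, not local. Delivery goes to Dovecot via LMTP.
    virtual_transport: "lmtp:unix:private/dovecot-lmtp"
    # Same transport; effectively unused since mydestination is empty.
    local_transport: "lmtp:unix:private/dovecot-lmtp"
    # Which domains are accepted.
    virtual_mailbox_domains: "cdb:/etc/postfix/virtual_endpoint_map"
    # Aliases for virtual addresses.
    virtual_alias_maps: "cdb:/etc/postfix/virtual_aliases, cdb:/etc/postfix/mailinglists"
    sender_canonical_maps: "cdb:/etc/postfix/sender_canonical"
    # virtual_mailbox_maps is deliberately not set: recipient existence is
    # checked by probing the virtual_transport (reject_unverified_recipient
    # below), with results cached in address_verify_map.
    smtpd_relay_restrictions: 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'
    address_verify_map: 'lmdb:$data_directory/verify_cache'
    unknown_address_reject_code: 550
    # Order matters. The HELO/rDNS/FQDN checks come before permit_mynetworks,
    # so internal hosts have to pass them too. permit_sasl_authenticated is
    # intentionally absent: submission clients need their own restriction
    # list in master.cf (-o smtpd_recipient_restrictions=...), otherwise a
    # client without reverse DNS is rejected before it can authenticate --
    # verify. The SPF policy service is last, i.e. it is consulted only for
    # mail already accepted for one of our domains.
    # reject_invalid_hostname was dropped: it is the legacy alias of
    # reject_invalid_helo_hostname, which is already listed.
    smtpd_recipient_restrictions: >-
      reject_unknown_reverse_client_hostname,
      reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      reject_unauth_destination,
      reject_unverified_recipient,
      check_policy_service unix:private/policy-spf

    # --- Postscreen -----------------------------------------------------
    postscreen_greet_banner: 'Loving the dog most, oh human, you say is a sin. The dog stayed true to me during the storm, the human not even during the wind.'
    postscreen_cache_map: 'lmdb:$data_directory/postscreen_cache'
    postscreen_access_list: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr'
    # NOTE(review): renamed to postscreen_denylist_action in Postfix 3.6;
    # the old name is still honoured as a compatibility alias.
    postscreen_blacklist_action: 'enforce'
    postscreen_greet_action: 'enforce'
    postscreen_pipelining_enable: 'yes'
    # Threshold 1 with unweighted sites: a single listing on ANY of these
    # zones rejects the client. The uceprotect level-2/3 zones list whole
    # provider ranges/ASNs and are known for collateral hits; consider
    # weighting them below the threshold (site*weight syntax) -- policy
    # decision, left unchanged here. Also verify every zone is still
    # operational: a retired zone that starts answering for everything
    # would block all inbound mail.
    postscreen_dnsbl_threshold: '1'
    postscreen_dnsbl_sites: 'ix.dnsbl.manitu.net b.barracudacentral.org dnsbl.sorbs.net dnsbl-3.uceprotect.net dnsbl-2.uceprotect.net dnsbl-1.uceprotect.net'
    postscreen_dnsbl_action: 'enforce'
    postscreen_dnsbl_ttl: '1h'
    # TODO: greylisting custom message

    # --- SPF ------------------------------------------------------------
    policy-spf_time_limit: 3600s

    # --- DKIM / DMARC milters -------------------------------------------
    # Fail-open: if opendkim/opendmarc is unreachable, inbound mail is
    # accepted without DKIM/DMARC evaluation and outbound mail leaves
    # unsigned. "tempfail" is the fail-closed alternative -- policy
    # decision, left unchanged here.
    milter_default_action: accept
    # NOTE(review): protocol 2 is the pre-2.6 default; modern Postfix and
    # OpenDKIM/OpenDMARC negotiate 6. Check whether this pin is still needed.
    milter_protocol: "2"
    smtpd_milters: 'unix:milter/opendkim, unix:milter/opendmarc'
    # Locally submitted mail (sendmail/pickup) is only DKIM-signed.
    non_smtpd_milters: 'unix:milter/opendkim'

- name: mailinglists-aliases
  # Renders the virtual alias source consumed by virtual_alias_maps above.
  template:
    src: mailinglist-aliases.j2
    dest: /etc/postfix/mailinglists
    mode: '0444'
    owner: root
    group: root
  vars:
    mailinglists: '{{ mail_lists }}'

- name: dummy files if needed
  # Placeholder map sources so postmap does not fail on a fresh host.
  # force: false leaves an already existing (real) file untouched.
  copy:
    dest: '{{ item.key }}'
    content: '{{ item.value }}'
    force: false
  with_dict: '{{ postfix_default_file_content }}'

- name: force TLS for these
  # One "domain policy" line per entry in the smtp_tls_policy_maps source.
  # The key is a domain name, so it is regex-escaped: an unescaped "." is a
  # wildcard and "^example.com[ \t]" would also match an "example-com" line.
  lineinfile:
    path: /etc/postfix/tls_policy
    regexp: '^{{ item.key | regex_escape }}[ \t]'
    line: '{{ item.key }} {{ item.value }}'
  with_dict: '{{ postfix_tls_policy }}'

- name: prepare aliases-lookup-tables
  # Rebuilds the alias_database (/etc/aliases.cdb).
  # NOTE(review): runs on every play and always reports "changed"; a handler
  # notified by the tasks that touch the source files would be idempotent.
  command: newaliases

- name: prepare lookup-tables
  # Builds each cdb table referenced from main.cf. No shell features are
  # needed, so this uses command (no /bin/sh); |quote keeps file names with
  # spaces or metacharacters intact as a single argument.
  command: postmap {{ item | quote }}
  args:
    chdir: /etc/postfix
  with_items: '{{ postfix_postmap }}'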