---
# vim: set et sw=2 ts=2 sts=2:
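# Install the static Postfix files shipped under files/postfix/ into
# /etc/postfix (non-recursive glob). Everything lands world-readable
# (0444), so keep private material - e.g. the TLS key that main.cf points
# at under /etc/postfix/tls/ - out of that directory.
- name: postfix-configs
  copy:
    src: "{{ item }}"
    dest: /etc/postfix
    owner: root
    group: root
    # quoted: an unquoted leading-zero literal is re-typed as an octal
    # integer by the YAML loader, and a plain 444 would be decimal
    mode: "0444"
  with_fileglob:
    - "postfix/*"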
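# Set main.cf parameters one at a time: an existing `key = value` line is
# replaced in place; otherwise the new line goes right after the commented
# default (`#key = ...`), or at the end of the file when that is absent too.
- name: 'postfix: main.cf'
  lineinfile:
    path: /etc/postfix/main.cf
    insertafter: '^#{{ item.key }} *= *'
    regexp: '^{{ item.key }} *= *'
    line: '{{ item.key }} = {{ item.value }}'
  with_dict:
    compatibility_level: '2'
    html_directory: /usr/share/doc/postfix/html
    default_database_type: lmdb

    # Transport security / encryption:
    # NOTE(review): the certificate and key under /etc/postfix/tls/ are not
    # provisioned by any task in this file - confirm where they come from.
    smtpd_tls_cert_file: '/etc/postfix/tls/{{ mail_server_fqdn }}.crt'
    smtpd_tls_key_file: '/etc/postfix/tls/{{ mail_server_fqdn }}.key'
    # Legacy switch; superseded by smtpd_tls_security_level below.
    smtpd_use_tls: 'yes'
    smtpd_tls_session_cache_database: 'lmdb:${data_directory}/smtpd_scache'
    smtp_tls_session_cache_database: 'lmdb:${data_directory}/smtp_scache'
    smtpd_tls_loglevel: '1'
    smtp_tls_loglevel: '1'
    # Opportunistic TLS on both sides: encrypted when the peer offers it,
    # plaintext otherwise. Authentication is only offered over TLS
    # (smtpd_tls_auth_only).
    smtpd_tls_security_level: may
    smtp_tls_security_level: may
    smtpd_tls_auth_only: 'yes'
    tls_ssl_options: NO_COMPRESSION
    # Some remote servers are broken: when only TLSv1.2+ is offered they
    # retry in plaintext (which the "may" level permits). Kept at
    # >=TLSv1.2 regardless.
    # NOTE(review): the '>=TLSv1.2' form needs Postfix 3.6 or newer.
    smtpd_tls_mandatory_protocols: '>=TLSv1.2'
    smtpd_tls_protocols: '>=TLSv1.2'
    # Same when sending mail.
    smtp_tls_mandatory_protocols: '>=TLSv1.2'
    smtp_tls_protocols: '>=TLSv1.2'
    # Internal systems/clients must support better crypto:
    lmtp_tls_mandatory_protocols: '>=TLSv1.2'
    lmtp_tls_protocols: '>=TLSv1.2'
    submission_tls_mandatory_protocols: '>=TLSv1.2'
    submission_tls_protocols: '>=TLSv1.2'
    smtpd_tls_mandatory_ciphers: high
    #tls_high_cipherlist: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
    smtpd_tls_exclude_ciphers: 'MD5, DES, eNULL, 3DES, EXP, RC4, DSS, PSK, SEED, IDEA, ECDSA, aNULL'
    smtpd_tls_eecdh_grade: strong
    myhostname: '{{ mail_postfix_domain }}'
    myorigin: '{{ mail_postfix_myorigin }}'
    mydestination: ''
    relayhost: ''
    mynetworks: '{{ mynetworks }}'
    recipient_delimiter: '+'
    inet_interfaces: 'all'
    #inet_protocols: 'ipv4'

    alias_maps: 'cdb:/etc/aliases'
    alias_database: 'cdb:/etc/aliases'
    smtp_generic_maps: cdb:/etc/postfix/generic_map
    smtpd_sasl_type: dovecot
    smtpd_sasl_path: private/auth
    smtpd_sasl_local_domain: '{{ domain }}'
    smtpd_sasl_security_options: noanonymous
    # SASL stays off for the default smtpd; presumably enabled per service
    # in master.cf (submission) - not visible in this file.
    smtpd_sasl_auth_enable: 'no'
    strict_rfc821_envelopes: 'yes'
    smtpd_reject_unlisted_sender: 'yes'
    # Per-destination policy table, maintained by the "force TLS" task below.
    smtp_tls_policy_maps: 'cdb:/etc/postfix/tls_policy'

    #### Delivery, and checking whether this server is responsible for the
    #### domain and whether the address exists:
    # The domain is virtual, not local!
    # Delivery via LMTP to Dovecot:
    virtual_transport: 'lmtp:unix:private/dovecot-lmtp'
    # Likewise; actually not in use.
    local_transport: 'lmtp:unix:private/dovecot-lmtp'
    # Which domains are accepted?
    virtual_mailbox_domains: 'cdb:/etc/postfix/virtual_endpoint_map'
    # Aliases for virtual addresses.
    virtual_alias_maps: 'cdb:/etc/postfix/virtual_aliases, cdb:/etc/postfix/mailinglists'
    sender_canonical_maps: 'cdb:/etc/postfix/sender_canonical'
    # virtual_mailbox_maps is not set because the virtual_transport does the
    # recipient check.
    smtpd_relay_restrictions: 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination'

    address_verify_map: 'lmdb:$data_directory/verify_cache'
    unknown_address_reject_code: 550

    # Evaluated in order; the first matching rule decides. Folded scalar:
    # line breaks become single spaces, so the rendered value is unchanged.
    smtpd_recipient_restrictions: >-
      reject_unknown_reverse_client_hostname,
      reject_invalid_helo_hostname,
      reject_non_fqdn_helo_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      reject_invalid_hostname,
      permit_mynetworks,
      reject_unauth_destination,
      reject_unverified_recipient,
      check_policy_service unix:private/policy-spf

    # Postscreen
    postscreen_greet_banner: >-
      Loving the dog most, oh human, you say is a sin. The dog stayed true
      to me during the storm, the human not even during the wind.
    postscreen_cache_map: 'lmdb:$data_directory/postscreen_cache'
    postscreen_access_list: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr'
    postscreen_blacklist_action: 'enforce'
    postscreen_greet_action: 'enforce'
    postscreen_pipelining_enable: 'yes'
    # With a threshold of 1, a listing on any single site below is enough
    # to reject the client - review the list for false-positive exposure.
    postscreen_dnsbl_threshold: '1'
    postscreen_dnsbl_sites: >-
      ix.dnsbl.manitu.net
      b.barracudacentral.org
      dnsbl.sorbs.net
      dnsbl-3.uceprotect.net
      dnsbl-2.uceprotect.net
      dnsbl-1.uceprotect.net
    postscreen_dnsbl_action: 'enforce'
    postscreen_dnsbl_ttl: '1h'
    # TODO: greylisting custom message

    # SPF
    policy-spf_time_limit: 3600s

    # DKIM
    # Mail is accepted (not rejected) when a milter is unreachable.
    milter_default_action: accept
    milter_protocol: '2'
    smtpd_milters: 'unix:milter/opendkim, unix:milter/opendmarc'
    non_smtpd_milters: 'unix:milter/opendkim'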
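# Render the mailing-list alias table that main.cf references via
# virtual_alias_maps (cdb:/etc/postfix/mailinglists). Presumably compiled
# into its cdb by the lookup-table task below when listed in postfix_postmap.
- name: mailinglists-aliases
  template:
    src: mailinglist-aliases.j2
    dest: /etc/postfix/mailinglists
    # quoted so the YAML loader cannot re-type the octal literal
    mode: "0444"
    owner: root
    group: root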
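# Create placeholder files (path -> initial content) where none exist yet;
# files that are already present are left untouched (force: false).
# Presumably these are the lookup-table sources that postmap expects below.
- name: dummy files if needed
  copy:
    dest: '{{ item.key }}'
    content: '{{ item.value }}'
    force: false
  with_dict: '{{ postfix_default_file_content }}'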
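# Maintain /etc/postfix/tls_policy (the smtp_tls_policy_maps source in
# main.cf): one `destination policy` line per entry of postfix_tls_policy.
- name: force TLS for these
  lineinfile:
    path: /etc/postfix/tls_policy
    # with_dict exposes each entry as item.key / item.value; the loop does
    # not set bare `key` / `value`, which would fail as undefined variables.
    regexp: '^{{ item.key }}[ \t]'
    line: '{{ item.key }} {{ item.value }}'
  with_dict: '{{ postfix_tls_policy }}'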
# Rebuild the local alias database (alias_database in main.cf) from
# /etc/aliases.
- name: prepare aliases-lookup-tables
  command:
    cmd: newaliases
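# Compile each source file listed in postfix_postmap (relative to
# /etc/postfix) into its lookup table. command/argv passes the file name as
# one argument with no shell involved, so no quoting filter is needed.
- name: prepare lookup-tables
  command:
    argv:
      - postmap
      - '{{ item }}'
    chdir: /etc/postfix
  with_items: '{{ postfix_postmap }}'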