1 files changed, 194 insertions, 0 deletions
diff --git a/ansible/roles/postfix/templates/postfix/main.cf.j2 b/ansible/roles/postfix/templates/postfix/main.cf.j2
new file mode 100644
index 0000000..b3e8cc2
--- /dev/null
+++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
+# Modified from https://www.c0ffee.net/blog/mail-server-guide
+smtpd_banner = $myhostname ESMTP dx Independence
+# "2" is current for postfix 3.2 configs
+compatibility_level = 2
+# disable "new mail" notifications for local unix users
+biff = no
+# directory to store mail for local unix users
+mail_spool_directory = /var/mail/local
+# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
+# sure this resolves to the same IP as your reverse DNS hostname.
+myhostname = {{ network.hostname.public }}
+# Domains for which postfix will deliver local mail. Does not apply to
+# virtual domains, which are configured below. Make sure to specify the FQDN
+# of your sever, as well as localhost.
+# Note: NEVER specify any virtual domains here!!! Those come later.
+mydestination = localhost
+# Domain appended to mail sent locally from this machine - such as mail sent
+# via the `sendmail` command.
+myorigin = $myhostname
+# prevent spammers from searching for valid users
+disable_vrfy_command = yes
+# require properly formatted email addresses - prevents a lot of spam
+strict_rfc821_envelopes = yes
+# don't give any helpful info when a mailbox doesn't exist
+show_user_unknown_table_name = no
+# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
+# the message size for the mail to be accepted, but has no meaning after
+# that since we are using Dovecot for delivery.
+message_size_limit = 268435456
+mailbox_size_limit = 0
+# require addresses of the form "[email protected]"
+allow_percent_hack = no
+swap_bangpath = no
+# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
+recipient_delimiter = +
+# path to the SSL certificate for the mail server
+smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
+# You can also specify an EC cert to try first if the clients support it.
+smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
+# Path to your trusted certificates file. Usually provided by a
+# ca-certificates package or similar.
+smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
+# These two lines define how postfix will connect to other mail servers.
+# "may" allows opportunistic TLS and "enabled" allows hostname lookups
+# http://www.postfix.org/TLS_README.html
+smtp_tls_security_level = may
+smtp_dns_support_level = enabled
+# IP address used by postfix to send outgoing mail. You only need this if
+# your machine has multiple IP addresses - set it to your MX address to
+# satisfy your SPF record.
+smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
+smtp_bind_address6 =
+inet_interfaces = 127.0.0.1,$smtp_bind_address
+inet_protocols = ipv4
+# Here we define the options for "mandatory" TLS. In our setup, TLS is only
+# "mandatory" for authenticating users. I got these settings from Mozilla's
+# SSL reccomentations page.
+#
+# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
+# connections. Do not attempt to change the default cipherlist for non-
+# mandatory connections either. There are still a lot of mail servers out
+# there that do not use TLS, and many that do only support old ciphers.
+# Forcing TLS for everyone *will* cause you to lose mail.
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
+smtpd_tls_mandatory_ciphers = high
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+# allow other mail servers to connect using TLS, but don't require it
+smtpd_tls_security_level = may
+# tickets and compression have known vulnerabilities
+tls_ssl_options = no_ticket, no_compression
+# yes, using 2048 with "dh1024" is the right thing to do
+smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
+# cache incoming and outgoing TLS sessions
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
+smtp_tls_session_cache_database  = btree:${data_directory}/smtp_tlscache
+# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
+# runtime directory that we will use for authentication.
+# TODO: can also replace this with a network inet connection if dovecot opens it
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_type = dovecot
+# only allow authentication over TLS
+smtpd_tls_auth_only = yes
+# don't allow plaintext auth methods on unencrypted connections
+smtpd_sasl_security_options = noanonymous, noplaintext
+# but plaintext auth is fine when using TLS
+smtpd_sasl_tls_security_options = noanonymous
+# add a message header when email was recieved over TLS
+smtpd_tls_received_header = yes
+# require that connecting mail servers identify themselves - this greatly
+# reduces spam
+smtpd_helo_required = yes
+# The following block specifies some security restrictions for incoming
+# mail. The gist of it is, authenticated users and connections from
+# localhost can do anything they want. Random people connecting over the
+# internet are treated with more suspicion: they must have a reverse DNS
+# entry and present a valid, FQDN HELO hostname. In addition, they can only
+# send mail to valid mailboxes on the server, and the sender's domain must
+# actually exist.
+smtpd_client_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  #reject_unknown_reverse_client_hostname,
+  # you might want to consider:
+  #  reject_unknown_client_hostname,
+  # here. This will reject all incoming connections without a reverse DNS
+  # entry that resolves back to the client's IP address. This is a very
+  # restrictive check and may reject legitimate mail.
+  reject_unauth_pipelining
+smtpd_helo_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_invalid_helo_hostname,
+  reject_non_fqdn_helo_hostname,
+  # you might want to consider:
+  #  reject_unknown_helo_hostname,
+  # here. This will reject all incoming mail without a HELO hostname that
+  # properly resolves in DNS. This is a somewhat restrictive check and may
+  # reject legitimate mail.
+  reject_unauth_pipelining
+smtpd_sender_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_non_fqdn_sender,
+#  reject_unknown_sender_domain,
+  reject_unauth_pipelining
+smtpd_relay_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
+  reject_unauth_destination
+  # !!!      DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES      !!!
+#smtpd_recipient_restrictions =
+#  permit_mynetworks,
+#  permit_sasl_authenticated,
+#  reject_non_fqdn_recipient,
+#  reject_unknown_recipient_domain,
+#  reject_unauth_pipelining,
+smtpd_data_restrictions =
+  permit_mynetworks,
+  permit_sasl_authenticated,
+  reject_multi_recipient_bounce,
+  reject_unauth_pipelining
+smtpd_recipient_restrictions =
+    permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination
+# deliver mail for virtual users to Dovecot's LMTP socket
+# TODO: convert this to network with dovecot opening a local inet port
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = /etc/postfix/domains
+virtual_alias_maps = hash:/etc/postfix/virtual
+#virtual_alias_domains = /etc/postfix/domains
+# We'll uncomment these when we set up rspamd later:
+milter_protocol = 6
+milter_default_action = accept
+#smtpd_milters = unix:/var/run/rspamd/milter.sock
+smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

diff --git a/ansible/roles/postfix/templates/postfix/main.cf.j2 b/ansible/roles/postfix/templates/postfix/main.cf.j2 new file mode 100644 index 0000000..b3e8cc2 --- /dev/null +++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
	1	# Modified from https://www.c0ffee.net/blog/mail-server-guide
	2
	3	smtpd_banner = $myhostname ESMTP dx Independence
	4
	5	# "2" is current for postfix 3.2 configs
	6	compatibility_level = 2
	7
	8	# disable "new mail" notifications for local unix users
	9	biff = no
	10
	11	# directory to store mail for local unix users
	12	mail_spool_directory = /var/mail/local
	13
	14	# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
	15	# sure this resolves to the same IP as your reverse DNS hostname.
	16	myhostname = {{ network.hostname.public }}
	17
	18	# Domains for which postfix will deliver local mail. Does not apply to
	19	# virtual domains, which are configured below. Make sure to specify the FQDN
	20	# of your sever, as well as localhost.
	21	# Note: NEVER specify any virtual domains here!!! Those come later.
	22	mydestination = localhost
	23
	24	# Domain appended to mail sent locally from this machine - such as mail sent
	25	# via the `sendmail` command.
	26	myorigin = $myhostname
	27
	28	# prevent spammers from searching for valid users
	29	disable_vrfy_command = yes
	30
	31	# require properly formatted email addresses - prevents a lot of spam
	32	strict_rfc821_envelopes = yes
	33
	34	# don't give any helpful info when a mailbox doesn't exist
	35	show_user_unknown_table_name = no
	36
	37	# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
	38	# the message size for the mail to be accepted, but has no meaning after
	39	# that since we are using Dovecot for delivery.
	40	message_size_limit = 268435456
	41	mailbox_size_limit = 0
	42
	43	# require addresses of the form "[email protected]"
	44	allow_percent_hack = no
	45	swap_bangpath = no
	46
	47	# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
	48	recipient_delimiter = +
	49
	50	# path to the SSL certificate for the mail server
	51	smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
	52	smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
	53
	54	# You can also specify an EC cert to try first if the clients support it.
	55	smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
	56	smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
	57
	58	# Path to your trusted certificates file. Usually provided by a
	59	# ca-certificates package or similar.
	60	smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
	61
	62	# These two lines define how postfix will connect to other mail servers.
	63	# "may" allows opportunistic TLS and "enabled" allows hostname lookups
	64	# http://www.postfix.org/TLS_README.html
	65	smtp_tls_security_level = may
	66	smtp_dns_support_level = enabled
	67
	68	# IP address used by postfix to send outgoing mail. You only need this if
	69	# your machine has multiple IP addresses - set it to your MX address to
	70	# satisfy your SPF record.
	71	smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
	72	smtp_bind_address6 =
	73	inet_interfaces = 127.0.0.1,$smtp_bind_address
	74	inet_protocols = ipv4
	75
	76	# Here we define the options for "mandatory" TLS. In our setup, TLS is only
	77	# "mandatory" for authenticating users. I got these settings from Mozilla's
	78	# SSL reccomentations page.
	79	#
	80	# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
	81	# connections. Do not attempt to change the default cipherlist for non-
	82	# mandatory connections either. There are still a lot of mail servers out
	83	# there that do not use TLS, and many that do only support old ciphers.
	84	# Forcing TLS for everyone will cause you to lose mail.
	85	smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
	86	smtpd_tls_mandatory_ciphers = high
	87	tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	88
	89	# allow other mail servers to connect using TLS, but don't require it
	90	smtpd_tls_security_level = may
	91
	92	# tickets and compression have known vulnerabilities
	93	tls_ssl_options = no_ticket, no_compression
	94
	95	# yes, using 2048 with "dh1024" is the right thing to do
	96	smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
	97
	98	# cache incoming and outgoing TLS sessions
	99	smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
	100	smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
	101
	102	# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
	103	# runtime directory that we will use for authentication.
	104	# TODO: can also replace this with a network inet connection if dovecot opens it
	105	smtpd_sasl_auth_enable = yes
	106	smtpd_sasl_path = private/auth
	107	smtpd_sasl_type = dovecot
	108
	109	# only allow authentication over TLS
	110	smtpd_tls_auth_only = yes
	111
	112	# don't allow plaintext auth methods on unencrypted connections
	113	smtpd_sasl_security_options = noanonymous, noplaintext
	114	# but plaintext auth is fine when using TLS
	115	smtpd_sasl_tls_security_options = noanonymous
	116
	117	# add a message header when email was recieved over TLS
	118	smtpd_tls_received_header = yes
	119
	120	# require that connecting mail servers identify themselves - this greatly
	121	# reduces spam
	122	smtpd_helo_required = yes
	123
	124	# The following block specifies some security restrictions for incoming
	125	# mail. The gist of it is, authenticated users and connections from
	126	# localhost can do anything they want. Random people connecting over the
	127	# internet are treated with more suspicion: they must have a reverse DNS
	128	# entry and present a valid, FQDN HELO hostname. In addition, they can only
	129	# send mail to valid mailboxes on the server, and the sender's domain must
	130	# actually exist.
	131	smtpd_client_restrictions =
	132	permit_mynetworks,
	133	permit_sasl_authenticated,
	134	#reject_unknown_reverse_client_hostname,
	135	# you might want to consider:
	136	# reject_unknown_client_hostname,
	137	# here. This will reject all incoming connections without a reverse DNS
	138	# entry that resolves back to the client's IP address. This is a very
	139	# restrictive check and may reject legitimate mail.
	140	reject_unauth_pipelining
	141	smtpd_helo_restrictions =
	142	permit_mynetworks,
	143	permit_sasl_authenticated,
	144	reject_invalid_helo_hostname,
	145	reject_non_fqdn_helo_hostname,
	146	# you might want to consider:
	147	# reject_unknown_helo_hostname,
	148	# here. This will reject all incoming mail without a HELO hostname that
	149	# properly resolves in DNS. This is a somewhat restrictive check and may
	150	# reject legitimate mail.
	151	reject_unauth_pipelining
	152	smtpd_sender_restrictions =
	153	permit_mynetworks,
	154	permit_sasl_authenticated,
	155	reject_non_fqdn_sender,
	156	# reject_unknown_sender_domain,
	157	reject_unauth_pipelining
	158	smtpd_relay_restrictions =
	159	permit_mynetworks,
	160	permit_sasl_authenticated,
	161	# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
	162	reject_unauth_destination
	163	# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
	164	#smtpd_recipient_restrictions =
	165	# permit_mynetworks,
	166	# permit_sasl_authenticated,
	167	# reject_non_fqdn_recipient,
	168	# reject_unknown_recipient_domain,
	169	# reject_unauth_pipelining,
	170	smtpd_data_restrictions =
	171	permit_mynetworks,
	172	permit_sasl_authenticated,
	173	reject_multi_recipient_bounce,
	174	reject_unauth_pipelining
	175
	176	smtpd_recipient_restrictions =
	177	permit_mynetworks,
	178	permit_sasl_authenticated,
	179	reject_unauth_destination
	180
	181	# deliver mail for virtual users to Dovecot's LMTP socket
	182	# TODO: convert this to network with dovecot opening a local inet port
	183	virtual_transport = lmtp:unix:private/dovecot-lmtp
	184	virtual_mailbox_domains = /etc/postfix/domains
	185
	186	virtual_alias_maps = hash:/etc/postfix/virtual
	187	#virtual_alias_domains = /etc/postfix/domains
	188
	189	# We'll uncomment these when we set up rspamd later:
	190	milter_protocol = 6
	191	milter_default_action = accept
	192	#smtpd_milters = unix:/var/run/rspamd/milter.sock
	193	smtpd_milters = inet:localhost:11332
	194	milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}