1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
# Modified from https://www.c0ffee.net/blog/mail-server-guide
smtpd_banner = $myhostname ESMTP dx Independence
# "2" is current for postfix 3.2 configs
compatibility_level = 2
# disable "new mail" notifications for local unix users
biff = no
# directory to store mail for local unix users
mail_spool_directory = /var/mail/local
# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
# sure this resolves to the same IP as your reverse DNS hostname.
myhostname = {{ network.hostname.public }}
# Domains for which postfix will deliver local mail. Does not apply to
# virtual domains, which are configured below. Make sure to specify the FQDN
# of your sever, as well as localhost.
# Note: NEVER specify any virtual domains here!!! Those come later.
mydestination = localhost
# Domain appended to mail sent locally from this machine - such as mail sent
# via the `sendmail` command.
myorigin = $myhostname
# prevent spammers from searching for valid users
disable_vrfy_command = yes
# require properly formatted email addresses - prevents a lot of spam
strict_rfc821_envelopes = yes
# don't give any helpful info when a mailbox doesn't exist
show_user_unknown_table_name = no
# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
# the message size for the mail to be accepted, but has no meaning after
# that since we are using Dovecot for delivery.
message_size_limit = 268435456
mailbox_size_limit = 0
# require addresses of the form "[email protected]"
allow_percent_hack = no
swap_bangpath = no
# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
recipient_delimiter = +
# path to the SSL certificate for the mail server
smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
# You can also specify an EC cert to try first if the clients support it.
smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
# Path to your trusted certificates file. Usually provided by a
# ca-certificates package or similar.
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
# These two lines define how postfix will connect to other mail servers.
# "may" allows opportunistic TLS and "enabled" allows hostname lookups
# http://www.postfix.org/TLS_README.html
smtp_tls_security_level = may
smtp_dns_support_level = enabled
# IP address used by postfix to send outgoing mail. You only need this if
# your machine has multiple IP addresses - set it to your MX address to
# satisfy your SPF record.
smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
smtp_bind_address6 =
inet_interfaces = 127.0.0.1,$smtp_bind_address
inet_protocols = ipv4
# Here we define the options for "mandatory" TLS. In our setup, TLS is only
# "mandatory" for authenticating users. I got these settings from Mozilla's
# SSL reccomentations page.
#
# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
# connections. Do not attempt to change the default cipherlist for non-
# mandatory connections either. There are still a lot of mail servers out
# there that do not use TLS, and many that do only support old ciphers.
# Forcing TLS for everyone *will* cause you to lose mail.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# allow other mail servers to connect using TLS, but don't require it
smtpd_tls_security_level = may
# tickets and compression have known vulnerabilities
tls_ssl_options = no_ticket, no_compression
# yes, using 2048 with "dh1024" is the right thing to do
smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
# cache incoming and outgoing TLS sessions
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
# runtime directory that we will use for authentication.
# TODO: can also replace this with a network inet connection if dovecot opens it
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
# only allow authentication over TLS
smtpd_tls_auth_only = yes
# don't allow plaintext auth methods on unencrypted connections
smtpd_sasl_security_options = noanonymous, noplaintext
# but plaintext auth is fine when using TLS
smtpd_sasl_tls_security_options = noanonymous
# add a message header when email was recieved over TLS
smtpd_tls_received_header = yes
# require that connecting mail servers identify themselves - this greatly
# reduces spam
smtpd_helo_required = yes
# The following block specifies some security restrictions for incoming
# mail. The gist of it is, authenticated users and connections from
# localhost can do anything they want. Random people connecting over the
# internet are treated with more suspicion: they must have a reverse DNS
# entry and present a valid, FQDN HELO hostname. In addition, they can only
# send mail to valid mailboxes on the server, and the sender's domain must
# actually exist.
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
#reject_unknown_reverse_client_hostname,
# you might want to consider:
# reject_unknown_client_hostname,
# here. This will reject all incoming connections without a reverse DNS
# entry that resolves back to the client's IP address. This is a very
# restrictive check and may reject legitimate mail.
reject_unauth_pipelining
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
# you might want to consider:
# reject_unknown_helo_hostname,
# here. This will reject all incoming mail without a HELO hostname that
# properly resolves in DNS. This is a somewhat restrictive check and may
# reject legitimate mail.
reject_unauth_pipelining
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
# reject_unknown_sender_domain,
reject_unauth_pipelining
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
reject_unauth_destination
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
#smtpd_recipient_restrictions =
# permit_mynetworks,
# permit_sasl_authenticated,
# reject_non_fqdn_recipient,
# reject_unknown_recipient_domain,
# reject_unauth_pipelining,
smtpd_data_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
# deliver mail for virtual users to Dovecot's LMTP socket
# TODO: convert this to network with dovecot opening a local inet port
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = /etc/postfix/domains
virtual_alias_maps = hash:/etc/postfix/virtual
#virtual_alias_domains = /etc/postfix/domains
# We'll uncomment these when we set up rspamd later:
milter_protocol = 6
milter_default_action = accept
#smtpd_milters = unix:/var/run/rspamd/milter.sock
smtpd_milters = inet:localhost:11332
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
|
