{%- from "postfix/map.jinja" import postfix with context -%} {%- set config = salt['pillar.get']('postfix:config', {}) -%} {%- if not salt['pillar.get']('postfix:mapping', False) %} {#- Let the user configure mapping manually. -#} {%- set processed_parameters = [] %} {%- else -%} {#- TODO: alias_maps probably belongs here, too: #} {%- set processed_parameters = [ 'virtual_alias_maps', 'smtp_sasl_password_maps', 'sender_canonical_maps', ] %} {%- endif -%} {%- macro set_parameter(parameter, default=None) -%} {% set value = config.get(parameter, default) %} {%- if value is not none %} {%- if value is number or value is string -%} {{ parameter }} = {{ value }} {%- elif value is iterable -%} {{ parameter }} = {{ value | join(', ')}} {%- endif -%} {%- do processed_parameters.append(parameter) %} {%- endif %} {%- endmacro -%} # Managed by config management # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname {{ set_parameter('smtpd_banner', '$myhostname ESMTP $mail_name') }} {{ set_parameter('biff', 'no') }} {{ set_parameter('compatibility_level', '2') }} # appending .domain is the MUA's job. {{ set_parameter('append_dot_mydomain', 'no') }} # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h {{ set_parameter('readme_directory', 'no') }} {%- set relay_restrictions = ['permit_mynetworks'] %} {%- set recipient_restrictions = ['permit_mynetworks'] %} {%- if config.get('smtpd_sasl_auth_enable', 'yes') == 'yes' %} # SASL parameters (http://www.postfix.org/SASL_README.html) {%- do relay_restrictions.append('permit_sasl_authenticated') %} {%- do recipient_restrictions.append('permit_sasl_authenticated') %} {{ set_parameter('smtpd_sasl_auth_enable', 'yes') }} {{ set_parameter('smtpd_sasl_path', 'smtpd') }} {{ set_parameter('smtpd_sasl_type', 'cyrus') }} {{ set_parameter('smtpd_sasl_security_options', ['noanonymous', 'noplaintext']) }} {{ set_parameter('smtpd_sasl_tls_security_options', ['noanonymous']) }} {{ set_parameter('smtpd_tls_auth_only', 'yes') }} {%- endif %} {%- if config.get('smtpd_use_tls', 'yes') == 'yes' %} # TLS parameters (http://www.postfix.org/TLS_README.html) # Recipient settings {{ set_parameter('smtpd_use_tls') }} {{ set_parameter('smtpd_tls_loglevel', 1) }} {{ set_parameter('smtpd_tls_security_level', 'may') }} {{ set_parameter('smtp_tls_CApath', '/etc/ssl/certs') }} {{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }} {{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }} {{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }} {{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }} {{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }} {{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }} {{ set_parameter('tls_preempt_cipherlist', 'yes') }} # Relay/Sender settings {{ set_parameter('smtp_tls_loglevel', 1) }} {{ set_parameter('smtp_tls_security_level', 'may') }} {{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }} {%- endif %} {{ set_parameter('myhostname', grains['fqdn']) }} {#- TODO: The following two may not be the same: #} {{ set_parameter('alias_maps', 'hash:' ~ postfix.aliases_file) }} {{ set_parameter('alias_database', 'hash:' ~ postfix.aliases_file) }} {{ set_parameter('mydestination', [grains['fqdn'], 'localhost', 'localhost.localdomain', grains['domain']]) }} {{ set_parameter('relayhost', '') }} {{ set_parameter('mynetworks', ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']) }} {{ set_parameter('mailbox_size_limit', '0') }} {{ set_parameter('recipient_delimiter', '+') }} {{ set_parameter('inet_interfaces', 'all') }} {{ set_parameter('message_size_limit', '41943040') }} {%- if config.get('relayhost') %} {% set policyd_spf = salt['pillar.get']('postfix:policyd-spf', {}) %} {%- if policyd_spf.get('enabled', False) %} {%- do relay_restrictions.append('check_policy_server unix:private/policyd-spf') %} policy-spf_time_limit = {{ policyd_spf.get('time_limit', '3600s') }} {%- endif %} {%- do relay_restrictions.append('defer_unauth_destination') %} {{ set_parameter('smtpd_relay_restrictions', relay_restrictions) }} {%- endif %} {#- check_policy_service must be after reject_unauth_destination #} {%- do recipient_restrictions.append('reject_unauth_destination') %} {%- set postgrey_config = salt['pillar.get']('postfix:postgrey', {}) %} {%- if postgrey_config.get('enabled', False) %} {%- do recipient_restrictions.append('check_policy_service ' ~ postgrey_config.get('location', 'inet:127.0.0.1:10030')) %} {%- endif %} {{ set_parameter('smtpd_recipient_restrictions', recipient_restrictions) }} {# From init.sls #} {%- set default_database_type = salt['pillar.get']('postfix:config:default_database_type', 'hash') %} {%- for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %} {%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %} {%- if ':' in file_path %} {%- set file_type, file_path = file_path.split(':') %} {%- else %} {%- set file_type = default_database_type %} {%- endif %} {%- if not file_path.startswith('/') %} {%- set file_path = postfix.config_path ~ '/' ~ file_path %} {%- endif %} {{ mapping }} = {{ file_type }}:{{ file_path }} {% endfor %} {# Accept arbitrary parameters -#} {% for parameter in config -%} {% if parameter not in processed_parameters -%} {{ set_parameter(parameter) }} {% endif -%} {% endfor -%}