{% from "postfix/map.jinja" import postfix with context %} {% set config = salt['pillar.get']('postfix:config', {}) -%} {% set processed_parameters = ['aliases_file', 'virtual'] -%} {% macro set_parameter(parameter, default=None) -%} {% set value = config.get(parameter, default) -%} {% if value is not none -%} {%- if value is number or value is string %} {{ parameter }} = {{ value }} {%- elif value is iterable %} {{ parameter }} = {%- for v in value %} {{ v }}, {%- endfor %} {%- endif %} {%- do processed_parameters.append(parameter) -%} {% endif -%} {% endmacro -%} # Managed by config management # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname {{ set_parameter('smtpd_banner', '$myhostname ESMTP $mail_name') }} {{ set_parameter('biff', 'no') }} {{ set_parameter('compatibility_level', '2') }} # appending .domain is the MUA's job. {{ set_parameter('append_dot_mydomain', 'no') }} # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h {{ set_parameter('readme_directory', 'no') }} {%- set relay_restrictions = ['permit_mynetworks'] %} {%- set recipient_restrictions = ['permit_mynetworks'] %} {%- if config.get('smtpd_sasl_auth_enable', 'yes') == 'yes' %} # SASL parameters (http://www.postfix.org/SASL_README.html) {%- do relay_restrictions.append('permit_sasl_authenticated') -%} {%- do recipient_restrictions.append('permit_sasl_authenticated') -%} {{ set_parameter('smtpd_sasl_auth_enable') }} {{ set_parameter('smtpd_sasl_path', 'smtpd') }} {{ set_parameter('smtpd_sasl_type', 'cyrus') }} {{ set_parameter('smtpd_sasl_security_options', ['noanonymous', 'noplaintext']) }} {{ set_parameter('smtpd_sasl_tls_security_options', ['noanonymous']) }} {{ set_parameter('smtpd_tls_auth_only', 'yes') }} {%- endif %} {%- if config.get('smtpd_use_tls', 'yes') == 'yes' %} # TLS parameters (http://www.postfix.org/TLS_README.html) # Recipient settings {{ set_parameter('smtpd_use_tls') }} {{ set_parameter('smtpd_tls_loglevel', 1) }} {{ set_parameter('smtpd_tls_security_level', 'may') }} {{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }} {{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }} {{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }} {{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }} {{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }} {{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }} {{ set_parameter('tls_preempt_cipherlist', 'yes') }} # Relay/Sender settings {{ set_parameter('smtp_tls_loglevel', 1) }} {{ set_parameter('smtp_tls_security_level', 'may') }} {{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }} {%- endif %} {{ set_parameter('myhostname', grains['fqdn']) }} {{ set_parameter('alias_maps', 'hash:' ~ postfix.aliases_file) }} {{ set_parameter('alias_database', 'hash:' ~ postfix.aliases_file) }} {{ set_parameter('mydestination', [grains['fqdn'], 'localhost', 'localhost.localdomain', grains['domain']]) }} {{ set_parameter('relayhost', '') }} {{ set_parameter('mynetworks', ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']) }} {{ set_parameter('mailbox_size_limit', '0') }} {{ set_parameter('recipient_delimiter', '+') }} {{ set_parameter('inet_interfaces', 'all') }} {{ set_parameter('message_size_limit', '41943040') }} {%- if config.get('relayhost') %} {% set policyd_spf = salt['pillar.get']('postfix:policyd-spf', {}) %} {%- if policyd_spf.get('enabled', False) %} {%- do relay_restrictions.append('check_policy_server unix:private/policyd-spf') %} policy-spf_time_limit = {{ policyd_spf.get('time_limit', '3600s') }} {%- endif %} {%- do relay_restrictions.append('defer_unauth_destination') %} {{ set_parameter('smtpd_relay_restrictions', relay_restrictions) }} {%- endif %} {#- check_policy_service must be after reject_unauth_destination #} {%- do recipient_restrictions.append('reject_unauth_destination') %} {%- set postgrey_config = salt['pillar.get']('postfix:postgrey', {}) %} {%- if postgrey_config.get('enabled', False) %} {%- do recipient_restrictions.append('check_policy_service ' ~ postgrey_config.get('location', 'inet:127.0.0.1:10030')) %} {%- endif %} {{ set_parameter('smtpd_recipient_restrictions', recipient_restrictions) }} {% if 'virtual' in pillar.get('postfix','') %} virtual_alias_maps = hash:/etc/postfix/virtual {% endif %} {# Accept arbitrary parameters -#} {% for parameter in config -%} {% if parameter not in processed_parameters -%} {{ set_parameter(parameter) }} {% endif -%} {% endfor -%}