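###############
# General
###############
# Postfix main.cf, rendered from this Jinja2 template.
# Postfix syntax: "key = value", one logical line per parameter; a line that
# starts with whitespace continues the previous value, and "#" is only a
# comment at the start of a line, never after a value.

{# IPv6 subnet in the bracketed form Postfix expects ("[prefix]/len").
   Computed once so that mynetworks and smtpd_authorized_xclient_hosts below
   cannot drift apart; empty when no IPv6 subnet is configured. #}
{% set subnet6_cidr = "[{}]/{}".format(*SUBNET6.translate({91: None, 93: None}).split("/")) if SUBNET6 else "" %}

# Main domain and hostname
mydomain = {{ DOMAIN }}
myhostname = {{ HOSTNAMES.split(",")[0] }}
myorigin = $mydomain
maillog_file = /dev/stdout

# Queue location
queue_directory = /queue

# Message size limit (bytes)
message_size_limit = {{ MESSAGE_SIZE_LIMIT }}

# Relayed networks. Everything listed here matches permit_mynetworks below and
# may relay without authentication, so it is limited to loopback, the container
# subnet(s) and the explicitly configured RELAYNETS.
mynetworks = 127.0.0.1/32 {{ SUBNET }} {% if SUBNET6 %}[::1]/128 {{ subnet6_cidr }}{% endif %} {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(" ") }}{% endif %}

# Empty alias list to override the configuration variable and disable NIS
alias_maps =

# Podop configuration: socketmap lookups answered by the admin container.
# ${podop} is expanded by Postfix wherever a map is named "${podop}<table>".
podop = socketmap:unix:/tmp/podop.socket:
# postscreen expects the PROXY protocol header from the fronting HAProxy
postscreen_upstream_proxy_protocol = haproxy
compatibility_level = 3.6

# Only accept virtual emails
mydestination =

# Relayhost if any is configured
relayhost = {{ RELAYHOST }}
{% if RELAYUSER %}
# Relay credentials are read from the sasl_passwd map in clear text; keep that
# file readable by root only. Plaintext SASL mechanisms are refused on
# unencrypted sessions; on TLS sessions only anonymous mechanisms are refused.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
{% endif %}

# Recipient delimiter for extended addresses
recipient_delimiter = {{ RECIPIENT_DELIMITER }}

###############
# TLS
###############
# General TLS configuration.
# "+SSLv3" in the cipher list is the OpenSSL cipher-string alias that demotes
# SSLv3-era suites to the end of the list; the SSLv2/SSLv3 protocols themselves
# are disabled below. The list ends with the legacy CBC/SHA1 suites
# CAMELLIA128-SHA and AES128-SHA, kept for compatibility with old peers.
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# Use the server's cipher preference order rather than the client's
tls_preempt_cipherlist = yes
# Disable TLS compression and session tickets
tls_ssl_options = NO_COMPRESSION, NO_TICKET

# By default, outgoing TLS is more flexible because
# 1. not all receiving servers will support TLS,
# 2. not all will have an up-to-date TLS stack.
# Only SSLv2/SSLv3 are excluded here, so TLS 1.0/1.1 remain usable outbound.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Outbound security level defaults to opportunistic DANE (overridable via
# OUTBOUND_TLS_LEVEL); per-destination overrides come from the policy maps.
smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
# DANE requires DNSSEC-validated lookups through the system resolver
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
delay_warning_time = 5m
smtp_tls_loglevel = 1
notify_classes = resource, software, delay

###############
# Virtual
###############
# The alias map actually returns both aliases and local mailboxes, which is
# required for reject_unlisted_sender to work properly
virtual_alias_domains =
virtual_alias_maps = ${podop}alias
virtual_mailbox_domains = ${podop}domain
virtual_mailbox_maps = ${podop}mailbox

# Mails are transported if required, then forwarded to Dovecot for delivery
relay_domains = ${podop}transport
transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport
virtual_transport = lmtp:inet:{{ IMAP_ADDRESS }}:2525

# Sender and recipient canonical maps, mostly for SRS
sender_canonical_maps = ${podop}sendermap
sender_canonical_classes = envelope_sender
recipient_canonical_maps = ${podop}recipientmap
recipient_canonical_classes = envelope_recipient, header_recipient

# In order to prevent Postfix from running a DNS query, enforce the use of the
# native DNS stack, which will check /etc/hosts properly.
lmtp_host_lookup = native

###############
# Restrictions
###############
# Delay all rejects until all information can be logged
smtpd_delay_reject = yes

# Allowed senders are: the user or one of the alias destinations
smtpd_sender_login_maps = ${podop}senderlogin

# Restrictions for incoming SMTP, other restrictions are applied in master.cf
smtpd_helo_required = yes

# Custom restriction class looked up by SASL login name (presumably a
# per-sender rate limit); intended for use from master.cf, not visible here.
check_ratelimit = check_sasl_access ${podop}senderrate

# The trailing "permit" is the implicit default and is kept for readability
smtpd_client_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit
# Relay only for trusted networks and authenticated users; anything else must
# be destined for a domain this server accepts (no open relay)
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
unverified_recipient_reject_reason = Address lookup failure

# Hosts allowed to use XCLIENT, i.e. to assert another client's address, name
# and authentication state on this server's behalf; limited to the container
# subnet(s), never to arbitrary clients.
smtpd_authorized_xclient_hosts = {{ SUBNET }}{% if SUBNET6 %},{{ subnet6_cidr }}{% endif %}

###############
# Milter
###############
smtpd_milters = inet:{{ ANTISPAM_ADDRESS }}:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# Fail closed: if the antispam milter is unreachable, mail is deferred
# (tempfail) instead of being accepted unfiltered
milter_default_action = tempfail

###############
# Extra Settings
###############
{# Ensure that the rendered file ends with newline in order to make `postconf` work correctly #}
{{- "\n" }}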