-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathconfigure_postfix.yml
More file actions
204 lines (162 loc) · 7.76 KB
/
configure_postfix.yml
File metadata and controls
204 lines (162 loc) · 7.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
---
- name: Update postfix configs in /etc/postfix/master.cf
lineinfile:
dest: "/etc/postfix/master.cf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
backup: yes
with_items:
- regexp: '^smtp\s+inet\s+' # The smtpd daemon listening at port 25
line: "smtp inet n - y - - smtpd"
- regexp: '^smtps\s+inet\s+' # mail submission via implicit tls on port 465
line: >-
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o cleanup_service_name=submission_cleanup
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated
- regexp: '^submission\s+inet\s+' # mail submission via starttls on port 587
line: >-
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o cleanup_service_name=submission_cleanup
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated
- regexp: '^submission_cleanup\s+unix\s+' # cleanup service for mail submissions
line: "submission_cleanup unix n - y - 0 cleanup -o header_checks=pcre:/etc/postfix/submission_header_checks"
notify: reload postfix
- name: Specify header checks for mail submitted via clients # https://serverfault.com/a/998993
template:
src: templates/submission_header_checks.j2
dest: /etc/postfix/submission_header_checks
- name: Update postfix configs in /etc/postfix/main.cf
lineinfile:
dest: "/etc/postfix/main.cf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
mode: 0644
backup: yes
with_items:
- regexp: "^myorigin"
line: "myorigin = /etc/mailname"
- regexp: "^mydestination"
line: "mydestination = $myhostname, myplatform.dataengineering.co.ke, localhost.dataengineering.co.ke, localhost"
- regexp: "^mynetworks" # Relay mail from host only
line: "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
- regexp: "^relayhost" # delivery mail directly to the internet
line: "relayhost ="
# use dovecot lmtp as virtual transport
- regexp: "^virtual_transport"
line: "virtual_transport = lmtp:unix:private/dovecot-lmtp"
- regexp: "^mailbox_transport"
line: "mailbox_transport = lmtp:unix:private/dovecot-lmtp"
# settings to reduce spam
- regexp: "^smtpd_recipient_restrictions"
line: >-
smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_unauth_destination
reject_non_fqdn_helo_hostname
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unverified_recipient
- regexp: "^smtpd_helo_required"
line: "smtpd_helo_required = yes"
# list of virtual domains being hosted
- regexp: "^virtual_mailbox_domains"
line: >-
virtual_mailbox_domains =
{% for domain in mail_domains %}
{{ domain }}
{% endfor %}
# configure aliases lookup table for virtual addresses
- regexp: "^virtual_alias_maps"
line: "virtual_alias_maps = hash:/etc/postfix/virtual"
# Settings to communicate with dovecot via SASL
# Dovecot authenticates clients who're sending mail
# ---
- regexp: "^smtpd_sasl_auth_enable" # enabled only for submission daemons
line: "smtpd_sasl_auth_enable = no"
- regexp: "^smtpd_sasl_type"
line: "smtpd_sasl_type = dovecot"
# communication socket relative to the queue directory
- regexp: "^smtpd_sasl_path"
line: "smtpd_sasl_path = private/auth"
- regexp: "^broken_sasl_auth_clients" # cater for non-compliant clients
line: "broken_sasl_auth_clients = yes"
# limit sending ability to my network and sasl authenticated only
- regexp: "^smtpd_relay_restrictions"
line: "smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination"
# disable anonymous auth and plaintext auth in non-tls sessions
- regexp: "^smtpd_sasl_security_options"
line: "smtpd_sasl_security_options = noanonymous, noplaintext"
- regexp: "^smtpd_sasl_tls_security_options"
line: "smtpd_sasl_tls_security_options = noanonymous"
# SSL configuration
# ---
# https://ssl-config.mozilla.org/#server=postfix&version=3.5.13&config=intermediate&openssl=1.1.1n&guideline=5.6
# generated 2022-11-23, Mozilla Guideline v5.6, Postfix 3.5.13, OpenSSL 1.1.1n, intermediate configuration
- regexp: "^smtpd_tls_key_file"
line: "smtpd_tls_key_file = /etc/letsencrypt/live/{{ server_hostname }}/privkey.pem"
- regexp: "^smtpd_tls_cert_file"
line: "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ server_hostname }}/fullchain.pem"
# announce STARTTLS but do not require it
- regexp: "^smtpd_tls_security_level"
line: "smtpd_tls_security_level = may"
# Use ssl if possible with remote SMTP servers
- regexp: "^smtp_tls_security_level"
line: "smtp_tls_security_level = may"
# only authenticate through tls
- regexp: "^smtpd_tls_auth_only"
line: "smtpd_tls_auth_only = yes"
# exclude older ssl/tls versions with mandatory tls
- regexp: "^smtpd_tls_mandatory_protocols"
line: "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
# exclude older ssl/tls versions with opportunistic tls
- regexp: "^smtpd_tls_protocols"
line: "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
# use 128-bit or longer symmetric bulk-encryption keys
- regexp: "^smtpd_tls_mandatory_ciphers"
line: "smtpd_tls_mandatory_ciphers = medium"
# medium cipher list to use with above setting
- regexp: "^tls_medium_cipherlist"
line: "tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
# do not preempt cipher list order preferred by client
- regexp: "^tls_preempt_cipherlist"
line: "tls_preempt_cipherlist = no"
# Use dhparams set up with the letsencrypt cert
- regexp: "^smtpd_tls_dh1024_param_file"
line: "smtpd_tls_dh1024_param_file = /etc/letsencrypt/ssl-dhparams.pem"
# enable logging of tls connections
- regexp: "^smtpd_tls_loglevel"
line: "smtpd_tls_loglevel = 2"
- regexp: "^smtp_tls_loglevel"
line: "smtp_tls_loglevel = 2"
# Milter Configuration
# --------------------
- regexp: "^smtpd_milters"
line: "smtpd_milters = unix:/spamass/spamass.sock unix:/opendkim/opendkim.sock"
- regexp: "^non_smtpd_milters"
line: "non_smtpd_milters = unix:/opendkim/opendkim.sock"
- regexp: "^milter_default_action" # in case a milter fails, accept the message
line: "milter_default_action = accept"
notify: reload postfix
# https://www.postfix.org/SASL_README.html#server_sasl_authz_envelope
- name: Set login maps for SASL authenticated mail senders
template:
src: templates/login_maps.j2
dest: /etc/postfix/login_maps
notify:
- update login maps db
- reload postfix