Diffstat (limited to 'files/usr/local/etc/postfix/main.cf.smtp_server')
-rw-r--r--files/usr/local/etc/postfix/main.cf.smtp_server124
1 files changed, 124 insertions, 0 deletions
diff --git a/files/usr/local/etc/postfix/main.cf.smtp_server b/files/usr/local/etc/postfix/main.cf.smtp_server
new file mode 100644
index 0000000..c1e40a4
--- /dev/null
+++ b/files/usr/local/etc/postfix/main.cf.smtp_server
@@ -0,0 +1,124 @@
+compatibility_level = 3.8
+
+queue_directory = /var/spool/postfix
+command_directory = /usr/local/sbin
+daemon_directory = /usr/local/libexec/postfix
+data_directory = /var/db/postfix
+sendmail_path = /usr/local/sbin/sendmail
+newaliases_path = /usr/local/bin/newaliases
+mailq_path = /usr/local/bin/mailq
+html_directory = no
+manpage_directory = /usr/local/man
+sample_directory = /usr/local/etc/postfix
+meta_directory = /usr/local/libexec/postfix
+shlib_directory = /usr/local/lib/postfix
+readme_directory = no
+mail_owner = ${postfix_user}
+setgid_group = maildrop
+
+import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME KRB5_KTNAME=${postfix_keytab} KRB5_CLIENT_KTNAME=${postfix_keytab}
+
+myorigin = ${postfix_myorigin}
+myhostname = ${postfix_public_fqdn}
+mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 ${postfix_mynetworks}
+mydestination =
+
+inet_interfaces = all
+inet_protocols = all
+
+alias_database =
+alias_maps =
+
+recipient_delimiter = ${postfix_recipient_delimiter}
+message_size_limit = ${postfix_message_size_limit}
+strict_rfc821_envelopes = yes
+allow_percent_hack = no
+swap_bangpath = no
+disable_vrfy_command = yes
+show_user_unknown_table_name = no
+tls_medium_cipherlist = ${postfix_cipherlist}
+tls_preempt_cipherlist = no
+
+$(if [ "$postfix_public_fqdn" != "$fqdn" ]; then
+cat <<EOF
+smtpd_tls_chain_files =
+ ${postfix_public_tls_key},
+ ${postfix_public_tls_cert}
+tls_server_sni_maps =
+ inline:{
+ { ${postfix_public_fqdn} = ${postfix_public_tls_key},${postfix_public_tls_cert} },
+ { .${domain} = ${postfix_local_tls_key},${postfix_local_tls_cert} }
+ }
+EOF
+else
+cat <<EOF
+smtpd_tls_chain_files =
+ ${postfix_local_tls_key},
+ ${postfix_local_tls_cert}
+EOF
+)
+
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_dh1024_param_file = ${postfix_dhparams}
+smtpd_tls_loglevel = 1
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+smtpd_helo_required = yes
+
+smtp_tls_CApath = ${system_ca_dir}
+smtp_tls_security_level = may
+smtp_tls_session_cache_database = btree:\$data_directory/smtp_scache
+smtp_tls_loglevel = 1
+
+lmtp_tls_CApath = ${system_ca_dir}
+lmtp_tls_security_level = encrypt
+lmtp_tls_wrappermode = yes
+lmtp_tls_session_cache_database = btree:\$data_directory/lmtp_scache
+smtp_tls_loglevel = 1
+
+smtpd_helo_required = yes
+smtpd_client_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_pipelining,
+ reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname,
+ reject_unauth_pipelining
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_unauth_pipelining
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+smtpd_recipient_restrictions =
+ reject_unknown_recipient_domain,
+ reject_unlisted_recipient,
+ reject_unauth_destination,
+ check_policy_service inet:${imap_host}.${domain}:${quota_status_port},
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_non_fqdn_recipient,
+ reject_unauth_pipelining
+smtpd_data_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_pipelining
+
+virtual_transport = lmtp:inet:${imap_host}.${domain}:${lmtp_port}
+virtual_mailbox_domains = ${postfix_virtual_domains}
+virtual_mailbox_maps = proxy:ldap:\$config_directory/virtual_mailboxes.cf
+virtual_alias_maps = proxy:ldap:\$config_directory/virtual_aliases.cf
+
+milter_default_action = accept
+smtpd_milters = unix:${rspamd_milter_sock}
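Review bot: The `$(if … then … else …` block that selects `smtpd_tls_chain_files` closes with `)` right after the second `EOF` and has no `fi`, so, assuming this template is expanded by a shell as the `\$data_directory` escapes suggest, the command substitution is a syntax error; add a `fi` line before the `)`. In the LMTP block the last line repeats `smtp_tls_loglevel = 1` where `lmtp_tls_loglevel = 1` looks intended, and `smtpd_helo_required = yes` is set twice. `smtpd_tls_mandatory_protocols = >=TLSv1.2` and `smtpd_tls_mandatory_ciphers` apply only where TLS is enforced, so with `smtpd_tls_security_level = may` the opportunistic listener keeps the default protocol floor unless `smtpd_tls_protocols = >=TLSv1.2` is set as well. `milter_default_action = accept` lets mail through unscanned whenever the rspamd socket is unavailable; `milter_default_action = tempfail` fails closed if that is not the intent.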