From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
 .../templates/etc/postfix/main.cf.j2 | 109 +++++++++++++++++++++
 .../templates/etc/postfix/master.cf.j2 | 34 +++++++
 .../templates/etc/postfix/virtual_aliases.cf.j2 | 8 ++
 .../templates/etc/postfix/virtual_mailboxes.cf.j2 | 7 ++
 4 files changed, 158 insertions(+)
 create mode 100644 roles/postfix_server/templates/etc/postfix/main.cf.j2
 create mode 100644 roles/postfix_server/templates/etc/postfix/master.cf.j2
 create mode 100644 roles/postfix_server/templates/etc/postfix/virtual_aliases.cf.j2
 create mode 100644 roles/postfix_server/templates/etc/postfix/virtual_mailboxes.cf.j2
(limited to 'roles/postfix_server/templates')
diff --git a/roles/postfix_server/templates/etc/postfix/main.cf.j2 b/roles/postfix_server/templates/etc/postfix/main.cf.j2
new file mode 100644
index 0000000..9132dff
--- /dev/null
+++ b/roles/postfix_server/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,109 @@
+compatibility_level = 2
+
+### path definitions
+queue_directory = /var/spool/postfix
+command_directory = /usr/sbin
+daemon_directory = /usr/libexec/postfix
+data_directory = /var/lib/postfix
+mail_owner = postfix
+
+sendmail_path = /usr/sbin/sendmail.postfix
+newaliases_path = /usr/bin/newaliases.postfix
+mailq_path = /usr/bin/mailq.postfix
+setgid_group = postdrop
+html_directory = no
+manpage_directory = /usr/share/man
+sample_directory = /usr/share/doc/postfix/samples
+readme_directory = /usr/share/doc/postfix/README_FILES
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64/postfix
+
+import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME GSS_USE_PROXY=yes
+
+myorigin = {{ postfix_myorigin }}
+myhostname = {{ postfix_myhostname }}
+
+mynetworks = 127.0.0.0/8 {{ postfix_mynetworks | join(' ') }}
+
+# disable local delivery
+mydestination =
+
+inet_interfaces = all
+inet_protocols = all
+
+# disable open relay
+mynetworks_style = host
+
+alias_database = hash:/etc/aliases
+
+smtputf8_enable = yes
+recipient_delimiter = {{ postfix_recipient_delimiter }}
+message_size_limit = {{ postfix_message_size_limit }}
+
+strict_rfc821_envelopes = yes
+allow_percent_hack = no
+swap_bangpath = no
+disable_vrfy_command = yes
+show_user_unknown_table_name = no
+
+tls_medium_cipherlist = {{ postfix_cipherlist }}
+tls_preempt_cipherlist = no
+
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = {{ postfix_certificate_path }}
+smtpd_tls_key_file = {{ postfix_certificate_key_path }}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_dh1024_param_file = {{ postfix_dhparams_path }}
+
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+
+smtpd_helo_required = yes
+
+smtp_tls_security_level = may
+smtp_tls_CAfile = {{ postfix_smtp_ca_file }}
+
+lmtp_tls_CAfile = {{ postfix_smtp_ca_file }}
+lmtp_tls_security_level = {{ 'secure' if postfix_lmtp_require_tls else 'may' }}
+
+# public mailserver - restrictive policy
+smtpd_helo_required = yes
+smtpd_client_restrictions =
+ permit_mynetworks,
+ reject_unauth_pipelining,
+ reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname,
+ reject_unauth_pipelining
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_unauth_pipelining
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ reject_unauth_destination
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ reject_unauth_pipelining,
+ reject_unlisted_recipient,
+ reject_unauth_destination,
+ check_policy_service {{ postfix_mailbox_quota_service }}
+smtpd_data_restrictions =
+ permit_mynetworks,
+ reject_unauth_pipelining
+
+virtual_transport = {{ postfix_virtual_transport }}
+virtual_mailbox_domains = {{ freeipa_realm }} {{ postfix_virtual_domains | join(' ') }}
+virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf
+virtual_alias_maps = ldap:$config_directory/virtual_aliases.cf
+
+milter_default_action = accept
+smtpd_milters = {{ postfix_milter }}
diff --git a/roles/postfix_server/templates/etc/postfix/master.cf.j2 b/roles/postfix_server/templates/etc/postfix/master.cf.j2
new file mode 100644
index 0000000..1742b7a
--- /dev/null
+++ b/roles/postfix_server/templates/etc/postfix/master.cf.j2
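Review bot: `mynetworks_style = host` under the `# disable open relay` comment (first part of this hunk) is a no-op here, because mynetworks_style only generates the default value of mynetworks and this file sets mynetworks explicitly a few lines earlier; the open-relay protection actually comes from `reject_unauth_destination` in smtpd_relay_restrictions and smtpd_recipient_restrictions later in the hunk. Either drop the two lines or reword the comment to `# relaying is controlled by smtpd_relay_restrictions below`, so a later reader does not loosen the restriction lists believing this line still guards them. `smtpd_helo_required = yes` is also set twice (once after the SASL options, again under `# public mailserver`), which makes postconf warn about an overridden entry; keep one. Only smtpd_milters is set, so mail injected locally through sendmail/pickup never passes the milter; if it does signing or scanning, `non_smtpd_milters = $smtpd_milters` is probably wanted as well.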
@@ -0,0 +1,34 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
diff --git a/roles/postfix_server/templates/etc/postfix/virtual_aliases.cf.j2 b/roles/postfix_server/templates/etc/postfix/virtual_aliases.cf.j2
new file mode 100644
index 0000000..9ba32e8
--- /dev/null
+++ b/roles/postfix_server/templates/etc/postfix/virtual_aliases.cf.j2
@@ -0,0 +1,8 @@
+version = 3
+bind = sasl
+sasl_mechs = gssapi
+server_host = {{ freeipa_hosts | join(" ") }}
+search_base = {{ freeipa_accounts_basedn }}
+query_filter = (|(mail=%s)(mailAlternateAddress=%s))
+special_result_attribute = member
+result_attribute = krbprincipalname
diff --git a/roles/postfix_server/templates/etc/postfix/virtual_mailboxes.cf.j2 b/roles/postfix_server/templates/etc/postfix/virtual_mailboxes.cf.j2
new file mode 100644
index 0000000..a6fae98
--- /dev/null
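Review bot: The submission entry enables SASL (`-o smtpd_sasl_auth_enable=yes`) but nothing grants authenticated clients relay rights: main.cf's smtpd_relay_restrictions and smtpd_recipient_restrictions list only permit_mynetworks before reject_unauth_destination, so an authenticated user outside mynetworks is refused with "Relay access denied", and the client list's reject_unknown_reverse_client_hostname will also turn away MUAs on addresses without reverse DNS. Override the client list on the submission entry only, `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, and add `permit_sasl_authenticated` right after `permit_mynetworks` in main.cf's smtpd_relay_restrictions and smtpd_recipient_restrictions (inert on the port-25 service, where SASL stays disabled, so it does not widen relaying there). Keeping the quota check_policy_service in the recipient list rather than overriding it away preserves the per-mailbox policy for submitted mail. I cannot see `smtpd_sasl_type` or `smtpd_sasl_path` in main.cf; if the SASL backend is not configured elsewhere in the role, the submission entry will fail at the AUTH stage.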
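Review bot: Neither this map nor virtual_mailboxes.cf.j2 (next hunk) asks for transport protection on the LDAP connection: there is no `start_tls = yes` / `tls_require_cert = yes`, and `sasl_minssf` is left at its default of 0, so whether the GSSAPI bind ends up with an integrity or confidentiality layer depends on what the directory negotiates. Since these lookups decide which recipients are accepted and where they are routed, pin it explicitly in both maps — either `start_tls = yes` with `tls_require_cert = yes` and `tls_ca_cert_file = <path-to-IPA-CA-bundle>`, or at least a nonzero `sasl_minssf` (e.g. `sasl_minssf = 56`) to insist on a GSSAPI security layer. Both maps also lack a `domain` line, so every lookup, including addresses at remote domains that virtual_alias_maps sees on every recipient, is sent to the directory; `domain = {{ freeipa_realm }} {{ postfix_virtual_domains | join(' ') }}`, mirroring virtual_mailbox_domains in main.cf, limits the queries to the domains this server handles.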
+++ b/roles/postfix_server/templates/etc/postfix/virtual_mailboxes.cf.j2
@@ -0,0 +1,7 @@
+version = 3
+bind = sasl
+sasl_mechs = gssapi
+server_host = {{ freeipa_hosts | join(" ") }}
+search_base = {{ freeipa_user_basedn }}
+query_filter = (&(krbprincipalname=%s)(memberof=cn={{ postfix_recipient_group }},{{ freeipa_group_basedn }}))
+result_attribute = krbprincipalname
-- cgit