postfix_packages:
  - postfix
  - postfix-ldap
  - cyrus-sasl
  - cyrus-sasl-gssapi
  - cyrus-sasl-plain
  - s-nail

postfix_certificate_path: /etc/pki/tls/certs/postfix2.pem
postfix_certificate_key_path: /etc/pki/tls/private/postfix2.key
postfix_dhparams_path: /etc/pki/tls/misc/dhparams-postfix.pem

postfix_hbac_service: smtp
postfix_hbac_hostgroup: mail_servers

postfix_smtp_ca_file: /etc/pki/tls/certs/ca-bundle.crt
postfix_cipherlist: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

postfix_keytab: /var/lib/gssproxy/clients/postfix.keytab

postfix_selinux_policy_te: |
  require {
    type postfix_exec_t;
    type postfix_smtpd_exec_t;
    type postfix_cleanup_t;
    type postfix_cleanup_exec_t;
    type postfix_master_t;
    type postfix_cleanup_t;
    type postfix_smtpd_t;
    type gssproxy_t;
    type gssproxy_var_lib_t;
    class file getattr;
    class dir search;
    class sock_file write;
    class unix_stream_socket connectto;
    class process noatsecure;
    class key { read view write };
  }

  #============= postfix_smtpd_t ==============
  allow postfix_smtpd_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_smtpd_t gssproxy_var_lib_t:dir search;
  allow postfix_smtpd_t gssproxy_var_lib_t:sock_file write;
  allow postfix_smtpd_t postfix_master_t:key { read view write };

  #============= postfix_master_t ==============
  allow postfix_master_t postfix_smtpd_t:process noatsecure;
  allow postfix_master_t postfix_smtpd_t:key { read write };
  allow postfix_master_t postfix_cleanup_t:process noatsecure;
  allow postfix_master_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_master_t gssproxy_var_lib_t:dir search;
  allow postfix_master_t gssproxy_var_lib_t:sock_file write;

  #============= postfix_cleanup_t ==============
  allow postfix_cleanup_t gssproxy_var_lib_t:dir search;
  allow postfix_cleanup_t gssproxy_var_lib_t:sock_file write;
  allow postfix_cleanup_t gssproxy_t:unix_stream_socket connectto;
  allow postfix_cleanup_t postfix_master_t:key read;
  allow postfix_cleanup_t postfix_smtpd_t:key read;

  #============= gssproxy_t ==============
  allow gssproxy_t postfix_cleanup_exec_t:file getattr;
  allow gssproxy_t postfix_smtpd_exec_t:file getattr;
  allow gssproxy_t postfix_exec_t:file getattr;