mirror/ infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-04 15:56:03 +02:00
Code Issues
infrastructure/roles/postfix/templates/main.cf.j2
Kristian Klausen 24e73359c6
Decommission patchwork.archlinux.org and replace it with a static copy[1] 
As announced on the mailing list[2] pacman has been migrated to gitlab
and there is no real use for patchwork left, so it can be
decommissioned. A static copy[1] is kept around for the time being to
avoid link rot.

[1] https://gitlab.archlinux.org/archlinux/patchwork-archive
[2] https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/message/7B6R5HVEC67U7B2VQ3SKUVXU4RDCRRMM/

Fix #487
2023-01-08 22:10:49 +01:00

185 lines
5.1 KiB
Django/Jinja
Raw Blame History

#
# {{ansible_managed}}
#
compatibility_level = 2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
smtputf8_enable = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/{{mail_domain}}/privkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = ultra
tls_preempt_cipherlist = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHAA
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_use_tls = yes
smtp_tls_CApath = /etc/ssl/certs
# TODO: daemon_directory should be the same as the default. drop it
daemon_directory = /usr/lib/postfix/bin
mydomain = {{inventory_hostname}}
myhostname = {{inventory_hostname}}
myorigin = archlinux.org
mydestination = archlinux.org
default_database_type=btree
indexed = ${default_database_type}:${config_directory}
mynetworks =
127.0.0.1
[::ffff:127.0.0.0]/104
[::1]/128
mailbox_transport = lmtp:unix:private/dovecot-lmtp
lmtp_destination_recipient_limit=1
mailbox_size_limit = 0
message_size_limit = 104857600
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# enable for testing new config
soft_bounce = no
debug_peer_list =
smtp_connection_cache_on_demand = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# custom restriction classes
policy_check =
# postfwd (rate-limiting)
check_policy_service inet:127.0.0.1:10040
smtpd_recipient_restrictions =
# policy services
$policy_check,
# white-/blacklisting
check_recipient_access ${indexed}/access_recipient,
check_client_access ${indexed}/access_client,
check_helo_access ${indexed}/access_helo,
check_sender_access ${indexed}/access_sender,
# reject unclean mails
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_recipient_domain,
reject_unknown_sender_domain,
# allow our users
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,
permit_mynetworks,
# reject mailservers without proper rDNS and hostname->IP
#warn_if_reject reject_unknown_client_hostname,
# check RBLs
# check the HELO
#warn_if_reject reject_invalid_helo_hostname,
# reject relaying
reject_unauth_destination,
# cache if recipient exists
#reject_unverified_recipient,
#permit_mx_backup,
permit
# some rate limiting rules only work after data so check it again
smtpd_end_of_data_restrictions =
$policy_check
address_verify_map = ${default_database_type}:/var/lib/postfix/verify_cache
unverified_recipient_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
smtpd_reject_footer = For assistance contact <postmaster@archlinux.org>. Please provide the following information in your problem report: time ($localtime), client ($client_address) and server ($server_name).
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_tls_received_header = yes
# needed for SA
smtpd_sasl_authenticated_header = yes
submission_recipient_restrictions=
# allow postmaster
check_recipient_access ${indexed}/access_recipient,
permit_sasl_authenticated,
reject
smtpd_milters=inet:localhost:11332
non_smtpd_milters=inet:localhost:11332
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
internal_mail_filter_classes = bounce
smtpd_sender_login_maps =
${indexed}/smtp_sender_map,
${indexed}/users
smtpd_helo_required = yes
smtpd_client_connection_rate_limit = 400
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
alias_maps = ${indexed}/aliases
alias_database = ${indexed}/aliases
virtual_alias_maps =
${indexed}/users
pcre:${config_directory}/users.pcre
virtual_alias_domains = ${indexed}/domains
# reject mails to system users (nobody looks in those mailboxes)
local_recipient_maps =
${indexed}/users
$alias_maps
pcre:${config_directory}/transport.pcre
relocated_maps = ${indexed}/relocated
relay_domains =
transport_maps =
${indexed}/transport
pcre:${config_directory}/transport.pcre
wiki_bouncehandler_destination_recipient_limit = 1
authorized_mailq_users = root
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks
delay_warning_time = 4h
# vim: set ft=pfmain:
View Git Blame Copy Permalink