feat: implement comprehensive postfix gateway with eFa5 configuration
Build / precommit (pull_request) Successful in 5m12s

- add voxpupuli-postfix module to Puppetfile
- create profiles::postfix::gateway class with config based on efa5
- add master.cf entries for postscreen, smtpd, dnsblog, and tlsproxy services
- create postfix hash files: aliases, access controls, canonical maps
- configure TLS with system PKI certificates and strong cipher suites
- add transport and virtual alias mappings for mail routing
2025-10-21 22:10:22 +11:00
parent e129d1cf7a
commit a0d26686a4
13 changed files with 369 additions and 0 deletions
@@ -0,0 +1,54 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
postmaster: root
# Many mailers use this address to represent the empty SMTP return path
MAILER-DAEMON: postmaster
# Common aliases for system accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
# Well-known aliases.
admin: root
manager: root
dumper: root
operator: root
# traps to catch security attacks
decode: root
moof: root
moog: root
# Standard aliases also defined by RFC 2142
abuse: postmaster
# reports of network infrastructure difficulties
noc: root
# address to report secuirty problems
security: root
# DNS administrator (DNS soa records should use this)
hostmaster: root
# Usenet news service administrator
news: usenet
usenet: root
# http/web service administrator
www: webmaster
webmaster: root
# UUCP service administrator
uucp: root
# FTP administrator (especially anon FTP)
ftp: root
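Review bot: Every alias in this file resolves to root, but there is no `root:` entry, so on a gateway host postmaster, abuse and security mail ends up in a local root mailbox that nobody is likely to read. Add a `root:` alias pointing at a monitored address, ideally supplied as a class parameter. While here, the comment above `security: root` misspells "security" as "secuirty", and `foo`, `falken`, `moof` and `moog` look like leftover sample entries from a stock aliases file that could be dropped.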
@@ -0,0 +1,11 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# HELO/EHLO access controls
# Format: pattern action
# Actions: REJECT, OK, WARN, etc.
# Block common spam patterns
.dynamic. REJECT
.dialup. REJECT
unknown REJECT
localhost REJECT You are not localhost
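Review bot: The `.dynamic. REJECT` and `.dialup. REJECT` entries will never match if this file is compiled as an indexed (hash) table, which is what the commit message describes. Indexed access(5) lookups try the exact HELO name and then its parent domains, not substrings, so a key such as `.dynamic.` is dead configuration. Move these two patterns to a regexp: or pcre: table (for example `/\.dynamic\./ REJECT`) or remove them. The `unknown` and `localhost` entries are exact-name matches and work as written.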
@@ -0,0 +1,4 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
127.0.0.1/32 permit
10.10.12.200/32 permit
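Review bot: `10.10.12.200/32 permit` is a hard-coded address with no comment saying which host it is or why it bypasses the checks this list guards. Please document the entry and consider feeding the list from a class parameter so the allow list can be reviewed and changed per environment. The CIDR notation also means this file has to be referenced as a cidr: table; it will not match if it is postmapped and loaded as hash: like the other files in this commit.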
@@ -0,0 +1,9 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Recipient access controls
# Format: recipient_pattern action
# Actions: REJECT, OK, WARN, DISCARD, etc.
# Protected recipients that require special handling
# Example entries:
# @main.unkin.net OK
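Review bot: The commented example `# @main.unkin.net OK` uses the `@domain` key form, which access(5) does not look up for email addresses; the supported forms are `user@domain`, `domain.tld` and `user@`. Anyone uncommenting it would get an entry that silently never matches, so the example should read `main.unkin.net OK`. The `# @badspammer.com REJECT` example in the sender access file has the same problem. It is also worth a comment here that an `OK` in a recipient access table can short-circuit later restrictions depending on where the check sits in `smtpd_recipient_restrictions`.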
@@ -0,0 +1,8 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Recipient canonical address mapping
# Format: original_address canonical_address
# Used to rewrite recipient addresses
# Example mappings:
# user@olddomain.com user@main.unkin.net
@@ -0,0 +1,3 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
main.unkin.net OK
@@ -0,0 +1,3 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
@main.unkin.net OK
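Review bot: `@main.unkin.net OK` is a catch-all key. The file name is not visible in this view, but if this map is used for relay recipient validation, the wildcard makes the gateway accept mail for any local part, including addresses that do not exist downstream, and the gateway then has to generate bounces for them (backscatter). Prefer listing valid recipients, or document in the file that recipient validation is deliberately deferred to the backend.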
@@ -0,0 +1,10 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Sender access controls
# Format: sender_pattern action
# Actions: REJECT, OK, WARN, DISCARD, etc.
# Block known spam domains
# Example entries:
# spammer@example.com REJECT
# @badspammer.com REJECT
@@ -0,0 +1,8 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
# Sender canonical address mapping
# Format: original_address canonical_address
# Used to rewrite sender addresses
# Example mappings:
# user@internal.local user@main.unkin.net