---
# Hiera data for an inbound MX / mail gateway ("in-mta"): accepts mail from the
# Internet on port 25 behind postscreen, performs sender/recipient policy checks,
# and relays accepted mail to an internal host via postfix::transports.
# No local delivery happens on this host (local_transport is an error transport).
hiera_include:
  - postfix

# additional altnames
# Extra SAN requested from the Vault-issued certificate; must match myhostname
# below so the smtpd TLS certificate matches the advertised hostname.
profiles::pki::vault::alt_names:
  - in-mta.main.unkin.net

# postfix configuration
# 'direct' and 'blank' are module-level sentinels (presumably "no relayhost" and
# "empty mydestination") — confirm their meaning in the postfix module in use.
postfix::relayhost: 'direct'
postfix::myorigin: 'main.unkin.net'
postfix::mydestination: 'blank'
# Loopback only: permit_mynetworks in the restriction lists below therefore only
# exempts local processes, never other hosts on the LAN.
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
postfix::alias_maps: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
postfix::mta: true
postfix::manage_aliases: true
# Port 25 is served by postscreen(8); real SMTP sessions are handed to the
# 'smtpd pass' service defined in master_entries. Only one postscreen process
# (maxproc 1) is used, as Postfix documents for this setup.
postfix::master_smtp: 'smtp inet n - n - 1 postscreen'
postfix::master_entries:
  - 'smtpd pass - - n - - smtpd'
  - 'dnsblog unix - - n - 0 dnsblog'
  - 'tlsproxy unix - - n - 0 tlsproxy'

# postfix main.cf configurations
# Each key is a main.cf parameter; 'value' sets it, 'ensure: blank' empties it.
postfix::configs:
  alias_database:
    value: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
  default_destination_recipient_limit:
    value: '1'
  # Prevents VRFY-based address harvesting.
  disable_vrfy_command:
    value: 'yes'
  # Long queue IDs are unique across restarts — useful for log correlation / IR.
  enable_long_queue_ids:
    value: 'yes'
  error_notice_recipient:
    value: 'root'
  # NOTE(review): /etc/postfix/header_checks is referenced here but is not
  # managed under postfix::maps in this file — it must exist or cleanup(8)
  # will fail to open it. Confirm it is delivered by another profile.
  header_checks:
    value: 'regexp:/etc/postfix/header_checks'
  local_recipient_maps:
    ensure: 'blank'
  # No local delivery on this gateway; anything that would go to local(8)
  # is bounced with this reason.
  local_transport:
    value: 'error:No local mail delivery'
  mailbox_size_limit:
    value: '133169152'
  # ~127 MiB per message, equal to mailbox_size_limit (Postfix requires
  # message_size_limit <= mailbox_size_limit).
  message_size_limit:
    value: '133169152'
  myhostname:
    value: 'in-mta.main.unkin.net'
  # Milter (smtpd_milters below) is applied to SMTP mail only, not to
  # locally submitted / pickup mail.
  non_smtpd_milters:
    ensure: 'blank'
  # postscreen whitelist/blacklist: local clients skip postscreen, everything
  # else is looked up in the CIDR map delivered via postfix::maps.
  postscreen_access_list:
    value: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
  # NOTE(review): renamed to postscreen_denylist_action in Postfix 3.6; the
  # old name is still accepted as a compatibility alias.
  postscreen_blacklist_action:
    value: 'enforce'
  postscreen_cache_map:
    value: 'btree:$data_directory/postscreen_cache'
  postscreen_dnsbl_action:
    value: 'enforce'
  # Weighted DNSBL/DNSWL scoring; a client is rejected once the sum reaches
  # postscreen_dnsbl_threshold. Negative weights are allow-lists (dnswl/swl).
  # NOTE(review): zen.spamhaus.org only answers from non-public resolvers (or
  # via a DQS key); b.barracudacentral.org requires registration; and
  # dnsbl.sorbs.net reportedly ceased operation in 2024 — a dead or
  # re-registered zone can silently stop contributing or start returning
  # bogus listings, so verify each list is still live and answering.
  postscreen_dnsbl_sites:
    value: 'zen.spamhaus.org*3, b.barracudacentral.org=127.0.0.[2..11]*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'
  postscreen_dnsbl_threshold:
    value: '2'
  # Reject clients that talk before the greeting (classic spambot behaviour).
  postscreen_greet_action:
    value: 'enforce'
  postscreen_greet_banner:
    value: '$smtpd_banner'
  # Shorter pre-greet wait under stress (2s) than normally (6s).
  postscreen_greet_wait:
    value: '${stress?2}${stress:6}s'
  # qmqpd is not enabled in master_entries above; this is inert unless it is
  # added elsewhere.
  qmqpd_authorized_clients:
    value: '127.0.0.1 [::1]'
  recipient_canonical_maps:
    value: 'hash:/etc/postfix/recipient_canonical'
  # Enables user+tag@domain addressing.
  recipient_delimiter:
    value: '+'
  # Domains this MX accepts mail for, and the valid recipients within them.
  # Unknown recipients in relay domains are rejected at RCPT time because
  # relay_recipient_maps is non-empty.
  relay_domains:
    value: 'hash:/etc/postfix/relay_domains'
  relay_recipient_maps:
    value: 'hash:/etc/postfix/relay_recipients'
  sender_canonical_maps:
    value: 'hash:/etc/postfix/sender_canonical'
  # --- outbound (smtp client) TLS ---
  # Opportunistic TLS only: no certificate verification and cleartext
  # fallback. The only nexthop defined in this file is the internal relay in
  # postfix::transports; NOTE(review): consider smtp_tls_policy_maps with
  # 'encrypt' (or 'secure' if it presents a trusted certificate) for that host
  # so mail to the internal relay — including reject_unverified_recipient
  # probes — is never sent in the clear.
  smtp_tls_CAfile:
    value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
  smtp_tls_mandatory_protocols:
    value: '!SSLv2,!SSLv3'
  # Legacy parameter; superseded by smtp_tls_security_level. Harmless.
  smtp_tls_note_starttls_offer:
    value: 'yes'
  # Excludes SSLv2/SSLv3 only, leaving TLS 1.0/1.1 negotiable. For an
  # opportunistic MX that is a deliberate trade-off (the alternative for
  # legacy peers is cleartext); newer Postfix defaults to '>=TLSv1' or later,
  # so check the installed version's default before tightening.
  smtp_tls_protocols:
    value: '!SSLv2,!SSLv3'
  smtp_tls_security_level:
    value: 'may'
  smtp_tls_session_cache_database:
    value: 'btree:/var/lib/postfix/smtp_tls_session_cache'
  # Legacy parameter; superseded by smtp_tls_security_level. Harmless.
  smtp_use_tls:
    value: 'yes'
  # --- inbound (smtpd) policy ---
  # $mail_name only (no $mail_version): the banner does not leak the version.
  smtpd_banner:
    value: '$myhostname ESMTP $mail_name'
  # NOTE(review): smtpd_sasl_auth_enable is not set anywhere in this file, so
  # permit_sasl_authenticated here and in the lists below is a no-op unless
  # SASL is enabled by another profile. The reject_rbl_client lookup
  # duplicates the postscreen zen.spamhaus.org check for the same client.
  smtpd_client_restrictions:
    value: 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'
  smtpd_data_restrictions:
    value: 'reject_unauth_pipelining'
  # Postpone rejections until RCPT TO so the log records the full envelope.
  smtpd_delay_reject:
    value: 'yes'
  # Do not advertise CHUNKING (BDAT); together with the two
  # smtpd_forbid_* settings this closes the SMTP-smuggling vectors.
  smtpd_discard_ehlo_keywords:
    value: 'chunking, silent-discard'
  # Rejects bare <LF> in message content (SMTP smuggling hardening).
  # NOTE(review): 'yes' is the older spelling; Postfix 3.9 documents
  # 'normalize' / 'reject' — confirm which behaviour 'yes' maps to on the
  # installed version.
  smtpd_forbid_bare_newline:
    value: 'yes'
  smtpd_forbid_bare_newline_exclusions:
    value: '$mynetworks'
  smtpd_forbid_unauth_pipelining:
    value: 'yes'
  smtpd_helo_required:
    value: 'yes'
  # reject_invalid_hostname is the legacy name of reject_invalid_helo_hostname.
  smtpd_helo_restrictions:
    value: 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
  # Loopback milter on 33333 (which filter listens there is not shown here).
  # milter_default_action is left at its default, so a milter outage tempfails
  # inbound mail rather than letting it through unfiltered.
  smtpd_milters:
    value: 'inet:127.0.0.1:33333'
  # Order matters: reject_unauth_destination precedes the policy service and
  # the recipient verification probe, so neither is consulted for relay
  # attempts to foreign domains. reject_unverified_recipient probes the
  # nexthop in postfix::transports; unverified_recipient_reject_* below set
  # the response.
  smtpd_recipient_restrictions:
    value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_unverified_recipient'
  # Anti-relay safety net, evaluated before smtpd_recipient_restrictions.
  smtpd_relay_restrictions:
    value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  smtpd_sender_restrictions:
    value: 'permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain'
  # --- inbound (smtpd) TLS ---
  # Client certificates are not requested (no smtpd_tls_ask_ccert), so the
  # CAfile has no effect on authentication here.
  smtpd_tls_CAfile:
    value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
  smtpd_tls_cert_file:
    value: '/etc/pki/tls/vault/certificate.pem'
  # 'medium' selects tls_medium_cipherlist below.
  smtpd_tls_ciphers:
    value: 'medium'
  # Same file as smtpd_tls_cert_file: assumes the Vault profile writes a
  # combined PEM (certificate + private key), which Postfix supports.
  # NOTE(review): a combined file holds the private key — confirm it is
  # root-owned, mode 0600, since Postfix reads it as root before dropping
  # privileges.
  smtpd_tls_key_file:
    value: '/etc/pki/tls/vault/certificate.pem'
  smtpd_tls_loglevel:
    value: '1'
  # Only relevant for 'encrypt'/'secure' levels; inbound level is 'may'.
  smtpd_tls_mandatory_protocols:
    value: '!SSLv2,!SSLv3'
  # See smtp_tls_protocols above for the TLS 1.0/1.1 trade-off.
  smtpd_tls_protocols:
    value: '!SSLv2,!SSLv3'
  # Records protocol/cipher in the Received: header — useful for forensics.
  smtpd_tls_received_header:
    value: 'yes'
  # Opportunistic STARTTLS on the MX; do not raise to 'encrypt' on a public
  # MX (RFC 3207 forbids mandatory TLS on publicly referenced servers).
  smtpd_tls_security_level:
    value: 'may'
  smtpd_tls_session_cache_database:
    value: 'btree:/var/lib/postfix/smtpd_tls_session_cache'
  smtpd_tls_session_cache_timeout:
    value: '3600s'
  # Legacy parameter; superseded by smtpd_tls_security_level. Harmless.
  smtpd_use_tls:
    value: 'yes'
  # Custom cipher list overriding Postfix's own 'medium' grade. Excludes
  # anonymous suites, MD5 and DSS; still includes the 3DES suites
  # (ECDH+3DES, DH+3DES, RSA+3DES), which are SWEET32-affected.
  # NOTE(review): Postfix advises against overriding tls_medium_cipherlist
  # for opportunistic TLS; if the list is kept, consider dropping the 3DES
  # entries once logs show no peers still negotiating them.
  tls_medium_cipherlist:
    value: 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
  # Server-side cipher preference order wins over the client's.
  tls_preempt_cipherlist:
    value: 'yes'
  tls_random_source:
    value: 'dev:/dev/urandom'
  # Permanent (550) rejection when the nexthop says the recipient is unknown.
  unverified_recipient_reject_code:
    value: '550'
  unverified_recipient_reject_reason:
    value: 'No user at this address'

# postfix maps
# Lookup tables referenced from the restriction lists above; contents are
# shipped from the profiles module. Note header_checks is not among them.
postfix::maps:
  postscreen_access:
    ensure: present
    type: 'cidr'
    source: 'puppet:///modules/profiles/postfix/gateway/postscreen_access'
  relay_recipients:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/relay_recipients'
  relay_domains:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/relay_domains'
  aliases:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/aliases'
  helo_access:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/helo_access'
  sender_access:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/sender_access'
  recipient_access:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/recipient_access'
  recipient_canonical:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/recipient_canonical'
  sender_canonical:
    ensure: present
    type: 'hash'
    source: 'puppet:///modules/profiles/postfix/gateway/sender_canonical'

# postfix transports
# All accepted mail for main.unkin.net is relayed to the internal host on
# port 25 (cleartext-capable; see the smtp_tls_* notes above).
postfix::transports:
  'main.unkin.net':
    ensure: present
    destination: 'relay'
    nexthop: 'ausyd1nxvm2120.main.unkin.net:25'

# postfix virtuals
# RFC 2142 role addresses (postmaster, abuse) plus root are redirected to a
# real mailbox. Bare keys match user@$myorigin, i.e. @main.unkin.net.
# NOTE(review): since local(8) is never used here, these must take effect via
# virtual_alias_maps (set by the module, not in this file) — confirm that the
# module enables it, otherwise the entries are inert.
postfix::virtuals:
  'root':
    ensure: present
    destination: 'ben@main.unkin.net'
  'postmaster':
    ensure: present
    destination: 'ben@main.unkin.net'
  'abuse':
    ensure: present
    destination: 'ben@main.unkin.net'