Ben Vincent
9836857df2
- remove profiles::postfix::gateway wrapper class entirely - move all postfix configurations to hieradata/roles/infra/mail/gateway.yaml - add deep merge lookup options for postfix::configs, postfix::maps, and postfix::virtuals - use hiera_include to include postfix module directly
214 lines
6.8 KiB
YAML
214 lines
6.8 KiB
YAML
---
|
|
|
|
hiera_include:
|
|
- postfix
|
|
|
|
# additional altnames
|
|
profiles::pki::vault::alt_names:
|
|
- in-mta.main.unkin.net
|
|
|
|
# postfix configuration
|
|
postfix::relayhost: 'direct'
|
|
postfix::myorigin: 'main.unkin.net'
|
|
postfix::mydestination: 'blank'
|
|
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
|
|
postfix::alias_maps: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
|
|
postfix::mta: true
|
|
postfix::manage_aliases: true
|
|
postfix::master_smtp: 'smtp inet n - n - 1 postscreen'
|
|
postfix::master_entries:
|
|
- 'smtpd pass - - n - - smtpd'
|
|
- 'dnsblog unix - - n - 0 dnsblog'
|
|
- 'tlsproxy unix - - n - 0 tlsproxy'
|
|
|
|
# postfix main.cf configurations
|
|
postfix::configs:
|
|
alias_database:
|
|
value: 'hash:/etc/aliases, hash:/etc/postfix/aliases'
|
|
default_destination_recipient_limit:
|
|
value: '1'
|
|
disable_vrfy_command:
|
|
value: 'yes'
|
|
enable_long_queue_ids:
|
|
value: 'yes'
|
|
error_notice_recipient:
|
|
value: 'root'
|
|
header_checks:
|
|
value: 'regexp:/etc/postfix/header_checks'
|
|
local_recipient_maps:
|
|
ensure: 'blank'
|
|
local_transport:
|
|
value: 'error:No local mail delivery'
|
|
mailbox_size_limit:
|
|
value: '133169152'
|
|
message_size_limit:
|
|
value: '133169152'
|
|
myhostname:
|
|
value: 'in-mta.main.unkin.net'
|
|
non_smtpd_milters:
|
|
ensure: 'blank'
|
|
postscreen_access_list:
|
|
value: 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
|
|
postscreen_blacklist_action:
|
|
value: 'enforce'
|
|
postscreen_cache_map:
|
|
value: 'btree:$data_directory/postscreen_cache'
|
|
postscreen_dnsbl_action:
|
|
value: 'enforce'
|
|
postscreen_dnsbl_sites:
|
|
value: 'zen.spamhaus.org*3, b.barracudacentral.org=127.0.0.[2..11]*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2, list.dnswl.org=127.[0..255].[0..255].1*-4, list.dnswl.org=127.[0..255].[0..255].[2..3]*-6'
|
|
postscreen_dnsbl_threshold:
|
|
value: '2'
|
|
postscreen_greet_action:
|
|
value: 'enforce'
|
|
postscreen_greet_banner:
|
|
value: '$smtpd_banner'
|
|
postscreen_greet_wait:
|
|
value: '${stress?2}${stress:6}s'
|
|
qmqpd_authorized_clients:
|
|
value: '127.0.0.1 [::1]'
|
|
recipient_canonical_maps:
|
|
value: 'hash:/etc/postfix/recipient_canonical'
|
|
recipient_delimiter:
|
|
value: '+'
|
|
relay_domains:
|
|
value: 'hash:/etc/postfix/relay_domains'
|
|
relay_recipient_maps:
|
|
value: 'hash:/etc/postfix/relay_recipients'
|
|
sender_canonical_maps:
|
|
value: 'hash:/etc/postfix/sender_canonical'
|
|
smtp_tls_CAfile:
|
|
value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
|
|
smtp_tls_mandatory_protocols:
|
|
value: '!SSLv2,!SSLv3'
|
|
smtp_tls_note_starttls_offer:
|
|
value: 'yes'
|
|
smtp_tls_protocols:
|
|
value: '!SSLv2,!SSLv3'
|
|
smtp_tls_security_level:
|
|
value: 'may'
|
|
smtp_tls_session_cache_database:
|
|
value: 'btree:/var/lib/postfix/smtp_tls_session_cache'
|
|
smtp_use_tls:
|
|
value: 'yes'
|
|
smtpd_banner:
|
|
value: '$myhostname ESMTP $mail_name'
|
|
smtpd_client_restrictions:
|
|
value: 'permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org'
|
|
smtpd_data_restrictions:
|
|
value: 'reject_unauth_pipelining'
|
|
smtpd_delay_reject:
|
|
value: 'yes'
|
|
smtpd_discard_ehlo_keywords:
|
|
value: 'chunking, silent-discard'
|
|
smtpd_forbid_bare_newline:
|
|
value: 'yes'
|
|
smtpd_forbid_bare_newline_exclusions:
|
|
value: '$mynetworks'
|
|
smtpd_forbid_unauth_pipelining:
|
|
value: 'yes'
|
|
smtpd_helo_required:
|
|
value: 'yes'
|
|
smtpd_helo_restrictions:
|
|
value: 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
|
|
smtpd_milters:
|
|
value: 'inet:127.0.0.1:33333'
|
|
smtpd_recipient_restrictions:
|
|
value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_unverified_recipient'
|
|
smtpd_relay_restrictions:
|
|
value: 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
|
|
smtpd_sender_restrictions:
|
|
value: 'permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain'
|
|
smtpd_tls_CAfile:
|
|
value: '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
|
|
smtpd_tls_cert_file:
|
|
value: '/etc/pki/tls/vault/certificate.pem'
|
|
smtpd_tls_ciphers:
|
|
value: 'medium'
|
|
smtpd_tls_key_file:
|
|
value: '/etc/pki/tls/vault/certificate.pem'
|
|
smtpd_tls_loglevel:
|
|
value: '1'
|
|
smtpd_tls_mandatory_protocols:
|
|
value: '!SSLv2,!SSLv3'
|
|
smtpd_tls_protocols:
|
|
value: '!SSLv2,!SSLv3'
|
|
smtpd_tls_received_header:
|
|
value: 'yes'
|
|
smtpd_tls_security_level:
|
|
value: 'may'
|
|
smtpd_tls_session_cache_database:
|
|
value: 'btree:/var/lib/postfix/smtpd_tls_session_cache'
|
|
smtpd_tls_session_cache_timeout:
|
|
value: '3600s'
|
|
smtpd_use_tls:
|
|
value: 'yes'
|
|
tls_medium_cipherlist:
|
|
value: 'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
|
|
tls_preempt_cipherlist:
|
|
value: 'yes'
|
|
tls_random_source:
|
|
value: 'dev:/dev/urandom'
|
|
unverified_recipient_reject_code:
|
|
value: '550'
|
|
unverified_recipient_reject_reason:
|
|
value: 'No user at this address'
|
|
|
|
# postfix maps
|
|
postfix::maps:
|
|
postscreen_access:
|
|
ensure: present
|
|
type: 'cidr'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/postscreen_access'
|
|
relay_recipients:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/relay_recipients'
|
|
relay_domains:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/relay_domains'
|
|
aliases:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/aliases'
|
|
helo_access:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/helo_access'
|
|
sender_access:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/sender_access'
|
|
recipient_access:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/recipient_access'
|
|
recipient_canonical:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/recipient_canonical'
|
|
sender_canonical:
|
|
ensure: present
|
|
type: 'hash'
|
|
source: 'puppet:///modules/profiles/postfix/gateway/sender_canonical'
|
|
|
|
# postfix transports
|
|
postfix::transports:
|
|
'main.unkin.net':
|
|
ensure: present
|
|
destination: 'relay'
|
|
nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
|
|
|
|
# postfix virtuals
|
|
postfix::virtuals:
|
|
'root':
|
|
ensure: present
|
|
destination: 'ben@main.unkin.net'
|
|
'postmaster':
|
|
ensure: present
|
|
destination: 'ben@main.unkin.net'
|
|
'abuse':
|
|
ensure: present
|
|
destination: 'ben@main.unkin.net'
|