255 lines
13 KiB
CFEngine3
255 lines
13 KiB
CFEngine3
{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
|
|
|
|
##########################
|
|
# START SYSTEM DEFAULTS
|
|
##########################
|
|
alias_database = hash:/usr/local/etc/postfix/aliases
|
|
alias_maps = hash:/usr/local/etc/postfix/aliases
|
|
compatibility_level = 2
|
|
queue_directory = /var/spool/postfix
|
|
command_directory = /usr/local/sbin
|
|
daemon_directory = /usr/local/libexec/postfix
|
|
data_directory = /var/db/postfix
|
|
mail_owner = postfix
|
|
unknown_local_recipient_reject_code = 550
|
|
mynetworks_style = host
|
|
debug_peer_level = 2
|
|
debugger_command =
|
|
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
|
|
ddd $daemon_directory/$process_name $process_id & sleep 5
|
|
|
|
sendmail_path = /usr/local/sbin/sendmail
|
|
newaliases_path = /usr/local/bin/newaliases
|
|
mailq_path = /usr/local/bin/mailq
|
|
setgid_group = maildrop
|
|
html_directory = no
|
|
manpage_directory = /usr/local/man
|
|
sample_directory = /usr/local/etc/postfix
|
|
readme_directory = no
|
|
inet_protocols = {{ OPNsense.postfix.general.ip_version }}
|
|
meta_directory = /usr/local/libexec/postfix
|
|
shlib_directory = /usr/local/lib/postfix
|
|
relay_domains = hash:/usr/local/etc/postfix/transport
|
|
transport_maps = hash:/usr/local/etc/postfix/transport
|
|
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
|
|
sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
|
|
recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
|
|
sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
|
|
header_checks = pcre:/usr/local/etc/postfix/header_checks_receiving
|
|
smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks_delivering
|
|
smtp_tls_CAfile = /etc/ssl/cert.pem
|
|
##########################
|
|
# END SYSTEM DEFAULTS
|
|
##########################
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.myhostname') and OPNsense.postfix.general.myhostname != '' %}
|
|
myhostname = {{ OPNsense.postfix.general.myhostname }}
|
|
{% else %}
|
|
myhostname = {{ system.hostname }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.mydomain') and OPNsense.postfix.general.mydomain != '' %}
|
|
mydomain = {{ OPNsense.postfix.general.mydomain }}
|
|
{% else %}
|
|
mydomain = {{ system.domain }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.myorigin') and OPNsense.postfix.general.myorigin != '' %}
|
|
myorigin = {{ OPNsense.postfix.general.myorigin }}
|
|
{% else %}
|
|
myorigin = $myhostname
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.inet_interfaces') and OPNsense.postfix.general.inet_interfaces != '' %}
|
|
inet_interfaces = {{ OPNsense.postfix.general.inet_interfaces }}
|
|
{% else %}
|
|
inet_interfaces = all
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.bind_address') and OPNsense.postfix.general.bind_address != '' %}
|
|
smtp_bind_address = {{ OPNsense.postfix.general.bind_address }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.bind_address6') and OPNsense.postfix.general.bind_address6 != '' %}
|
|
smtp_bind_address6 = {{ OPNsense.postfix.general.bind_address6 }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.mynetworks') and OPNsense.postfix.general.mynetworks != '' %}
|
|
mynetworks = {{ OPNsense.postfix.general.mynetworks.replace(',', ' ') }}
|
|
{% else %}
|
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.banner') and OPNsense.postfix.general.banner != '' %}
|
|
smtpd_banner = {{ OPNsense.postfix.general.banner }}
|
|
{% else %}
|
|
smtpd_banner = $myhostname ESMTP Postfix
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.message_size_limit') and OPNsense.postfix.general.message_size_limit != '' %}
|
|
message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
|
|
masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.tlswrappermode') and OPNsense.postfix.general.tlswrappermode == '1' %}
|
|
smtp_tls_wrappermode = yes
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
|
|
smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
|
|
smtp_tls_loglevel = 1
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') %}
|
|
{% if OPNsense.postfix.general.tls_client_compatibility == 'modern' %}
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
|
|
{% elif OPNsense.postfix.general.tls_client_compatibility == 'intermediate' %}
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
smtp_tls_mandatory_ciphers = medium
|
|
{% elif OPNsense.postfix.general.tls_client_compatibility == 'old' %}
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
smtp_tls_mandatory_ciphers = low
|
|
{% endif %}
|
|
smtp_tls_protocols = $smtp_tls_mandatory_protocols
|
|
{% if OPNsense.postfix.general.tls_client_compatibility != 'modern' %}
|
|
smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
|
|
smtpd_use_tls = yes
|
|
smtpd_tls_auth_only = yes
|
|
smtpd_tls_loglevel = 1
|
|
smtpd_tls_received_header = yes
|
|
smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
|
|
smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
|
|
{% else %}
|
|
smtpd_tls_CAfile = /etc/ssl/cert.pem
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
|
|
{% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
|
|
{% elif OPNsense.postfix.general.tls_server_compatibility == 'intermediate' %}
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
|
|
smtpd_tls_mandatory_ciphers = medium
|
|
{% elif OPNsense.postfix.general.tls_server_compatibility == 'old' %}
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
|
|
smtpd_tls_mandatory_ciphers = low
|
|
{% endif %}
|
|
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
|
|
{% if OPNsense.postfix.general.tls_server_compatibility != 'modern' %}
|
|
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') or helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
|
|
tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
|
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
{% if OPNsense.postfix.general.tls_server_compatibility == 'old' %}
|
|
tls_preempt_cipherlist = yes
|
|
{% else %}
|
|
tls_preempt_cipherlist = no
|
|
{% endif %}
|
|
{% endif%}
|
|
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.relayhost') and OPNsense.postfix.general.relayhost != '' %}
|
|
relayhost = {{ OPNsense.postfix.general.relayhost }}
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.smtpauth_enabled') and OPNsense.postfix.general.smtpauth_enabled != '' %}
|
|
smtp_sasl_auth_enable = yes
|
|
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
|
|
smtp_sasl_security_options =
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
|
|
smtpd_sasl_auth_enable = yes
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
|
|
smtpd_milters = unix:/var/run/rspamd/milter.sock
|
|
non_smtpd_milters = $smtpd_milters
|
|
milter_protocol = 6
|
|
milter_default_action = {{ OPNsense.postfix.antispam.default_action }}
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.enforce_recipient_check') and OPNsense.postfix.general.enforce_recipient_check == '1' %}
|
|
relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
|
|
{% endif %}
|
|
|
|
{# Sender Restrictions #}
|
|
{% set smtpd_recipient_restrictions=[] %}
|
|
{% if helpers.exists('OPNsense.postfix.sender.senders.sender') %}
|
|
{% do smtpd_recipient_restrictions.append('check_sender_access hash:/usr/local/etc/postfix/sender_access') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.recipient.recipients.recipient') %}
|
|
{% do smtpd_recipient_restrictions.append('check_recipient_access hash:/usr/local/etc/postfix/recipient_access') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_client_hostname') and OPNsense.postfix.general.reject_unknown_client_hostname == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unknown_client_hostname') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_helo_hostname') and OPNsense.postfix.general.reject_non_fqdn_helo_hostname == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_helo_hostname') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_invalid_helo_hostname') and OPNsense.postfix.general.reject_invalid_helo_hostname == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_invalid_helo_hostname') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_helo_hostname') and OPNsense.postfix.general.reject_unknown_helo_hostname == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unknown_helo_hostname') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_pipelining') and OPNsense.postfix.general.reject_unauth_pipelining == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unauth_pipelining') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_sender_domain') and OPNsense.postfix.general.reject_unknown_sender_domain == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unknown_sender_domain') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_recipient_domain') and OPNsense.postfix.general.reject_unknown_recipient_domain == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unknown_recipient_domain') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_sender') and OPNsense.postfix.general.reject_non_fqdn_sender == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_sender') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_recipient') and OPNsense.postfix.general.reject_non_fqdn_recipient == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_recipient') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('permit_sasl_authenticated') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.permit_tls_clientcerts') and OPNsense.postfix.general.permit_tls_clientcerts == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('permit_tls_clientcerts') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.permit_mynetworks') and OPNsense.postfix.general.permit_mynetworks == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('permit_mynetworks') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_destination') and OPNsense.postfix.general.reject_unauth_destination == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unauth_destination') %}
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.reject_unverified_recipient') and OPNsense.postfix.general.reject_unverified_recipient == '1' %}
|
|
{% do smtpd_recipient_restrictions.append('reject_unverified_recipient') %}
|
|
{% endif %}
|
|
|
|
{% if smtpd_recipient_restrictions|length >= 1 %}
|
|
smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
|
|
{% endif %}
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.delay_warning_time') and OPNsense.postfix.general.delay_warning_time != '0' %}
|
|
delay_warning_time = {{ OPNsense.postfix.general.delay_warning_time }}h
|
|
{% endif %}
|
|
|
|
smtpd_helo_required = yes
|
|
|
|
{% if helpers.exists('OPNsense.postfix.general.extensive_helo_restrictions') and OPNsense.postfix.general.extensive_helo_restrictions == '1' %}
|
|
smtpd_helo_restrictions =
|
|
permit_mynetworks,
|
|
permit_sasl_authenticated,
|
|
reject_invalid_helo_hostname,
|
|
reject_non_fqdn_hostname,
|
|
reject_unknown_hostname
|
|
{% endif %}
|
|
{% if helpers.exists('OPNsense.postfix.general.extensive_sender_restrictions') and OPNsense.postfix.general.extensive_sender_restrictions == '1' %}
|
|
smtpd_sender_restrictions =
|
|
permit_mynetworks,
|
|
permit_sasl_authenticated,
|
|
reject_unknown_reverse_client_hostname,
|
|
reject_unknown_sender_domain,
|
|
reject_non_fqdn_sender
|
|
{% endif %}
|
|
syslog_facility = mail
|
|
syslog_name = postfix
|
|
|
|
{% endif %}
|