opensourcemirror
/
opnsense-plugins
mirror of https://github.com/opnsense/plugins.git
1
0
Fork 0
Code Issues Releases Wiki Activity
opnsense-plugins/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf

255 lines
13 KiB
CFEngine3
Raw Blame History

{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
##########################
# START SYSTEM DEFAULTS
##########################
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
inet_protocols = {{ OPNsense.postfix.general.ip_version }}
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
relay_domains = hash:/usr/local/etc/postfix/transport
transport_maps = hash:/usr/local/etc/postfix/transport
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
header_checks = pcre:/usr/local/etc/postfix/header_checks_receiving
smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks_delivering
smtp_tls_CAfile = /etc/ssl/cert.pem
##########################
# END SYSTEM DEFAULTS
##########################
{% if helpers.exists('OPNsense.postfix.general.myhostname') and OPNsense.postfix.general.myhostname != '' %}
myhostname = {{ OPNsense.postfix.general.myhostname }}
{% else %}
myhostname = {{ system.hostname }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.mydomain') and OPNsense.postfix.general.mydomain != '' %}
mydomain = {{ OPNsense.postfix.general.mydomain }}
{% else %}
mydomain = {{ system.domain }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.myorigin') and OPNsense.postfix.general.myorigin != '' %}
myorigin = {{ OPNsense.postfix.general.myorigin }}
{% else %}
myorigin = $myhostname
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.inet_interfaces') and OPNsense.postfix.general.inet_interfaces != '' %}
inet_interfaces = {{ OPNsense.postfix.general.inet_interfaces }}
{% else %}
inet_interfaces = all
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.bind_address') and OPNsense.postfix.general.bind_address != '' %}
smtp_bind_address = {{ OPNsense.postfix.general.bind_address }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.bind_address6') and OPNsense.postfix.general.bind_address6 != '' %}
smtp_bind_address6 = {{ OPNsense.postfix.general.bind_address6 }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.mynetworks') and OPNsense.postfix.general.mynetworks != '' %}
mynetworks = {{ OPNsense.postfix.general.mynetworks.replace(',', ' ') }}
{% else %}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.banner') and OPNsense.postfix.general.banner != '' %}
smtpd_banner = {{ OPNsense.postfix.general.banner }}
{% else %}
smtpd_banner = $myhostname ESMTP Postfix
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.message_size_limit') and OPNsense.postfix.general.message_size_limit != '' %}
message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tlswrappermode') and OPNsense.postfix.general.tlswrappermode == '1' %}
smtp_tls_wrappermode = yes
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
smtp_tls_loglevel = 1
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') %}
{% if OPNsense.postfix.general.tls_client_compatibility == 'modern' %}
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
{% elif OPNsense.postfix.general.tls_client_compatibility == 'intermediate' %}
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = medium
{% elif OPNsense.postfix.general.tls_client_compatibility == 'old' %}
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = low
{% endif %}
smtp_tls_protocols = $smtp_tls_mandatory_protocols
{% if OPNsense.postfix.general.tls_client_compatibility != 'modern' %}
smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
{% else %}
smtpd_tls_CAfile = /etc/ssl/cert.pem
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
{% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
{% elif OPNsense.postfix.general.tls_server_compatibility == 'intermediate' %}
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
smtpd_tls_mandatory_ciphers = medium
{% elif OPNsense.postfix.general.tls_server_compatibility == 'old' %}
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
smtpd_tls_mandatory_ciphers = low
{% endif %}
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
{% if OPNsense.postfix.general.tls_server_compatibility != 'modern' %}
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') or helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
{% if OPNsense.postfix.general.tls_server_compatibility == 'old' %}
tls_preempt_cipherlist = yes
{% else %}
tls_preempt_cipherlist = no
{% endif %}
{% endif%}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.relayhost') and OPNsense.postfix.general.relayhost != '' %}
relayhost = {{ OPNsense.postfix.general.relayhost }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.smtpauth_enabled') and OPNsense.postfix.general.smtpauth_enabled != '' %}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
smtp_sasl_security_options =
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
smtpd_sasl_auth_enable = yes
{% endif %}
{% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
smtpd_milters = unix:/var/run/rspamd/milter.sock
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
milter_default_action = {{ OPNsense.postfix.antispam.default_action }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.enforce_recipient_check') and OPNsense.postfix.general.enforce_recipient_check == '1' %}
relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
{% endif %}
{# Sender Restrictions #}
{% set smtpd_recipient_restrictions=[] %}
{% if helpers.exists('OPNsense.postfix.sender.senders.sender') %}
{% do smtpd_recipient_restrictions.append('check_sender_access hash:/usr/local/etc/postfix/sender_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.recipient.recipients.recipient') %}
{% do smtpd_recipient_restrictions.append('check_recipient_access hash:/usr/local/etc/postfix/recipient_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_client_hostname') and OPNsense.postfix.general.reject_unknown_client_hostname == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_client_hostname') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_helo_hostname') and OPNsense.postfix.general.reject_non_fqdn_helo_hostname == '1' %}
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_helo_hostname') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_invalid_helo_hostname') and OPNsense.postfix.general.reject_invalid_helo_hostname == '1' %}
{% do smtpd_recipient_restrictions.append('reject_invalid_helo_hostname') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_helo_hostname') and OPNsense.postfix.general.reject_unknown_helo_hostname == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_helo_hostname') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_pipelining') and OPNsense.postfix.general.reject_unauth_pipelining == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unauth_pipelining') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_sender_domain') and OPNsense.postfix.general.reject_unknown_sender_domain == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_sender_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_recipient_domain') and OPNsense.postfix.general.reject_unknown_recipient_domain == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unknown_recipient_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_sender') and OPNsense.postfix.general.reject_non_fqdn_sender == '1' %}
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_sender') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_recipient') and OPNsense.postfix.general.reject_non_fqdn_recipient == '1' %}
{% do smtpd_recipient_restrictions.append('reject_non_fqdn_recipient') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
{% do smtpd_recipient_restrictions.append('permit_sasl_authenticated') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_tls_clientcerts') and OPNsense.postfix.general.permit_tls_clientcerts == '1' %}
{% do smtpd_recipient_restrictions.append('permit_tls_clientcerts') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_mynetworks') and OPNsense.postfix.general.permit_mynetworks == '1' %}
{% do smtpd_recipient_restrictions.append('permit_mynetworks') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_destination') and OPNsense.postfix.general.reject_unauth_destination == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unauth_destination') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unverified_recipient') and OPNsense.postfix.general.reject_unverified_recipient == '1' %}
{% do smtpd_recipient_restrictions.append('reject_unverified_recipient') %}
{% endif %}
{% if smtpd_recipient_restrictions|length >= 1 %}
smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.delay_warning_time') and OPNsense.postfix.general.delay_warning_time != '0' %}
delay_warning_time = {{ OPNsense.postfix.general.delay_warning_time }}h
{% endif %}
smtpd_helo_required = yes
{% if helpers.exists('OPNsense.postfix.general.extensive_helo_restrictions') and OPNsense.postfix.general.extensive_helo_restrictions == '1' %}
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_hostname,
reject_unknown_hostname
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.extensive_sender_restrictions') and OPNsense.postfix.general.extensive_sender_restrictions == '1' %}
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_reverse_client_hostname,
reject_unknown_sender_domain,
reject_non_fqdn_sender
{% endif %}
syslog_facility = mail
syslog_name = postfix
{% endif %}
Reference in New Issue View Git Blame Copy Permalink