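{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
{# Postfix main.cf, rendered only while the plugin's "enabled" flag is '1'. The final endif of the file closes this guard. #}

##########################
# START SYSTEM DEFAULTS
##########################
{# Fixed values: install paths, lookup tables and protocol defaults that no setting in the model changes. #}
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
{# Fallback trust scope is the local host only; the explicit mynetworks line rendered further down overrides mynetworks_style. #}
mynetworks_style = host
debug_peer_level = 2
{# Continuation lines have to start with whitespace, otherwise Postfix parses them as separate parameters. The command is only used by a daemon started with -D. #}
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
inet_protocols = all
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
{# relay_domains and transport_maps read the same table, so every domain keyed in the transport table is also accepted for relaying. #}
relay_domains = hash:/usr/local/etc/postfix/transport
transport_maps = hash:/usr/local/etc/postfix/transport
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
##########################
# END SYSTEM DEFAULTS
##########################
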
{# Identity: a non-empty plugin setting wins, otherwise the firewall's own host and domain name are used. #}
myhostname = {{ OPNsense.postfix.general.myhostname if helpers.exists('OPNsense.postfix.general.myhostname') and OPNsense.postfix.general.myhostname != '' else system.hostname }}
mydomain = {{ OPNsense.postfix.general.mydomain if helpers.exists('OPNsense.postfix.general.mydomain') and OPNsense.postfix.general.mydomain != '' else system.domain }}
myorigin = {{ OPNsense.postfix.general.myorigin if helpers.exists('OPNsense.postfix.general.myorigin') and OPNsense.postfix.general.myorigin != '' else '$myhostname' }}
{# Listener scope: with no setting the daemon binds every interface, so exposure is then decided by the firewall rules alone. #}
inet_interfaces = {{ OPNsense.postfix.general.inet_interfaces if helpers.exists('OPNsense.postfix.general.inet_interfaces') and OPNsense.postfix.general.inet_interfaces != '' else 'all' }}
{# Source addresses for outgoing SMTP; nothing is written when the settings are empty. #}
{% if helpers.exists('OPNsense.postfix.general.bind_address') and OPNsense.postfix.general.bind_address != '' %}
smtp_bind_address = {{ OPNsense.postfix.general.bind_address }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.bind_address6') and OPNsense.postfix.general.bind_address6 != '' %}
smtp_bind_address6 = {{ OPNsense.postfix.general.bind_address6 }}
{% endif %}
{# Trusted clients: the comma-separated setting is turned into Postfix's space-separated list; the fallback is loopback only. #}
mynetworks = {{ OPNsense.postfix.general.mynetworks.replace(',', ' ') if helpers.exists('OPNsense.postfix.general.mynetworks') and OPNsense.postfix.general.mynetworks != '' else '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }}
{# Greeting banner: the fallback names the software to every connecting client. #}
smtpd_banner = {{ OPNsense.postfix.general.banner if helpers.exists('OPNsense.postfix.general.banner') and OPNsense.postfix.general.banner != '' else '$myhostname ESMTP Postfix' }}
{# Optional limits and rewriting; each line is omitted when its setting is empty. #}
{% if helpers.exists('OPNsense.postfix.general.message_size_limit') and OPNsense.postfix.general.message_size_limit != '' %}
message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}
{% endif %}
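{# TLS settings for the SMTP server (smtpd_*) and the SMTP client (smtp_*). #}
{% if helpers.exists('OPNsense.postfix.general.disable_ssl') and OPNsense.postfix.general.disable_ssl == '1' %}
{# Only SSLv2 and SSLv3 are switched off here; TLSv1 and TLSv1.1 stay negotiable unless they are excluded as well. #}
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.disable_weak_ciphers') and OPNsense.postfix.general.disable_weak_ciphers == '1' %}
{#
  Two entries were misspelled (EDH-RSA-DES-CDC3-SHA, KRB5-DE5) and therefore matched no cipher;
  they now read EDH-RSA-DES-CBC3-SHA and KRB5-DES. The list covers the server side only:
  the SMTP client keeps its default cipher set because smtp_tls_exclude_ciphers is not written.
#}
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tlswrappermode') and OPNsense.postfix.general.tlswrappermode == '1' %}
{# Wrapper mode (implicit TLS) only takes effect when smtp_tls_security_level is "encrypt" or stronger; this template does not enforce that pairing. #}
smtp_tls_wrappermode = yes
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
{# Written verbatim from the setting; when it is empty no line is emitted and outgoing TLS falls back to the Postfix default. #}
smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
{#
  smtpd_use_tls offers STARTTLS without requiring it. No smtpd_tls_key_file is set, so Postfix
  reads the private key from the certificate file as well: cert_opn.pem has to contain the key
  and should be readable by root only.
#}
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
{% endif %}
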
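{# Optional smarthost for outgoing mail. #}
{% if helpers.exists('OPNsense.postfix.general.relayhost') and OPNsense.postfix.general.relayhost != '' %}
relayhost = {{ OPNsense.postfix.general.relayhost }}
{% endif %}

{#
  Client-side SASL towards the relay. The guard used to test != '', which is also true for a
  stored '0', so authentication was switched on even with the option unticked; it now tests
  == '1' like every other flag in this file.
  smtp_sasl_security_options is left empty, which permits plaintext mechanisms: pair this with
  smtp_tls_security_level = encrypt (or stronger) so credentials never cross the wire in clear.
  The smtp_auth table holds passwords and should be readable by root only.
#}
{% if helpers.exists('OPNsense.postfix.general.smtpauth_enabled') and OPNsense.postfix.general.smtpauth_enabled == '1' %}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
smtp_sasl_security_options =
{% endif %}

{#
  rspamd is attached as a milter on localhost:11332 for SMTP and locally submitted mail.
  milter_default_action = accept fails open: if the milter is unreachable or errors out, mail is
  delivered unscanned. Use tempfail instead where unfiltered delivery is not acceptable.
#}
{% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
{% endif %}

{# With recipient checking enforced, relayed mail is accepted only for addresses listed in the recipient_access table. #}
{% if helpers.exists('OPNsense.postfix.general.enforce_recipient_check') and OPNsense.postfix.general.enforce_recipient_check == '1' %}
relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
{% endif %}
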
{#
  Recipient restrictions (sender checks included), collected in the fixed order below.
  Postfix evaluates the list left to right and stops at the first rule that decides, so the
  access tables are consulted before the permit_* and reject_unauth_destination rules.
  NOTE(review): an OK result from recipient_access or sender_access therefore ends the list
  early; relay protection then rests on smtpd_relay_restrictions, which this template leaves at
  its default. Confirm that is intended.
#}
{% set rcpt_restrictions = [] %}
{% if helpers.exists('OPNsense.postfix.recipient.recipients.recipient') %}
{%   do rcpt_restrictions.append('check_recipient_access hash:/usr/local/etc/postfix/recipient_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_pipelining') and OPNsense.postfix.general.reject_unauth_pipelining == '1' %}
{%   do rcpt_restrictions.append('reject_unauth_pipelining') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.sender.senders.sender') %}
{%   do rcpt_restrictions.append('check_sender_access hash:/usr/local/etc/postfix/sender_access') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_sender_domain') and OPNsense.postfix.general.reject_unknown_sender_domain == '1' %}
{%   do rcpt_restrictions.append('reject_unknown_sender_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unknown_recipient_domain') and OPNsense.postfix.general.reject_unknown_recipient_domain == '1' %}
{%   do rcpt_restrictions.append('reject_unknown_recipient_domain') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_sender') and OPNsense.postfix.general.reject_non_fqdn_sender == '1' %}
{%   do rcpt_restrictions.append('reject_non_fqdn_sender') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_recipient') and OPNsense.postfix.general.reject_non_fqdn_recipient == '1' %}
{%   do rcpt_restrictions.append('reject_non_fqdn_recipient') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
{%   do rcpt_restrictions.append('permit_sasl_authenticated') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_tls_clientcerts') and OPNsense.postfix.general.permit_tls_clientcerts == '1' %}
{%   do rcpt_restrictions.append('permit_tls_clientcerts') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_mynetworks') and OPNsense.postfix.general.permit_mynetworks == '1' %}
{%   do rcpt_restrictions.append('permit_mynetworks') %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.reject_unauth_destination') and OPNsense.postfix.general.reject_unauth_destination == '1' %}
{%   do rcpt_restrictions.append('reject_unauth_destination') %}
{% endif %}

{# The parameter is written only when at least one rule was selected; otherwise Postfix keeps its built-in default. #}
{% if rcpt_restrictions %}
smtpd_recipient_restrictions = {{ rcpt_restrictions | join(', ') }}
{% endif %}

{# Clients have to send HELO/EHLO before any mail transaction. #}
smtpd_helo_required = yes

{# Log to the mail facility under the name "postfix". #}
syslog_facility = mail
syslog_name = postfix

{# Closes the "enabled" guard opened on the first line of the template. #}
{% endif %}