author | Matthieu Saulnier <fantom@fedoraproject.org> | 2019-08-31 21:10:03 +0200 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2019-08-31 21:10:03 +0200 |
commit | 14eec54199f7f10ba5b29a05a6345e9799584d46 (patch) | |
tree | 9871cd6e14ff5b7a87317657e5faa459c91cabab /roles | |
parent | 7f19904dc0bb41bb11565b449cacfac2e637db1a (diff) | |
Update postfix config in mtaserver role
Diffstat (limited to 'roles')
-rw-r--r-- | roles/mtaserver/files/master.cf | 13 | ||||
-rw-r--r-- | roles/mtaserver/templates/main.cf.j2 | 66 |
2 files changed, 61 insertions, 18 deletions
diff --git a/roles/mtaserver/files/master.cf b/roles/mtaserver/files/master.cf
index c79b34c..5eaad25 100644
--- a/roles/mtaserver/files/master.cf
+++ b/roles/mtaserver/files/master.cf
@@ -1,12 +1,13 @@
#
# Postfix master process configuration file. For details on the format
-# of the file, see the master(5) manual page (command: "man 5 master").
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
-# (yes) (yes) (yes) (never) (100)
+# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
@@ -17,11 +18,13 @@ submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
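Review bot: The submission overrides this hunk edits, including the new `-o smtpd_tls_auth_only=yes` and the `smtpd_relay_restrictions=permit_sasl_authenticated,reject` line, all remain commented out, while the hunk's function-context line `submission inet n - n - - smtpd` suggests the service itself is enabled (that line sits above the hunk, so confirm it really is uncommented). If so, port 587 runs under the global main.cf policy rather than the MUA policy this stanza describes: TLS is not forced with `encrypt`, and relaying is decided by the global `smtpd_relay_restrictions` instead of `permit_sasl_authenticated,reject`. Either uncomment at least `  -o smtpd_tls_security_level=encrypt`, `  -o smtpd_sasl_auth_enable=yes` and `  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject`, or comment the service line out until the overrides are ready. Since this file is shipped verbatim from `files/` rather than a template, the choice cannot be toggled per host.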
@@ -31,7 +34,8 @@ submission inet n - n - - smtpd
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
@@ -60,6 +64,7 @@ virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index 008b4d4..e2ee43a 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -5,7 +5,7 @@
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
-# http://www.postfix.org/.
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
@@ -182,8 +182,8 @@ inet_protocols = all
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
-# The default is $myhostname + localhost.$mydomain. On a mail domain
-# gateway, you should also include $mydomain.
+# The default is $myhostname + localhost.$mydomain + localhost. On
+# a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
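Review bot: The new `postlog unix-dgram n - n - 1 postlogd` service entry is only understood by Postfix 3.4 and newer, where the `unix-dgram` service type and postlogd(8) were introduced; an older master(8) rejects the unknown type and refuses to start, taking the whole MTA down on reload. Because `master.cf` is shipped verbatim from `files/` while `main.cf.j2` branches on `ansible_distribution`, the role appears to target more than one distribution, so hosts with an older Postfix would be affected (inferred from the template's branching, not from this hunk). Either leave the line commented out, e.g. `#postlog unix-dgram n - n - 1 postlogd`, or move master.cf to a template and gate the entry on the installed Postfix version.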
@@ -279,7 +279,7 @@ unknown_local_recipient_reject_code = 550
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
-# On Linux, this does works correctly only with interfaces specified
+# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
@@ -548,7 +548,7 @@ alias_database = hash:/etc/aliases
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
-# message store.
+# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
@@ -692,7 +692,7 @@ debugger_command =
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
-# To attach to the screen sesssion, su root and run "screen -r
+# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
@@ -743,12 +743,48 @@ sample_directory = /usr/share/doc/postfix/samples
#
readme_directory = /usr/share/doc/postfix/README_FILES

-{% if mtadomain is defined %}
-smtpd_tls_auth_only = yes
-smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+{% if mtadomain is defined -%}
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
-smtpd_tls_security_level = may
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
+
+
+smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
+smtpd_tls_loglevel = 2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

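Review bot: `smtpd_tls_security_level = may` is removed in this hunk and never re-added: the new comment `Announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption (opportunistic TLS inbound)` is followed only by a blank line. Unless the parameter is set elsewhere in the template, Postfix falls back to the empty default, so inbound STARTTLS is disabled, the `smtpd_tls_cert_file` and `smtpd_tls_key_file` configured above go unused, and with `smtpd_tls_auth_only = yes` the SMTP server never offers AUTH at all, which silently defeats the `smtpd_sasl_auth_enable = yes` setup further down. Add `smtpd_tls_security_level = may` directly under that comment. Separately, `smtpd_tls_loglevel = 2` is verbose for a production MTA; the Postfix documentation recommends level 1 outside of debugging.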
@@ -762,6 +798,7 @@ smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain

+
# Milter configuration
# OpenDKIM
milter_default_action = accept
@@ -770,6 +807,7 @@ milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

+
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
@@ -785,21 +823,21 @@ smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
-{% endif %}
-smtpd_tls_loglevel = 2
-{% if mtadomain is defined %}
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
+
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 5368709120
message_size_limit = 5368709120
+
policyd-spf_time_limit = 3600
-{% endif %}
+{% endif -%}
+
{% if ansible_distribution == "Fedora" %}
meta_directory = /etc/postfix |