postfix-formula/pillar.example
2019-01-08 09:36:01 +01:00

238 lines
7.3 KiB
Plaintext

postfix:
manage_master_config: True
master_config:
# Preferred way of managing services/processes. This allows for finegrained
# control over each service. See postfix/services.yaml for defaults that can
# be overridden.
services:
smtp:
# Limit to no more than 10 smtp processes
maxproc: 10
# Enable oldstyle TLS wrapped SMTP
smtps:
enable: True
# Enable submission service on port 587/tcp with custom options
submission:
enable: True
args:
- "-o smtpd_tls_security_level=encrypt"
- "-o smtpd_sasl_auth_enable=yes"
- "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
tlsproxy:
enable: True
chroot: True
uucp:
enable: True
# Dovecot delivery via deliver binary. For better performance, investigate
# using LMTP instead: <https://wiki.dovecot.org/LMTP>
dovecot:
chroot: False
command: pipe
enable: True
extras: '-d ${recipient}'
flags: DRhu
type: unix
unpriv: False
user: vmail:vmail
argv: /usr/lib/dovecot/deliver
# Completely customized mail-delivery-agent entry. Will be appended to the
# master.cf file
custom-mda:
argv: /usr/local/sbin/mail-handler.py
command: pipe
extras: --rcpt ${recipient}
flags: DRhu
user: mail
# Wrap the output in master.cf at 78 chars for better readability
wrap: True
# Avoid user and arvg settings to allow define internal processes
# needed for randomizing relay IP (randmap functionality)
no_args: True
# Backwards compatible definition of dovecot delivery in master.cf
enable_dovecot: False
# The following are the default values:
dovecot:
user: vmail
group: vmail
flags: DRhu
argv: "/usr/lib/dovecot/deliver"
# Backwards compatible definition of submission listener in master.cf
enable_submission: False
# To replace the defaults use this:
submission:
smtpd_tls_security_level: encrypt
smtpd_sasl_auth_enable: yes
smtpd_client_restrictions: permit_sasl_authenticated,reject
enable_service: True
reload_service: True
postgrey:
enabled: True
enable_service: True
location: inet:172.16.0.5:6379
policyd-spf:
enabled: True
time_limit: 7200s
config:
smtpd_banner: $myhostname ESMTP $mail_name
smtp_tls_CApath: /etc/ssl/certs
biff: 'no'
append_dot_mydomain: 'no'
readme_directory: 'no'
myhostname: localhost
mydestination: localhost, localhost.localdomain
relayhost:
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit: 0
recipient_delimiter: +
inet_interfaces: all
inet_protocols: all
#postsrsd:
sender_canonical_maps: tcp:127.0.0.1:10001
sender_canonical_classes: envelope_sender
recipient_canonical_maps: tcp:127.0.0.1:10002
recipient_canonical_classes: envelope_recipient
# Alias
alias_maps: hash:/etc/aliases
# This is the list of files for the newaliases
# cmd to process (see postconf(5) for details).
# Only local hash/btree/dbm files:
alias_database: hash:/etc/aliases
# Virtual users
virtual_alias_maps: proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains: proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps: proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base: /home/vmail
virtual_mailbox_limit: 512000000
virtual_minimum_uid: 5000
virtual_transport: virtual
virtual_uid_maps: static:5000
virtual_gid_maps: static:5000
local_transport: virtual
local_recipient_maps: $virtual_mailbox_maps
transport_maps: hash:/etc/postfix/transport
# SMTP server
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
smtpd_use_tls: 'yes'
smtpd_sasl_auth_enable: 'yes'
smtpd_sasl_type: dovecot
smtpd_sasl_path: /var/run/dovecot/auth-client
smtpd_recipient_restrictions: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options: noanonymous
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
smtpd_tls_auth_only: 'yes'
smtpd_sasl_local_domain: $mydomain
smtpd_tls_loglevel: 1
smtpd_tls_session_cache_timeout: 3600s
relay_domains: '$mydestination'
# SMTP server certificate and key (from pillar data)
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
# SMTP client
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
smtp_use_tls: 'yes'
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
sender_canonical_maps: hash:/etc/postfix/sender_canonical
relay_recipient_maps: hash:/etc/postfix/relay_domains
virtual_alias_maps: hash:/etc/postfix/virtual
transport:
DOMAIN_NAME: ':[IP_ADDRESS]'
vmail:
user: postfix_user
password: DB_PASSWD
hosts: DB_HOST
dbname: postfix_db
# add mysql query to virtual
mysql:
virtual_mailbox_domains:
table: virtual_domains
select_field: 1
where_field: name
virtual_alias_maps:
table: virtual_aliases
select_field: destination
where_field: email
virtual_mailbox_maps:
table: virtual_users
select_field: 1
where_field: email
aliases:
# manage single aliases
# this uses the aliases file defined in the minion config, /etc/aliases by default
use_file: false
present:
root: info@example.com
absent:
- root
# manage entire aliases file
use_file: true
content: |
# Forward all local *nix users mail to our admins (via greedy regexp)
/.+/ admins@example.com
certificates:
server-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate: example-ca.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your root certificate: trusted-root.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
example.com-relay-client-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
mapping:
smtp_sasl_password_maps:
- smtp.example.com: myaccount:somepassword
sender_canonical_maps:
- root: servers@example.com
- nagios: alerts@example.com
relay_recipient_maps:
- example.com: OK
virtual_alias_maps:
- groupaliasexample:
- someuser_1@example.com
- someuser_2@example.com
- singlealiasexample: someuser_3@example.com