postfix-formula/postfix/files/main.cf

{%- from "postfix/map.jinja" import postfix with context -%}
{%- set config = salt['pillar.get']('postfix:config', {}) -%}

{%- if not salt['pillar.get']('postfix:mapping', False) %}
{#- Let the user configure mapping manually. -#}
{%- set processed_parameters = [] %}
{%- else -%}
{#- TODO: alias_maps probably belongs here, too: #}
{%- set processed_parameters = [
        'virtual_alias_maps',
        'smtp_sasl_password_maps',
        'sender_canonical_maps',
    ] %}
{%- endif -%}

{%- macro set_parameter(parameter, default=None) -%}
{% set value = config.get(parameter, default) %}
{%- if value is not none %}
  {%- if value is number or value is string -%}
{{ parameter }} = {{ value }}
  {%- elif value is iterable -%}
{{ parameter }} = {{ value | join('\n') | indent(parameter | length + 3) }}
  {%- endif -%}
{%- do processed_parameters.append(parameter) %}
{%- endif %}
{%- endmacro -%}

#
# This file is managed by salt.
# Modify the salt pillar in the postfix formula that generates this file instead.
#
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

{{ set_parameter('smtpd_banner', '$myhostname ESMTP $mail_name') }}
{{ set_parameter('biff', 'no') }}
{{ set_parameter('compatibility_level', '2') }}

# appending .domain is the MUA's job.
{{ set_parameter('append_dot_mydomain', 'no') }}

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

{{ set_parameter('readme_directory', 'no') }}

{%- set relay_restrictions = ['permit_mynetworks'] %}
{%- set recipient_restrictions = ['permit_mynetworks'] %}

{%- if config.get('smtpd_sasl_auth_enable', 'yes') == 'yes' %}
# SASL parameters (http://www.postfix.org/SASL_README.html)
{%- do relay_restrictions.append('permit_sasl_authenticated') %}
{%- do recipient_restrictions.append('permit_sasl_authenticated') %}
{{ set_parameter('smtpd_sasl_auth_enable', 'yes') }}
{{ set_parameter('smtpd_sasl_path', 'smtpd') }}
{{ set_parameter('smtpd_sasl_type', 'cyrus') }}
{{ set_parameter('smtpd_sasl_security_options', ['noanonymous', 'noplaintext']) }}
{{ set_parameter('smtpd_sasl_tls_security_options', ['noanonymous']) }}
{{ set_parameter('smtpd_tls_auth_only', 'yes') }}
{%- endif %}

{%- if config.get('smtpd_use_tls', 'yes') == 'yes' %}
# TLS parameters (http://www.postfix.org/TLS_README.html)
# Recipient settings
{{ set_parameter('smtpd_use_tls') }}
{{ set_parameter('smtpd_tls_loglevel', 1) }}
{{ set_parameter('smtpd_tls_security_level', 'may') }}
{{ set_parameter('smtp_tls_CApath', '/etc/ssl/certs') }}
{{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}
{{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }}
{{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }}
{{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }}
{{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }}
{{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }}
{{ set_parameter('tls_preempt_cipherlist', 'yes') }}
# Relay/Sender settings
{{ set_parameter('smtp_tls_loglevel', 1) }}
{{ set_parameter('smtp_tls_security_level', 'may') }}
{{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }}
{%- endif %}

{{ set_parameter('myhostname', grains['fqdn']) }}
{#- TODO: The following two may not be the same: #}
{{ set_parameter('alias_maps', 'hash:' ~ postfix.aliases_file) }}
{{ set_parameter('alias_database', 'hash:' ~ postfix.aliases_file) }}
{{ set_parameter('mydestination', [grains['fqdn'], 'localhost', 'localhost.localdomain', grains['domain']]) }}
{{ set_parameter('relayhost', '') }}
{{ set_parameter('mynetworks', ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128']) }}
{{ set_parameter('mailbox_size_limit', '0') }}
{{ set_parameter('recipient_delimiter', '+') }}
{{ set_parameter('inet_interfaces', 'all') }}
{{ set_parameter('inet_protocols', 'all') }}
{{ set_parameter('message_size_limit', '41943040') }}

{%- if config.get('relayhost') %}
{% set policyd_spf = salt['pillar.get']('postfix:policyd-spf', {}) %}
  {%- if policyd_spf.get('enabled', False) %}
  {%- do relay_restrictions.append('check_policy_server unix:private/policyd-spf') %}
policy-spf_time_limit = {{ policyd_spf.get('time_limit', '3600s') }}
  {%- endif %}
{%- do relay_restrictions.append('defer_unauth_destination') %}
{{ set_parameter('smtpd_relay_restrictions', relay_restrictions) }}
{%- endif %}

{#- check_policy_service must be after reject_unauth_destination #}
{%- do recipient_restrictions.append('reject_unauth_destination') %}
{%- set postgrey_config = salt['pillar.get']('postfix:postgrey', {}) %}
{%- if postgrey_config.get('enabled', False) %}
{%- do recipient_restrictions.append('check_policy_service ' ~ postgrey_config.get('location', 'inet:127.0.0.1:10030')) %}
{%- endif %}
{{ set_parameter('smtpd_recipient_restrictions', recipient_restrictions) }}

{# From init.sls #}
{%- set default_database_type = salt['pillar.get']('postfix:config:default_database_type', 'hash') %}

{%- for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
  {%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
  {%- if file_path.startswith('proxy:') %}
    {#- Discard the proxy:-prefix #}
    {%- set _, file_type, file_path = file_path.split(':') %}
  {%- elif ':' in file_path %}
    {%- set file_type, file_path = file_path.split(':') %}
  {%- else %}
    {%- set file_type = default_database_type %}
  {%- endif %}
  {%- if not file_path.startswith('/') %}
    {%- set file_path = postfix.config_path ~ '/' ~ file_path %}
  {%- endif %}

{{ set_parameter(mapping, file_type ~ ':' ~ file_path) }}
{% endfor %}

{# Accept arbitrary parameters -#}
{% for parameter in config -%}
{% if parameter not in processed_parameters -%}
{{ set_parameter(parameter) }}
{% endif -%}
{% endfor -%}