From 147a1fa65b16752e6b0aec1f4d23e375797e0587 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Sun, 28 Feb 2016 23:35:20 +0100
Subject: [PATCH] Postfix stuff dazu

---
 postfix/common.sls | 39 ++++++++++++
 postfix/files/aliases | 49 +++++++++++++++
 postfix/files/main.cf | 137 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 225 insertions(+)
 create mode 100644 postfix/common.sls
 create mode 100644 postfix/files/aliases
 create mode 100644 postfix/files/main.cf

diff --git a/postfix/common.sls b/postfix/common.sls
new file mode 100644
index 0000000..008132a
--- /dev/null
+++ b/postfix/common.sls
@@ -0,0 +1,39 @@
+{%- from "postfix/map.jinja" import postfix with context -%}
+
+postfix:
+ pkg.installed:
+ - name: {{ postfix.package }}
+ - watch_in:
+ - service: postfix
+ service.running:
+ - name: {{ postfix.service }}
+ - enable: True
+ - require:
+ - pkg: postfix
+ - watch:
+ - pkg: postfix
+
+/etc/postfix:
+ file.directory:
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - file_mode: 644
+ - makedirs: True
+ - require:
+ - pkg: postfix
+
+/etc/postfix/main.cf:
+ file.managed:
+ - source: salt://postfix/files/main.cf
+ - user: root
+ - group: root
+ - mode: 644
+ - require:
+ - pkg: postfix
+ - file: /etc/postfix
+ - watch_in:
+ - service: postfix
+ - template: jinja
+ - backup: minion
+
diff --git a/postfix/files/aliases b/postfix/files/aliases
new file mode 100644
index 0000000..a0f99a5
--- /dev/null
+++ b/postfix/files/aliases
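Review bot: The `postfix/files/aliases` file added in this patch is not deployed by any state in common.sls, even though main.cf sets `alias_maps` and `alias_database` to `hash:` ~ `postfix.aliases_file`; on a fresh minion the alias database therefore stays whatever the package shipped, and later edits to the file never trigger a `newaliases` run (unless a state outside this patch handles it). A `file.managed` for the aliases target plus a `cmd.wait` keyed on it, as sketched below, closes that gap. Separately, `watch_in: - service: postfix` on the pkg state duplicates the service state's own `watch: - pkg: postfix`; one of the two is enough.
```yaml
# … unchanged: postfix pkg/service, /etc/postfix and /etc/postfix/main.cf states …

{{ postfix.aliases_file }}:
  file.managed:
    - source: salt://postfix/files/aliases
    - user: root
    - group: root
    - mode: 644
    - require:
      - pkg: postfix
      - file: /etc/postfix

newaliases:
  cmd.wait:
    - watch:
      - file: {{ postfix.aliases_file }}
    - require:
      - pkg: postfix
```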
@@ -0,0 +1,49 @@
+# See man 5 aliases for format
+MAILER-DAEMON: postmaster
+postmaster: root
+root: frank
+
+# General redirections for pseudo accounts.
+adm: root
+bin: root
+daemon: root
+exim: root
+lp: root
+mail: root
+named: root
+nobody: root
+postfix: root
+
+# Well-known aliases -- these should be filled in!
+# root:
+# operator:
+
+# Standard RFC2142 aliases
+abuse: postmaster
+ftp: root
+hostmaster: root
+news: usenet
+noc: root
+security: root
+usenet: root
+uucp: root
+webmaster: root
+www: webmaster
+
+# trap decode to catch security attacks
+# decode: /dev/null
+
+# Persönliche Aliase
+
+# Frank Brehm
+frank: frank@brehm-online.com
+fbr: frank
+brehm: frank
+fbrehm: frank
+f.brehm: frank
+f-brehm: frank
+frank.brehm: frank
+frank-brehm: frank
+
+
+
diff --git a/postfix/files/main.cf b/postfix/files/main.cf
new file mode 100644
index 0000000..4b00a95
--- /dev/null
+++ b/postfix/files/main.cf
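Review bot: `root: frank` together with `frank: frank@brehm-online.com` routes root, postmaster, abuse and security mail to a personal external address that is hard-coded into a formula file every minion applying this state would receive. Since main.cf in the same patch is already pillar-driven, this file is a candidate for the same treatment: deliver it with `- template: jinja` and read the forwarding target from a pillar key, so the address is not baked into the repository and per-host overrides do not require editing the formula.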
@@ -0,0 +1,137 @@
+{%- from "postfix/map.jinja" import postfix with context -%}
+{%- set config = salt['pillar.get']('postfix:config', {}) -%}
+{%- set banner = salt['pillar.get']('postfix:smtpd_banner', '$myhostname ESMTP $mail_name (Debian/GNU)' ) -%}
+{%- set default_mydestination = [grains['fqdn'], 'localhost', 'localhost.localdomain', grains['domain']] -%}
+{%- set default_mynetworks = ['127.0.0.0/8', '[::ffff:127.0.0.0]/104', '[::1]/128'] -%}
+{%- set is_satellite = salt['pillar.get']('postfix:is_satellite', True ) -%}
+{% set processed_parameters = ['aliases_file', 'virtual', 'sasl_passwd', 'sender_canonical'] %}
+{%- macro set_parameter(parameter, default=None) -%}
+{% set value = config.get(parameter, default) %}
+{%- if value is not none %}
+ {%- if value is number or value is string -%}
+{{ parameter }} = {{ value }}
+ {%- elif value is iterable -%}
+{{ parameter }} =
+ {%- for v in value %}
+ {{ v }},
+ {%- endfor %}
+ {%- endif -%}
+{%- do processed_parameters.append(parameter) %}
+{%- endif %}
+{%- endmacro -%}
+# Managed by config management
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+{{ set_parameter('myorigin', '/etc/mailname') }}
+
+{{ set_parameter('smtpd_banner', banner) }}
+{{ set_parameter('biff', 'no') }}
+{# {{ set_parameter('compatibility_level', '2') }}
+#}
+
+# appending .domain is the MUA's job.
+{{ set_parameter('append_dot_mydomain', 'yes') }}
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+{{ set_parameter('readme_directory', 'no') }}
+
+{%- set relay_restrictions = ['permit_mynetworks'] %}
+{%- set recipient_restrictions = ['permit_mynetworks'] %}
+
+{%- if config.get('smtpd_sasl_auth_enable', 'yes') == 'yes' %}
+# SASL parameters (http://www.postfix.org/SASL_README.html)
+{%- do relay_restrictions.append('permit_sasl_authenticated') %}
+{%- do recipient_restrictions.append('permit_sasl_authenticated') %}
+{{ set_parameter('smtpd_sasl_auth_enable', 'yes') }}
+{{ set_parameter('smtpd_sasl_path', 'smtpd') }}
+{{ set_parameter('smtpd_sasl_type', 'cyrus') }}
+{{ set_parameter('smtpd_sasl_local_domain', '$myhostname') }}
+{{ set_parameter('smtpd_sasl_security_options', ['noanonymous', 'noplaintext']) }}
+{{ set_parameter('smtpd_sasl_tls_security_options', ['noanonymous']) }}
+{{ set_parameter('smtpd_tls_auth_only', 'no') }}
+{%- endif %}
+
+{%- if config.get('smtpd_use_tls', 'yes') == 'yes' %}
+# TLS parameters (http://www.postfix.org/TLS_README.html)
+# Recipient settings
+{{ set_parameter('smtpd_use_tls') }}
+{{ set_parameter('smtpd_tls_loglevel', 1) }}
+{{ set_parameter('smtpd_tls_security_level', 'may') }}
+{{ set_parameter('smtpd_tls_cert_file', '/etc/postfix/postfix.pem') }}
+{{ set_parameter('smtpd_tls_key_file', '/etc/postfix/postfix.pem') }}
+{{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }}
+{{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }}
+{{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }}
+{{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }}
+{{ set_parameter('tls_preempt_cipherlist', 'yes') }}
+# Relay/Sender settings
+{{ set_parameter('smtp_tls_loglevel', 1) }}
+{{ set_parameter('smtp_tls_security_level', 'may') }}
+{{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }}
+{{ set_parameter('smtpd_tls_received_header', 'yes') }}
+{{ set_parameter('smtpd_tls_session_cache_timeout', '3600s') }}
+{%- endif %}
+
+{{ set_parameter('myhostname', grains['fqdn']) }}
+{{ set_parameter('alias_maps', 'hash:' ~ postfix.aliases_file) }}
+{{ set_parameter('alias_database', 'hash:' ~ postfix.aliases_file) }}
+{{ set_parameter('mydestination', config.get('mydestination', default_mydestination)) }}
+{{ set_parameter('relayhost', config.get('relayhost', '')) }}
+{{ set_parameter('mynetworks', config.get('mynetworks', default_mynetworks)) }}
+{{ set_parameter('mailbox_command', 'procmail -a "$EXTENSION"') }}
+{{ set_parameter('mailbox_size_limit', '0') }}
+{{ set_parameter('recipient_delimiter', '+') }}
+{%- if is_satellite %}
+{{ set_parameter('inet_interfaces', 'loopback-only') }}
+{% else %}
+{{ set_parameter('inet_interfaces', 'all') }}
+{% endif -%}
+{{ set_parameter('inet_protocols', config.get('inet_protocols', 'all')) }}
+
+{{ set_parameter('message_size_limit', '41943040') }}
+
+{%- if config.get('relayhost') %}
+{% set policyd_spf = salt['pillar.get']('postfix:policyd-spf', {}) %}
+ {%- if policyd_spf.get('enabled', False) %}
+ {%- do relay_restrictions.append('check_policy_server unix:private/policyd-spf') %}
+policy-spf_time_limit = {{ policyd_spf.get('time_limit', '3600s') }}
+ {%- endif %}
+{%- do relay_restrictions.append('defer_unauth_destination') %}
+{{ set_parameter('smtpd_relay_restrictions', relay_restrictions) }}
+{%- endif %}
+
+{#- check_policy_service must be after reject_unauth_destination #}
+{%- do recipient_restrictions.append('reject_unauth_destination') %}
+{%- set postgrey_config = salt['pillar.get']('postfix:postgrey', {}) %}
+{%- if postgrey_config.get('enabled', False) %}
+{%- do recipient_restrictions.append('check_policy_service ' ~ postgrey_config.get('location', 'inet:127.0.0.1:10030')) %}
+{%- endif %}
+{{ set_parameter('smtpd_recipient_restrictions', recipient_restrictions) }}
+
+{%- if 'virtual' in pillar.get('postfix','') %}
+virtual_alias_maps = hash:/etc/postfix/virtual
+{% endif -%}
+
+{% if 'sasl_passwd' in pillar.get('postfix','') %}
+smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
+{% endif %}
+
+{%- if 'sender_canonical' in pillar.get('postfix','') %}
+sender_canonical_maps = hash:/etc/postfix/sender_canonical
+{% endif -%}
+
+{# Accept arbitrary parameters -#}
+{% for parameter in config -%}
+{% if parameter not in processed_parameters -%}
+{{ set_parameter(parameter) }}
+{% endif -%}
+{% endfor %}
+{{ set_parameter('unknown_local_recipient_reject_code', 550) }}
+
+# vim: filetype=pfmain
--
2.39.5