forked from saltstack-formulas/postfix-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
204 lines (178 loc) · 6.08 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
postfix:
manage_master_config: True
master_config:
enable_dovecot: False
# The following are the default values:
dovecot:
user: vmail
group: vmail
flags: DRhu
argv: "/usr/lib/dovecot/deliver -d ${recipient}"
enable_submission: False
# To replace the defaults use this:
submission:
smtpd_tls_security_level: encrypt
smtpd_sasl_auth_enable: yes
smtpd_client_restrictions: permit_sasl_authenticated,reject
# Alternative way of managing services allowing for much more finegrained
# control over each service. See postfix/services.jinja for details.
services:
smtp:
# Limit to no more than 10 smtp processes
maxproc: 10
# Enable oldstyle TLS wrapped SMTP
smtps:
enable: True
submission:
enable: True
args:
- "-o smtpd_tls_security_level=encrypt"
- "-o smtpd_sasl_auth_enable=yes"
- "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
tlsproxy:
enable: True
chroot: True
enable_service: True
postgrey:
enabled: True
enable_service: True
location: inet:172.16.0.5:6379
policyd-spf:
enabled: True
time_limit: 7200s
config:
smtpd_banner: $myhostname ESMTP $mail_name
smtp_tls_CApath: /etc/ssl/certs
biff: 'no'
append_dot_mydomain: 'no'
readme_directory: 'no'
myhostname: localhost
mydestination: localhost, localhost.localdomain
relayhost:
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit: 0
recipient_delimiter: +
inet_interfaces: all
#postsrsd:
sender_canonical_maps: tcp:127.0.0.1:10001
sender_canonical_classes: envelope_sender
recipient_canonical_maps: tcp:127.0.0.1:10002
recipient_canonical_classes: envelope_recipient
# Alias
alias_maps: hash:/etc/aliases
# This is the list of files for the newaliases
# cmd to process (see postconf(5) for details).
# Only local hash/btree/dbm files:
alias_database: hash:/etc/aliases
# Virtual users
virtual_alias_maps: proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains: proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps: proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base: /home/vmail
virtual_mailbox_limit: 512000000
virtual_minimum_uid: 5000
virtual_transport: virtual
virtual_uid_maps: static:5000
virtual_gid_maps: static:5000
local_transport: virtual
local_recipient_maps: $virtual_mailbox_maps
transport_maps: hash:/etc/postfix/transport
# SMTP server
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
smtpd_use_tls: 'yes'
smtpd_sasl_auth_enable: 'yes'
smtpd_sasl_type: dovecot
smtpd_sasl_path: /var/run/dovecot/auth-client
smtpd_recipient_restrictions: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options: noanonymous
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
smtpd_tls_auth_only: 'yes'
smtpd_sasl_local_domain: $mydomain
smtpd_tls_loglevel: 1
smtpd_tls_session_cache_timeout: 3600s
relay_domains: '$mydestination'
# SMTP server certificate and key (from pillar data)
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
# SMTP client
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
smtp_use_tls: 'yes'
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
sender_canonical_maps: hash:/etc/postfix/sender_canonical
relay_recipient_maps: hash:/etc/postfix/relay_domains
virtual_alias_maps: hash:/etc/postfix/virtual
transport:
DOMAIN_NAME: ':[IP_ADDRESS]'
vmail:
user: postfix_user
password: DB_PASSWD
hosts: DB_HOST
dbname: postfix_db
# add mysql query to virtual
mysql:
virtual_mailbox_domains:
table: virtual_domains
select_field: 1
where_field: name
virtual_alias_maps:
table: virtual_aliases
select_field: destination
where_field: email
virtual_mailbox_maps:
table: virtual_users
select_field: 1
where_field: email
aliases:
# manage single aliases
# this uses the aliases file defined in the minion config, /etc/aliases by default
use_file: false
present:
root: [email protected]
absent:
- root
# manage entire aliases file
use_file: true
content: |
# Forward all local *nix users mail to our admins (via greedy regexp)
/.+/ [email protected]
certificates:
server-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate: example-ca.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your root certificate: trusted-root.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
example.com-relay-client-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
mapping:
smtp_sasl_password_maps:
- smtp.example.com: myaccount:somepassword
sender_canonical_maps:
- root: [email protected]
- nagios: [email protected]
relay_recipient_maps:
- example.com: OK
virtual_alias_maps:
- groupaliasexample:
- singlealiasexample: [email protected]