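---
# Role variables for a Postfix MTA: lookup tables, service-directory layout,
# main.cf settings, master.cf services and per-service overrides.
# The {{ ... }} value and the name/value/state triples suggest an Ansible role
# consumes this file; confirm against the role's tasks.

# periodic(8) knobs that belong to the base-system sendmail.
# NOTE(review): presumably switched off by the role because Postfix replaces
# sendmail; this file only lists the names.
sendmail_periodic:
  - daily_clean_hoststat_enable
  - daily_status_mail_rejects_enable
  - daily_status_include_submit_mailq
  - daily_submit_queuerun

# Log handling. Numeric-looking values are quoted so they stay strings.
postfix_log_size: '32m'
postfix_log_mode: '750'
postfix_log_uid: '20000'
postfix_log_gid: '20000'

# Table types that need a compiled database.
# NOTE(review): presumably rebuilt with postmap by the role; verify.
postfix_rebuild_types:
  - hash
  - btree

# Lookup tables managed by the role, with the table type of each.
postfix_maps:
  - name: header_checks
    type: regexp
  - name: helo_checks
    type: hash
  - name: local_recipients
    type: hash
  # NOTE(review): postfix_config below reads this table as
  # cidr:$config_directory/mynetworks, not hash:. mynetworks decides who
  # passes permit_mynetworks, so confirm which type the role should generate.
  - name: mynetworks
    type: hash
  - name: postscreen_dnsbl_reply_map
    type: pcre
  - name: rbl_override
    type: hash
  - name: virtual_aliases
    type: hash
  - name: sender_access
    type: hash

# Rows for the helo_checks table: refuse clients that greet as "localhost".
postfix_helo_checks:
  - localhost REJECT You're not me

# Rows for the rbl_override table (client exemptions from the RBL checks).
# Explicit empty list rather than a bare key, which would load as null.
postfix_rbl_override: []

# Rows for the sender_access table, used by check_sender_access below.
# The lookup key is the envelope sender domain, which the remote side chooses
# freely, so this is a coarse filter and not an authentication control.
# The text after REJECT is sent to the remote client in the SMTP reply.
postfix_sender_access:
  - hostepro.co.ua REJECT Die you fucking spammer!
  - molingrush.co.ua REJECT Die you fucking spammer!
  - jenreviews.com REJECT Die you fucking spammer!
  - hes.net REJECT Die you fucking spammer!
  - willsamaren.co.ua REJECT Die you fucking spammer!
  - liluinc.eu REJECT Die you fucking spammer!
  - winsoker.co.ua REJECT Die you fucking spammer!
  - mellingrush.eu REJECT Die you fucking spammer!
  - newdgise.co.ua REJECT Die you fucking spammer!
  - nicemaner.eu REJECT Die you fucking spammer!
  - qr-hosting.eu REJECT Die you fucking spammer!
  - villpubrel.com REJECT Die you fucking spammer!
  - willi-bong.eu REJECT Die you fucking spammer!
  - pgp.co.in REJECT Die you fucking spammer!
  - rapnews.biz.ua REJECT Die you fucking spammer!

# Rows for the virtual_aliases table: "<address> <destination>".
# The role addresses (abuse, postmaster, security, ...) of both domains are
# delivered to a single mailbox.
postfix_virtual_aliases:
  - root@ccchb.de crest@ccchb.de
  - abuse@ccchb.de crest@ccchb.de
  - noc@ccchb.de crest@ccchb.de
  - security@ccchb.de crest@ccchb.de
  - postmaster@ccchb.de crest@ccchb.de
  - hostmaster@ccchb.de crest@ccchb.de
  - thoddi@ccchb.de mail@thoddi.de
  - docloc@ccchb.de docloc@posteo.net
  - fritz@ccchb.de fritz@grimpen.net
  - root@lists.ccchb.de crest@ccchb.de
  - crest@lists.ccchb.de crest@ccchb.de
  - abuse@lists.ccchb.de crest@ccchb.de
  - noc@lists.ccchb.de crest@ccchb.de
  - security@lists.ccchb.de crest@ccchb.de
  - postmaster@lists.ccchb.de crest@ccchb.de
  - hostmaster@lists.ccchb.de crest@ccchb.de

# Service-directory layout for the supervised postfix and postfix-log
# services. NOTE(review): the type/dependencies/notification-fd files look
# like an s6-rc source definition; confirm against the role.
postfix_service_dirs:
  - postfix
  - postfix/env
  - postfix/data
  - postfix-log
  - postfix-log/env

postfix_service_scripts:
  - postfix/run
  - postfix/finish
  - postfix/data/check
  - postfix-log/run
  - postfix-log/finish

# One-value files written into the service directories.
postfix_service_config:
  - name: postfix/type
    content: longrun
  - name: postfix/dependencies
    content: postfix-log
  # Quoted so the file content stays a string, like the MODE value below.
  - name: postfix/notification-fd
    content: '3'
  - name: postfix/env/NAME
    content: postfix
  # The search path handed to the service ends in root's private bin
  # directory; keep /root/bin writable by root only.
  - name: postfix/env/PATH
    content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
  - name: postfix-log/type
    content: longrun
  - name: postfix-log/notification-fd
    content: '3'
  - name: postfix-log/env/NAME
    content: postfix
  - name: postfix-log/env/PATH
    content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
  - name: postfix-log/env/MODE
    content: '750'
  - name: postfix-log/env/USER
    content: s6-log
  - name: postfix-log/env/GROUP
    content: s6-log
  - name: postfix-log/env/DIR
    content: /var/log/postfix

# main.cf parameters. Every value is a quoted string so that yes/no and
# numbers reach Postfix literally instead of being retyped by the YAML parser.
postfix_config:
  - name: compatibility_level
    value: '2'
    state: present
  - name: header_checks
    value: 'regexp:$config_directory/header_checks'
    state: present
  - name: inet_interfaces
    value: '{{ postfix_inet_interfaces }}'
    state: present
  - name: inet_protocols
    value: 'ipv6, ipv4'
    state: present
  - name: local_recipient_maps
    value: 'hash:$config_directory/local_recipients $alias_maps'
    state: present
  - name: maillog_file
    value: '/var/log/postfix/fifo'
    state: present
  - name: mailbox_transport
    value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
    state: present
  # Fail-open: when the milter (see smtpd_milters) is unreachable or errors
  # out, mail is accepted as if no filter were configured. Monitor the rspamd
  # proxy socket, or use tempfail if unfiltered delivery is not acceptable.
  - name: milter_default_action
    value: 'accept'
    state: present
  - name: milter_mail_macros
    value: 'i {mail_addr} {client_addr} {client_name} {auth_authen}'
    state: present
  # Restriction sets for the submission service; referenced from
  # postfix_params as $mua_*_restrictions. Authenticated clients only.
  - name: mua_client_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present
  - name: mua_helo_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present
  - name: mua_sender_restrictions
    value: 'permit_sasl_authenticated, reject'
    state: present
  - name: mydestination
    value: '$myhostname, localhost.$mydomain, localhost, $mydomain'
    state: present
  # Clients matching this table pass every permit_mynetworks check below,
  # so it should list only hosts that are trusted to relay.
  - name: mynetworks
    value: 'cidr:$config_directory/mynetworks'
    state: present
  - name: myorigin
    value: '$mydomain'
    state: present
  - name: postscreen_bare_newline_action
    value: 'enforce'
    state: present
  - name: postscreen_bare_newline_enable
    value: 'yes'
    state: present
  # Postfix 3.6 renamed this to postscreen_denylist_action; the old name is
  # still accepted.
  - name: postscreen_blacklist_action
    value: 'drop'
    state: present
  - name: postscreen_cache_map
    value: 'hash:$data_directory/postscreen_cache'
    state: present
  - name: postscreen_dnsbl_action
    value: 'enforce'
    state: present
  - name: postscreen_dnsbl_reply_map
    value: 'pcre:$config_directory/postscreen_dnsbl_reply_map'
    state: present
  # Weighted DNS list scoring: "*N" adds N to the client's score, a negative
  # weight subtracts. The result is compared with the two thresholds that
  # follow (3 to block, -1 to skip the remaining tests).
  - name: postscreen_dnsbl_sites
    value: >-
      zen.spamhaus.org*3
      b.barracudacentral.org*2
      bl.spameatingmonkey.net*2
      bl.spamcop.net
      dnsbl.sorbs.net
      psbl.surriel.com
      bl.mailspike.net
      swl.spamhaus.org*-4
      list.dnswl.org=127.0.[0..255].0*-2
      list.dnswl.org=127.0.[0..255].1*-3
      list.dnswl.org=127.0.[0..255].[2..3]*-4
    state: present
  - name: postscreen_dnsbl_threshold
    value: '3'
    state: present
  - name: postscreen_dnsbl_whitelist_threshold
    value: '-1'
    state: present
  - name: postscreen_greet_action
    value: 'enforce'
    state: present
  - name: postscreen_non_smtp_command_enable
    value: 'yes'
    state: present
  - name: postscreen_pipelining_enable
    value: 'yes'
    state: present
  - name: recipient_delimiter
    value: '+'
    state: present
  - name: smtp_tls_exclude_ciphers
    value: 'aNULL'
    state: present
  - name: smtp_tls_loglevel
    value: '1'
    state: present
  - name: smtp_tls_note_starttls_offer
    value: 'yes'
    state: present
  # Opportunistic TLS for outbound mail: the peer certificate is not
  # verified and delivery falls back to cleartext when STARTTLS is not
  # offered. Destinations that need more require a per-destination policy.
  - name: smtp_tls_security_level
    value: 'may'
    state: present
  - name: smtp_tls_session_cache_database
    value: 'btree:${data_directory}/smtp_scache'
    state: present
  - name: smtpd_banner
    value: '$myhostname ESMTP 8BIT-OK NO UCE NO UBE $mail_name'
    state: present
  # Evaluated left to right; authenticated and mynetworks clients are
  # permitted before any reverse-DNS or RBL test runs.
  - name: smtpd_client_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_unknown_client,
      check_client_access hash:$config_directory/rbl_override,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client pbl.spamhaus.org,
      reject_rbl_client ix.dnsbl.manitu.net
    state: present
  - name: smtpd_helo_required
    value: 'yes'
    state: present
  - name: smtpd_helo_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      check_helo_access hash:$config_directory/helo_checks,
      reject_unknown_hostname
    state: present
  - name: smtpd_milters
    value: 'unix:/var/run/rspamd/proxy.sock'
    state: present
  # reject_unauth_destination is the relay guard on port 25; keep it last in
  # this list and never place a broad permit ahead of it.
  - name: smtpd_recipient_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_non_fqdn_recipient,
      reject_unknown_recipient_domain,
      reject_unauth_destination
    state: present
  - name: smtpd_sasl_auth_enable
    value: 'yes'
    state: present
  - name: smtpd_sasl_path
    value: 'private/dovecot-auth'
    state: present
  - name: smtpd_sender_restrictions
    value: >-
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_non_fqdn_sender,
      reject_unknown_sender_domain,
      check_sender_access hash:$config_directory/sender_access
    state: present
  # AUTH is only offered inside TLS, so credentials never cross the wire in
  # cleartext even though port 25 itself keeps TLS optional.
  - name: smtpd_tls_auth_only
    value: 'yes'
    state: present
  # Certificate and key live under the Dovecot configuration directory.
  # NOTE(review): presumably shared with Dovecot; the private key should be
  # readable by root only.
  - name: smtpd_tls_cert_file
    value: '/usr/local/etc/dovecot/fullchain.pem'
    state: present
  - name: smtpd_tls_eecdh_grade
    value: 'ultra'
    state: present
  - name: smtpd_tls_exclude_ciphers
    value: 'aNULL'
    state: present
  - name: smtpd_tls_key_file
    value: '/usr/local/etc/dovecot/privkey.pem'
    state: present
  - name: smtpd_tls_loglevel
    value: '1'
    state: present
  - name: smtpd_tls_mandatory_ciphers
    value: 'high'
    state: present
  - name: smtpd_tls_mandatory_exclude_ciphers
    value: 'aNULL'
    state: present
  # Only TLS 1.2 and 1.3 are accepted, for mandatory and opportunistic
  # sessions alike. No matching smtp_tls_* protocol limit is set in this file.
  - name: smtpd_tls_mandatory_protocols
    value: 'TLSv1.2 TLSv1.3'
    state: present
  - name: smtpd_tls_protocols
    value: 'TLSv1.2 TLSv1.3'
    state: present
  - name: smtpd_tls_received_header
    value: 'yes'
    state: present
  # TLS stays optional on the public MX port; the submission service
  # overrides this to "encrypt" in postfix_params.
  - name: smtpd_tls_security_level
    value: 'may'
    state: present
  - name: smtpd_tls_session_cache_database
    value: 'btree:${data_directory}/smtpd_scache'
    state: present
  - name: strict_rfc821_envelopes
    value: 'yes'
    state: present
  # Cipher list behind the "high" grade: forward-secret AEAD suites only.
  - name: tls_high_cipherlist
    value: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
    state: present
  - name: tls_ssl_options
    value: 'NO_COMPRESSION'
    state: present
  # The three reject codes below answer with a permanent 554 instead of the
  # 450 default, so a sender with broken DNS gets a bounce rather than a
  # retry.
  - name: unknown_address_reject_code
    value: '554'
    state: present
  - name: unknown_client_reject_code
    value: '554'
    state: present
  - name: unknown_hostname_reject_code
    value: '554'
    state: present
  # NOTE(review): virtual_mlmmj is not among postfix_maps above; presumably
  # another role maintains it. Verify that the table exists on the host.
  - name: virtual_alias_maps
    value: 'hash:/usr/local/etc/postfix/virtual_aliases, hash:/usr/local/etc/postfix/virtual_mlmmj'
    state: present
  - name: virtual_mailbox_domains
    value: 'lists.ccchb.de'
    state: present
  - name: virtual_transport
    value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
    state: present

# master.cf service entries. Port 25 is answered by postscreen, which hands
# clients that pass to the smtpd "pass" service.
postfix_services:
  - name: smtp
    type: inet
    value: "smtp inet n - n - 1 postscreen"
  - name: smtpd
    type: pass
    value: "smtpd pass - - n - - smtpd"
  - name: submission
    type: inet
    value: "submission inet n - n - - smtpd"
  - name: dnsblog
    type: unix
    value: "dnsblog unix - - n - 0 dnsblog"
  - name: tlsproxy
    type: unix
    value: "tlsproxy unix - - n - 0 tlsproxy"

# Per-service overrides for the submission service: TLS is mandatory and only
# SASL-authenticated clients may send.
postfix_params:
  - name: submission/inet/syslog_name
    value: 'postfix/submission'
    state: present
  - name: submission/inet/smtpd_tls_security_level
    value: 'encrypt'
    state: present
  - name: submission/inet/tls_preempt_cipherlist
    value: 'yes'
    state: present
  - name: submission/inet/smtpd_sasl_auth_enable
    value: 'yes'
    state: present
  - name: submission/inet/smtpd_tls_auth_only
    value: 'yes'
    state: present
  - name: submission/inet/smtpd_reject_unlisted_recipient
    value: 'no'
    state: present
  - name: submission/inet/smtpd_client_restrictions
    value: '$mua_client_restrictions'
    state: present
  - name: submission/inet/smtpd_helo_restrictions
    value: '$mua_helo_restrictions'
    state: present
  - name: submission/inet/smtpd_sender_restrictions
    value: '$mua_sender_restrictions'
    state: present
  # Left empty on purpose: the main.cf recipient list would otherwise apply
  # here. Relay control for this service is the relay restriction that
  # follows.
  - name: submission/inet/smtpd_recipient_restrictions
    value: ''
    state: present
  - name: submission/inet/smtpd_relay_restrictions
    value: 'permit_sasl_authenticated,reject'
    state: present
  - name: submission/inet/milter_macro_daemon_name
    value: 'ORIGINATING'
    state: present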