ansible/roles/postfix/vars/main.yml
2021-12-03 13:53:36 +01:00


---
# FreeBSD periodic.conf(5) knobs for the daily sendmail(8) housekeeping
# jobs. Postfix replaces sendmail on this host, so these are the knobs the
# role has to neutralise; how it does so (presumably setting each to NO) is
# decided by the tasks, not by this file.
sendmail_periodic:
- daily_clean_hoststat_enable
- daily_status_mail_rejects_enable
- daily_status_include_submit_mailq
- daily_submit_queuerun
# Log directory handed to the s6 logger (see postfix_service_config):
# rotation size, directory mode and numeric owner. All four are quoted so
# YAML keeps them as strings ('750' unquoted would become the integer 750).
# NOTE(review): 20000 is presumably the uid/gid of the s6-log account named
# in postfix-log/env/USER and GROUP -- verify it matches the target, a
# mismatch leaves /var/log/postfix unwritable for the logger.
postfix_log_size: '32m'
postfix_log_mode: '750'
postfix_log_uid: '20000'
postfix_log_gid: '20000'
# Lookup-table types whose .db must be rebuilt with postmap(1) after the
# source file changes; presumably the tasks only run postmap for these.
# regexp/pcre/cidr tables are read as plain text and need no rebuild.
postfix_rebuild_types:
- hash
- btree
# Lookup tables the role manages under $config_directory, with the table
# type the role templates/builds them as. The type must agree with how
# postfix_config references each file.
# NOTE(review): mynetworks is referenced as 'cidr:$config_directory/mynetworks'
# in postfix_config. A cidr table is read as text, so the hash .db produced
# for it here is never consulted; 'type: cidr' would be the honest value
# (harmless today, but check the role accepts the type before changing).
postfix_maps:
- name: header_checks
  type: regexp
- name: helo_checks
  type: hash
- name: local_recipients
  type: hash
- name: mynetworks
  type: hash
- name: postscreen_dnsbl_reply_map
  type: pcre
- name: rbl_override
  type: hash
- name: virtual_aliases
  type: hash
- name: sender_access
  type: hash
# access(5) table consulted by check_helo_access in smtpd_helo_restrictions.
# Only a literal HELO of "localhost" is rejected. NOTE(review): a client
# announcing itself with this host's own hostname or IP literal (a common
# spoof) is not covered; those entries are cheap to add here.
postfix_helo_checks:
- localhost REJECT You're not me
postfix_rbl_override: []
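# check_sender_access table (smtpd_sender_restrictions): key is the envelope
# sender's domain, which by Postfix's default parent_domain_matches_subdomains
# also covers its subdomains. The text after REJECT is returned verbatim in
# the 5xx reply, so it lands in the remote side's logs and bounce messages --
# keep it something you are happy to have quoted back. Because
# permit_sasl_authenticated precedes this check, authenticated submissions
# are never matched against it.
postfix_sender_access:
- hostepro.co.ua REJECT Die you fucking spammer!
- molingrush.co.ua REJECT Die you fucking spammer!
- jenreviews.com REJECT Die you fucking spammer!
- hes.net REJECT Die you fucking spammer!
- willsamaren.co.ua REJECT Die you fucking spammer!
# typo "spamemr" fixed so the reply text is consistent across entries
- liluinc.eu REJECT Die you fucking spammer!
- winsoker.co.ua REJECT Die you fucking spammer!
- mellingrush.eu REJECT Die you fucking spammer!
- newdgise.co.ua REJECT Die you fucking spammer!
- nicemaner.eu REJECT Die you fucking spammer!
- qr-hosting.eu REJECT Die you fucking spammer!
- villpubrel.com REJECT Die you fucking spammer!
- willi-bong.eu REJECT Die you fucking spammer!
- pgp.co.in REJECT Die you fucking spammer!
- rapnews.biz.ua REJECT Die you fucking spammer!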
# virtual(5) alias table (virtual_alias_maps). All RFC 2142 role addresses
# for ccchb.de and lists.ccchb.de are collapsed into one personal mailbox.
# Two entries forward off-host (mail@thoddi.de, docloc@posteo.net):
# forwarded mail is re-sent by this server, so the final destination sees
# this host as the SMTP client -- expect SPF to fail there unless SRS or ARC
# is in place (nothing in this role shows either).
postfix_virtual_aliases:
- root@ccchb.de crest@ccchb.de
- abuse@ccchb.de crest@ccchb.de
- noc@ccchb.de crest@ccchb.de
- security@ccchb.de crest@ccchb.de
- postmaster@ccchb.de crest@ccchb.de
- hostmaster@ccchb.de crest@ccchb.de
- thoddi@ccchb.de mail@thoddi.de
- docloc@ccchb.de docloc@posteo.net
- root@lists.ccchb.de crest@ccchb.de
- crest@lists.ccchb.de crest@ccchb.de
- abuse@lists.ccchb.de crest@ccchb.de
- noc@lists.ccchb.de crest@ccchb.de
- security@lists.ccchb.de crest@ccchb.de
- postmaster@lists.ccchb.de crest@ccchb.de
- hostmaster@lists.ccchb.de crest@ccchb.de
# s6 service tree created by the role: the postfix longrun, its logger, and
# their env/ and data/ directories.
postfix_service_dirs:
- postfix
- postfix/env
- postfix/data
- postfix-log
- postfix-log/env
# Executable scripts templated into that tree (run/finish for both services,
# plus a data/check script -- presumably the readiness probe; its contents
# are not in this file).
postfix_service_scripts:
- postfix/run
- postfix/finish
- postfix/data/check
- postfix-log/run
- postfix-log/finish
# Plain files written into the s6 service tree (path relative to the tree,
# file content). postfix is a longrun that depends on postfix-log and signals
# readiness on fd 3; the logger gets its user, group, directory and mode via
# env/ so the run script can drop privileges before writing.
# NOTE(review): both PATH values end in /root/bin. That is only safe while
# /root/bin stays writable by root alone; if nothing there is needed by the
# run scripts, dropping it removes the question entirely.
postfix_service_config:
- name: postfix/type
  content: longrun
- name: postfix/dependencies
  content: postfix-log
- name: postfix/notification-fd
  content: 3
- name: postfix/env/NAME
  content: postfix
- name: postfix/env/PATH
  content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- name: postfix-log/type
  content: longrun
- name: postfix-log/notification-fd
  content: 3
- name: postfix-log/env/NAME
  content: postfix
- name: postfix-log/env/PATH
  content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
# quoted: an unquoted 750 would be written as the integer 750, same text
# but worth keeping consistent with postfix_log_mode above
- name: postfix-log/env/MODE
  content: '750'
- name: postfix-log/env/USER
  content: s6-log
- name: postfix-log/env/GROUP
  content: s6-log
- name: postfix-log/env/DIR
  content: /var/log/postfix
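# main.cf parameters as name/value/state triples (presumably applied with
# postconf by the tasks). Values are quoted so YAML does not re-type them
# ('yes' -> true, '2' -> 2, '554' -> 554); Postfix gets the literal text.
postfix_config:
- name: compatibility_level
  value: '2'
  state: present
- name: header_checks
  value: 'regexp:$config_directory/header_checks'
  state: present
# host-specific; quoted so the leading {{ is not parsed as a flow mapping
- name: inet_interfaces
  value: '{{ postfix_inet_interfaces }}'
  state: present
- name: inet_protocols
  value: 'ipv6, ipv4'
  state: present
- name: local_recipient_maps
  value: 'hash:$config_directory/local_recipients $alias_maps'
  state: present
# Log to a fifo drained by the s6 logger (postfix_service_config) instead of
# syslog.
- name: maillog_file
  value: '/var/log/postfix/fifo'
  state: present
- name: mailbox_transport
  value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
  state: present
# NOTE(review): 'accept' is fail-open -- when the rspamd proxy socket named
# in smtpd_milters is unavailable, mail is accepted unfiltered. 'tempfail'
# defers it instead; whichever is chosen, choose it deliberately.
- name: milter_default_action
  value: 'accept'
  state: present
- name: milter_mail_macros
  value: 'i {mail_addr} {client_addr} {client_name} {auth_authen}'
  state: present
# mua_* are user-defined macros, not Postfix parameters; the submission
# service expands them (postfix_params). Authenticated or rejected, nothing
# else.
- name: mua_client_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present
- name: mua_helo_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present
- name: mua_sender_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present
- name: mydestination
  value: '$myhostname, localhost.$mydomain, localhost, $mydomain'
  state: present
# cidr: tables are read as text; the hash .db that postfix_maps builds for
# this file is not what this lookup uses.
- name: mynetworks
  value: 'cidr:$config_directory/mynetworks'
  state: present
- name: myorigin
  value: '$mydomain'
  state: present
# postscreen fronts port 25 only (see postfix_services); submission clients
# never pass through it. 'enforce' logs and rejects the offending client with
# a 5xx, 'drop' hangs up outright.
- name: postscreen_bare_newline_action
  value: 'enforce'
  state: present
- name: postscreen_bare_newline_enable
  value: 'yes'
  state: present
# only takes effect with a postscreen_access_list that returns reject; none
# is set in this file
- name: postscreen_blacklist_action
  value: 'drop'
  state: present
- name: postscreen_cache_map
  value: 'hash:$data_directory/postscreen_cache'
  state: present
- name: postscreen_dnsbl_action
  value: 'enforce'
  state: present
# hides which list fired from the rejected client (the pcre map rewrites
# the reply text)
- name: postscreen_dnsbl_reply_map
  value: 'pcre:$config_directory/postscreen_dnsbl_reply_map'
  state: present
# Weighted DNSBL/DNSWL lookups; a client is rejected once its total reaches
# postscreen_dnsbl_threshold. zen.spamhaus.org is pinned to the documented
# listing codes 127.0.0.2-11: Spamhaus answers 127.255.255.x when queried
# through a blocked public resolver or over quota, and an unfiltered
# 'zen.spamhaus.org*3' would count those error replies as a listing at full
# weight -- i.e. reject every client until the resolver issue is noticed.
# b.barracudacentral.org requires the querying IP to be registered.
# NOTE(review): confirm swl.spamhaus.org (the whitelist zone) still answers;
# a dead negative-weight zone simply never helps anyone.
- name: postscreen_dnsbl_sites
  value: >-
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].[2..3]*-4
  state: present
- name: postscreen_dnsbl_threshold
  value: '3'
  state: present
# a total score at or below -1 (i.e. any DNSWL hit) skips the remaining
# deep-protocol tests
- name: postscreen_dnsbl_whitelist_threshold
  value: '-1'
  state: present
- name: postscreen_greet_action
  value: 'enforce'
  state: present
- name: postscreen_non_smtp_command_enable
  value: 'yes'
  state: present
- name: postscreen_pipelining_enable
  value: 'yes'
  state: present
- name: recipient_delimiter
  value: '+'
  state: present
# Outbound TLS: opportunistic ('may'), so delivery proceeds in clear when a
# peer offers no STARTTLS. NOTE(review): behind a DNSSEC-validating resolver,
# 'dane' authenticates peers that publish TLSA records and otherwise behaves
# like 'may'.
- name: smtp_tls_exclude_ciphers
  value: 'aNULL'
  state: present
- name: smtp_tls_loglevel
  value: '1'
  state: present
- name: smtp_tls_note_starttls_offer
  value: 'yes'
  state: present
- name: smtp_tls_security_level
  value: 'may'
  state: present
- name: smtp_tls_session_cache_database
  value: 'btree:${data_directory}/smtp_scache'
  state: present
# NOTE(review): $mail_name (default 'Postfix') advertises the software in
# the greeting; cosmetic, but trivially removable.
- name: smtpd_banner
  value: '$myhostname ESMTP 8BIT-OK NO UCE NO UBE $mail_name'
  state: present
# Port-25 client checks, evaluated in order. reject_unknown_client is the
# pre-2.3 spelling of reject_unknown_client_hostname and runs *before* the
# rbl_override table, so that table can only exempt a client from the
# DNSBLs, not from missing/mismatched reverse DNS. The Spamhaus lookups are
# pinned to the documented listing codes (SBL/CSS 127.0.0.2-3, PBL
# 127.0.0.10-11); an unfiltered lookup would treat the 127.255.255.x error
# replies Spamhaus returns for blocked or over-quota resolvers as a listing
# and reject every client. postscreen already queries zen (SBL+XBL+PBL) for
# port 25, so these are largely a second opinion.
# NOTE(review): CBL data is served as part of Spamhaus XBL (in zen); confirm
# the cbl.abuseat.org zone still answers before relying on it.
- name: smtpd_client_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_client,
    check_client_access
    hash:$config_directory/rbl_override,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org=127.0.0.2,
    reject_rbl_client sbl.spamhaus.org=127.0.0.3,
    reject_rbl_client pbl.spamhaus.org=127.0.0.10,
    reject_rbl_client pbl.spamhaus.org=127.0.0.11,
    reject_rbl_client ix.dnsbl.manitu.net
  state: present
- name: smtpd_helo_required
  value: 'yes'
  state: present
# HELO checks, using the pre-2.3 restriction names (reject_*_hostname is the
# same as reject_*_helo_hostname). reject_unknown_hostname requires the HELO
# name to resolve; the helo_checks table is consulted first.
- name: smtpd_helo_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    check_helo_access hash:$config_directory/helo_checks,
    reject_unknown_hostname
  state: present
# rspamd proxy as the only milter; see milter_default_action for what
# happens when it is down
- name: smtpd_milters
  value: 'unix:/var/run/rspamd/proxy.sock'
  state: present
# reject_unauth_destination is the relay guard for port 25 (Postfix's
# default smtpd_relay_restrictions carries it as well).
- name: smtpd_recipient_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
  state: present
- name: smtpd_sasl_auth_enable
  value: 'yes'
  state: present
# SASL is provided by Dovecot over the socket below. Stated explicitly
# because Postfix's default smtpd_sasl_type is 'cyrus'; if the role's
# defaults already set this, the value is identical.
- name: smtpd_sasl_type
  value: 'dovecot'
  state: present
- name: smtpd_sasl_path
  value: 'private/dovecot-auth'
  state: present
# permit_sasl_authenticated comes first, so the sender_access table never
# applies to authenticated submissions -- and nothing here ties a login to
# its MAIL FROM (see the note in postfix_params).
- name: smtpd_sender_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:$config_directory/sender_access
  state: present
# Inbound TLS. Opportunistic on port 25 ('may'); the submission service
# overrides this to 'encrypt' (postfix_params). smtpd_tls_auth_only keeps
# AUTH off unencrypted sessions. The certificate and key are shared with
# Dovecot; keep the key root-only -- Postfix documents reading it before
# dropping privileges.
# NOTE(review): no smtpd_tls_protocols / smtpd_tls_mandatory_protocols is
# set, so the Postfix default floor applies and TLS 1.0/1.1 are still
# accepted on most versions; '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' on the
# submission service would retire them where credentials are exchanged.
# NOTE(review): smtpd_tls_eecdh_grade is a legacy knob -- since Postfix 3.2
# the default 'auto' negotiates curves via tls_eecdh_auto_curves; confirm
# 'ultra' still has an effect on the installed version.
- name: smtpd_tls_auth_only
  value: 'yes'
  state: present
- name: smtpd_tls_cert_file
  value: '/usr/local/etc/dovecot/fullchain.pem'
  state: present
- name: smtpd_tls_eecdh_grade
  value: 'ultra'
  state: present
- name: smtpd_tls_exclude_ciphers
  value: 'aNULL'
  state: present
- name: smtpd_tls_key_file
  value: '/usr/local/etc/dovecot/privkey.pem'
  state: present
- name: smtpd_tls_loglevel
  value: '1'
  state: present
# 'high' only governs mandatory TLS (submission); opportunistic port-25 TLS
# uses smtpd_tls_ciphers, left at the Postfix default here
- name: smtpd_tls_mandatory_ciphers
  value: 'high'
  state: present
- name: smtpd_tls_mandatory_exclude_ciphers
  value: 'aNULL'
  state: present
- name: smtpd_tls_received_header
  value: 'yes'
  state: present
- name: smtpd_tls_security_level
  value: 'may'
  state: present
- name: smtpd_tls_session_cache_database
  value: 'btree:${data_directory}/smtpd_scache'
  state: present
- name: strict_rfc821_envelopes
  value: 'yes'
  state: present
# NOTE(review): this replaces Postfix's built-in 'high' cipher list with a
# hand-rolled OpenSSL string. '+SSLv3' moves the SSLv3-era CBC suites to the
# end of the preference order (it does not enable the SSLv3 protocol), the
# trailing CAMELLIA128-SHA:AES128-SHA explicitly re-admit two
# non-forward-secret suites, and '!ECDSA' would refuse an ECDSA certificate
# should one ever be deployed. Postfix's own defaults track OpenSSL and are
# generally preferable unless a specific client is known to need this.
- name: tls_high_cipherlist
  value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
  state: present
# disables TLS compression (CRIME)
- name: tls_ssl_options
  value: 'NO_COMPRESSION'
  state: present
# Override the 450 defaults so the definite-failure cases (domain/host/client
# positively unknown) are permanent rather than retried for days. Postfix
# still answers 450 when the lookup failed on a temporary DNS error
# (postconf(5)), so a sender with flaky DNS is not bounced outright.
- name: unknown_address_reject_code
  value: '554'
  state: present
- name: unknown_client_reject_code
  value: '554'
  state: present
- name: unknown_hostname_reject_code
  value: '554'
  state: present
# NOTE(review): absolute paths where every other map uses $config_directory;
# and virtual_mlmmj is not in postfix_maps, so presumably mlmmj maintains it
# -- confirm something does run postmap on it, or lookups silently miss.
- name: virtual_alias_maps
  value: 'hash:/usr/local/etc/postfix/virtual_aliases, hash:/usr/local/etc/postfix/virtual_mlmmj'
  state: present
- name: virtual_mailbox_domains
  value: 'lists.ccchb.de'
  state: present
- name: virtual_transport
  value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
  state: present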
# master.cf entries. Column order in each value: service type private
# unpriv chroot wakeup maxproc command. Port 25 is owned by postscreen
# (single process, not chrooted), which hands surviving sessions to the
# 'smtpd pass' service. submission binds its own port and goes straight to
# smtpd, so none of the postscreen tests apply to authenticated clients.
# dnsblog and tlsproxy are postscreen's helpers; maxproc 0 means unlimited.
postfix_services:
- name: smtp
  type: inet
  value: "smtp inet n - n - 1 postscreen"
- name: smtpd
  type: pass
  value: "smtpd pass - - n - - smtpd"
- name: submission
  type: inet
  value: "submission inet n - n - - smtpd"
- name: dnsblog
  type: unix
  value: "dnsblog unix - - n - 0 dnsblog"
- name: tlsproxy
  type: unix
  value: "tlsproxy unix - - n - 0 tlsproxy"
# master.cf '-o' overrides, keyed as service/type/parameter. Everything
# below applies to the submission service only.
postfix_params:
- name: submission/inet/syslog_name
  value: 'postfix/submission'
  state: present
# Submission speaks TLS only; together with smtpd_tls_auth_only this keeps
# credentials off cleartext sessions.
- name: submission/inet/smtpd_tls_security_level
  value: 'encrypt'
  state: present
# server-side cipher preference wins over the client's
- name: submission/inet/tls_preempt_cipherlist
  value: 'yes'
  state: present
- name: submission/inet/smtpd_sasl_auth_enable
  value: 'yes'
  state: present
- name: submission/inet/smtpd_tls_auth_only
  value: 'yes'
  state: present
# unknown local recipients are not refused at RCPT time for authenticated
# submissions; they bounce later instead
- name: submission/inet/smtpd_reject_unlisted_recipient
  value: 'no'
  state: present
# The mua_* macros are defined in postfix_config: authenticated or reject.
- name: submission/inet/smtpd_client_restrictions
  value: '$mua_client_restrictions'
  state: present
- name: submission/inet/smtpd_helo_restrictions
  value: '$mua_helo_restrictions'
  state: present
# NOTE(review): nothing in this file sets smtpd_sender_login_maps or uses
# reject_sender_login_mismatch, so any authenticated account may put any
# address in MAIL FROM -- including the ccchb.de role aliases. Binding
# logins to their addresses needs both.
- name: submission/inet/smtpd_sender_restrictions
  value: '$mua_sender_restrictions'
  state: present
# Intentionally empty (explicit ''): relay control for submission lives in
# smtpd_relay_restrictions below.
- name: submission/inet/smtpd_recipient_restrictions
  value: ''
  state: present
- name: submission/inet/smtpd_relay_restrictions
  value: 'permit_sasl_authenticated,reject'
  state: present
# Tells the milter (rspamd) this is originating mail, so it presumably
# applies its outbound policy (e.g. signing) rather than inbound scoring.
- name: submission/inet/milter_macro_daemon_name
  value: ORIGINATING
  state: present