---
# Role variables for a Postfix mail host. The periodic(8) knobs and the
# /usr/local/etc/... paths below look like FreeBSD; Postfix is supervised by
# s6 (see postfix_service_* and the s6-log settings).

# periodic.conf variables for the base-system sendmail jobs. Only the names are
# listed here; the task that consumes this list decides the value (presumably
# NO, since Postfix replaces sendmail on this host — confirm in the task).
sendmail_periodic:
- daily_clean_hoststat_enable
- daily_status_mail_rejects_enable
- daily_status_include_submit_mailq
- daily_submit_queuerun
# Settings for the postfix-log (s6-log) service. All four are quoted strings on
# purpose: '750' would otherwise parse as an octal-looking integer and the
# uid/gid as ints, which the consuming templates may not expect.
postfix_log_size: '32m'    # rotation size passed to s6-log — confirm the unit syntax in the run script
postfix_log_mode: '750'    # log directory mode; same value as postfix-log/env/MODE in postfix_service_config
postfix_log_uid: '20000'   # presumably the uid of the s6-log user named in postfix_service_config — verify
postfix_log_gid: '20000'   # presumably the gid of the s6-log group — verify
# Table types from postfix_maps that presumably get compiled with postmap(1)
# into a .db (inferred from the variable name — confirm in the task). The
# regexp/pcre tables are read as plain text by Postfix and are deliberately
# absent.
postfix_rebuild_types:
- hash
- btree
# Lookup tables the role installs under $config_directory. `type` is the
# Postfix table type and is expected to match how main.cf references the file
# (see postfix_config).
postfix_maps:
- name: header_checks              # header_checks = regexp:$config_directory/header_checks
  type: regexp
- name: helo_checks                # check_helo_access hash:... in smtpd_helo_restrictions
  type: hash
- name: local_recipients           # local_recipient_maps
  type: hash
# NOTE(review): main.cf reads this table as cidr:$config_directory/mynetworks,
# a plain-text table, while the type here is hash. If the task runs postmap on
# hash tables, a mynetworks.db is built that Postfix never consults. Harmless
# as long as the source text is in cidr format, but one of the two should
# change — confirm which the task intends.
- name: mynetworks
  type: hash
- name: postscreen_dnsbl_reply_map   # pcre:... in postscreen_dnsbl_reply_map
  type: pcre
- name: rbl_override               # check_client_access hash:... before the RBL checks
  type: hash
- name: virtual_aliases            # first table in virtual_alias_maps
  type: hash
- name: sender_access              # check_sender_access hash:... in smtpd_sender_restrictions
  type: hash
# Entries for the helo_checks access table consulted by check_helo_access in
# smtpd_helo_restrictions; one "<helo-name> <action> [reply text]" per line.
# A client greeting as "localhost" is rejected. Trusted clients are unaffected:
# permit_mynetworks and permit_sasl_authenticated come earlier in that
# restriction list.
postfix_helo_checks:
- localhost REJECT You're not me
# Client access entries looked up before the reject_rbl_client checks in
# smtpd_client_restrictions — the place to whitelist (OK) a client that is
# wrongly listed on an RBL. Must stay an explicit empty list: a bare
# `postfix_rbl_override:` would be null, not [].
postfix_rbl_override: []
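# check_sender_access entries (smtpd_sender_restrictions); each line is
# "<sender-domain> <action> [reply text]". The lookup key is the envelope
# sender, which is trivially forged, so this is a nuisance filter for repeat
# offenders rather than a security control — the RBLs and the rspamd milter
# do the real filtering. The reply text is returned to the remote client
# verbatim (the liluinc.eu entry carried a typo in that text).
postfix_sender_access:
- hostepro.co.ua REJECT Die you fucking spammer!
- molingrush.co.ua REJECT Die you fucking spammer!
- jenreviews.com REJECT Die you fucking spammer!
- hes.net REJECT Die you fucking spammer!
- willsamaren.co.ua REJECT Die you fucking spammer!
- liluinc.eu REJECT Die you fucking spammer!
- winsoker.co.ua REJECT Die you fucking spammer!
- mellingrush.eu REJECT Die you fucking spammer!
- newdgise.co.ua REJECT Die you fucking spammer!
- nicemaner.eu REJECT Die you fucking spammer!
- qr-hosting.eu REJECT Die you fucking spammer!
- villpubrel.com REJECT Die you fucking spammer!
- willi-bong.eu REJECT Die you fucking spammer!
- pgp.co.in REJECT Die you fucking spammer!
- rapnews.biz.ua REJECT Die you fucking spammer!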
# Entries for the virtual_aliases table ("<address> <destination>"), the first
# table in virtual_alias_maps. The RFC 2142 role addresses (abuse, postmaster,
# security, noc, hostmaster) plus root are routed to one admin for both the
# primary domain and lists.ccchb.de (a virtual_mailbox_domain below).
postfix_virtual_aliases:
- root@ccchb.de crest@ccchb.de
- abuse@ccchb.de crest@ccchb.de
- noc@ccchb.de crest@ccchb.de
- security@ccchb.de crest@ccchb.de
- postmaster@ccchb.de crest@ccchb.de
- hostmaster@ccchb.de crest@ccchb.de
- thoddi@ccchb.de mail@thoddi.de
- docloc@ccchb.de docloc@posteo.net

# Role addresses for the list domain.
- root@lists.ccchb.de crest@ccchb.de
- crest@lists.ccchb.de crest@ccchb.de
- abuse@lists.ccchb.de crest@ccchb.de
- noc@lists.ccchb.de crest@ccchb.de
- security@lists.ccchb.de crest@ccchb.de
- postmaster@lists.ccchb.de crest@ccchb.de
- hostmaster@lists.ccchb.de crest@ccchb.de

- reddit@ccchb.de crest@ccchb.de
# s6 service directories the role creates (relative to the s6 service root,
# which is set outside this file). `env` holds the per-service environment
# files from postfix_service_config; `data` the check script from
# postfix_service_scripts.
postfix_service_dirs:
- postfix
- postfix/env
- postfix/data
- postfix-log
- postfix-log/env
# Scripts installed into the service directories (templates live outside this
# file). run/finish are the s6 longrun entry points; postfix/data/check is
# presumably a readiness check invoked by the run script — confirm in the template.
postfix_service_scripts:
- postfix/run
- postfix/finish
- postfix/data/check
- postfix-log/run
- postfix-log/finish
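# Plain files written into the service directories: `name` is the path
# relative to the service root, `content` the file body. type/dependencies/
# notification-fd follow the s6-rc longrun layout; env/* is the environment
# the run scripts read. Every content value that looks numeric is quoted so
# YAML does not retype it ('750' already was; '3' now matches).
postfix_service_config:
- name: postfix/type
  content: longrun
- name: postfix/dependencies
  content: postfix-log       # logger starts first, presumably so the log fifo has a reader
- name: postfix/notification-fd
  content: '3'               # fd on which the run script signals readiness
- name: postfix/env/NAME
  content: postfix
# NOTE(review): /root/bin on a service PATH is only safe while /root remains
# root-owned and not group/world-writable; drop it if the run script does not
# need anything from there.
- name: postfix/env/PATH
  content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

- name: postfix-log/type
  content: longrun
- name: postfix-log/notification-fd
  content: '3'
- name: postfix-log/env/NAME
  content: postfix
- name: postfix-log/env/PATH
  content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
# s6-log runs unprivileged as s6-log:s6-log; MODE matches postfix_log_mode.
- name: postfix-log/env/MODE
  content: '750'
- name: postfix-log/env/USER
  content: s6-log
- name: postfix-log/env/GROUP
  content: s6-log
- name: postfix-log/env/DIR
  content: /var/log/postfix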
# main.cf parameters, applied one by one (presumably through postconf(1) —
# values are passed as strings, which is why even numbers are quoted).
# Entries are in alphabetical order; keep it that way for diffability.
postfix_config:
- name: compatibility_level
  value: '2'
  state: present

- name: header_checks
  value: 'regexp:$config_directory/header_checks'   # table from postfix_maps
  state: present

# Listening addresses come from host/group vars; quoted so an empty or
# boolean-looking expansion cannot retype the value.
- name: inet_interfaces
  value: '{{ postfix_inet_interfaces }}'
  state: present

- name: inet_protocols
  value: 'ipv6, ipv4'
  state: present

# Knowing the valid local recipients lets smtpd reject unknown ones at RCPT
# time instead of accepting and bouncing — this is what prevents backscatter.
- name: local_recipient_maps
  value: 'hash:$config_directory/local_recipients $alias_maps'
  state: present

# Postfix 3.4+ file logging. The path is presumably a fifo drained by the
# postfix-log s6-log service (DIR /var/log/postfix in postfix_service_config)
# — confirm in the run script.
- name: maillog_file
  value: '/var/log/postfix/fifo'
  state: present

- name: mailbox_transport
  value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
  state: present

# Fail-open: if the rspamd milter (smtpd_milters) is unreachable, mail is
# accepted unfiltered. 'tempfail' would fail closed at the price of deferrals
# while rspamd is down — make sure that trade-off is the intended one.
- name: milter_default_action
  value: 'accept'
  state: present

# Macros handed to the milter; {auth_authen} is what lets a milter tell
# authenticated (outbound) submissions from inbound mail.
- name: milter_mail_macros
  value: 'i {mail_addr} {client_addr} {client_name} {auth_authen}'
  state: present

# Custom parameters referenced by the submission overrides in postfix_params
# (master.cf -o values cannot contain whitespace, hence the indirection).
# Authenticated clients only; everyone else is rejected.
- name: mua_client_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present

- name: mua_helo_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present

- name: mua_sender_restrictions
  value: 'permit_sasl_authenticated, reject'
  state: present

- name: mydestination
  value: '$myhostname, localhost.$mydomain, localhost, $mydomain'
  state: present

# Read as a plain-text cidr table. postfix_maps declares the same file as
# type hash, so any .db built from it is never consulted here.
- name: mynetworks
  value: 'cidr:$config_directory/mynetworks'
  state: present

- name: myorigin
  value: '$mydomain'
  state: present
# postscreen settings. postscreen answers port 25 (postfix_services: the smtp
# service runs postscreen) and scores clients before an smtpd process is
# spent on them. The three *_enable tests below run after the 220 greeting;
# a client that passes them is told to reconnect, so they only work for
# senders that retry.
- name: postscreen_bare_newline_action
  value: 'enforce'
  state: present

- name: postscreen_bare_newline_enable
  value: 'yes'
  state: present

# Action for clients on a permanent deny entry (postscreen_access_list).
# Newer Postfix releases spell this postscreen_denylist_action and keep the
# old name as an alias — confirm on the installed version.
- name: postscreen_blacklist_action
  value: 'drop'
  state: present

- name: postscreen_cache_map
  value: 'hash:$data_directory/postscreen_cache'
  state: present

- name: postscreen_dnsbl_action
  value: 'enforce'
  state: present

# pcre table (postfix_maps) rewriting the DNSBL reject text, typically so the
# reply does not reveal which list matched.
- name: postscreen_dnsbl_reply_map
  value: 'pcre:$config_directory/postscreen_dnsbl_reply_map'
  state: present

# Weighted DNSBL/DNSWL scoring: positive weights count towards
# postscreen_dnsbl_threshold, negative ones towards the whitelist threshold.
# NOTE(review): blocklists change operators, require registration or get
# decommissioned; a dead list may start answering every query (or none) and
# silently skew the score. Re-check each entry's status and terms periodically.
- name: postscreen_dnsbl_sites
  value: >-
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].[2..3]*-4
  state: present

- name: postscreen_dnsbl_threshold
  value: '3'
  state: present

# A combined score at or below -1 (i.e. a DNSWL hit) lets the client skip the
# remaining postscreen tests.
- name: postscreen_dnsbl_whitelist_threshold
  value: '-1'
  state: present

- name: postscreen_greet_action
  value: 'enforce'
  state: present

- name: postscreen_non_smtp_command_enable
  value: 'yes'
  state: present

- name: postscreen_pipelining_enable
  value: 'yes'
  state: present
# user+tag addressing for local delivery.
- name: recipient_delimiter
  value: '+'
  state: present

# Outbound (client-side) TLS: opportunistic and unverified — the usual choice
# for MX delivery, where insisting on valid certificates would lose mail.
- name: smtp_tls_exclude_ciphers
  value: 'aNULL'
  state: present

- name: smtp_tls_loglevel
  value: '1'
  state: present

# Logs remote hosts that offered STARTTLS when it was not used; handy for
# spotting where 'may' fell back to plaintext.
- name: smtp_tls_note_starttls_offer
  value: 'yes'
  state: present

- name: smtp_tls_security_level
  value: 'may'
  state: present

- name: smtp_tls_session_cache_database
  value: 'btree:${data_directory}/smtp_scache'
  state: present
- name: smtpd_banner
  value: '$myhostname ESMTP 8BIT-OK NO UCE NO UBE $mail_name'
  state: present

# Port 25 client restrictions, evaluated in order: trusted clients pass first;
# clients without a forward-confirmed PTR are rejected (reject_unknown_client
# is the legacy spelling of reject_unknown_client_hostname); the rbl_override
# table from postfix_maps can then whitelist a client before the RBL lookups.
# These hard RBL rejects sit behind postscreen's weighted scoring.
# NOTE(review): verify each RBL is still in service before relying on it.
- name: smtpd_client_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unknown_client,
    check_client_access
    hash:$config_directory/rbl_override,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net
  state: present

- name: smtpd_helo_required
  value: 'yes'
  state: present

# reject_invalid_hostname / reject_non_fqdn_hostname / reject_unknown_hostname
# are the legacy spellings of the *_helo_hostname restrictions; Postfix still
# accepts them, but the current names are less ambiguous. helo_checks is the
# table filled from postfix_helo_checks.
- name: smtpd_helo_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    check_helo_access hash:$config_directory/helo_checks,
    reject_unknown_hostname
  state: present

# rspamd milter over a unix socket; milter_default_action decides what happens
# when it is down.
- name: smtpd_milters
  value: 'unix:/var/run/rspamd/proxy.sock'
  state: present

# reject_unauth_destination is the anti-open-relay check: unauthenticated
# clients may only deliver to this host's own and virtual domains.
- name: smtpd_recipient_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
  state: present

# SASL through Dovecot's auth socket (path relative to $queue_directory).
# NOTE(review): smtpd_sasl_type is not set in this file. Postfix's built-in
# default is cyrus; unless the installed build defaults to dovecot or another
# vars file sets it, add an entry `- name: smtpd_sasl_type` with
# `value: 'dovecot'`, otherwise this path is handed to the wrong backend.
- name: smtpd_sasl_auth_enable
  value: 'yes'
  state: present

- name: smtpd_sasl_path
  value: 'private/dovecot-auth'
  state: present

- name: smtpd_sender_restrictions
  value: >-
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:$config_directory/sender_access
  state: present

# AUTH is only offered inside TLS, so credentials never cross the wire in the
# clear — even on port 25, where TLS itself stays optional ('may').
- name: smtpd_tls_auth_only
  value: 'yes'
  state: present
# Server-side TLS. Certificate and key are shared with Dovecot; the key file
# must stay readable by root only (Postfix loads it with root privileges) —
# check the ownership the dovecot role applies.
- name: smtpd_tls_cert_file
  value: '/usr/local/etc/dovecot/fullchain.pem'
  state: present

# On Postfix >= 3.2 with a current OpenSSL the recommended setting is 'auto'
# (curve negotiated with the client); check whether 'ultra' is still honoured
# on the installed version.
- name: smtpd_tls_eecdh_grade
  value: 'ultra'
  state: present

- name: smtpd_tls_exclude_ciphers
  value: 'aNULL'
  state: present

- name: smtpd_tls_key_file
  value: '/usr/local/etc/dovecot/privkey.pem'
  state: present

- name: smtpd_tls_loglevel
  value: '1'
  state: present

# Cipher grade for *mandatory* TLS, i.e. the submission service (which sets
# smtpd_tls_security_level=encrypt in postfix_params). Opportunistic TLS on
# port 25 uses the broader default grade instead.
- name: smtpd_tls_mandatory_ciphers
  value: 'high'
  state: present

- name: smtpd_tls_mandatory_exclude_ciphers
  value: 'aNULL'
  state: present

- name: smtpd_tls_received_header
  value: 'yes'
  state: present

- name: smtpd_tls_security_level
  value: 'may'
  state: present

- name: smtpd_tls_session_cache_database
  value: 'btree:${data_directory}/smtpd_scache'
  state: present

- name: strict_rfc821_envelopes
  value: 'yes'
  state: present

# OpenSSL cipher string behind the 'high' grade. '+SSLv3' here is a
# cipher-group alias (SSLv3-era suites moved to the end of the preference
# list), not a protocol switch; the trailing CAMELLIA128-SHA:AES128-SHA
# explicitly re-admits non-forward-secret CBC suites, and '!ECDSA' drops all
# ECDSA suites. NOTE(review): neither smtpd_tls_mandatory_protocols nor
# smtpd_tls_protocols is set, so the protocol floor is whatever the installed
# Postfix defaults to; pin it explicitly if that default admits SSLv3. Revisit
# this list whenever the TLS stack is upgraded.
- name: tls_high_cipherlist
  value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
  state: present

# Disables TLS compression (CRIME mitigation).
- name: tls_ssl_options
  value: 'NO_COMPRESSION'
  state: present
# Turn the default 450 (temporary) replies of the reject_unknown_* restrictions
# into hard 554 rejects. Transient DNS errors should still be governed by the
# corresponding *_tempfail_action parameters — confirm, since a permanent
# reject on a flaky DNS answer would bounce legitimate mail.
- name: unknown_address_reject_code
  value: '554'
  state: present

- name: unknown_client_reject_code
  value: '554'
  state: present

- name: unknown_hostname_reject_code
  value: '554'
  state: present

# virtual_aliases comes from postfix_maps / postfix_virtual_aliases.
# virtual_mlmmj is not in postfix_maps and must be produced elsewhere
# (presumably by the mlmmj list manager); if that .db is missing, lookups
# fail and smtpd defers every recipient.
- name: virtual_alias_maps
  value: 'hash:/usr/local/etc/postfix/virtual_aliases, hash:/usr/local/etc/postfix/virtual_mlmmj'
  state: present

- name: virtual_mailbox_domains
  value: 'lists.ccchb.de'
  state: present

- name: virtual_transport
  value: 'lmtp:unix:$queue_directory/private/dovecot-lmtp'
  state: present
# master.cf service lines (fields: name type private unpriv chroot wakeup
# maxproc command). None of the services is chrooted (chroot column 'n').
postfix_services:
# Port 25 is answered by a single postscreen process, which hands surviving
# clients to the 'pass' smtpd service below.
- name: smtp
  type: inet
  value: "smtp inet n - n - 1 postscreen"

- name: smtpd
  type: pass
  value: "smtpd pass - - n - - smtpd"

# Port 587; its per-service overrides live in postfix_params.
- name: submission
  type: inet
  value: "submission inet n - n - - smtpd"

# postscreen helpers: parallel DNSBL lookups and the STARTTLS proxy
# (maxproc 0 = unlimited).
- name: dnsblog
  type: unix
  value: "dnsblog unix - - n - 0 dnsblog"

- name: tlsproxy
  type: unix
  value: "tlsproxy unix - - n - 0 tlsproxy"
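# master.cf '-o' overrides, keyed as <service>/<type>/<parameter>. Together
# they turn the submission service into an authenticated-clients-only relay.
# Every value is a quoted string (ORIGINATING was the one unquoted outlier).
postfix_params:
- name: submission/inet/syslog_name
  value: 'postfix/submission'
  state: present

# Mandatory TLS on 587: STARTTLS is required before AUTH, unlike port 25's
# opportunistic 'may'.
- name: submission/inet/smtpd_tls_security_level
  value: 'encrypt'
  state: present

# Server cipher preference wins over the client's order.
- name: submission/inet/tls_preempt_cipherlist
  value: 'yes'
  state: present

- name: submission/inet/smtpd_sasl_auth_enable
  value: 'yes'
  state: present

- name: submission/inet/smtpd_tls_auth_only
  value: 'yes'
  state: present

# Disables the unknown-local-recipient check on this service only; port 25
# keeps the main.cf behaviour.
- name: submission/inet/smtpd_reject_unlisted_recipient
  value: 'no'
  state: present

# Indirection through the mua_* parameters in postfix_config, because '-o'
# values in master.cf cannot contain whitespace.
- name: submission/inet/smtpd_client_restrictions
  value: '$mua_client_restrictions'
  state: present

- name: submission/inet/smtpd_helo_restrictions
  value: '$mua_helo_restrictions'
  state: present

- name: submission/inet/smtpd_sender_restrictions
  value: '$mua_sender_restrictions'
  state: present

# Empty on purpose: relaying is decided by smtpd_relay_restrictions below.
- name: submission/inet/smtpd_recipient_restrictions
  value: ''
  state: present

# Only SASL-authenticated clients may relay; everything else is rejected.
- name: submission/inet/smtpd_relay_restrictions
  value: 'permit_sasl_authenticated,reject'
  state: present

# Tells the milter (rspamd) that mail on this service is originating/outbound
# so it can be scored accordingly.
- name: submission/inet/milter_macro_daemon_name
  value: 'ORIGINATING'
  state: present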