From 8c202b36bbeab19bcffb5b2c0f82d0ec9497d3b8 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 12 Jun 2020 20:45:48 +0200 Subject: [PATCH] Define smtpd_recipient_restrictions. Remove a broken scan directive. --- defaults/main.yml | 3 ++ templates/main.cf.j2 | 62 ++++++++++++++++++++++++++---------------- templates/master.cf.j2 | 6 ---- 3 files changed, 41 insertions(+), 30 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1070768..878d8ba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -51,6 +51,9 @@ postfix_reject_unknown_sender_domain: True postfix_relay_server: False # postfix_use_milter: False +postfix_milter_connect_timeout: '30s' +postfix_milter_command_timeout: '30s' +postfix_milter_content_timeout: '300s' postfix_spamassassin_milter: False postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock' postfix_clamav_milter: False diff --git a/templates/main.cf.j2 b/templates/main.cf.j2 index acd6725..3b420b3 100644 --- a/templates/main.cf.j2 +++ b/templates/main.cf.j2 @@ -557,9 +557,9 @@ message_size_limit = {{ postfix_message_size_limit }} # # clamav, milter-greylist, spamassassin # -#milter_connect_timeout = 30s -#milter_command_timeout = 30s -#milter_content_timeout = 300s +#milter_connect_timeout = {{ postfix_milter_connect_timeout }} +#milter_command_timeout = {{ postfix_milter_command_timeout }} +#milter_content_timeout = {{ postfix_milter_content_timeout }} # The default is 6 #milter_protocol = 6 {% if postfix_spamassassin_milter %} 
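Review bot: The three new variables are substituted only into lines that stay commented out in templates/main.cf.j2 (`#milter_connect_timeout = {{ postfix_milter_connect_timeout }}` and the two lines below it), so overriding them in defaults/main.yml or in inventory has no effect on the rendered main.cf. Postfix keeps its built-in milter timeouts. If they are meant to be tunable, drop the leading `#` on those three lines, e.g. `milter_connect_timeout = {{ postfix_milter_connect_timeout }}`; otherwise add a comment in defaults/main.yml saying they are not yet applied. What happens to a message when a milter times out is governed by `milter_default_action`, which is not set in the visible lines. The milter block continues past the end of this hunk.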
@@ -579,29 +579,39 @@ smtpd_milters = {% endif %} {% if postfix_smtpd_server %} -smtpd_client_restrictions = - permit_mynetworks - permit_inet_interfaces -{% if postfix_submission_server %} - permit_sasl_authenticated -{% endif %} -{% if postfix_mx_server %} - reject_unknown_sender_domain - reject_non_fqdn_sender - reject_non_fqdn_recipient - reject_invalid_hostname -# reject_non_fqdn_hostname - reject_unauth_destination - reject_unknown_recipient_domain - reject_unlisted_recipient +smtpd_recipient_restrictions = + permit_mynetworks + reject_unknown_recipient_domain + reject_non_fqdn_recipient + reject_unauth_destination + reject_unauth_pipelining + reject_unlisted_recipient {% if postfix_rbl_enabled %} - reject_rbl_client {{ postfix_rbl_list }} + reject_rbl_client {{ postfix_rbl_list }} +{% endif %} + +smtpd_client_restrictions = + permit_mynetworks + permit_inet_interfaces +{% if postfix_submission_server %} + permit_sasl_authenticated +{% endif %} +{% if postfix_mx_server %} + reject_unknown_sender_domain + reject_non_fqdn_sender + reject_non_fqdn_recipient + reject_invalid_hostname + reject_unauth_destination + reject_unknown_recipient_domain + reject_unlisted_recipient +{% if postfix_rbl_enabled %} + reject_rbl_client {{ postfix_rbl_list }} {% endif %} {% endif %} {% if postfix_mx_server %} - permit + permit {% else %} - reject + reject {% endif %} {% if postfix_submission_server %} smtpd_sasl_path = smtpd 
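Review bot: The new `smtpd_recipient_restrictions` list has no `permit_sasl_authenticated`, unlike the `smtpd_client_restrictions` list below it. When `postfix_submission_server` is true, an authenticated client outside `mynetworks` therefore falls through to `reject_unauth_destination` and, if enabled, `reject_rbl_client`. Unless the submission service overrides this list in master.cf.j2 (not visible here), authenticated submission to external domains would be refused. Consider adding `{% if postfix_submission_server %}` / `permit_sasl_authenticated` / `{% endif %}` directly after `permit_mynetworks`. Separately, `reject_rbl_client` takes one DNSBL domain per occurrence, so `{{ postfix_rbl_list }}` renders a valid restriction only if it holds a single name; the variable's definition is outside this diff.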
@@ -619,15 +629,19 @@ smtpd_helo_restrictions = reject_unknown_helo_hostname {% endif %} {% if postfix_reject_unknown_sender_domain %} # Don't accept mail from domains that don't exist. -smtpd_sender_restrictions = reject_unknown_sender_domain +smtpd_sender_restrictions = + reject_unknown_sender_domain + reject_non_fqdn_sender {% endif %} {% if postfix_submission_server %} # Relay control: local clients and # authenticated clients may specify any destination domain. -smtpd_relay_restrictions = permit_sasl_authenticated, reject +smtpd_relay_restrictions = + permit_sasl_authenticated + reject {% endif %} {% if postfix_behind_haproxy %} -smtpd_upstream_proxy_protocol=haproxy +smtpd_upstream_proxy_protocol = haproxy {% endif %} {% endif %} diff --git a/templates/master.cf.j2 b/templates/master.cf.j2 index 46549b9..2fc6f16 100644 --- a/templates/master.cf.j2 +++ b/templates/master.cf.j2 @@ -79,12 +79,6 @@ virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache -{% if postfix_spamassassin_milter %} -scan unix - - n - 10 smtp - -o smtp_send_xforward_command=yes - -o disable_mime_output_conversion=yes - -o smtp_generic_maps= -{% endif %} # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual
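Review bot: The comment above `smtpd_relay_restrictions` says local clients and authenticated clients may relay, but the reformatted list is still only `permit_sasl_authenticated` followed by `reject`. `permit_mynetworks` is missing, so every unauthenticated RCPT is refused at this stage. If this main.cf can be rendered with both `postfix_submission_server` and `postfix_mx_server` true, and the list is not overridden per service in master.cf.j2, the unconditional `reject` would also refuse inbound mail for local domains. Ending the list with `reject_unauth_destination` keeps relaying closed without doing that. Either add `permit_mynetworks` as the first entry or reword the comment to match what the list does.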