Define smtpd_recipient_restrictions. Remove a broken scan directive.

defaults/main.yml

@@ -51,6 +51,9 @@ postfix_reject_unknown_sender_domain: True
 postfix_relay_server: False
 #
 postfix_use_milter: False
+postfix_milter_connect_timeout: '30s'
+postfix_milter_command_timeout: '30s'
+postfix_milter_content_timeout: '300s'
 postfix_spamassassin_milter: False
 postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
 postfix_clamav_milter: False

templates/main.cf.j2

@@ -557,9 +557,9 @@ message_size_limit = {{ postfix_message_size_limit }}
 #
 # clamav, milter-greylist, spamassassin
 #
-#milter_connect_timeout = 30s
+#milter_connect_timeout = {{ postfix_milter_connect_timeout }}
-#milter_command_timeout = 30s
+#milter_command_timeout = {{ postfix_milter_command_timeout }}
-#milter_content_timeout = 300s
+#milter_content_timeout = {{ postfix_milter_content_timeout }}
 # The default is 6
 #milter_protocol = 6
 {% if postfix_spamassassin_milter %}
@@ -579,6 +579,17 @@ smtpd_milters =
 {% endif %}
 
 {% if postfix_smtpd_server %}
+smtpd_recipient_restrictions =
+        permit_mynetworks
+        reject_unknown_recipient_domain
+        reject_non_fqdn_recipient
+        reject_unauth_destination
+        reject_unauth_pipelining
+        reject_unlisted_recipient
+{% if postfix_rbl_enabled %}
+        reject_rbl_client {{ postfix_rbl_list }}
+{% endif %}
+
 smtpd_client_restrictions =
         permit_mynetworks
         permit_inet_interfaces
@@ -590,7 +601,6 @@ smtpd_client_restrictions =
         reject_non_fqdn_sender
         reject_non_fqdn_recipient
         reject_invalid_hostname
-#   reject_non_fqdn_hostname
         reject_unauth_destination
         reject_unknown_recipient_domain
         reject_unlisted_recipient
@@ -619,15 +629,19 @@ smtpd_helo_restrictions = reject_unknown_helo_hostname
 {% endif %}
 {% if postfix_reject_unknown_sender_domain %}
 # Don't accept mail from domains that don't exist.
-smtpd_sender_restrictions = reject_unknown_sender_domain
+smtpd_sender_restrictions =
+        reject_unknown_sender_domain
+        reject_non_fqdn_sender
 {% endif %}
 {% if postfix_submission_server %}
 # Relay control: local clients and
 # authenticated clients may specify any destination domain.
-smtpd_relay_restrictions = permit_sasl_authenticated, reject
+smtpd_relay_restrictions =
+        permit_sasl_authenticated
+        reject
 {% endif %}
 {% if postfix_behind_haproxy %}
-smtpd_upstream_proxy_protocol=haproxy
+smtpd_upstream_proxy_protocol = haproxy
 {% endif %}
 {% endif %}
 

templates/master.cf.j2

@@ -79,12 +79,6 @@ virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       -       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache
-{% if postfix_spamassassin_milter %}
-scan      unix  -       -       n       -       10      smtp
-        -o smtp_send_xforward_command=yes
-        -o disable_mime_output_conversion=yes
-        -o smtp_generic_maps=
-{% endif %}
 #
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual