ansible-role-postfix/defaults/main.yml

---
postfix_enabled: True
postfix_install_packages: '{{ postfix_enabled }}'

postfix_relay_rh_pkgs:
  - postfix
  - cyrus-sasl-lib
  - cyrus-sasl-plain
  - cyrus-sasl-md5

postfix_relay_deb_pkgs:
  - postfix
  - libsasl2-2

#############################################################################
# Set them to true when you want configure your machine to send email to a relay
#############################################################################
postfix_relay_client: False
postfix_use_relay_host: '{{ postfix_relay_client }}'
postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_smtp_helo_required: "yes"
postfix_helo_restrictions: True
postfix_smtp_delay_reject: "yes"
postfix_smtp_disable_vrfy: "yes"

postfix_use_letsencrypt: False
postfix_tls_encryption_level: 'intermediate'
postfix_tls_dhparam_size: 2048
postfix_tls_dhparam_file: /etc/postfix/dhparam.pem
# Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: may
postfix_use_sasl_auth: True
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: True
# Options: noanonymous, noplaintext
postfix_smtp_sasl_security_options: noanonymous
postfix_smtp_sasl_tls_security_options: '{{ postfix_smtp_sasl_security_options }}'
postfix_smtp_sasl_mechanism_filter: plain, login

# Set it in your vars files
#postfix_relay_host: smtp-relay.example.com
postfix_relay_port: 587
#postfix_smtp_relay_user: smtp-user
postfix_smtp_relay_user: '{{ ansible_fqdn }}'
# This one has to be set inside a vault file
#postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
postfix_smtpd_reject_unknown_helo_hostname: False
postfix_reject_unknown_sender_domain: True
#############################################################################
# Relay server: accepts authenticated clients
#############################################################################
postfix_relay_server: False
#
## Milter (antispam, antivirus)
postfix_use_milter: False
postfix_milter_connect_timeout: '30s'
postfix_milter_command_timeout: '30s'
postfix_milter_content_timeout: '300s'
postfix_spamassassin_milter: False
postfix_spamassassin_milter_socket: 'unix:/run/spamass-milter/postfix/sock'
postfix_clamav_milter: False
# inet:[127.0.0.1]:7357
postfix_clamav_milter_socket: 'unix:/run/clamav-milter/clamav-milter.socket'
# Specify accept, reject, tempfail, quarantine
postfix_milter_action: tempfail
## SPF policyd
postfix_spf_policy_install: False
postfix_spy_deb_pkg:
  - 'postfix-policyd-spf-python'
postfix_spy_el_pkg:
  - 'pypolicyd-spf'
postfix_spf_policy_skip_addresses: '127.0.0.0/8,::ffff:127.0.0.0/104,::1'
# From 0 to 4
postfix_spf_policy_debug_level: 1
# Set to 0 for test only mode
postfix_spf_policy_default_seed: 1
postfix_spf_perm_error_reject: False
postfix_spf_temp_error_defer: False
#  HELO check rejection policy. Options are:
#  HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
#  HELO_reject = Softfail - Reject if result Softfail and Fail
#  HELO_reject = Fail - Reject on HELO Fail
#  HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
#  HELO_reject = False - Never reject/defer on HELO, append header only.
#  HELO_reject = No_Check - Never check HELO.
postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
#  Mail From rejection policy.  Options are:
#  Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
#  Mail_From_reject = Softfail - Reject if result Softfail and Fail
#  Mail_From_reject = Fail - Reject on Mail From Fail (default)
#  Mail_From_reject = False - Never reject/defer on Mail From, append header only
#  Mail_From_reject = No_Check - Never check Mail From/Return Path.
#  * It is recommended to keep the default value, and manage specific cases setting
#  postfix_spf_policy_reject_not_pass_domains
postfix_spf_policy_mail_from_reject: 'Fail'
# CIDR notation, 192.168.0.0/31,192.168.1.12
postfix_spf_policy_whitelist: ''
postfix_spf_policy_domain_whitelist: ''
# Using this option, a list of domains can be defined for special processing when messages do not Pass SPF.  This can be useful for commonly spoofed domains that are not yet publishing SPF records with -all.  Specifically, if mail from a domain in this list has a Neutral/Softfail result, it will be rejected (as if it had a Fail result).  If needed, it is better to do it on a per-domain basis rather than globally. es: 'gmail.com,aol.com,hotmail.com'
postfix_spf_policy_reject_not_pass_domains: ''
postfix_spf_policy_lookup_time: 20
postfix_spf_policy_void_limit: 2

#############################################################################
# SMTP server that not accept authenticated clients. 
#############################################################################
postfix_smtpd_server: False
postfix_smtpd_server_restrictions:
  - permit_mynetworks
  - reject_unknown_recipient_domain
  - reject_non_fqdn_recipient
  - reject_unauth_destination
  - reject_unauth_pipelining
  - reject_unlisted_recipient

# SMTP server that routes emails coming from outside
#############################################################################
postfix_mx_server: False
postfix_smtpd_mx_client_restrictions:
  - reject_unknown_sender_domain
  - reject_non_fqdn_sender
  - reject_non_fqdn_recipient
  - reject_invalid_hostname
  - reject_unauth_destination
  - reject_unknown_recipient_domain
  - reject_unlisted_recipient

#############################################################################
# SMTP sender restrictions
#############################################################################
postfix_smtpd_sender_restrictions: True
postfix_reject_sender_login_mismatch: False
postfix_smtpd_sender_login_maps: []
postfix_smtpd_additional_sender_restrictions: []
#############################################################################
# SMTP submission server: accepts authenticated clients
#############################################################################
postfix_submission_server: False
# Set it to True if needed, on submission servers only
postfix_add_missing_headers: False
###########################################################################################
# The following options are used when acting as a relay or as a general purpose SMTP server
###########################################################################################
postfix_use_inet_interfaces: False
postfix_inet_interfaces:
  - all
postfix_inet_protocols:
  - all
postfix_proxy_interfaces_enabled: False
postfix_proxy_interfaces:
  - 127.0.0.1
postfix_message_size_limit: 10240000

postfix_sasl_deb_packages:
  - sasl2-bin

postfix_sasl_rh_packages:
  - cyrus-sasl

postfix_saslauthd_mech: 'pam'
postfix_saslauthd_flags: ''
postfix_saslauthd_conf_file: '/etc/saslauthd.conf'
#
postfix_sasl_ldap_servers: ldap://localhost
postfix_sasl_ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com
# postfix_sasl_ldap_bind_pw: set inside a vault file
postfix_sasl_ldap_timeout: 10
postfix_sasl_ldap_time_limit: 10
postfix_sasl_ldap_scope: sub
postfix_sasl_ldap_search_base: ou=people,dc=example,dc=com
postfix_sasl_ldap_auth_method: bind
postfix_sasl_ldap_filter: (&(uid=%u)(mail=*))
postfix_sasl_ldap_debug: 0
postfix_sasl_ldap_verbose: off
postfix_sasl_ldap_ssl: no
postfix_sasl_ldap_starttls: yes
postfix_sasl_ldap_referrals: no
#

postfix_use_domain_name: False
postfix_virtual_transport_enabled: False
postfix_virtual_transport_protocol: 'lmtp'
postfix_lmtp_protocol: 'inet'
postfix_lmtp_host: '127.0.0.1'
postfix_lmtp_port: 24
postfix_delivery_soft_bounce: False
postfix_recipient_delimiter: '+'
postfix_local_recipients: False
postfix_transport_map_enabled: False
postfix_transport_maps:
  - 'hash:/etc/postfix/transport'

postfix_transport_data: []
#
# Example:
# postfix_transport_data:
#   - { domain: 'example.com', action: 'smtp:[dest.smtp.example.com]:25' }
postfix_rbl_enabled: True
postfix_rbl_list: 'zen.spamhaus.org'
postfix_spamhaus_dbl_enabled: True

postfix_mynetworks: hash:/etc/postfix/network_table
postfix_mynetworks_data:
  - '127.0.0.0/8'
  - '127.0.0.1'

postfix_alias_maps:
  - 'hash:/etc/aliases'

postfix_alias_databases: '{{ postfix_alias_maps }}'

postfix_virtual_addresses: False
postfix_hostname_as_virtual_domain: True
postfix_virtual_mailbox_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_mailbox_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_mailbox_domains_data:
#   - { domain: 'example.com', action: 'OK' }

postfix_virtual_mailbox_maps:
  - 'hash:/etc/postfix/vmailbox_maps'

postfix_virtual_domains: False
postfix_virtual_alias_domains: 'hash:/etc/postfix/virtual_domains'
postfix_virtual_alias_domains_data: []
#
# Example. The 'action' part is optional:
# postfix_virtual_alias_domains_data:
#   - { domain: 'example.com', action: 'OK' }

postfix_virtual_alias_maps:
  - 'hash:/etc/postfix/virtual'

postfix_local_dest_concurrency_limit: 2
postfix_default_destination_concurrency_limit: 5

postfix_behind_haproxy: False
postfix_postscreen_port: 1024

postfix_pflogsumm_reports: False
postfix_pflogsumm_mail_report: False
postfix_pflogsumm_mail_report_address: 'postmaster'
postfix_pflogsumm_dir: /var/log/smtp_reports
postfix_pflogsumm_logfile: '{{ postfix_pflogsumm_dir }}/pflogsumm.log'
postfix_pflogsumm_options: '-d yesterday --problems_first --rej_add_from --verbose_msg_detail -q'
postfix_pflogsumm_reports_days: 10
#
# Nagios monitoring
#
postfix_nagios_check: False
postfix_nagios_checks:
  - check_postfix_mailqueue
  - check_postfix_processed

nagios_postfix_mailq_w: 20
nagios_postfix_mailq_c: 50
nagios_postfix_processed_w: 50
nagios_postfix_processed_c: 150

postfix_firewalld_services:
  - { service: 'smtp', state: 'enabled', zone: '{{ firewalld_default_zone }}' }
  - { service: 'smtps', state: 'enabled', zone: '{{ firewalld_default_zone }}'  }
  - { service: 'smtp-submission', state: 'enabled', zone: '{{ firewalld_default_zone }}'  }