tls config in main.cf

2016-07-08 10:21:21 +02:00 · 2016-07-08 10:21:21 +02:00 · 4e68d2fa39
commit 4e68d2fa39
parent 6bc0fd1a62
2 changed files with 36 additions and 28 deletions
--- a/rootfs/etc/confd/templates/main.cf.tmpl
+++ b/rootfs/etc/confd/templates/main.cf.tmpl
@ -1,48 +1,63 @@
 compatibility_level = 2
-queue_directory = /var/spool/postfix
-command_directory = /usr/sbin
-daemon_directory = /usr/lib/postfix
-data_directory = /var/lib/postfix
+
 mail_owner = postfix
 myhostname = {{getenv "MYHOSTNAME"}}
 mydomain = {{getenv "MYDOMAIN"}}
 myorigin = $mydomain
 mydestination = localhost
+
 unknown_local_recipient_reject_code = 550
 mynetworks_style = subnet
 relay_domains = $mydestination
 recipient_delimiter = +
+
 mailbox_transport = lmtp:{{getenv "LMTPHOST"}}
 mailbox_size_limit = {{getenv "MAILBOXSIZELIMIT"}}
-smtpd_banner = $myhostname ESMTP $mail_name
+smtpd_banner = {{getenv "SMTP"}} $myhostname ESMTP $mail_name
+
 virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf
 virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
 virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-virtual-alias-maps.cf
 virtual_transport = lmtp:inet:{{getenv "LMTPHOST"}}:{{getenv "LMTPPORT"}}
+
+smtpd_tls_key_file=/etc/ssl/mail/privkey.pem
+smtpd_tls_cert_file=/etc/ssl/mail/fullchain.pem
+
+smtpd_tls_security_level = {{getenv "TLSSECURITYLEVEL"}}
+smtpd_tls_auth_only = yes
+
+smtpd_tls_mandatory_protocols = {{getenv "TLSMANDATORYPROTOCOLS"}}
+smtpd_tls_mandatory_ciphers = {{getenv "TLSMANDATORYCIPHERS"}}
+smtpd_tls_ciphers = {{getenv "TLSCIPHERS"}}
+smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLSMANDATORYEXCLUDECIPHERS"}}
+smtpd_tls_wrappermode = no
+
+smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+smtp_tls_ciphers = $smtpd_tls_ciphers
+
+lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
+lmtp_tls_ciphers = $smtpd_tls_ciphers
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = inet:{{getenv "DOVECOTHOST"}}:{{getenv "DOVECOTAUTHPORT"}}
 smtpd_sasl_auth_enable = yes
-smtpd_tls_security_level = {{getenv "TLSSECURITYLEVEL"}}
-smtpd_tls_auth_only = yes
+
+smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
+
 smtpd_milters =
    inet:{{getenv "SPAMASSASSINHOST"}}:{{getenv "SPAMASSASSINPORT"}}
 non_smtpd_milters = $smtpd_milters
 milter_default_action = accept
+milter_macro_daemon_name = ORIGINATING
 #milter_connect_macros = "i j {daemon_name} v {if_name} _"
+
 message_size_limit = {{getenv "MESSAGESIZELIMIT"}}
 sender_dependent_default_transport_maps = hash:/etc/postfix/sender-transport
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_tls_mandatory_protocols = {{getenv "TLSMANDATORYPROTOCOLS"}}
+
 tls_preempt_cipherlist = yes
-smtpd_tls_mandatory_ciphers = {{getenv "TLSMANDATORYCIPHERS"}}
-smtpd_tls_ciphers = {{getenv "TLSCIPHERS"}}
-smtpd_tls_mandatory_exclude_ciphers = {{getenv "TLSMANDATORYEXCLUDECIPHERS"}}
-smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
-smtp_tls_ciphers = $smtpd_tls_ciphers
-lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
-lmtp_tls_ciphers = $smtpd_tls_ciphers
+
 smtputf8_enable = no
 biff = no
-smtpd_tls_key_file=/etc/ssl/mail/privkey.pem
-smtpd_tls_cert_file=/etc/ssl/mail/fullchain.pem
--- a/rootfs/etc/confd/templates/master.cf.tmpl
+++ b/rootfs/etc/confd/templates/master.cf.tmpl
@ -1,19 +1,12 @@
-smtp  inet  n - - - -  smtpd
-  -o syslog_name=postfix/smtp
-  -o myhostname={{getenv "MYDOMAIN"}}
-
 {{getenv "MYDOMAIN"}}-out unix - - - - - smtp
  -o smtp_helo_name={{getenv "MYHOSTNAME"}}
-  -o syslog_name=postfix/smtp-out
+  -o syslog_name=postfix/smtp-{{getenv "MYHOSTNAME"}}

 submission  inet  n  - - - -  smtpd
  -o syslog_name=postfix/submission
-  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
-  -o smtpd_sasl_auth_enable=yes
-  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
-  -o milter_macro_daemon_name=ORIGINATING

+smtp      inet  n       -       n       -       -       smtpd
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr