Mail

2024-12-19 22:32:42 -05:00
parent 12e996003e
commit 9803b2f155
27 changed files with 268 additions and 55 deletions
--- a/postfix/templates/ldap_aliases.cf.tmpl
+++ b/postfix/templates/ldap_aliases.cf.tmpl
@ -0,0 +1,10 @@
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = ${LDAP_BIND_PW}
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail
--- a/postfix/templates/ldap_senders.cf.tmpl
+++ b/postfix/templates/ldap_senders.cf.tmpl
@ -0,0 +1,10 @@
+start_tls = no
+server_host = ${LDAP_SCHEME}://${LDAP_HOST}:${LDAP_PORT}
+version = 3
+bind = yes
+bind_dn = cn=bind,dc=balsillie,dc=net
+bind_pw = ${LDAP_BIND_PW}
+search_base = ou=users,dc=balsillie,dc=net
+scope = sub
+query_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(|(mailAlias=%s)(mail=%s)))
+result_attribute = mail,uid
--- a/postfix/templates/main.cf.tmpl
+++ b/postfix/templates/main.cf.tmpl
@ -0,0 +1,135 @@
+myhostname = ${POSTFIX_HOST}
+mydomain = ${POSTFIX_DOMAIN}
+myorigin = ${POSTFIX_DOMAIN}
+mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.10/32 10.96.10.254/32
+mydestination = ${POSTFIX_HOST} localhost
+
+biff = no
+bounce_queue_lifetime = 1d
+broken_sasl_auth_clients = no
+compatibility_level = 3.6
+
+header_checks = pcre:/config/header_checks.pcre
+
+inet_interfaces = all
+inet_protocols = ipv4
+
+# Not needed, lmtp uses unix socket
+# lmtp_tls_loglevel = 1
+# lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+# lmtp_tls_security_level = none
+# lmtp_tls_wrappermode = no
+# lmtp_use_tls = no
+
+local_recipient_maps =
+local_transport = local:${POSTFIX_HOST}
+
+mailbox_size_limit = 51200000
+maillog_file = /dev/stdout
+maximal_queue_lifetime = 1d
+message_size_limit = 51200000
+mime_header_checks = pcre:/config/header_checks.pcre
+
+# Milters
+milter_protocol = 6
+milter_default_action = accept
+smtpd_milters = unix:/socket/dkim
+non_smtpd_milters = unix:/socket/dkim
+
+postscreen_access_list =
+postscreen_denylist_action = drop
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_allowlist_threshold = -1
+postscreen_dnsbl_sites =
+    zen.spamhaus.org=127.0.1.[2..254]*3,
+    ix.dnsbl.manitu.net*3,
+    bl.spamcop.net,
+    b.barracudacentral.org,
+    safe.dnsbl.sorbs.net,
+    swl.spamhaus.org*-10,
+postscreen_dnsbl_threshold = 3
+postscreen_greet_action = ignore
+postscreen_greet_banner =
+postscreen_upstream_proxy_protocol =
+
+# proxy_interfaces = x.x.x.x # Set with postconf during startup
+recipient_delimiter = +
+relay_domains =
+relayhost =
+sender_dependent_relayhost_maps =
+
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps =
+smtp_tls_protocols = !SSLv2, !SSLv3
+smtp_tls_security_level = dane
+
+smtpd_banner = ${POSTFIX_HOST} ESMTP
+
+# SASL - SMTPS sasl settings specified in master.cf
+
+smtpd_sasl_auth_enable = no
+
+# SPF
+
+policyd-spf_time_limit = 3600
+
+# SMTPD restrictions
+
+smtpd_helo_required = yes
+smtpd_delay_reject = yes
+smtpd_client_restrictions = 
+    reject_unknown_reverse_client_hostname
+smtpd_helo_restrictions = 
+    reject_unknown_helo_hostname, 
+    reject_non_fqdn_helo_hostname, 
+    reject_invalid_helo_hostname
+smtpd_sender_restrictions = 
+    reject_non_fqdn_sender, 
+    reject_unknown_sender_domain
+smtpd_relay_before_recipient_restrictions = yes
+smtpd_relay_restrictions = 
+    permit_auth_destination,
+    reject_unauth_destination,
+    check_policy_service unix:private/spf
+smtpd_recipient_restrictions = 
+    reject_non_fqdn_recipient, 
+    reject_unlisted_recipient
+smtpd_data_restrictions = 
+    reject_unauth_pipelining, 
+    reject_multi_recipient_bounce
+
+# client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
+# helo , reject_rhsbl_helo dbl.spamhaus.org
+# sender , reject_rhsbl_sender dbl.spamhaus.org
+
+smtpd_tls_cert_file=/cert/tls.crt
+smtpd_tls_key_file=/cert/tls.key
+smtpd_tls_dh1024_param_file = /dh/dhparams.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_mandatory_ciphers = medium
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_security_level = encrypt
+
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
+tls_ssl_options = NO_COMPRESSION
+
+unverified_recipient_reject_code = 577
+
+virtual_alias_maps = ldap:/config/ldap_aliases.cf
+virtual_mailbox_base =
+virtual_mailbox_domains = ${POSTFIX_DOMAIN}
+virtual_mailbox_maps = ldap:/config/ldap_aliases.cf
+virtual_transport = lmtp:unix:/socket/lmtp
+
+# External IP templated at container start
+proxy_interfaces=${PUBLIC_IP}
+
+disable_dns_lookups = no
+smtp_dns_support_level = enabled
+smtp_host_lookup = dns
+smtpd_peername_lookup = yes