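---
# Ansible role defaults for the postfix container.
# Every value below may be overridden from inventory, group or host vars.

# image name
postfix_image: eumau/postfix

# container name
postfix_container: postfix

# volume holding the /etc/postfix configuration
postfix_volume: postfix

# volume holding the SSL configuration
postfix_volume_ssl: postfix_ssl

# docker network name, set by the docker role
docker_network_name: dockernet

# dovecot container name, set by the dovecot role
dovecot_container: dovecot

# published (public) ports; quoted so "25:25" is not read as a sexagesimal int
postfix_publish_ports:
  - "25:25"

# directory holding the rule tables, relative to the volume
postfix_rules_dir: rules

# accepted email domains
postfix_mail_domains: "{{ mail_domains | default(['example.com']) }}"

# postfix server domain: used for identification of the server
postfix_server_domain: "{{ postfix_mail_domains | first }}"

# postfix server identification (quoted: the value is a Jinja template)
postfix_server_name: "mail.{{ postfix_server_domain }}"

# domains considered as "local" unix domains (local server users)
# ansible_fqdn, localhost.localdomain, and localhost are always added
# regardless of this value
postfix_unix_domains: []

# networks considered "local"
# 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 are always added regardless
# of this value
postfix_local_networks: []

# domain-specific configuration
postfix_domain_config: {}

# LOOKUP TABLES ---------------------------------------------------------------

# default lookup provider
postfix_lookup_provider: file

# where mail is stored (postfix itself should not need to care about this)
postfix_mail_home: "{{ vmail_home | default('/srv/mail') }}"

# LDAP ------------------------------------------------------------------------

# Default LDAP connection parameters
postfix_ldap_server: "{{ ldap_server | default(ldap_container|default('ldap')) }}"
# plain fallback to the standard LDAP port; the former nested
# default(ldap_port|default('389')) was redundant and yielded the same value
postfix_ldap_port: "{{ ldap_port | default('389') }}"
postfix_ldap_version: "{{ ldap_version | default(3) }}"
postfix_ldap_scope: "{{ ldap_search_scope | default('sub') }}"
# bind with credentials instead of anonymously
postfix_ldap_bind: "{{ ldap_bind | default(False) }}"
postfix_ldap_bind_dn: "{{ ldap_bind_dn | default('') }}"
# bind password: a credential, so ldap_bind_password should come from an
# encrypted source (e.g. ansible-vault) rather than plain-text inventory
postfix_ldap_bind_pw: "{{ ldap_bind_password | default('') }}"
# STARTTLS is off by default; when postfix_ldap_bind is used with a password,
# enabling it keeps the bind credentials from crossing the network in clear text
postfix_ldap_start_tls: "{{ ldap_starttls | default(False) }}"
postfix_ldap_tls_ca_cert_dir: ''
postfix_ldap_tls_ca_cert_file: ''
postfix_ldap_use_group_alias: true

# SQLITE ----------------------------------------------------------------------

# %u / %s are expanded by postfix's sqlite table driver, not by Ansible
postfix_sqlite_user_query: "SELECT name FROM users WHERE name = '%u'"
postfix_sqlite_alias_query: "SELECT dest FROM aliases WHERE alias = '%s'"

# -----------------------------------------------------------------------------

# enable submission service?
postfix_submission_enable: true

# TLS -------------------------------------------------------------------------

# level of encryption to use for sending mail to the Internet
# only change this if you know what the implications are, see
# http://www.postfix.org/postconf.5.html#smtp_tls_security_level
# possible values: none|may|encrypt|dane|dane-only|fingerprint|verify|secure
postfix_outgoing_tls_security: 'may'

# level of encryption required for receiving mail from the Internet
# only change this if you know what the implications are, see
# http://www.postfix.org/postconf.5.html#smtpd_tls_security_level
postfix_incoming_tls_security: 'may'

# whether to allow insecure (plaintext) login from clients
postfix_allow_insecure_auth: false

# enable/disable tls session cache
postfix_tls_session_cache: true

# SASL ------------------------------------------------------------------------

# whether to allow SASL authentication on smtpd (MX port 25)
postfix_enable_smtpd_auth: false

# believed to have no effect
# smtpd_sasl_local_domain: $myhostname
# the default value is already noanonymous
# smtpd_sasl_security_options: noanonymous

# -----------------------------------------------------------------------------

# MESSAGE SIZE LIMIT ----------------------------------------------------------

# This value should be fine for most people. Note that increasing this limit
# does not guarantee delivery of very big emails: remote server size
# restrictions still apply.
postfix_message_size_limit: 31457280

# HELO required ---------------------------------------------------------------
postfix_helo_required: true

# biff enabled
postfix_biff: false

# postfix_bounce_queue_lifetime: 2d
# postfix_maximal_queue_lifetime: 2d
# postfix_compatibility_level = 2 DEFAULT 0

# -----------------------------------------------------------------------------

# RESTRICTIONS AND ACCESS LISTS -----------------------------------------------

# Host-based access list: PCRE table, for wildcard support
# every item should contain a 'regex' field and a corresponding 'action' field
postfix_client_access_list: []
# - regex: '172\.16\.192\.0\/24'
#   action: 'REJECT Please use alternative server'
# - regex: 'rude\.client\.com'
#   action: 'REJECT Get out!'

# Restrictions applied to SMTP clients
# NOTE: reject_unknown_client_hostname also refuses clients whose IP has no
# PTR record or whose PTR does not resolve back to the IP; if legitimate
# senders get rejected, reject_unknown_reverse_client_hostname is the milder
# variant
postfix_client_restrictions:
  - 'check_client_access pcre:/etc/postfix/{{ postfix_rules_dir }}/client_access_list'
  - permit_sasl_authenticated
  - permit_mynetworks
  - reject_unknown_client_hostname
  - reject_unauth_pipelining
  - permit

# Restrictions applied at SMTP DATA
postfix_data_restrictions:
  - reject_unauth_pipelining
  - permit

# HELO access list: reject/accept clients by their HELO hostname
# Hash table, list of items with "host" and corresponding "action" fields
postfix_helo_access_list: []
# - host: "{{ansible_ip}}"
#   action: "REJECT You can't be me. Get out!"
# - host: "{{ansible_fqdn}}"
#   action: "REJECT You can't be me. Get out!"

# Require HELO/EHLO and apply restrictions to it
# NOTE: warn_if_reject only softens the restriction that follows it; placed
# right before "permit" it appears to have no effect, which may or may not be
# intended
postfix_helo_restrictions:
  - 'check_helo_access hash:/etc/postfix/{{ postfix_rules_dir }}/helo_access_list'
  - permit_mynetworks
  - reject_non_fqdn_helo_hostname
  - reject_invalid_helo_hostname
  - warn_if_reject
  - permit

# Relay control restrictions applied at RCPT TO, before
# smtpd_recipient_restrictions
postfix_relay_restrictions:
  - permit_mynetworks
  - permit_sasl_authenticated
  - reject_unauth_destination
  - permit

# Recipient access list: reject/accept mail by RCPT TO recipients
postfix_recipient_access_list: []
# - rcpt: "emailvalidation.helpdesk01@gmail.com"
#   action: "REJECT Forbidden recipient. Get out!"

# Restrictions on the recipient given in RCPT TO
postfix_recipient_restrictions:
  - 'check_recipient_access hash:/etc/postfix/{{ postfix_rules_dir }}/recipient_access_list'
  - permit_mynetworks
  - permit_sasl_authenticated
  - reject_unknown_recipient_domain
  - reject_non_fqdn_recipient
  - reject_unauth_destination
  - permit

# Sender access list: reject/accept mail by MAIL FROM sender
postfix_sender_access_list: []
# - sender: "@addr.com"
#   action: "REJECT We're fed up with your spam. Get out!"

# Restrictions on the sender given in MAIL FROM
postfix_sender_restrictions:
  - 'check_sender_access hash:/etc/postfix/{{ postfix_rules_dir }}/sender_access_list'
  - permit_sasl_authenticated
  - permit_mynetworks
  - reject_unknown_sender_domain
  - reject_non_fqdn_sender
  - permit

# postscreen configuration ----------------------------------------------------
# see http://www.postfix.org/POSTSCREEN_README.html
# and also http://www.postfix.org/postscreen.8.html

# enable postscreen?
postfix_postscreen_enable: true

# IP allow/deny list (only ip or ip/netmask values are accepted)
postfix_postscreen_access_list: []
# action = (permit|dunno|reject). Examples:
# - address: "127.0.0.0/8"
#   action: dunno
# - address: "2001:db8::/32"
#   action: reject

# list of DNSBL sites and the weight each one contributes
# each item is either a plain string or a dict with keys:
# site, score (optional, default=1) and mask (optional, hides the list name
# from remote clients)
postfix_postscreen_dnsbl_sites:
  - site: zen.spamhaus.org
    score: 3
  - site: b.barracudacentral.org
    score: 2
  - site: bl.spameatingmonkey.net
    score: 2
    mask: spameatingmonkey.com
  - site: bl.spamcop.net
  - dnsbl.sorbs.net
  - site: psbl.surriel.com
  - bl.mailspike.net
  - site: swl.spamhaus.org
    score: -4  # whitelist
# example:
# - site: mypassword.bl.service.com
#   score: 3
#   mask: service.com

# action taken when the client is on the deny list (access_list)
postfix_postscreen_blacklist_action: drop

# enable bare_newline tests? (not recommended)
postfix_postscreen_bare_newline_enable: false

# action taken when the client fails the bare_newline test
postfix_postscreen_bare_newline_action: ignore

# action taken when the client is listed on a DNSBL (enforce|ignore|drop)
postfix_postscreen_dnsbl_action: enforce

# map deciding which DNSBLs are reported to the client as the reason for
# rejecting the connection
postfix_postscreen_dnsbl_reply_map: "pcre:$config_directory/{{ postfix_rules_dir }}/postscreen_dnsbl_reply_map.pcre"

# combined DNSBL score at which the remote host is treated as a spammer
postfix_postscreen_dnsbl_threshold: 3

# below this score no further tests are run and the client is allow-listed
postfix_postscreen_dnsbl_whitelist_threshold: -1

# action taken when the client talks before its turn (enforce|ignore|drop)
postfix_postscreen_greet_action: enforce

# time to wait in order to detect a misbehaving client
postfix_postscreen_greet_wait: "${stress?{2}:{6}}s"

# enable non-SMTP command detection? (not recommended)
postfix_postscreen_non_smtp_command_enable: false

# action taken when the non_smtp_command test fails
postfix_postscreen_non_smtp_command_action: drop

# enable pipelining tests? (not recommended)
postfix_postscreen_pipelining_enable: false

# action taken when the pipelining test fails (enforce|ignore|drop)
postfix_postscreen_pipelining_action: enforce

# -----------------------------------------------------------------------------

# Hosts considered test hosts, forced to use another server
# The value must be a valid regexp
# correo_hosts_test: []

# internal networks forced to use the submission service
# correo_forzar_submission: []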