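---
# Ansible role defaults for the containerised Postfix MTA. Every value may be
# overridden from inventory / group_vars; the ones to review before deploying
# are the trusted networks and the relay/access lists further down.
#
# DOCKER ----------------------------------------------------------------------
# image name
postfix_image: eumau/postfix
# container name
postfix_container: postfix
# volume holding the /etc/postfix configuration
postfix_volume: postfix
# volume holding the TLS (SSL) material
postfix_volume_ssl: postfix_ssl
# docker network name, set by the docker role
docker_network_name: dockernet
# dovecot container name, set by the dovecot role
dovecot_container: dovecot
# published host:container ports.
# Quoted on purpose: under Ansible's YAML 1.1 loader an unquoted `25:25` is a
# sexagesimal integer (25*60+25 = 1525), so the MX port would never be
# published as 25. `587:587` only survived because 587 has three digits.
# Keep every entry quoted when overriding this list.
postfix_publish_ports:
- '25:25'
- '587:587'
# rules directory, relative to the configuration volume
postfix_rules_dir: rules
# accepted email domains
postfix_mail_domains: "{{ mail_domains | default(['example.com']) }}"
# postfix server domain: used for identification of the server
# (the first accepted domain; `first` fails on an empty mail_domains list)
postfix_server_domain: "{{ postfix_mail_domains | first }}"
# postfix server identification
postfix_server_name: mail.{{ postfix_server_domain }}
# domains considered as "local" unix domains (local server users)
# ansible_fqdn, localhost.localdomain, and localhost are always added regardless of this value
postfix_unix_domains: []
# networks considered "local"
# 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 are always added regardless of this value
# SECURITY: these networks are presumably what `permit_mynetworks` trusts in the
# relay / recipient / sender / HELO / client restrictions below, i.e. hosts in
# them may relay without authenticating. Do not add the whole docker network or
# a broad LAN range unless every host on it is trusted to send mail.
postfix_local_networks: []
# domain-specific configuration
postfix_domain_config: {}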
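# LOOKUP TABLES ---------------------------------------------------------------
# default lookup provider (`file`; LDAP and SQLite parameters follow)
postfix_lookup_provider: file
# where mail is stored (postfix itself should not need to care)
postfix_mail_home: "{{ vmail_home | default('/srv/mail') }}"
# LDAP ------------------------------------------------------------------------
# Default LDAP connection parameters
postfix_ldap_server: "{{ ldap_server | default(ldap_container|default('ldap')) }}"
# (was `ldap_port | default(ldap_port|default('389'))`; the nested default is
# redundant, a single fallback yields exactly the same value)
postfix_ldap_port: "{{ ldap_port | default('389') }}"
postfix_ldap_version: "{{ ldap_version | default(3) }}"
postfix_ldap_scope: "{{ ldap_search_scope | default('sub') }}"
# Bind credentials; anonymous bind by default. When enabling a bind, source
# ldap_bind_password from ansible-vault or an external secret store rather
# than plain inventory. It presumably also ends up in the Postfix LDAP table
# file on the configuration volume, so that file needs protecting as well.
postfix_ldap_bind: "{{ ldap_bind | default(False) }}"
postfix_ldap_bind_dn: "{{ ldap_bind_dn | default('') }}"
postfix_ldap_bind_pw: "{{ ldap_bind_password | default('') }}"
# STARTTLS towards the LDAP server. Off by default, so queries (and the bind
# password, if any) cross the docker network in clear text. When enabling it,
# also set one of the CA options below so the server certificate can be
# verified, and check that the template turns on the table's tls_require_cert
# too; Postfix's own default for it is "no", which makes the CA meaningless.
postfix_ldap_start_tls: "{{ ldap_starttls | default(False) }}"
postfix_ldap_tls_ca_cert_dir: ''
postfix_ldap_tls_ca_cert_file: ''
# use LDAP group entries as aliases (presumably; see the lookup template)
postfix_ldap_use_group_alias: yes
# SQLITE ----------------------------------------------------------------------
# Postfix SQL-quotes the %u / %s substitutions itself (see sqlite_table(5)), so
# keep the quotes around them and do not splice other untrusted input into
# these queries.
postfix_sqlite_user_query: "SELECT name FROM users WHERE name = '%u'"
postfix_sqlite_alias_query: "SELECT dest FROM aliases WHERE alias = '%s'"
# -----------------------------------------------------------------------------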
# SUBMISSION ------------------------------------------------------------------
# run the submission service for authenticated clients?
postfix_submission_enable: true
# TLS -------------------------------------------------------------------------
# TLS level for mail we SEND to the Internet (smtp_tls_security_level).
# `may` is opportunistic: TLS is used when the remote MX offers it, but the
# remote certificate is not verified and an active attacker can strip
# STARTTLS. Stronger levels (dane, verify, secure) need DNSSEC or a trusted CA
# set and can make delivery fail; only change this if you know what the
# implications are, see
# http://www.postfix.org/postconf.5.html#smtp_tls_security_level
# possible values: none|may|encrypt|dane|dane-only|fingerprint|verify|secure
postfix_outgoing_tls_security: may
# TLS level for mail we RECEIVE from the Internet (smtpd_tls_security_level).
# `may` (opportunistic) is what a public MX has to offer; the Postfix docs say
# `encrypt` MUST NOT be used on a publicly referenced MX (RFC 2487). Only
# change this if you know what the implications are, see
# http://www.postfix.org/postconf.5.html#smtpd_tls_security_level
postfix_incoming_tls_security: may
# allow plaintext (unencrypted) client logins? Keep this off: with it on,
# credentials travel over the network in the clear.
postfix_allow_insecure_auth: false
# enable/disable the TLS session cache
postfix_tls_session_cache: true
# SASL ------------------------------------------------------------------------
# offer SASL AUTH on the MX smtpd (port 25)? Off by default, so AUTH is
# presumably only offered on the submission service.
postfix_enable_smtpd_auth: false
# I think this is useless
# smtpd_sasl_local_domain: $myhostname
# the default value is already noanonymous
# smtpd_sasl_security_options: noanonymous
# -----------------------------------------------------------------------------
# MESSAGE SIZE LIMIT ----------------------------------------------------------
# 30 MiB, in bytes. This value should be fine for most people. Note that
# raising this limit does not guarantee delivery of very big emails: remote
# server size restrictions still apply.
postfix_message_size_limit: 31457280
# HELO required ---------------------------------------------------------------
# require HELO/EHLO before MAIL FROM
postfix_helo_required: true
# biff notifications for local users (typically irrelevant in a container)
postfix_biff: false
# postfix_bounce_queue_lifetime: 2d
# postfix_maximal_queue_lifetime: 2d
# postfix_compatibility_level = 2 DEFAULT 0
# -----------------------------------------------------------------------------
# RESTRICTIONS AND ACCESS LISTS -----------------------------------------------
# Each list below is presumably rendered into the Postfix smtpd_*_restrictions
# parameter of the same name. Order matters: Postfix stops at the first
# restriction that decides (permit or reject).
#
# Host-based access list: PCRE table, for wildcard support
# every item should contain a 'regex' field and a corresponding 'action' field
# NOTE(review): a PCRE is searched (not anchored) against the client hostname /
# IP address text. The original example '172\.16\.192\.0\/24' would only ever
# match that literal string, never an address inside the network, and an
# unanchored 'rude\.client\.com' also matches 'notrude.client.com'. Use a cidr:
# table for networks, or anchor a prefix as in the examples below.
postfix_client_access_list: []
# - regex: '^172\.16\.192\.'
#   action: 'REJECT Please use alternative server'
# - regex: '^rude\.client\.com$'
#   action: 'REJECT Get out!'
# Restrictions applied to connecting SMTP clients
postfix_client_restrictions:
- check_client_access pcre:{{ postfix_rules_dir }}/client_access_list
- permit_sasl_authenticated
- permit_mynetworks
# NOTE(review): reject_unknown_client_hostname is the strict variant: it also
# rejects clients whose PTR does not resolve back to the connecting address and
# clients hit by a temporary DNS error, so legitimate mail from hosts with
# sloppy DNS is lost. reject_unknown_reverse_client_hostname (no PTR at all)
# is the milder choice.
- reject_unknown_client_hostname
- reject_unauth_pipelining
- permit
# Restrictions applied at SMTP DATA
postfix_data_restrictions:
- reject_unauth_pipelining
- permit
# HELO access list: reject/accept clients by their HELO hostname
# Hash table, list of items with "host" and corresponding "action" fields
# (typical use: reject clients that HELO with our own address or hostname;
# note that `ansible_ip` is not a built-in fact, use e.g.
# ansible_default_ipv4.address)
postfix_helo_access_list: []
# - host: "{{ansible_ip}}"
#   action: "REJECT You can't be me. Get out!"
# - host: "{{ansible_fqdn}}"
#   action: "REJECT You can't be me. Get out!"
# Require HELO/EHLO and apply restrictions to it
postfix_helo_restrictions:
- check_helo_access hash:{{ postfix_rules_dir }}/helo_access_list
- permit_mynetworks
- reject_non_fqdn_helo_hostname
- reject_invalid_helo_hostname
# NOTE(review): warn_if_reject only affects the single restriction that follows
# it; in front of `permit` it does nothing. If it was meant to soft-test the two
# reject_*_helo_hostname rules above, it has to be placed before each of them.
- warn_if_reject
- permit
# Relay-control restrictions applied at RCPT TO, before smtpd_recipient_restrictions.
# This is the relay gate: only local networks and authenticated users may send
# to non-local destinations. reject_unauth_destination must stay, otherwise the
# server becomes an open relay.
postfix_relay_restrictions:
- permit_mynetworks
- permit_sasl_authenticated
- reject_unauth_destination
- permit
# Recipient access list: reject/accept mail by RCPT TO recipients
postfix_recipient_access_list: []
# - rcpt: "emailvalidation.helpdesk01@gmail.com"
#   action: "REJECT Forbidden recipient. Get out!"
# Restrictions on the recipient given in RCPT TO. reject_unauth_destination is
# repeated here as a second line of defence behind the relay check above.
postfix_recipient_restrictions:
- check_recipient_access hash:{{ postfix_rules_dir }}/recipient_access_list
- permit_mynetworks
- permit_sasl_authenticated
- reject_unknown_recipient_domain
- reject_non_fqdn_recipient
- reject_unauth_destination
- permit
# Sender access list: reject/accept mail by MAIL FROM sender
postfix_sender_access_list: []
# - sender: "@addr.com"
#   action: "REJECT We're fed up with your spam. Get out!"
# Restrictions on the sender given in MAIL FROM
# NOTE(review): nothing here ties an authenticated login to the MAIL FROM
# address (reject_authenticated_sender_login_mismatch + smtpd_sender_login_maps).
# Unless the submission service adds that elsewhere, any authenticated account
# can send as any address, including other local users' - verify against the
# master.cf / main.cf templates.
postfix_sender_restrictions:
- check_sender_access hash:{{ postfix_rules_dir }}/sender_access_list
- permit_sasl_authenticated
- permit_mynetworks
- reject_unknown_sender_domain
- reject_non_fqdn_sender
- permit
# postscreen configuration ----------------------------------------------------
# see http://www.postfix.org/POSTSCREEN_README.html
# and also http://www.postfix.org/postscreen.8.html
# enable postscreen? (cheap pre-filter in front of smtpd on the MX port)
postfix_postscreen_enable: yes
# IP allow/deny list (only ip and ip/netmask values are accepted)
postfix_postscreen_access_list: []
# action = (permit|dunno|reject). Examples:
# - address: "127.0.0.0/8"
#   action: dunno
# - address: "2001:db8::/32"
#   action: reject
# DNSBL sites and their weights, used as the dnsbl criterion.
# Each item is either a plain string (the site, score 1) or a dict with keys
# .site, .score (optional, default=1) and .mask (optional, to hide the list
# name from remote clients). (The original comment called the key `.item`;
# the entries below and the example use `site`.)
# NOTE(review): with the threshold of 3 below, a single zen.spamhaus.org hit
# rejects on its own. Spamhaus answers 127.255.255.x error codes instead of
# listings when queried through public/open resolvers or over quota; if the
# role can pass Postfix's return-code filter (e.g. zen.spamhaus.org=127.0.0.[2..11])
# use it so those codes are not scored, otherwise make sure the container
# resolves through a local, non-public resolver.
postfix_postscreen_dnsbl_sites:
- site: zen.spamhaus.org
  score: 3
- site: b.barracudacentral.org
  score: 2
- site: bl.spameatingmonkey.net
  score: 2
  mask: spameatingmonkey.com
- site: bl.spamcop.net
- dnsbl.sorbs.net
- site: psbl.surriel.com
- bl.mailspike.net
- site: swl.spamhaus.org
  score: -4 # whitelist
# example:
# - site: mypassword.bl.service.com
#   score: 3
#   mask: service.com
# action when the client is on the deny list (access_list)
postfix_postscreen_blacklist_action: drop
# enable the bare_newline test? (not recommended)
postfix_postscreen_bare_newline_enable: no
# action when the client fails the bare_newline test
postfix_postscreen_bare_newline_action: ignore
# action when the client is on a dnsbl (enforce|ignore|drop)
postfix_postscreen_dnsbl_action: enforce
# map deciding which dnsbls are reported to the client as the reason for
# rejecting the connection
# NOTE(review): this path is hard-coded to "$config_directory/reglas/..." while
# every other table uses {{ postfix_rules_dir }} (default "rules"). Unless the
# template creates a "reglas" directory, postscreen cannot open this map;
# verify, and consider "$config_directory/{{ postfix_rules_dir }}/..." instead.
postfix_postscreen_dnsbl_reply_map: "pcre:$config_directory/reglas/postscreen_dnsbl_reply_map.pcre"
# combined dnsbl score at which (inclusive) the remote host is treated as a spammer
postfix_postscreen_dnsbl_threshold: 3
# at or below this score no further tests are run and the client is allowlisted
postfix_postscreen_dnsbl_whitelist_threshold: -1
# action when the client talks before its turn (enforce|ignore|drop)
postfix_postscreen_greet_action: enforce
# how long to wait to detect a bad client (matches Postfix's own
# stress-dependent default)
postfix_postscreen_greet_wait: "${stress?{2}:{6}}s"
# enable non-smtp command detection? (not recommended)
postfix_postscreen_non_smtp_command_enable: no
# action when the non_smtp_command test fails
postfix_postscreen_non_smtp_command_action: drop
# enable the pipelining test? (not recommended)
postfix_postscreen_pipelining_enable: no
# action when the pipelining test fails (enforce|ignore|drop)
postfix_postscreen_pipelining_action: enforce
# -----------------------------------------------------------------------------
# Hosts considered test hosts, forced to use another server
# The value must be a valid regexp
# correo_hosts_test: []
# internal networks forced to use the submission service
# correo_forzar_submission: []