Gomplate + Debian 13

templates/start.d/setup_main

@@ -0,0 +1,105 @@
+#!/bin/bash
+set -e
+
+postconf maillog_file=/dev/stdout
+postconf alias_maps=hash:/etc/aliases
+{{- if getenv "BIFF" }}
+postconf biff='{{ getenv "BIFF" }}'
+{{- end }}
+{{- if getenv "MESSAGE_SIZE_LIMIT" }}
+postconf message_size_limit='{{ getenv "MESSAGE_SIZE_LIMIT" }}'
+{{- end }}
+{{- if getenv "MYDESTINATION" }}
+postconf mydestination='{{ getenv "MYDESTINATION" }}'
+{{- end }}
+{{- if getenv "MYDOMAIN" }}
+postconf mydomain='{{ getenv "MYDOMAIN" }}'
+{{- end }}
+{{- if getenv "MYHOSTNAME" }}
+postconf myhostname='{{ getenv "MYHOSTNAME" }}'
+{{- end }}
+{{- if getenv "MYNETWORKS" }}
+postconf mynetworks='{{ getenv "MYNETWORKS" }}'
+{{- end }}
+{{- if getenv "MYNETWORKS_STYLE" }}
+postconf mynetworks_style='{{ getenv "MYNETWORKS_STYLE" }}'
+{{- end }}
+{{- if getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }}
+postconf propagate_unmatched_extensions='{{ getenv "PROPAGATE_UNMATCHED_EXTENSIONS" }}'
+{{- end }}
+{{- if getenv "RECIPIENT_DELIMITER" }}
+postconf recipient_delimiter='{{ getenv "RECIPIENT_DELIMITER" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_SECURITY_LEVEL" }}
+postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}'
+{{- end }}
+{{- if getenv "SMTPD_CLIENT_RESTRICTIONS" }}
+postconf smtpd_client_restrictions='{{ getenv "SMTPD_CLIENT_RESTRICTIONS" }}'
+{{- end }}
+{{- if getenv "SMTPD_DATA_RESTRICTIONS" }}
+postconf smtpd_data_restrictions='{{ getenv "SMTPD_DATA_RESTRICTIONS" }}'
+{{- end }}
+{{- if getenv "SMTPD_HELO_REQUIRED" }}
+postconf smtpd_helo_required='{{ getenv "SMTPD_HELO_REQUIRED" }}'
+{{- end }}
+{{- if getenv "SMTPD_HELO_RESTRICTIONS" }}
+postconf smtpd_helo_restrictions='{{ getenv "SMTPD_HELO_RESTRICTIONS" }}'
+{{- end }}
+{{- if getenv "SMTPD_RECIPIENT_RESTRICTIONS" }}
+postconf smtpd_recipient_restrictions='{{ getenv "SMTPD_RECIPIENT_RESTRICTIONS" }}'
+{{- end }}
+{{- if getenv "SMTPD_RELAY_RESTRICTIONS" }}
+postconf smtpd_relay_restrictions='{{ getenv "SMTPD_RELAY_RESTRICTIONS" }}'
+{{- end }}
+{{- if getenv "SMTPD_SASL_AUTH_ENABLE" }}
+postconf smtpd_sasl_auth_enable='{{ getenv "SMTPD_SASL_AUTH_ENABLE" }}'
+{{- end }}
+{{- if getenv "SMTPD_SASL_PATH" }}
+postconf smtpd_sasl_path='{{ getenv "SMTPD_SASL_PATH" }}'
+{{- end }}
+{{- if getenv "SMTPD_SASL_TYPE" }}
+postconf smtpd_sasl_type='{{ getenv "SMTPD_SASL_TYPE" }}'
+{{- end }}
+{{- if getenv "SMTPD_TLS_AUTH_ONLY" }}
+postconf smtpd_tls_auth_only='{{ getenv "SMTPD_TLS_AUTH_ONLY" }}'
+{{- end }}
+{{- if getenv "SMTPD_TLS_CERT_FILE" }}
+postconf smtpd_tls_cert_file='{{ getenv "SMTPD_TLS_CERT_FILE" }}'
+{{- end }}
+{{- if getenv "SMTPD_TLS_KEY_FILE" }}
+postconf smtpd_tls_key_file='{{ getenv "SMTPD_TLS_KEY_FILE" }}'
+{{- end }}
+{{- if getenv "SMTPD_TLS_SECURITY_LEVEL" }}
+postconf smtpd_tls_security_level='{{ getenv "SMTPD_TLS_SECURITY_LEVEL" }}'
+{{- end }}
+{{- if getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }}
+postconf smtpd_tls_session_cache_database='{{ getenv "SMTPD_TLS_SESSION_CACHE_DATABASE" }}'
+{{- end }}
+{{- if getenv "SMTPUTF8_ENABLE" }}
+postconf smtputf8_enable='{{ getenv "SMTPUTF8_ENABLE" }}'
+{{- end }}
+{{- if getenv "VIRTUAL_ALIAS_MAPS" }}
+postconf virtual_alias_maps='{{ getenv "VIRTUAL_ALIAS_MAPS" }}'
+{{- end }}
+{{- if getenv "VIRTUAL_MAILBOX_DOMAINS" }}
+postconf virtual_mailbox_domains='{{ getenv "VIRTUAL_MAILBOX_DOMAINS" }}'
+{{- end }}
+{{- if getenv "VIRTUAL_MAILBOX_MAPS" }}
+postconf virtual_mailbox_maps='{{ getenv "VIRTUAL_MAILBOX_MAPS" }}'
+{{- end }}
+{{- if getenv "VIRTUAL_TRANSPORT" }}
+postconf virtual_transport='{{ getenv "VIRTUAL_TRANSPORT" }}'
+{{- end }}
+
+postconf -M spamfilter/unix | grep -q spamfilter || {
+    postconf -M spamfilter/unix="spamfilter unix - n n - - pipe"
+}
+postconf -F spamfilter/unix/private=- \
+         spamfilter/unix/unprivileged=n \
+         spamfilter/unix/chroot=n \
+         spamfilter/unix/wakeup=- \
+         spamfilter/unix/process_limit=- \
+         spamfilter/unix/command='pipe flags=Rq user=vmail argv=/usr/local/bin/spamfilter -oi -f ${sender} ${recipient}'
+
+# run postmap for all lookup tables
+postmap_all

templates/start.d/setup_milter

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+{{- if getenv "INTERNAL_MAIL_FILTER_CLASSES" }}
+postconf internal_mail_filter_classes='{{ getenv "INTERNAL_MAIL_FILTER_CLASSES" }}'
+{{- end }}
+{{- if getenv "MILTER_DEFAULT_ACTION" }}
+postconf milter_default_action='{{ getenv "MILTER_DEFAULT_ACTION" }}'
+{{- end }}
+{{- if getenv "NON_SMTPD_MILTERS" }}
+postconf non_smtpd_milters='{{ getenv "NON_SMTPD_MILTERS" }}'
+{{- end }}
+{{- if getenv "SMTPD_MILTERS" }}
+postconf smtpd_milters='{{ getenv "SMTPD_MILTERS" }}'
+{{- end }}

templates/start.d/setup_postscreen

@@ -0,0 +1,88 @@
+#!/bin/bash
+set -e
+
+{{ if eq (getenv "POSTSCREEN_ENABLE") "yes" -}}
+postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
+postconf -F smtpd/pass/private=- \
+	 smtpd/pass/unprivileged=- \
+	 smtpd/pass/chroot=n \
+         smtpd/pass/wakeup=- \
+	 smtpd/pass/process_limit=- \
+	 smtpd/pass/command="smtpd"
+postconf -F smtp/inet/private=n \
+	 smtp/inet/unprivileged=- \
+	 smtp/inet/chroot=n \
+         smtp/inet/wakeup=- \
+	 smtp/inet/process_limit=1 \
+	 smtp/inet/command="postscreen"
+postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
+postconf -F tlsproxy/unix/private=- \
+	 tlsproxy/unix/unprivileged=- \
+	 tlsproxy/unix/chroot=n \
+         tlsproxy/unix/wakeup=- \
+	 tlsproxy/unix/process_limit=0 \
+	 tlsproxy/unix/command="tlsproxy"
+postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
+postconf -F dnsblog/unix/private=- \
+	 dnsblog/unix/unprivileged=- \
+	 dnsblog/unix/chroot=n \
+         dnsblog/unix/wakeup=- \
+	 dnsblog/unix/process_limit=0 \
+	 dnsblog/unix/command="dnsblog"
+
+{{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}}
+postconf -P smtpd/pass/content_filter=spamfilter
+{{ else -}}
+postconf -X -P smtpd/pass/content_filter
+{{ end -}}
+
+# FIXME: template tables instead of creating empty files
+touch /etc/postfix/rules/postscreen_access_list.cidr
+touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre
+
+# main.cf options
+{{- if getenv "POSTSCREEN_ACCESS_LIST" }}
+postconf -e postscreen_access_list='{{ getenv "POSTSCREEN_ACCESS_LIST" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_BLACKLIST_ACTION" }}
+postconf -e postscreen_blacklist_action='{{ getenv "POSTSCREEN_BLACKLIST_ACTION" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_DNSBL_ACTION" }}
+postconf -e postscreen_dnsbl_action='{{ getenv "POSTSCREEN_DNSBL_ACTION" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_DNSBL_REPLY_MAP" }}
+postconf -e postscreen_dnsbl_reply_map='{{ getenv "POSTSCREEN_DNSBL_REPLY_MAP" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_DNSBL_SITES" }}
+postconf -e postscreen_dnsbl_sites='{{ getenv "POSTSCREEN_DNSBL_SITES" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_DNSBL_THRESHOLD" }}
+postconf -e postscreen_dnsbl_threshold='{{ getenv "POSTSCREEN_DNSBL_THRESHOLD" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }}
+postconf -e postscreen_dnsbl_whitelist_threshold='{{ getenv "POSTSCREEN_DNSBL_WHITELIST_THRESHOLD" }}'
+{{- end }}
+{{- if getenv "POSTSCREEN_GREET_ACTION" }}
+postconf -e postscreen_greet_action='{{ getenv "POSTSCREEN_GREET_ACTION" }}'
+{{- end }}
+
+{{ else -}}
+
+# disable postscreen
+postconf -M# smtpd/pass
+postconf -F smtp/inet/private=n \
+	 smtp/inet/unprivileged=- \
+	 smtp/inet/chroot=n \
+         smtp/inet/wakeup=- \
+	 smtp/inet/process_limit=- \
+	 smtp/inet/command="smtpd"
+
+{{ if eq (getenv "BOGOFILTER_ENABLE") "yes" -}}
+postconf -P smtp/inet/content_filter=spamfilter
+{{ else -}}
+postconf -X -P smtp/inet/content_filter
+{{ end -}}
+
+postconf -M# dnsblog/unix
+
+{{ end -}}

templates/start.d/setup_relayhost

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+{{- if getenv "RELAYHOST" }}
+postconf relayhost='{{ getenv "RELAYHOST" }}'
+{{- end }}
+{{- if getenv "SMTP_FALLBACK_RELAY" }}
+postconf smtp_fallback_relay='{{ getenv "SMTP_FALLBACK_RELAY" }}'
+{{- end }}
+{{- if getenv "SMTP_SASL_AUTH_ENABLE" }}
+postconf smtp_sasl_auth_enable='{{ getenv "SMTP_SASL_AUTH_ENABLE" }}'
+{{- end }}
+{{- if getenv "SMTP_SASL_PASSWORD_MAPS" }}
+postconf smtp_sasl_password_maps='{{ getenv "SMTP_SASL_PASSWORD_MAPS" }}'
+{{- end }}
+{{- if getenv "SMTP_SASL_SECURITY_OPTIONS" }}
+postconf smtp_sasl_security_options='{{ getenv "SMTP_SASL_SECURITY_OPTIONS" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_CAFILE" }}
+postconf smtp_tls_CAfile='{{ getenv "SMTP_TLS_CAFILE" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }}
+postconf smtp_tls_mandatory_protocols='{{ getenv "SMTP_TLS_MANDATORY_PROTOCOLS" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }}
+postconf smtp_tls_note_starttls_offer='{{ getenv "SMTP_TLS_NOTE_STARTTLS_OFFER" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_SECURITY_LEVEL" }}
+postconf smtp_tls_security_level='{{ getenv "SMTP_TLS_SECURITY_LEVEL" }}'
+{{- end }}
+{{- if getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }}
+postconf smtp_tls_session_cache_database='{{ getenv "SMTP_TLS_SESSION_CACHE_DATABASE" }}'
+{{- end }}

templates/start.d/setup_submission

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+{{ if eq (getenv "SUBMISSION_ENABLE") "yes" -}}
+postconf -M submission/inet="submission inet n - n - - smtpd"
+postconf -F submission/inet/private=n \
+	 submission/inet/unprivileged=- \
+	 submission/inet/chroot=n submission/inet/wakeup=- \
+	 submission/inet/process_limit=- \
+	 submission/inet/command="smtpd"
+postconf -P -e submission/inet/milter_macro_daemon_name="ORIGINATING"
+postconf -P -e submission/inet/smtpd_client_restrictions="permit_sasl_authenticated,reject"
+postconf -P -e submission/inet/smtpd_helo_restrictions="permit"
+postconf -P -e submission/inet/smtpd_sasl_auth_enable="yes"
+postconf -P -e submission/inet/smtpd_tls_security_level="encrypt"
+postconf -P -e submission/inet/syslog_name="postfix/submission"
+{{ else -}}
+postconf -M# submission/inet
+{{ end -}}

templates/start.d/spamfilter

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# pass mail through spam filter Bogofilter
+# arguments are passed on to sendmail
+
+/usr/bin/bogofilter -d /vmail/bogofilter -p {{ if getenv "BOGOFILTER_HAM_CUTOFF" }}--ham-cutoff '{{ getenv "BOGOFILTER_HAM_CUTOFF" }}'{{ end }} {{ if getenv "BOGOFILTER_SPAM_CUTOFF" }}--spam-cutoff '{{ getenv "BOGOFILTER_SPAM_CUTOFF" }}'{{ end }} | /usr/sbin/sendmail "$@"