#!/bin/bash

#postconf -M smtpd/pass
#postconf -Fh smtp/inet/private smtp/inet/unprivileged smtp/inet/chroot smtp/inet/wakeup smtp/inet/process_limit smtp/inet/command
#postconf -M smtp/inet
#postconf -M tlsproxy/unix
#postconf -M dnsblog/unix
#postconf -h postscreen_access_list
#postconf -h postscreen_dnsbl_sites
#postconf -h postscreen_dnsbl_reply_map
#postconf -h postscreen_dnsbl_action
#postconf -h postscreen_blacklist_action
#postconf -h postscreen_dnsbl_whitelist_threshold
#postconf -h postscreen_greet_action
#postconf -h postscreen_greet_wait

# NOT SUPPORTED:
#postconf -h postscreen_bare_newline_enable
#postconf -h postscreen_non_smtp_command_enable
#postconf -h postscreen_pipelining_enable
#postconf -h postscreen_bare_newline_action
#postconf -h postscreen_dnsbl_threshold
#postconf -h postscreen_non_smtp_command_action
#postconf -h postscreen_pipelining_action

{{ if eq (getv "/postscreen/enable") "yes"}}
postconf -M smtpd/pass="smtpd pass - - n - - smtpd"
postconf -F smtpd/pass/private=- \
	 smtpd/pass/unprivileged=- \
	 smtpd/pass/chroot=n \
         smtpd/pass/wakeup=- \
	 smtpd/pass/process_limit=- \
	 smtpd/pass/command="smtpd"
postconf -F smtp/inet/private=n \
	 smtp/inet/unprivileged=- \
	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
	 smtp/inet/process_limit=1 \
	 smtp/inet/command="postscreen"
postconf -M tlsproxy/unix="tlsproxy unix - - n - 0 tlsproxy"
postconf -F tlsproxy/unix/private=- \
	 tlsproxy/unix/unprivileged=- \
	 tlsproxy/unix/chroot=n \
         tlsproxy/unix/wakeup=- \
	 tlsproxy/unix/process_limit=0 \
	 tlsproxy/unix/command="tlsproxy"
postconf -M dnsblog/unix="dnsblog unix - - n - 0 dnsblog"
postconf -F dnsblog/unix/private=- \
	 dnsblog/unix/unprivileged=- \
	 dnsblog/unix/chroot=n \
         dnsblog/unix/wakeup=- \
	 dnsblog/unix/process_limit=0 \
	 dnsblog/unix/command="dnsblog"

# FIXME: template tables instead of creating empty files
touch /etc/postfix/rules/postscreen_access_list.cidr
touch /etc/postfix/rules/postscreen_dnsbl_mask.pcre

# main.cf options
postconf -e postscreen_access_list="cidr:/etc/postfix/rules/postscreen_access_list.cidr, permit_mynetworks"
postconf -e postscreen_dnsbl_sites="zen.spamhaus.org*3, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net, swl.spamhaus.org*-4"
postconf -e postscreen_dnsbl_reply_map="pcre:/etc/postfix/rules/postscreen_dnsbl_mask.pcre"
postconf -e postscreen_blacklist_action="drop"
postconf -e postscreen_dnsbl_action="enforce"
postconf -e postscreen_dnsbl_threshold="3"
postconf -e postscreen_dnsbl_whitelist_threshold="-1"
postconf -e postscreen_greet_action="enforce"

{{ else }}

# disable postscreen
postconf -M# smtpd/pass
postconf -F smtp/inet/private=n \
	 smtp/inet/unprivileged=- \
	 smtp/inet/chroot=n \
         smtp/inet/wakeup=- \
	 smtp/inet/process_limit=- \
	 smtp/inet/command="smtpd"
postconf -M# dnsblog/unix

{{ end }}

# TODO: access list:
# # Ansible-generated postscreen CIDR access table. You can change this
# # file by setting the host variable `postfix_postscreen_access_list`
# {% for entry in postfix_postscreen_access_list -%}
# { { entry.address } } { { entry.action } }
# {% endfor %}

# TODO: reply map:
# # postscreen reply map, matching entries will be replaced
# # with the resulting text when telling the source of DNS
# # blacklisting to the remote client.
# # used to mask passwords contained in dnsbl names
# # edit this file by setting the "mask" option for items
# # in the host variable postfix_postscreen_dnsbl_sites
# {% for entry in postfix_postscreen_dnsbl_sites -%}
# {% if entry is mapping -%}{% if entry.mask is defined -%}
# {% if entry.mask is string and entry.mask != "" -%}
# /^{ { entry.site } }$/ { { entry.mask } }
# {% else %}
# /^{ { entry.site } }$/ dnsbl blacklist
# {% endif %}{% endif %}{% endif %}{% endfor %}