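---
# Salt pillar for the openSUSE mail relay: the Postfix main.cf and aliases
# values consumed by the postfix formula, plus the packages the profile
# installs. Postfix wants its own yes/no strings, so every such value is a
# quoted string here and never a YAML boolean.
profile:
  postfix:
    aliases:
      root: admin-auto@opensuse.org
    maincf:
      relayhost: ''
      recipient_delimiter: '+'
      smtpd_banner: '$myhostname ESMTP $mail_name ($mail_version)'
      delay_warning_time: '0h'
      inet_interfaces: 'all'
      mydestination: '$myhostname, localhost.$mydomain'
      myhostname: '{{grains.host}}.opensuse.org'
      # smtpd_relay_restrictions is not set in this pillar, so the Postfix
      # default (permit_mynetworks, permit_sasl_authenticated,
      # defer_unauth_destination) applies and every host on this machine's
      # own subnets may relay through it.
      # NOTE(review): confirm 'subnet' is the intended relay scope; 'host'
      # would limit $mynetworks to the machine itself.
      mynetworks_style: 'subnet'
      alias_maps: ''
      canonical_maps: ''
      relocated_maps: ''
      transport_maps: 'lmdb:/etc/postfix/transport,lmdb:/etc/postfix/ratelimit'
      message_size_limit: 10000000
      strict_rfc821_envelopes: 'no'
      smtpd_client_restrictions: ''
      smtpd_helo_restrictions: ''
      smtpd_sender_restrictions: 'check_sender_access lmdb:/etc/postfix/manually-blocked-users,permit'
      # Folded with '>-' so the rendered value is a single line without a
      # trailing newline. Order matters: the reject_* checks run before the
      # access maps, and reject_unlisted_recipient comes before the final permit.
      smtpd_recipient_restrictions: >-
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_invalid_hostname,
        check_recipient_access pcre:/etc/postfix/bounce-old-mlmmj.pcre,
        check_helo_access pcre:/etc/postfix/greylist_helos.pcre,
        check_client_access pcre:/etc/postfix/suspicious_client.pcre,
        check_recipient_access lmdb:/etc/postfix/handling_special_recipients,
        reject_unlisted_recipient,
        permit
      smtp_sasl_auth_enable: 'no'
      # smtp_use_tls / smtpd_use_tls are the pre-2.3 knobs; the
      # *_tls_security_level settings override them. Both are kept so the
      # rendered main.cf does not change.
      smtp_use_tls: 'yes'
      # Opportunistic TLS: encrypt when the peer offers it, never refuse mail
      # over plaintext. Client-side verification is not required at 'may'.
      smtp_tls_security_level: 'may'
      # SMTP AUTH is only advertised/accepted inside a TLS session, so
      # credentials never cross the wire in the clear.
      smtpd_tls_auth_only: 'yes'
      smtp_tls_loglevel: 1
      smtp_tls_CApath: '/etc/ssl/certs'
      smtpd_use_tls: 'yes'
      smtpd_tls_security_level: 'may'
      smtpd_tls_loglevel: 1
      smtpd_tls_CAfile: '/etc/postfix/LetsEncryptCA_chain.crt'
      smtpd_tls_CApath: '/etc/ssl/certs'
      # Dual RSA + ECDSA server certificates. Key paths carry no leading
      # whitespace (Postfix strips it in main.cf, but it is noise in the pillar).
      smtpd_tls_cert_file: '/etc/postfix/star_opensuse_org_rsa_letsencrypt.crt'
      smtpd_tls_key_file: '/etc/postfix/star_opensuse_org_rsa_letsencrypt_key.pem'
      smtpd_tls_eccert_file: '/etc/postfix/star_opensuse_org_ecdsa_letsencrypt.crt'
      smtpd_tls_eckey_file: '/etc/postfix/star_opensuse_org_ecdsa_letsencrypt_key.pem'
      # 20200709 I have some names in /etc/hosts that are needed
      # (presumably the 'postsrsd' host used by the canonical maps below).
      smtp_host_lookup: 'native'
      # 20200708 see http://www.postfix.org/SMTPUTF8_README.html
      smtputf8_enable: 'no'
      smtpd_tls_received_header: 'yes'
      # 2021-09-16 updated by lrupp due to Vul-Scan report
      # used https://ssl-config.mozilla.org/#server=postfix&version=3.4.7&config=intermediate&openssl=1.1.1d&guideline=5.6
      # as reference for the configuration
      # Protocol floor is TLS 1.2 for both opportunistic and mandatory sessions,
      # inbound (smtpd_*) and outbound (smtp_*).
      smtpd_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
      smtpd_tls_mandatory_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
      smtp_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
      smtp_tls_mandatory_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
      # 'medium' is also the default grade for opportunistic sessions
      # (smtpd_tls_ciphers), so the tls_medium_cipherlist override below
      # applies to every inbound TLS session, not only mandatory ones.
      smtpd_tls_mandatory_ciphers: 'medium'
      # AEAD-only, forward-secret suites (Mozilla intermediate profile).
      tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
      # Client cipher preference wins, as in the Mozilla intermediate profile.
      tls_preempt_cipherlist: 'no'

      # 20160303 forward secrecy
      # The "dh1024" parameter is the file used for all DHE suites; it holds
      # 2048-bit parameters despite the legacy parameter name.
      smtpd_tls_dh1024_param_file: '/etc/postfix/dh2048.pem'
      # NOTE(review): the 512-bit file only serves legacy EXPORT suites, which
      # the cipher list above never offers; presumably a no-op that can be
      # dropped once confirmed against the installed Postfix/OpenSSL.
      smtpd_tls_dh512_param_file: '/etc/postfix/dh512.pem'
      smtpd_tls_eecdh_grade: 'strong'
      # 20200714 do not offer tls for internal connections.
      smtpd_discard_ehlo_keyword_address_maps: 'lmdb:/etc/postfix/no-internal-tls'
      # Restriction class referenced from the access maps above (presumably
      # greylist_helos.pcre); it hands the session to postgrey.
      smtpd_restriction_classes: 'greylist'
      greylist: 'check_policy_service unix:/var/spool/postfix/postgrey/socket'
      virtual_alias_domains: 'lmdb:/etc/postfix/virtual-domains'
      # please note:
      # the order of virtual alias lists is important. By keeping our "own" aliases
      # at the top, we make sure they are never overwritten by e.g. a user alias.
      virtual_alias_maps: >-
        lmdb:/etc/postfix/virtual-opensuse-aliases,
        pcre:/etc/postfix/virtual-opensuse-mm3-bounces.pcre,
        lmdb:/etc/postfix/virtual-opensuse-users,
        lmdb:/etc/postfix/virtual-opensuse-mailinglists
      relay_domains: 'lists.opensuse.org,lists.uyuni-project.org'
      # Per-transport delivery throttles; the smtpslow/smtpcox transports are
      # presumably defined in master.cf and selected via the transport map.
      smtpslow_destination_concurrency_limit: 20
      smtpslow_destination_rate_delay: '1s'
      smtpslow_destination_recipient_limit: 10
      smtpslow_destination_concurrency_failed_cohort_limit: 10
      smtpcox_destination_concurrency_limit: 2
      smtpcox_destination_rate_delay: '615s'
      smtpcox_destination_recipient_limit: 10
      smtpcox_destination_concurrency_failed_cohort_limit: 10
      # postsrsd
      # SRS rewriting of the envelope sender (forward) and of the envelope and
      # header recipient (reverse) through the postsrsd TCP lookup tables.
      sender_canonical_maps: 'tcp:postsrsd:10001'
      sender_canonical_classes: 'envelope_sender'
      recipient_canonical_maps: 'tcp:postsrsd:10002'
      recipient_canonical_classes: 'envelope_recipient,header_recipient'
      # rspamd
      # smtpd_milters = unix:/run/rspamd/worker-proxy.socket
      header_checks: 'pcre:/etc/postfix/header_checks'
      # 20200805 enable soft_bounce during migration
      # 20200817 turning off soft_bounce
      # 20210328 turning back on
      # 20210401 back off
      soft_bounce: 'no'

zypper:
  packages:
    postsrsd: {}
    postgrey: {}
    clamav: {}
    spamassassin: {}
    mailgraph: {}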