profile:
postfix:
aliases:
root: admin-auto@opensuse.org
maincf:
relayhost: ''
recipient_delimiter: '+'
smtpd_banner: '$myhostname ESMTP $mail_name ($mail_version)'
delay_warning_time: '0h'
inet_interfaces: 'all'
mydestination: '$myhostname, localhost.$mydomain'
myhostname: '{{grains.host}}.opensuse.org'
mynetwork_style: 'subnet'
alias_maps: ''
canonical_maps: ''
relocated_maps: ''
transport_maps: 'lmdb:/etc/postfix/transport,lmdb:/etc/postfix/ratelimit'
message_size_limit: 10000000
strict_rfc821_envelopes: 'no'
smtpd_client_restrictions: ''
smtpd_helo_restrictions: ''
# smtpd_sender_restrictions: ''
smtpd_recipient_restrictions: >
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_invalid_hostname,
check_recipient_access pcre:/etc/postfix/bounce-old-mlmmj.pcre,
check_helo_access pcre:/etc/postfix/greylist_helos.pcre,
check_client_access pcre:/etc/postfix/suspicious_client.pcre,
check_recipient_access lmdb:/etc/postfix/handling_special_recipients,
reject_unlisted_recipient,
permit
smtp_sasl_auth_enable: 'no'
smtp_use_tls: 'yes'
smtp_tls_security_level: 'may'
smtp_tls_loglevel: 1
smtp_tls_CApath: '/etc/ssl/certs'
smtpd_use_tls: 'yes'
smtpd_tls_security_level: 'may'
smtpd_tls_loglevel: 1
smtpd_tls_CAfile: '/etc/postfix/LetsEncryptCA_chain.crt'
smtpd_tls_CApath: '/etc/ssl/certs'
smtpd_tls_cert_file: '/etc/postfix/star_opensuse_org_rsa_letsencrypt.crt'
smtpd_tls_key_file: ' /etc/postfix/star_opensuse_org_rsa_letsencrypt_key.pem'
smtpd_tls_eccert_file: '/etc/postfix/star_opensuse_org_ecdsa_letsencrypt.crt'
smtpd_tls_eckey_file: ' /etc/postfix/star_opensuse_org_ecdsa_letsencrypt_key.pem'
# 20200709 I have some names in /etc/hosts that are needed
smtp_host_lookup: 'native'
# 20200708 see http://www.postfix.org/SMTPUTF8_README.html
smtputf8_enable: 'no'
smtpd_tls_received_header: 'yes'
# 2016/03/03 updated due to DROWN
smtpd_tls_protocols: '!SSLv2, !SSLv3'
smtpd_tls_mandatory_protocols: '!SSLv2, !SSLv3'
smtp_tls_protocols: '!SSLv2, !SSLv3'
smtp_tls_mandatory_protocols: '!SSLv2, !SSLv3'
# 20160303 forward secrecy
smtpd_tls_dh1024_param_file: '/etc/postfix/dh2048.pem'
smtpd_tls_dh512_param_file: '/etc/postfix/dh512.pem'
smtpd_tls_eecdh_grade: 'strong'
# 20200714 do not offer tls for internal connections.
smtpd_discard_ehlo_keyword_address_maps: 'lmdb:/etc/postfix/no-internal-tls'
smtpd_restriction_classes: 'greylist'
greylist: 'check_policy_service unix:/var/spool/postfix/postgrey/socket'
virtual_alias_domains: 'lmdb:/etc/postfix/virtual-domains'
virtual_alias_maps: >
lmdb:/etc/postfix/virtual-opensuse-aliases,
pcre:/etc/postfix/virtual-opensuse-mm3-bounces.pcre,
lmdb:/etc/postfix/virtual-opensuse-users,
lmdb:/etc/postfix/virtual-opensuse-mailinglists
relay_domains: 'lists.opensuse.org,lists.uyuni-project.org'
smtpslow_destination_concurrency_limit: 20
smtpslow_destination_rate_delay: '1s'
smtpslow_destination_recipient_limit: 10
smtpslow_destination_concurrency_failed_cohort_limit: 10
smtpcox_destination_concurrency_limit: 2
smtpcox_destination_rate_delay: '615s'
smtpcox_destination_recipient_limit: 10
smtpcox_destination_concurrency_failed_cohort_limit: 10
# postsrsd
sender_canonical_maps: 'tcp:postsrsd:10001'
sender_canonical_classes: 'envelope_sender'
recipient_canonical_maps: 'tcp:postsrsd:10002'
recipient_canonical_classes: 'envelope_recipient,header_recipient'
# rspamd
# smtpd_milters = unix:/run/rspamd/worker-proxy.socket
header_checks: 'pcre:/etc/postfix/header_checks'
# 20200805 enable soft_bounce during migration
# 20200817 turning off soft_bounce
# 20210328 turning back on
# 20210401 back off
soft_bounce: 'no'
zypper:
packages:
postsrsd: {}
postgrey: {}
clamav: {}
spamassassin: {}
mailgraph: {}